CN111737692A - Application program risk detection method and device, equipment and storage medium - Google Patents

Publication number: CN111737692A
Authority: CN (China)
Prior art keywords: application program; target application; webpage; installation package; risk
Legal status: Granted
Application number: CN202010823320.2A
Other languages: Chinese (zh)
Other versions: CN111737692B (en)
Inventor: 汪先河
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by: Tencent Technology Shenzhen Co Ltd
Priority to: CN202010823320.2A
Publications: CN111737692A (application), CN111737692B (grant)
Status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The embodiments of this application disclose a risk detection method, apparatus and device for an application program, and a computer-readable storage medium. The method comprises: acquiring an installation package file of a target application program; performing feature detection on the installation package file, and determining that the target application program is a webpage-type application program when the installation package file is found to contain features matching a webpage-type application program; extracting the uniform resource locators contained in the installation package file; detecting the webpage located by the uniform resource locator according to the webpage information loaded by the target application program at run time; and, if the webpage is detected to be a risk webpage, marking the target application program as a risk application program. With this technical scheme, risk detection is performed at both the application layer and the webpage layer, which greatly improves the accuracy of risk detection.

Description

Application program risk detection method and device, equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method and an apparatus for risk detection of an application, and a computer-readable storage medium.
Background
With the popularization of terminal devices such as smart phones and tablet computers, fraud-type application programs such as false loans emerge endlessly.
In the existing application program detection scheme, whether an application program is an application program developed by a known fraud type application program developer is mainly judged by detecting the package name and the certificate of the application program, and if so, the application program is marked as a risk application program. However, a developer of the fraud type application program can change the package name and the certificate of the application program at will with low cost, so that the existing risk detection scheme has low detection accuracy, and cannot accurately detect the real fraud type application program.
Therefore, how to improve the detection accuracy of fraudulent application programs such as false loans is a technical problem to be solved in the prior art.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present application provide a method, an apparatus, and a device for risk detection of an application program, and provide a computer-readable storage medium.
The technical solutions adopted by this application are as follows:
A risk detection method for an application program, comprising: acquiring an installation package file of a target application program; performing feature detection on the installation package file of the target application program, and determining that the target application program is a webpage-type application program when the installation package file is detected to contain features matching a webpage-type application program; extracting the uniform resource locators contained in the installation package file of the target application program; detecting the webpage located by the uniform resource locator according to the webpage information loaded by the target application program at run time; and, if the webpage is detected to be a risk webpage, marking the target application program as a risk application program.
A risk detection apparatus for an application program, comprising: a file acquisition module, used to acquire an installation package file of the target application program; a file detection module, used to perform feature detection on the installation package file of the target application program and to determine that the target application program is a webpage-type application program when the installation package file is detected to contain features matching a webpage-type application program; an information extraction module, used to extract the uniform resource locators contained in the installation package file of the target application program; a webpage detection module, used to detect the webpage located by the uniform resource locator according to the webpage information loaded by the target application program at run time; and a risk marking module, used to mark the target application program as a risk application program when the webpage is detected to be a risk webpage.
A risk detection device for an application comprising a processor and a memory, said memory having stored thereon computer readable instructions which, when executed by said processor, implement a risk detection method for an application as described above.
A computer readable storage medium having stored thereon computer readable instructions which, when executed by a processor of a computer, cause the computer to perform the risk detection method of an application program as described above.
In the above technical solution, because fraud-type applications such as false loans generally have some characteristics that web-type applications have, for example, a normal interaction function, easy destruction, easy development, and the like, the application first detects whether a target application is a web-type application on the basis of an application layer, and if so, further detects web content on the basis of a website layer, and finally determines whether the target application is a fraud-type application, thereby improving detection accuracy of the application.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a schematic illustration of an implementation environment to which the present application relates.
FIG. 2 is a flow diagram illustrating a method for risk detection of an application according to an example embodiment.
Fig. 3 is a flowchart illustrating a risk detection method for an application according to another exemplary embodiment.
Fig. 4 is a flowchart illustrating a risk detection method of an application according to another exemplary embodiment.
Fig. 5 is a flowchart illustrating a risk detection method of an application according to another exemplary embodiment.
Fig. 6 is a flowchart illustrating a risk detection method of an application according to another exemplary embodiment.
Fig. 7 is a flowchart illustrating a risk detection method of an application according to another exemplary embodiment.
Fig. 8 is a flowchart illustrating a risk detection method for an application according to another exemplary embodiment.
FIG. 9 is a flow diagram illustrating a method for risk detection for an application according to an exemplary application scenario.
FIG. 10 is an exemplary interface schematic of a risk detection APP.
FIG. 11 illustrates an application risk detection apparatus in accordance with an exemplary embodiment.
Fig. 12 is a schematic structural diagram illustrating a risk detection device for an application according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
In addition, "a plurality" described in the present application should be understood to be at least two.
It should be noted that cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software, and network in a wide area network or a local area network to implement data calculation, storage, processing, and sharing.
The cloud technology is a general term of network technology, information technology, integration technology, management platform technology, application technology and the like applied based on a cloud computing business model, can form a resource pool, is used as required, and is flexible and convenient. With the high development and application of the internet industry, each article may have its own identification mark and needs to be transmitted to a background system for logic processing, data in different levels are processed separately, and various industrial data need strong system background support and can only be realized through cloud computing.
Therefore, the risk detection method for the application program can be deployed at the cloud as a cloud technical service, and specifically provides detection services for the risk application program for different network devices covered by the cloud network.
Referring to fig. 1, fig. 1 is a schematic diagram of an implementation environment related to the present application. The implementation environment is specifically an application risk detection system, and includes a terminal 100 and a server 200, where the terminal 100 and the server 200 communicate with each other through a wired or wireless network.
The terminal 100 runs a client for detecting the risk application program, the client is provided with a user interaction interface, and performs data interaction with the server 200 based on an operation instruction triggered in the user interaction interface, for example, an installation package file of a target application program to be risk detected is sent to the server 200, so that the server 200 performs risk detection on the target application program.
Based on the installation package file of the target application program, the server 200 first detects whether the target application program is a web page type application program, if so, further detects the web page content loaded by the target application program, and if it is determined that the target application program has a risk based on the web page content, the target application program can be finally determined to be a risk application program. And, the server 200 also sends the obtained risk detection result to the terminal 100, so that the terminal 100 presents the risk detection result to the user.
It should be noted that the terminal 100 may be an electronic device such as a smart phone, a tablet, a notebook, a computer, etc., which is not limited herein. The server 200 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, which is not limited herein.
Referring to fig. 2, fig. 2 is a flowchart illustrating a risk detection method for an application according to an exemplary embodiment. The method may be adapted to the implementation environment shown in fig. 1, for example, to be specifically performed by the server 200 in the implementation environment shown in fig. 1. Or in some other implementation environments, the method may be specifically executed by a terminal device installed with an application program, which is not limited herein.
As shown in fig. 2, in an exemplary embodiment, the method includes at least the steps of:
Step 110, acquiring an installation package file of the target application program.
First, in this embodiment, an application program refers to a computer program developed to run on an operating system in order to accomplish one or more specific tasks. For example, the application program may be an app running on the Android or iOS system, or a PC (Personal Computer) application running on a Windows system, which is not limited herein. The target application program is the application program to be risk detected.
The installation package file of an application program, also called an application package, is the package used to install the application program. For example, for an application program running on the Android system, the installation package file is an APK (Android application package) file; for an application program running on a Windows system, the installation package file is an EXE (Executable File) file.
For the device specifically executing the method for detecting risk of an application program provided in this embodiment, the installation package file of the target application program may be obtained from the local storage, or the installation package file of the target application program is sent to the device specifically executing this method by another device, which is not limited herein.
Taking the implementation environment shown in fig. 1 as an example, if the method is specifically executed by the server 200, the installation package file of the target application acquired by the server 200 may be sent by the terminal 100. The terminal 100 may also upload installation package files of each application installed by the terminal 100 to the server 200 in advance for storage, and when the terminal 100 initiates a control instruction for performing risk detection on the target application to the server 200, the server 200 acquires the installation package files of the target application from the local storage, so as to perform risk detection on the target application based on the acquired installation package files.
In some other implementation environments, for example, if the method is specifically executed by a terminal device installed with an application program, the terminal device directly obtains an installation package file of the target application program from a local storage. It should be further noted that the target application in this embodiment may specifically refer to one or more applications to be risk-detected.
Step 130, performing feature detection on the installation package file of the target application program, and determining that the target application program is the application program of the webpage type when detecting that the installation package file contains features matched with the application program of the webpage type.
In this embodiment, the web page type application refers to an application developed by using a web page technology, that is, an application developed by using HTML (Hyper Text Markup Language). The development code of the webpage type application program can run on different operating systems such as Windows, android, IOS and the like at the same time.
Fraudulent types of malicious applications such as fraudulent loans typically have the following characteristics:
1. They have normal interaction functions, such as user registration and loan application, so the malicious application program must interact with a background server that stores the data;
2. They are easy to destroy: after a victim files a report, the police can obtain the network address of the malicious application program's background server through technical means, so the background server needs to be destroyed and replaced frequently to resist tracking;
3. They are easy to develop and suit multiple operating systems: because malicious application programs are replaced frequently and users' terminal devices may run different operating systems, a development mode that is cheap and can be deployed across platforms is needed.
Webpage-type application programs satisfy all of the above characteristics. For example, many fraudulent apps such as false-loan apps are Web apps. A Web app is essentially a webpage adapted to smart terminals, which is then packaged into an Android or iOS application by a package file generation platform, so a fraudulent app such as a false-loan app is very likely to be a webpage-type application program. The package file generation platform is a software program that generates installation package files for application programs.
Based on this, the embodiment first detects whether the target application is a web page type application based on the application layer, and if so, continues to further detect the target application to ensure the accuracy of the detection result.
The installation package file of the target application program contains the various files and resources that the target application program needs to run on the operating system. For example, an APK package file contains compiled code files (.dex files), file resources (resources), native resource files (assets), certificates, manifest files, and the like.
The feature detection performed on the installation package file of the target application may include performing static feature detection on the installation package file of the target application, or performing dynamic feature detection on the installation package file of the target application, or may be a combination of the two, and this is not limited in this respect.
The static feature detection of the installation package file of the target application program means that whether the target application program is a webpage type application program is judged based on the static feature contained in the installation package file of the target application program, and the static feature is understood to be a feature of the installation package file of the target application program under the premise that the installation package file of the target application program is not installed and operated. For example, since the installation package file generated by the package file generation platform for the application program of the web page type usually contains a fixed file structure, if the installation package file of the target application program contains these fixed file structures, it may be determined that the installation package file of the target application program contains the features matched with the application program of the web page type, so as to determine that the target application program is the application program of the web page type.
The step of performing dynamic feature detection on the installation package file of the target application program refers to determining whether the target application program is a web page type application program or not based on the dynamic features of the installation package file of the target application program in the installation running state. For example, if the installation package file of the target application performs the operation related to the web page loading at runtime, it may be determined that the installation package file of the target application contains the characteristics matching the application of the web page type, and it is determined that the target application is the application of the web page type.
Step 150, extracting the uniform resource locators contained in the installation package file of the target application program.
In this embodiment, if the target application program is detected to be a webpage-type application program, the uniform resource locators contained in its installation package file are further extracted, so that the content of the webpage loaded by the target application program can be detected based on the extracted uniform resource locators, thereby obtaining an accurate risk detection result.
It should be noted that a Uniform Resource Locator (URL) refers to a web page address, and a web page type application needs to load a web page based on the web page address when running. Therefore, based on the uniform resource locator contained in the installation package file of the target application program, the related information of the webpage loaded during the operation of the target application program, such as the resources of pictures and characters contained in the webpage, the website background corresponding to the webpage and the like, can be obtained, and then the risk detection of the target application program on the webpage level can be performed according to the obtained information, so that the accuracy of the risk detection of the target application program is ensured.
Step 170, detecting the webpage located by the uniform resource locator according to the webpage information loaded by the target application program at run time.
In this embodiment, the webpage information loaded by the target application program at run time refers to information about the webpage located by the uniform resource locator that the application program loads when it runs. It may include, for example, resources such as text and pictures contained in the webpage, and information such as the directory structure contained in the uniform resource locator loaded by the target application program.
Detecting the webpage located by the uniform resource locator means judging, from the information about the webpage loaded when the target application program runs, whether the target application program poses a usage risk to the user; if it does, the webpage is judged to be a risk webpage.
As described above, fraudulent application programs such as false loans are frequently replaced due to being reported, and development needs to be performed in a low-cost development manner, so that malicious website templates exist to facilitate malicious development of fraudulent application programs such as false loans. The application programs developed by using the malicious website templates usually load the same resources such as pictures and characters during running, uniform resource locators corresponding to the webpages loaded by the application programs contain the same directory structure, and the webpages also have the same website background, so that the embodiment can detect whether the webpage loaded by the target application program is a risk webpage based on one or more of the characteristics. In this way most fraudulent types of applications can be detected.
In addition, a developer of a fraudulent application program may modify the names or contents of the resource files contained in the website template, for example by changing the color of a picture, so an actual fraudulent application program may escape detection in the foregoing manner. To solve this problem, this embodiment may perform content detection on the webpage resources loaded by the target application program; if a webpage resource loaded by the target application program is detected to be only a simple modification of a resource provided by a malicious website template, the webpage loaded by the target application program is determined to be a risk webpage.
It should be noted that the above is only an exemplary manner for detecting the risk webpage, and does not indicate that the detection manner of the risk webpage is limited in this embodiment. In this embodiment, it may also be detected whether the webpage loaded by the target application is a risky webpage by using other manners, for example, if the fraud type application does not log out the relevant malicious webpage in time after being reported, it may be directly detected whether the webpage loaded by the target application is the known malicious webpage.
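The three template characteristics described above (shared directory structure in the URLs, shared resources, and lightly modified content) can be compared as in the following added example, which is not part of the patent. The thresholds, the word-shingle text comparison, and all sample hosts and contents are assumptions made for illustration; a recoloured picture would additionally need an image-similarity measure, which is not shown.

```python
import hashlib
from urllib.parse import urlsplit


def dir_structure(urls):
    """Directory part of each URL path; host and file name are dropped."""
    return {urlsplit(u).path.rsplit("/", 1)[0] + "/" for u in urls}


def shingles(text, k=4):
    """Overlapping k-word windows, used to spot lightly edited page text."""
    words = text.lower().split()
    if not words:
        return set()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as no evidence."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def fingerprint(resources, text):
    """resources maps each loaded URL to its bytes; text is the visible copy."""
    return {
        "dirs": dir_structure(resources),
        "hashes": {hashlib.sha256(b).hexdigest() for b in resources.values()},
        "shingles": shingles(text),
    }


def assess_page(page, template, dir_min=0.8, hash_min=0.5, text_min=0.5,
                min_signals=1):
    """Compare a loaded page with a known malicious template fingerprint.

    Thresholds are assumed values. min_signals=1 follows the "one or more
    characteristics" wording; raising it trades recall for fewer false
    positives, since common layouts share directory names.
    """
    signals = {
        "same_directory_structure":
            jaccard(page["dirs"], template["dirs"]) >= dir_min,
        "same_resources":
            jaccard(page["hashes"], template["hashes"]) >= hash_min,
        "near_duplicate_text":
            jaccard(page["shingles"], template["shingles"]) >= text_min,
    }
    return {"risk": sum(signals.values()) >= min_signals, "signals": signals}


# Constructed sample data, not taken from any real site.
TEMPLATE_TEXT = ("Fast approval loan up to 200000 no credit check apply now "
                 "with ID card and bank card funds arrive in ten minutes")
TEMPLATE = fingerprint({
    "https://old-host.example/tpl/loan/index.html": b"<html>loan v1</html>",
    "https://old-host.example/tpl/loan/static/img/banner.png": b"PNG-banner-blue",
    "https://old-host.example/tpl/loan/static/js/apply.js": b"submit()",
}, TEMPLATE_TEXT)

# Same template on a new host: banner recoloured, one figure changed in the text.
CLONE = fingerprint({
    "https://new-host.example/tpl/loan/index.html": b"<html>loan v2</html>",
    "https://new-host.example/tpl/loan/static/img/banner.png": b"PNG-banner-red",
    "https://new-host.example/tpl/loan/static/js/apply.js": b"submit()",
}, TEMPLATE_TEXT.replace("200000", "300000"))

BENIGN = fingerprint({
    "https://bank.example/index.html": b"<html>portal</html>",
    "https://bank.example/assets/app.css": b"body{}",
}, "Welcome to our online banking portal please sign in to view your accounts")

if __name__ == "__main__":
    print("clone :", assess_page(CLONE, TEMPLATE))
    print("benign:", assess_page(BENIGN, TEMPLATE))
```

In the constructed clone, exact hashing misses the modified resources, while the directory structure and the near-duplicate text still match the template.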
Step 190, if it is detected that the webpage is a risk webpage, the target application program is marked as a risk application program.
As described above, if it is detected that the web page located by the uniform resource locator contained in the installation package file of the target application is a risky web page in the foregoing manner, it indicates that the target application is most likely to be a fraud type application, and the user is at risk of using the target application, for example, causing property damage to the user, and therefore the target application is marked as a risky application.
Therefore, the embodiment provides an application risk detection method based on the characteristics of a fraud type application, and the method includes firstly detecting whether a target application is a webpage type application based on an application level, if so, further detecting the target application based on the webpage level, and finally judging that the target application is the fraud type risk application if the webpage recorded by the target application is a risk webpage.
For example, in some specific application scenarios, a risk application program marked according to this embodiment allows the user to be reminded in time when the risk application program runs, so as to effectively protect the user's personal property. In addition, the URL of the risk application program can be penetrated and the records of the webpage background extracted to obtain victim information, which is provided to the police for return visits. The user information of the first user to install the risk application program can also be traced back to screen for suspected developers and provided to the police as evidence, so that criminals are targeted accurately.
FIG. 3 is a flow chart illustrating a method of risk detection for an application according to another exemplary embodiment. As shown in fig. 3, on the basis of the embodiment shown in fig. 2, the process of performing feature detection on the package file of the target application in step 130 may specifically include the following steps:
Step 131, detecting the file structure contained in the installation package file of the target application program.
First, it should be noted that this embodiment is a process of performing static feature detection on the target application program. The file structure contained in the installation package file of the target application program refers to the multilevel file directory contained in the installation package file. The file structure is a feature that the installation package file has when it has not been installed or run, and is therefore referred to as a static feature of the target application program.
In step 132, if it is detected that the file structure matches the static identification feature, it is determined that the target application is a web page type application.
In this embodiment, the static identification feature is generated according to a file structure commonly used among installation package files of known web page type applications, and therefore the static identification feature includes a common structure feature included in the installation package files of the web page type applications.
Because the installation package files generated by the package file generation platform for the webpage type application programs usually contain fixed and unchangeable file structures, the fixed and unchangeable file structures are the file structures commonly used among the installation package files of the webpage type application programs. For example, in a file structure included in an installation package file of a Web APP, an "Assets" directory is a general file directory.
In this embodiment, these fixed and unchangeable file structures are used as the static identification features and are compared against the file structures included in the installation package file of the target application program. If it is detected that the installation package file of the target application program includes these fixed and unchangeable file structures, its file structure matches the static identification features, and it can be determined that the target application program is a web page type application.
For example, the static identification feature may be YARA rules (YARA is an open source tool that helps malware researchers identify and classify malware samples) extracted for the file structure of the installation package of a web page type application. YARA feature detection is performed on the file structure in the installation package of the target application based on the extracted YARA rules, and if the file structure in the installation package of the target application matches the YARA rules, the target application is determined to be a web page type application.
For example, if the installation package file of the web page type application contains a plurality of fixed and unchangeable file structures, the YARA rule can be described as: if the installation package file of the target application program contains any one of these fixed and unchangeable file structures, the target application program is judged to be a web page type application. Using the YARA detection tool, it can be determined simply and quickly whether the target application is a web page type application.
In another embodiment, the detection-evasion countermeasures of malicious applications are taken into account. When a malicious application is identified and removed by risk detection software, its code is typically modified by trial and error and the modified installation package file is repackaged until the risk detection software can no longer identify it. This is the so-called "kill-free" (detection evasion) process.
To prevent risk monitoring software from failing to detect real risk applications because of this kill-free process, the present embodiment obtains the installation package files of multiple known-risk web page type applications and generates the static identification features from the file structure features common to those installation package files, and then detects whether the target application is a web page type application based on the static identification features. Here, a known-risk web page type application is a known fraud-type application.
According to the method provided by the embodiment, the malware family corresponding to the webpage type application program with known risk can be accurately detected, for example, if the static identification feature generated according to the embodiment detects that the target application program is the webpage type application program, the target application program is most likely to be a fraud type application program.
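The static detection described above can be sketched as follows. This is an added example, not code from the patent: the package contents, path names and the subtraction of structure also found in ordinary applications are assumptions made for illustration, and all samples are constructed in memory.

```python
import io
import zipfile


def make_package(paths):
    """Build a constructed installation package (ZIP archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in paths:
            zf.writestr(path, b"constructed sample content")
    return buf.getvalue()


def file_structure(package_bytes):
    """Return every file path plus every parent directory (marked with a trailing '/')."""
    entries = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            parts = [p for p in name.split("/") if p]
            if not name.endswith("/"):
                entries.add("/".join(parts))
                parts = parts[:-1]
            for depth in range(1, len(parts) + 1):
                entries.add("/".join(parts[:depth]) + "/")
    return entries


def generate_static_feature(known_web_packages, ordinary_packages=()):
    """Keep the structure shared by all known samples, minus what ordinary apps also have."""
    if not known_web_packages:
        raise ValueError("at least one known web page type package is required")
    common = set.intersection(*(file_structure(p) for p in known_web_packages))
    for package in ordinary_packages:
        # Assumption (not in the patent): drop entries that ordinary applications
        # share, otherwise the "any one structure" rule would match every package.
        common -= file_structure(package)
    return common


def match_static_feature(package_bytes, feature, min_hits=1):
    """Apply the 'contains any one fixed structure' rule; return (matched, hits)."""
    hits = sorted(file_structure(package_bytes) & feature)
    return len(hits) >= min_hits, hits


# Constructed samples: two known-risk packages from one hypothetical generation
# platform (the second repackaged with a padding library), one ordinary application.
BASE = ["AndroidManifest.xml", "classes.dex", "res/layout/main.xml"]
KNOWN_WEB = [
    make_package(BASE + ["assets/apps/A1/www/index.html",
                         "assets/data/platform_config.json"]),
    make_package(BASE + ["lib/arm64-v8a/libpad.so", "assets/apps/B7/www/index.html",
                         "assets/data/platform_config.json"]),
]
ORDINARY = [make_package(BASE + ["assets/fonts/a.ttf", "lib/arm64-v8a/libnative.so"])]
FEATURE = generate_static_feature(KNOWN_WEB, ORDINARY)

# Targets: a repackaged variant with changed code files, and a native application.
TARGET_WEB = make_package(BASE + ["classes2.dex", "assets/apps/C9/www/index.html",
                                  "assets/data/platform_config.json"])
TARGET_NATIVE = make_package(BASE + ["assets/fonts/b.ttf"])

if __name__ == "__main__":
    print(sorted(FEATURE))
    print(match_static_feature(TARGET_WEB, FEATURE))
    print(match_static_feature(TARGET_NATIVE, FEATURE))
```

Because the feature is built only from structure that survives across samples, per-build directories such as `assets/apps/A1/` fall out of it while the platform's fixed paths remain.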
FIG. 4 is a flowchart illustrating a method of risk detection for an application according to another example embodiment. As shown in fig. 4, on the basis of the embodiment shown in fig. 2, the process of performing feature detection on the package file of the target application in step 130 may specifically include the following steps:
Step 133, detecting operation information generated when the installation package file of the target application program runs.
The present embodiment is a process of performing dynamic feature detection on an installation package file of a target application, and this process determines whether the target application is a web-type application according to dynamic features of the installation package file of the target application in installation and operation.
The dynamic feature of the installation package file of the target application program during installation and running is the operation information detected in this embodiment, specifically the records of web page operations executed by the target application program after its installation package file is actually installed and run in a virtual environment. The virtual environment may specifically be a virtual machine.
In this embodiment, the operation information generated when the installation package file of the target application runs may specifically include the operation records of web page operations executed by the target application, such as network access, sub-package loading, pop-up windows, and file operations. Network access refers to the objects with which the target application interacts over the network when running; for example, an installation package file generated by a package file generation platform accesses a server of that platform when executing in order to obtain configuration information. Sub-package loading refers to the sub-programs called by the target application program while running; for example, all web page type applications start the browser program provided by the operating system to open a web page when running, and specifically, all Web APPs load a "webview.
The detecting of the operation information generated when the installation package file of the target application program runs in this embodiment specifically means that after the operation information generated when the installation package file of the target application program runs in a virtual environment is acquired, the web page operation executed when the installation package file of the target application program runs is determined based on the operation information, and if the web page operation executed by the target application program is the web page operation that the application programs of the web page types will execute when running, it may be determined that the target application program is the application program of the web page type.
In step 134, if the operation information is detected to match the dynamic identification feature, the target application is determined to be a web page type application.
The dynamic identification feature is generated according to the running feature of the application program of the web page type in the running state, for example, the application program of the web page type can execute a network access operation when running, and the web page is opened by executing a sub-package loading operation, so that the dynamic identification feature contains the running feature of the installation package file of the application program of the web page type in the running state.
An application that executes only the network access operation is shown only to have been generated with the package file generation platform and is not necessarily a web page type application; for example, it may be an official application of the package file generation platform. An application that executes a single operation alone therefore cannot be determined to be a web page type application. If, however, the application executes both the network access operation and the sub-package loading operation, it can be determined to be a web page type application.
Therefore, in this embodiment, after acquiring a plurality of operating characteristics of the web page type application program in an operating state, the acquired plurality of operating characteristics are combined to obtain a dynamic identification characteristic. And if the operation information generated when the target application program runs in the virtual environment indicates that the installation package file of the target application program executes the webpage operation corresponding to the dynamic identification feature during running, determining that the operation information of the target application program is matched with the dynamic identification feature, so that the target application program can be determined to be the webpage type application program.
Therefore, the method provided based on the embodiment can accurately judge whether the target application program is the application program of the webpage type according to the operation information of the target application program during running.
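The combined dynamic identification feature can be illustrated with the added example below, which is not code from the patent. The record format, the host `pkgplatform.example` and the sub-package name `browser-subpackage` are constructed placeholders; the logs stand in for what a sandbox would record.

```python
import json


def host_in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it (label boundary match)."""
    if not isinstance(host, str):
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Hypothetical dynamic identification feature: a combination of running features,
# every one of which must be observed in the operation information.
DYNAMIC_FEATURE = {
    "network_access": lambda r: host_in_domain(r.get("host"), "pkgplatform.example"),
    "load_subpackage": lambda r: r.get("name") == "browser-subpackage",
}


def parse_operation_log(log_text):
    """Parse one JSON operation record per line, skipping lines that cannot be used."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a sandbox log can be cut off mid-line; skip what cannot be parsed
        if isinstance(record, dict) and "op" in record:
            records.append(record)
    return records


def match_dynamic_feature(records, feature=DYNAMIC_FEATURE):
    """Return (matched, missing): matched only if every running feature was observed."""
    observed = {op for op, check in feature.items()
                if any(r["op"] == op and check(r) for r in records)}
    missing = sorted(set(feature) - observed)
    return not missing, missing


# Constructed sandbox logs.
WEB_APP_LOG = """
{"op": "network_access", "host": "config.pkgplatform.example", "port": 443}
{"op": "file_op", "path": "/data/data/app/cache/cfg.bin", "mode": "w"}
{"op": "load_subpackage", "name": "browser-subpackage"}
{"op": "popup", "title": "constructed"}
{"op": "network_access", "host": "loan.exam
"""
# The platform's own official application: contacts the platform, opens no web page.
PLATFORM_OFFICIAL_LOG = """
{"op": "network_access", "host": "config.pkgplatform.example", "port": 443}
{"op": "file_op", "path": "/data/data/app/files/state.db", "mode": "w"}
"""
# An ordinary application that opens a web page but only contacts an unrelated host.
WEBVIEW_ONLY_LOG = """
{"op": "network_access", "host": "notpkgplatform.example", "port": 443}
{"op": "load_subpackage", "name": "browser-subpackage"}
"""

if __name__ == "__main__":
    for name in ("WEB_APP_LOG", "PLATFORM_OFFICIAL_LOG", "WEBVIEW_ONLY_LOG"):
        print(name, match_dynamic_feature(parse_operation_log(globals()[name])))
```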
FIG. 5 is a flowchart illustrating a method of risk detection for an application according to another example embodiment. As shown in fig. 5, based on the embodiment shown in fig. 2, the process of extracting the uniform resource locator contained in the installation package file of the target application in step 150 may include the following steps:
Step 151, determining a regular expression for matching the uniform resource locator.
In this embodiment, a regular expression is a logical formula that operates on character strings: predefined specific characters and combinations of them form a rule string, and the rule string expresses a filtering logic applied to character strings. Regular expressions are generally used to retrieve or replace text that conforms to a certain pattern or rule.
Considering that the uniform resource locator may exist in the installation package file of the target application program in a plaintext form, the regular expression is adopted to perform character string matching in the installation package file of the target application program so as to obtain the uniform resource locator existing in the installation package file in the plaintext form.
Specifically, since the uniform resource locator is actually a character string beginning with "http", the following regular expression may be used to obtain the uniform resource locator contained in the package file of the target application program:
[Figure: regular expression for matching uniform resource locators; the image is not reproduced here]
Step 152, extracting the uniform resource locators that match the regular expression while performing a full scan of the installation package file of the target application program.
A full scan of the installation package file of the target application program yields all characters contained in the installation package file. During the full scan, the regular expression is matched against the scanned characters, and each character string that matches the regular expression is a uniform resource locator.
Therefore, based on the method provided by the embodiment, the uniform resource locator contained in the package file of the target application program can be simply and conveniently extracted.
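The full scan with a regular expression can be sketched as below. This is an added example rather than the patent's code: the patent's own expression is not reproduced on this page, so the pattern here is an assumption, as is the handling of UTF-16LE strings; the package and all URLs in it are constructed.

```python
import io
import re
import zipfile

# Assumed pattern (the original expression is not reproduced on the page):
# "http" or "https", "://", then characters that RFC 3986 allows in a URI.
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
# Runs of printable ASCII stored as UTF-16LE, as used by Android binary XML strings.
UTF16_RUN_RE = re.compile(rb"(?:[\x21-\x7e]\x00){10,}")
TRAILING = b".,;:'\")"              # punctuation that usually belongs to the context
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # skip entries whose declared size exceeds this cap


def urls_in_bytes(data):
    """Return the plaintext URLs found in one blob, in 8-bit and UTF-16LE form."""
    found = set()
    candidates = [data] + [run[::2] for run in UTF16_RUN_RE.findall(data)]
    for blob in candidates:
        for match in URL_RE.findall(blob):
            url = match.rstrip(TRAILING)
            if not url.endswith(b"://"):   # nothing left after the scheme
                found.add(url.decode("ascii"))
    return found


def extract_urls(package_bytes):
    """Scan every entry of the package after decompression; map URL -> entry names."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            # Entries are normally compressed, so a scan of the raw archive bytes
            # would miss strings that are plaintext only after decompression.
            for url in urls_in_bytes(zf.read(info)):
                result.setdefault(url, []).append(info.filename)
    return {url: sorted(names) for url, names in result.items()}


def build_constructed_package():
    """Constructed sample package; every URL uses a reserved .example domain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/config.json",
                    b'{"home": "https://loan.example/index.php/Index/home.shtml", "v": 3}')
        zf.writestr("classes.dex",
                    b"dex\n035\x00\x19http://cdn.example/static/app.js\x00\x07padding\x00")
        zf.writestr("AndroidManifest.xml",
                    b"\x03\x00\x08\x00"
                    + "https://api.example/v1/config".encode("utf-16-le") + b"\x00\x00")
        zf.writestr("res/raw/about.txt",
                    b"See (https://loan.example/index.php/Index/home.shtml).")
    return buf.getvalue()


PACKAGE = build_constructed_package()

if __name__ == "__main__":
    for url, names in sorted(extract_urls(PACKAGE).items()):
        print(url, names)
```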
In another embodiment, the uniform resource locator may also be stored in a fixed configuration file contained in the package file of the target application, and such fixed configuration files may be encrypted, so that the uniform resource locator cannot be extracted directly from the package file. In this case, the uniform resource locator contained in the package file of the target application needs to be extracted according to a written script file.
In addition, because there are a plurality of package file generation platforms for generating the package file of the target application program, and file positions of the fixed configuration files storing the uniform resource locators in the package file generated based on each package file generation platform may be different, the uniform resource locators included in the package file of the target application program need to be extracted according to the following steps:
acquiring a script file matched with a package file generation platform corresponding to a target application program;
a uniform resource locator is extracted from a specified file location in a package file of the target application based on the obtained script file.
The above methods are all manners of statically executing uniform resource locator extraction for the package file of the target application program, and in other embodiments, the uniform resource locator contained in the package file may also be dynamically extracted for the package file of the target application program. As shown in fig. 6, in an exemplary embodiment, the process of extracting the uniform resource locator contained in the installation package file of the target application in step 150 may include the following steps:
Step 153, collecting the uniform resource locator loading operation executed when the installation package file of the target application program runs in the virtual environment.
In this embodiment, a sandbox (a virtual machine simulating a real IP address, a geographical location, and a device configuration) may be used as a specific virtual environment to install and run an installation package file of a target application. When the target application program runs in the virtual environment, the loading operation of the uniform resource locator is executed, so that the terminal equipment where the target application program is located jumps to display the corresponding webpage in the real environment along with the running of the target application program.
The sandbox can directly monitor the loading of the browser program sub-package and the specific uniform resource locators that are loaded, so the uniform resource locators loaded when the target application program runs can be obtained directly, which is very convenient.
Step 154, the loaded uniform resource locator is extracted as the uniform resource locator contained in the installation package file of the target application program.
As described above, the installation package file of the target application program contains the files and resources that the target application program requires to run on the operating system, and the target application program relies on the uniform resource locator contained in the installation package file when it accesses a web page. The uniform resource locator loaded when the package file of the target application program runs in the virtual environment can therefore be determined to be the uniform resource locator contained in the installation package file of the target application program.
Therefore, based on the above uniform resource locator extraction method, the uniform resource locators contained in the installation package file of the target application program can be accurately extracted, so as to provide accurate detection data for further subsequent detection of the target application program.
FIG. 7 is a flowchart illustrating a method of risk detection for an application according to another example embodiment. The method further describes step 170 in the method shown in fig. 2, and as shown in fig. 7, the process of detecting a url located web page may include the following steps:
Step 171, obtaining the template features contained in the known risk website template.
In this embodiment, fraudulent applications such as fake loan applications are generally developed using certain malicious website templates, and these malicious website templates are referred to as risky website templates.
By way of example, applications developed using the same risky website template typically have the following characteristics:
1. they load the same resources such as pictures and text, for example fraudulent text such as "quick borrowing", "0 mortgage", and "0 guarantee";
2. the loaded uniform resource locators contain the same directory structure; for example, in the uniform resource locator "https://wld.mjtjkj.cn/index.php/Index/home.shtml", "wld.mjtjkj.cn" is the domain name, "index.php/Index" is the subdirectory, and "home.shtml" is the name of the page file. The resources loaded by the web page are stored in different subdirectories, so the subdirectories in the URLs of applications developed using the same risk website template are the same;
3. they have the same website background.
Therefore, in this embodiment, the template features included in the risk website template may include the resources such as pictures and text included in the risk website template, the subdirectories corresponding to the resources that the risk website template provides when loading, the website background of the risk website template, and other information, which is not limited here.
Step 172, matching the webpage information in the webpage located by the uniform resource locator of the target application program with the template features contained in the risk website template, and determining the webpage to be a risk webpage if consistency between the webpage information and the template features is detected.
As described above, the web page information in the web page located by the uniform resource locator of the target application may include information such as resources, subdirectories, and website backgrounds loaded by the web page, and in this embodiment, the template features included in the known risky website template are obtained, then the web page information in the web page located by the uniform resource locator of the target application is matched with the template features included in the risky website template, and if consistency between the web page information and the template features is detected, it indicates that the web page loaded by the target application is developed through the risky website template, so that the web page is determined to be the risky web page.
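The template matching in steps 171 and 172 can be sketched as follows. This is an added example, not the patent's code: the rule used for "consistency" (same URL subdirectory plus either two template phrases or a shared resource directory) is an assumption, and the domains, resource directories and HTML are constructed; only the subdirectory and phrases come from the description above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def split_url(url):
    """Split a URL into (domain, subdirectory, page file) as the description does."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and not parts.path.endswith("/"):
        page_file, segments = segments[-1], segments[:-1]
    else:
        page_file = ""
    return (parts.hostname or "", "/".join(segments), page_file)


class PageInfo(HTMLParser):
    """Collect the visible text and the URLs of the resources a page loads."""

    def __init__(self):
        super().__init__()
        self.text, self.resources, self._hidden = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        for key, value in attrs:
            if value and (key == "src" or (tag == "link" and key == "href")):
                self.resources.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden and data.strip():
            self.text.append(" ".join(data.split()).lower())


def match_template(url, html, template, min_phrases=2):
    """Compare page information with one risk website template's features."""
    page = PageInfo()
    page.feed(html)
    text = " ".join(page.text)
    phrases = sorted(p for p in template["phrases"] if p.lower() in text)
    resource_dirs = {split_url(urljoin(url, r))[1] for r in page.resources}
    shared_dirs = sorted(resource_dirs & set(template["resource_dirs"]))
    same_subdirectory = split_url(url)[1] == template["subdirectory"]
    # Assumed consistency rule: the URL subdirectory must match, backed by either
    # enough template phrases or at least one shared resource directory.
    consistent = same_subdirectory and (len(phrases) >= min_phrases or bool(shared_dirs))
    return {"risk": consistent, "subdirectory": same_subdirectory,
            "phrases": phrases, "resource_dirs": shared_dirs}


# Template features: subdirectory and phrases as in the description; the resource
# directories are constructed.
RISK_TEMPLATE = {
    "subdirectory": "index.php/Index",
    "phrases": ["quick borrowing", "0 mortgage", "0 guarantee"],
    "resource_dirs": ["Public/home/images", "Public/home/css"],
}
# Constructed pages: one built from the template on a new domain, one unrelated.
RISK_URL = "https://loan-b.example/index.php/Index/home.shtml"
RISK_HTML = """<html><head><title>Quick Borrowing</title>
<script src="/Public/home/js/app.js"></script></head>
<body><img src="/Public/home/images/banner.png">
<h1>Quick borrowing, 0 mortgage, 0 guarantee</h1></body></html>"""
BENIGN_URL = "https://bank.example/loans/index.html"
BENIGN_HTML = """<html><body><h1>Mortgage calculator</h1>
<p>0 guarantee fee this month</p><img src="img/logo.png"></body></html>"""

if __name__ == "__main__":
    print(match_template(RISK_URL, RISK_HTML, RISK_TEMPLATE))
    print(match_template(BENIGN_URL, BENIGN_HTML, RISK_TEMPLATE))
```

Matching on the subdirectory rather than the domain is what lets one template feature cover many sites that differ only in host name.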
In addition, the developer of a fraud-type application may modify the names or contents of the resource files contained in the website template, for example by changing the color of a picture, so that the real risk application may go undetected. In view of this, in another embodiment of the present application, the web page located by the uniform resource locator of the target application is detected by a risk identification model.
As shown in fig. 8, in an exemplary embodiment, the web page loaded by the target application program may be specifically detected through the following steps:
Step 210, obtaining the resources loaded by accessing the uniform resource locator.
As described above, the resource loaded by the target application accessing the uniform resource locator may include a resource such as a text and a picture, which is not limited in this embodiment.
Step 230, inputting the resources into the risk identification model, and obtaining the likelihood scores, output by the risk identification model, that the resources originate from different risk website templates.
In this embodiment, the risk identification model is obtained by training on data sets corresponding to different risk website templates. For example, the picture resources contained in different risk website templates are obtained, and the picture resources whose picture size exceeds a picture threshold are screened from them to obtain the data sets corresponding to the different risk website templates. The risk identification model is then trained on these data sets, and the trained risk identification model can identify, from the picture resources loaded by the web page located by the uniform resource locator of the target application program, whether that web page is a risk web page.
In addition, the data sets corresponding to different risk website templates may also be text data sets or data sets combining text and pictures, which is not limited herein.
The risk identification model may be a classification model, with the different risk website templates being the different classes into which the model classifies its input. Therefore, in this embodiment, after the resources loaded by the uniform resource locator of the target application program are obtained, they are input into the risk identification model, and the likelihood scores, output by the risk identification model, that the resources originate from different risk website templates can be obtained.
Step 250, if the likelihood score exceeds the score threshold, determining the web page to be a risk web page.
If the likelihood score output by the risk identification model exceeds the score threshold, this indicates that the current web page was developed based on the corresponding risk template, and the web page is therefore determined to be a risk web page.
Therefore, according to the risk webpage detection method provided by the above embodiment, whether the target application is a risk application can be accurately detected based on the webpage level.
In order to facilitate understanding of the technical essence of the present application, the risk detection method for an application provided in the present application will be described in detail in a specific application scenario.
In this exemplary application scenario, the target application is an APP installed in the smart phone, and a risk detection APP is also installed in the smart phone, where the risk detection APP is used to detect whether the APP installed in the smart phone is a risk APP of a fraud type.
When a risk monitoring instruction is triggered in the risk detection APP, the server communicating with the risk detection APP executes a flow shown in fig. 9 to detect whether the APP installed in the smartphone is a risk application of a fraud type, and returns a detection result to the risk detection APP to display the detection result.
Specifically, the server acquires an installation package file of a target APP to be subjected to risk detection, and then performs static feature detection or dynamic feature detection on the acquired installation package file to determine whether the target APP is a WebAPP based on a detection result. If not, the server performs other processing on the target APP, for example, other risk monitoring methods except the present application may be adopted to detect the target APP. If so, further extracting the URL corresponding to the webpage loaded by the target APP operation. Specifically, the URL corresponding to the web page may be extracted statically or extracted dynamically, and for the process of specifically extracting the URL corresponding to the web page, reference is made to the contents described in the foregoing embodiments, which is not described herein again.
After the URL corresponding to the webpage is extracted, whether the target APP is a fraud risk APP can be detected by URL template detection or URL content detection. The URL template detection specifically detects whether webpage information loaded by the target APP is matched with feature information contained in a known risk website template, and the URL content detection specifically detects whether resources such as pictures loaded by the target APP are modified based on the resource template contained in the known risk website template, for example, whether the colors of the pictures are modified, and the like.
If the target APP is finally detected to be a risk APP of the fraud type, the server marks the target APP as a risk APP and returns the detection result to the risk detection APP for display. As shown in fig. 10, the icon, name, and other information of the target APP are displayed in the interface of the risk detection APP, and based on this information the user can choose to move the target APP into the trust zone or uninstall it.
FIG. 11 illustrates an application risk detection apparatus in accordance with an exemplary embodiment. The apparatus may be deployed in a server 200 in the implementation environment shown in FIG. 1. Or in some other implementation environments, the apparatus may be configured in a terminal device installed with an application program, which is not limited herein.
As shown in FIG. 11, in an exemplary embodiment, the apparatus includes a file acquisition module 310, a file detection module 330, an information extraction module 350, a web page detection module 370, and a risk tagging module 390. The file acquisition module 310 is configured to obtain an installation package file of the target application program. The file detection module 330 is configured to perform feature detection on the installation package file of the target application program, and when it is detected that the installation package file contains features matched with the application program of the web page type, determine that the target application program is the application program of the web page type. The information extraction module 350 is configured to extract a uniform resource locator included in the installation package file of the target application. The web page detection module 370 is configured to detect a web page located by a uniform resource locator according to web page information loaded by a target application during running. The risk tagging module 390 is configured to tag the target application as a risk application upon detecting that the web page is a risk web page.
In another exemplary embodiment, the file detection module 330 includes a file structure detection unit and a static feature matching unit. The file structure detection unit is used for detecting a file structure contained in the installation package file of the target application program. The static feature matching unit is used for determining that the target application program is a webpage type application program when the matching of the file structure and the static identification feature is detected, and the static identification feature contains a general structure feature contained in an installation package file of the webpage type application program.
In another exemplary embodiment, the file detection module 330 further includes a static feature generation unit, configured to obtain installation package files of multiple known-risk web page type applications, and generate a static identification feature according to a file structure feature commonly used among the installation package files of the multiple known-risk web page type applications.
In another exemplary embodiment, the file detection module 330 includes an operation information acquisition unit and a dynamic feature recognition unit. The operation information acquisition unit is used for detecting operation information generated when the installation package file of the target application program runs. The dynamic characteristic identification unit is used for determining that the target application program is a webpage type application program if the operation information is matched with the dynamic identification characteristic, and the dynamic identification characteristic contains the running characteristic of the installation package file of the webpage type application program in the running state.
In another exemplary embodiment, the file detection module 330 further includes an operation feature combination unit, configured to obtain a plurality of operation features of the web page type application program in an operation state, and combine the plurality of operation features of the web page type application program in the operation state to obtain the dynamic identification feature.
In another exemplary embodiment, the operation information acquiring unit includes an operation information collecting sub-unit and a web page operation comparing sub-unit. The operation information acquisition subunit is used for acquiring operation information generated when the installation package file of the target application program runs in the virtual environment. The webpage operation comparison subunit is used for determining that the operation information is matched with the dynamic identification feature when the operation information indicates that the installation package file of the target application program executes the webpage operation corresponding to the dynamic identification feature during running.
In another exemplary embodiment, the information extraction module 350 includes a regular expression unit and a regular matching unit. The regular expression unit is used for determining a regular expression for matching the uniform resource locator. The regular matching unit is used for extracting the uniform resource locators matched with the regular expressions in the process of carrying out full scanning on the installation package files of the target application program.
In another exemplary embodiment, the information extraction module 350 further includes a script acquisition unit and a script extraction unit. The script acquisition unit is used for acquiring a script file matched with the package file generation platform corresponding to the target application program. The script extraction unit is used for extracting a uniform resource locator from a specified file position in an installation package file of the target application program based on the script file.
In another exemplary embodiment, the information extraction module 350 further includes an operation acquisition unit and a locator extraction unit. The operation collection unit is used for collecting the uniform resource locator loading operation executed when the installation package file of the target application program runs in the virtual environment. The locator extraction unit is used for extracting the loaded uniform resource locator as the uniform resource locator contained in the installation package file of the target application program.
In another exemplary embodiment, the web page detection module 370 includes a template feature acquisition unit and a template feature comparison unit. The template characteristic acquisition unit is used for acquiring the template characteristics contained in the known risk website template. The template characteristic comparison unit is used for matching the webpage information in the webpage positioned by the uniform resource locator with the template characteristics contained in the risk website template, and if consistency between the webpage information and the template characteristics is detected, the webpage is determined to be the risk webpage.
In another exemplary embodiment, the template feature comparison unit includes a resource acquisition subunit, a score acquisition subunit, and a risk web page judgment subunit. The resource acquisition subunit is configured to obtain the resources loaded by accessing the uniform resource locator. The score acquisition subunit is used for inputting the resources into the risk identification model and obtaining the likelihood scores, output by the risk identification model, that the resources originate from different risk website templates. The risk web page judgment subunit is used for determining the web page to be a risk web page when the likelihood score exceeds the score threshold.
In another exemplary embodiment, the template feature comparison unit further includes a picture resource acquisition subunit, a picture resource screening subunit, and a model training subunit. The picture resource acquisition subunit is used for acquiring picture resources contained in different risk website templates. The picture resource screening subunit is used for screening the picture resources with the picture size exceeding the picture threshold value from the picture resources contained in the different risk website templates to obtain the data sets corresponding to the different risk website templates. And the model training subunit is used for training the risk recognition model according to the data sets corresponding to different risk website templates.
It should be noted that the apparatus provided in the foregoing embodiment and the method provided in the foregoing embodiment belong to the same concept, and the specific manner in which each module and unit execute operations has been described in detail in the method embodiment, and is not described again here.
Embodiments of the present application further provide a risk detection device for an application program, which includes a processor and a memory, where the memory stores computer readable instructions, and the computer readable instructions, when executed by the processor, implement the risk detection method for an application program as described above.
Fig. 12 is a schematic structural diagram illustrating a risk detection device for an application according to an exemplary embodiment.
It should be noted that this risk detection device is only one example adapted to the present application and should not be considered as limiting the scope of use of the application in any way. Nor should the risk detection device be construed as needing to rely on, or necessarily having, one or more components of the exemplary risk detection device shown in Fig. 12.
As shown in fig. 12, in an exemplary embodiment, the risk detection device of an application includes a processing component 801, a memory 802, a power component 803, a multimedia component 804, an audio component 805, a sensor component 807, and a communication component 808. The above components are not all necessary, and the risk detection device of the application program may add other components or reduce some components according to its own functional requirements, which is not limited in this embodiment.
The processing component 801 generally controls the overall operation of the risk detection device of the application, such as operations associated with display, data communication, and log data processing. The processing component 801 may include one or more processors 809 to execute instructions to perform all or a portion of the above-described operations. Further, the processing component 801 may include one or more modules that facilitate interaction between the processing component 801 and other components. For example, the processing component 801 may include a multimedia module to facilitate interaction between the multimedia component 804 and the processing component 801.
The memory 802 is configured to store various types of data to support operation at the risk detection device of an application, examples of which include instructions for any application or method operating on the risk detection device of an application. The memory 802 stores one or more modules configured to be executed by the one or more processors 809 to perform all or part of the steps of the risk detection method of the application program described in the above embodiments.
The power component 803 provides power to the various components of the risk detection device of the application. The power component 803 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the risk detection device of the application.
The multimedia component 804 includes a screen that provides an output interface between the risk detection device of the application and the user. In some embodiments, the screen may include a TP (Touch Panel) and an LCD (Liquid Crystal Display). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, slides, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The audio component 805 is configured to output and/or input audio signals. For example, audio component 805 includes a microphone configured to receive external audio signals when the risk detection device of the application is in an operational mode, such as a call mode, a recording mode, and a speech recognition mode. In some embodiments, the audio component 805 also includes a speaker for outputting audio signals.
The sensor component 807 includes one or more sensors for providing various aspects of status assessment for the risk detection device of the application. For example, the sensor component 807 may detect the open/closed state of the risk detection device for the application and may also detect temperature changes of the risk detection device for the application.
The communication component 808 is configured to facilitate communication between the risk detection device of the application and other devices in a wired or wireless manner. The risk detection device of the application may have access to a Wireless network based on a communication standard, such as Wi-Fi (Wireless-Fidelity, Wireless network).
It will be appreciated that the configuration shown in FIG. 12 is merely illustrative and that the risk detection device of an application may include more or fewer components than shown in FIG. 12 or may have different components than shown in FIG. 12. Each of the components shown in fig. 12 may be implemented in hardware, software, or a combination thereof.
Yet another aspect of the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the risk detection method of an application program as described above. The computer-readable storage medium may be included in the risk detection device of the application described in the above embodiment, or may exist separately without being assembled into the risk detection device of the application.
Another aspect of the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device executes the risk detection method of the application program provided in the above embodiments.
The above description is only a preferred exemplary embodiment of the present application, and is not intended to limit the embodiments of the present application, and those skilled in the art can easily make various changes and modifications according to the main concept and spirit of the present application, so that the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A risk detection method for an application program is characterized by comprising the following steps:
acquiring an installation package file of a target application program;
performing feature detection on the installation package file of the target application program, and determining that the target application program is the application program of the webpage type when detecting that the installation package file contains features matched with the application program of the webpage type;
extracting uniform resource locators contained in the installation package file of the target application program;
detecting the webpage positioned by the uniform resource locator according to the webpage information loaded by the target application program during operation;
and if the webpage is detected to be a risk webpage, marking the target application program as a risk application program.
2. The method of claim 1, wherein performing feature detection on the installation package file of the target application program, and when it is detected that the installation package file contains features matching with the application program of the web page type, determining that the target application program is the application program of the web page type comprises:
detecting a file structure contained in an installation package file of the target application program;
and if the file structure matches the static identification features, determining that the target application program is a webpage type application program, wherein the static identification features comprise general structure features contained in an installation package file of the webpage type application program.
3. The method of claim 2, further comprising:
acquiring installation package files of a plurality of webpage type application programs with known risks;
and generating the static identification features according to the file structure features common to the installation package files of the webpage type application programs with known risks.
4. The method of claim 1, wherein performing feature detection on the installation package file of the target application program, and when it is detected that the installation package file contains features matching with the application program of the web page type, determining that the target application program is the application program of the web page type comprises:
detecting operation information generated when an installation package file of the target application program runs;
and if the operation information matches the dynamic identification features, determining that the target application program is a webpage type application program, wherein the dynamic identification features comprise the running features of the installation package file of the webpage type application program in a running state.
5. The method of claim 4, further comprising:
acquiring a plurality of running characteristics of a webpage type application program in a running state;
and combining a plurality of running characteristics of the webpage type application program in a running state to obtain the dynamic identification characteristics.
6. The method of claim 4, wherein detecting operation information generated by the installation package file of the target application program during runtime comprises:
collecting operation information generated when the installation package file of the target application program runs in a virtual environment;
and if the operation information indicates that the installation package file of the target application program executes the webpage operation corresponding to the dynamic identification feature during running, determining that the operation information is matched with the dynamic identification feature.
7. The method of claim 1, wherein detecting the web page located by the uniform resource locator according to the web page information loaded by the target application program during runtime comprises:
acquiring template features contained in a known risk website template;
matching the webpage information in the webpage positioned by the uniform resource locator with the template characteristics contained in the risk website template, and determining the webpage to be a risk webpage if consistency between the webpage information and the template characteristics is detected.
8. The method of claim 7, wherein the web page information comprises the resource that the uniform resource locator indicates is to be loaded; matching the webpage information in the webpage located by the uniform resource locator with the template features contained in the risk website template comprises:
acquiring a resource loaded by accessing the uniform resource locator;
inputting the resources into a risk identification model, and obtaining the likelihood scores, output by the risk identification model, that the resources come from different risk website templates;
determining the web page as a risky web page if the likelihood score exceeds a score threshold.
9. The method of claim 8, wherein the resource that the uniform resource locator indicates is to be loaded comprises a picture resource, the method further comprising:
acquiring picture resources contained in different risk website templates;
screening picture resources with picture sizes exceeding picture threshold values from picture resources contained in different risk website templates to obtain data sets corresponding to different risk website templates;
and training the risk recognition model according to the data sets corresponding to the different risk website templates.
10. The method of claim 1, wherein extracting the uniform resource locator contained in the installation package file of the target application comprises:
determining a regular expression for matching a uniform resource locator;
and during a full scan of the installation package file of the target application program, extracting the uniform resource locators that match the regular expression.
11. The method of claim 1, wherein extracting the uniform resource locator contained in the installation package file of the target application comprises:
acquiring a script file matched with a package file generation platform corresponding to the target application program;
extracting a uniform resource locator from a specified file location in an installation package file of the target application based on the script file.
12. The method of claim 1, wherein extracting the uniform resource locator contained in the installation package file of the target application comprises:
collecting uniform resource locator loading operation executed when the installation package file of the target application program runs in a virtual environment;
and extracting the loaded uniform resource locator as a uniform resource locator contained in an installation package file of the target application program.
13. A risk detection device for an application, comprising:
the file acquisition module is used for acquiring an installation package file of the target application program;
the file detection module is used for carrying out feature detection on the installation package file of the target application program, and determining that the target application program is the application program of the webpage type when the installation package file is detected to contain features matched with the application program of the webpage type;
the information extraction module is used for extracting the uniform resource locators contained in the installation package file of the target application program;
the webpage detection module is used for detecting the webpage positioned by the uniform resource locator according to the webpage information loaded by the target application program during operation;
and the risk marking module is used for marking the target application program as a risk application program when the webpage is detected to be a risk webpage.
14. A risk detection device for an application, comprising:
a memory storing computer readable instructions;
a processor to read computer readable instructions stored by the memory to perform the method of any of claims 1-12.
15. A computer-readable storage medium having computer-readable instructions stored thereon, which, when executed by a processor of a computer, cause the computer to perform the method of any one of claims 1-12.
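An added sketch of the static check in claim 2 and the full-scan regular-expression extraction in claim 10 (not code from the patent). The marker paths, the regular expression, the size cap and the in-memory sample package with its example.test URLs are assumptions made for this illustration; the scan also recovers URLs stored as UTF-16LE strings, which a plain 8-bit pattern would miss.

```python
import io
import re
import zipfile

# Assumption: example structural markers for web-shell packages. The patent
# derives its static identification features from known-risk samples instead.
WEB_TYPE_MARKERS = ("assets/www/index.html", "assets/index.html")
MAX_ENTRY_BYTES = 32 * 1024 * 1024  # skip oversized entries (zip-bomb guard)

URL_RE = re.compile(
    rb"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/?#=&+-]*)?")
# Runs of printable ASCII stored as UTF-16LE (each character followed by NUL).
UTF16_RUN_RE = re.compile(rb"(?:[\x21-\x7e]\x00){10,}")


def is_web_type(names):
    """Static check: does the file structure contain a web-shell marker?"""
    return any(n.startswith(m) for n in names for m in WEB_TYPE_MARKERS)


def urls_in_blob(data):
    """Return the URLs found in raw bytes, in 8-bit and UTF-16LE encodings."""
    found = set(URL_RE.findall(data))
    for run in UTF16_RUN_RE.finditer(data):
        # Drop the interleaved NUL bytes, then apply the same pattern.
        found.update(URL_RE.findall(run.group()[::2]))
    return {u.decode("ascii").rstrip(".") for u in found}


def scan_package(package_bytes):
    """Full scan: return (web-type verdict, {url: [entries containing it]})."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        web_type = is_web_type([i.filename for i in infos])
        for info in infos:
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            for url in urls_in_blob(zf.read(info)):
                hits.setdefault(url, []).append(info.filename)
    return web_type, hits


def build_sample_package():
    """Constructed sample: a tiny web-shell style package built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00binary-manifest")
        zf.writestr(
            "assets/www/index.html",
            '<script>location.href="https://pay.example.test/login?id=1";</script>')
        zf.writestr(
            "resources.arsc",
            b"\x02\x00" + "http://cdn.example.test:8080/t.js".encode("utf-16-le")
            + b"\x00\x00")
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"https://pay.example.test/login?id=1\x00")
    return buf.getvalue()


if __name__ == "__main__":
    web_type, hits = scan_package(build_sample_package())
    print("web page type:", web_type)
    for url, entries in sorted(hits.items()):
        print(url, "<-", ", ".join(entries))
```

Recording which entries carried each URL lets the later web page detection step report where in the package a risky address came from.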
CN202010823320.2A 2020-08-17 2020-08-17 Application program risk detection method and device, equipment and storage medium Active CN111737692B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010823320.2A CN111737692B (en) 2020-08-17 2020-08-17 Application program risk detection method and device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111737692A (en) 2020-10-02
CN111737692B (en) 2020-12-18

Family

ID=72658563

Country Status (1)

Country Link
CN (1) CN111737692B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40030753; Country of ref document: HK)
Country of ref document: HK