CN112269991A - Malicious application detection method and device, electronic equipment and medium - Google Patents


Publication number
CN112269991A
Authority
CN
China
Prior art keywords
application program
application
memory value
target
malicious
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011178226.2A
Other languages
Chinese (zh)
Inventor
黄超华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Meizu Technology Co Ltd
Original Assignee
Meizu Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Meizu Technology Co Ltd
Priority to CN202011178226.2A
Publication of CN112269991A


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The disclosure relates to a malicious application detection method, a malicious application detection device, an electronic device and a medium. The malicious application detection method comprises the following steps: monitoring the memory value of a process in real time; and sending the memory value to an application detection end, so that the application detection end determines, based on the memory value, a target process whose memory value changes abnormally within a first preset time, and determines the application program corresponding to the target process as a malicious application program, wherein the first preset time comprises the time when a target application program is successfully installed, and the target application program comprises a virus application program or a plurality of non-virus application programs. According to the method and the device, the malicious application program is accurately located by detecting the process memory value.

Description

Malicious application detection method and device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a malicious application detection method, apparatus, electronic device, and medium.
Background
With the development of communication technology, mobile terminals, such as smart phones, tablet computers and other devices, are also becoming more and more popular. However, some information security issues are also introduced due to the openness and fragmentation of the android system.
Currently, some malware or malware development kits silently force the installation of applications onto the user's handset. For example, when a third-party application integrates malware, installation privileges are generally escalated through a system vulnerability, and applications from a malicious channel (such as virus applications) are then installed silently. For another example, when a system application integrates a malware development kit, because the system application has installation privileges, malicious code in the kit can initiate an installation, so that applications from a malicious channel are installed. Because there are many third-party applications and system applications, especially system applications with installation privileges, it is difficult to locate the malicious behavior in a particular third-party application or system application.
Disclosure of Invention
To solve the above technical problem or at least partially solve the above technical problem, the present disclosure provides a malicious application detection method, apparatus, electronic device, and medium.
The present disclosure provides a malicious application detection method, including:
monitoring the memory value of the process in real time;
and sending the memory value to an application detection end so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value, and determines an application program corresponding to the target process as a malicious application program, wherein the first preset time comprises the time when the target application program is successfully installed, and the target application program comprises a virus application program or a plurality of non-virus application programs.
Optionally, the application detection end is arranged in the mobile terminal or the server.
Optionally, when the application detection end is set in the server, before monitoring the memory value of the process in real time, the method further includes:
sending a monitoring request to the application detection terminal;
receiving a switch state returned by the application detection terminal in response to the monitoring request, wherein the switch state comprises on or off;
when the switch state is on, monitoring the memory value of the process in real time;
and when the switch state is off, not monitoring the memory value of the process.
Optionally, the switch state is configured based on one or more of an application version of a preset management application program, a terminal model, and a version number of system firmware.
Optionally, the malicious application detection method further includes:
monitoring the broadcast of the target application program which is successfully installed in real time;
when monitoring the broadcast of the target application program which is successfully installed, judging whether the target application program is a virus application program or not based on a preset application blacklist, wherein the preset application blacklist comprises identification information of one or more virus application programs;
when the target application program is a virus application program, the related information of the target application program is sent to the application detection end, so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value after receiving the related information of the target application program.
Optionally, before determining whether the target application is a virus application based on a preset application blacklist, the method further includes:
and when an application blacklist acquisition event is triggered, acquiring the preset application blacklist from a server.
Optionally, the malicious application detection method further includes:
acquiring the CPU utilization rate of the target process within second preset time and one or more of the standby state and the network state of the mobile terminal;
and sending one or more of the CPU utilization rate, the standby state and the network state to the application detection end, so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
The present disclosure provides a malicious application detection method, including:
acquiring a memory value of a process monitored by a mobile terminal in real time;
determining a target process with abnormal memory value change in first preset time based on the memory value, wherein the first preset time comprises the time when a target application program is installed successfully, and the target application program comprises a virus application program or a plurality of non-virus application programs;
and determining the application program corresponding to the target process as a malicious application program.
Optionally, before determining the target process with abnormal memory value change within the first preset time based on the memory value, the method further includes:
and receiving related information of the target application program, wherein the target application program is a virus application program determined by the mobile terminal.
Optionally, the malicious application detection method further includes:
acquiring the CPU utilization rate of the target process and one or more of the standby state and the network state of the mobile terminal within second preset time sent by the mobile terminal, wherein the second preset time comprises the first preset time;
and determining a target process with abnormal memory value change in first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
The present disclosure provides a malicious application detection apparatus, including:
the memory monitoring module is used for monitoring the memory value of the process in real time;
the memory sending module is configured to send the memory value to an application detection end, so that the application detection end determines a target process with abnormal memory value change within a first preset time based on the memory value, and determines an application program corresponding to the target process as a malicious application program, where the first preset time includes a time when the target application program is successfully installed, and the target application program includes a virus application program or multiple non-virus application programs.
The present disclosure provides a malicious application detection apparatus, including:
the memory acquisition module is used for acquiring a memory value of a process monitored by the mobile terminal in real time;
the process determining module is used for determining a target process with abnormal memory value change in first preset time based on the memory value, wherein the first preset time comprises the time when a target application program is installed successfully, and the target application program comprises a virus application program or a plurality of non-virus application programs;
and the application determining module is used for determining the application program corresponding to the target process as a malicious application program.
The present disclosure provides an electronic device, including:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to execute the steps of the malicious application detection method provided by the embodiments of the present disclosure via execution of the executable instructions.
The present disclosure provides a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the steps of the malicious application detection method provided by the embodiments of the present disclosure.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
In the present disclosure, the application detection end determines, based on the memory value, the target process whose memory value changes abnormally within the first preset time, and determines the application program corresponding to the target process as the malicious application program. By combining dynamic monitoring and static analysis, the process whose memory value changes abnormally when a virus application program or a plurality of non-virus application programs are successfully installed can thus be detected, and the application program corresponding to that process, namely the malicious application program, is determined. The malicious application program is thereby accurately located, which solves the difficulty of locating it and facilitates its subsequent handling.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. It is obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flowchart of a malicious application detection method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of another malicious application detection method according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of another malicious application detection method according to an embodiment of the present disclosure;
Fig. 4 is a block diagram of a malicious application detection apparatus according to an embodiment of the present disclosure;
Fig. 5 is a block diagram of another malicious application detection apparatus according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Fig. 1 is a flowchart of a malicious application detection method according to an embodiment of the present disclosure. The method is suitable for accurately locating a third-party application or system application that has integrated malware or a malware development kit; it can be executed by a malicious application detection device, which can be implemented in software and/or hardware and can generally be integrated in electronic equipment. The malicious application detection method provided in this embodiment may be executed by a mobile terminal (including a mobile phone, a computer, a wearable smart device, and the like), and in some embodiments may specifically be executed by a management application (such as a mobile phone manager) installed in the mobile terminal. Specifically, as shown in Fig. 1, the malicious application detection method provided in this embodiment includes:
S110, monitoring the memory value of the process in real time.
The memory value of a process is its memory usage rate or occupancy rate. Because an IO interface needs to be called when an application is installed, a sudden surge in memory certainly occurs when an application calls an installation function. Therefore, the present disclosure detects a third-party application or system application that has integrated malware or a malware development kit by monitoring the memory value of the process in real time. In this embodiment, a process memory monitoring tool may be used to monitor the memory value of the process in real time, or the relevant interface may be called directly to monitor the memory value of the process in real time, which is not limited in this disclosure.
S120, the memory value is sent to the application detection end, so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value, and determines an application program corresponding to the target process as a malicious application program.
The first preset time includes the time when the target application program is successfully installed, and the target application program includes a virus application program or a plurality of non-virus application programs. The first preset time may be set according to an empirical value; in some embodiments it may be two minutes, specifically one minute before and one minute after the target application is successfully installed. An abnormal memory value change manifests as memory jitter, which refers to the phenomenon in which a large number of objects are created or reclaimed in a short time in the system (mobile phone), causing large fluctuations in memory over a short time in the Android system. For example, if, within the first preset time, the memory value of a process at the current time is higher than its memory value at the previous time and higher than a set memory threshold, the memory of the process has risen suddenly, and the memory value of the process is determined to have changed abnormally. Further, since an application that has integrated malware or a malware development kit can install a virus application and a plurality of non-virus applications as a bundle, the non-virus applications may also inconvenience the user. Thus, in some embodiments, the target application includes not only a virus application but may also include a plurality of non-virus applications. Therefore, when a plurality of non-virus applications are installed within the first preset time, the application corresponding to the process whose memory value changes abnormally within the first preset time is still determined to be the malicious application.
The application detection terminal is an application detection module, and may be configured in the mobile terminal or the server. In some embodiments, the application detection terminal is configured in the mobile terminal. At this time, corresponding to the above technical scheme, the mobile terminal monitors the memory value of the process in real time, determines the target process with abnormal memory value change within the first preset time based on the memory value, and determines the application program corresponding to the target process as a malicious application program. Namely, the mobile terminal not only performs the dynamic monitoring operation on the process memory, but also performs the static analysis operation on the monitored memory value. In some other embodiments, to reduce the load of the mobile terminal and improve the detection efficiency of the malicious application, the application detection terminal is configured in a server (e.g., a cloud-side server). At this time, corresponding to the above technical scheme, the mobile terminal monitors the memory value of the process in real time, sends the memory value to the server, and the server determines the target process with abnormal memory value change within the first preset time based on the memory value and determines the application program corresponding to the target process as a malicious application program.
In the present disclosure, the application detection end determines, based on the memory value, the target process whose memory value changes abnormally within the first preset time, and determines the application program corresponding to the target process as the malicious application program. By combining dynamic monitoring and static analysis, the process whose memory value changes abnormally when a virus application program or a plurality of non-virus application programs are successfully installed can thus be detected, and the application program corresponding to that process, namely the malicious application program, is determined. The malicious application program is thereby accurately located, which solves the difficulty of locating it and facilitates its subsequent handling.
In some embodiments, when the application detection terminal is set in the server, before monitoring the memory value of the process in real time, the method further includes: sending a monitoring request to an application detection end; receiving a switch state returned by the application detection terminal in response to the monitoring request, wherein the switch state comprises on or off; when the switch state is on, monitoring the memory value of the process in real time; and when the switch state is off, the memory value of the process is not monitored.
For example, a plurality of mobile terminals may establish a matching relationship with the same server, that is, the plurality of mobile terminals send the memory value of the monitored process to the same server, and the server performs static analysis on the memory value of each process of each mobile terminal. In order to configure the starting time of each mobile terminal for monitoring the process memory value, so as to realize the orderly monitoring of each mobile terminal and improve the effectiveness of the monitoring data of each mobile terminal, the embodiment of the disclosure can set a virtual switch in the mobile terminal, and the starting time and the monitoring duration of each mobile terminal for monitoring the process memory value are controlled by configuring the switch state, namely on or off, of the virtual switch. Specifically, the switch state is configured based on one or more of an application version of a preset management application program (such as a cell phone manager), a terminal model of the mobile terminal, and a version number of system firmware, so that dynamic configuration of the switch state is realized. 
For example, for a mobile terminal A and a mobile terminal B whose terminal models differ, the switch states corresponding to mobile terminal A and mobile terminal B may be preset to turn on at different times. The monitoring requests sent by mobile terminal A and mobile terminal B to the application detection end may include terminal model information; the server determines the switch states corresponding to mobile terminal A and mobile terminal B according to the terminal model information and returns them, so that mobile terminal A and mobile terminal B determine whether to start monitoring the memory value of the process according to the switch states.
In addition, monitoring the memory value of a process in real time (typically detecting the memory value of a process every second) can have an impact on system performance. Thus, in some embodiments, the monitoring duration may be dynamically configurable while ensuring that malicious applications may be effectively and reliably detected. Optionally, the monitoring duration is at least one day, and the default setting is one day. Therefore, the influence on the system performance is reduced while the malicious application program is ensured to be detected.
Optionally, the malicious application detection method further includes: monitoring broadcast of successful installation of a target application program in real time; when monitoring the broadcast of the target application program which is successfully installed, judging whether the target application program is a virus application program or not based on a preset application blacklist, wherein the preset application blacklist comprises identification information of one or more virus application programs; when the target application program is a virus application program, the related information of the target application program is sent to the application detection end, so that the application detection end determines the target process with abnormal memory value change in the first preset time based on the memory value after receiving the related information of the target application program.
Since virus applications can damage the system and system data and steal user privacy information, they do great harm to users. Therefore, the method detects the virus application and traces it back to its installation source, so that virus applications can be eliminated at the root.
Based on the above technical solution, in a specific embodiment of the present disclosure, as shown in fig. 2, the malicious application detection method may include:
S210, monitoring the memory value of the process in real time and monitoring the broadcast of the target application program which is successfully installed in real time.
S220, when the broadcast of the target application program which is installed successfully is monitored, whether the target application program is a virus application program is judged based on a preset application blacklist.
In some embodiments, the preset application blacklist may be compiled by the server from virus applications identified historically and configured in the server. The preset application blacklist includes identification information of one or more virus applications, and the identification information may include an application package name, a signature MD5, an application version number, an APK file MD5, and the like. Illustratively, when an application blacklist acquisition event is triggered, the preset application blacklist is acquired from the server. Specifically, events that trigger acquisition of the application blacklist may include the user switching the network of the mobile terminal or charging the mobile terminal. When the broadcast of the successful installation of the target application is detected, the identification information of the target application is acquired and compared with the identification information of the one or more virus applications in the preset application blacklist, and the target application is determined to be a virus application when its identification information is the same as that of one of the virus applications.
And S230, when the target application program is a virus application program, sending the memory value and the related information of the target application program to an application detection terminal.
The relevant information of the target application program can include the identification information and other information used for representing the virus application program, and the relevant information of the target application program can be fed back to the server, so that the server updates the preset application blacklist. After the application detection end obtains the memory value within the first preset time corresponding to the successful installation moment of the target application program, the target process with the abnormal memory value change is determined, and the application program corresponding to the target process is determined to be a malicious application program.
Based on the above technical solution, the malicious application detection method may further include: acquiring the CPU utilization rate of a target process in second preset time and one or more of the standby state and the network state of the mobile terminal; and sending one or more of the CPU utilization rate, the standby state and the network state to an application detection end, so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
In some embodiments, the malicious application may be given a secondary check using the CPU utilization of the target process and one or more of the standby state and the network state of the mobile terminal, to further improve the accuracy of detecting the malicious application. Specifically, the second preset time includes the first preset time, and at its longest may be the monitoring duration. When one or more of the following conditions is detected, namely a sudden increase in the CPU utilization of the target process, the mobile terminal being in standby, and the mobile terminal not being networked, the application corresponding to the target process is determined to be a malicious application. If an application is successfully installed while the mobile terminal is in standby and not networked, the application was downloaded in advance and installed silently, and was probably installed illegitimately (not actively installed by the user). Therefore, determining the target process whose memory value changes abnormally within the first preset time based on the memory value in combination with one or more of the CPU utilization, the standby state and the network state allows the malicious application to be determined more accurately.
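The detection-end analysis described above (the window of one minute either side of install success, the rule that a sample is higher than the previous one and above a set threshold, and the secondary CPU, standby and network check), as an added Python example that is not part of the patent. The thresholds, record fields and package names are assumptions, and reading "a plurality of non-virus application programs" as two or more such installs within the first preset time is an interpretation.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_S = 60               # the page's example: one minute before and after install success
MEM_THRESHOLD_KB = 200_000  # assumed value for the "set memory threshold"
CPU_SPIKE_PCT = 30.0        # assumed rise between samples that counts as a sudden increase


@dataclass(frozen=True)
class Sample:               # one memory reading reported by the mobile terminal
    ts: int                 # seconds
    package: str
    mem_kb: int
    cpu_pct: float


@dataclass(frozen=True)
class Install:              # one "install succeeded" broadcast
    ts: int
    package: str
    blacklisted: bool       # True if the terminal matched it against the blacklist
    standby: bool           # device state at install time
    networked: bool


def trigger_installs(installs: List[Install]) -> List[Install]:
    """Installs that open a detection window: a blacklisted (virus) app, or a
    non-virus app installed within one window length of another non-virus app."""
    clean = [i for i in installs if not i.blacklisted]
    out = []
    for inst in installs:
        bundled = any(o is not inst and abs(o.ts - inst.ts) <= 2 * WINDOW_S for o in clean)
        if inst.blacklisted or bundled:
            out.append(inst)
    return out


def jitter_hits(series: List[Sample], start: int, end: int) -> List[Tuple[Sample, Sample]]:
    """The page's rule: a sample inside [start, end] that is higher than the
    previous sample of the same process and higher than the threshold."""
    return [(prev, cur) for prev, cur in zip(series, series[1:])
            if start <= cur.ts <= end
            and cur.mem_kb > prev.mem_kb and cur.mem_kb > MEM_THRESHOLD_KB]


def detect(samples: List[Sample], installs: List[Install]) -> List[dict]:
    by_pkg: Dict[str, List[Sample]] = {}
    for s in sorted(samples, key=lambda s: s.ts):
        by_pkg.setdefault(s.package, []).append(s)
    findings = []
    for inst in trigger_installs(installs):
        for pkg, series in by_pkg.items():
            if pkg == inst.package:   # assumption: the installed app is not its own installer
                continue
            hits = jitter_hits(series, inst.ts - WINDOW_S, inst.ts + WINDOW_S)
            if not hits:
                continue
            signals = []              # secondary check: each corroborating condition
            if any(cur.cpu_pct - prev.cpu_pct >= CPU_SPIKE_PCT for prev, cur in hits):
                signals.append("cpu_spike")
            if inst.standby:
                signals.append("standby")
            if not inst.networked:
                signals.append("offline")
            findings.append({"suspect": pkg, "installed": inst.package,
                             "first_hit_ts": hits[0][1].ts, "signals": signals})
    return findings


def constructed_data() -> Tuple[List[Sample], List[Install]]:
    """Constructed sample telemetry, not taken from the patent."""
    samples = []
    for ts in range(940, 1061, 10):
        # Steadily high memory: above threshold but never rising, so no hit.
        samples.append(Sample(ts, "com.example.game", 350_000, 20.0))
        # Host of the malicious kit: surges around the install at ts=1000.
        mem, cpu = (260_000, 55.0) if 990 <= ts <= 1010 else (80_000, 5.0)
        samples.append(Sample(ts, "com.example.flashlight", mem, cpu))
    # A surge far outside the window must not be attributed to the install.
    samples.append(Sample(700, "com.example.browser", 100_000, 10.0))
    samples.append(Sample(710, "com.example.browser", 300_000, 60.0))
    installs = [Install(1000, "com.example.virus", True, True, False)]
    return samples, installs


if __name__ == "__main__":
    for finding in detect(*constructed_data()):
        print(finding)
```

The rule as the text states it flags any rise above the threshold inside the window, so a legitimately busy process that happens to grow during an install is reported too; the secondary signals are what separate the two cases.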
In addition, Fig. 3 is a flowchart of another malicious application detection method provided in the embodiment of the present disclosure. The method is suitable for accurately locating a third-party application or system application that has integrated malware or a malware development kit; it can be executed by a malicious application detection device, which can be implemented in software and/or hardware and can generally be integrated in electronic equipment. The malicious application detection method provided by this embodiment can be executed by a server (including a cloud server). Specifically, as shown in Fig. 3, the malicious application detection method provided in this embodiment includes:
S310, obtaining a memory value of a process monitored by the mobile terminal in real time.
S320, determining the target process with abnormal memory value change in the first preset time based on the memory value.
The first preset time comprises the time when the target application program is installed successfully, and the target application program comprises a virus application program or a plurality of non-virus application programs.
S330, determining the application program corresponding to the target process as a malicious application program.
Optionally, before determining the target process with abnormal memory value change within the first preset time based on the memory value, the method further includes:
and receiving related information of a target application program, wherein the target application program is a virus application program determined by the mobile terminal.
Optionally, the malicious application detection method further includes:
acquiring the CPU utilization rate of a target process within second preset time sent by the mobile terminal and one or more of the standby state and the network state of the mobile terminal, wherein the second preset time comprises first preset time;
and determining the target process with abnormal memory value change in the first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
The malicious application detection method provided in this embodiment and the malicious application detection methods provided in the foregoing embodiments belong to a general inventive concept, have the same or corresponding specific technical features, and can achieve the same technical effects.
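The server-side flow S310 to S330 together with the secondary check can be sketched as follows. This is an added example, not code from the patent: the thresholds, the baseline-versus-window comparison used to define "abnormal", the process and application names, and the sample values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Sample:
    ts: int         # seconds since monitoring started
    process: str    # process name reported by the mobile terminal
    mem_kb: int     # memory value of the process
    cpu_pct: float  # CPU utilization of the process

# Assumed thresholds: the page does not define "abnormal" numerically.
MEM_JUMP_RATIO = 1.5   # peak inside the window vs. median before it
CPU_SURGE_PCT = 30.0   # rise counted as a sudden CPU increase

def _split(rows, install_ts, half_width):
    """Split one process's samples into (before window, inside window)."""
    lo, hi = install_ts - half_width, install_ts + half_width
    return ([r for r in rows if r.ts < lo],
            [r for r in rows if lo <= r.ts <= hi])

def memory_anomalies(samples, install_ts, first_window):
    """S320: processes whose memory jumps within the first preset time."""
    by_proc = {}
    for s in samples:
        by_proc.setdefault(s.process, []).append(s)
    flagged = {}
    for proc, rows in by_proc.items():
        before, inside = _split(rows, install_ts, first_window)
        if not before or not inside:
            continue  # no baseline or no data in the window: cannot judge
        baseline = median(r.mem_kb for r in before)
        peak = max(r.mem_kb for r in inside)
        ratio = peak / baseline if baseline else float("inf")
        if ratio >= MEM_JUMP_RATIO:
            flagged[proc] = round(ratio, 2)
    return flagged

def cpu_surged(samples, proc, install_ts, second_window):
    """Sudden CPU increase of one process within the second preset time."""
    rows = [s for s in samples if s.process == proc]
    before, inside = _split(rows, install_ts, second_window)
    if not before or not inside:
        return False
    rise = max(r.cpu_pct for r in inside) - median(r.cpu_pct for r in before)
    return rise >= CPU_SURGE_PCT

def detect(samples, install_ts, standby, networked, proc_to_app,
           first_window=30, second_window=60):
    """S330 plus secondary check: confirm a memory anomaly only when at
    least one auxiliary condition (CPU surge, standby, offline) holds."""
    verdicts = []
    anomalies = memory_anomalies(samples, install_ts, first_window)
    for proc, ratio in anomalies.items():
        reasons = []
        if cpu_surged(samples, proc, install_ts, second_window):
            reasons.append("cpu_surge")
        if standby:
            reasons.append("standby")
        if not networked:
            reasons.append("offline")
        if reasons:
            verdicts.append({"app": proc_to_app.get(proc, proc),
                             "process": proc, "mem_ratio": ratio,
                             "reasons": reasons})
    return verdicts

def constructed_samples():
    """Constructed data: one sample per process every 60 s; the target
    application is reported as installed at ts=300."""
    rows = []
    for ts in range(0, 361, 60):
        hit = ts >= 300
        rows.append(Sample(ts, "com.example.launcher",
                           160000 if hit else 80000, 55.0 if hit else 2.0))
        rows.append(Sample(ts, "com.example.notes",
                           42000 if hit else 40000, 1.0))
    return rows

SAMPLES = constructed_samples()
APPS = {"com.example.launcher": "Example Launcher"}  # hypothetical mapping

if __name__ == "__main__":
    print(detect(SAMPLES, 300, standby=True, networked=False, proc_to_app=APPS))
```

A process that first appears inside the window has no baseline and is skipped here; a deployment would need an explicit rule for that case.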
Corresponding to the malicious application detection method shown in fig. 1, an embodiment of the present disclosure further provides a malicious application detection apparatus. Fig. 4 is a block diagram of a malicious application detection apparatus according to an embodiment of the present disclosure. As shown in fig. 4, the malicious application detection apparatus includes:
a memory monitoring module 41, configured to monitor a memory value of a process in real time;
the memory sending module 42 is configured to send a memory value to the application detection end, so that the application detection end determines, based on the memory value, a target process in which the memory value is abnormally changed within a first preset time, and determines an application program corresponding to the target process as a malicious application program, where the first preset time includes a time when the target application program is successfully installed, and the target application program includes a virus application program or multiple non-virus application programs.
Optionally, the application detection terminal is arranged in the mobile terminal or the server.
Optionally, when the application detection end is disposed in the server, the malicious application detection apparatus further includes:
the monitoring request sending module is used for sending a monitoring request to the application detection terminal before the memory value of the process is monitored in real time;
the switch state feedback module is used for receiving a switch state returned by the application detection end in response to the monitoring request, wherein the switch state comprises on or off;
the monitoring state control module is used for monitoring the memory value of the process in real time when the switch state is on; and when the switch state is off, the memory value of the process is not monitored.
Optionally, the switch state is configured based on one or more of an application version of a preset management application, a terminal model, and a version number of system firmware.
Optionally, the malicious application detection apparatus further includes:
the broadcast monitoring module is used for monitoring, in real time, the broadcast indicating that the target application program has been installed successfully;
the virus judging module is used for judging, when the broadcast indicating that the target application program has been installed successfully is detected, whether the target application program is a virus application program based on a preset application blacklist, wherein the preset application blacklist comprises identification information of one or more virus application programs;
the information sending module is used for sending the relevant information of the target application program to the application detection end when the target application program is the virus application program, so that the application detection end determines the target process with abnormal memory value change in the first preset time based on the memory value after receiving the relevant information of the target application program.
Optionally, the malicious application detection apparatus further includes:
and the blacklist acquisition module is used for acquiring the preset application blacklist from the server before judging whether the target application program is the virus application program based on the preset application blacklist and when an application blacklist acquisition event is triggered.
Optionally, the malicious application detection apparatus further includes:
the auxiliary parameter acquisition module is used for acquiring the CPU utilization rate of the target process in second preset time and one or more of the standby state and the network state of the mobile terminal;
and the auxiliary parameter sending module is used for sending one or more of the CPU utilization rate, the standby state and the network state to the application detection end so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
The malicious application detection apparatus provided in this embodiment may be used to execute the malicious application detection method provided in the corresponding embodiment, and has the same functions and beneficial effects as the malicious application detection method.
Corresponding to the malicious application detection method shown in fig. 3, an embodiment of the present disclosure further provides a malicious application detection apparatus. Fig. 5 is a block diagram of a malicious application detection apparatus according to an embodiment of the present disclosure. As shown in fig. 5, the malicious application detection apparatus includes:
a memory obtaining module 51, configured to obtain a memory value of a process monitored by the mobile terminal in real time;
the process determining module 52 is configured to determine, based on the memory value, a target process in which the memory value changes abnormally within a first preset time, where the first preset time includes a time when the target application is successfully installed, and the target application includes a virus application or multiple non-virus applications;
and the application determining module 53 is configured to determine the application program corresponding to the target process as a malicious application program.
Optionally, the malicious application detection apparatus further includes:
the information receiving module is used for receiving related information of a target application program before determining a target process with abnormal memory value change in first preset time based on the memory value, wherein the target application program is a virus application program determined by the mobile terminal.
Optionally, the malicious application detection apparatus further includes:
the auxiliary parameter receiving module is used for acquiring the CPU utilization rate of the target process within second preset time sent by the mobile terminal and one or more of the standby state and the network state of the mobile terminal, wherein the second preset time comprises first preset time;
the process determination module is further configured to determine, based on the memory value and in combination with one or more of a CPU utilization rate, a standby state, and a network state, a target process in which the memory value changes abnormally within a first preset time.
The malicious application detection apparatus provided in this embodiment may be used to execute the malicious application detection method provided in the corresponding embodiment, and has the same functions and beneficial effects as the malicious application detection method.
The present disclosure provides an electronic device, including: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the steps of the malicious application detection method provided by the embodiments of the present disclosure via execution of executable instructions.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 6, the electronic device 600 includes one or more processors 601 and memory 602.
The processor 601 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 600 to perform desired functions.
Memory 602 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by processor 601 to implement the malicious application detection methods of the embodiments of the present disclosure described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 600 may further include: an input device 603 and an output device 604, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 603 may also include, for example, a keyboard, a mouse, and the like.
The output device 604 may output various information including the determined distance information, direction information, and the like to the outside. The output devices 604 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for simplicity, only some of the components of the electronic device 600 relevant to the present disclosure are shown in fig. 6, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 600 may include any other suitable components depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the malicious application detection methods provided by embodiments of the present disclosure.
The program code of the computer program product for carrying out operations of embodiments of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform the malicious application detection method provided by embodiments of the present disclosure.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that, in this document, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (14)

1. A malicious application detection method, comprising:
monitoring the memory value of the process in real time;
and sending the memory value to an application detection end so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value, and determines an application program corresponding to the target process as a malicious application program, wherein the first preset time comprises the time when the target application program is successfully installed, and the target application program comprises a virus application program or a plurality of non-virus application programs.
2. The malicious application detection method according to claim 1, wherein the application detection terminal is disposed in a mobile terminal or a server.
3. The malicious application detection method according to claim 2, wherein when the application detection terminal is disposed in the server, before monitoring a memory value of the process in real time, the method further comprises:
sending a monitoring request to the application detection terminal;
receiving a switch state returned by the application detection terminal in response to the monitoring request, wherein the switch state comprises on or off;
when the switch state is on, monitoring the memory value of the process in real time;
and when the switch state is off, not monitoring the memory value of the process.
4. The malicious application detection method according to claim 3, wherein the switch state is configured based on one or more of an application version of a preset management application, a terminal model, and a version number of system firmware.
5. The malicious application detection method according to claim 1, further comprising:
monitoring the broadcast of the target application program which is successfully installed in real time;
when monitoring the broadcast of the target application program which is successfully installed, judging whether the target application program is a virus application program or not based on a preset application blacklist, wherein the preset application blacklist comprises identification information of one or more virus application programs;
when the target application program is a virus application program, the related information of the target application program is sent to the application detection end, so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value after receiving the related information of the target application program.
6. The malicious application detection method according to claim 5, wherein before determining whether the target application is a virus application based on a preset application blacklist, the method further comprises:
and when an application blacklist acquisition event is triggered, acquiring the preset application blacklist from a server.
7. The malicious application detection method according to any one of claims 1 to 6, further comprising:
acquiring the CPU utilization rate of the target process within second preset time and one or more of the standby state and the network state of the mobile terminal;
and sending one or more of the CPU utilization rate, the standby state and the network state to the application detection end, so that the application detection end determines a target process with abnormal memory value change in first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
8. A malicious application detection method, comprising:
acquiring a memory value of a process monitored by a mobile terminal in real time;
determining a target process with abnormal memory value change in first preset time based on the memory value, wherein the first preset time comprises the time when a target application program is installed successfully, and the target application program comprises a virus application program or a plurality of non-virus application programs;
and determining the application program corresponding to the target process as a malicious application program.
9. The malicious application detection method according to claim 8, wherein before determining the target process with abnormal memory value change within the first preset time based on the memory value, the method further comprises:
and receiving related information of the target application program, wherein the target application program is a virus application program determined by the mobile terminal.
10. The malicious application detection method according to claim 8 or 9, further comprising:
acquiring the CPU utilization rate of the target process and one or more of the standby state and the network state of the mobile terminal within second preset time sent by the mobile terminal, wherein the second preset time comprises the first preset time;
and determining a target process with abnormal memory value change in first preset time based on the memory value and in combination with one or more of the CPU utilization rate, the standby state and the network state.
11. A malicious application detection apparatus, comprising:
the memory monitoring module is used for monitoring the memory value of the process in real time;
the memory sending module is configured to send the memory value to an application detection end, so that the application detection end determines a target process with abnormal memory value change within a first preset time based on the memory value, and determines an application program corresponding to the target process as a malicious application program, where the first preset time includes a time when the target application program is successfully installed, and the target application program includes a virus application program or multiple non-virus application programs.
12. A malicious application detection apparatus, comprising:
the memory acquisition module is used for acquiring a memory value of a process monitored by the mobile terminal in real time;
the process determining module is used for determining a target process with abnormal memory value change in first preset time based on the memory value, wherein the first preset time comprises the time when a target application program is installed successfully, and the target application program comprises a virus application program or a plurality of non-virus application programs;
and the application determining module is used for determining the application program corresponding to the target process as a malicious application program.
13. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the steps of the malicious application detection method of any of claims 1 to 10 via execution of the executable instructions.
14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the malicious application detection method according to any one of claims 1 to 10.
CN202011178226.2A 2020-10-29 2020-10-29 Malicious application detection method and device, electronic equipment and medium Pending CN112269991A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011178226.2A CN112269991A (en) 2020-10-29 2020-10-29 Malicious application detection method and device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011178226.2A CN112269991A (en) 2020-10-29 2020-10-29 Malicious application detection method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN112269991A true CN112269991A (en) 2021-01-26

Family

ID=74345694

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011178226.2A Pending CN112269991A (en) 2020-10-29 2020-10-29 Malicious application detection method and device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN112269991A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination