CN112328977A - Method, device, equipment and medium for detecting authenticity of application software

Info

Publication number: CN112328977A
Authority: CN (China)
Prior art keywords: application software, label, target application, authenticity, detected
Legal status: Granted; Active
Application number: CN202011239787.9A
Other languages: Chinese (zh)
Other versions: CN112328977B (en)
Inventors: 陈绪锋, 范渊, 吴卓群
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Abstract

The application discloses a method, a device, equipment and a medium for detecting the authenticity of application software. The method comprises the following steps: acquiring function description information of target application software; extracting a character string that conforms to a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string; generating a label to be detected of the target application software by using a dynamic link library corresponding to the target application software and a pre-constructed label model; and matching the sample label with the label to be detected to judge the authenticity of the target application software. With this method, the generated label to be detected truly reflects the function of the target application software, and comparing the sample label with the label to be detected detects the authenticity of the target application software, so that false software is identified automatically without being limited by the usage scenario, and the software authenticity detection capability is improved.

Description

Method, device, equipment and medium for detecting authenticity of application software
Technical Field
The invention relates to the field of application software, in particular to a method, a device, equipment and a medium for detecting authenticity of application software.
Background
Currently, people use various application software in daily life. Faced with many download channels, users may mistakenly download false application software, that is, software whose actual functions are not consistent with its described functions, so that users waste time and energy and may even suffer economic loss. In the prior art, the authenticity of software is checked manually, but the manual approach has low efficiency and high cost. The prior art also detects the authenticity of software by means of software signatures, that is, through a software signature provided by a trusted manufacturer; however, a large amount of unsigned software exists on the network, and manufacturers cannot be completely trusted, so this method has a limited application range and unreliable detection results, and software authenticity detection capability is reduced.
Disclosure of Invention
In view of the above, the present invention provides a method, an apparatus, a device and a medium for detecting the authenticity of application software, which can improve software authenticity detection capability. The specific scheme is as follows:
In a first aspect, the application discloses a method for detecting authenticity of application software, comprising:
acquiring function description information of target application software;
extracting a character string which accords with a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string;
generating a label to be detected of the target application software by using a dynamic link library corresponding to the target application software and a label model which is constructed in advance;
and matching the sample label with the label to be detected to judge the authenticity of the target application software.
Optionally, the extracting, from the function description information, a character string that meets a preset regular expression rule, and obtaining a sample tag of the target application software based on the character string includes:
matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule;
and matching the character string with the content in a preset label list to determine a sample label corresponding to the target application software.
Optionally, the generating a to-be-detected label of the target application software by using the dynamic link library corresponding to the target application software and the label model constructed in advance includes:
determining a function called by the target application software from a dynamic link library corresponding to the target application software;
performing logic operation on the function codes among the functions to obtain software codes;
and inputting the software code into a label model which is constructed in advance to obtain a label to be detected of the target application software.
Optionally, before performing the logic operation on the function code corresponding to the function in the dynamic link library, the method further includes:
coding all functions in the dynamic link library according to a preset coding rule to obtain corresponding function codes; the preset coding rule is that the AND operation result of any two function codes is 0.
Optionally, before generating the to-be-detected label of the target application software by using the dynamic link library of the target application software and the label model constructed in advance, the method further includes:
obtaining a PE file of the target application software;
and checking the import table of the PE file to determine a dynamic link library corresponding to the target application software.
Optionally, the creating process of the label model includes:
marking the acquired software code to obtain a training sample containing marking information;
training a blank model constructed based on an artificial neural network by using the training sample, and performing iterative updating in the training until the model is converged to obtain the label model; wherein,
in the construction of the blank model, a Sigmoid function is adopted as an activation function of the artificial neural network, and a loss value of the data to be detected and sample data is calculated by utilizing a cross entropy loss function; the training process of the blank model is a regularization training process.
Optionally, the matching the sample label with the label to be detected to determine whether the target application software is true or false includes:
matching operation is carried out on the sample label and the label to be detected by utilizing a cosine similarity algorithm, and a corresponding scalar numerical value is obtained;
and if the scalar numerical value is smaller than a preset scalar threshold value, judging that the target application software is false software.
In a second aspect, the present application discloses an apparatus for detecting authenticity of application software, comprising:
the information acquisition module is used for acquiring the function description information of the target application software;
the sample label generating module is used for extracting a character string which accords with a preset regular expression rule from the function description information and obtaining a sample label of the target application software based on the character string;
the label generation module to be detected is used for generating a label to be detected of the target application software by utilizing a dynamic link library corresponding to the target application software and a label model which is constructed in advance;
and the authenticity judgment module is used for matching the sample label with the label to be detected so as to judge the authenticity of the target application software.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the application software authenticity detection method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program realizes the above-mentioned application software authenticity detection method when being executed by the processor.
According to the method and the device, the function description information of the target application software is obtained, the character strings meeting the preset regular expression rules are extracted from the function description information, the sample labels of the target application software are obtained based on the character strings, the dynamic link library corresponding to the target application software and the label model which is constructed in advance are used for generating the labels to be detected of the target application software, and finally the sample labels and the labels to be detected are matched to judge the authenticity of the target application software. It can be seen that the corresponding sample label is determined through the function description information of the target application software, the corresponding label to be detected is generated by reading the dynamic link library corresponding to the target application software and utilizing the label model which is constructed in advance, the function of the target application software can be truly reflected by the generated label to be detected, and finally the sample label is compared with the label to be detected to detect the authenticity of the target application software.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an application software authenticity detection method provided by the present application;
Fig. 2 is a flowchart of a specific method for detecting authenticity of application software provided by the present application;
Fig. 3 is a schematic diagram of an encoding method provided in the present application;
Fig. 4 is a schematic structural diagram of an application software authenticity detection apparatus provided in the present application;
Fig. 5 is a block diagram of an electronic device provided in the present application.
Detailed Description
In the prior art, the authenticity of software is detected by means of software signatures, that is, through a software signature provided by a trusted manufacturer; however, a large amount of unsigned software exists on the network, and manufacturers cannot be completely trusted, so the application range of that method is limited and the authenticity detection capability for application software is reduced. To overcome these technical problems, the present application provides a neural-network-based method for detecting the authenticity of application software, which can improve the efficiency and accuracy of software authenticity detection.
The embodiment of the application discloses a method for detecting authenticity of application software, which is shown in fig. 1 and can comprise the following steps:
Step S11: acquiring the function description information of the target application software.
In this embodiment, the function description information of the target application software is obtained first. It can be understood that there are many software download sources on the Internet; using the software download link and the description of the software's functions provided by a download source, the target application software sample and its function description information can be obtained manually or with an automatic crawler.
Step S12: extracting a character string which accords with a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string.
In this embodiment, after the function description information is acquired, a character string that meets a preset regular expression rule is extracted from the function description information, and then a sample label of the target application software is obtained based on the extracted character string. Specifically, a preset regular expression is used for matching with the obtained function description information to obtain a character string which accords with the rule of the preset regular expression, and then a corresponding sample label vector is determined based on the character string so as to facilitate detection in the subsequent steps.
Step S13: generating the label to be detected of the target application software by using the dynamic link library corresponding to the target application software and a label model which is constructed in advance.
In this embodiment, based on the information data in the dynamic link library corresponding to the target application software, and by using the label model constructed in advance, the corresponding label to be detected is generated for the target application software. It can be understood that the specific realizable functions of the target application software can be determined by looking up the information data in the dynamic link library corresponding to the target application software, and then the corresponding to-be-detected label is generated for the target application software by combining the label model which is constructed in advance, so that the obtained to-be-detected label can truly reflect the real functions of the target application software.
In this embodiment, before generating the to-be-detected label of the target application software by using the dynamic link library of the target application software and the pre-constructed label model, the method may further include: acquiring a PE (Portable Executable) file of the target application software; and checking the import table of the PE file to determine the dynamic link library corresponding to the target application software. Specifically, the compressed package of the target application software, which is acquired together with the function description information, is decompressed to obtain the files of the target application software, and the PE file of the target application software is identified according to the characteristics of PE files, that is, the universal file suffix, the file content format, and the signature. Finally, the dynamic link libraries and the functions called by the target application software are determined by querying the information in the import table.
Step S14: matching the sample label with the label to be detected to judge the authenticity of the target application software.
In this embodiment, after the sample label and the label to be detected are obtained, the sample label and the label to be detected are matched, and then the authenticity of the target application software can be judged according to the similarity between the sample label and the label to be detected.
As can be seen from the above, in this embodiment, the function description information of the target application software is obtained, then the character string meeting the preset regular expression rule is extracted from the function description information, the sample label of the target application software is obtained based on the character string, then the label to be detected of the target application software is generated by using the dynamic link library corresponding to the target application software and the label model established in advance, and finally the sample label is matched with the label to be detected, so as to determine the authenticity of the target application software. It can be seen that the corresponding sample label is determined through the function description information of the target application software, the corresponding label to be detected is generated by reading the dynamic link library corresponding to the target application software and utilizing the label model which is constructed in advance, the function of the target application software can be truly reflected by the generated label to be detected, and finally the sample label is compared with the label to be detected to detect the authenticity of the target application software.
The embodiment of the application discloses a specific method for detecting authenticity of application software, which is shown in fig. 2 and can comprise the following steps:
Step S21: acquiring the function description information of the target application software.
Step S22: matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule.
In the embodiment, after the function description information of the target application software is acquired, a preset regular expression is matched with the function description information, and a character string conforming to the regular expression rule is acquired through matching; specifically, one or more text fields can be matched through matching a preset regular expression with the function description information, so as to obtain a character string according with a preset regular expression rule.
Step S23: matching the character string with the content in a preset label list to determine a sample label corresponding to the target application software.
In this embodiment, after the character string is obtained, it is matched with the content in a preset tag list to determine the sample tag corresponding to the target application software. It can be understood that the preset tag list is a tag list of common software and contains sample character strings conforming to a preset sample rule expression. Each character string obtained by matching is compared with the data in the tag list: if the character string appears in the tag list, the number 1 is generated; otherwise, the number 0 is generated. This converts characters to numbers, which facilitates subsequent comparison, detection and storage.
Step S24: determining the functions called by the target application software from a dynamic link library corresponding to the target application software; and performing a logic operation on the function codes of the functions to obtain the software code.
In this embodiment, the PE file of the target application software may be obtained by decompressing the compressed package of the target application software, and the import table of the PE file is then checked to determine the dynamic link library corresponding to the target application software. The functions called by the target application software are then determined by reading the dynamic link library, and a logic operation is performed on the function codes of those functions to obtain the software code corresponding to the target software.
In this embodiment, before performing the logic operation on the function codes corresponding to the functions in the dynamic link library, the method may further include: encoding all functions in the dynamic link library according to a preset coding rule to obtain the corresponding function codes; the preset coding rule is that the AND operation result of any two function codes is 0. For example, in the encoding method shown in fig. 3, function names are encoded with the dynamic link library as the unit, so as to obtain, for each dynamic link library, a function code table; the dynamic link libraries containing function code tables can be compiled manually by collecting common function libraries and function names. With this encoding, the AND operation result of any two different function codes is 0. The logic operation can be an OR operation: after the corresponding dynamic link library is determined, the codes of the called functions are obtained by lookup, and the OR operation is performed on those function codes in the dynamic link library to obtain the corresponding software code.
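The following Python sketch is an added illustration of the encoding step and is not code from the patent. It assumes one bit per function within each DLL, which is one encoding that satisfies the "AND of any two codes is 0" rule; the DLL tables, the sample import list and all helper names are constructed.

```python
from itertools import combinations

# Constructed per-DLL function tables (the patent describes these as manually collected).
FUNCTION_TABLE = {
    "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CreateProcessW"],
    "ws2_32.dll": ["socket", "connect", "send", "recv"],
    "advapi32.dll": ["RegOpenKeyExW", "RegSetValueExW"],
}

# Constructed import-table entries of a hypothetical target PE file: (DLL, function).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
    ("WS2_32.dll", "connect"), ("WS2_32.dll", "send"),
    ("USER32.dll", "MessageBoxW"),  # DLL missing from the table
]

def build_codes(table):
    """Give every function in a DLL its own bit, so any two codes AND to 0."""
    return {dll: {name: 1 << i for i, name in enumerate(funcs)}
            for dll, funcs in table.items()}

def check_disjoint(codes):
    """Verify the preset coding rule: pairwise AND of codes within a DLL is 0."""
    return all(a & b == 0
               for per_dll in codes.values()
               for a, b in combinations(per_dll.values(), 2))

def software_code(imports, codes):
    """OR together the codes of the imported functions, per DLL.

    Returns (code per DLL, imports that have no entry in the code table).
    """
    result = {dll: 0 for dll in codes}
    unknown = []
    for dll, func in imports:
        code = codes.get(dll.lower(), {}).get(func)  # DLL names are case-insensitive
        if code is None:
            unknown.append((dll, func))  # cannot be encoded, so the model never sees it
        else:
            result[dll.lower()] |= code
    return result, unknown

def to_bits(result, table):
    """Flatten the per-DLL codes into a fixed-order 0/1 vector for the label model."""
    return [(result[dll] >> i) & 1
            for dll in table for i in range(len(table[dll]))]

def decode(result, codes):
    """Disjoint codes make the OR lossless: recover the exact set of called functions."""
    return sorted((dll, name) for dll, per_dll in codes.items()
                  for name, c in per_dll.items() if result[dll] & c)

if __name__ == "__main__":
    codes = build_codes(FUNCTION_TABLE)
    result, unknown = software_code(SAMPLE_IMPORTS, codes)
    print("rule holds:", check_disjoint(codes))
    print("software code:", result)
    print("model input bits:", to_bits(result, FUNCTION_TABLE))
    print("not in table:", unknown)
```

Sequential codes such as 1, 2, 3 would break the rule (1 OR 2 equals 3), which is why `check_disjoint` rejects them. Imports absent from the manually collected table contribute nothing to the software code, so table coverage bounds what the label model can see.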
Step S25: inputting the software code into a label model which is constructed in advance to obtain a label to be detected of the target application software.
In this embodiment, after determining the software code of the target application software, the software code is input into a pre-constructed tag model, and a corresponding vector tag, that is, a tag to be detected of the target application software is obtained through calculation, where values of the tag to be detected in different dimensions are all between 0 and 1.
In this embodiment, the process of creating the label model may include: marking the acquired software code to obtain a training sample containing marking information; training a blank model constructed based on an artificial neural network by using the training sample, and performing iterative updating in the training until the model is converged to obtain the label model; the construction of the blank model adopts a Sigmoid function as an activation function of the artificial neural network, and calculates the loss value of the data to be detected and the sample data by using a cross entropy loss function; the training process of the blank model is a regularization training process.
It can be understood that, when creating the label model, the acquired software codes are labeled to obtain the training samples of the model. Specifically, the training sample set is denoted by $X_i$, where $i = 1, 2, \ldots, N$ indicates the $i$-th sample in the training sample set; the label vector is denoted by $Y$, where $Y_i$ is a vector of dimension $M$ and $Y_i^{(j)}$ is the $j$-th dimension label of the $i$-th sample, $j = 1, 2, \ldots, M$. $Y_i^{(j)}$ takes the value 0 or 1: if $Y_i^{(j)}$ is 0, $X_i$ does not belong to the corresponding $j$-th dimension label; if $Y_i^{(j)}$ is 1, $X_i$ belongs to the corresponding $j$-th dimension label. After the training samples containing labeling information are obtained, they are input into a blank model constructed based on an artificial neural network for training, and iterative updating is performed during training until the model converges, that is, iteration is repeated until the error of the neural network model is small, so as to obtain the label model. The artificial neural network adopts a fully connected structure, the network weights are initialized to random values, the output layer uses a sigmoid activation function with $M$ nodes, and a cross entropy loss function is used for calculation. In the model training process, a back propagation algorithm is used for learning to adjust the weights in the neural network, and an L2 regularization method is introduced to reduce the risk of network overfitting. The resulting label model can therefore produce the corresponding label to be detected from an input software code.
Step S26: performing a matching operation on the sample label and the label to be detected by using a cosine similarity algorithm to obtain a corresponding scalar numerical value.
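A minimal pure-Python version of such a label model, added here as an illustration and not taken from the patent: a fully connected network with sigmoid activations, cross entropy loss, back propagation and an L2 penalty. The hidden-layer size, learning rate, penalty weight, stopping tolerance and the six-bit training set are all constructed assumptions.

```python
import math
import random

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class LabelModel:
    """Fully connected network: input bits -> sigmoid hidden layer -> M sigmoid outputs."""

    def __init__(self, n_in, n_hidden, n_out, seed=0):
        rng = random.Random(seed)  # random initial weights; fixed seed keeps runs repeatable
        self.W1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.W2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_out)]
        self.b2 = [0.0] * n_out

    def forward(self, x):
        h = [sigmoid(sum(w * v for w, v in zip(row, x)) + b)
             for row, b in zip(self.W1, self.b1)]
        y = [sigmoid(sum(w * v for w, v in zip(row, h)) + b)
             for row, b in zip(self.W2, self.b2)]
        return h, y

    def predict(self, x):
        """Label to be detected: one value between 0 and 1 per label dimension."""
        return self.forward(x)[1]

    def loss(self, X, Y, lam):
        """Mean cross entropy over the samples plus the L2 penalty on the weights."""
        ce = 0.0
        for x, t in zip(X, Y):
            y = self.predict(x)
            ce -= sum(tj * math.log(yj + 1e-12) + (1 - tj) * math.log(1 - yj + 1e-12)
                      for tj, yj in zip(t, y))
        l2 = sum(w * w for W in (self.W1, self.W2) for row in W for w in row)
        return ce / len(X) + lam * l2

    def backprop_epoch(self, X, Y, lr, lam):
        """One pass of per-sample gradient descent with back propagation."""
        for x, t in zip(X, Y):
            h, y = self.forward(x)
            # Sigmoid output + cross entropy: gradient at the output pre-activation is y - t.
            d2 = [yj - tj for yj, tj in zip(y, t)]
            d1 = [hk * (1 - hk) * sum(d2[j] * self.W2[j][k] for j in range(len(d2)))
                  for k, hk in enumerate(h)]
            for j, row in enumerate(self.W2):
                for k in range(len(row)):
                    row[k] -= lr * (d2[j] * h[k] + 2 * lam * row[k])
                self.b2[j] -= lr * d2[j]
            for k, row in enumerate(self.W1):
                for i in range(len(row)):
                    row[i] -= lr * (d1[k] * x[i] + 2 * lam * row[i])
                self.b1[k] -= lr * d1[k]

# Constructed training set. Input bits:
# [ReadFile, WriteFile, socket, connect, send, RegSetValueExW]
# Label dimensions (M = 2): [file handling, networking]
X = [[1, 1, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0], [0, 0, 1, 1, 1, 0],
     [0, 0, 1, 1, 0, 0], [1, 1, 1, 1, 1, 0], [0, 0, 0, 0, 0, 1]]
Y = [[1, 0], [1, 0], [0, 1], [0, 1], [1, 1], [0, 0]]

def train(X, Y, n_hidden=4, epochs=2000, lr=0.5, lam=1e-4, tol=0.05):
    """Iterate until the loss is small (tol) or the epoch budget is used up."""
    model = LabelModel(len(X[0]), n_hidden, len(Y[0]))
    history = [model.loss(X, Y, lam)]
    for _ in range(epochs):
        model.backprop_epoch(X, Y, lr, lam)
        history.append(model.loss(X, Y, lam))
        if history[-1] < tol:
            break
    return model, history

if __name__ == "__main__":
    model, history = train(X, Y)
    print(f"loss {history[0]:.3f} -> {history[-1]:.3f} after {len(history) - 1} epochs")
    for x in X:
        print(x, [round(p, 2) for p in model.predict(x)])
```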
In this embodiment, after the sample label and the label to be detected of the target application software are obtained, the similarity operation is performed on the sample label and the label to be detected by using a cosine similarity algorithm, so as to obtain a scalar numerical value capable of representing the similarity between the sample label and the label to be detected.
Step S27: if the scalar numerical value is smaller than a preset scalar threshold value, judging that the target application software is false software.
In this embodiment, after the scalar value is obtained through calculation, the scalar value is compared with a preset scalar threshold, and if the scalar value is smaller than the preset scalar threshold, it can be determined that the target application software is false software; the preset scalar threshold may be an empirical value obtained through multiple tests.
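The sketch below is an added example, not code from the patent. It ties steps S22, S23, S26 and S27 together: a regular expression extracts strings from the description, the tag list turns them into a 0/1 sample label, and cosine similarity against a model output gives the verdict. The tag list, the regular expression, the 0.5 threshold and the model output vectors are constructed assumptions.

```python
import math
import re

# Constructed tag list and extraction rule; the patent only states that both are preset.
TAG_LIST = ["download", "compress", "screenshot", "chat", "video", "encrypt"]
WORD_RE = re.compile(r"[A-Za-z]{3,}")

def sample_label(description):
    """Steps S22/S23: extract strings by regex, then emit 1 per tag that was found."""
    strings = {m.group(0).lower() for m in WORD_RE.finditer(description)}
    return [1 if tag in strings else 0 for tag in TAG_LIST]

def cosine(a, b):
    """Cosine similarity; None when either vector is all zeros (similarity undefined)."""
    if len(a) != len(b):
        raise ValueError("label vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return None
    return dot / (norm_a * norm_b)

def verdict(description, detected_label, threshold=0.5):
    """Steps S26/S27: below the threshold means the described and actual functions differ."""
    score = cosine(sample_label(description), detected_label)
    if score is None:
        # A description that matches no tag gives an all-zero sample label.
        # No cosine value exists, so report that instead of guessing.
        return "undetermined", None
    return ("false" if score < threshold else "consistent"), score

# Constructed inputs: a description and two possible label-model outputs (values in 0..1).
DESCRIPTION = "A lightweight tool to compress files and encrypt archives."
MODEL_OUTPUT_MATCHING = [0.05, 0.9, 0.1, 0.05, 0.0, 0.8]   # compress + encrypt behaviour
MODEL_OUTPUT_MISMATCH = [0.9, 0.05, 0.1, 0.85, 0.0, 0.1]   # download + chat behaviour

if __name__ == "__main__":
    print(sample_label(DESCRIPTION))
    print(verdict(DESCRIPTION, MODEL_OUTPUT_MATCHING))
    print(verdict(DESCRIPTION, MODEL_OUTPUT_MISMATCH))
    print(verdict("Best app ever, free!", MODEL_OUTPUT_MATCHING))
```

The all-zero sample label is the case to watch in practice: a description that matches no tag yields no similarity value, so it has to be routed to a separate outcome rather than compared against the threshold.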
For the specific process of step S21, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
As can be seen from the above, in this embodiment, the function description information is matched with the preset regular expression rule to obtain the character string meeting the preset regular expression rule, and then the character string is matched with the content in the preset label list to determine the sample label corresponding to the target application software. Determining functions called by the target application software from a dynamic link library corresponding to the target application software, then carrying out logic operation on function codes among the functions to obtain software codes, and inputting the software codes into a label model which is constructed in advance to obtain a label to be detected of the target application software; and finally, carrying out matching operation on the sample label and the label to be detected by using a cosine similarity algorithm to obtain a corresponding scalar numerical value. Therefore, through the sample label obtained by the function description information and the label to be detected obtained by utilizing the corresponding dynamic link library and the preset label model for calculation, whether the actual function of the application software is consistent with the description function can be judged, and whether the application software is false software is further judged; the sample label is determined based on the function description information of the target application software, and the label to be detected is determined based on the dynamic link library corresponding to the target application software, so that the false software identification is automatically realized without limitation of a use scene, the method can be suitable for application software with or without signatures and from different channels, the identification efficiency and accuracy are improved, and various risks brought by false software propagation on a network are reduced.
Correspondingly, the embodiment of the present application further discloses an apparatus for detecting authenticity of application software, as shown in fig. 4, the apparatus includes:
the information acquisition module 11 is used for acquiring function description information of the target application software;
the sample label generating module 12 is configured to extract a character string meeting a preset regular expression rule from the function description information, and obtain a sample label of the target application software based on the character string;
the to-be-detected label generation module 13 is configured to generate a to-be-detected label of the target application software by using a dynamic link library corresponding to the target application software and a label model constructed in advance;
and the authenticity judgment module 14 is configured to match the sample label with the to-be-detected label to judge authenticity of the target application software.
In the embodiment, the authenticity of the target application software is judged by acquiring the function description information of the target application software, extracting the character string which accords with the preset regular expression rule from the function description information, obtaining the sample label of the target application software based on the character string, generating the label to be detected of the target application software by using the dynamic link library corresponding to the target application software and the label model which is constructed in advance, and finally matching the sample label with the label to be detected. It can be seen that the corresponding sample label is determined through the function description information of the target application software, the corresponding label to be detected is generated by reading the dynamic link library corresponding to the target application software and utilizing the label model which is constructed in advance, the function of the target application software can be truly reflected by the generated label to be detected, and finally the sample label is compared with the label to be detected to detect the authenticity of the target application software.
In some embodiments, the sample label generating module 12 may specifically include:
the regular expression rule matching unit is used for matching the function description information with a preset regular expression rule to obtain a character string which accords with the preset regular expression rule;
and the sample label determining unit is used for matching the character string with the content in a preset label list so as to determine a sample label corresponding to the target application software.
In some specific embodiments, the to-be-detected label generation module 13 may specifically include:
the function determining unit is used for determining a function called by the target application software from a dynamic link library corresponding to the target application software;
the software code generating unit is used for carrying out logical operation on the function codes among the functions to obtain software codes;
and the to-be-detected label generating unit is used for inputting the software code into a label model which is constructed in advance to obtain the to-be-detected label of the target application software.
In some embodiments, the authenticity judging module 14 may specifically include:
a scalar numerical value determining unit, configured to perform a matching operation on the sample label and the to-be-detected label by using a cosine similarity algorithm to obtain a corresponding scalar numerical value;
and the judging unit is used for judging the target application software as false software if the scalar numerical value is smaller than a preset scalar threshold value.
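The units described above, chained end to end as an added example (not code from the patent). The label list, keyword rule, function catalogue, weights and threshold are constructed; using OR as the logical operation and a hand-set sigmoid layer in place of the trained label model are assumptions.

```python
import math
import re

# Constructed label list and keyword rule; the patent does not publish its own.
LABELS = ["network", "file", "registry", "crypto"]
KEYWORDS = {"download": "network", "upload": "network", "backup": "file",
            "compress": "file", "encrypt": "crypto"}
RULE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\w*", re.IGNORECASE)

# Constructed function catalogue. Each function owns one bit, so the AND of any
# two function codes is 0 and the OR of several codes loses no information.
FUNCTIONS = ["CreateFileW", "ReadFile", "WriteFile", "InternetOpenW",
             "InternetReadFile", "RegSetValueExW", "CryptEncrypt"]
FUNC_CODE = {name: 1 << i for i, name in enumerate(FUNCTIONS)}

# Stand-in for the pre-built label model: one sigmoid unit per label with
# hand-set weights (constructed, not trained).
WEIGHTS = {
    "network": {"InternetOpenW": 3.0, "InternetReadFile": 3.0},
    "file": {"CreateFileW": 2.0, "ReadFile": 2.0, "WriteFile": 2.0},
    "registry": {"RegSetValueExW": 6.0},
    "crypto": {"CryptEncrypt": 6.0},
}
BIAS = -3.0
THRESHOLD = 0.7  # constructed scalar threshold

def sample_label(description):
    """Regex-match the description, then map hits through the label list."""
    hits = {KEYWORDS[m.group(1).lower()] for m in RULE.finditer(description)}
    return [1.0 if label in hits else 0.0 for label in LABELS]

def software_code(imported):
    """OR together the codes of the imported functions."""
    code = 0
    for name in imported:
        code |= FUNC_CODE.get(name, 0)  # functions outside the catalogue add no bits
    return code

def detected_label(code):
    """Score each label from the functions whose bits are set in the code."""
    scores = []
    for label in LABELS:
        z = BIAS + sum(w for fn, w in WEIGHTS[label].items() if code & FUNC_CODE[fn])
        scores.append(1.0 / (1.0 + math.exp(-z)))
    return scores

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0  # a description with no labels matches nothing

def judge(description, imported):
    """Return (is_fake, similarity) for one application."""
    score = cosine(sample_label(description), detected_label(software_code(imported)))
    return score < THRESHOLD, score

if __name__ == "__main__":
    claimed = "Backup tool that compresses and encrypts your files"
    print(judge(claimed, ["CreateFileW", "ReadFile", "WriteFile", "CryptEncrypt"]))
    print(judge(claimed, ["InternetOpenW", "InternetReadFile", "RegSetValueExW"]))
```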
Further, an embodiment of the present application also discloses an electronic device, as shown in Fig. 5; the content of the drawing is not to be regarded as any limitation on the scope of the application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the method for detecting authenticity of application software disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22 serves as a carrier for resource storage and may be a read-only memory, a random access memory, a magnetic disk, an optical disk, or the like. The resources stored on it include an operating system 221, a computer program 222, and data 223 including function description information, and the storage may be transient or permanent.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, so that the processor 21 can operate on and process the mass data 223 in the memory 22; it may be Windows Server, NetWare, Unix, Linux, and the like. In addition to the computer program that performs the method for detecting the authenticity of the application software executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs that perform other specific tasks.
Further, an embodiment of the present application further discloses a computer storage medium, where computer-executable instructions are stored in the computer storage medium, and when the computer-executable instructions are loaded and executed by a processor, the steps of the method for detecting authenticity of application software disclosed in any of the foregoing embodiments are implemented.
The embodiments are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar, the embodiments may be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief; for the relevant details, refer to the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, device, equipment and medium for detecting the authenticity of application software provided by the invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the invention, and the description of the examples is only intended to help in understanding the method and core idea of the invention. Meanwhile, a person skilled in the art may, following the idea of the invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as a limitation on the invention.

Claims (10)

1. A method for detecting authenticity of application software is characterized by comprising the following steps:
acquiring function description information of target application software;
extracting a character string which accords with a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string;
generating a label to be detected of the target application software by using a dynamic link library corresponding to the target application software and a label model which is constructed in advance;
and matching the sample label with the label to be detected to judge the authenticity of the target application software.
2. The method for detecting the authenticity of the application software according to claim 1, wherein the extracting a character string which conforms to a preset regular expression rule from the function description information and obtaining a sample label of the target application software based on the character string comprises:
matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule;
and matching the character string with the content in a preset label list to determine a sample label corresponding to the target application software.
3. The method for detecting the authenticity of the application software according to claim 1, wherein before the step of generating the label to be detected of the target application software by using the dynamic link library of the target application software and the label model which is constructed in advance, the method further comprises the following steps:
obtaining a PE file of the target application software;
and checking the import table of the PE file to determine a dynamic link library corresponding to the target application software.
4. The method for detecting the authenticity of the application software according to claim 1, wherein the generating of the to-be-detected label of the target application software by using the dynamic link library corresponding to the target application software and the label model constructed in advance comprises:
determining a function called by the target application software from a dynamic link library corresponding to the target application software;
performing logic operation on the function codes among the functions to obtain software codes;
and inputting the software code into a label model which is constructed in advance to obtain a label to be detected of the target application software.
5. The method for detecting authenticity of application software according to claim 4, wherein before performing the logical operation on the function code corresponding to the function in the dynamic link library, the method further comprises:
coding all functions in the dynamic link library according to a preset coding rule to obtain corresponding function codes; the preset coding rule is that the AND operation result of any two function codes is 0.
6. The method for detecting the authenticity of the application software according to claim 4, wherein the process of creating the label model comprises the following steps:
marking the acquired software code to obtain a training sample containing marking information;
training a blank model constructed based on an artificial neural network by using the training sample, and performing iterative updating in the training until the model is converged to obtain the label model; wherein,
in the construction of the blank model, a Sigmoid function is adopted as an activation function of the artificial neural network, and a loss value of the data to be detected and sample data is calculated by utilizing a cross entropy loss function; the training process of the blank model is a regularization training process.
7. The method for detecting the authenticity of the application software according to any one of claims 1 to 6, wherein the matching the sample label with the label to be detected to judge the authenticity of the target application software comprises:
performing a matching operation on the sample label and the label to be detected by using a cosine similarity algorithm to obtain a corresponding scalar numerical value;
and if the scalar numerical value is smaller than a preset scalar threshold value, judging that the target application software is false software.
8. An application software authenticity detection device, characterized by comprising:
the information acquisition module is used for acquiring the function description information of the target application software;
the sample label generating module is used for extracting a character string which accords with a preset regular expression rule from the function description information and obtaining a sample label of the target application software based on the character string;
the label generation module to be detected is used for generating a label to be detected of the target application software by utilizing a dynamic link library corresponding to the target application software and a label model which is constructed in advance;
and the authenticity judgment module is used for matching the sample label with the label to be detected so as to judge the authenticity of the target application software.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the application software authenticity detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program when executed by the processor implements the method for detecting authenticity of application software according to any of claims 1 to 7.
CN202011239787.9A 2020-11-09 2020-11-09 Application software authenticity detection method, device, equipment and medium Active CN112328977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011239787.9A CN112328977B (en) 2020-11-09 2020-11-09 Application software authenticity detection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN112328977A true CN112328977A (en) 2021-02-05
CN112328977B CN112328977B (en) 2024-03-22

Family

ID=74316513

Country Status (1)

Country Link
CN (1) CN112328977B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104317711A (en) * 2014-10-22 2015-01-28 牟永敏 Path-based method and system for verifying software implementation and design uniformity
CN106709336A (en) * 2015-11-18 2017-05-24 腾讯科技(深圳)有限公司 Method and apparatus for identifying malware
CN107169021A (en) * 2017-04-07 2017-09-15 华为机器有限公司 Method and apparatus for predicting application function label
CN109711163A (en) * 2018-12-26 2019-05-03 西安电子科技大学 Android malware detection method based on API Calls sequence
CN110447215A (en) * 2017-11-10 2019-11-12 华为技术有限公司 The dynamic alarm method and terminal of application software malicious act
CN110647747A (en) * 2019-09-05 2020-01-03 四川大学 False mobile application detection method based on multi-dimensional similarity
CN111382783A (en) * 2020-02-28 2020-07-07 广州大学 Malicious software identification method and device and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116820502A (en) * 2023-07-19 2023-09-29 天筑科技股份有限公司 Sustainable operation method, device and equipment for software platform
CN116820502B (en) * 2023-07-19 2024-04-23 天筑科技股份有限公司 Sustainable operation method, device and equipment for software platform

Also Published As

Publication number Publication date
CN112328977B (en) 2024-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant