CN112328977B - Application software authenticity detection method, device, equipment and medium - Google Patents

Info

Publication number
CN112328977B
Authority
CN
China
Prior art keywords
application software
target application
label
detected
authenticity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011239787.9A
Other languages
Chinese (zh)
Other versions
CN112328977A (en)
Inventor
陈绪锋
范渊
吴卓群
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202011239787.9A
Publication of CN112328977A
Application granted
Publication of CN112328977B
Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Stored Programmes (AREA)

Abstract

The application discloses a method, a device, equipment and a medium for detecting authenticity of application software, wherein the method comprises the following steps: acquiring function description information of target application software; extracting a character string conforming to a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string; generating a label to be detected of the target application software by using a dynamic link library corresponding to the target application software and a pre-constructed label model; and matching the sample label with the label to be detected to judge the authenticity of the target application software. In this way, the generated label to be detected can truly reflect the function of the target application software, and the sample label is finally compared with the label to be detected to detect the authenticity of the target application software, so that automatic identification of false software is realized, the use scenario is not limited, and the authenticity detection capability for software is improved.

Description

Application software authenticity detection method, device, equipment and medium
Technical Field
The present invention relates to the field of application software, and in particular, to a method, an apparatus, a device, and a medium for detecting authenticity of application software.
Background
Currently, people use various application software in daily work and life. Faced with many download channels, users are likely to download false application software by mistake, that is, software whose actual functions are not consistent with its described functions, so that users waste time and energy and may even suffer economic loss. In the prior art, the authenticity of software is detected by manual auditing, but the manual approach is inefficient and costly. The prior art also detects the authenticity of software by means of software signatures, that is, by a software signature provided by a trusted manufacturer; however, a large amount of unsigned software exists on the network and the manufacturer cannot be completely trusted, so the application range of this method is limited, the detection result is unreliable, and the capability of detecting software authenticity is reduced.
Disclosure of Invention
In view of the above, the present invention aims to provide a method, an apparatus, a device and a medium for detecting authenticity of application software, which can improve the capability of software authenticity detection. The specific scheme is as follows:
In a first aspect, the application discloses a method for detecting authenticity of application software, which includes:
acquiring function description information of target application software;
extracting a character string conforming to a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string;
generating a label to be detected of the target application software by using a dynamic link library corresponding to the target application software and a pre-constructed label model;
and matching the sample label with the label to be detected to judge the authenticity of the target application software.
Optionally, the extracting a character string conforming to a preset regular expression rule from the function description information, and obtaining the sample tag of the target application software based on the character string includes:
matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule;
and matching the character string with the content in a preset tag list to determine a sample tag corresponding to the target application software.
Optionally, the generating the to-be-detected tag of the target application software by using the dynamic link library corresponding to the target application software and a pre-constructed tag model includes:
determining a function called by the target application software from a dynamic link library corresponding to the target application software;
performing logic operation on the function codes among the functions to obtain a software code;
inputting the software code into a pre-constructed label model to obtain a label to be detected of the target application software.
Optionally, before performing the logic operation on the function code corresponding to the function in the dynamic link library, the method further includes:
coding all functions in the dynamic link library according to a preset coding rule to obtain corresponding function codes; wherein, the preset coding rule is that the sum operation result of any two function codes is 0.
Optionally, before generating the label to be detected of the target application software by using the dynamic link library of the target application software and the pre-constructed label model, the method further includes:
acquiring a PE file of the target application software;
and checking the import table of the PE file to determine a dynamic link library corresponding to the target application software.
Optionally, the creating process of the label model includes:
labeling the obtained software codes to obtain training samples containing labeling information;
training a blank model constructed based on an artificial neural network by using the training sample, and performing iterative updating in the training until the model converges to obtain the label model; wherein,
in the construction of the blank model, a Sigmoid function is adopted as an activation function of an artificial neural network, and a cross entropy loss function is utilized to calculate loss values of data to be detected and sample data; the training process of the blank model is a regularized training process.
Optionally, the matching the sample tag with the tag to be detected to determine the authenticity of the target application software includes:
matching operation is carried out on the sample label and the label to be detected by utilizing a cosine similarity algorithm, so that a corresponding scalar value is obtained;
and if the scalar value is smaller than a preset scalar threshold value, judging that the target application software is false software.
In a second aspect, the application discloses an application software authenticity detection device, comprising:
the information acquisition module is used for acquiring the function description information of the target application software;
the sample label generating module is used for extracting character strings conforming to a preset regular expression rule from the function description information and obtaining sample labels of the target application software based on the character strings;
the to-be-detected tag generation module is used for generating a to-be-detected tag of the target application software by utilizing a dynamic link library corresponding to the target application software and a pre-constructed tag model;
and the authenticity judging module is used for matching the sample label with the label to be detected so as to judge the authenticity of the target application software.
In a third aspect, the present application discloses an electronic device comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the application software authenticity detection method.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program; the computer program, when executed by the processor, implements the method for detecting authenticity of the application software.
According to the method, the device and the system, the function description information of the target application software is obtained, the character string conforming to the preset regular expression rule is extracted from the function description information, the sample label of the target application software is obtained based on the character string, the dynamic link library corresponding to the target application software and the pre-constructed label model are utilized to generate the label to be detected of the target application software, and finally the sample label is matched with the label to be detected to judge the authenticity of the target application software. Therefore, the function description information of the target application software is used for determining the corresponding sample label, the dynamic link library corresponding to the target application software is read, and the corresponding label to be detected is generated by utilizing the pre-built label model, so that the generated label to be detected can truly reflect the function of the target application software, and finally, the sample label and the label to be detected are compared to detect the authenticity of the target application software.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an application software authenticity detection method provided by the application;
FIG. 2 is a flowchart of a specific method for detecting authenticity of application software;
FIG. 3 is a schematic diagram of an encoding scheme provided in the present application;
FIG. 4 is a schematic structural diagram of an application software authenticity detection device provided in the present application;
FIG. 5 is a block diagram of an electronic device provided in the present application.
Detailed Description
In the prior art, the authenticity of the software is detected by a software signature mode, namely, the authenticity of the software is detected by a software signature provided by a trusted manufacturer, but a large amount of unsigned software exists in a network, and the manufacturer cannot be completely trusted, so that the application range of the method is limited, and the authenticity detection capability of the application software is reduced. In order to overcome the technical problems, the application provides a neural network application software authenticity detection method, which can improve the efficiency and accuracy of software authenticity detection.
The embodiment of the application discloses an application software authenticity detection method, which is shown in fig. 1, and can comprise the following steps:
Step S11: acquiring the function description information of the target application software.
In this embodiment, the function description information of the target application software is obtained first. It can be understood that there are many software download sources on the internet, and the target application software sample and its function description information can be obtained, manually or by an automated crawler, through the software download links and the descriptions of software functions provided by those download sources.
Step S12: extracting a character string conforming to a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string.
In this embodiment, after the function description information is obtained, a character string conforming to a preset regular expression rule is extracted from the function description information, and then a sample tag of the target application software is obtained based on the extracted character string. Specifically, a preset regular expression is matched with the acquired functional description information to acquire a character string conforming to the rule of the preset regular expression, and then a corresponding sample tag vector is determined based on the character string so as to facilitate detection in the subsequent step.
Step S13: generating a label to be detected of the target application software by using the dynamic link library corresponding to the target application software and a pre-constructed label model.
In this embodiment, based on information data in a dynamic link library corresponding to the target application software, and by using a pre-constructed tag model, a corresponding tag to be detected is generated for the target application software. It can be understood that by checking information data in the dynamic link library corresponding to the target application software, the specific realizable function of the target application software can be determined, and then a corresponding label to be detected is generated for the target application software by combining a pre-constructed label model, so that the obtained label to be detected can truly reflect the real function of the target application software.
In this embodiment, before generating the tag to be detected of the target application software by using the dynamic link library of the target application software and the pre-constructed tag model, the method may further include: acquiring the PE (Portable Executable) file of the target application software; and checking the import table of the PE file to determine the dynamic link library corresponding to the target application software. Specifically, the compressed package of the target application software, which is acquired at the same time as the function description information, is decompressed to obtain the files of the target application software, and the PE file is identified by the characteristics of PE files, namely the common file suffix, the file content format and the signature. The PE file is then parsed to locate its import table, and the dynamic link libraries and the functions called by the target application software are finally determined by querying the import table.
Step S14: matching the sample label with the label to be detected to judge the authenticity of the target application software.
In this embodiment, after the sample tag and the to-be-detected tag are obtained, the sample tag and the to-be-detected tag are matched, and then the authenticity of the target application software can be judged through the similarity between the sample tag and the to-be-detected tag.
As can be seen from the above, in this embodiment the function description information of the target application software is acquired, a character string conforming to the preset regular expression rule is extracted from the function description information, a sample tag of the target application software is obtained based on the character string, a tag to be detected of the target application software is generated by using the dynamic link library corresponding to the target application software and a pre-constructed tag model, and finally the sample tag is matched with the tag to be detected to determine the authenticity of the target application software. Therefore, the function description information of the target application software is used for determining the corresponding sample label, the dynamic link library corresponding to the target application software is read, and the corresponding label to be detected is generated by utilizing the pre-built label model, so that the generated label to be detected can truly reflect the function of the target application software, and finally, the sample label and the label to be detected are compared to detect the authenticity of the target application software.
The embodiment of the application discloses a specific application software authenticity detection method, which is shown in fig. 2, and can comprise the following steps:
Step S21: acquiring the function description information of the target application software.
Step S22: matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule.
In this embodiment, after obtaining the function description information of the target application software, firstly, matching a preset regular expression with the function description information to obtain a character string conforming to the rule of the regular expression; specifically, one or more text fields can be matched through matching a preset regular expression and functional description information, so that a character string conforming to a preset regular expression rule is obtained.
Step S23: matching the character string with the content in a preset tag list to determine a sample tag corresponding to the target application software.
In this embodiment, after the character string is obtained, it is matched against the content of the preset tag list to determine the sample tag corresponding to the target application software. It can be understood that the preset tag list is a tag list of common software and contains sample character strings conforming to the preset sample rule expression. The character strings obtained by matching are compared with the entries in the tag list: a 1 is generated if the character string appears in the tag list, and a 0 otherwise, thereby converting text to numbers for subsequent comparison, detection and storage.
Step S24: determining a function called by the target application software from a dynamic link library corresponding to the target application software; and carrying out a logical operation on the function codes among the functions to obtain a software code.
In this embodiment, the PE file of the target application software may be obtained by decompressing the compressed package of the target application software, and the import table of the PE file is then checked to determine the dynamic link library corresponding to the target application software. The functions called by the target application software are then determined by reading the dynamic link library, and a logic operation is performed on the function codes of those functions to obtain the software code corresponding to the target software.
In this embodiment, before performing the logic operation on the function codes corresponding to the functions in the dynamic link library, the method may further include: coding all functions in the dynamic link library according to a preset coding rule to obtain corresponding function codes, wherein the preset coding rule is that the sum operation result of any two function codes is 0. For example, in the encoding manner shown in FIG. 3, function names are encoded with the dynamic link library as the unit, so as to obtain a function coding table for each dynamic link library; this table can be compiled manually by collecting common function libraries and function names. With this coding manner, the sum operation result of any two different function codes is 0. The logical operation may be an OR operation: after the corresponding dynamic link library is determined, the codes of the called functions are obtained by lookup, and an OR operation is performed on those function codes to obtain the corresponding software code.
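The coding and OR step described above, as an added example that is not code from the patent. It gives every function a code with one distinct bit set, reading the coding rule as "no two codes share a set bit", which is an assumption about the translated "sum operation"; the function table and the import listing are constructed samples.

```python
# Constructed function table. In the patent this table is compiled by hand
# from common libraries; these DLLs and functions are sample entries only.
FUNCTION_TABLE = {
    "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CreateProcessW"],
    "user32.dll": ["CreateWindowExW", "GetMessageW"],
    "ws2_32.dll": ["socket", "connect", "send", "recv"],
}


def build_function_codes(table):
    """Give every (dll, function) pair a code with exactly one bit set."""
    codes = {}
    for dll in sorted(table):
        for func in table[dll]:
            codes[(dll.lower(), func)] = 1 << len(codes)
    return codes


def codes_are_disjoint(codes):
    """True if no two different function codes share a set bit (assumed rule)."""
    seen = 0
    for value in codes.values():
        if value == 0 or value & seen:
            return False
        seen |= value
    return True


def software_code(imports, codes):
    """OR together the codes of all imported functions found in the table.

    `imports` maps DLL name -> imported function names, as read from the PE
    import table. Returns (code, unknown); `unknown` lists imports the table
    does not cover, which therefore leave no trace in the software code.
    """
    code, unknown = 0, []
    for dll, funcs in imports.items():
        for func in funcs:
            key = (dll.lower(), func)      # DLL names are case-insensitive
            if key in codes:
                code |= codes[key]
            else:
                unknown.append(key)
    return code, unknown


def decode(code, codes):
    """Recover the called functions from a software code (OR is lossless here)."""
    return sorted(key for key, value in codes.items() if code & value)


def as_bits(code, width):
    """Fixed-width 0/1 list, the form a label model would take as input."""
    return [(code >> i) & 1 for i in range(width)]


# Constructed import listing for a sample program.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileW", "WriteFile"],
    "WS2_32.dll": ["socket", "send"],
    "ADVAPI32.dll": ["RegSetValueExW"],    # not in the table
}

if __name__ == "__main__":
    table_codes = build_function_codes(FUNCTION_TABLE)
    sw_code, missing = software_code(SAMPLE_IMPORTS, table_codes)
    print(as_bits(sw_code, len(table_codes)), missing)
```

Imports outside the table (here `advapi32.dll`) contribute nothing to the software code, so the coverage of the hand-built table bounds what the label model can see.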
Step S25: inputting the software code into a pre-constructed label model to obtain a label to be detected of the target application software.
In this embodiment, after determining the software code of the target application software, the software code is input into a pre-constructed tag model, and a corresponding vector tag, that is, a tag to be detected of the target application software is obtained through calculation, wherein values of the tag to be detected in different dimensions are all between 0 and 1.
In this embodiment, the creating process of the tag model may include: labeling the obtained software codes to obtain training samples containing labeling information; training a blank model constructed based on an artificial neural network by using the training samples, and performing iterative updating during training until the model converges, to obtain the label model. In the construction of the blank model, a Sigmoid function is used as the activation function of the artificial neural network, and a cross-entropy loss function is used to calculate the loss values between the data to be detected and the sample data; the training process of the blank model is a regularized training process.
It can be appreciated that, when creating the tag model, the acquired software codes are annotated to obtain the training samples of the model. Specifically, the training sample set is denoted by $X_i$, $i = 1, 2, \ldots, N$, where $X_i$ is the i-th sample in the training sample set; the label vector used for annotation is denoted by $Y_i$, a vector of dimension M, where $Y_i(j)$, $j = 1, 2, \ldots, M$, is the j-th dimension label of the i-th sample and takes the value 0 or 1: $Y_i(j) = 0$ means that $X_i$ does not belong to the corresponding j-th dimension label, and $Y_i(j) = 1$ means that $X_i$ belongs to it. After the training samples containing labeling information are obtained, they are input into a blank model constructed based on an artificial neural network for training, and the model is updated iteratively during training until it converges, that is, iteration is repeated until the error of the neural network model is small, so as to obtain the label model. The artificial neural network uses a fully connected structure and its weights are initialized to random values; the output layer uses a sigmoid activation function and has M nodes; the loss between the output layer and the sample labels is calculated with a cross-entropy loss function; a back-propagation algorithm is used during model training to adjust the weights of the neural network; and an L2 regularization method is introduced to reduce the risk of overfitting. The resulting label model can therefore produce the corresponding label to be detected from an input software code.
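A small version of the training process described above, as an added example that is not code from the patent: a fully connected network with M sigmoid outputs, cross-entropy loss, back-propagation and L2 regularization. The hidden-layer size, learning rate, regularization weight and the eight training samples are constructed assumptions; the patent fixes none of them.

```python
import math
import random


def sigmoid(z):
    z = max(-30.0, min(30.0, z))           # keep the output strictly inside (0, 1)
    return 1.0 / (1.0 + math.exp(-z))


class LabelModel:
    """Fully connected net: input bits -> sigmoid hidden layer -> M sigmoid outputs."""

    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rng = random.Random(seed)          # random initial weights, seeded for repeatability
        # Each row holds one node's weights; the last entry is its bias.
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)] for _ in range(n_out)]

    def forward(self, x):
        xb = list(x) + [1.0]
        hb = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w1] + [1.0]
        p = [sigmoid(sum(w * v for w, v in zip(row, hb))) for row in self.w2]
        return xb, hb, p

    def predict(self, x):
        """Label to be detected: one value in (0, 1) per label dimension."""
        return self.forward(x)[2]

    def l2_penalty(self, lam):
        squares = sum(w * w for layer in (self.w1, self.w2) for row in layer for w in row[:-1])
        return 0.5 * lam * squares

    def train(self, samples, labels, epochs=3000, lr=0.5, lam=1e-3):
        """Full-batch gradient descent; returns the regularized loss per epoch."""
        n, history = len(samples), []
        for _ in range(epochs):
            g1 = [[0.0] * len(row) for row in self.w1]
            g2 = [[0.0] * len(row) for row in self.w2]
            data_loss = 0.0
            for x, y in zip(samples, labels):
                xb, hb, p = self.forward(x)
                # Cross-entropy summed over the M label dimensions.
                data_loss -= sum(t * math.log(q) + (1 - t) * math.log(1 - q)
                                 for t, q in zip(y, p))
                # Back-propagation: sigmoid + cross-entropy gives (p - y) at the output.
                d_out = [q - t for q, t in zip(p, y)]
                d_hid = [hb[k] * (1 - hb[k]) * sum(d * row[k] for d, row in zip(d_out, self.w2))
                         for k in range(len(self.w1))]
                for grad, deltas, inputs in ((g2, d_out, hb), (g1, d_hid, xb)):
                    for r, d in enumerate(deltas):
                        for c, v in enumerate(inputs):
                            grad[r][c] += d * v
            history.append(data_loss / n + self.l2_penalty(lam))
            for layer, grad in ((self.w1, g1), (self.w2, g2)):
                for row, grow in zip(layer, grad):
                    for c in range(len(row)):
                        decay = lam * row[c] if c < len(row) - 1 else 0.0   # no decay on bias
                        row[c] -= lr * (grow[c] / n + decay)
        return history


# Constructed training set: 8-bit software codes with 2-dimensional labels
# (dimension 0 = "network", dimension 1 = "file"); the bit meanings are illustrative.
SAMPLES = [
    [1, 1, 0, 0, 0, 0, 0, 0], [1, 0, 1, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 1, 1], [0, 0, 0, 1, 0, 0, 1, 0],
    [1, 0, 0, 0, 0, 0, 0, 1], [0, 1, 0, 0, 0, 0, 1, 1],
    [0, 0, 1, 1, 0, 0, 0, 0], [0, 0, 0, 0, 1, 1, 0, 0],
]
LABELS = [[0, 1], [0, 1], [1, 0], [1, 0], [1, 1], [1, 1], [0, 0], [0, 0]]


def train_demo():
    model = LabelModel(n_in=8, n_hidden=4, n_out=2)
    return model, model.train(SAMPLES, LABELS)


if __name__ == "__main__":
    trained, losses = train_demo()
    print(losses[0], losses[-1], trained.predict(SAMPLES[2]))
```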
Step S26: matching the sample label and the label to be detected by using a cosine similarity algorithm to obtain a corresponding scalar value.
In this embodiment, after obtaining the sample tag and the tag to be detected of the target application software, a cosine similarity algorithm is used to perform similarity operation on the sample tag and the tag to be detected, so as to obtain a scalar value capable of representing the similarity between the sample tag and the tag to be detected.
Step S27: if the scalar value is smaller than a preset scalar threshold value, judging that the target application software is false software.
In this embodiment, after the scalar value is calculated, it is compared with a preset scalar threshold, and if the scalar value is smaller than the preset scalar threshold, the target application software may be determined to be false software; the preset scalar threshold may be an empirical value obtained through multiple experiments.
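Steps S22, S23, S26 and S27 together, as an added example that is not code from the patent: a 0/1 sample label is built from the description text and compared with a label to be detected by cosine similarity. The tag list, the regular expression, the 0.5 threshold, the sample descriptions and the "undetermined" result for an all-zero vector are constructed assumptions.

```python
import math
import re

# Constructed tag list: each label dimension and the strings that count as a hit.
TAG_LIST = [
    ("network", {"download", "downloader", "browser", "chat"}),
    ("file", {"compress", "compression", "archive", "backup"}),
    ("media", {"video", "audio", "player"}),
    ("system", {"registry", "cleaner", "driver"}),
]
# Constructed stand-in for the preset regular expression: alphabetic words of 3+ letters.
PRESET_RE = re.compile(r"[A-Za-z]{3,}")


def sample_label(description):
    """S22/S23: extract strings, then emit 1 per tag that has a hit, else 0."""
    words = {w.lower() for w in PRESET_RE.findall(description)}
    return [1 if words & hits else 0 for _, hits in TAG_LIST]


def cosine_similarity(a, b):
    """S26: cosine of the angle between two label vectors, or None if undefined."""
    if len(a) != len(b):
        raise ValueError("label vectors must have the same dimension")
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return None                        # no recognised tag: nothing to compare
    return sum(x * y for x, y in zip(a, b)) / (norm_a * norm_b)


def judge(description, detected_label, threshold=0.5):
    """S27: below the threshold means the described and actual functions disagree."""
    sample = sample_label(description)
    score = cosine_similarity(sample, detected_label)
    if score is None:
        return sample, None, "undetermined"
    verdict = "false software" if score < threshold else "consistent"
    return sample, score, verdict


# Constructed inputs: one description and two possible label-model outputs.
DESCRIPTION = "Fast video player with audio support"
DETECTED_MEDIA = [0.08, 0.12, 0.91, 0.05]      # import profile looks like a media tool
DETECTED_OTHER = [0.93, 0.10, 0.04, 0.88]      # import profile looks like network + system

if __name__ == "__main__":
    print(judge(DESCRIPTION, DETECTED_MEDIA))
    print(judge(DESCRIPTION, DETECTED_OTHER))
    print(judge("Best tool ever, free!", DETECTED_MEDIA))
```

A description that yields no tag at all gives a zero vector, for which cosine similarity is undefined; such samples are worth routing to manual review rather than scoring as either outcome.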
The specific process of the step S21 may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
As can be seen from the above, in this embodiment the function description information is matched with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule, and the character string is then matched with the content in the preset tag list to determine a sample tag corresponding to the target application software. The functions called by the target application software are determined from the dynamic link library corresponding to the target application software, a logic operation is performed on the function codes of those functions to obtain a software code, and the software code is input into a pre-constructed label model to obtain a label to be detected of the target application software. Finally, a matching operation is performed on the sample label and the label to be detected by using a cosine similarity algorithm to obtain a corresponding scalar value. By comparing the sample label obtained from the function description information with the label to be detected calculated using the corresponding dynamic link library and the preset label model, it can be judged whether the actual function of the application software is consistent with the described function, and thus whether the application software is false software. Because the sample label is determined from the function description information of the target application software and the label to be detected is determined from the dynamic link library corresponding to the target application software, false software is identified automatically without being limited by the use scenario; the method is applicable to signed and unsigned application software and to software from different channels, the identification efficiency and accuracy are improved, and the risks brought by the propagation of false software on the network are further reduced.
Correspondingly, the embodiment of the application also discloses a device for detecting the authenticity of the application software, which is shown in fig. 4, and comprises:
an information acquisition module 11, configured to acquire function description information of target application software;
the sample tag generating module 12 is configured to extract a character string conforming to a preset regular expression rule from the function description information, and obtain a sample tag of the target application software based on the character string;
the to-be-detected tag generation module 13 is configured to generate a to-be-detected tag of the target application software by using a dynamic link library corresponding to the target application software and a pre-constructed tag model;
and the authenticity judging module 14 is configured to match the sample tag with the tag to be detected, so as to judge authenticity of the target application software.
In this embodiment, the functional description information of the target application software is obtained, then a character string conforming to a preset regular expression rule is extracted from the functional description information, a sample tag of the target application software is obtained based on the character string, a dynamic link library corresponding to the target application software and a pre-constructed tag model are utilized to generate a tag to be detected of the target application software, and finally the sample tag is matched with the tag to be detected to judge the authenticity of the target application software. Therefore, the function description information of the target application software is used for determining the corresponding sample label, the dynamic link library corresponding to the target application software is read, and the corresponding label to be detected is generated by utilizing the pre-built label model, so that the generated label to be detected can truly reflect the function of the target application software, and finally, the sample label and the label to be detected are compared to detect the authenticity of the target application software.
In some embodiments, the sample tag generation module 12 may specifically include:
the regular expression rule matching unit is used for matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule;
and the sample label determining unit is used for matching the character string with the content in the preset label list so as to determine the sample label corresponding to the target application software.
In some specific embodiments, the to-be-detected tag generating module 13 may specifically include:
the function determining unit is used for determining a function called by the target application software from a dynamic link library corresponding to the target application software;
the software code generating unit is used for carrying out logic operation on the function codes among the functions to obtain a software code;
the to-be-detected label generating unit is used for inputting the software codes into a pre-constructed label model to obtain the to-be-detected label of the target application software.
In some embodiments, the authenticity determination module 14 may specifically include:
the scalar value determining unit is used for carrying out matching operation on the sample tag and the tag to be detected by utilizing a cosine similarity algorithm to obtain a corresponding scalar value;
and the judging unit is used for judging the target application software to be false software if the scalar value is smaller than a preset scalar threshold value.
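The three modules above can be traced end to end in the following added sketch, which is not code from the patent. The tag list, regular expression, function table, import lists and the 0.5 threshold are constructed; the one-bit-per-function coding combined by bitwise OR is an assumed reading of the coding rule; and a table lookup stands in for the trained neural-network tag model.

```python
import math
import re

# Constructed inputs: the patent publishes no tag list, regex rule or function table.
TAG_LIST = ["network", "file", "registry", "crypto"]
KEYWORD_TO_TAG = {"network": "network", "download": "network", "file": "file",
                  "registry": "registry", "encrypt": "crypto"}
TAG_RULE = re.compile(r"\b(" + "|".join(KEYWORD_TO_TAG) + r")\w*", re.IGNORECASE)
FUNCTION_TAGS = {"InternetOpenA": "network", "send": "network",
                 "CreateFileW": "file", "WriteFile": "file",
                 "RegSetValueExW": "registry", "CryptEncrypt": "crypto"}
# Assumed coding rule: one bit per function, so no two function codes share a bit.
FUNCTION_CODES = {name: 1 << i for i, name in enumerate(FUNCTION_TAGS)}


def sample_tag(description):
    """Sample tag: regex-extracted strings matched against the tag list."""
    found = {KEYWORD_TO_TAG[s.lower()] for s in TAG_RULE.findall(description)}
    return [1.0 if tag in found else 0.0 for tag in TAG_LIST]


def software_code(imported_functions):
    """Combine the codes of the called functions with a bitwise OR."""
    code = 0
    for name in imported_functions:
        code |= FUNCTION_CODES.get(name, 0)  # functions outside the table add nothing
    return code


def label_model(code):
    """Stand-in for the trained tag model: decode the bits, look up each tag."""
    seen = {FUNCTION_TAGS[n] for n, bit in FUNCTION_CODES.items() if code & bit}
    return [1.0 if tag in seen else 0.0 for tag in TAG_LIST]


def cosine_similarity(a, b):
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    # An all-zero vector carries no evidence; score it 0 so it falls below the threshold.
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0


def judge(description, imported_functions, threshold=0.5):
    """Return (is_false_software, scalar value)."""
    score = cosine_similarity(sample_tag(description),
                              label_model(software_code(imported_functions)))
    return score < threshold, score


DESCRIPTION = "A text editor that opens and saves files."  # constructed
GENUINE_IMPORTS = ["CreateFileW", "WriteFile"]               # constructed
SUSPECT_IMPORTS = ["InternetOpenA", "send", "RegSetValueExW", "CryptEncrypt"]

if __name__ == "__main__":
    for imports in (GENUINE_IMPORTS, SUSPECT_IMPORTS):
        print(imports, judge(DESCRIPTION, imports))
```

A description that yields no tag, or an import list with no known function, scores 0 and is therefore judged false at any positive threshold, which is worth handling as a separate "undetermined" outcome in practice.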
Further, an embodiment of the application also discloses an electronic device, shown in Fig. 5; the content of the drawing should not be considered any limitation on the scope of use of the application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, where the computer program is loaded and executed by the processor 21 to implement relevant steps in the application software authenticity detection method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon include an operating system 221, a computer program 222, and data 223 including function description information, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the hardware devices on the electronic device 20 and the computer program 222, so that the processor 21 can operate on and process the mass data 223 in the memory 22; it may be Windows Server, NetWare, Unix, Linux, etc. In addition to the computer program that performs the application software authenticity detection method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs for performing other specific tasks.
Further, the embodiment of the application also discloses a computer storage medium, wherein the computer storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the steps of the application software authenticity detection method disclosed in any embodiment are realized.
In this specification, the embodiments are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Because the device disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief; for the relevant points, refer to the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The method, device, equipment and medium for detecting the authenticity of application software provided by the invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the application, and the description of the above examples is only intended to help in understanding the method and its core idea; meanwhile, those skilled in the art may make changes to the specific embodiments and the application scope in accordance with the idea of the invention. In view of the above, this description should not be construed as limiting the invention.

Claims (10)

1. The application software authenticity detection method is characterized by comprising the following steps:
acquiring function description information of target application software;
extracting a character string conforming to a preset regular expression rule from the function description information, and obtaining a sample label of the target application software based on the character string;
generating a label to be detected of the target application software by using a dynamic link library corresponding to the target application software and a pre-constructed label model;
and matching the sample label with the label to be detected to judge the authenticity of the target application software.
2. The method for detecting the authenticity of the application software according to claim 1, wherein the extracting a character string conforming to a preset regular expression rule from the function description information, and obtaining a sample tag of the target application software based on the character string, comprises:
matching the function description information with a preset regular expression rule to obtain a character string conforming to the preset regular expression rule;
and matching the character string with the content in a preset tag list to determine a sample tag corresponding to the target application software.
3. The method for detecting the authenticity of the application software according to claim 1, wherein before generating the label to be detected of the target application software by using the dynamic link library of the target application software and the pre-constructed label model, the method further comprises:
acquiring a PE file of the target application software;
and checking the import table of the PE file to determine a dynamic link library corresponding to the target application software.
4. The method for detecting the authenticity of the application software according to claim 1, wherein the generating the label to be detected of the target application software by using the dynamic link library corresponding to the target application software and the pre-constructed label model includes:
determining a function called by the target application software from a dynamic link library corresponding to the target application software;
performing logic operation on the function codes among the functions to obtain a software code;
inputting the software code into a pre-constructed label model to obtain a label to be detected of the target application software.
5. The method for detecting the authenticity of the application software according to claim 4, further comprising, before performing a logical operation on a function code corresponding to a function in the dynamic link library:
coding all functions in the dynamic link library according to a preset coding rule to obtain corresponding function codes; wherein, the preset coding rule is that the sum operation result of any two function codes is 0.
6. The method for detecting authenticity of application software according to claim 4, wherein the creating process of the tag model comprises:
labeling the obtained software codes to obtain training samples containing labeling information;
training a blank model constructed based on an artificial neural network by using the training sample, and performing iterative updating in the training until the model converges to obtain the label model; wherein,
in the construction of the blank model, a Sigmoid function is adopted as an activation function of an artificial neural network, and a cross entropy loss function is utilized to calculate loss values of data to be detected and sample data; the training process of the blank model is a regularized training process.
7. The method for detecting authenticity of application software according to any one of claims 1 to 6, wherein the matching the sample tag with the tag to be detected to determine authenticity of the target application software includes:
matching operation is carried out on the sample label and the label to be detected by utilizing a cosine similarity algorithm, so that a corresponding scalar value is obtained;
and if the scalar value is smaller than a preset scalar threshold value, judging that the target application software is false software.
8. An application software authenticity detection device, comprising:
the information acquisition module is used for acquiring the function description information of the target application software;
the sample label generating module is used for extracting character strings conforming to a preset regular expression rule from the function description information and obtaining sample labels of the target application software based on the character strings;
the to-be-detected tag generation module is used for generating a to-be-detected tag of the target application software by utilizing a dynamic link library corresponding to the target application software and a pre-constructed tag model;
and the authenticity judging module is used for matching the sample label with the label to be detected so as to judge the authenticity of the target application software.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the application software authenticity detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program; wherein the computer program when executed by a processor implements the application software authenticity detection method according to any of claims 1 to 7.
CN202011239787.9A 2020-11-09 2020-11-09 Application software authenticity detection method, device, equipment and medium Active CN112328977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011239787.9A CN112328977B (en) 2020-11-09 2020-11-09 Application software authenticity detection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN112328977A CN112328977A (en) 2021-02-05
CN112328977B true CN112328977B (en) 2024-03-22

Family

ID=74316513

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011239787.9A Active CN112328977B (en) 2020-11-09 2020-11-09 Application software authenticity detection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN112328977B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116820502B (en) * 2023-07-19 2024-04-23 天筑科技股份有限公司 Sustainable operation method, device and equipment for software platform

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104317711A (en) * 2014-10-22 2015-01-28 牟永敏 Path-based method and system for verifying software implementation and design uniformity
CN106709336A (en) * 2015-11-18 2017-05-24 腾讯科技(深圳)有限公司 Method and apparatus for identifying malware
CN107169021A (en) * 2017-04-07 2017-09-15 华为机器有限公司 Method and apparatus for predicting application function label
CN109711163A (en) * 2018-12-26 2019-05-03 西安电子科技大学 Android malware detection method based on API Calls sequence
CN110447215A (en) * 2017-11-10 2019-11-12 华为技术有限公司 The dynamic alarm method and terminal of application software malicious act
CN110647747A (en) * 2019-09-05 2020-01-03 四川大学 False mobile application detection method based on multi-dimensional similarity
CN111382783A (en) * 2020-02-28 2020-07-07 广州大学 Malicious software identification method and device and storage medium

Also Published As

Publication number Publication date
CN112328977A (en) 2021-02-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant