CN114422221A - Detection algorithm, device, electronic equipment and storage medium for counterfeit application link - Google Patents


Info

Publication number
CN114422221A
Authority
CN
China
Prior art keywords
application
identified
link
standard
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202210013019.4A
Other languages
Chinese (zh)
Inventor
齐文杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Lexin Software Technology Co Ltd
Original Assignee
Shenzhen Lexin Software Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the invention discloses a detection algorithm, a detection device, electronic equipment and a storage medium for counterfeit application links. The method comprises the following steps: if the original link relates to application downloading, determining a link to be identified; processing the link to be identified to obtain the application to be identified, and determining attribute information to be identified and feature information to be identified of that application; determining the similar standard application of the link to be identified according to the attribute information to be identified; and determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application. The invention can automatically detect counterfeit APP download links scattered in every corner of the Internet, so as to reduce or avoid the losses that counterfeit APPs cause to enterprises and individuals, and to combat and prevent information network criminal activities.

Description

Detection algorithm, device, electronic equipment and storage medium for counterfeit application link
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method and an apparatus for detecting counterfeit application links, an electronic device, and a storage medium.
Background
With the explosive growth of applications on mobile phone terminals, a large number of applications have accumulated in the market. They are varied and of mixed quality, and some are even malicious. Because the number of users is large, the losses to the user group grow as more and more counterfeit applications appear, and the detection of counterfeit applications cannot be delayed.
The purposes of counterfeiting an APP include, but are not limited to, the following: 1. counterfeit financial APPs are used for financial fraud, malicious account transfers, information monitoring, theft of secrets and the like; 2. counterfeit social APPs are used for stealing account numbers and passwords, publishing advertisements and the like; 3. popular APPs are imitated and repackaged, with advertisement code or a trojan inserted, for profit; 4. competitors compete maliciously and provide a malicious APP to discredit the original APP. At present, most approaches to detecting counterfeit APPs at home and abroad use a web crawler to crawl the APPs in the major application stores; this approach only needs to monitor each application store to capture APP download links. However, the application stores are now under regulatory pressure and their listing review of APPs is strict, so some groups that make counterfeit APPs no longer distribute them through regular application stores. Instead they host the counterfeit APPs on self-built websites and then publish the installation links in channels such as major forums, interest circles, posts, social groups and short messages, which renders detection schemes based on crawling application stores ineffective.
For counterfeit APP download information scattered in every corner of the Internet, dedicated robots need to be placed in social interest groups, super topics, post bars and interest circles for monitoring; for the acquisition of some special information (such as short message records), separate authorization must be obtained from the mobile user, or the user must actively report the related records.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting a counterfeit application link, electronic equipment and a storage medium, so as to realize the function of detecting the counterfeit application link.
According to an aspect of the embodiments of the present invention, a detection algorithm for counterfeit application links is provided, where the algorithm includes:
if the original link relates to application downloading, determining a link to be identified;
processing the link to be identified to obtain the application to be identified, and determining attribute information to be identified and feature information to be identified of the application to be identified;
determining the similar standard application of the link to be identified according to the attribute information to be identified;
and determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
According to another aspect of the embodiments of the present invention, an apparatus for detecting counterfeit application link is provided, where the apparatus includes:
the link identification module is used for determining the link to be identified if the original link relates to application downloading;
the to-be-identified application determining module is used for processing according to the to-be-identified link to obtain the to-be-identified application and determining to-be-identified attribute information and to-be-identified characteristic information of the to-be-identified application;
the standard application acquisition module is used for determining similar standard applications of the links to be identified according to the attribute information to be identified;
and the link detection module is used for determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
According to another aspect of the embodiments of the present invention, there is provided an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a method of detection of counterfeit application links provided by any embodiment of the disclosure.
According to another aspect of embodiments of the present invention, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a method for detecting a counterfeit application link provided by any of the embodiments of the present disclosure.
The embodiment of the invention can automatically detect counterfeit APP download links scattered in every corner of the Internet, so as to reduce or avoid the losses that counterfeit APPs cause to enterprises and individuals, and to combat and prevent information network criminal activities.
Drawings
Fig. 1 is a schematic flowchart of a counterfeit application link detection algorithm according to an embodiment of the present invention.
Fig. 2 is a schematic flowchart of a counterfeit application link detection algorithm according to a second embodiment of the present invention.
Fig. 3 is a schematic flowchart of a counterfeit application link detection algorithm according to a third embodiment of the present invention.
Fig. 4 is a structural diagram of a counterfeit application link detection apparatus according to a fourth embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a schematic flowchart of a counterfeit application link detection algorithm according to an embodiment of the present invention, and the embodiment of the present disclosure is applicable to the detection of counterfeit application links. The method may be performed by a counterfeit application link detection device, which may be implemented in hardware and/or software. Referring to fig. 1, the algorithm specifically includes the following:
Step 110, if the original link relates to application download, determining the link to be identified.
Wherein the original link is a URL (Uniform Resource Locator) link captured from a web site group, and the web site group includes at least one of: web pages, forums, or groups of communication tools, such as web communities, text messages, social groups, APPs, and the like.
Specifically, the original link captured from the web site group is obtained and recursively resolved N times to obtain a resolution result; whether the resolution result includes an application download link is determined according to application download keywords; if so, the original link is determined to relate to application downloading, and the included application download link is used as the link to be identified. The keywords are the file formats of application packages, such as apk, ipa and hap.
For example, the original content containing the original link may be collected by a series of web crawlers, by a robot placed in a social group, or by a short message collection robot that the user has separately authorized. A web crawler is a program or script that automatically captures web information according to certain rules; common crawler algorithms include the Fish Search algorithm, the Shark Search algorithm and the like. In one embodiment, raw chat log content may be obtained by a group chat robot in a QQ group.
Specifically, URL links are extracted from the original content, each original link is recursively resolved N times, and URL file suffix identification is then performed on the resolution result; if it contains a mobile APP suffix such as apk, ipa or hap, the link is considered an APP download link and is used as the link to be identified. In practice, the download link of a counterfeit application is usually disguised several times, for example by redirecting the original link multiple times, in which case URL file suffix identification performed directly on the original link cannot make a reasonable judgment. In this embodiment, the original link is recursively resolved N times to obtain the actual link. For example, for the original link, the DNS server searches recursively starting from the root domain name server to find the IP address of the domain name; once the IP address is obtained, the browser sends an HTTP request to the web server and, according to the server's response, follows the redirection address; this process is repeated until the actual link is obtained.
Specifically, the original content may be recognized by OCR (Optical Character Recognition) technology and the URL-link keywords in it extracted, or the recursive resolution result of the original link may be examined. Generally, when a link is a download link it points to a file format; for example, a download link of a certain version of the Android QQ is https://down.qq.com/qweb qqqqqqq _1/Android _ apk/Android _8.8.50.6735_537101929.32.hb2.apk, which includes the keyword "apk". Common mobile application package file formats include apk, ipa, hap and the like, so whether the original link relates to application downloading can be determined by URL file suffix identification, and if application downloading is involved, the link is determined to be the link to be identified.
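Step 110 as a runnable sketch, added here as an illustration and not taken from the patent: a link is followed through at most N redirects and the package suffix is checked on the URL path of each hop. The redirect table, host names and function names are constructed assumptions that stand in for live HTTP responses.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

APP_SUFFIXES = {".apk", ".ipa", ".hap"}  # package formats named in the description
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed redirect table standing in for live HTTP responses:
# URL -> (status code, Location header or None). All hosts are made up.
CONSTRUCTED_RESPONSES = {
    "http://short.example/a1": (302, "http://landing.example/promo?id=7"),
    "http://landing.example/promo?id=7": (301, "/files/Bank_2.1.0.APK?src=grp"),
    "http://landing.example/files/Bank_2.1.0.APK?src=grp": (200, None),
    "http://loop.example/x": (302, "http://loop.example/y"),
    "http://loop.example/y": (302, "http://loop.example/x"),
    "http://news.example/story.html": (200, None),
}


def constructed_fetch(url):
    """Hypothetical fetcher: returns (status, location) without network I/O."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def package_suffix(url):
    """Return the app-package suffix of the URL path, or None.

    Only the path is inspected and the case is folded, so a query string
    such as '?file=x.apk' does not turn an ordinary page into a match.
    """
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return ext if ext in APP_SUFFIXES else None


def resolve_link(original, fetch=constructed_fetch, max_hops=5):
    """Follow redirects for at most max_hops (the N of step 110).

    Returns (chain, reason) where reason is 'final', 'loop',
    'hop-limit' or 'error'.
    """
    chain, seen, url = [original], {original}, original
    for _ in range(max_hops):
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            if url in seen:
                return chain, "loop"
            seen.add(url)
            chain.append(url)
            continue
        return chain, "final" if status == 200 else "error"
    return chain, "hop-limit"


def link_to_identify(original, fetch=constructed_fetch, max_hops=5):
    """Return the resolved download link if any hop points at an app
    package, otherwise None (the original link is not an app download)."""
    chain, _reason = resolve_link(original, fetch, max_hops)
    for url in reversed(chain):
        if package_suffix(url):
            return url
    return None


if __name__ == "__main__":
    for link in ("http://short.example/a1", "http://loop.example/x",
                 "http://news.example/story.html"):
        print(link, "->", link_to_identify(link), resolve_link(link)[1])
```
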
Step 120, processing the link to be identified to obtain the application to be identified, and determining attribute information to be identified and feature information to be identified of the application to be identified.
The application to be identified is the application pointed to by the link to be identified, and can be obtained by downloading from the link to be identified. The attribute information to be identified comprises at least one of the following items of attribute information of the application to be identified: APP version, APP application name, APP icon, or APP size; the feature information to be identified comprises at least one of the following items of feature information of the application to be identified: application signature, application size, or application file directory.
Specifically, the link to be identified determined above is downloaded and the download results are deduplicated; the deduplicated APP is parsed with an open source framework; and finally the features of the parsed APP are extracted, mainly including the APPID (the unique installation ID of the APP in the system, defined by the enterprise to which the APP belongs), APP version, application name (the name displayed on the mobile user's desktop), APP icon (the icon displayed to the mobile user), APP size, file directory and the like.
Step 130, determining the similar standard application of the link to be identified according to the attribute information to be identified.
The similar standard application of the link to be identified refers to an official application obtained according to the attribute information to be identified. For example, the application may be downloaded from the official website or an authoritative application store of the APP using the attribute information to be identified; if the attribute information to be identified includes the application name QQ and the application version Android_8.8.50, the standard QQ application may be downloaded from the QQ official website.
Step 140, determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
Specifically, the same APP analysis is performed on the similar standard application of the link to be identified to obtain its standard feature information, and whether the link to be identified is a counterfeit application link is determined by comparing the feature information. In one example, information such as the APP application name, APP icon, APP size, APP signature and APPID is compared, and if there is a difference, the APP is considered a counterfeit APP.
According to the technical solution of this embodiment, if the original link relates to application downloading, the link to be identified is determined; the link to be identified is processed to obtain the application to be identified, and attribute information to be identified and feature information to be identified of the application to be identified are determined; the similar standard application of the link to be identified is determined according to the attribute information to be identified; and whether the link to be identified is a counterfeit application link is determined according to the feature information to be identified and the standard feature information of the similar standard application. The technical solution of this embodiment is general: it can detect any counterfeit APP and can automatically detect counterfeit APP download links scattered in every corner of the Internet, so as to reduce or avoid the losses that counterfeit APPs cause to enterprises and individuals, and to combat and prevent information network criminal activities.
Example two
Fig. 2 is a schematic flowchart of a counterfeit application link detection algorithm according to a second embodiment of the present invention. The present embodiment is an optional solution proposed on the basis of the above embodiments, and the technical solution in the present embodiment may be combined with various optional solutions in one or more of the above embodiments. Referring to fig. 2, the detection algorithm for counterfeit application links provided in this embodiment includes:
Step 210, if the original link relates to application download, determining the link to be identified.
Step 220, processing is carried out according to the link to be identified to obtain the application to be identified, and attribute information to be identified and feature information to be identified of the application to be identified are determined.
Step 230, extracting the application name to be identified from the attribute information to be identified.
The application name to be identified is the application name of the application to be identified; the application to be identified can be parsed with an application analysis tool, and its application name is obtained from the parsing result.
Step 240, comparing the application name to be identified with the standard application name to obtain an application name comparison result.
Step 250, determining the similar standard application of the link to be identified according to the application name comparison result.
In a specific example, a standard application library may be established in advance, and the standard application may be matched from the application library according to the attribute information to be identified, so that the standard application does not need to be re-acquired for every detection. Attribute information that is partially similar may be considered a match to the standard application. If no standard application is matched in the standard application library, the standard application may be acquired from an authoritative source according to the attribute information to be identified.
For example, the application name to be matched may be matched against the standard APP application names in the application library, and if there is an inclusion relationship, the associated standard APP is determined. Alternatively, the name may be split into single characters that are matched against the standard APP application names in the application library; if an APP application name contains such a character, that APP is determined to be the similar standard application of the link to be identified. As a further example, a list of standard APP application names may be built from the application library, and the application name to be matched is matched against this list, so that the standard application names need not be obtained again for each detection.
After the standard APP is determined, the feature information is compared to determine whether the link to be identified is a counterfeit application link.
Step 260, determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
Specifically, a version number is first determined from the attribute information to be identified; the preset version features are then found according to the version number, and the comparison is made against the standard feature information of the similar standard application of the same version. Illustratively, information such as the APP size, APP signature and APPID is compared, and if there is a difference, the application to be identified is considered a counterfeit application. In one example, a more detailed comparison is performed on the parsing result of the application: it is identified whether the file directory of the application to be identified contains a trojan, whether the file directory has been modified, and whether the signature has been tampered with; if so, the link to be identified is determined to be a counterfeit application link.
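Steps 240 to 260 as a runnable sketch, added here as an illustration and not taken from the patent: the application name is matched against a standard application library by inclusion, and the features of the same version are then compared. The library contents, record fields, digests and verdict strings are constructed assumptions, and the single-character fallback match is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    name: str            # application name shown to the user
    app_id: str          # APPID defined by the owning enterprise
    version: str
    size: int            # package size in bytes
    signer_sha256: str   # digest of the signing certificate
    files: frozenset     # file directory of the package


BASE_FILES = frozenset({"AndroidManifest.xml", "classes.dex", "res/icon.png"})

# Constructed standard application library, keyed by (standard name, version).
STANDARD_LIBRARY = {
    ("ExampleBank", "2.1.0"): AppRecord(
        "ExampleBank", "com.example.bank", "2.1.0", 48_211_004,
        "a1" * 32, BASE_FILES),
    ("ExampleChat", "8.8.50"): AppRecord(
        "ExampleChat", "com.example.chat", "8.8.50", 102_400_000,
        "b2" * 32, BASE_FILES | {"lib/libchat.so"}),
}

# Constructed applications to be identified.
REPACKAGED = AppRecord(
    "ExampleBank Pro", "com.example.bank", "2.1.0", 49_003_112,
    "ff" * 32, BASE_FILES | {"assets/payload.dex"})
MIRROR_COPY = AppRecord(
    "ExampleBank", "com.example.bank", "2.1.0", 48_211_004,
    "a1" * 32, BASE_FILES)


def match_standard_name(candidate_name):
    """Steps 240-250: return the standard name that has an inclusion
    relationship with the candidate name (longest one wins), or None."""
    cand = candidate_name.casefold().strip()
    if not cand:
        return None
    names = {name for name, _version in STANDARD_LIBRARY}
    hits = [n for n in names
            if n.casefold() in cand or cand in n.casefold()]
    return max(hits, key=len) if hits else None


def compare_features(candidate, standard):
    """Step 260: list every feature that differs from the standard
    application of the same version."""
    diffs = []
    if candidate.signer_sha256 != standard.signer_sha256:
        diffs.append("signature")
    if candidate.app_id != standard.app_id:
        diffs.append("app_id")
    if candidate.size != standard.size:
        diffs.append("size")
    if candidate.files != standard.files:
        diffs.append("file_directory")
    return diffs


def classify(candidate):
    """Return (verdict, matched standard name, differing features)."""
    name = match_standard_name(candidate.name)
    if name is None:
        return ("no-similar-standard", None, [])
    standard = STANDARD_LIBRARY.get((name, candidate.version))
    if standard is None:
        # The description says to fetch the standard application from an
        # authoritative source in this case; the sketch only reports it.
        return ("standard-version-missing", name, [])
    diffs = compare_features(candidate, standard)
    return ("counterfeit" if diffs else "genuine", name, diffs)


if __name__ == "__main__":
    for app in (REPACKAGED, MIRROR_COPY):
        print(app.name, classify(app))
```
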
In a specific example, aggregation and correlation analysis is performed on the identified counterfeit APP information, and various early warning conditions are provided. For example, an alarm is raised when the propagation volume of a certain counterfeit APP across the whole network reaches a certain threshold within one day; an alarm is raised when the combined propagation volume of a certain type of counterfeit APP over recent days reaches a threshold; or an alarm is raised when a specific counterfeit APP appears. For example, the alarm information is treated as a public-opinion lead and synchronized to enterprises and network police, and even delivered to users, by means such as short messages, WeChat, microblogs and announcements.
In the technical solution of this embodiment, the application name to be identified is compared with the standard application name to obtain an application name comparison result; the similar standard application of the link to be identified is determined according to that result; and the feature information is then compared to judge whether the link to be identified is a counterfeit application link. This achieves detection of counterfeit APP download links in every corner of the Internet. At the same time, aggregation and correlation analysis is performed on the identified counterfeit APP information, early warnings are given to mobile users who are suffering or about to suffer harm from a counterfeit APP and to the enterprise that owns the genuine APP, and information network criminal activities are combated.
Example three
Fig. 3 is a schematic flowchart of a counterfeit application link detection algorithm according to a third embodiment of the present invention. The present embodiment is an optional solution proposed on the basis of the above embodiments, and the technical solution in the present embodiment may be combined with various optional solutions in one or more of the above embodiments. Referring to fig. 3, the detection algorithm for counterfeit application links provided in this embodiment includes:
Step 310, if the original link relates to application downloading, determining the link to be identified.
Step 320, processing the link to be identified to obtain the application to be identified, and determining attribute information to be identified and feature information to be identified of the application to be identified.
Step 330, extracting the application icon to be identified from the attribute information to be identified.
The application icon to be identified is the application icon of the application to be identified; the application to be identified can be parsed with an application analysis tool, and its application name and application icon are obtained from the parsing result.
Step 340, comparing the application icon to be identified with the standard application icon to obtain an application icon comparison result.
Step 350, determining the similar standard application of the link to be identified according to the application icon comparison result.
Specifically, the application icon to be identified is binarized to obtain a grayscale application icon to be identified; the pixels of the grayscale application icon to be identified are compared with the standard grayscale application icon of any standard application; and if the number of successfully matched pixels is greater than a first pixel number threshold and less than a second pixel number threshold, that standard application is taken as the similar standard application of the link to be identified. The first pixel threshold and the second pixel threshold can be set by the user; for example, the first pixel threshold is set to 80% and the second threshold is set to 100%. The standard grayscale application icon may be the binarized icon of a standard application icon in a preset application library; specifically, all standard application icons may be binarized in advance and stored as a set of standard grayscale application icons, so that the standard grayscale application icon need not be determined again for each detection.
Illustratively, the obtained application icon to be identified is binarized, that is, the icon picture is converted into one containing only black and white pixels, and is then compared pixel by pixel with the black-and-white icons of the standard applications in the preset application library. If more than 80% and less than 100% of the pixels are equal, the icon of the APP is considered similar to a predefined genuine icon, and that APP is determined to be the similar standard application of the link to be identified.
In a specific example, the characters to be recognized in the application icon to be identified are extracted based on OCR technology; the characters to be recognized are compared with the standard characters in the standard application icon of any standard application, and if the characters to be recognized and the standard characters have a complete inclusion relationship, that standard application is used as the similar standard application of the link to be identified.
Specifically, in practice an application icon may contain characters, for example "twenty-one", "new edition" and the like. In that case OCR technology may be used for recognition, and the similar standard application of the link to be identified is determined by comparing the characters in the application icon to be identified with the standard characters in the standard application icon of any standard application. Illustratively, the application icon to be identified is recognized with publicly available OCR technology and the characters contained in the icon are extracted, including information such as the font format; this information is compared with the standard characters in the standard application icon of any standard application. If the extracted characters of the application icon to be identified and the standard characters of the standard application icon have a complete inclusion relationship, that is, each of the standard characters is contained in the characters extracted from the application icon to be identified, the icon of the application to be identified is considered similar to the genuine icon, and that APP is determined to be the similar standard application of the link to be identified.
In a specific example, the standard characters of the standard application icons are extracted in advance and preprocessed to generate a preset white list, where the preprocessing includes word segmentation, character scrambling and the like, so that the characters of the standard application icons need not be extracted again for each detection. The characters extracted from the application icon to be identified can be preprocessed in the same way and then matched against the preset white list. If the extracted characters and the standard characters in the white list have a complete inclusion relationship, the icon of the application to be identified is considered similar to the genuine icon, and the application corresponding to the successfully matched standard characters is determined to be the similar standard application of the link to be identified.
It should be noted that either of the above methods, or a combination of the two, can be used to determine the similar standard application of the link to be identified according to the application icon comparison result.
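The two icon checks described above as a runnable sketch, added here as an illustration and not taken from the patent: binarized pixel comparison with the 80% and 100% bounds, and the complete-inclusion test on characters extracted from the icon. The 5x5 icons, the binarization threshold of 128 and the sample strings are constructed assumptions, and OCR is assumed to have already run.

```python
def binarize(gray, threshold=128):
    """Turn rows of grayscale values (0-255) into rows of 0/1 pixels."""
    return [[1 if p >= threshold else 0 for p in row] for row in gray]


def pixel_match_ratio(icon_a, icon_b):
    """Share of positions where two binarized icons hold the same pixel."""
    if len(icon_a) != len(icon_b) or any(
            len(r) != len(s) for r, s in zip(icon_a, icon_b)):
        raise ValueError("icons must be scaled to the same size first")
    total = sum(len(r) for r in icon_a)
    same = sum(a == b
               for r, s in zip(icon_a, icon_b)
               for a, b in zip(r, s))
    return same / total


def icon_is_similar(candidate_gray, standard_gray, low=0.80, high=1.00):
    """Both bounds are exclusive, as in the description: a pixel-identical
    icon (100%) is not reported by this check."""
    ratio = pixel_match_ratio(binarize(candidate_gray),
                              binarize(standard_gray))
    return low < ratio < high


def text_is_included(candidate_text, standard_text):
    """Complete inclusion: every standard character appears in the
    characters extracted from the candidate icon."""
    cand = set(candidate_text.replace(" ", ""))
    std = set(standard_text.replace(" ", ""))
    return bool(std) and std <= cand


def similar_standards(candidate_gray, candidate_text, library):
    """Names of standard applications matched by either check."""
    return sorted(
        name for name, (gray, text) in library.items()
        if icon_is_similar(candidate_gray, gray)
        or text_is_included(candidate_text, text))


# Constructed 5x5 grayscale icons: a dark ring on a light background.
STANDARD_ICON = [
    [250, 250, 250, 250, 250],
    [250,  10,  10,  10, 250],
    [250,  10, 250,  10, 250],
    [250,  10,  10,  10, 250],
    [250, 250, 250, 250, 250],
]
# Same shape with shifted gray levels and two flipped pixels (23/25 equal).
LOOKALIKE_ICON = [
    [  5, 240, 240, 240, 240],
    [240,  30,  30,  30, 240],
    [240,  30,  20,  30, 240],
    [240,  30,  30,  30, 240],
    [240, 240, 240, 240, 240],
]
UNRELATED_ICON = [[10] * 5 for _ in range(5)]  # 8/25 equal

# Constructed library: name -> (standard icon, standard icon text).
ICON_LIBRARY = {"ExampleBank": (STANDARD_ICON, "Bank")}

if __name__ == "__main__":
    print(pixel_match_ratio(binarize(LOOKALIKE_ICON),
                            binarize(STANDARD_ICON)))
    print(similar_standards(LOOKALIKE_ICON, "", ICON_LIBRARY))
    print(similar_standards(UNRELATED_ICON, "Bank New Edition", ICON_LIBRARY))
```
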
In an example, the similar standard application of the link to be identified may be determined jointly from the application name comparison result and the application icon comparison result; after the similar standard APP is determined, the feature information is compared to determine whether the link to be identified is a counterfeit application link.
Step 360, determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
Specifically, the standard feature information may first be compared after the similar standard APP has been determined from the application name comparison result alone, to determine whether the link to be identified is a counterfeit application link. If that comparison finds no problem, the APP icon is then compared to judge whether the APP icon is counterfeit. If the APP icon comparison finds a problem, whether the link to be identified is a counterfeit application link is determined accordingly; if the APP icon comparison finds no problem, the standard feature information is compared once more according to the APP icon comparison result, to determine whether the link to be identified is a counterfeit application link.
This embodiment further optimizes the above solution by determining the similar standard application of the link to be identified according to the application icon comparison result. This improves the efficiency of determining the similar standard application and further raises the probability of judging whether the link to be identified is a counterfeit application link. It achieves detection of counterfeit APP download links in every corner of the Internet, and can detect counterfeit APP download links automatically, so as to reduce or avoid the losses that counterfeit APPs cause to enterprises and individuals, and to combat and prevent information network criminal activities.
Example four
Fig. 4 is a structural diagram of an apparatus for detecting counterfeit application link according to a fourth embodiment of the present invention, where the apparatus 400 specifically includes: a link identification module 410, an application to be identified determination module 420, a similar standard application acquisition module 430, and a link detection module 440, wherein,
the link identification module is used for determining the link to be identified if the original link relates to application downloading;
the to-be-identified application determining module is used for processing the link to be identified to obtain the application to be identified, and for determining the attribute information to be identified and the feature information to be identified of the application to be identified;
the similar standard application acquisition module is used for determining the similar standard application of the link to be identified according to the attribute information to be identified;
and the link detection module is used for determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
The counterfeit application link detection device provided by this embodiment of the application can automatically detect counterfeit APP download links scattered in every corner of the internet, so as to reduce or avoid the losses to enterprise and personal interests caused by counterfeit APPs and to combat and guard against information network crime.
The link identification module is specifically used for acquiring original links captured from a network station group, where the network station group comprises at least one of the following: web pages, forums, or communication tool groups; performing N rounds of recursive analysis on the original link to obtain an analysis result, and determining whether the analysis result includes an application download link according to application download keywords; and if so, determining that the original link relates to application downloading, and taking the included application download link as the link to be identified.
The similar standard application acquisition module is specifically used for extracting an application name to be identified and an application icon to be identified from the attribute information to be identified; comparing the application name to be identified with the standard application name to obtain an application name comparison result; comparing the application icon to be identified with the standard application icon to obtain an application icon comparison result; and determining the similar standard application of the link to be identified according to the application name comparison result and/or the application icon comparison result.
The similar standard application acquisition module also comprises a first icon comparison unit, wherein the first icon comparison unit is used for carrying out binarization on the application icon to be identified to obtain a gray level application icon to be identified; comparing pixel points in the gray application icon to be identified with the standard gray application icon of any standard application; and if the number of the successfully compared pixel points is greater than the first pixel number threshold and less than the second pixel number threshold, taking the standard application as the similar standard application of the link to be identified.
The similar standard application acquisition module further comprises a second icon comparison unit, wherein the second icon comparison unit is used for extracting characters to be recognized in the application icons to be recognized based on an OCR technology; and comparing the characters to be recognized with the standard characters in the standard application icons of any standard application, and if the characters to be recognized and the standard characters have a complete inclusion relationship, taking the standard application as the similar standard application of the links to be recognized.
Optionally, the feature information to be identified includes at least one of the following feature information of the application to be identified: application signature, application size, or application file directory.
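The comparison of application signature, application size and application file directory against the similar standard application, as an added Python example that is not part of the patent text. It assumes the application is an APK handled as a ZIP archive, that the signature feature is a SHA-256 digest over the signature block files under META-INF/, and that any mismatch marks the link as counterfeit; build_apk and all sample contents are constructed.

```python
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def extract_features(apk_bytes):
    """Collect the three features named in the text from an APK (ZIP) image."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = sorted(apk.namelist())
        digest = hashlib.sha256()
        for name in names:
            # Assumption: the signing material is the JAR-style signature
            # block under META-INF/; APK Signature Scheme v2+ is not parsed.
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                digest.update(apk.read(name))
    return {
        "signature": digest.hexdigest(),
        "size": len(apk_bytes),
        "file_directory": names,
    }


def compare_features(candidate, standard, size_tolerance=0):
    """Return the names of the features that differ from the standard app."""
    mismatches = []
    if candidate["signature"] != standard["signature"]:
        mismatches.append("signature")
    if abs(candidate["size"] - standard["size"]) > size_tolerance:
        mismatches.append("size")
    if candidate["file_directory"] != standard["file_directory"]:
        mismatches.append("file_directory")
    return mismatches


def is_counterfeit(candidate_apk, standard_features):
    """Assumed rule: any feature mismatch marks the link as counterfeit."""
    return bool(compare_features(extract_features(candidate_apk), standard_features))


def build_apk(files):
    """Constructed helper: pack {name: bytes} into an uncompressed ZIP."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed sample packages; none of these bytes come from a real application.
GENUINE_FILES = {
    "AndroidManifest.xml": b"<manifest package='com.example.pay'/>",
    "classes.dex": b"constructed-dex-bytes",
    "META-INF/CERT.RSA": b"constructed-cert-A",
}
STANDARD_FEATURES = extract_features(build_apk(GENUINE_FILES))

# Same layout and length, but carrying a different (constructed) certificate.
RESIGNED_APK = build_apk({**GENUINE_FILES, "META-INF/CERT.RSA": b"constructed-cert-B"})
# Different certificate plus an extra file in the package.
REPACKED_APK = build_apk({
    **GENUINE_FILES,
    "META-INF/CERT.RSA": b"constructed-cert-B",
    "assets/extra.bin": b"constructed-extra",
})

if __name__ == "__main__":
    for label, apk in [("resigned", RESIGNED_APK), ("repacked", REPACKED_APK)]:
        print(label, compare_features(extract_features(apk), STANDARD_FEATURES))
```

The resigned sample shows why size and file directory alone are not enough: it matches the standard application on both and differs only in the signature digest.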
The detection device for the counterfeit application link can be used for realizing any detection algorithm of the counterfeit application link, and has corresponding functional modules and beneficial effects for executing the algorithm. For technical details that are not described in detail in this embodiment, reference may be made to the occlusion pattern recognition method provided in any embodiment of the present disclosure.
In the technical solution of the application, the collection, storage, use, processing, transmission, provision, disclosure and the like of the personal information of the users involved all comply with the relevant laws and regulations and do not violate public order and good customs.
Example five
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention, as shown in fig. 5, the electronic device 500 includes a processor 510, a memory 520, an input device 530, and an output device 540; the number of the processors 510 in the electronic device may be one or more, and one processor 510 is taken as an example in fig. 5; the processor 510, the memory 520, the input device 530 and the output device 540 in the electronic apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 5.
The memory 520 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the detection algorithm of the counterfeit application link in the embodiment of the present invention (for example, the link identification module 410, the to-be-identified application determination module 420, the similar standard application acquisition module 430, and the link detection module 440 in the detection apparatus of the counterfeit application link). The processor 510 executes various functional applications and data processing of the electronic device by executing software programs, instructions and modules stored in the memory 520, namely, implements the detection method of counterfeit application links described above.
The memory 520 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 71 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 71 may further include memory located remotely from the processor 70, which may be connected to the device/terminal/server via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 530 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic apparatus. The output device 540 may include a display device such as a display screen.
Example six
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, perform an algorithm for detection of counterfeit application links, the algorithm comprising:
if the original link relates to application downloading, determining a link to be identified;
processing according to the link to be identified to obtain the application to be identified, and determining attribute information to be identified and feature information to be identified of the application to be identified;
determining the similar standard application of the link to be identified according to the attribute information to be identified;
and determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the detection algorithm for counterfeit application links provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the above search apparatus, each included unit and module are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A detection algorithm for counterfeit application links, comprising:
if the original link relates to application downloading, determining a link to be identified;
processing according to the link to be identified to obtain the application to be identified, and determining attribute information to be identified and feature information to be identified of the application to be identified;
determining the similar standard application of the link to be identified according to the attribute information to be identified;
and determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
2. The method of claim 1, wherein determining the link to be identified if the original link involves an application download comprises:
acquiring original links captured from a network station group; the network station group comprises at least one of the following: web pages, forums, or communication tool groups;
performing N rounds of recursive analysis on the original link to obtain an analysis result, and determining whether the analysis result includes an application download link according to application download keywords;
if so, determining that the original link relates to application downloading, and taking the included application downloading link as the link to be identified.
3. The method according to claim 1, wherein the determining the similar standard application of the link to be identified according to the attribute information to be identified comprises:
extracting an application name to be identified and an application icon to be identified from the attribute information to be identified;
comparing the application name to be identified with the standard application name to obtain an application name comparison result;
comparing the application icon to be identified with the standard application icon to obtain an application icon comparison result;
and determining the similar standard application of the link to be identified according to the application name comparison result and/or the application icon comparison result.
4. The method according to claim 3, wherein comparing the application icon to be identified with the standard application icon to obtain an application icon comparison result comprises:
carrying out binarization on the application icon to be identified to obtain a gray level application icon to be identified;
comparing pixel points in the gray application icon to be identified with the standard gray application icon of any standard application;
and if the number of the successfully compared pixel points is greater than the first pixel number threshold and less than the second pixel number threshold, taking the standard application as the similar standard application of the link to be identified.
5. The method according to claim 3, wherein comparing the application icon to be identified with the standard application icon to obtain an application icon comparison result comprises:
extracting characters to be recognized in the application icons to be recognized based on an OCR technology;
and comparing the characters to be recognized with the standard characters in the standard application icons of any standard application, and if the characters to be recognized and the standard characters have a complete inclusion relationship, taking the standard application as the similar standard application of the links to be recognized.
6. The method according to claim 1, wherein the feature information to be identified comprises at least one of the following feature information of an application to be identified: application signature, application size, or application file directory.
7. A counterfeit application link detection apparatus, comprising:
the link identification module is used for determining the link to be identified if the original link relates to application downloading;
the to-be-identified application determining module is used for processing according to the to-be-identified link to obtain the to-be-identified application and determining to-be-identified attribute information and to-be-identified characteristic information of the to-be-identified application;
the similar standard application acquisition module is used for determining the similar standard application of the link to be identified according to the attribute information to be identified;
and the link detection module is used for determining whether the link to be identified is a counterfeit application link according to the feature information to be identified and the standard feature information of the similar standard application.
8. The apparatus of claim 7, wherein the link identification module is specifically configured to:
acquiring original links captured from a network station group; the network station group comprises at least one of the following: web pages, forums, or communication tool groups;
performing N rounds of recursive analysis on the original link to obtain an analysis result, and determining whether the analysis result includes an application download link according to application download keywords;
if so, determining that the original link relates to application downloading, and taking the included application downloading link as the link to be identified.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the counterfeit application link detection algorithm of any of claims 1-6.
10. A storage medium containing computer executable instructions, wherein the computer executable instructions, when executed by a computer processor, are for performing the detection algorithm for counterfeit application links according to any of claims 1-6.
CN202210013019.4A 2022-01-07 2022-01-07 Detection algorithm, device, electronic equipment and storage medium for counterfeit application link Withdrawn CN114422221A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210013019.4A CN114422221A (en) 2022-01-07 2022-01-07 Detection algorithm, device, electronic equipment and storage medium for counterfeit application link

Publications (1)

Publication Number Publication Date
CN114422221A true CN114422221A (en) 2022-04-29

Family

ID=81271003

Country Status (1)

Country Link
CN (1) CN114422221A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220429
