WO2015120756A1 - Method and device for identifying security of application process - Google Patents

Method and device for identifying security of application process

Info

Publication number
WO2015120756A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
feature
change
application
security
Application number
PCT/CN2015/070361
Other languages
French (fr)
Chinese (zh)
Inventor
李宇
温铭
张家柱
郑振宇
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority claimed from CN201410051841.5A external-priority patent/CN104850775B/en
Priority claimed from CN201410076768.7A external-priority patent/CN104899515B/en
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Publication of WO2015120756A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Definitions

  • the present invention relates to Internet technologies, and in particular, to an authentication method for application security, and an authentication device for application security.
  • "cloud" is a metaphor for the Internet and the network; it represents an abstraction of the Internet and its underlying infrastructure. Cloud security systems can be roughly divided into public cloud security systems and private cloud security systems.
  • a public cloud security system usually refers to a cloud security system that a third-party vendor provides to external users directly through its own infrastructure.
  • a private cloud security system is placed in a private environment: for example, an enterprise, government or other organization builds it in its own equipment room, or an operator builds it and leases the whole system to one organization. Users outside the organization cannot access or use it.
  • private cloud security systems are built by an organization to give it the most effective control over data, security, and quality of service.
  • a private cloud security system is applicable to a fully enclosed enterprise intranet environment, and is composed of multiple terminals and a server that manages the terminals.
  • the terminal can upload the identifier of an application to be authenticated to the server; the server authenticates the application according to the correspondence between program identifiers and their security saved in its local security authentication database, and returns the authentication result to the terminal, thereby realizing security management of the terminal.
  • the security authentication database of the private cloud security system is updated from the public cloud security system, so some programs specific to the intranet may not be authenticated by it. In that case the server needs to obtain other files of the program from the terminal for security authentication. If the related files of the program have been lost on the original terminal for some reason (for example, some virus files delete all of their related files after running), the program cannot be authenticated securely.
  • the present invention has been made in order to provide an authentication method for application security and an authentication device for application security that overcome the above problems or at least partially solve the above problems.
  • an authentication method for application security including:
  • the feature server receives an authentication request of the first feature terminal for the security of the application;
  • the feature server is a server that performs security management on the first feature terminal and the second feature terminal based on an intranet;
  • the present invention provides a method for changing the security of an application, including:
  • the first feature server authenticates the security of an application of the feature terminal, and sends the authenticated security to the feature terminal for saving.
  • the first feature server is a server that the feature terminal can access through the intranet;
  • an authentication method for application security including:
  • the second feature terminal receives an acquisition request, sent by the feature server, for the executable file corresponding to the application; the acquisition request is sent after the feature server receives the authentication request of the first feature terminal for the security of the application.
  • the acquisition request carries the unique identification information of the application; the executable file records the operation behavior of the application when it is running; and the feature server is a server that performs security management on the first feature terminal and the second feature terminal based on the intranet;
  • an apparatus for authenticating application security including:
  • a program authentication request module configured to receive, by the feature server, an authentication request of the first feature terminal for the security of the application;
  • a first executable file requesting module configured to send, to at least one second feature terminal, an acquisition request for an executable file corresponding to the application, where the acquisition request carries unique identification information of the application, the executable file records an operation behavior of the application when the application is running, and the feature server is a server that performs security management on the first feature terminal and the second feature terminal based on an intranet;
  • an executable file receiving module configured to receive the executable file corresponding to the application that the second feature terminal searched for according to the unique identification information;
  • a first security authentication module configured to authenticate the security of the application according to the executable file.
  • the present invention provides an apparatus for changing the security of an application, comprising:
  • a security authentication module configured to identify, by the first feature server, the security of the application of the feature terminal, and send the authenticated security to the feature terminal for saving, where the first feature server is a server that the feature terminal can access through the intranet;
  • a change acquisition request receiving module configured to receive an acquisition request of the feature terminal for multiple change files, where the change files are used to correct the security of applications saved by the feature terminal;
  • a file extraction module configured to extract the multiple change files according to the acquisition request, where each change file carries a corresponding file processing level;
  • a file classification module configured to classify the multiple extracted change files according to their different file processing levels;
  • a file sending module configured to send the change files separately to the feature terminal according to the classification, so that the feature terminal processes change files of different file processing levels in different manners.
  • an apparatus for authenticating application security including:
  • an acquisition request receiving module configured to receive, by the second feature terminal, an acquisition request for the executable file corresponding to the application sent by the feature server, where the acquisition request is sent after the feature server receives the authentication request of the first feature terminal for the application, the acquisition request carries unique identification information of the application, the executable file records an operation behavior of the application when the application is running, and the feature server is a server that performs security management on the first feature terminal and the second feature terminal based on an intranet;
  • an executable file searching module configured to locally search for the executable file corresponding to the application according to the unique identification information, and send the executable file to the feature server so that the security of the application is authenticated according to the executable file.
  • the present invention provides a program comprising readable code that, when executed on a terminal device, causes the terminal device to perform the method of authenticating the application security.
  • the present invention provides a readable medium in which the program is stored.
  • after receiving the authentication request of the first feature terminal for application security, the second feature terminal is requested to provide the executable file of the application, so that the security of the application can be identified according to the executable file.
  • the executable file can thus also be searched for on a second feature terminal different from the first feature terminal.
  • the terminal does not actively upload the executable file; the server requests it from the terminal only when needed. Therefore the terminal does not need to upload the executable files of all applications of unknown security, only when required, which saves network bandwidth and server disk space.
  • FIG. 1 shows a flow chart of an authentication method for application security according to an embodiment of the present invention.
  • FIG. 2 is a flow chart showing an authentication method of application security according to another embodiment of the present invention.
  • FIG. 3 is a block diagram showing the structure of an authentication device for application security according to an embodiment of the present invention.
  • FIG. 4 is a block diagram showing the structure of an authentication device for application security according to another embodiment of the present invention.
  • FIG. 5 is a flow chart showing a method for changing the security of an application according to an embodiment of the present invention.
  • FIG. 6 is a flow chart showing a method for changing the security of an application according to another embodiment of the present invention.
  • FIG. 7 is a block diagram showing the structure of a device for changing the security of an application according to an embodiment of the present invention.
  • FIG. 8 is a block diagram showing the structure of a device for changing the security of an application according to another embodiment of the present invention.
  • Figure 9 shows a block diagram of a server configured to perform the method according to the present invention.
  • Figure 10 illustrates a memory unit configured to hold or carry program code that implements the method in accordance with the present invention.
  • Embodiments of the invention may be applied to computer systems/servers that operate with numerous other general purpose or special purpose computing system environments or configurations.
  • examples of well-known computing systems, environments, and/or configurations suitable for use with such computer systems/servers include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, small computer systems, mainframe computer systems, distributed cloud computing environments including any of the above, and the like.
  • the computer system/server can be described in the general context of computer system executable instructions (such as program modules) being executed by a computer system.
  • program modules may include routines, programs, target programs, components, logic, data structures, and the like that perform particular tasks or implement particular abstract data types.
  • the computer system/server can be implemented in a distributed cloud computing environment where tasks are performed by remote processing devices that are linked through a communication network.
  • program modules may be located on a local or remote computing system storage medium including storage devices.
  • referring to FIG. 1, a flowchart of an authentication method for application security according to an embodiment of the present invention is shown, which may specifically include:
  • Step 101, the first feature server receives an authentication request of the first feature terminal for the security of the application.
  • the first feature server is a server accessible by a specific terminal, that is, a private cloud security system.
  • the private cloud security system is mostly installed in the intranet of the enterprise, and can manage each terminal of the intranet.
  • the specific terminal that can access the private cloud security system and the first feature server are in the same intranet.
  • the first feature terminal and the second feature terminal are names used to distinguish two different specific terminals: the second feature terminal and the first feature terminal are two different terminals in the same network, and both can access the first feature server through the intranet.
  • the first feature terminal may send an authentication request for the application to the first feature server, requesting the first feature server to authenticate the security of the application.
  • the application may be an application that the first feature terminal is downloading, installing, starting, or has saved.
  • the first feature terminal may request the first feature server to authenticate the security of the application in multiple scenarios: when downloading the application, when installing it, when it is launched by clicking an application shortcut or a program file, or, where the first feature terminal stores multiple applications locally, periodically at a certain frequency for the saved applications.
  • Step 102, sending, to at least one second feature terminal, an acquisition request for an executable file corresponding to the application, where the acquisition request carries unique identification information of the application, and the executable file records the operation behavior of the application when it is running.
  • the first feature server is a server that performs security management on the first feature terminal and the second feature terminal based on the intranet.
  • after receiving the authentication request sent by the first feature terminal, the system further requests the executable file corresponding to the application, in order to perform security identification according to the executable file. For various reasons, the executable file of the application is often lost on the original terminal.
  • the present method therefore obtains the original file from the entire local area network: unlike other methods, the executable file is requested from a second feature terminal different from the first feature terminal.
  • an executable file is a file that records the operation behavior of an application when it runs; it can be the application file itself or part of the application file, or another file that characterizes the operation behavior of the application at runtime.
  • the application file can be an executable file (PE file).
  • a PE file is a program file on the Microsoft Windows operating system.
  • the common EXE, DLL, OCX, SYS, and COM files are PE files.
  • each application has a corresponding PE file.
  • the acquisition request for the executable file of the application may be sent to one or more second feature terminals. When the acquisition request is sent to only one second feature terminal, that terminal may not have the executable file either, and the request would have to be sent again; therefore it is preferable to send the acquisition request for the executable file to a plurality of second feature terminals.
  • the unique identification information is a hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application.
  • the PE file is composed of an MS-DOS executable body, a file header, an optional header, a data directory, a section header, and a section.
  • the keywords of each structure in the file header of the PE file may be used as preset keywords to determine whether each file corresponding to the application is an application file.
  • the unique HASH value of the executable file can then be calculated with the MD5 algorithm (Message Digest Algorithm 5).
  • a typical application of the MD5 algorithm is to generate a message digest for a piece of information, so that a large amount of information is "compressed" into a confidential format before the private key is applied to it by digital signature software; that is, a byte string of arbitrary length is transformed into a hexadecimal string of fixed length, to ensure that the information is transmitted completely and consistently and to prevent tampering.
  • the unique 32-bit HASH value of the executable file WINWORD.EXE is calculated to be 54525786F76E6CD2BA29E2B7B1B28939.
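The two identification steps above, checking the PE file-header keywords and hashing the whole file, as an added example (not code from the patent or its assignee). The sample bytes are a constructed minimal PE header plus filler, not a real executable; the constant names follow the Windows PE layout (DOS signature, e_lfanew at offset 0x3C, NT signature, IMAGE_FILE_HEADER, optional-header magic). MD5 yields a 128-bit digest that prints as 32 hexadecimal characters; because MD5 collisions are practical today, the helper also accepts another hashlib algorithm name so a deployment can record SHA-256 alongside.

```python
"""Recognise a PE application file by its header keywords and derive the
unique identification information (hash of the executable).
Added example; SAMPLE_PE is constructed, not a real program."""
import hashlib
import struct
from typing import Optional

DOS_MAGIC = b"MZ"           # IMAGE_DOS_SIGNATURE
PE_MAGIC = b"PE\x00\x00"    # IMAGE_NT_SIGNATURE
E_LFANEW_OFFSET = 0x3C      # pointer to the NT headers inside the DOS header
FILE_HEADER_SIZE = 20       # IMAGE_FILE_HEADER is 20 bytes
PE32, PE32_PLUS = 0x010B, 0x020B   # optional-header magic values


def parse_pe_header(data: bytes) -> Optional[dict]:
    """Return the file-header keywords if `data` has the PE structure, else None."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    nt_end = e_lfanew + len(PE_MAGIC) + FILE_HEADER_SIZE
    if nt_end + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return None
    machine, sections, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", data, nt_end)
    return {"machine": machine, "sections": sections, "optional_header_size": opt_size,
            "characteristics": chars, "optional_magic": opt_magic}


def is_application_file(data: bytes) -> bool:
    """The 'preset keyword' check: DOS signature, NT signature and a known optional-header magic."""
    header = parse_pe_header(data)
    return header is not None and header["optional_magic"] in (PE32, PE32_PLUS)


def unique_id(data: bytes, algorithm: str = "md5") -> str:
    """Hash of the whole executable used as the unique identification information."""
    return hashlib.new(algorithm, data).hexdigest()


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: 64-byte DOS header, NT headers, filler body."""
    dos_header = DOS_MAGIC + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    file_header = PE_MAGIC + struct.pack(
        "<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, EXECUTABLE|32BIT
    optional_header = struct.pack("<H", PE32) + b"\x00" * 222
    return dos_header + file_header + optional_header + b"constructed sample body"


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(parse_pe_header(SAMPLE_PE))
    print("application file:", is_application_file(SAMPLE_PE))
    print("md5   :", unique_id(SAMPLE_PE))
    print("sha256:", unique_id(SAMPLE_PE, "sha256"))
```

A terminal that keeps the unique id to save-path correspondence described later in the text would run `unique_id` over each PE file once and store the result; the server never needs the file itself to look the id up.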
  • the unique identification information may also be digital certificate information that uniquely identifies the publisher of the application.
  • digital certificate information is part of a digital signature; a digital signature identifies the publisher of the software by means of digital certificate information and a code signing certificate issued by a root certification authority trusted by Windows.
  • it guarantees that the software code comes from the real publisher and that the software code has not been illegally tampered with.
  • the digital certificate information of different application publishers differs, so the digital certificate information uniquely identifies the publisher of the application.
  • the digital signature consists of the encrypted hash value of the executable file of the application and the digital certificate information of the publisher.
  • for example, the publisher's digital certificate information contained in the digital signature of the executable WINWORD.EXE is Microsoft Code Signing PCA.
  • Step 103 Search for an executable file corresponding to the application according to the unique identifier information, and identify the security of the application according to the executable file.
  • when the unique identification information is the hash value of the executable file of the application, it uniquely identifies the application, and the corresponding application can be uniquely determined from it; when the unique identification information is digital certificate information that uniquely identifies the publisher of the application, and only one application of that publisher exists in the private cloud security system, the corresponding application can likewise be uniquely determined from it.
  • when the application exists on the second feature terminal, the second feature terminal determines the corresponding application from the unique identification information, further finds the corresponding executable file, and returns the executable file to the feature server for security authentication.
  • the security of the application may be determined by analyzing the executable file, or the executable file may be uploaded to the server side of the public cloud security system for further analysis; the specific analysis method may adopt any prior-art technique, and the invention is not limited in this respect.
  • after receiving the authentication request of the first feature terminal for application security, the second feature terminal is requested to provide the executable file of the application, so that the security of the application is identified according to the executable file. Therefore, if the executable file has been lost on the first feature terminal, it can still be searched for as widely as possible within the internal network by using a second feature terminal different from the first feature terminal, which avoids the file-loss case as far as possible. And because the terminal does not actively upload the executable file, but the server requests it from the terminal only when needed, the terminal does not have to upload the executable files of all applications of unknown security; uploading only when required saves network bandwidth and server disk space.
  • the step of authenticating the security of the application according to the executable file may further include:
  • Sub-step S11, determining whether the operation behavior of the application recorded by the executable file has a target behavior characteristic, so as to identify the security of the application; the target behavior characteristic is a behavioral characteristic of a virus file at runtime.
  • virus files have some common destructive behaviors at runtime, such as repeatedly copying their own code, rewriting system files, and sending data to the outside world over the network.
  • the most basic action of a virus is to copy itself: it attaches the virus code to other program files not yet infected or to other files related to the computer's execution, or copies itself to key parts of the computer system so that it gets frequent opportunities to execute and can even take control first when the computer boots; or it copies itself to removable storage media so that it can propagate to other computers.
  • a vicious virus performs various destructive operations, such as rewriting system files and maliciously deleting or destroying various useful files on the computer system. These malicious operations can cause the loss of critical information in the system or the destruction of important programs, eventually leading to the collapse of the computer system.
  • some viruses also automatically connect to the external network and continuously send data to a fixed external IP address, which affects the security of the computer.
  • the executable file of the application records the operation behavior of the application at runtime, so whether the operation behavior recorded by the executable file has the behavior characteristics of a virus can be determined by analysis, and from that whether the application is safe. Destructive operation behavior generally includes unconventional operations on the computer system or operations that cause malicious results, such as connecting to the external network to send data, performing multiple copies of code, or accessing and rewriting system files; it can also include other kinds of virus behavior characteristics.
  • the sub-step S11 may specifically include:
  • Sub-step S11-1, disassembling the executable file of the application to obtain the assembly source corresponding to the application;
  • Sub-step S11-2, analyzing whether the operation behavior of the assembly source at runtime has a target behavior characteristic, where the target behavior characteristic is a behavior characteristic of a virus file at runtime: if the operation behavior of the assembly source at runtime has at least one target behavior characteristic, the security of the application is a dangerous file; if it has none of the target behavior characteristics, the security of the application is a security file.
  • Disassembly is the process of turning object code into assembly code.
  • the program is written in a high-level language such as C, Pascal, etc., and then compiled to generate executable files that can be directly executed by the computer system.
  • disassembly means translating the machine language of these executable files back into assembly language or another high-level language.
  • the source code corresponding to the application can be obtained by disassembling the executable file.
  • the executable file records the behavior characteristics of the application at runtime, and the recorded operation behavior can be obtained by analyzing the source code: if the operation behavior of the application has at least one target behavior characteristic of a virus, the security of the application is determined to be a dangerous file; if it has no target behavior characteristic, the security of the application is a security file.
  • when determining whether the operation behavior of the application has the target behavior characteristic, a virtual operating environment may be created inside the real operating system by software, so that the data and running results of that environment are completely isolated from the real operating system.
  • the source code is run in that environment, the operation behavior of the application is recorded, and the behavioral characteristics of that operation behavior are analyzed and then compared with the target behavior characteristics.
  • the instruction or instruction set corresponding to each destructive virus behavior may be preset, and during the judgment the instructions or instruction sets contained in the application source code are extracted. Because a destructive behavior of a virus consists of a series of instructions or instruction sets that perform destructive operations, and each such instruction or instruction set produces at least one independent destructive operation behavior, if the application's instructions contain at least one instruction code corresponding to a virus, the application is known to have virus-like operation behavior; if they contain no instruction code corresponding to a virus, the security of the application can be determined to be a security file.
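Sub-steps S11-1/S11-2 and the preset-instruction-set matching just described, as an added example that is not the patent's implementation: it extracts the `call` targets from a disassembly listing and checks each preset "target behavior characteristic" (an ordered sequence of API calls) against them. The two listings and the rule table are constructed; real rule sets would also constrain operands (for instance the path written to), which this toy does not.

```python
"""Match the call sequence of a disassembly listing against preset target
behaviour characteristics (sub-step S11-2). Added example; listings and rule
table are constructed and deliberately simplified."""
import re
from typing import Dict, List, Sequence, Tuple

# Preset instruction sets for the destructive behaviours the text names:
# self-copying, rewriting system files, sending data out over the network.
# Each is an ordered sequence of called APIs; illustrative only.
TARGET_BEHAVIOURS: Dict[str, Sequence[str]] = {
    "self_replication": ("GetModuleFileNameW", "CopyFileW"),
    "system_file_rewrite": ("CreateFileW", "WriteFile"),
    "network_send": ("connect", "send"),
}

# "<address>: call [module!]<symbol>"; the module prefix is optional.
CALL_RE = re.compile(r"^\s*[0-9A-Fa-f]+:\s+call\s+(?:\w+!)?(\w+)")


def extract_calls(listing: str) -> List[str]:
    """Pull the called symbols, in program order, out of a disassembly listing."""
    calls = []
    for line in listing.splitlines():
        match = CALL_RE.match(line)
        if match:
            calls.append(match.group(1))
    return calls


def contains_in_order(calls: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every step of `pattern` appears in `calls` in that order (gaps allowed)."""
    remaining = iter(calls)
    return all(any(call == step for call in remaining) for step in pattern)


def matched_behaviours(listing: str) -> List[str]:
    calls = extract_calls(listing)
    return [name for name, pattern in TARGET_BEHAVIOURS.items()
            if contains_in_order(calls, pattern)]


def classify(listing: str) -> Tuple[str, List[str]]:
    """At least one target behaviour -> dangerous file; none -> security file."""
    hits = matched_behaviours(listing)
    return ("dangerous file" if hits else "security file"), hits


# Constructed listings in a generic "address: mnemonic operands" layout.
SUSPICIOUS_LISTING = """\
00401000: push 104h
00401005: call kernel32!GetModuleFileNameW
0040100A: push 0
0040100C: call kernel32!CopyFileW
00401011: call ws2_32!connect
00401016: call ws2_32!send
"""

BENIGN_LISTING = """\
00401000: call kernel32!GetModuleFileNameW
00401005: call user32!MessageBoxW
"""

if __name__ == "__main__":
    print(classify(SUSPICIOUS_LISTING))
    print(classify(BENIGN_LISTING))
```

Ordered-subsequence matching is what makes a single shared API (here `GetModuleFileNameW`, which benign programs call constantly) insufficient on its own: the benign listing shares the first step of the self-replication pattern but never completes it.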
  • the authentication request may carry unique identification information of the application, where the unique identification information is a hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application, so that the first feature server can authenticate the application according to the unique identification information.
  • the first feature server is configured with a security identification database that includes the unique identification information of the application and the security correspondence.
  • the method may further include:
  • the first feature server determines that the unique identification information does not exist in the security authentication database, or finds, according to the unique identification information, that the security corresponding to the application in the security authentication database is a non-secure file.
  • the private cloud security system is deployed in a closed intranet environment and may use some applications that are dedicated to the intranet and not used on the external network; because the security authentication database of the private cloud security system is updated from the public cloud security system, the security authentication database may not be able to authenticate the application requesting authentication.
  • the first feature server searches the security authentication database for the unique identification information of the application and may determine that the unique identification information does not exist there; in that case the executable file of the application may be further requested for security authentication.
  • the executable file corresponding to the application may likewise be further requested when the security found in the security authentication database is a non-secure file.
  • the security of an application is divided into secure files, unknown files, and disabled files; when the application is not found to be a secure file, the executable file is further requested.
  • the types and the number of security classifications may also be set as needed, and the present invention does not limit this.
  • before the step of sending the acquisition request for the executable file corresponding to the application to the at least one second feature terminal, the method may further include:
  • before the executable file is requested from the second feature terminal, it may first be requested from the first feature terminal; when the first feature terminal does not have the executable file, it returns a message to the first feature server that the file does not exist, and the first feature server then further requests the executable file from the second feature terminal.
  • the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the step of receiving the executable file corresponding to the application that the second feature terminal searched for according to the unique identification information includes:
  • Sub-step S21 Receive an executable file that is extracted by the second feature terminal according to the unique identification information and the corresponding relationship, and is extracted according to the save path.
  • the second feature terminal may record the save path of the executable file of the application, and record a correspondence between that save path and the unique identification information of the application, so that the save path of the executable file on the second feature terminal can be found in the correspondence according to the unique identification information of the application, and the executable file can be extracted from that save path.
  • referring to FIG. 2, a flowchart of an authentication method for application security according to another embodiment of the present invention is shown, which may specifically include:
  • Step 201, the second feature terminal receives an acquisition request, sent by the first feature server, for the executable file corresponding to the application; the acquisition request is sent after the first feature server receives the authentication request of the first feature terminal for the application.
  • the acquisition request carries unique identification information of the application; the executable file records the operation behavior of the application when it is running; and the first feature server is a server that performs security management on the first feature terminal and the second feature terminal based on the intranet.
  • Step 202, searching locally for the executable file corresponding to the application according to the unique identification information, and sending the executable file to the first feature server so that the security of the application is identified according to the executable file.
  • the unique identification information is a hash value of an executable file of the application, or digital certificate information that uniquely identifies a publisher of the application.
  • Optionally, the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the step of searching locally for the executable file corresponding to the application according to the unique identification information includes:
  • Sub-step S31: determining, according to the unique identification information and the correspondence, the save path of the executable file on the second feature terminal;
  • Sub-step S32: extracting the executable file corresponding to the application from that save path.
  • Optionally, the method further includes the following. The first feature server may request the executable file from more than one second feature terminal, and more than one of them may hold it, but only one needs to upload it.
  • Therefore, after a second feature terminal finds the executable file, it first sends a query request for the executable file to the first feature server. If the first feature server has not yet received the executable file from another second feature terminal, it notifies the querying second feature terminal, which then uploads the executable file. If the first feature server has already received the executable file from another second feature terminal, it notifies the querying terminal that the file has been received, and that terminal does not upload it again. This avoids the bandwidth wasted when several terminals upload the same file repeatedly.
  • In the embodiment of the present invention, after receiving the first feature terminal's authentication request for the security of the application, the first feature server requests the executable file of the application from the second feature terminal so as to authenticate the security of the application according to the executable file. Thus, even when the executable file on the first feature terminal has been lost, it can still be found on a second feature terminal different from the first feature terminal.
  • Furthermore, a terminal does not upload the executable file on its own initiative; the server requests it from the terminal only when it is needed. A terminal therefore does not have to upload the executable files of every application of unknown security, which saves network bandwidth and server disk space.
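  • The retrieval exchange of Steps 201 and 202 and the upload query described above, as an added Python example that is not code from the patent: it models the first feature server and several second feature terminals in memory, uses the SHA-256 of the file as the unique identification information, and adds one check the text does not mention, namely re-hashing the file at extraction time so that a file altered since its path was recorded is not uploaded under the old identity. The class names, temporary paths and file bytes are assumptions made for the demo.

```python
# Added example (not part of the patent): an in-memory model of the executable
# retrieval of FIG. 2, using the SHA-256 of the file as the unique
# identification information. Class names, paths and file bytes are
# constructed for this demo.
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple


def unique_id(data: bytes) -> str:
    """Unique identification information: hash of the executable's bytes."""
    return hashlib.sha256(data).hexdigest()


class SecondFeatureTerminal:
    """Keeps the (unique id -> save path) correspondence and serves files on request."""

    def __init__(self, name: str):
        self.name = name
        self.path_by_id: Dict[str, str] = {}

    def record(self, path: str) -> str:
        """Record the save path of an executable under its unique id."""
        with open(path, "rb") as fh:
            uid = unique_id(fh.read())
        self.path_by_id[uid] = path
        return uid

    def find(self, uid: str) -> Optional[bytes]:
        """Sub-steps S31/S32: resolve the save path, then extract the file."""
        path = self.path_by_id.get(uid)
        if path is None or not os.path.isfile(path):
            return None  # reply "file does not exist"
        with open(path, "rb") as fh:
            data = fh.read()
        # Check not stated in the patent: re-hash the bytes actually read, so a
        # file overwritten since it was recorded is not uploaded under the old
        # identity and fed into the security decision.
        return data if unique_id(data) == uid else None


class FirstFeatureServer:
    """Asks each terminal for the file; only the first one to have it uploads."""

    def __init__(self, terminals: List[SecondFeatureTerminal]):
        self.terminals = terminals
        self.received: Dict[str, bytes] = {}

    def fetch(self, uid: str) -> Tuple[Optional[bytes], int]:
        """Return (file bytes or None, number of uploads the server accepted)."""
        uploads = 0
        for term in self.terminals:
            data = term.find(uid)
            if data is None:
                continue  # this terminal does not have the file
            # Query request: the terminal asks before uploading; the server
            # answers "send it" only if no other terminal has delivered it yet.
            if uid in self.received:
                continue  # "already received": nothing is uploaded again
            self.received[uid] = data
            uploads += 1
        return self.received.get(uid), uploads


def demo() -> Dict[str, object]:
    """Three terminals record the same file; the third copy is altered afterwards."""
    payload = b"MZ\x90\x00constructed-sample-executable"
    with tempfile.TemporaryDirectory() as tmp:
        terminals = [SecondFeatureTerminal(f"t{i}") for i in range(3)]
        paths = [os.path.join(tmp, f"t{i}", "app.exe") for i in range(3)]
        uid = ""
        for term, path in zip(terminals, paths):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as fh:
                fh.write(payload)
            uid = term.record(path)
        with open(paths[2], "wb") as fh:  # terminal t2's copy changes on disk
            fh.write(payload + b"\x00patched")
        server = FirstFeatureServer(terminals)
        data, uploads = server.fetch(uid)
        missing, missing_uploads = server.fetch(unique_id(b"nobody has this"))
        return {
            "uid": uid,
            "got_original": data == payload,
            "uploads": uploads,
            "tampered_rejected": terminals[2].find(uid) is None,
            "missing": missing is None and missing_uploads == 0,
        }
```

  • Running demo() shows the de-duplication at work: terminals t0 and t1 both hold the file, but only one upload is accepted; t2's altered copy fails the re-hash and is treated as absent; a hash that no terminal holds produces no upload at all.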
  • Referring to FIG. 3, a block diagram of an apparatus for authenticating application security according to an embodiment of the present invention is shown. The apparatus may specifically include the following modules:
  • An authentication request receiving module 301, configured to receive, at the first feature server, the first feature terminal's authentication request for the security of the application;
  • A first executable file requesting module 302, configured to send, to at least one second feature terminal, an acquisition request for the executable file corresponding to the application, where the acquisition request carries the unique identification information of the application, the executable file records the operation behaviour of the application at runtime, and the first feature server is a server that performs security management on the first feature terminal and the second feature terminal over an intranet;
  • An executable file receiving module, configured to receive the executable file that the second feature terminal found according to the unique identification information;
  • A first security authentication module, configured to authenticate the security of the application according to the executable file.
  • the unique identification information is a hash value of an executable file of the application, or digital certificate information that uniquely identifies a publisher of the application.
  • Optionally, the authentication request carries the unique identification information of the application, and the first feature server is preset with a security authentication database that stores correspondences between the unique identification information of applications and their security. The apparatus further includes:
  • A second security authentication module, configured to determine, at the first feature server, that the unique identification information does not exist in the security authentication database, or that the security found in the security authentication database according to the unique identification information indicates that the application is not a secure file.
  • Optionally, the apparatus further includes a second executable file requesting module, configured to send, to the first feature terminal, an acquisition request for the executable file corresponding to the application, and to receive the message fed back by the first feature terminal that the executable file does not exist.
  • Optionally, the first security authentication module is specifically configured to analyse whether the operation behaviour of the application recorded in the executable file has a target behaviour feature, so as to authenticate the security of the application, where the target behaviour feature is a behavioural characteristic of a virus file at runtime.
  • Optionally, the first security authentication module includes a submodule that determines the security of the application to be a dangerous file when the operation behaviour has the target behaviour feature, and a submodule that determines the security of the application to be a secure file when it does not.
  • Optionally, the target behaviour feature includes connecting to an external network to send data, copying its own code multiple times, or accessing and rewriting system files.
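  • The analysis of a recorded operation behaviour against the three target behaviour features just listed, as an added Python example that is not code from the patent. The event record format, the system directories, the threshold of three self-copies and the two sample behaviour records are all assumptions constructed for the demo; the patent does not specify any of them.

```python
# Added example (not part of the patent): checking a recorded operation
# behaviour for the three target behaviour features named in the text.
# Event format, system directories, threshold and sample records are assumed.
import ipaddress
from typing import Dict, List, Tuple

# Assumed locations of system files (case-insensitive prefix match).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "/usr/bin/", "/etc/", "/boot/")
# "copies its code multiple times": assumed threshold.
SELF_COPY_THRESHOLD = 3


def is_external_send(ev: Dict) -> bool:
    """True when data leaves for a globally routable address."""
    try:
        ip = ipaddress.ip_address(ev["dst"])
    except ValueError:
        return False
    return ip.is_global and ev.get("bytes_out", 0) > 0


def analyse(events: List[Dict], image_path: str) -> Tuple[str, List[str]]:
    """Return ('dangerous' | 'secure', sorted list of matched target features)."""
    hits = set()
    self_copies = 0
    image = image_path.lower()
    for ev in events:
        op = ev["op"]
        if op == "net_send" and is_external_send(ev):
            hits.add("external_network_send")
        elif op == "file_copy" and ev["src"].lower() == image:
            self_copies += 1
            if self_copies >= SELF_COPY_THRESHOLD:
                hits.add("self_copy_multiple")
        elif op == "file_write" and ev["path"].lower().startswith(SYSTEM_DIRS):
            hits.add("system_file_rewrite")
    return ("dangerous" if hits else "secure"), sorted(hits)


# Constructed behaviour records (not real samples).
BENIGN = [
    {"op": "file_write", "path": "C:\\Users\\alice\\notes.txt"},
    {"op": "net_send", "dst": "10.0.0.12", "bytes_out": 512},   # intranet only
    {"op": "file_copy", "src": "C:\\Users\\alice\\notes.txt", "dst": "D:\\bak\\notes.txt"},
]
SUSPICIOUS = [
    {"op": "file_copy", "src": "C:\\Temp\\app.exe", "dst": "C:\\Users\\alice\\a.exe"},
    {"op": "file_copy", "src": "C:\\Temp\\app.exe", "dst": "D:\\b.exe"},
    {"op": "file_copy", "src": "C:\\Temp\\app.exe", "dst": "E:\\c.exe"},
    {"op": "file_write", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"op": "net_send", "dst": "93.184.216.34", "bytes_out": 4096},  # public address
]
```

  • The private address in the benign record is deliberately not counted as "connecting to an external network": ipaddress.is_global is False for RFC 1918 and other special-purpose ranges, so only traffic that actually leaves the intranet trips the feature.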
  • Optionally, the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the executable file receiving module is configured to receive the executable file that the second feature terminal located by determining its save path from the unique identification information and the correspondence, and extracted from that save path.
  • Referring to FIG. 4, a block diagram of an apparatus for authenticating application security according to an embodiment of the present invention is shown. The apparatus may specifically include the following modules:
  • An acquisition request receiving module 401, configured to receive, at the second feature terminal, the acquisition request for the executable file corresponding to the application sent by the first feature server, where the acquisition request is sent after the first feature server receives the first feature terminal's authentication request for the security of the application and carries the unique identification information of the application; the executable file records the operation behaviour of the application at runtime, and the first feature server is a server that performs security management on the first feature terminal and the second feature terminal over an intranet;
  • An executable file searching module 402, configured to search locally for the executable file corresponding to the application according to the unique identification information, and to send the executable file to the first feature server so that the first feature server authenticates the security of the application according to the executable file.
  • the unique identification information is a hash value of an executable file of the application, or digital certificate information that uniquely identifies a publisher of the application.
  • Optionally, the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the executable file searching module includes:
  • A path determining submodule, configured to determine, according to the unique identification information and the correspondence, the save path of the executable file on the second feature terminal;
  • An executable file extraction submodule, configured to extract the executable file corresponding to the application from that save path.
  • Optionally, the apparatus further includes:
  • A query request sending module, configured to send a query request for the executable file to the first feature server;
  • A message receiving module, configured to receive the message sent by the first feature server indicating that the executable file has not yet been received from another second feature terminal.
  • In the embodiment of the present invention, after receiving the first feature terminal's authentication request for the security of the application, the first feature server requests the executable file of the application from the second feature terminal so as to authenticate the security of the application according to the executable file. Thus, even when the executable file on the first feature terminal has been lost, it can still be found on a second feature terminal different from the first feature terminal.
  • Furthermore, a terminal does not upload the executable file on its own initiative; the server requests it from the terminal only when it is needed. A terminal therefore does not have to upload the executable files of every application of unknown security, which saves network bandwidth and server disk space.
  • Referring to FIG. 5, a flowchart of a method for changing the security of an application according to an embodiment of the present invention is shown. The method may specifically include:
  • Step 501: The first feature server authenticates the security of an application of the first feature terminal and sends the authenticated security to the first feature terminal for saving, where the first feature server is a server that the first feature terminal can access through an intranet.
  • The first feature server is a server accessible only to specific terminals, that is, a private cloud security system: the feature terminals that can access the private cloud security system and the server of that system are on the same intranet. In a specific implementation, the private cloud security system is mostly deployed on an enterprise intranet and can manage every terminal on that intranet.
  • The first feature terminal may request the first feature server to authenticate the security of an application when downloading, installing, starting or saving the application. Specifically, the feature identifier of the application may be sent to the first feature server; the first feature server saves the correspondence between feature identifiers and the security of applications, determines the security of the application according to the feature identifier, and sends it to the first feature terminal.
  • The feature identifier may be a hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application.
  • The security of an application includes three levels: normal, disabled and unknown. Other levels may be set according to specific requirements, which is not limited by the present invention.
  • Step 502: Receive an acquisition request of the first feature terminal for multiple change files, where a change file is used to modify the security of an application saved by the first feature terminal.
  • The security of a file changes frequently. A change to an application's security can be recorded in a change file, which is stored on the feature server according to the security of the application. The first feature terminal may request change files from the first feature server to learn of changes in the security of applications, so that the terminal uses the new file security for terminal security management.
  • Step 503: Extract multiple change files according to the acquisition request, where each change file carries a corresponding file processing level.
  • The requested change files may be extracted according to the terminal's acquisition request; for example, the change files corresponding to an application may be requested, or the change files generated within a certain period may be requested.
  • A file processing level is set separately for each change file. The file processing level may be set according to specific application requirements, for example according to the source of the change file, or according to the program type corresponding to the change file.
  • When the file processing level is set according to the source of the change file, different levels are set for changes actively made by the administrator and for changes from other sources; they may be divided into a first file processing level and a second file processing level, or into a high file processing level and a low file processing level.
  • Step 504: Classify the extracted change files according to their file processing levels, and send the change files to the first feature terminal separately according to the classification, so that the first feature terminal processes change files of different file processing levels in different processing manners.
  • The change files can be classified by file processing level, with change files of the same level grouped into one class and each class sent separately to the first feature terminal; the first feature terminal receives the change files of each class, that is, of each file processing level, separately.
  • Change files with a high file processing level and change files with a low file processing level can thus be sent separately and processed separately. When there are many change files, the higher-level change files are not held up behind the lower-level ones, which avoids the security risk of high-level change files failing to reach the terminal in time and makes the process of changing file security effective, fast and reliable.
  • Optionally, the step of sending the change files to the first feature terminal separately according to the classification may include:
  • Sub-step S41: sending change files with different file processing levels to the first feature terminal through different transmission paths.
  • When change files with different file processing levels are sent to the first feature terminal, they can be sent through different transmission paths, and the first feature terminal receives them through those different paths. Change files of different processing levels therefore do not interfere with each other in transit to the terminal, which avoids the security risk of high-level change files failing to reach the terminal in time and makes the process of changing file security effective, fast and reliable.
  • Optionally, sub-step S41 may include one of the following:
  • Sub-step S41-1: sending change files with different file processing levels to the first feature terminal through different preset ports or communication channels of the first feature server;
  • Sub-step S41-2: sending change files with different file processing levels to the first feature terminal through different preset interfaces of the first feature terminal;
  • Alternatively, sending change files with different file processing levels to different preset folders of the first feature terminal.
  • Transmitting change files of different processing levels through different transmission paths may mean sending them through different preset ports of the server, each preset port forming a different data transmission path to the first feature terminal. For example, the terminal and the server deliver change files of one processing level using the original protocol (for example HTTP, the Hypertext Transfer Protocol) and add a new change file notification protocol for delivering change files of the other processing level; the format of the new protocol can be consistent with the original. Where the file processing levels are a high level and a low level, high-level change notifications are delivered through the new notification protocol and low-level change notifications through the original notification protocol.
  • The change files may also be sent through different communication channels, with multiple communication channels constructed between the link layer of the server and the link layer of the first feature terminal for transmitting change files of different file processing levels.
  • The change files may also be sent by the server to the first feature terminal through different preset interfaces of the first feature terminal, which has several different preset interfaces, each forming a different data transmission path to the server; or different folders may be preset on the feature terminal for storing change files of different file processing levels, each folder forming a different data transmission path to the server.
  • Optionally, the step of sending the change files to the first feature terminal separately according to the classification may include:
  • Sub-step S51: sorting the extracted change files according to their file processing levels, and extracting and sending the change files to the first feature terminal one by one in the sorted order.
  • Specifically, change files with a high file processing level may be sent to the first feature terminal first: the change files are sorted by file processing level and the higher-level change files are sent first, which avoids the security risk of high-level change files failing to reach the terminal in time and makes the process of changing file security effective, fast and reliable.
  • Optionally, the step of the first feature terminal processing change files of different file processing levels in different processing manners includes:
  • Sub-step S61: the first feature terminal creates a corresponding process for the change files of each file processing level, or processes them with different threads.
  • The first feature terminal may create multiple processes, or use different threads, to handle change files of different file processing levels, so that the processing of the different levels does not interfere. Optionally, the thread handling files of a higher file processing level is given a higher processing speed than the thread handling files of a lower level, so that high-level change files are processed sooner.
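  • Steps 503 and 504 and sub-steps S41, S51 and S61 together, as an added Python example that is not code from the patent: a file processing level is assigned from the change source (administrator change versus public cloud query result), the change files are classified by level, each class is delivered on its own channel (a queue standing in for the separate port, interface or folder), the priority order of S51 is computed, and the terminal drains each channel in its own thread. The change-file fields, the two source names, the sample data and the rule that a lower-level change never overwrites a higher-level one are assumptions; the last of these is what keeps the outcome independent of thread scheduling.

```python
# Added example (not part of the patent): level by change source, classification
# by level, one delivery channel and one worker thread per level. Field names,
# sources, sample data and the "higher level wins" rule are assumptions.
import queue
import threading
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Level(IntEnum):
    SECOND = 1  # low: change produced by a public cloud security query
    FIRST = 2   # high: change actively made by the administrator


@dataclass(frozen=True)
class ChangeFile:
    seq: int        # information identifier, assigned in generation order
    source: str     # "admin" or "public_cloud" (assumed names)
    app_hash: str   # unique identification information of the application
    security: str   # new security: "normal", "disabled" or "unknown"

    @property
    def level(self) -> Level:
        return Level.FIRST if self.source == "admin" else Level.SECOND


def classify(files: Iterable[ChangeFile]) -> Dict[Level, List[ChangeFile]]:
    """Step 504: one class per file processing level, each in generation order."""
    groups: Dict[Level, List[ChangeFile]] = {lvl: [] for lvl in Level}
    for cf in sorted(files, key=lambda c: c.seq):
        groups[cf.level].append(cf)
    return groups


def priority_order(files: Iterable[ChangeFile]) -> List[int]:
    """Sub-step S51: higher level first, generation order within a level."""
    return [c.seq for c in sorted(files, key=lambda c: (-int(c.level), c.seq))]


class FirstFeatureTerminal:
    """Receives each level on its own channel and applies them in separate threads."""

    def __init__(self) -> None:
        self.channels: Dict[Level, queue.Queue] = {lvl: queue.Queue() for lvl in Level}
        self.table: Dict[str, Tuple[str, Level]] = {}  # app_hash -> (security, level)
        self.lock = threading.Lock()

    def receive(self, groups: Dict[Level, List[ChangeFile]]) -> None:
        """Sub-step S41: each class arrives through its own channel."""
        for lvl, files in groups.items():
            for cf in files:
                self.channels[lvl].put(cf)

    def _apply(self, cf: ChangeFile) -> None:
        with self.lock:
            current = self.table.get(cf.app_hash)
            # Assumed rule: a lower-level change never overwrites a higher-level
            # one, so the result does not depend on which thread runs first.
            if current is None or cf.level >= current[1]:
                self.table[cf.app_hash] = (cf.security, cf.level)

    def _drain(self, lvl: Level) -> None:
        q = self.channels[lvl]
        while True:
            try:
                cf = q.get_nowait()
            except queue.Empty:
                return
            self._apply(cf)

    def process_all(self) -> Dict[str, Tuple[str, Level]]:
        """Sub-step S61: one thread per file processing level."""
        threads = [threading.Thread(target=self._drain, args=(lvl,)) for lvl in Level]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return dict(self.table)


# Constructed change files (not real data).
SAMPLE = [
    ChangeFile(1, "public_cloud", "h-aaa", "normal"),
    ChangeFile(2, "public_cloud", "h-bbb", "disabled"),
    ChangeFile(3, "admin", "h-aaa", "disabled"),        # administrator override
    ChangeFile(4, "public_cloud", "h-aaa", "normal"),   # later cloud result
    ChangeFile(5, "admin", "h-ccc", "normal"),
]


def demo() -> Dict[str, Tuple[str, Level]]:
    terminal = FirstFeatureTerminal()
    terminal.receive(classify(SAMPLE))
    return terminal.process_all()
```

  • In demo() the later public-cloud result for h-aaa (seq 4) does not undo the administrator's decision (seq 3) whichever thread wins the race, while h-bbb, touched only by cloud results, follows the cloud verdict.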
  • Optionally, the acquisition request is generated according to the change files already present on the first feature terminal, and step 503 may further include:
  • Sub-step S71: extracting, according to the acquisition request, the change files generated after the generation time of the change files already present on the first feature terminal.
  • After receiving the acquisition request, the first feature server returns change files according to it. The terminal may already hold some of the change files, so the change files returned according to the acquisition request are those generated after the generation time of the change files the terminal already holds, that is, the newer change files. In other words, the terminal receives only the change files it does not have locally, and the change files are returned incrementally. This prevents the terminal from requesting the same change file repeatedly and downloading data it already has, and avoids wasting the bandwidth of the update server.
  • Optionally, the acquisition request carries time information that marks the generation time of the latest change file, where the latest change file is the change file, among those present on the first feature terminal, whose generation time is closest to the current time. Sub-step S71 then includes:
  • Sub-step S71-1: extracting the change files whose generation time is after the generation time marked by the time information carried in the acquisition request.
  • In the embodiment of the present invention, time information is added to the acquisition request to mark the generation time of the latest change file, which is the change file already present on the terminal whose generation time is closest to the current time. For example, if the terminal has 95 change files, the latest one can be found according to the information identifier carried in each change file, and its generation time is sent to the first feature server.
  • The change files of the first feature server carry an information identifier, which may be the number of the change file determined by the first feature server according to the order in which the change files were generated, or the generation time of the change file on the first feature server. When the information identifier is the number of the change file, it may be used directly as the time information; when the information identifier is the generation time, either the identifier itself or other information derived from the generation time of the latest change file may be used as the time information.
  • For example, if the information identifiers are numbers assigned in order of generation, such as 1, 2, 3, ... 95, the latest change file is the one with information identifier 95, and the identifier 95 is sent to the first feature server as the time information so that the server returns the change files generated after it. If the information identifier is the generation time on the first feature server, the identifier of the change file closest to the present, for example 2013-11-12-11:14, can be extracted as the time information, or other information derived from that generation time, such as the 12-digit combination 201311121114, can be sent to the first feature server.
  • Optionally, the acquisition request carries time information indicating the generation time of a change file that exists on the first feature server but not on the first feature terminal, where the time information is obtained by comparing a change file list requested from the first feature server with the change files local to the first feature terminal. Sub-step S71 then includes:
  • Sub-step S71-2: extracting the change file whose generation time is the generation time indicated by the time information carried in the acquisition request, together with the change files generated after it.
  • In the embodiment of the present invention, the first feature terminal may first request from the first feature server a list of the change files present on the first feature server; the list may include the generation times of all change files on the first feature server, or of all change files generated after a specified time. By comparing the generation time of each change file in the list with that of each change file present on the terminal, the terminal determines which change files it lacks, and from the result obtains the generation time information of a change file it does not have.
  • The specified time may be the time at which the terminal last acquired change files, and may be set according to specific application requirements.
  • For example, when the information identifier is a number, the terminal has 95 change files and the first feature server has 100; the change file list includes the generation times of the 100 change files, or of those generated after the terminal last acquired change files. The terminal compares the list with the generation times of its own change files and finds that the change files it lacks are the five with information identifiers 96 to 100; the time information can then identify the generation time of one of those five change files.
  • The first feature server may then return to the terminal the change file whose generation time is the one indicated by the time information in the acquisition request, together with the change files generated after it; in other words, the change file the terminal lacks and the other change files generated after it are returned. The number of change files returned can be set in advance, which is not limited by the present invention.
  • Optionally, the acquisition request carries time information indicating the generation time of at least one change file that exists on the first feature server but not on the first feature terminal, where the time information is obtained by comparing a change file list requested from the first feature server with the change files local to the first feature terminal. Sub-step S71 then includes:
  • Sub-step S71-3: extracting the change files whose generation time is a generation time indicated by the time information carried in the acquisition request.
  • Here the time information indicates the generation time of at least one change file the terminal lacks. For example, when the information identifier is a number, the terminal has 95 change files and the first feature server has 100; the change files the terminal lacks are the five with information identifiers 96 to 100, and the time information can identify the generation times of one or more of those five change files.
  • The first feature server may return to the terminal the change files whose generation times are the ones indicated by the time information in the acquisition request; in other words, only the change files the terminal lacks, as indicated by the time information, are returned.
  • Optionally, the acquisition request may further carry the number of change files requested, and the first feature server returns to the terminal, from the change files it found, at least one and at most that number of change files.
  • Returning change files according to the requested number means each download contains only the required files and nothing is downloaded twice, which avoids transferring a large amount of data and placing heavy load on the bandwidth of the update server.
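  • The incremental retrieval of sub-steps S71-1 to S71-3 in the 95-of-100 situation from the text, as an added Python example that is not code from the patent: the server holds 100 change files numbered in generation order, the terminal holds the first 95, and the terminal can either send its latest identifier (S71-1/S71-2) or compare a change file list with its local files and ask for exactly the missing ones (S71-3), optionally capped by a requested count. The generation times, the one-minute spacing starting at 2013-11-12 11:14, and the class and field names are assumptions for the demo; the 12-digit time form follows the text.

```python
# Added example (not part of the patent): incremental change-file retrieval
# by latest identifier and by list comparison, with an optional count limit.
# Generation times, spacing and names are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ChangeFile:
    ident: int            # information identifier, assigned in generation order
    generated: datetime   # generation time on the first feature server
    app_hash: str
    security: str


class FirstFeatureServer:
    def __init__(self, files: List[ChangeFile]) -> None:
        self.files = sorted(files, key=lambda f: f.ident)

    def change_file_list(self, since: datetime) -> Dict[int, datetime]:
        """Generation times of every change file created after `since`."""
        return {f.ident: f.generated for f in self.files if f.generated > since}

    def after(self, latest_ident: int, limit: Optional[int] = None) -> List[ChangeFile]:
        """S71-1 / S71-2: all change files generated after the identified one."""
        out = [f for f in self.files if f.ident > latest_ident]
        return out if limit is None else out[:limit]

    def exactly(self, idents: Set[int], limit: Optional[int] = None) -> List[ChangeFile]:
        """S71-3: only the change files whose identifiers are named."""
        out = [f for f in self.files if f.ident in idents]
        return out if limit is None else out[:limit]


class FirstFeatureTerminal:
    def __init__(self, files: List[ChangeFile]) -> None:
        self.files: Dict[int, ChangeFile] = {f.ident: f for f in files}
        self.last_sync: datetime = max(f.generated for f in files)

    def latest_time_info(self) -> str:
        """12-digit form of the latest local generation time, as in the text."""
        latest = max(self.files.values(), key=lambda f: f.generated)
        return latest.generated.strftime("%Y%m%d%H%M")

    def sync_by_latest(self, server: FirstFeatureServer, limit: Optional[int] = None) -> List[int]:
        """Send the latest identifier; receive everything after it."""
        got = server.after(max(self.files), limit)
        self._store(got)
        return [f.ident for f in got]

    def sync_by_list(self, server: FirstFeatureServer, limit: Optional[int] = None) -> List[int]:
        """Fetch the list since the last sync, diff it locally, ask for the gap."""
        listing = server.change_file_list(self.last_sync)
        missing = {i for i in listing if i not in self.files}
        got = server.exactly(missing, limit)
        self._store(got)
        return [f.ident for f in got]

    def _store(self, got: List[ChangeFile]) -> None:
        for f in got:
            self.files[f.ident] = f
        if got:
            self.last_sync = max(self.last_sync, max(f.generated for f in got))


def build() -> Tuple[FirstFeatureServer, FirstFeatureTerminal]:
    """Server with change files 1..100, terminal holding 1..95 (constructed)."""
    start = datetime(2013, 11, 12, 11, 14)  # generation time quoted in the text
    all_files = [
        ChangeFile(i, start + timedelta(minutes=i - 1), f"h{i:03d}", "disabled")
        for i in range(1, 101)
    ]
    return FirstFeatureServer(all_files), FirstFeatureTerminal(all_files[:95])
```

  • Both request forms converge on the same five files, 96 to 100; the count limit lets a terminal pull them in smaller batches, and a repeated sync after everything has arrived returns nothing, which is the "no repeated download" property the text is after.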
  • In the embodiment of the present invention, the change files are sent to the first feature terminal separately according to their classification, and the first feature terminal processes change files of different file processing levels in different manners. Change files with a high file processing level and those with a low file processing level can be sent separately according to level and processed separately, so that when there are many change files, the processing of lower-level change files does not affect the transmission of higher-level ones. This avoids the security risk of higher-level change files failing to reach the terminal in time and makes the process of changing file security effective, fast and reliable.
  • FIG. 6 a flowchart of a method for changing the security of an application according to another embodiment of the present invention is shown.
  • Step 601 The first feature server authenticates the security of the application of the first feature terminal, and sends the authenticated security to the feature terminal for saving, where the first feature server is the first The server that the feature terminal can access through the intranet.
  • Step 602 The first feature server generates the change file, and adds a file processing level to the change file according to the change source, where the change file is used for an application saved by the first feature terminal. Security is corrected, the file processing level including a first file processing level and a second file processing level.
  • the file processing level is divided into two according to the source of the change: the first file processing level and the second file processing level. The change source corresponding to the first file processing level may be a change actively made by the administrator on the server; the change source corresponding to the second file processing level may be a change made after the public cloud security system is queried for security offline or online, that is, a file security change caused by offline query tool import or by a file proxy query. The first file processing level is higher than the second file processing level.
  • in an embodiment, step 602 may include:
  • Sub-step S81: receiving the modified security submitted for the application on the first feature server, and generating, according to the modified security, a change file that corrects the security authenticated by the first feature server and saved by the feature terminal.
  • the security of the application may be modified on the first feature server; after receiving the modified security, the server generates a change file according to it to change the security of the application. Since the source of the change is a change submitted on the server, the first file processing level is added to the generated change file.
  • in another embodiment, step 602 includes:
  • Sub-step S82: the first feature server requests the second feature server to authenticate the security of the application, where the second feature server is a server accessible through the Internet;
  • Sub-step S83: generating, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and saved by the feature terminal, where the change file carries the second file processing level.
  • after the first feature terminal requests the first feature server to authenticate the security of the application, when the authentication result is unknown security, the first feature server may further request the second feature server to authenticate the security of the application.
  • the second feature server is a server accessible through the Internet, that is, the public cloud security system. For example, in the initial stage of deployment of the private cloud security system, the first feature terminal reports a large number of files to the first feature server, and the first feature server accumulates a large number of files whose security level is unknown.
  • the second feature server may then be requested to authenticate the security of these applications. Since the authentication result of the first feature server is unknown security, a change file that corrects the application security can be generated according to the security authenticated by the second feature server. Since the source of the change is a file security change caused by a file proxy query, the second file processing level is added to the change file.
  • in a further embodiment, step 602 includes:
  • Sub-step S84: the first feature server, through the first feature terminal, connects to the second feature server to authenticate the security of the application, where the second feature server is a server accessible through the Internet;
  • Sub-step S85: generating, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and saved by the first feature terminal, where the change file carries the second file processing level.
  • the second feature server can also be queried for the security of the application in an offline manner. For example, in the initial stage of deployment, the first feature terminal reports a large number of files to the first feature server, which accumulates a large number of files whose security level is unknown. The list of applications of unknown security can be exported through an offline query tool, and a first feature terminal connected to the Internet then performs the file cloud security query, that is, the first feature terminal requests the second feature server to authenticate the security of the applications over the Internet; the query result is then imported through the offline query tool into the first feature server of the private cloud security system. Since the source of the change is a file security change caused by the offline query tool import, the second file processing level is added to the change file.
  • a security policy adjusted by the administrator is an important or emergency measure and has a higher priority than file security changes caused by offline query tool import or file proxy query; such changes must be delivered to the terminal quickly and reliably to help enterprise users reduce security risks.
  • a corresponding file processing level can therefore be set for changes from different sources.
  • a file security change caused by the administrator directly modifying the security of an application on the first feature server corresponds to the first file processing level, and a file security change caused by offline query tool import or file proxy query corresponds to the second file processing level, so that change files from different sources are sent to the terminal separately and a change file of the second file processing level does not affect the sending of a change file of the first file processing level.
  • in an embodiment, the extracted change files are sorted according to their file processing level and sent to the feature terminal one by one in that order. Since the first file processing level is higher than the second, change files of the first file processing level are sent to the terminal preferentially, so the administrator's changes to applications are prioritized.
  • in an embodiment, two different processes may be created, or two different threads used, to process the two levels of change files.
  • the processing speed of the thread corresponding to the first file processing level may be higher than that of the thread corresponding to the second file processing level, so that changes made by the administrator on the first feature server are issued quickly and the security of a file is changed to disabled or released in time.
  • Step 603: receiving an acquisition request of the first feature terminal for multiple change files.
  • Step 604: extracting multiple change files according to the acquisition request, where each change file carries a corresponding file processing level.
  • Step 605: classifying the extracted change files according to their file processing levels, and sending the change files to the first feature terminal according to the classification, so that the first feature terminal processes change files of different file processing levels in different manners.
  • the first feature server classifies the change files requested by the feature terminal according to their file processing levels and sends them to the feature terminal according to the classification, and the feature terminal processes change files of different file processing levels in different manners.
  • change files with a high file processing level and those with a low file processing level can thus be sent separately according to level and processed by different methods, so that when a large number of change files accumulate, a change file of lower processing level does not delay the sending of a change file of higher processing level, and the security risk caused by a higher-level change file not reaching the terminal in time is avoided, making the file security change process effective, fast and reliable.
  • FIG. 7 is a block diagram of a device for changing the security of an application according to an embodiment of the present invention.
  • the security authentication module 701 is configured for the first feature server to authenticate the security of an application of the first feature terminal and send the authenticated security to the first feature terminal for saving, where the first feature server is a server accessible by the first feature terminal through the intranet;
  • the change acquisition request 702 is configured to receive an acquisition request of the first feature terminal for multiple change files, where a change file is used to correct the security of an application saved by the first feature terminal;
  • the file extraction module 703 is configured to extract multiple change files according to the acquisition request, where each change file carries a corresponding file processing level;
  • the file classification module 704 is configured to classify the extracted change files according to their file processing levels;
  • the file sending module 705 is configured to send the change files to the first feature terminal according to the classification, so that the first feature terminal processes change files of different file processing levels in different manners.
  • in an embodiment, the file sending module is configured to send change files with different file processing levels to the first feature terminal through different transmission paths.
  • in an embodiment, the file sending module includes:
  • a first sending submodule configured to send change files with different file processing levels to the first feature terminal through different preset ports or communication channels of the first feature server;
  • a second sending submodule configured to send change files with different file processing levels to the first feature terminal through different preset interfaces of the first feature terminal;
  • a third sending submodule configured to send change files with different file processing levels to different preset folders of the first feature terminal.
  • in an embodiment, the file sending module is configured to sort the extracted change files according to their file processing levels, and to extract the change files one by one in that order and send them to the first feature terminal.
  • in an embodiment, the file extraction module is configured to extract, according to the acquisition request, change files generated after the generation time of a change file that already exists on the feature terminal.
  • in an embodiment, the acquisition request carries time information marking the generation time of the most recent change file, where the most recent change file is the change file, among those already existing on the first feature terminal, whose generation time is closest to the current time;
  • the file extraction module includes:
  • a first extraction submodule configured to extract the change files generated after the generation time indicated by the time information carried in the acquisition request.
  • in an embodiment, the acquisition request carries time information marking the generation time of a change file that exists on the first feature server but does not exist on the first feature terminal, where the time information is obtained by comparing a change file list requested from the first feature server with the change files local to the first feature terminal;
  • the file extraction module includes:
  • a second extraction submodule configured to extract the change file generated at the generation time indicated by the time information carried in the acquisition request, together with the change files generated after that generation time.
  • in an embodiment, the acquisition request carries time information marking the generation time of at least one change file that exists on the first feature server but does not exist on the first feature terminal,
  • where the time information is obtained by comparing a change file list requested from the first feature server with the change files local to the first feature terminal;
  • the file extraction module includes:
  • a third extraction submodule configured to extract the change file generated at each generation time indicated by the time information carried in the acquisition request.
  • in an embodiment, the security of the application includes three levels: normal, disabled, and unknown.
  • the first feature server classifies the change files requested by the feature terminal according to their file processing levels, sends them to the feature terminal according to the classification, and the feature terminal processes change files of different file processing levels in different manners.
  • change files with a high file processing level and those with a low file processing level can thus be sent separately according to level and processed by different methods, so that when a large number of change files accumulate, a change file of lower processing level does not delay the sending of a change file of higher processing level, and the security risk caused by a higher-level change file not reaching the terminal in time is avoided, making the file security change process effective, fast and reliable.
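The following is an added example, not code from the patent or from the applicant, that models in memory the change-file pipeline described for FIG. 6 (steps 601 to 605, sub-steps S81 to S85) and the time-information based extraction submodules of FIG. 7. The class names, the "admin" / "proxy_query" / "offline_import" source strings, the SHA-like "hash-x" identifiers and the integer counter standing in for a generation timestamp are assumptions made for this example; the patent text does not specify them.

```python
# Added example (not code from the patent): an in-memory model of the change-file
# pipeline of FIG. 6 and FIG. 7. The class names, the "source" strings and the
# integer generation-time counter are assumptions made for this example.
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

NORMAL, DISABLED, UNKNOWN = "normal", "disabled", "unknown"  # the three security levels

FIRST_LEVEL = 1   # administrator changed the security directly on the server (urgent)
SECOND_LEVEL = 2  # public-cloud result via file proxy query or offline tool import


@dataclass(frozen=True)
class ChangeFile:
    gen_time: int   # generation time; a counter stands in for a timestamp here
    app_id: str     # unique identifier of the application (assumed: a file hash)
    security: str   # corrected security: NORMAL, DISABLED or UNKNOWN
    level: int      # FIRST_LEVEL or SECOND_LEVEL, derived from the change source
    source: str     # "admin", "proxy_query" or "offline_import"


class FirstFeatureServer:
    """Intranet server that generates change files and serves them on request."""

    def __init__(self) -> None:
        self._clock = itertools.count(1)
        self.changes: List[ChangeFile] = []
        self.security: Dict[str, str] = {}  # local authentication database

    def _emit(self, app_id: str, security: str, source: str) -> ChangeFile:
        # Step 602: the file processing level follows from the change source.
        level = FIRST_LEVEL if source == "admin" else SECOND_LEVEL
        cf = ChangeFile(next(self._clock), app_id, security, level, source)
        self.changes.append(cf)
        self.security[app_id] = security
        return cf

    def authenticate(self, app_id: str) -> str:
        return self.security.get(app_id, UNKNOWN)

    def admin_modify(self, app_id: str, security: str) -> ChangeFile:
        """Sub-step S81: the administrator modifies the security on the server."""
        return self._emit(app_id, security, "admin")

    def proxy_query(self, app_id: str, cloud: Callable[[str], str]) -> ChangeFile:
        """Sub-steps S82/S83: ask the second feature server (public cloud) online."""
        return self._emit(app_id, cloud(app_id), "proxy_query")

    def import_offline(self, results: Iterable[Tuple[str, str]]) -> List[ChangeFile]:
        """Sub-steps S84/S85: import the results of the offline query tool."""
        return [self._emit(app_id, sec, "offline_import") for app_id, sec in results]

    def extract(self, after: Optional[int] = None, at: Iterable[int] = ()) -> List[ChangeFile]:
        """Step 604: files generated after `after` (first submodule) or exactly at
        the times in `at` (third submodule); both may be combined (second submodule)."""
        wanted = set(at)
        return [cf for cf in self.changes
                if (after is not None and cf.gen_time > after) or cf.gen_time in wanted]

    @staticmethod
    def classify(files: Iterable[ChangeFile]) -> Dict[int, List[ChangeFile]]:
        """Step 605: group by file processing level, each group in generation order."""
        groups: Dict[int, List[ChangeFile]] = {}
        for cf in sorted(files, key=lambda c: c.gen_time):
            groups.setdefault(cf.level, []).append(cf)
        return groups


class FirstFeatureTerminal:
    """Intranet endpoint that pulls change files and corrects its saved security."""

    def __init__(self) -> None:
        self.security: Dict[str, str] = {}
        self.have: List[int] = []     # generation times of change files already present

    def latest_time(self) -> int:
        return max(self.have, default=0)

    def missing_times(self, server_list: Iterable[int]) -> List[int]:
        """Compare the server's change file list with the local files."""
        return sorted(set(server_list) - set(self.have))

    def pull(self, server: FirstFeatureServer, missing: Iterable[int] = ()) -> List[ChangeFile]:
        classified = server.classify(server.extract(after=self.latest_time(), at=missing))
        # The higher level (smaller number) is applied first, as if it travelled on
        # its own faster channel; nothing in the level-2 backlog can hold it back.
        ordered = [cf for level in sorted(classified) for cf in classified[level]]
        for cf in ordered:
            self.security[cf.app_id] = cf.security
            self.have.append(cf.gen_time)
        return ordered


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Constructed scenario: a backlog of cloud results, then one urgent admin change."""
    server, terminal = FirstFeatureServer(), FirstFeatureTerminal()
    cloud = lambda h: {"hash-a": NORMAL, "hash-b": DISABLED}.get(h, UNKNOWN)
    server.proxy_query("hash-a", cloud)                                # level 2, t=1
    server.import_offline([("hash-b", DISABLED), ("hash-c", NORMAL)])  # level 2, t=2,3
    server.admin_modify("hash-d", DISABLED)                            # level 1, t=4
    ordered = terminal.pull(server)
    return [cf.app_id for cf in ordered], dict(terminal.security)


if __name__ == "__main__":
    print(demo())  # hash-d is delivered first although it was generated last
```

In `demo()` the administrator's "disabled" verdict for `hash-d` is generated after three level-2 results yet reaches the terminal first, which is the property the text argues for; `extract(at=...)` together with `missing_times()` covers the case where the terminal has a gap in its local change files rather than simply lagging behind.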
  • FIG. 8 is a block diagram of a device for changing the security of an application according to an embodiment of the present invention.
  • the security authentication module 801 is configured for the first feature server to authenticate the security of an application of the first feature terminal and send the authenticated security to the first feature terminal for saving, where the first feature server is a server accessible by the first feature terminal through the intranet;
  • the change file generating module 802 is configured for the first feature server to generate the change file, where the change file carries a file processing level that includes a first file processing level and a second file processing level;
  • the change acquisition request 803 is configured to receive an acquisition request of the first feature terminal for multiple change files, where a change file is used to correct the security of an application saved by the first feature terminal;
  • the file extraction module 804 is configured to extract multiple change files according to the acquisition request, where each change file carries a corresponding file processing level;
  • the file classification module 805 is configured to classify the extracted change files according to their file processing levels;
  • the file sending module 806 is configured to send the change files to the first feature terminal according to the classification, so that the first feature terminal processes change files of different file processing levels in different manners.
  • in an embodiment, the first file processing level is higher than the second file processing level, and when the change file carries the first file processing level, the change file generating module may include:
  • a security receiving submodule configured to receive the modified security submitted for the application on the first feature server;
  • a first file generating submodule configured to generate, according to the modified security, a change file that corrects the security authenticated by the first feature server and saved by the first feature terminal, where the change file carries the first file processing level.
  • in an embodiment, the first file processing level is higher than the second file processing level, and when the change file carries the second file processing level, the change file generating module may include:
  • a first authentication request submodule configured for the first feature server to request the second feature server to authenticate the security of the application, where the second feature server is a server accessible through the Internet;
  • a second file generating submodule configured to generate, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and saved by the first feature terminal, where the change file carries the second file processing level.
  • in an embodiment, the change file generating module may include:
  • a second authentication request submodule configured for the first feature server to authenticate the security of the application by connecting to the second feature server through the first feature terminal, where the second feature server is a server accessible through the Internet;
  • a third file generating submodule configured to generate, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and saved by the first feature terminal, where the change file carries the second file processing level.
  • in an embodiment, the file sending module may be specifically configured to send the change files to the first feature terminal according to the classification, so that the first feature terminal creates different processes, or uses different threads, to process change files of different file processing levels.
  • the processing speed of the thread corresponding to change files with a higher file processing level is higher than that of the thread corresponding to change files with a lower file processing level.
  • the first feature server classifies the change files requested by the feature terminal according to their file processing levels, sends them to the feature terminal according to the classification, and the feature terminal processes change files of different file processing levels in different manners.
  • change files with a high file processing level and those with a low file processing level can thus be sent separately according to level and processed by different methods, so that when a large number of change files accumulate, a change file of lower processing level does not delay the sending of a change file of higher processing level, and the security risk caused by a higher-level change file not reaching the terminal in time is avoided, making the file security change process effective, fast and reliable.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • all features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • Those skilled in the art will appreciate that some or all of the functionality of some or all of the components of the authentication device for application security in accordance with embodiments of the present invention may be implemented in practice using a microprocessor or digital signal processor (DSP).
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 9 shows a terminal device that can implement an authentication method of application security according to the present invention.
  • the terminal device conventionally includes a processor 910 and a program product or readable medium in the form of a memory 920.
  • Memory 920 can be an electronic memory such as a flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, or ROM.
  • Memory 920 has a storage space 930 for program code 931 configured to perform any of the method steps described above.
  • the storage space 930 for program code can include various program codes 931, each configured to implement a respective step of the above methods.
  • These program codes can be read from or written to one or more program products.
  • These program products include program code carriers such as memory cards.
  • Such a program product is typically a portable or fixed storage unit as described with reference to FIG.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 920 in the terminal device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes readable code 931', i.e. code readable by a processor such as 910, which, when executed by the terminal device, causes the terminal device to perform the steps of the methods described above.

Abstract

A method and device for identifying security of an application process. The method comprises: a feature server end receives an identification request of a first feature terminal with respect to the security of an application process (101); an acquisition request for an executable file corresponding to the application process is transmitted to at least one second feature terminal, where the acquisition request carries unique identification information of the application process, the executable file records operational behaviors of the application process when running, and the feature server end is a service end for intranet-based security management for the first feature terminal and for the second feature terminal (102); and the executable file corresponding to the application process is found on the basis of the unique identification information, and the security of the application process is identified according to the executable file (103). This obviates the need for a terminal to upload the executable files of every application process of unknown security; uploading is done only when needed, thus conserving network bandwidth and server disk space.

Description

Method and device for identifying application security
Technical field
The present invention relates to Internet technologies, and in particular to an authentication method for application security and an authentication device for application security.
Background
Cloud is a metaphor for the Internet and networks; it represents an abstraction of the Internet and the underlying infrastructure. Cloud security systems can be roughly divided into public cloud security systems and private cloud security systems.
A public cloud security system usually refers to a cloud security system through which a third-party provider, using its own infrastructure, provides services directly to external users. A private cloud security system is deployed in a private environment, for example built by an enterprise, government or other organization in its own equipment room, or built by an operator and leased as a whole to one organization; users outside the organization cannot access or use it. Because a private cloud security system is built for the exclusive use of one organization, it can provide the most effective control over data, security and quality of service.
A private cloud security system is suited to a fully enclosed enterprise intranet environment and consists of multiple terminals and a server that manages the terminals. A terminal can upload the identifier of an application to be authenticated to the server; the server authenticates the security of the application according to the correspondence between program identifiers and their security stored in a local security authentication database, and returns the authentication result to the terminal, thereby achieving security management of the terminals.
The problems in the above prior art are:
The security authentication database of the private cloud security system is updated from the public cloud security system and may be unable to authenticate certain programs specific to the enterprise intranet. In that case the server needs to obtain further files of the program from the terminal as the basis for security authentication; if the related files of the program have for some reason been lost on the original terminal (for example, some virus files delete all of their related files after running), the program cannot be authenticated.
Summary of the invention
In view of the above problems, the present invention is proposed to provide an authentication method for application security and an authentication device for application security that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, an authentication method for application security is provided, including:
a feature server receives an authentication request of a first feature terminal for the security of an application;
sending, to at least one second feature terminal, an acquisition request for an executable file corresponding to the application, where the acquisition request carries unique identification information of the application, the executable file records the operational behavior of the application at run time, and the feature server is a server that performs intranet-based security management of the first feature terminal and the second feature terminal;
searching for the executable file corresponding to the application according to the unique identification information, and authenticating the security of the application according to the executable file.
The present invention further provides a method for changing the security of an application, including:
a first feature server authenticates the security of an application of a feature terminal and sends the authenticated security to the feature terminal for saving, where the first feature server is a server accessible by the feature terminal through the intranet;
receiving an acquisition request of the feature terminal for multiple change files, where a change file is used to correct the security of an application saved by the feature terminal;
extracting multiple change files according to the acquisition request, where each change file carries a corresponding file processing level;
classifying the extracted change files according to their file processing levels, and sending the change files to the feature terminal according to the classification, so that the feature terminal processes change files of different file processing levels in different manners.
According to another aspect of the present invention, an authentication method for application security is provided, including:
a second feature terminal receives an acquisition request, sent by the feature server, for an executable file corresponding to an application, where the acquisition request is sent after the feature server receives an authentication request of a first feature terminal for the security of the application and carries unique identification information of the application, the executable file records the operational behavior of the application at run time, and the feature server is a server that performs intranet-based security management of the first feature terminal and the second feature terminal;
searching locally for the executable file corresponding to the application according to the unique identification information, and sending the executable file to the feature server so that the security of the application is authenticated according to the executable file.
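The following is an added example, not code from the patent or from the applicant, that plays out the executable file acquisition exchange summarised above (steps 101 to 103 of the abstract) between the feature server, the requesting first feature terminal and the answering second feature terminals, including the background case where the requesting terminal has already lost the file. The patent does not say what the unique identification information is, how behaviours are recorded, or how a verdict is derived from the file; the SHA-256 content hash, the tuple of behaviour names and the rule that any listed suspicious behaviour yields "disabled" are assumptions made for this example.

```python
# Added example (not code from the patent): a message-level model of the
# executable file acquisition exchange of the abstract (steps 101-103). The
# SHA-256 unique identifier, the recorded-behaviour tuple and the rule mapping
# behaviours to a verdict are assumptions made for this example.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

NORMAL, DISABLED, UNKNOWN = "normal", "disabled", "unknown"


def unique_id(content: bytes) -> str:
    """Assumed unique identification information: SHA-256 of the file content."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Executable:
    content: bytes
    behaviors: Tuple[str, ...]  # operational behaviours recorded at run time (assumed format)


class FeatureTerminal:
    """Intranet endpoint; acts as first terminal (asks) or second terminal (answers)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.files: Dict[str, Executable] = {}

    def install(self, exe: Executable) -> str:
        uid = unique_id(exe.content)
        self.files[uid] = exe
        return uid

    def delete(self, uid: str) -> None:
        self.files.pop(uid, None)

    def handle_acquisition(self, request: Dict[str, str]) -> Optional[Executable]:
        """Second-terminal side: look the file up locally by its unique id."""
        return self.files.get(request["unique_id"])


class FeatureServer:
    """Intranet server managing the terminals; keeps the local authentication database."""

    # Assumed rule: any of these recorded behaviours marks the process as disabled.
    SUSPICIOUS = frozenset({"self_delete", "write_autorun", "inject_remote_thread"})

    def __init__(self, terminals: Sequence[FeatureTerminal]) -> None:
        self.terminals = list(terminals)
        self.db: Dict[str, str] = {}
        self.requests: List[Tuple[str, str]] = []  # (terminal name, uid) requests sent

    def authenticate(self, requester: FeatureTerminal, uid: str) -> str:
        # Step 101: authentication request from the first terminal; answer from the
        # local database when possible so that no executable has to be fetched.
        if uid in self.db:
            return self.db[uid]
        # Step 102: send the acquisition request, carrying only the unique id, to
        # the other terminals; the first one that still holds the file answers.
        request = {"type": "acquire_executable", "unique_id": uid}
        exe = None
        for terminal in self.terminals:
            if terminal is requester:
                continue  # the requester may already have lost the file (self-deleting malware)
            self.requests.append((terminal.name, uid))
            exe = terminal.handle_acquisition(request)
            if exe is not None:
                break
        if exe is None or unique_id(exe.content) != uid:
            # Step 103 precondition: never trust a returned file whose id does not match.
            return UNKNOWN
        verdict = DISABLED if self.SUSPICIOUS & set(exe.behaviors) else NORMAL
        self.db[uid] = verdict
        return verdict


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: malware self-deleted on t1, but t2 still has a copy."""
    t1, t2, t3 = FeatureTerminal("t1"), FeatureTerminal("t2"), FeatureTerminal("t3")
    server = FeatureServer([t1, t2, t3])
    malware = Executable(b"MZ\x90\x00dropper", ("self_delete", "write_autorun"))
    tool = Executable(b"MZ\x90\x00inhouse-tool", ("read_config",))
    for t in (t1, t2, t3):
        t.install(tool)
    mid = t1.install(malware)
    t2.install(malware)
    t1.delete(mid)  # the sample removed itself after running on t1
    return (server.authenticate(t1, mid),
            server.authenticate(t1, unique_id(tool.content)),
            server.authenticate(t1, unique_id(b"never seen on the intranet")))


if __name__ == "__main__":
    print(demo())
```

The server recomputes the identifier of whatever a second terminal returns and compares it with the identifier it asked for: an answering terminal is just another intranet host, and without that check a compromised or buggy terminal could feed the server a benign file under a malicious file's identifier and have the verdict cached as "normal" for the whole intranet.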
According to another aspect of the present invention, an authentication device for application security is provided, including:
a program authentication request module, configured for the feature server to receive an authentication request of a first feature terminal for the security of an application;
a first executable file request module, configured to send, to at least one second feature terminal, an acquisition request for an executable file corresponding to the application, where the acquisition request carries unique identification information of the application, the executable file records the operational behavior of the application at run time, and the feature server is a server that performs intranet-based security management of the first feature terminal and the second feature terminal;
an executable file receiving module, configured to search for the executable file corresponding to the application according to the unique identification information;
a first security authentication module, configured to authenticate the security of the application according to the executable file.
The present invention further provides a device for changing the security of an application, including:
a security authentication module, configured for the first feature server to authenticate the security of an application of a feature terminal and send the authenticated security to the feature terminal for saving, where the first feature server is a server accessible by the feature terminal through the intranet;
a change acquisition request, configured to receive an acquisition request of the feature terminal for multiple change files, where a change file is used to correct the security of an application saved by the feature terminal;
a file extraction module, configured to extract multiple change files according to the acquisition request, where each change file carries a corresponding file processing level;
a file classification module, configured to classify the extracted change files according to their file processing levels;
a file sending module, configured to send the change files to the feature terminal according to the classification, so that the feature terminal processes change files of different file processing levels in different manners.
根据本发明的另一个方面,提供了一种应用程序安全性的鉴定装置,包括:According to another aspect of the present invention, an apparatus for authenticating application security is provided, including:
获取请求接收模块,用于第二特征终端接收特征服务端发送的对应用程序对应的可执行文件的获取请求,所述获取请求在所述特征服务端接收第一特征终端对所述应用程序的安全性的鉴定请求之后发送,所述获取请求携带所述应用程序的唯一标识信息,其中,所述可执行文件记录所述应用程序运行时的操作行为,所述特征服务端为基于内网对所述第一特征终端和第二特征终端进行安全管理的服务端;Obtaining a request receiving module, configured to receive, by the second feature terminal, an acquisition request for an executable file corresponding to the application sent by the feature server, where the obtaining request receives, by the feature server, the first feature terminal to the application After the authentication request is sent, the obtaining request carries unique identification information of the application, wherein the executable file records an operation behavior of the application when the application is running, and the feature server is based on an intranet pair The first feature terminal and the second feature terminal perform a security management server;
可执行文件查找模块,用于依据所述唯一标识信息在本地查找所述应用程序对应的可执行文件,并将所述可执行文件发送到所述特征服务端,以按照所述可执行文件对所述应用程序的安全性进行鉴定。An executable file searching module, configured to locally search for an executable file corresponding to the application according to the unique identifier information, and send the executable file to the feature server to follow the executable file pair The security of the application is authenticated.
本发明提供了一种程序,包括可读代码,当所述可读代码在终端设备上运行时,导致所述终端设备执行所述的应用程序安全性的鉴定方法。The present invention provides a program comprising readable code that, when executed on a terminal device, causes the terminal device to perform the method of authenticating the application security.
本发明提供了一种可读介质,其中存储了所述的程序。The present invention provides a readable medium in which the program is stored.
依据本发明实施例,在接收到第一特征终端对应用程序安全性的鉴定请求后,向第二特征终端请求获取应用程序的可执行文件,以按照可执行文件对应用程序的安全性进行鉴定,从而在第一特征终端的可执行文件丢失的情况下,还可以在不同于第一特征终端的第二特征终端上查找该可执行文件。According to the embodiment of the present invention, after receiving the authentication request of the first feature terminal for the application security, the second feature terminal is requested to acquire the executable file of the application program to identify the security of the application according to the executable file. Thus, in the case where the executable file of the first feature terminal is lost, the executable file can also be searched for on the second feature terminal different from the first feature terminal.
依据本发明实施例,并非终端主动上传可执行文件,而是在需要进一步由服务端主动向终端请求可执行文件,因此,终端无需上传所有未知安全性的应用程序的可执行文件,仅仅在需要时上传,节省了网络带宽资源和服务器的磁盘空间。According to the embodiment of the present invention, the terminal does not actively upload the executable file, but needs to further request the executable file from the server to the terminal. Therefore, the terminal does not need to upload the executable file of all the unknown security applications, only when needed. When uploading, it saves network bandwidth resources and server disk space.
上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的技术手段,而可依照说明书的内容予以实施,并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂,以下特举本发明的具体实施方式。The above description is only an overview of the technical solutions of the present invention, and the above-described and other objects, features and advantages of the present invention can be more clearly understood. Specific embodiments of the invention are set forth below.
DRAWINGS
Various other advantages and benefits will become apparent to those of ordinary skill in the art from the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
FIG. 1 shows a flowchart of a method for authenticating the security of an application according to an embodiment of the present invention;
FIG. 2 shows a flowchart of a method for authenticating the security of an application according to another embodiment of the present invention;
FIG. 3 shows a block diagram of an apparatus for authenticating the security of an application according to an embodiment of the present invention;
FIG. 4 shows a block diagram of an apparatus for authenticating the security of an application according to another embodiment of the present invention;
FIG. 5 shows a flowchart of a method for changing the security of an application according to an embodiment of the present invention;
FIG. 6 shows a flowchart of a method for changing the security of an application according to another embodiment of the present invention;
FIG. 7 shows a block diagram of an apparatus for changing the security of an application according to an embodiment of the present invention;
FIG. 8 shows a block diagram of an apparatus for changing the security of an application according to another embodiment of the present invention;
FIG. 9 shows a block diagram of a server configured to perform the method according to the present invention; and
FIG. 10 shows a storage unit configured to hold or carry program code that implements the method according to the present invention.
DETAILED DESCRIPTION
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
Embodiments of the present invention may be applied to a computer system/server that can operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and the like.
The computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and the like that perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media including storage devices.
Referring to FIG. 1, a flowchart of a method for authenticating the security of an application according to an embodiment of the present invention is shown, which may specifically include:
Step 101: A first feature server receives an authentication request from a first feature terminal concerning the security of an application.
The first feature server is a server accessible to specific terminals, i.e., a private cloud security system. Private cloud security systems are mostly deployed in enterprise intranets and can manage each terminal within the intranet. The specific terminals that can access the private cloud security system are on the same intranet as the first feature server. In the embodiments of the present invention, the terms first feature terminal and second feature terminal distinguish two different specific terminals; that is, the second feature terminal and the first feature terminal are two different terminals on the same intranet, and both can access the first feature server over the intranet.
The first feature terminal may send an authentication request for an application to the first feature server, asking the first feature server to authenticate the security of the application. In the embodiments of the present invention, the application may be one that the first feature terminal is downloading, installing or launching, or one it has stored.
Specifically, the first feature terminal may request the first feature server to authenticate the security of an application in several scenarios: when it downloads the application; when the application needs to be installed; when the application is launched, for instance by clicking its shortcut or program file; or, where the first feature terminal stores multiple applications locally, at a certain frequency for the stored applications.
Step 102: Send, to at least one second feature terminal, an acquisition request for the executable file corresponding to the application, the acquisition request carrying the unique identification information of the application, where the executable file records the operation behavior of the application at run time, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal over an intranet.
In the embodiments of the present invention, after the authentication request sent by the first feature terminal is received, the executable file corresponding to the application is further requested so that its security can be authenticated according to the executable file. For various reasons it frequently happens that the executable file of the application has been lost on the original terminal. To address this, the embodiments of the present invention propose searching the whole local area network for the original file, that is, requesting the executable file from second feature terminals other than the first feature terminal.
The executable file is a file that records the operation behavior of the application at run time. It may be the application file itself or part of the information in the application file, or another file that characterizes the operation behavior of the application at run time. The application file is a portable executable (PE) file. PE files are program files on the Microsoft Windows operating system; common EXE, DLL, OCX, SYS and COM files are all PE files, and every application has a corresponding PE file.
In the embodiments of the present invention, the acquisition request for the executable file of the application may be sent to one or more second feature terminals. When the request is sent to a single second feature terminal, that terminal may not have the executable file either, and the request would have to be sent again; the preferred approach is therefore to send the acquisition request to multiple second feature terminals.
In the embodiments of the present invention, the unique identification information is the hash value of the executable file of the application, or the digital certificate information that uniquely identifies the publisher of the application.
Specifically, a PE file consists of structures such as the MS-DOS executable stub, the file header, the optional header, the data directories, the section headers and the sections. In the present invention, the keywords of the structures in the file header of a PE file can be used as preset keywords to determine whether each file belonging to the application is an application file. The unique HASH (hash) value of the executable file can then be computed with the MD5 algorithm (Message Digest Algorithm 5). A typical use of MD5 is to produce a message digest for a message, so that a large body of information is "compressed" into a confidential format before it is signed with a private key by digital signature software; that is, a byte string of arbitrary length is transformed into a hexadecimal string of fixed length, which ensures that the information is transmitted completely and consistently and prevents tampering.
For example, the unique 32-character HASH value of the executable file WINWORD.EXE computed with the MD5 algorithm is 54525786F76E6CD2BA29E2B7B1B28939.
Of course, it is also feasible for those skilled in the art to compute the hash value of the executable file with other algorithms according to the actual situation, for example SHA-1, RIPEMD and Haval; the present application need not be limited in this respect.
In the embodiments of the present invention, the unique identification information may also be the digital certificate information that uniquely identifies the publisher of the application. Digital certificate information is part of a digital signature. A digital signature uses digital certificate information to identify the publisher of the software, and uses a code signing certificate issued by a root certification authority trusted by Windows to sign the software code digitally, thereby guaranteeing that the software code comes from the genuine publisher and has not been tampered with. The digital certificate information of different application publishers differs, so the digital certificate information uniquely identifies the publisher of an application.
In other words, the digital signature consists of the encrypted hash value of the application's executable file together with the digital certificate information of the publisher. For example, the publisher's digital certificate information contained in the digital signature of the executable file WINDOW.EXE is Microsoft Code Signing PCA.
Step 103: Look up the executable file corresponding to the application according to the unique identification information, and authenticate the security of the application according to the executable file.
When the unique identification information is the hash value of the application's executable file, it uniquely identifies the application, and the corresponding application can be determined uniquely from it. When the unique identification information is the digital certificate information that uniquely identifies the publisher of the application, the corresponding application can also be determined uniquely from it, provided that only one application from that publisher exists in the private cloud security system. When the application exists on the second feature terminal, the corresponding application is determined from the unique identification information, the corresponding executable file is located, and that executable file is returned to the feature server for security authentication.
In a specific implementation, the security of the application may be determined by analyzing the executable file, or the executable file may be uploaded to the server side of a public cloud security system for further analysis. Any analysis method of the prior art may be used; the present invention is not limited in this respect.
According to the embodiments of the present invention, after the authentication request from the first feature terminal concerning the security of the application is received, the executable file of the application is requested from the second feature terminal so that the security of the application can be authenticated according to the executable file. Thus, when the executable file on the first feature terminal has been lost, the executable file can still be sought as widely as possible within the intranet on second feature terminals different from the first feature terminal, avoiding file loss as far as possible. Moreover, because the terminal does not upload executable files on its own initiative but the server requests the executable file from the terminal only when it is further needed, the terminal need not upload the executable files of every application of unknown security, but only when required, which saves network bandwidth and server disk space.
In the embodiments of the present invention, further preferably, the step of authenticating the security of the application according to the executable file may specifically include:
Sub-step S11: Authenticate the security of the application by analyzing whether the run-time operation behavior of the application recorded in the executable file exhibits target behavior features, the target behavior features being the run-time behavior features of virus files.
Virus files share some destructive operation behaviors at run time, for example repeatedly copying code, rewriting system files, and sending data to the outside world over the network.
The most basic action in virus activity is self-replication: attaching the virus code to other uninfected program files or other files involved in computer execution, or copying it to critical parts of the computer system so that it frequently gets a chance to execute and may even take control first when the computer boots, or copying it to removable storage media so that it can spread to other computers. In addition to trying to replicate itself, a malignant virus performs various destructive operations while executing, such as rewriting system files and maliciously deleting or damaging useful files in the computer system. These malicious operations can cause the loss of critical information in the system or the destruction of important programs, and ultimately the collapse of the whole computer system. Some viruses also connect to the external network automatically and keep sending data to a fixed external IP address, which compromises the security of the computer.
The executable file of an application records the operation behavior of the application at run time, so whether the application is safe can be judged by analyzing whether the operation behavior recorded in the executable file has the operation behavior features of a virus. Destructive operation behavior generally includes unconventional operations on the computer system or operations that cause harmful results, such as connecting to the external network to send data, performing repeated code-copying operations, or accessing and rewriting system files; it may also include other kinds of virus behavior features.
In the embodiments of the present invention, further preferably, sub-step S11 may specifically include:
Sub-step S11-1: Disassemble the executable file of the application to obtain the assembly source code corresponding to the application;
Sub-step S11-2: Analyze whether the run-time operation behavior of the assembly source code exhibits target behavior features, the target behavior features being the run-time behavior features of virus files. If the run-time operation behavior of the assembly source code exhibits at least one target behavior feature, the security of the application is "dangerous file"; if it exhibits none of the target behavior features, the security of the application is "safe file".
Disassembly is the process of converting object code into assembly code. Usually a program is written in a high-level language such as C or Pascal and then compiled into an executable file that the computer system can execute directly; disassembly refers to decompiling the machine language of such executable files back into assembly language or another high-level language.
By disassembling the executable file, the assembly source code corresponding to the application is obtained. The executable file records the behavior features of the application at run time, and the recorded operation behavior can be obtained by analyzing the assembly source code. If the operation behavior of the application exhibits at least one of the target behavior features possessed by viruses, the security of the application is determined to be "dangerous file"; if it exhibits none of the target behavior features, the security of the application is "safe file".
In a preferred example of the present invention, when determining whether the operation behavior of the application exhibits the target behavior features, a run-time environment can be virtualized within the real operating system by means of software, with the data and execution results of this environment completely isolated from the real operating system. The assembly source code is run in this environment, the operation behavior of the application is recorded, and the behavior features of that operation behavior are analyzed and then compared with the target behavior features.
In another preferred example of the present invention, before determining whether the operation behavior of the application exhibits the target behavior features, the instructions or instruction sets corresponding to the destructive behaviors of viruses may be preset. During the determination, the instructions or instruction sets contained in the assembly source code of the application are extracted. Since a destructive behavior of a virus consists of a series of instructions or instruction sets that perform destructive operations, and each such instruction or instruction set produces at least one independent destructive operation behavior, if the instructions or instruction sets of the application contain the instruction code corresponding to at least one virus, it can be concluded that the application exhibits virus-like operation behavior; if they contain no instruction code corresponding to any virus, the security of the application can be determined to be "dangerous file".
In the embodiments of the present invention, further preferably, the authentication request may carry the unique identification information of the application, which is the hash value of the application's executable file or the digital certificate information that uniquely identifies the publisher of the application, so that the first feature server can authenticate the application according to the unique identification information.
Specifically, the first feature server is preset with a security authentication database containing the correspondence between the unique identification information of applications and their security. Before step 102, the method may further include:
the first feature server determining that the unique identification information does not exist in the security authentication database, or finding in the security authentication database, according to the unique identification information, that the security corresponding to the application is not "safe file".
In one application scenario of the embodiments of the present invention, the private cloud security system is deployed in a closed intranet environment and may use applications that are specific to the intranet and not used on the external network. Because the security authentication database of the private cloud security system is updated from the public cloud security system, that database may be unable to authenticate the application for which authentication is requested. In this case, the first feature server searches the security authentication database for the unique identification information of the application and may determine that it does not exist there, and may then further request the executable file of the application for security authentication.
In another application scenario of the embodiments of the present invention, the executable file corresponding to the application may also be requested when the private cloud security system preliminarily determines that the application is not a safe file. For example, the security of an application may be classified as safe file, unknown file or disabled file; when its security is authenticated as unknown file or disabled file, the executable file is further requested. In a specific implementation, the kinds and number of security classes may be set as needed; the present invention is not limited in this respect.
In the embodiments of the present invention, further preferably, before the step of sending the acquisition request for the executable file corresponding to the application to at least one second feature terminal, the method may further include:
sending an acquisition request for the executable file corresponding to the application to the first feature terminal, and receiving a message fed back by the first feature terminal that the executable file does not exist.
In a specific implementation, before the executable file is requested from the second feature terminal, it may first be requested from the first feature terminal; when the first feature terminal does not have the executable file, it returns a "not present" message to the first feature server, which then further requests the executable file from the second feature terminal.
In the embodiments of the present invention, further preferably, the second feature terminal stores the correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the step of receiving the executable file corresponding to the application that the second feature terminal looks up according to the unique identification information includes:
Sub-step S21: Receive the executable file that the second feature terminal extracts according to the save path after determining that save path from the unique identification information and the correspondence.
The second feature terminal may record the save path of the application's executable file together with the correspondence between that save path and the unique identification information of the application. In this way, the save path of the application's executable file on the second feature terminal can be found in the correspondence from the unique identification information of the application, and the executable file extracted according to that save path.
Referring to FIG. 2, a flowchart of an authentication method for application security according to another embodiment of the present invention is shown, which may specifically include:
Step 201: the second feature terminal receives an acquisition request for the executable file corresponding to an application, sent by the first feature server, where the acquisition request is sent after the first feature server receives an authentication request from the first feature terminal for the security of the application, and the acquisition request carries the unique identification information of the application; the executable file records the operation behavior of the application at runtime, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal based on an intranet.
Step 202: looking up the executable file corresponding to the application locally according to the unique identification information, and sending the executable file to the first feature server, so that the security of the application is authenticated according to the executable file.
In the embodiment of the present invention, preferably, the unique identification information is a hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application.
In the embodiment of the present invention, preferably, the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the step of locally looking up the executable file corresponding to the application according to the unique identification information includes:
Sub-step S31: determining the save path of the executable file on the second feature terminal according to the unique identification information and the correspondence;
Sub-step S32: extracting the executable file corresponding to the application according to the save path.
In the embodiment of the present invention, preferably, before the step of sending the executable file to the first feature server, the method further includes:
sending a query request for the executable file to the first feature server;
receiving a message fed back by the first feature server that no executable file sent by another second feature terminal has been received.
In the embodiment of the present invention, after receiving the authentication request for the security of the application, the first feature server may request the executable file from one or more second feature terminals. In a specific implementation, if the executable file is requested from multiple second feature terminals, and the executable file may exist on more than one of them, only one of the second feature terminals needs to upload it. Therefore, after a second feature terminal finds the executable file, it may first send a query request for the executable file to the first feature server. If the first feature server has not received the executable file from another second feature terminal, it notifies the second feature terminal that sent the query request, and that terminal then uploads the executable file; if the first feature server has already received the executable file uploaded by another second feature terminal, it notifies the querying terminal that the file has already been received, and that terminal does not need to upload the executable file again. This avoids wasting bandwidth resources when multiple terminals upload the same file repeatedly.
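The exchange described in steps 201 and 202 and sub-steps S31, S32 and the query-before-upload step above, as an added example that is not part of the patent and not code from the applicant: a first feature server that decides from its security authentication database whether an executable is needed, second feature terminals that keep a unique-id to save-path index and extract the file from disk, and the dedup query so that only one terminal uploads. SHA-256 as the hash, the class and method names, and the constructed sample binary are all assumptions of this example; the server also verifies that the uploaded bytes hash to the requested id before storing them, a check the patent text does not spell out.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional

SAFE, UNKNOWN, DISABLED = "safe", "unknown", "disabled"  # security classifications


def file_id(data: bytes) -> str:
    """Unique identification information: hash of the executable (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


class FirstFeatureServer:
    """Private cloud server: holds the security authentication database and collects executables."""

    def __init__(self, database: Dict[str, str]):
        self.database = dict(database)        # unique id -> security classification
        self.received: Dict[str, bytes] = {}  # executables already uploaded by some terminal

    def needs_executable(self, uid: str) -> bool:
        # Request the file when the id is absent from the database or is not classified safe.
        return self.database.get(uid) != SAFE

    def already_received(self, uid: str) -> bool:
        return uid in self.received

    def accept_upload(self, uid: str, data: bytes) -> bool:
        # Defensive check: only store bytes that really hash to the requested id.
        if file_id(data) != uid:
            return False
        self.received.setdefault(uid, data)
        return True


class SecondFeatureTerminal:
    """Intranet terminal keeping a unique-id -> save-path correspondence (sub-steps S31/S32)."""

    def __init__(self, name: str):
        self.name = name
        self.index: Dict[str, str] = {}
        self.uploads = 0

    def register(self, path: str) -> str:
        with open(path, "rb") as f:
            uid = file_id(f.read())
        self.index[uid] = path
        return uid

    def lookup(self, uid: str) -> Optional[bytes]:
        path = self.index.get(uid)            # S31: determine the save path
        if path is None or not os.path.exists(path):
            return None
        with open(path, "rb") as f:           # S32: extract the file from that path
            return f.read()

    def handle_acquisition_request(self, server: FirstFeatureServer, uid: str) -> str:
        data = self.lookup(uid)
        if data is None:
            return "not_found"
        if server.already_received(uid):      # query first so only one terminal uploads
            return "skipped"
        self.uploads += 1
        return "uploaded" if server.accept_upload(uid, data) else "rejected"


def run_scenario() -> dict:
    """Constructed scenario: two terminals hold an intranet-only binary the server database lacks."""
    payload = b"MZ constructed intranet-only executable"   # constructed sample, not a real binary
    uid = file_id(payload)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        t1, t2 = SecondFeatureTerminal("t1"), SecondFeatureTerminal("t2")
        for t in (t1, t2):
            p = os.path.join(tmp, f"{t.name}.bin")
            with open(p, "wb") as f:
                f.write(payload)
            t.register(p)
        server = FirstFeatureServer({"placeholder-known-id": SAFE})
        results["requested"] = server.needs_executable(uid)
        results["t1"] = t1.handle_acquisition_request(server, uid)
        results["t2"] = t2.handle_acquisition_request(server, uid)
        results["t3"] = SecondFeatureTerminal("t3").handle_acquisition_request(server, uid)
        results["uploads"] = t1.uploads + t2.uploads
        results["stored_matches"] = server.received.get(uid) == payload
    return results
```

In `run_scenario` the first terminal uploads, the second is told the file is already present and skips, and a terminal without the file answers "not_found", so exactly one copy crosses the intranet.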
According to the embodiment of the present invention, after the authentication request from the first feature terminal for the security of the application is received, the executable file of the application is requested from the second feature terminal so that the security of the application is authenticated according to the executable file; thus, when the executable file on the first feature terminal is lost, the executable file can still be found on a second feature terminal different from the first feature terminal.
According to the embodiment of the present invention, the terminal does not actively upload the executable file; instead, the server actively requests the executable file from the terminal only when it is further needed. Therefore, the terminal does not need to upload the executable files of all applications of unknown security, but uploads only when needed, which saves network bandwidth resources and server disk space.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in another order or concurrently. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the present invention.
Referring to FIG. 3, a block diagram of an apparatus for authenticating application security according to an embodiment of the present invention is shown, which may specifically include:
a program authentication request module 301, configured for the first feature server to receive an authentication request from the first feature terminal for the security of an application;
a first executable file request module 302, configured to send an acquisition request for the executable file corresponding to the application to at least one second feature terminal, where the acquisition request carries the unique identification information of the application; the executable file records the operation behavior of the application at runtime, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal based on an intranet;
an executable file receiving module, configured to look up the executable file corresponding to the application according to the unique identification information;
a first security authentication module, configured to authenticate the security of the application according to the executable file.
In the embodiment of the present invention, preferably, the unique identification information is a hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application.
In the embodiment of the present invention, preferably, the authentication request carries the unique identification information of the application, and the first feature server is preset with a security authentication database that includes correspondences between the unique identification information of applications and their security;
the apparatus further includes:
a second security authentication module, configured for the first feature server to determine that the unique identification information does not exist in the security authentication database, or to find, according to the unique identification information, that the security corresponding to the application in the security authentication database is not a safe file.
In the embodiment of the present invention, preferably, the apparatus further includes:
a second executable file request module, configured to send an acquisition request for the executable file corresponding to the application to the first feature terminal, and to receive a message fed back by the first feature terminal that the executable file does not exist.
In the embodiment of the present invention, preferably, the first security authentication module is specifically configured to authenticate the security of the application by analyzing whether the operation behavior of the application at runtime, as recorded by the executable file, has a target behavior feature, where a target behavior feature is a behavior feature of a virus file at runtime.
In the embodiment of the present invention, preferably, the first security authentication module includes:
disassembling the executable file of the application to obtain the assembly source code corresponding to the application;
analyzing whether the operation behavior of the assembly source code at runtime has a target behavior feature, where a target behavior feature is a behavior feature of a virus file at runtime;
if the operation behavior of the assembly source code at runtime has at least one target behavior feature, the security of the application is a dangerous file;
if the operation behavior of the assembly source code at runtime does not have any target behavior feature, the security of the application is a safe file.
In the embodiment of the present invention, preferably, the target behavior features include connecting to an external network to send data, performing an operation that copies code multiple times, or accessing and rewriting system files.
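The decision rule of the first security authentication module above (dangerous if at least one target behavior feature is present, safe if none is), as an added example that is not part of the patent and not the applicant's code. The patent derives the runtime behavior from disassembled source; this example instead takes an already-recorded behavior trace as a constructed list of (action, argument) events, which is an assumption, and checks the three target behavior features the text names. The intranet address ranges, the system directory prefixes, the self-copy threshold and the sample traces are all constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]  # (action, argument); constructed trace format for this example

# Assumed intranet ranges: anything outside them counts as "external network".
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed locations of system files.
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "/usr/bin/", "/etc/")


def is_external(host: str) -> bool:
    """True when the target is not inside the configured intranet ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an address: treat as external (conservative)
    return not any(addr in net for net in INTRANET)


def connects_external_and_sends(events: List[Event]) -> bool:
    """Feature 1: connects to an external network and sends data to it."""
    external = {arg for act, arg in events if act == "connect" and is_external(arg)}
    return any(act == "send" and arg in external for act, arg in events)


def copies_code_repeatedly(events: List[Event], threshold: int = 2) -> bool:
    """Feature 2: copies its own code multiple times (threshold is an assumption)."""
    return sum(1 for act, _ in events if act == "copy_self") >= threshold


def rewrites_system_file(events: List[Event]) -> bool:
    """Feature 3: writes to a file under a system directory."""
    return any(act == "write" and arg.startswith(SYSTEM_DIRS) for act, arg in events)


TARGET_FEATURES: Dict[str, Callable[[List[Event]], bool]] = {
    "external_send": connects_external_and_sends,
    "repeated_self_copy": copies_code_repeatedly,
    "system_file_rewrite": rewrites_system_file,
}


def authenticate(events: List[Event]) -> Tuple[str, List[str]]:
    """Dangerous if any target behavior feature matches, safe if none does."""
    matched = [name for name, check in TARGET_FEATURES.items() if check(events)]
    return ("dangerous" if matched else "safe"), matched


# Constructed sample traces (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_DANGEROUS: List[Event] = [
    ("connect", "203.0.113.5"),
    ("send", "203.0.113.5"),
    ("copy_self", "C:\\Users\\alice\\AppData\\x.exe"),
    ("copy_self", "C:\\Temp\\y.exe"),
    ("write", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
]
SAMPLE_SAFE: List[Event] = [
    ("connect", "10.0.0.12"),
    ("send", "10.0.0.12"),
    ("write", "C:\\Users\\alice\\Documents\\report.txt"),
]
```

Returning the list of matched features alongside the verdict is deliberate: an analyst reviewing a "dangerous" result needs to know which target behavior triggered it, and a verdict with no matched feature names cannot be audited.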
In the embodiment of the present invention, preferably, the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal;
the executable file receiving module is specifically configured to receive the executable file that the second feature terminal has extracted according to the save path, after determining the save path according to the unique identification information and the correspondence.
According to the embodiment of the present invention, after the authentication request from the first feature terminal for the security of the application is received, the executable file of the application is requested from the second feature terminal so that the security of the application is authenticated according to the executable file; thus, when the executable file on the first feature terminal is lost, the executable file can still be found on a second feature terminal different from the first feature terminal.
According to the embodiment of the present invention, the terminal does not actively upload the executable file; instead, the server actively requests the executable file from the terminal only when it is further needed. Therefore, the terminal does not need to upload the executable files of all applications of unknown security, but uploads only when needed, which saves network bandwidth resources and server disk space.
Referring to FIG. 4, a block diagram of an apparatus for authenticating application security according to an embodiment of the present invention is shown, which may specifically include:
an acquisition request receiving module 401, configured for the second feature terminal to receive an acquisition request for the executable file corresponding to an application, sent by the first feature server, where the acquisition request is sent after the first feature server receives an authentication request from the first feature terminal for the security of the application, and the acquisition request carries the unique identification information of the application; the executable file records the operation behavior of the application at runtime, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal based on an intranet;
an executable file lookup module 402, configured to look up the executable file corresponding to the application locally according to the unique identification information, and to send the executable file to the first feature server so that the security of the application is authenticated according to the executable file.
In the embodiment of the present invention, preferably, the unique identification information is a hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application.
In the embodiment of the present invention, preferably, the second feature terminal stores a correspondence between the unique identification information of the application and the save path of the executable file on the second feature terminal, and the executable file lookup module includes:
a path determination submodule, configured to determine the save path of the executable file on the second feature terminal according to the unique identification information and the correspondence;
an executable file extraction submodule, configured to extract the executable file corresponding to the application according to the save path.
In the embodiment of the present invention, preferably, the apparatus further includes:
a query request sending module, configured to send a query request for the executable file to the first feature server;
a message receiving module, configured to receive a message fed back by the first feature server that no executable file sent by another second feature terminal has been received.
According to the embodiment of the present invention, after the authentication request from the first feature terminal for the security of the application is received, the executable file of the application is requested from the second feature terminal so that the security of the application is authenticated according to the executable file; thus, when the executable file on the first feature terminal is lost, the executable file can still be found on a second feature terminal different from the first feature terminal.
According to the embodiment of the present invention, the terminal does not actively upload the executable file; instead, the server actively requests the executable file from the terminal only when it is further needed. Therefore, the terminal does not need to upload the executable files of all applications of unknown security, but uploads only when needed, which saves network bandwidth resources and server disk space.
Referring to FIG. 5, a flowchart of a method for changing application security according to an embodiment of the present invention is shown, which may specifically include:
Step 501: the first feature server authenticates the security of an application of the first feature terminal, and delivers the authenticated security to the first feature terminal for storage, where the first feature server is a server that the first feature terminal can access through an intranet.
In the embodiment of the present invention, the first feature server is a server accessible by specific terminals, that is, a private cloud security system; the feature terminals that can access the private cloud security system and the private cloud security system server are on the same intranet. In a specific implementation, private cloud security systems are mostly set up on an enterprise intranet and can manage each terminal on that intranet.
The first feature terminal may request the first feature server to authenticate the security of an application when downloading, installing, starting or saving the application. In a specific implementation, when requesting authentication, the feature identifier of the application may be sent to the first feature server; the first feature server stores correspondences between the feature identifiers of applications and their security, and after determining the security of the application according to the feature identifier, it may deliver the security to the first feature terminal. The feature identifier may be the hash value of the executable file of the application, or digital certificate information that uniquely identifies the publisher of the application.
In a specific implementation, the security of the application includes three levels, normal, disabled and unknown; it may also be set according to specific requirements, and the present invention does not limit this.
Step 502: receiving an acquisition request from the first feature terminal for multiple change files, where a change file is used to correct the security of an application stored by the first feature terminal.
In a private cloud security system, changes to file security occur frequently. A change to the security of an application can be recorded in a change file, according to which the security of that application is applied; change files are stored on the feature server. The first feature terminal can request change files from the first feature server to obtain the changes in application security, so that the terminal uses the new file security to manage terminal security.
Step 503: extracting multiple change files according to the acquisition request, where each change file carries a corresponding file processing level.
According to the terminal's acquisition request for change files, the requested change files can be further extracted; for example, the change files corresponding to a certain application, or the change files generated within a certain time period, may be requested. In the embodiment of the present invention, a file processing level is set separately for each change file of an application. In a specific implementation, the file processing level may be set according to specific application requirements; for example, it may be set according to the source of the change file, or according to the type of program to which the change file corresponds.
When the file processing level is set according to the source of the change file, different file processing levels are set for changes made actively by an administrator and for changes from other sources; they may be divided into a first file processing level and a second file processing level, or into a high file processing level and a low file processing level, and so on.
Step 504: classifying the extracted change files according to their corresponding file processing levels, and sending the change files to the first feature terminal separately by class, so that the first feature terminal processes change files of different file processing levels in different processing manners.
Change files can be classified by file processing level: change files with the same file processing level are grouped into one class and sent to the first feature terminal class by class; after receiving the change files sent class by class, the first feature terminal processes the change files of different classes, that is, of different file processing levels, in different processing manners. Therefore, according to the embodiment of the present invention, change files with a high file processing level and change files with a low file processing level can be sent and processed separately, so that when a large number of change files are backlogged, change files with a higher processing level are sent separately from those with a lower processing level. This avoids the security risk to the terminal caused by a change file with a higher processing level failing to reach the terminal in time, and makes the file security change process effective, fast and reliable.
In a preferred embodiment of the present invention, the step of sending the change files to the first feature terminal separately by class may include:
Sub-step S41: sending change files with different file processing levels to the first feature terminal through different transmission paths.
When change files with different file processing levels are sent to the first feature terminal, they may be sent through different transmission paths, and the first feature terminal receives change files with different file processing levels through different transmission paths, so that change files with different file processing levels do not interfere with each other during transmission to the terminal. This avoids the security risk to the terminal caused by a change file with a higher processing level failing to reach the terminal in time, and makes the file security change process effective, fast and reliable.
Further, sub-step S41 may include:
Sub-step S41-1: sending change files with different file processing levels to the first feature terminal through different preset ports or communication channels of the first feature server;
or, Sub-step S41-2: sending change files with different file processing levels to the first feature terminal through different preset interfaces of the first feature terminal;
or, Sub-step S41-3: sending change files with different file processing levels to different preset folders of the first feature terminal.
In the embodiment of the present invention, transmitting change files with different file processing levels through different transmission paths may mean sending them to the first feature terminal through different preset ports of the server, where different preset ports of the server form different data transmission paths to the first feature terminal. In this case, the terminal and the server deliver change files of one file processing level according to the original protocol (for example HTTP, the Hypertext Transfer Protocol), and a new change file notification protocol is added for delivering change files of the other file processing levels; its format may be consistent with the original format. For example, if the file processing levels include a high file processing level and a low file processing level, change notifications at the high file processing level are delivered through the new notification protocol, and change notifications at the low file processing level are delivered through the original notification protocol.
In the embodiment of the present invention, the change files may also be sent to the first feature terminal through different communication channels, with multiple communication channels constructed between the link layer of the server and the link layer of the first feature terminal, each used to transmit change files of a different file processing level. The server may also send them to the first feature terminal through different preset interfaces of the first feature terminal: the first feature terminal has multiple different preset interfaces, and different preset interfaces form different data transmission paths with the server. Different folders may also be preset on the feature terminal, each storing change files of a different file processing level, with a different data transmission path formed between each folder and the server.
In another preferred embodiment of the present invention, the step of sending the change files to the first feature terminal separately by class may include:
Sub-step S51: sorting the extracted change files according to their corresponding file processing levels, and extracting the change files one by one in sorted order and sending them to the first feature terminal.
In this other preferred embodiment, when change files are sent by class, change files with a high file processing level may be sent to the first feature terminal first, so that change files with a higher processing level reach the terminal in time. Specifically, the change files are sorted by their corresponding file processing level from high to low, and the change files that sort first, that is, those with a higher file processing level, are sent to the first feature terminal first. This avoids the security risk to the terminal caused by a change file with a higher processing level failing to reach the terminal in time, and makes the file security change process effective, fast and reliable.
In an embodiment of the present invention, the step in which the first feature terminal processes change files of different file processing levels in different processing manners includes:
Sub-step S61: the first feature terminal creates a corresponding process for the change files of each file processing level, or processes them with different threads.
In an embodiment of the present invention, the first feature terminal may create multiple threads to process change files of different file processing levels separately, or may process change files of different file processing levels using different threads, so that the processing of change files of different file processing levels does not interfere with one another.
Preferably, when the first feature terminal creates different threads to process change files of different file processing levels, the thread corresponding to change files with a higher file processing level has a higher processing speed than the thread corresponding to change files with a lower file processing level, so that change files with a high file processing level are processed faster.
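The server-side sort (S51) and the terminal-side per-level worker threads (S61) described above, as an added example that is not part of the patent or of any product it describes. It assumes two file processing levels, a server-assigned generation-order number on every change file, and a constructed backlog in which a single administrator correction arrives behind fifty cloud-sourced files; the class and function names are this example's own.

```python
"""Added example (not from the patent): classify change files by file processing
level, hand the higher level out first, and let the terminal apply each level in
its own worker thread so a backlog of low-level files cannot hold up urgent ones.
All names and data are constructed for illustration."""
import queue
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVEL_FIRST = 1   # first file processing level: administrator correction, highest priority
LEVEL_SECOND = 2  # second file processing level: public-cloud query / offline import


@dataclass(order=True)
class ChangeFile:
    level: int                           # file processing level carried by the file
    seq: int                             # server-assigned generation-order number
    app_hash: str = field(compare=False)
    verdict: str = field(compare=False)  # corrected security, e.g. "blocked" / "allowed"


def classify(files: List[ChangeFile]) -> Dict[int, List[ChangeFile]]:
    """Group change files by level; within a level keep generation order (oldest first)."""
    groups: Dict[int, List[ChangeFile]] = {}
    for f in files:
        groups.setdefault(f.level, []).append(f)
    for group in groups.values():
        group.sort(key=lambda cf: cf.seq)
    return groups


def send_order(files: List[ChangeFile]) -> List[ChangeFile]:
    """Order in which the server hands files out: every level-1 file before any level-2 file."""
    groups = classify(files)
    return [f for level in sorted(groups) for f in groups[level]]


class Terminal:
    """First feature terminal: one queue and one daemon worker thread per level."""

    def __init__(self) -> None:
        self.queues: Dict[int, "queue.Queue[ChangeFile]"] = {
            LEVEL_FIRST: queue.Queue(), LEVEL_SECOND: queue.Queue()}
        self.verdicts: Dict[str, str] = {}          # security currently stored per application
        self.applied: List[Tuple[int, int]] = []    # (level, seq) in the order actually applied
        self._lock = threading.Lock()
        self._workers = [threading.Thread(target=self._worker, args=(lvl,), daemon=True)
                         for lvl in self.queues]
        for w in self._workers:
            w.start()

    def receive(self, f: ChangeFile) -> None:
        """Route an incoming change file to the queue of its level (separate transmission path)."""
        self.queues[f.level].put(f)

    def _worker(self, level: int) -> None:
        q = self.queues[level]
        while True:                      # daemon thread; lives as long as the terminal process
            f = q.get()
            with self._lock:
                self.verdicts[f.app_hash] = f.verdict
                self.applied.append((f.level, f.seq))
            q.task_done()

    def drain(self) -> None:
        """Block until both worker threads have applied everything queued so far."""
        for q in self.queues.values():
            q.join()


def deliver(files: List[ChangeFile], terminal: Terminal) -> List[ChangeFile]:
    """Server sends in priority order; terminal applies; returns the order sent."""
    order = send_order(files)
    for f in order:
        terminal.receive(f)
    terminal.drain()
    return order


def constructed_backlog() -> List[ChangeFile]:
    """Constructed sample: 50 cloud-sourced (level 2) files, then one admin (level 1) correction."""
    files = [ChangeFile(LEVEL_SECOND, i, f"cloud{i:03d}", "allowed") for i in range(1, 51)]
    files.append(ChangeFile(LEVEL_FIRST, 51, "app_admin_fixed", "blocked"))
    return files
```

The point of the two queues is isolation, not raw speed: a level-1 file is never queued behind level-2 files, so even if the level-2 worker is slow the administrator's correction is applied as soon as it arrives. The patent's preference for a faster level-1 thread is not modelled here beyond the separate worker.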
In an embodiment of the present invention, the acquisition request is generated according to the change files already present on the first feature terminal, and step 503 may further include:
Sub-step S71: extracting, according to the acquisition request, the change files whose generation time is later than the generation time of the change files already present on the first feature terminal.
After receiving the acquisition request, the first feature server returns change files according to it. In a specific implementation the terminal may already hold some of the change files, and the change files returned according to the acquisition request are those whose generation time is later than the generation time of the change files already present on the terminal, that is, the more recently generated change files. In other words, the terminal receives only change files it does not already hold locally. Returning change files incrementally in this way prevents the terminal from requesting the same change file more than once, so no data is downloaded repeatedly and the bandwidth of the upgrade server is not wasted.
In a preferred example of the present invention, the acquisition request carries time information, the time information marks the generation time of the most recent change file, and the most recent change file is the one among the change files already present on the first feature terminal whose generation time is closest to the current time;
Sub-step S71 includes:
Sub-step S71-1: extracting the change files whose generation time is later than the generation time marked by the time information carried in the acquisition request.
In this embodiment, when the acquisition request is generated according to the change files already present on the first feature terminal, time information is added to the acquisition request; the time information marks the generation time of the most recent change file, which in this embodiment is the change file, among those already present on the terminal, whose generation time is closest to the current time. For example, if the terminal already has 95 change files, the change file with the most recent generation time can be found according to the information identifier carried by each change file, and time information derived from the generation time of that change file is sent to the first feature server.
In this embodiment, the time information may be the number assigned to the change file by the first feature server according to the order in which the change files were generated, or the generation time of the change file on the first feature server, or other information derived from the generation time of the most recent change file.
In this embodiment, preferably, each change file on the first feature server carries an information identifier, which may be the number assigned to the change file by the first feature server according to the order in which the change files were generated, or the generation time of the change file on the first feature server.
When the information identifier is the number assigned by the first feature server according to the generation order of the change files, the information identifier may be used directly as the time information; when the information identifier is the generation time of the change file on the first feature server, the information identifier may be used directly as the time information, or other information derived from the generation time of the most recent change file may be used as the time information.
For example, when the information identifier is the number assigned to each change file according to its generation order, such as 1, 2, 3, ... 95, the most recent change file is the one with information identifier 95, and the information identifier 95 can be sent to the first feature server as the time information so that the first feature server returns change files according to the most recent information identifier. When the information identifier is the time at which the first feature server generated the change file, the information identifier of the most recent change file, 2013-11-12-11:14, can be extracted as the time information, or other information derived from the generation time of the most recent change file can be used as the time information, for example the 12-digit number 201311121114 extracted from the generation time, and sent to the first feature server.
In another preferred example of the present invention, the acquisition request carries time information, the time information marks the generation time of a certain change file that is not present on the first feature terminal but is present on the first feature server, and the time information is obtained by comparing a change file list requested from the first feature server with the change files local to the first feature terminal;
Sub-step S71 includes:
Sub-step S71-2: extracting the change file whose generation time is the generation time marked by the time information carried in the acquisition request, together with the change files whose generation time is later than the generation time marked by that time information.
Unlike the previous example, in this example, before requesting change files, the first feature terminal may first request from the first feature server a list of the change files present on the first feature server. The change file list may include the generation times of all change files present on the first feature server, or of all change files generated after a specified time. By comparing the generation time of each change file in the list with the generation times of the change files present on the terminal, the terminal can determine which change files it lacks, and from the result of the comparison it obtains the generation time information of a change file it does not have. The specified time may be the time at which the terminal last acquired change files, and may be set according to the specific application requirements.
For example, when the information identifier is a number, the terminal holds 95 change files and the first feature server holds 100; the change file list includes the generation times of the 100 change files, or of all change files generated after the terminal last acquired change files. After the terminal compares the change file list with the generation times of its own change files, the missing change files are the five with information identifiers 96 to 100, and the time information may mark the generation time of any one of these five change files.
After receiving time information marking the generation time of a change file that is not present on the terminal, the first feature server may return to the terminal the change file whose generation time is the one marked by the time information carried in the acquisition request, together with the change files whose generation time is later than it. In other words, it returns the change file that the terminal lacks as well as the other change files generated after it. The number of files returned may be set in advance; the present invention does not limit this.
In another preferred example of the present invention, the acquisition request carries time information, the time information marks the generation time of at least one change file that is not present on the first feature terminal but is present on the first feature server, and the time information is obtained by comparing a change file list requested from the first feature server with the change files local to the first feature terminal;
Sub-step S71 includes:
Sub-step S71-3: extracting the change files whose generation time is the generation time marked by the time information carried in the acquisition request.
Unlike the previous example, in this example the time information marks the generation time of at least one change file that is not present on the terminal. For example, when the information identifier is a number, the terminal holds 95 change files and the first feature server holds 100; the change files missing from the terminal are the five with information identifiers 96 to 100, and the time information may mark the generation times of one or more of these five change files.
After receiving time information marking the generation time of at least one change file that is not present on the terminal, the first feature server may return to the terminal the change files whose generation time is the one marked by the time information carried in the acquisition request; in other words, it returns the change files marked in the time information that the terminal lacks.
In a specific implementation, the acquisition request may also carry the number of change files requested, and the first feature server extracts from the change files it has found at least one change file, no more than the requested number, and returns them to the terminal.
When the acquisition request carries the number of change files requested, change files can be returned according to the requested number. Because each download contains only the required files and nothing is downloaded twice, this avoids the problems of large download volumes and heavy pressure on the bandwidth of the upgrade server.
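The three forms of time information in sub-steps S71-1, S71-2 and S71-3, together with the optional request count, as an added example that is not part of the patent or of any product it describes. It assumes the information identifier is the server's generation-order number (the 1, 2, 3 ... 95 case above), models the change file list the terminal requests before S71-2/S71-3, and uses constructed server data with identifiers 1 to 100; the request modes and all names are this example's own.

```python
"""Added example (not from the patent): server-side extraction of change files
for an incremental acquisition request, plus the terminal-side list comparison
and merge.  Identifiers are generation-order numbers; all data is constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeFile:
    seq: int          # information identifier: number assigned in generation order
    app_hash: str
    verdict: str      # corrected security for that application


@dataclass(frozen=True)
class AcquisitionRequest:
    # "after_latest"  -> S71-1: seqs[0] is the newest identifier the terminal already has
    # "from_missing"  -> S71-2: seqs[0] is one identifier the terminal lacks; return it and all later
    # "exact_missing" -> S71-3: seqs lists identifiers the terminal lacks; return exactly those
    mode: str
    seqs: Tuple[int, ...]        # the time information carried by the request
    count: Optional[int] = None  # optional number of change files requested


def extract_change_files(server_files: List[ChangeFile],
                         req: AcquisitionRequest) -> List[ChangeFile]:
    """What the first feature server returns for one acquisition request."""
    by_seq = {f.seq: f for f in server_files}
    ordered = sorted(by_seq)
    if req.mode == "after_latest":
        latest = req.seqs[0]
        picked = [by_seq[s] for s in ordered if s > latest]
    elif req.mode == "from_missing":
        first_missing = req.seqs[0]
        picked = [by_seq[s] for s in ordered if s >= first_missing]
    elif req.mode == "exact_missing":
        wanted = set(req.seqs)
        picked = [by_seq[s] for s in ordered if s in wanted]
    else:
        raise ValueError(f"unknown request mode {req.mode!r}")
    if req.count is not None:            # cap at the number the terminal asked for
        picked = picked[:req.count]
    return picked


def change_file_list(server_files: List[ChangeFile], since: Optional[int] = None) -> List[int]:
    """The listing the terminal requests first in S71-2/S71-3: identifiers on the server,
    optionally only those generated after `since` (e.g. the terminal's last fetch)."""
    return sorted(f.seq for f in server_files if since is None or f.seq > since)


def missing_on_terminal(listing: List[int], local_seqs: Iterable[int]) -> List[int]:
    """Terminal-side comparison: identifiers in the listing it does not hold locally."""
    have = set(local_seqs)
    return [s for s in listing if s not in have]


def merge(local_files: List[ChangeFile], received: List[ChangeFile]) -> List[ChangeFile]:
    """Terminal merges a response; a re-delivered identifier is ignored, so the
    operation is idempotent and a duplicate download changes nothing."""
    have = {f.seq for f in local_files}
    return local_files + [f for f in received if f.seq not in have]


def constructed_server_files() -> List[ChangeFile]:
    """Constructed sample: change files 1..100 on the first feature server."""
    return [ChangeFile(i, f"hash{i:03d}", "allowed" if i % 2 else "blocked")
            for i in range(1, 101)]
```

With the terminal holding files 1 to 95, an `after_latest` request carrying 95 yields 96 to 100; a `from_missing` request carrying 96 with `count=3` yields 96 to 98, leaving 99 and 100 for the next round; an `exact_missing` request carrying (97, 99) yields just those two. The same identifiers can stand in for the 12-digit generation-time form, since only ordering and equality are used.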
According to the embodiment of the present invention, after the first feature server classifies the change files requested by the feature terminal according to their corresponding file processing levels, it sends the change files to the first feature terminal separately according to the classification, and the first feature terminal processes change files of different file processing levels in different processing manners. Change files with a high file processing level and those with a low file processing level can thus be sent separately by file processing level and processed in different manners, so that when a large backlog of change files has accumulated, change files with a lower processing level do not delay the sending of change files with a higher processing level. This avoids the security risk to the terminal that arises when a change file with a higher processing level fails to reach the terminal in time, and makes the process of changing file security effective, fast and reliable.
Referring to FIG. 6, a flowchart of a method for changing application security according to another embodiment of the present invention is shown, which may specifically include:
Step 601: the first feature server identifies the security of an application of the first feature terminal and sends the identified security to the feature terminal for storage, the first feature server being a server accessible to the first feature terminal through an intranet.
Step 602: the first feature server generates the change file and adds a file processing level to it according to the source of the change; the change file is used to correct the security of a certain application stored on the first feature terminal, and the file processing level includes a first file processing level and a second file processing level.
As noted in the background art, file security changes have two main sources: first, changes caused by the administrator of the private cloud security system directly modifying the security of an application; second, changes caused by import through an offline query tool or by file proxy query. In an embodiment of the present invention, the file processing level is divided into two according to the source of the change, namely a first file processing level and a second file processing level. The file source corresponding to the first file processing level may be a change made actively by the administrator on the server side, the file source corresponding to the second file processing level may be a change made after querying security in the public cloud security system offline or online, and the first file processing level is higher than the second file processing level.
Specifically, when the change file carries the first processing level, step 602 may include:
Sub-step S81: receiving the corrected security for the application submitted at the first feature server, and generating, according to the corrected security, a change file that corrects the security identified by the first feature server and stored on the feature terminal, the change file carrying the first file processing level.
In an embodiment of the present invention, the security of an application may be corrected on the first feature server. After receiving the corrected security, the server generates a change file according to it so as to change the security of that application, and because the source of the change is a submission made on the server side, the first file processing level can be added to the generated change file.
The first file processing level is higher than the second file processing level; when the change file carries the second processing level, step 602 includes:
Sub-step S82: the first feature server requests a second feature server to identify the security of the application, the second feature server being a server located on the Internet and accessible through the Internet;
Sub-step S83: generating, according to the security identified by the second feature server, a change file that corrects the security identified by the first feature server and stored on the feature terminal, the change file carrying the second file processing level.
After the first feature terminal requests the first feature server to identify the security of an application, if the result is unknown security, the first feature server may further request the second feature server to identify the security of the application, the second feature server being a server located on the Internet and accessible through the Internet, that is, the public cloud security system. For example, in the early stage of deploying a private cloud security system, first feature terminals report a large number of files to the first feature server, which accumulates a large number of files whose file level is unknown; when a connection to the second feature server is available, the second feature server can be further requested to identify the security of these applications. Because the result from the first feature server was unknown security, a change file correcting the application's security can be generated according to the security identified by the second feature server, and because the source of this change is a file security change caused by file proxy query, the second file processing level can be added to the change file.
The first file processing level is higher than the second file processing level; when the change file carries the second processing level, step 602 includes:
Sub-step S84: the first feature server connects to the second feature server through the first feature terminal to have the security of the application identified, the second feature server being a server located on the Internet and accessible through the Internet;
Sub-step S85: generating, according to the security identified by the second feature server, a change file that corrects the security identified by the first feature server and stored on the first feature terminal, the change file carrying the second file processing level.
When the first feature server cannot connect to the Internet, the security of an application can be queried at the second feature server offline. For example, in an isolated network, in the early stage of deploying the private cloud security system, first feature terminals report a large number of files to the server and the first feature server accumulates a large number of files whose file level is unknown. The list of applications of unknown security can be exported with an offline query tool and taken to a feature terminal that can connect to the Internet, where the first feature terminal performs the file cloud security query, that is, the first feature terminal connects to the Internet and requests the second feature server to identify the security of the applications; the query result is then imported with the offline query tool into the first feature server of the private cloud security system. Because the source of this change is a file security change caused by offline query tool import, the second file processing level can be added to the change file.
When the administrator of the private cloud security system manages applications and finds that the security of a file has been marked incorrectly, for example wrongly marked as normal or as disabled, the administrator modifies the security of that file through the file management interface of the private cloud security system. A file security change caused by the administrator directly modifying the security of a file is in many cases made because the originally set file security was incorrect and a security problem has already appeared; the change is therefore a management measure taken by an administrator who has already encountered a security problem. In other words, a security policy adjusted by the administrator is an important or urgent procedure whose priority is higher than that of file security changes caused by offline query tool import or file proxy query, and these file security changes must be delivered to the terminal quickly and reliably to help enterprise users reduce security risks.
If, as in the background art, change notifications are sent to the terminal in the order in which the changes occurred, the more important changes cannot be handled in time; when a large backlog of file level change notifications has not yet been delivered to the terminal, the terminal cannot immediately apply the file security changes adjusted by the administrator, so a security risk exists.
According to the embodiment of the present invention, a corresponding file processing level can be set for changes from different sources: as described above, a file security change caused by the administrator directly modifying application security on the first server corresponds to the first file processing level, and a file security change caused by offline query tool import or file proxy query corresponds to the second file processing level. Change files from different sources are thus sent to the terminal separately, so that change files of the second file processing level do not delay the sending of change files of the first file processing level.
When the extracted change files are sorted by their corresponding file processing levels and extracted one by one in sorted order for sending to the feature terminal, change files of the first file processing level can be sent to the terminal first because the first file processing level is higher than the second, giving priority to the administrator's changes to applications.
In a specific implementation, two different processes may be created, or two different threads used, to process the two levels of change files. When two threads are used, the thread corresponding to the first file processing level may have a higher processing speed than the thread corresponding to the second file processing level, so that changes made by the administrator on the first server are delivered faster and the security of a file is changed to disabled or allowed in time.
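Step 602 and sub-steps S81 to S85, that is, deriving the file processing level from the source of a change, as an added example that is not part of the patent or of any product it describes. It assumes three verdict values ("allowed", "blocked", "unknown"), a second feature server modelled as a lookup table, and a JSON string standing in for the offline query tool's export and import files; the class and method names are this example's own.

```python
"""Added example (not from the patent): a first feature server that records the
security it handed to terminals and emits change files whose file processing level
follows the change's source: an administrator correction gets level 1, a verdict
obtained from the second (public-cloud) feature server online or via the offline
query tool gets level 2.  Servers and data are constructed."""
import itertools
import json
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Source(Enum):
    ADMIN = "admin"                    # correction submitted at the first feature server (S81)
    CLOUD_PROXY = "cloud_proxy"        # first server queried the second server online (S82/S83)
    OFFLINE_IMPORT = "offline_import"  # result brought in with the offline query tool (S84/S85)


LEVEL_FIRST, LEVEL_SECOND = 1, 2
LEVEL_BY_SOURCE = {Source.ADMIN: LEVEL_FIRST,
                   Source.CLOUD_PROXY: LEVEL_SECOND,
                   Source.OFFLINE_IMPORT: LEVEL_SECOND}


@dataclass(frozen=True)
class ChangeFile:
    seq: int            # generation-order number (the information identifier)
    app_hash: str
    old_verdict: str    # security previously handed to the terminal
    new_verdict: str    # corrected security
    source: Source
    level: int          # file processing level derived from `source`


class SecondFeatureServer:
    """Constructed stand-in for the Internet (public-cloud) server."""

    def __init__(self, known: Dict[str, str]) -> None:
        self.known = known

    def identify(self, app_hash: str) -> str:
        return self.known.get(app_hash, "unknown")

    def answer_offline(self, exported: str) -> str:
        """Answer an exported list of hashes; the result is what the tool imports (S84)."""
        return json.dumps({h: self.identify(h) for h in json.loads(exported)})


class FirstFeatureServer:
    """Intranet server holding the verdicts it handed to terminals (step 601)."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}
        self.change_files: List[ChangeFile] = []
        self._seq = itertools.count(1)

    def report(self, app_hash: str) -> str:
        """A terminal reports a file; record it as unknown if never seen, return verdict."""
        return self.verdicts.setdefault(app_hash, "unknown")

    def identify(self, app_hash: str) -> str:
        return self.verdicts.get(app_hash, "unknown")

    def _emit(self, app_hash: str, new_verdict: str, source: Source) -> Optional[ChangeFile]:
        """Generate a change file only if the verdict actually changes (step 602)."""
        old = self.identify(app_hash)
        if old == new_verdict:
            return None
        cf = ChangeFile(next(self._seq), app_hash, old, new_verdict,
                        source, LEVEL_BY_SOURCE[source])
        self.verdicts[app_hash] = new_verdict
        self.change_files.append(cf)
        return cf

    def admin_correct(self, app_hash: str, verdict: str) -> Optional[ChangeFile]:
        return self._emit(app_hash, verdict, Source.ADMIN)              # S81, level 1

    def unknown_apps(self) -> List[str]:
        return sorted(h for h, v in self.verdicts.items() if v == "unknown")

    def resolve_online(self, second: SecondFeatureServer) -> List[ChangeFile]:
        """S82/S83: ask the second server about every unknown application."""
        out = []
        for h in self.unknown_apps():
            cf = self._emit(h, second.identify(h), Source.CLOUD_PROXY)  # level 2
            if cf is not None:
                out.append(cf)
        return out

    def export_unknown(self) -> str:
        """S84: what the offline query tool carries to an Internet-connected terminal."""
        return json.dumps(self.unknown_apps())

    def import_results(self, answered: str) -> List[ChangeFile]:
        """S85: import the tool's answers; unchanged ("unknown" again) yields no file."""
        out = []
        for h, v in json.loads(answered).items():
            cf = self._emit(h, v, Source.OFFLINE_IMPORT)                # level 2
            if cf is not None:
                out.append(cf)
        return out
```

Because `_emit` derives the level from the source rather than letting the caller choose it, a cloud-sourced verdict can never be promoted to level 1 by mistake, and an answer that is still "unknown" produces no change file at all, so the backlog sent to terminals contains only real corrections.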
Step 603: receiving an acquisition request of the first feature terminal for a plurality of change files.
Step 604: extracting a plurality of change files according to the acquisition request, the change files carrying corresponding file processing levels.
Step 605: classifying the extracted change files according to their corresponding file processing levels, and sending the change files to the first feature terminal separately according to the classification, so that the first feature terminal processes change files of different file processing levels in different processing manners.
According to the embodiment of the present invention, after the first feature server classifies the change files requested by the feature terminal according to their corresponding file processing levels, it sends the change files to the feature terminal separately according to the classification, and the feature terminal processes change files of different file processing levels in different processing manners. Change files with a high file processing level and those with a low file processing level can thus be sent separately by file processing level and processed in different manners, so that when a large backlog of change files has accumulated, change files with a lower processing level do not delay the sending of change files with a higher processing level. This avoids the security risk to the terminal that arises when a change file with a higher processing level fails to reach the terminal in time, and makes the process of changing file security effective, fast and reliable.
It should be noted that, for simplicity of description, the foregoing method embodiments are each expressed as a series of combined actions; those skilled in the art should understand, however, that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in another order or concurrently. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions involved are not necessarily required by the present invention.
Referring to FIG. 7, a block diagram of a device for changing application security according to an embodiment of the present invention is shown, which may specifically include:
a security identification module 701, configured for the first feature server to identify the security of an application of the first feature terminal and to send the identified security to the first feature terminal for storage, the first feature server being a server accessible to the first feature terminal through an intranet;
a change acquisition request module 702, configured to receive an acquisition request of the first feature terminal for a plurality of change files, the change files being used to correct the security of a certain application stored on the first feature terminal;
a file extraction module 703, configured to extract a plurality of change files according to the acquisition request, the change files carrying corresponding file processing levels;
a file classification module 704, configured to classify the extracted change files according to their corresponding file processing levels;
a file sending module 705, configured to send the change files to the first feature terminal separately according to the classification, so that the first feature terminal processes change files of different file processing levels in different processing manners.
In an embodiment of the present invention, preferably, the file sending module is specifically configured to send change files with different file processing levels to the first feature terminal over different transmission paths.
In an embodiment of the present invention, preferably, the file sending module includes:
a first sending sub-module, configured to send change files with different file processing levels to the first feature terminal through different preset ports or communication channels of the first feature server;
or, a second sending sub-module, configured to send change files with different file processing levels to the first feature terminal through different preset interfaces of the first feature terminal;
or, a third sending sub-module, configured to send change files with different file processing levels to different preset folders of the first feature terminal.
In an embodiment of the present invention, preferably, the file sending module is specifically configured to sort the extracted change files according to their corresponding file processing levels, and to extract and send the change files to the first feature terminal one by one in sorted order.
In an embodiment of the present invention, preferably, the file extraction module is specifically configured to extract, according to the acquisition request, change files whose generation time is later than the generation time of the change files already present on the feature terminal.
In an embodiment of the present invention, preferably, the acquisition request carries time information, the time information marking the generation time of the most recent change file, the most recent change file being the one among the change files already present on the first feature terminal whose generation time is closest to the current time;
the file extraction module includes:
a first extraction sub-module, configured to extract change files whose generation time is later than the generation time marked by the time information carried in the acquisition request.
In an embodiment of the present invention, preferably, the acquisition request carries time information, the time information marking the generation time of a change file that does not exist on the first feature terminal but exists on the first feature server, the time information being obtained by comparing a change file list requested from the first server with the change files held locally by the first feature terminal;
the file extraction module includes:
a second extraction sub-module, configured to extract the change file whose generation time is the generation time marked by the time information carried in the acquisition request, together with the change files whose generation time is later than that generation time.
In an embodiment of the present invention, preferably, the acquisition request carries time information, the time information marking the generation time of at least one change file that does not exist on the first feature terminal but exists on the first feature server, the time information being obtained by comparing a change file list requested from the first feature server with the change files held locally by the first feature terminal;
the file extraction module includes:
a third extraction sub-module, configured to extract the change files whose generation time is the generation time marked by the time information carried in the acquisition request.
In an embodiment of the present invention, preferably, the security of an application has three levels: normal, disabled and unknown.
According to the embodiments of the present invention, the first feature server classifies the change files requested by the feature terminal according to their corresponding file processing levels and then sends the change files to the feature terminal separately by classification, and the feature terminal processes change files of different file processing levels in different ways. Change files with a high file processing level and change files with a low file processing level can thus be sent separately according to their file processing level, and files of different processing levels can be handled by different processing methods. When a large backlog of change files has accumulated, this prevents change files of a lower processing level from delaying the sending of change files of a higher processing level, and avoids the security risk to the terminal that arises when higher-level change files fail to reach it in time, making the process of changing file security effective, fast and reliable.
Referring to FIG. 8, a structural block diagram of an apparatus for changing application security according to an embodiment of the present invention is shown, which may specifically include:
Security authentication module 801, configured for the first feature server to authenticate the security of an application of the first feature terminal and to deliver the authenticated security to the first feature terminal for storage, the first feature server being a server accessible to the first feature terminal via an intranet.
Change file generation module 802, configured for the first feature server to generate the change files, where the file processing level includes a first file processing level and a second file processing level.
Change acquisition request 803, configured to receive an acquisition request from the first feature terminal for a plurality of change files, a change file being used to correct the security of an application stored by the first feature terminal;
File extraction module 804, configured to extract a plurality of change files according to the acquisition request, each change file carrying a corresponding file processing level;
File classification module 805, configured to classify the extracted change files according to their corresponding file processing levels;
File sending module 806, configured to send the change files to the first feature terminal separately by classification, so that the first feature terminal processes change files of different file processing levels in different ways.
In an embodiment of the present invention, preferably, the first file processing level is higher than the second file processing level, and when the change file carries the first processing level, the change file generation module may include:
a security receiving module, configured to receive a corrected security for the application submitted at the first feature server;
a first file generation sub-module, configured to generate, according to the corrected security, a change file that corrects the security authenticated by the first feature server and stored by the first feature terminal, the change file carrying the first file processing level.
In an embodiment of the present invention, preferably, the first file processing level is higher than the second file processing level, and when the change file carries the second processing level, the change file generation module may include:
a first authentication request sub-module, configured for the first feature server to request a second feature server to authenticate the security of the application, the second feature server being a server located in the Internet and accessible via the Internet;
a second file generation sub-module, configured to generate, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and stored by the first feature terminal, the change file carrying the second file processing level.
In an embodiment of the present invention, preferably, when the change file carries the second processing level, the change file generation module may include:
a second authentication request sub-module, configured for the first feature server to connect, through the first feature terminal, to the second feature server to have the security of the application authenticated, the second feature server being a server located in the Internet and accessible via the Internet;
a third file generation sub-module, configured to generate, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and stored by the first feature terminal, the change file carrying the second file processing level.
In an embodiment of the present invention, preferably, the file sending module may be specifically configured to send the change files to the first feature terminal separately by classification, so that the first feature terminal creates a corresponding process for, or uses a separate thread for, the change files of each file processing level.
In an embodiment of the present invention, preferably, when the first feature terminal creates different threads to process change files of different file processing levels, the thread handling change files of a high file processing level processes them faster than the thread handling change files of a low file processing level.
According to the embodiments of the present invention, the first feature server classifies the change files requested by the feature terminal according to their corresponding file processing levels and then sends the change files to the feature terminal separately by classification, and the feature terminal processes change files of different file processing levels in different ways. Change files with a high file processing level and change files with a low file processing level can thus be sent separately according to their file processing level, and files of different processing levels can be handled by different processing methods. When a large backlog of change files has accumulated, this prevents change files of a lower processing level from delaying the sending of change files of a higher processing level, and avoids the security risk to the terminal that arises when higher-level change files fail to reach it in time, making the process of changing file security effective, fast and reliable.
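The change-file distribution described above (time-based extraction, classification by processing level, one transmission path and one thread per level on the terminal), as an added Python example that is not part of the patent; the function and class names, the integer timestamps and the sample store are assumptions:

```python
"""Distribution of security change files by file processing level.

Added example, not code from the patent; every name here is an assumption.
The first feature server extracts change files by the time mark in the
terminal's acquisition request, classifies them by processing level and sends
each class over its own transmission path; the first feature terminal drains
each path on its own thread, so a backlog of low-level files cannot delay a
high-level correction.
"""
import queue
import threading
import time
from collections import defaultdict
from dataclasses import dataclass

LEVEL_HIGH = 1  # first file processing level: correction submitted at the first server
LEVEL_LOW = 2   # second file processing level: result obtained from the Internet server
NORMAL, DISABLED, UNKNOWN = "normal", "disabled", "unknown"  # the three security levels


@dataclass(frozen=True)
class ChangeFile:
    app_id: str        # unique identification of the application (constructed)
    new_security: str  # corrected security the terminal should store
    generated_at: int  # generation time as an integer timestamp (constructed)
    level: int         # file processing level carried by the file


def extract_change_files(store, time_mark, mode):
    """File extraction module. 'after': generated after the mark (first sub-module);
    'at_after': at the mark or later (second sub-module); 'at': exactly at the mark
    (third sub-module)."""
    tests = {"after": lambda t: t > time_mark, "at_after": lambda t: t >= time_mark,
             "at": lambda t: t == time_mark}
    if mode not in tests:
        raise ValueError(f"unknown extraction mode {mode!r}")
    return [f for f in store if tests[mode](f.generated_at)]


def classify_by_level(files):
    """File classification module: one list per level, oldest correction first."""
    groups = defaultdict(list)
    for f in files:
        groups[f.level].append(f)
    return {lvl: sorted(fs, key=lambda f: f.generated_at) for lvl, fs in sorted(groups.items())}


class Terminal:
    """First feature terminal: one receive path and one worker thread per level."""

    def __init__(self):
        self.security = {}                 # app_id -> stored security
        self.paths = {LEVEL_HIGH: queue.Queue(), LEVEL_LOW: queue.Queue()}
        self.order = []                    # (level, app_id) in the order applied
        self._lock = threading.Lock()

    def receive(self, level, files):
        """Transmission path for one level (a preset port, interface or folder)."""
        for f in files:
            self.paths[level].put(f)

    def _apply(self, f):
        if f.level == LEVEL_LOW:
            time.sleep(0.002)              # simulate the slower low-level processing
        with self._lock:
            self.security[f.app_id] = f.new_security
            self.order.append((f.level, f.app_id))

    def _worker(self, level):
        q = self.paths[level]
        while (f := q.get()) is not None:  # None is the stop marker
            self._apply(f)

    def process_all(self):
        """Run one worker per path until all are drained; return the stored security."""
        threads = [threading.Thread(target=self._worker, args=(lvl,)) for lvl in self.paths]
        for t in threads:
            t.start()
        for q in self.paths.values():
            q.put(None)
        for t in threads:
            t.join()
        return dict(self.security)


def deliver(store, time_mark, mode, terminal):
    """Server side of one acquisition request: extract, classify, send each class."""
    groups = classify_by_level(extract_change_files(store, time_mark, mode))
    for level, files in groups.items():
        terminal.receive(level, files)
    return {lvl: [f.app_id for f in fs] for lvl, fs in groups.items()}


# Constructed sample store: a high-level file at the mark, twenty low-level files, one fresh high-level file.
SAMPLE_STORE = (
    [ChangeFile("app-A", DISABLED, 100, LEVEL_HIGH)]
    + [ChangeFile(f"app-L{i:02d}", NORMAL, 110 + i, LEVEL_LOW) for i in range(1, 21)]
    + [ChangeFile("app-C", DISABLED, 140, LEVEL_HIGH)]
)
```

With the mark 100 and mode "after", the stale app-A file is not resent, and app-C is applied on the terminal before the low-level backlog has drained.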
As for the above apparatus embodiments for authenticating application security, since they are substantially similar to the method embodiments, their description is relatively brief; for relevant details, refer to the description of the method embodiments.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to one another.
Those skilled in the art will readily appreciate that any combination of the above embodiments is feasible, so any combination of the above embodiments is an embodiment of the present invention; due to space limitations, this specification does not describe them one by one.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the above description. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein can be implemented in a variety of programming languages, and that the above description of a specific language was made to disclose the best mode of the present invention.
In the specification provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline this disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and placed in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and they may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the apparatus for authenticating application security according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 9 shows a terminal device that can implement the method for authenticating application security according to the present invention. The terminal device conventionally includes a processor 910 and a program product or readable medium in the form of a memory 920. The memory 920 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM or ROM. The memory 920 has a storage space 930 for program code 931 configured to perform any of the method steps described above. For example, the storage space 930 for program code may include individual program codes 931 each configured to implement a step of the above methods. These program codes may be read from or written into one or more program products. These program products include program code carriers such as memory cards. Such a program product is typically a portable or fixed storage unit as described with reference to FIG. 10. The storage unit may have storage segments, storage space and the like arranged similarly to the memory 920 in the terminal device of FIG. 9. The program code may, for example, be compressed in an appropriate form. Typically, the storage unit includes readable code 931', i.e. code that can be read by a processor such as 910 and that, when run by the terminal device, causes the terminal device to perform the steps of the methods described above.
Reference herein to "one embodiment", "an embodiment" or "one or more embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Furthermore, note that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any order. These words may be interpreted as names.

Claims (56)

  1. A method for authenticating application security, comprising:
    receiving, by a first feature server, an authentication request from a first feature terminal for the security of an application;
    sending, to at least one second feature terminal, an acquisition request for an executable file corresponding to the application, the acquisition request carrying unique identification information of the application, wherein the executable file records the operation behavior of the application at runtime, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal based on an intranet;
    searching for the executable file corresponding to the application according to the unique identification information, and authenticating the security of the application according to the executable file.
  2. The method according to claim 1, wherein the unique identification information is a hash value of the executable file of the application, or digital certificate information uniquely identifying the publisher of the application.
  3. The method according to claim 1, wherein the authentication request carries the unique identification information of the application, and the first feature server is preset with a security authentication database containing correspondences between the unique identification information of applications and their security;
    before the step of sending, to at least one second feature terminal, an acquisition request for the executable file corresponding to the application, the method further comprises:
    determining, by the first feature server, that the unique identification information does not exist in the security authentication database, or that the security of the application found in the security authentication database according to the unique identification information is not "safe file".
  4. The method according to claim 1, wherein before the step of sending, to at least one second feature terminal, an acquisition request for the executable file corresponding to the application, the method further comprises:
    sending an acquisition request for the executable file corresponding to the application to the first feature terminal, and receiving a message fed back by the first feature terminal that the executable file does not exist.
  5. The method according to claim 1, wherein the step of authenticating the security of the application according to the executable file comprises:
    authenticating the security of the application by analyzing whether the operation behavior of the application at runtime, as recorded by the executable file, has a target behavior characteristic, the target behavior characteristic being a behavior characteristic of a virus file at runtime.
  6. The method according to claim 5, wherein the step of authenticating the security of the application by analyzing whether the operation behavior of the application at runtime, as recorded by the executable file, has a target behavior characteristic comprises:
    disassembling the executable file of the application to obtain the assembly source code corresponding to the application;
    analyzing whether the operation behavior of the assembly source code at runtime has a target behavior characteristic, the target behavior characteristic being a behavior characteristic of a virus file at runtime;
    if the operation behavior of the assembly source code at runtime has at least one target behavior characteristic, the security of the application is "dangerous file";
    if the operation behavior of the assembly source code at runtime has no target behavior characteristic, the security of the application is "safe file".
  7. The method according to claim 5, wherein the target behavior characteristic comprises connecting to an external network to send data, performing an operation that copies code multiple times, or accessing and overwriting a system file.
  8. The method according to claim 1, wherein the second feature terminal stores a correspondence between the unique identification information of the application and the storage path of the executable file on the second feature terminal, and the step of receiving the executable file corresponding to the application that the second feature terminal has found according to the unique identification information comprises:
    receiving the executable file that the second feature terminal extracts according to the storage path after determining the storage path from the unique identification information and the correspondence.
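The authentication flow of claims 1 to 8 as an added Python example, not the patent's code: the operation record standing in for the executable file, the intranet range, the system-file locations and the copy-count threshold are all assumptions.

```python
"""First feature server authentication flow of claims 1 to 8.

Added example, not the patent's code; all names are assumptions.  The
'executable file' is modelled as the record of runtime operations the patent
says it carries (a list of (operation, argument) pairs), so the analysis runs
over that record rather than over disassembled code.  The server consults its
security database, asks the first terminal for the file, then the second
terminals, and matches the record against the target behaviours of claim 7.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

SAFE, DANGEROUS, UNKNOWN = "safe file", "dangerous file", "unknown"
SYSTEM_DIRS = ("C:\\Windows\\", "/etc/", "/usr/bin/")  # assumption: system file locations
INTRANET = ipaddress.ip_network("10.0.0.0/8")          # assumption: the intranet range


def app_uid(executable_bytes):
    """Claim 2: unique identification information as a hash of the executable."""
    return hashlib.sha256(executable_bytes).hexdigest()


def _sends_to_external_network(ops):
    return any(op == "net_send" and ipaddress.ip_address(arg) not in INTRANET for op, arg in ops)


def _copies_code_repeatedly(ops, threshold=3):   # threshold is an assumption
    return sum(1 for op, _ in ops if op == "copy_code") >= threshold


def _overwrites_system_file(ops):
    return any(op == "write_file" and arg.startswith(SYSTEM_DIRS) for op, arg in ops)


# Target behaviour characteristics (claim 7), each a predicate over the whole record.
TARGET_BEHAVIOURS = {
    "external network send": _sends_to_external_network,
    "repeated code copy": _copies_code_repeatedly,
    "system file overwrite": _overwrites_system_file,
}


def analyse_behaviour(ops):
    """Claims 5 and 6: dangerous if any target characteristic matches, else safe."""
    hits = [name for name, pred in TARGET_BEHAVIOURS.items() if pred(ops)]
    return (DANGEROUS if hits else SAFE), hits


@dataclass
class Terminal:
    name: str
    paths: dict    # claim 8: unique id -> storage path of the executable on this terminal
    storage: dict  # storage path -> operation record standing in for the executable

    def fetch(self, uid):
        """Answer an acquisition request; None models the 'file does not exist' reply."""
        path = self.paths.get(uid)
        return None if path is None else self.storage[path]


class FirstFeatureServer:
    """Intranet server managing the first and second feature terminals (claim 1)."""

    def __init__(self, database):
        self.db = dict(database)  # claim 3: preset uid -> security database

    def authenticate(self, uid, first_terminal, second_terminals):
        """Return (security, where the verdict came from)."""
        if self.db.get(uid) == SAFE:
            return SAFE, "database"                # claim 3: known safe, nothing to fetch
        record, source = first_terminal.fetch(uid), first_terminal.name  # claim 4
        if record is None:
            for t in second_terminals:             # claim 1: then ask the second terminals
                record = t.fetch(uid)
                if record is not None:
                    source = t.name
                    break
        if record is None:
            return UNKNOWN, None                   # assumption: no terminal holds a copy
        verdict, _ = analyse_behaviour(record)
        self.db[uid] = verdict                     # remember the authenticated result
        return verdict, source


# Constructed sample data (203.0.113.9 is a documentation address, outside INTRANET).
UID_KNOWN, UID_GOOD, UID_BAD = (app_uid(b) for b in (b"editor-v1", b"reader-v2", b"worm-v3"))
RECORD_GOOD = [("read_file", "C:\\Users\\u\\notes.txt"), ("net_send", "10.0.0.5")]
RECORD_BAD = [("copy_code", "self"), ("copy_code", "self"), ("copy_code", "self"),
              ("net_send", "203.0.113.9"), ("write_file", "C:\\Windows\\System32\\drivers\\etc\\hosts")]
SAMPLE_DB = {UID_KNOWN: SAFE}
FIRST_TERMINAL = Terminal("t1", {UID_GOOD: "/opt/reader"}, {"/opt/reader": RECORD_GOOD})
SECOND_TERMINALS = [Terminal("t2", {UID_BAD: "/tmp/worm"}, {"/tmp/worm": RECORD_BAD})]
```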
  9. The method according to claim 1, further comprising:
    authenticating, by the first feature server, the security of an application of the first feature terminal, and delivering the authenticated security to the first feature terminal for storage, the first feature server being a server accessible to the first feature terminal via an intranet;
    receiving an acquisition request from the first feature terminal for a plurality of change files, a change file being used to correct the security of an application stored by the first feature terminal;
    extracting a plurality of change files according to the acquisition request, each change file carrying a corresponding file processing level;
    classifying the extracted change files according to their corresponding file processing levels, and sending the change files to the first feature terminal separately by classification, so that the first feature terminal processes change files of different file processing levels in different ways.
  10. The method according to claim 9, wherein the step of sending the change files to the first feature terminal separately by classification comprises:
    sending change files with different file processing levels to the first feature terminal over different transmission paths.
  11. The method according to claim 10, wherein the step of sending change files with different file processing levels to the first feature terminal over different transmission paths comprises:
    sending change files with different file processing levels to the first feature terminal through different preset ports or communication channels of the first feature server;
    or, sending change files with different file processing levels to the first feature terminal through different preset interfaces of the first feature terminal;
    or, sending change files with different file processing levels to different preset folders of the first feature terminal.
  12. The method according to claim 9, wherein the step of sending the change files to the first feature terminal separately by classification comprises:
    sorting the extracted change files according to their corresponding file processing levels, and extracting and sending the change files to the first feature terminal one by one in sorted order.
  13. The method according to claim 9, further comprising:
    generating, by the first feature server, the change files, the file processing level including a first file processing level and a second file processing level.
  14. The method according to claim 13, wherein the first file processing level is higher than the second file processing level, and when the change file carries the first processing level, the step of generating the change file by the first feature server comprises:
    receiving a corrected security for the application submitted at the first feature server, and generating, according to the corrected security, a change file that corrects the security authenticated by the first feature server and stored by the first feature terminal, the change file carrying the first file processing level.
  15. The method according to claim 13, wherein the first file processing level is higher than the second file processing level, and when the change file carries the second processing level, the step of generating the change file by the first feature server comprises:
    requesting, by the first feature server, a second feature server to authenticate the security of the application, the second feature server being a server located in the Internet and accessible via the Internet;
    generating, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and stored by the first feature terminal, the change file carrying the second file processing level.
  16. The method according to claim 13, wherein when the change file carries the second processing level, the step of generating the change file by the first feature server comprises:
    connecting, by the first feature server through the first feature terminal, to the second feature server to have the security of the application authenticated, the second feature server being a server located in the Internet and accessible via the Internet;
    generating, according to the security authenticated by the second feature server, a change file that corrects the security authenticated by the first feature server and stored by the first feature terminal, the change file carrying the second file processing level.
  17. The method according to claim 9 or 13, wherein the step of the first feature terminal processing change files of different file processing levels in different ways comprises:
    creating, by the first feature terminal, a corresponding process for, or using a separate thread for, the change files of each file processing level.
  18. The method according to claim 17, wherein when the first feature terminal creates different threads to process change files of different file processing levels, the thread handling change files of a high file processing level processes them faster than the thread handling change files of a low file processing level.
  19. 如权利要求9所述的方法,所述获取请求是根据所述第一特征终端已存在的变更文件生成的,所述按照获取请求提取多个变更文件的步骤包括:The method of claim 9, wherein the obtaining request is generated according to the change file that the first feature terminal already exists, and the step of extracting the plurality of change files according to the obtaining request comprises:
    按照所述获取请求提取生成时间在所述第一特征终端已存在的变更文件的生成时间之后的变更文件。A change file after the generation time of the change file existing in the first feature terminal is generated according to the acquisition request.
  20. 如权利要求19所述的方法,所述获取请求携带时间信息,所述时间信息用于标志最近的变更文件的生成时间,所述最近的变更文件为所述第一特征终端已存在的变更文件中生成时间距离当前时间最近的变更文件;The method of claim 19, wherein the acquisition request carries time information, the time information is used to mark a generation time of a recent change file, and the latest change file is a change file that the first feature terminal already exists. Generate a change file whose time is closest to the current time;
    所述按照获取请求提取生成时间在第一特征终端已存在的变更文件的生成时间之后的变更文件的步骤包括:The step of extracting the change file after the generation time of the change file that has existed at the first feature terminal according to the acquisition request includes:
    提取生成时间在所述获取请求携带的时间信息所标志的生成时间之后的变更文件。The change file whose generation time is after the generation time indicated by the time information carried by the acquisition request is extracted.
  21. 如权利要求19所述的方法,所述获取请求携带时间信息,所述时间信息用于标志所述第一特征终端不存在且所述第一特征服务端存在的某个变更文件的生成时间, 所述时间信息通过向所述第一服务端请求的变更文件清单与所述第一特征终端本地的变更文件进行对比得到;The method of claim 19, wherein the obtaining request carries time information, and the time information is used to indicate that the first feature terminal does not exist and the generation time of a certain change file existing by the first feature server is The time information is obtained by comparing a change file list requested by the first server with a change file local to the first feature terminal;
    所述按照获取请求提取生成时间在第一特征终端已存在的变更文件的生成时间之后的变更文件的步骤包括:The step of extracting the change file after the generation time of the change file that has existed at the first feature terminal according to the acquisition request includes:
    提取生成时间为所述获取请求携带的时间信息所标志的生成时间,以及生成时间在所述获取请求携带的时间信息所标志的生成时间之后的变更文件。Extracting the generation time indicated by the time information carried by the acquisition request, and generating a change file after the generation time indicated by the time information carried by the acquisition request.
  22. 如权利要求19所述的方法,所述获取请求携带时间信息,所述时间信息用于标志所述第一特征终端不存在且所述第一特征服务端存在的至少一个变更文件的生成时间,所述时间信息通过对比向所述第一特征服务端请求的变更文件清单与所述第一特征终端本地的变更文件得到;The method of claim 19, the obtaining request carrying time information, the time information is used to mark a generation time of the at least one change file that the first feature terminal does not exist and the first feature server exists, The time information is obtained by comparing a change file list requested to the first feature server with a change file local to the first feature terminal;
    所述按照获取请求提取生成时间在第一特征终端已存在的变更文件的生成时间之后的变更文件的步骤包括:The step of extracting the change file after the generation time of the change file that has existed at the first feature terminal according to the acquisition request includes:
    提取生成时间为所述获取请求携带的时间信息所标志的生成时间的变更文件。The change file whose generation time is the generation time indicated by the time information carried in the acquisition request is extracted.
  23. 如权利要求9所述的方法,所述应用程序的安全性包括正常、禁用和未知三种级别。The method of claim 9 wherein the security of the application comprises three levels of normal, disabled, and unknown.
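The change-file distribution of claims 9 to 23 (mirrored by apparatus claims 36 to 50) as an added worked example in Python. This is illustrative code written for this page, not code from the patent or its applicant. Assumptions made here that the claims do not fix: generation times are integer counters, the two processing levels of claim 13 are the integers 1 (first, higher) and 2 (second), the "different threads" of claim 17 are modelled as per-level queues drained higher level first, and a change file of the lower level never overwrites a rating set by one of the higher level for the same application.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed encoding of the two levels of claim 13; the claims only say the first is higher.
LEVEL_FIRST = 1    # rating corrected by hand at the intranet server (claim 14)
LEVEL_SECOND = 2   # rating obtained from the Internet-side server (claims 15 and 16)

SECURITY_RATINGS = ("normal", "disabled", "unknown")   # claim 23


@dataclass(frozen=True)
class ChangeFile:
    generated_at: int   # generation time; an integer counter stands in for a timestamp
    level: int          # file processing level carried by the change file
    app_id: str         # unique identifier of the application
    rating: str         # corrected security rating for app_id


class FirstFeatureServer:
    """Intranet-side server: generates change files and serves them on request."""

    def __init__(self) -> None:
        self.changes: List[ChangeFile] = []

    def _add(self, generated_at: int, level: int, app_id: str, rating: str) -> ChangeFile:
        if rating not in SECURITY_RATINGS:
            raise ValueError(f"unknown rating {rating!r}")
        cf = ChangeFile(generated_at, level, app_id, rating)
        self.changes.append(cf)
        return cf

    def submit_correction(self, generated_at: int, app_id: str, rating: str) -> ChangeFile:
        """Claim 14: a rating corrected at the intranet server becomes a first-level change file."""
        return self._add(generated_at, LEVEL_FIRST, app_id, rating)

    def import_cloud_rating(self, generated_at: int, app_id: str, rating: str) -> ChangeFile:
        """Claims 15/16: a rating from the Internet-side server becomes a second-level change file."""
        return self._add(generated_at, LEVEL_SECOND, app_id, rating)

    def extract(self, time_info: Optional[int], mode: str = "after") -> List[ChangeFile]:
        """Claims 19 to 22: select change files relative to the time carried in the request.
        "after": strictly later than time_info (claim 20); "from": at or later (claim 21);
        "exact": equal (claim 22). None means the terminal holds no change file yet."""
        if time_info is None:
            return list(self.changes)
        keep = {"after": lambda t: t > time_info,
                "from": lambda t: t >= time_info,
                "exact": lambda t: t == time_info}[mode]
        return [c for c in self.changes if keep(c.generated_at)]

    @staticmethod
    def classify(files: List[ChangeFile]) -> Dict[int, List[ChangeFile]]:
        """Claims 9 and 12: group by level, higher level (smaller number) first,
        keeping generation order inside each level."""
        grouped: Dict[int, List[ChangeFile]] = {}
        for cf in sorted(files, key=lambda c: (c.level, c.generated_at)):
            grouped.setdefault(cf.level, []).append(cf)
        return grouped


class FirstFeatureTerminal:
    """Endpoint that stores the ratings and applies change files level by level."""

    def __init__(self) -> None:
        self.ratings: Dict[str, str] = {}
        self.rating_level: Dict[str, int] = {}     # level of the change that set each rating
        self.latest_generated_at: Optional[int] = None

    def build_request(self) -> Optional[int]:
        """Claim 20: the request carries the generation time of the newest local change file."""
        return self.latest_generated_at

    def apply(self, grouped: Dict[int, List[ChangeFile]]) -> List[ChangeFile]:
        """Claims 17/18: one worker per level, higher level served first. The separate threads
        are modelled as per-level queues drained in level order, so a manual correction is never
        queued behind a batch of cloud updates. Assumption not in the claims: a lower-level
        change does not overwrite a rating set by a higher-level change for the same app."""
        applied: List[ChangeFile] = []
        for level in sorted(grouped):
            for cf in grouped[level]:
                if self.latest_generated_at is None or cf.generated_at > self.latest_generated_at:
                    self.latest_generated_at = cf.generated_at
                prev = self.rating_level.get(cf.app_id)
                if prev is not None and prev < cf.level:
                    continue    # keep the higher-level rating already stored
                self.ratings[cf.app_id] = cf.rating
                self.rating_level[cf.app_id] = cf.level
                applied.append(cf)
        return applied


def sync_once(server: FirstFeatureServer, terminal: FirstFeatureTerminal,
              mode: str = "after") -> List[ChangeFile]:
    """One round trip: the terminal asks, the server extracts and classifies, the terminal
    applies. Returns the change files that were actually applied."""
    files = server.extract(terminal.build_request(), mode)
    return terminal.apply(server.classify(files))
```

The three `extract` modes correspond to claims 20, 21 and 22. The last assumption in the lead-in is the caveat a practitioner will want: the claims order the two levels only for processing latency and say nothing about which rating wins when a hand-entered correction and a cloud verdict for the same application arrive in one batch; without the precedence check in `apply`, the cloud verdict generated later would silently undo the correction.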
  24. A method for assessing application security, comprising:
    a second feature terminal receiving an acquisition request for the executable file corresponding to an application, sent by a first feature server after the first feature server has received a request from a first feature terminal to assess the security of the application, the acquisition request carrying the unique identifier of the application, wherein the executable file records the operating behaviour of the application at run time, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal over an intranet;
    looking up locally, by the unique identifier, the executable file corresponding to the application, and sending the executable file to the first feature server so that the security of the application can be assessed from the executable file.
  25. The method of claim 24, wherein the unique identifier is a hash of the application's executable file, or digital certificate information that uniquely identifies the publisher of the application.
  26. The method of claim 24, wherein the second feature terminal stores a mapping between the unique identifier of the application and the path at which the executable file is saved on the second feature terminal, and the step of looking up locally the executable file corresponding to the application by the unique identifier comprises:
    determining, from the unique identifier and the mapping, the path at which the executable file is saved on the second feature terminal;
    extracting the executable file corresponding to the application from that path.
  27. The method of claim 24, wherein before the step of sending the executable file to the first feature server, the method further comprises:
    sending a query request for the executable file to the first feature server;
    receiving from the first feature server a message indicating that it has not received the executable file from any other second feature terminal.
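An added example of the executable retrieval of claims 24 to 27 (mirrored by apparatus claims 28, 31, 35 and 51 to 54), written for this page rather than taken from the patent. It assumes SHA-256 as the hash of claim 25, in-memory dictionaries standing in for the terminals' disks and for the path mapping of claim 26, and it adds one check the claims do not state: the first feature server re-hashes what it receives and rejects a file that does not match the identifier it asked for.

```python
import hashlib
from typing import Dict, List, Optional


def unique_id(content: bytes) -> str:
    """Claim 25 allows 'a hash of the executable'; SHA-256 is this example's choice."""
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for executable files (assumption: real PE files would be used).
ACME = b"MZ\x90\x00 constructed stand-in for acme.exe build 17"
TOOL = b"MZ\x90\x00 constructed stand-in for tool.exe"


class FirstFeatureServer:
    """Intranet server that needs the executable behind an identifier it cannot rate."""

    def __init__(self) -> None:
        self.received: Dict[str, bytes] = {}   # unique id -> executable content
        self.uploads: List[str] = []           # which terminals actually uploaded

    def already_received(self, uid: str) -> bool:
        """Claim 27: answer a terminal's query before it uploads."""
        return uid in self.received

    def receive_executable(self, source: str, uid: str, content: bytes) -> None:
        # Check added here, not in the claims: with a hash identifier the server can verify
        # that what arrived is the file it asked for. A terminal returning a different
        # binary would otherwise feed the wrong file into the behaviour analysis.
        if unique_id(content) != uid:
            raise ValueError(f"{source} returned a file whose hash does not match {uid[:12]}")
        self.received[uid] = content
        self.uploads.append(source)

    def fetch_executable(self, uid: str,
                         terminals: List["SecondFeatureTerminal"]) -> Optional[bytes]:
        """Claim 24: ask each second feature terminal; the first that has the file uploads it."""
        for t in terminals:
            t.handle_request(self, uid)
        return self.received.get(uid)


class SecondFeatureTerminal:
    """Another intranet endpoint that may hold a copy of the executable."""

    def __init__(self, name: str, files: Dict[str, bytes]) -> None:
        self.name = name
        self.files = files                                          # path -> content
        self.index = {unique_id(c): p for p, c in files.items()}    # claim 26: id -> path

    def handle_request(self, server: FirstFeatureServer, uid: str) -> Optional[str]:
        path = self.index.get(uid)
        if path is None:
            return None                     # not present on this terminal
        if server.already_received(uid):
            return None                     # claim 27: another terminal already uploaded it
        content = self.files.get(path)
        if content is None or unique_id(content) != uid:
            del self.index[uid]             # mapping went stale (file replaced or removed)
            return None
        server.receive_executable(self.name, uid, content)
        return path


if __name__ == "__main__":
    server = FirstFeatureServer()
    pcs = [SecondFeatureTerminal("pc-01", {r"C:\Program Files\Acme\acme.exe": ACME}),
           SecondFeatureTerminal("pc-02", {r"D:\apps\acme.exe": ACME, r"D:\apps\tool.exe": TOOL})]
    print(server.fetch_executable(unique_id(ACME), pcs) == ACME, server.uploads)
```

The hash check only works for the hash form of the identifier. When the identifier is the publisher's certificate (the second option of claim 25) many different binaries share it, so the server should instead verify the signature of the received file against that certificate, which this example does not implement. The stale-mapping branch covers a terminal whose index was built before the file on disk was replaced: it drops the entry rather than uploading the wrong file.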
  28. An apparatus for assessing application security, comprising:
    a program assessment request module, configured for a first feature server to receive a request from a first feature terminal to assess the security of an application;
    a first executable file request module, configured to send to at least one second feature terminal an acquisition request for the executable file corresponding to the application, the acquisition request carrying the unique identifier of the application, wherein the executable file records the operating behaviour of the application at run time, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal over an intranet;
    an executable file receiving module, configured to obtain the executable file corresponding to the application by the unique identifier;
    a first security assessment module, configured to assess the security of the application from the executable file.
  29. The apparatus of claim 28, wherein the unique identifier is a hash of the application's executable file, or digital certificate information that uniquely identifies the publisher of the application.
  30. The apparatus of claim 28, wherein the assessment request carries the unique identifier of the application, and the first feature server is preloaded with a security assessment database holding the mapping between unique identifiers of applications and their security ratings;
    the apparatus further comprising:
    a second security assessment module, configured for the first feature server to determine that the unique identifier is absent from the security assessment database, or that the security rating found for the application in the security assessment database by the unique identifier is not "safe file".
  31. The apparatus of claim 28, further comprising:
    a second executable file request module, configured to send to the first feature terminal an acquisition request for the executable file corresponding to the application, and to receive from the first feature terminal a message that the executable file is not present there.
  32. The apparatus of claim 29, wherein the first security assessment module is specifically configured to assess the security of the application by analysing whether the run-time operating behaviour of the application recorded in the executable file exhibits target behaviour features, the target behaviour features being the run-time behaviour features of virus files.
  33. The apparatus of claim 32, wherein the first security assessment module is configured to:
    disassemble the executable file of the application to obtain the assembly source corresponding to the application;
    analyse whether the run-time operating behaviour of the assembly source exhibits target behaviour features, the target behaviour features being the run-time behaviour features of virus files;
    if the run-time operating behaviour of the assembly source exhibits at least one target behaviour feature, rate the security of the application as "dangerous file";
    if the run-time operating behaviour of the assembly source exhibits no target behaviour feature, rate the security of the application as "safe file".
  34. The apparatus of claim 32, wherein the target behaviour features include connecting to an external network to send data, performing repeated code-copying operations, or accessing and overwriting system files.
  35. The apparatus of claim 28, wherein the second feature terminal stores a mapping between the unique identifier of the application and the path at which the executable file is saved on the second feature terminal;
    the executable file receiving module being specifically configured to receive the executable file that the second feature terminal extracted from the save path it determined from the unique identifier and the mapping.
  36. The apparatus of claim 28, further comprising:
    a security assessment module, configured for the first feature server to assess the security of the applications on the first feature terminal and to deliver the assessed security ratings to the first feature terminal for storage, the first feature server being a server reachable by the first feature terminal over the intranet;
    a change acquisition request module, configured to receive from the first feature terminal an acquisition request for a plurality of change files, a change file being used to correct the security rating of an application stored on the first feature terminal;
    a file extraction module, configured to extract a plurality of change files according to the acquisition request, each change file carrying a corresponding file processing level;
    a file classification module, configured to classify the extracted change files by their file processing levels;
    a file sending module, configured to send the change files to the first feature terminal according to the classification, so that the first feature terminal processes change files of different file processing levels in different ways.
  37. The apparatus of claim 36, wherein the file sending module is specifically configured to send change files having different file processing levels to the first feature terminal over different transmission paths.
  38. The apparatus of claim 37, wherein the file sending module comprises:
    a first sending sub-module, configured to send change files having different file processing levels to the first feature terminal through different preset ports or communication channels of the first feature server;
    or, a second sending sub-module, configured to send change files having different file processing levels to the first feature terminal through different preset interfaces of the first feature terminal;
    or, a third sending sub-module, configured to send change files having different file processing levels to different preset folders on the first feature terminal.
  39. The apparatus of claim 36, wherein the file sending module is specifically configured to sort the extracted change files by their file processing levels, and to extract the change files one by one in that order and send them to the first feature terminal.
  40. The apparatus of claim 36, further comprising:
    a change file generation module, configured for the first feature server to generate the change files, the file processing levels including a first file processing level and a second file processing level.
  41. The apparatus of claim 40, wherein the first file processing level is higher than the second file processing level, and when a change file carries the first processing level the change file generation module comprises:
    a security rating receiving module, configured to receive a corrected security rating for the application submitted at the first feature server;
    a first file generation sub-module, configured to generate, according to the corrected security rating, a change file that corrects the security rating assessed by the first feature server and stored on the first feature terminal, the change file carrying the first file processing level.
  42. The apparatus of claim 40, wherein the first file processing level is higher than the second file processing level, and when a change file carries the second processing level the change file generation module comprises:
    a first assessment request sub-module, configured for the first feature server to request a second feature server to assess the security of the application, the second feature server being a server deployed on the Internet and reachable over the Internet;
    a second file generation sub-module, configured to generate, according to the security rating assessed by the second feature server, a change file that corrects the security rating assessed by the first feature server and stored on the first feature terminal, the change file carrying the second file processing level.
  43. The apparatus of claim 40, wherein when a change file carries the second processing level the change file generation module comprises:
    a second assessment request sub-module, configured for the first feature server to connect, through the first feature terminal, to the second feature server to have the security of the application assessed, the second feature server being a server deployed on the Internet and reachable over the Internet;
    a third file generation sub-module, configured to generate, according to the security rating assessed by the second feature server, a change file that corrects the security rating assessed by the first feature server and stored on the first feature terminal, the change file carrying the second file processing level.
  44. The apparatus of claim 36 or 40, wherein the file sending module is specifically configured to send the change files to the first feature terminal according to the classification, so that the first feature terminal creates a separate process for the change files of each file processing level or processes them with separate threads.
  45. The apparatus of claim 44, wherein when the first feature terminal creates different threads to process change files of different file processing levels, the thread handling the change files of a higher file processing level runs at a higher processing speed than the thread handling the change files of a lower file processing level.
  46. The apparatus of claim 36, wherein the file extraction module is specifically configured to extract, according to the acquisition request, the change files whose generation time is later than the generation time of the change files already present on the first feature terminal.
  47. The apparatus of claim 46, wherein the acquisition request carries time information marking the generation time of the most recent change file, the most recent change file being the one, among the change files already present on the first feature terminal, whose generation time is closest to the current time;
    the file extraction module comprising:
    a first extraction sub-module, configured to extract the change files whose generation time is later than the generation time marked by the time information carried in the acquisition request.
  48. The apparatus of claim 46, wherein the acquisition request carries time information marking the generation time of a change file that exists on the first feature server but not on the first feature terminal, the time information being obtained by comparing a change file list requested from the first feature server with the change files held locally by the first feature terminal;
    the file extraction module comprising:
    a second extraction sub-module, configured to extract the change file whose generation time equals the generation time marked by the time information carried in the acquisition request, together with the change files whose generation time is later than that generation time.
  49. The apparatus of claim 46, wherein the acquisition request carries time information marking the generation time of at least one change file that exists on the first feature server but not on the first feature terminal, the time information being obtained by comparing a change file list requested from the first feature server with the change files held locally by the first feature terminal;
    the file extraction module comprising:
    a third extraction sub-module, configured to extract the change file or files whose generation time equals the generation time marked by the time information carried in the acquisition request.
  50. The apparatus of claim 36, wherein the security rating of the application is one of three levels: normal, disabled, and unknown.
  51. An apparatus for assessing application security, comprising:
    an acquisition request receiving module, configured for a second feature terminal to receive an acquisition request for the executable file corresponding to an application, sent by a first feature server after the first feature server has received a request from a first feature terminal to assess the security of the application, the acquisition request carrying the unique identifier of the application, wherein the executable file records the operating behaviour of the application at run time, and the first feature server is a server that performs security management of the first feature terminal and the second feature terminal over an intranet;
    an executable file lookup module, configured to look up locally, by the unique identifier, the executable file corresponding to the application, and to send the executable file to the first feature server so that the security of the application can be assessed from the executable file.
  52. The apparatus of claim 51, wherein the unique identifier is a hash of the application's executable file, or digital certificate information that uniquely identifies the publisher of the application.
  53. The apparatus of claim 51, wherein the second feature terminal stores a mapping between the unique identifier of the application and the path at which the executable file is saved on the second feature terminal, and the executable file lookup module comprises:
    a path determination sub-module, configured to determine, from the unique identifier and the mapping, the path at which the executable file is saved on the second feature terminal;
    an executable file extraction sub-module, configured to extract the executable file corresponding to the application from that path.
  54. The apparatus of claim 51, further comprising:
    a query request sending module, configured to send a query request for the executable file to the first feature server;
    a message receiving module, configured to receive from the first feature server a message indicating that it has not received the executable file from any other second feature terminal.
  55. A program comprising readable code which, when run on a terminal device, causes the terminal device to perform the method for assessing application security of any one of claims 1 to 27.
  56. A readable medium storing the program of claim 55.
Applications Claiming Priority (4)

Application Number | Priority Date | Filing Date | Title
CN201410051841.5 | 2014-02-14 | |
CN201410051841.5A / CN104850775B | 2014-02-14 | 2014-02-14 | A kind of identification method and device of applications security
CN201410076768.7A / CN104899515B | 2014-03-04 | 2014-03-04 | A kind of variation and device of applications security
CN201410076768.7 | 2014-03-04 | |

Publications (1)

Publication Number | Publication Date
WO2015120756A1 | 2015-08-20

Family

ID=53799579

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2015/070361 (WO2015120756A1) | Method and device for identifying security of application process | 2014-02-14 | 2015-01-08

Country Status (1)

Country | Link
WO | WO2015120756A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN106096452A * | 2016-06-24 | 2016-11-09 | 贵州万臻时代通讯技术有限公司 | The theft preventing method of a kind of terminal mirror image backup and device
CN113726845A * | 2021-07-14 | 2021-11-30 | 深圳市有为信息技术发展有限公司 | Data transmission method and device of vehicle-mounted terminal, vehicle-mounted terminal and commercial vehicle
CN114844662A * | 2022-03-01 | 2022-08-02 | 天翼安全科技有限公司 | Network security policy management method, device and equipment
CN114844662B * | 2022-03-01 | 2024-03-12 | 天翼安全科技有限公司 | Network security policy management method, device and equipment

Patent Citations (2)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN1900941A * | 2006-04-28 | 2007-01-24 | 傅玉生 | Computer safety protective method based on software identity identifying technology
CN102082802A * | 2011-03-01 | 2011-06-01 | 陈彪 | Behavior-based mobile terminal security protection system and method

Legal Events

Date | Code | Title | Description
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15748548; Country of ref document: EP; Kind code of ref document: A1
 | NENP | Non-entry into the national phase | Ref country code: DE
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 15748548; Country of ref document: EP; Kind code of ref document: A1