CN105791250B - Application detection method and device - Google Patents

Application detection method and device

Info

Publication number: CN105791250B
Authority: CN (China)
Prior art keywords: program, application, running, server, list
Prior art date:
Legal status: Active (Google notes that the legal status is an assumption and not a legal conclusion)
Application number: CN201410831931.6A
Other languages: Chinese (zh)
Other versions: CN105791250A
Inventors: 张晓霖, 何博, 张聪, 王亮
Current assignee: 360 Technology Group Co Ltd (Google notes that the listed assignees may be inaccurate)
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201410831931.6A; publication of CN105791250A; application granted; publication of CN105791250B; legal status active; anticipated expiration


Abstract

The invention discloses an application detection method and device. The method comprises: when an application belonging to the whitelist runs, acquiring the program feature of the application; acquiring, according to the program feature, the run list of the application corresponding to that feature; and monitoring, according to the run list, the running of the application corresponding to that feature. The application detection method of the embodiments can effectively monitor the running of whitelisted applications, thereby ensuring that programs run securely on the client and that the client itself is secure.

Description

Translated from Chinese
Application detection method and device

Technical field

The present invention relates to network security technology, and in particular to an application detection method and device.

Background

Traditional anti-malware relies mainly on a signature database. The database is made up of signatures of the malicious samples the vendor has collected; a signature is a fragment of program code, comparable to a "search keyword", that an analyst cuts out at the point where the malicious program differs from legitimate software. During a scan the engine reads each file and matches it against every signature "keyword" in the database; if the file's code is hit, the file is judged to be a malicious program.

Later, local heuristic scanning was derived from this. It is a dynamic analyser or decompiler implemented in a particular way, which decompiles the relevant instruction sequences and step by step works out the real intent hidden in them. Malicious and normal programs differ in many ways. For example, the first instructions of an ordinary application usually check whether the command line carries arguments, clear the screen and save the previous screen contents, whereas the first instructions of a malicious program are usually direct disk writes, decoding routines, or a search for executables under some path. A skilled programmer sees such differences at a glance in a debugger; heuristic code scanning is that experience and knowledge transplanted into a concrete anti-virus program.

However, both of the above approaches are based on malicious behaviour and/or malicious characteristics: a program is first judged to be malicious, and only then is it decided whether to kill or clean it. This inevitably leads to the following drawbacks.

First, the number of malicious programs grows geometrically. Against that explosive growth the generation and updating of the signature database always lags behind, and the addition of signatures to it cannot keep up with the endless stream of unknown malicious programs.

Second, malware authors increasingly apply evasion techniques, packing the malicious program or altering its signature, and many Trojans mutate automatically, more often and faster. All of this makes it ever harder to judge a program by malicious behaviour and/or malicious characteristics, so that more malicious programs end up classified as whitelisted and then cause damage on the device or client.

In view of this, how to ensure that every program on the whitelist runs safely has become a technical problem that currently needs to be solved.

Summary of the invention

Addressing the defects of the prior art, the present invention provides an application detection method and device. The method can effectively ensure that the whitelisted applications on a client run safely, and thereby ensure the security of the client.

In a first aspect, the present invention provides an application detection device, comprising:

a program feature acquisition unit, for acquiring the program feature of an application belonging to the whitelist when that application runs;

a run list acquisition unit, for acquiring, according to the program feature, the run list of the application corresponding to the program feature;

a monitoring unit, for monitoring, according to the run list, the running of the application corresponding to the program feature.

Optionally, the run list acquisition unit is specifically for:

sending the program feature acquired by the program feature acquisition unit to a server, so that the server determines, according to preset rules, the run list of the application corresponding to the program feature;

receiving the run list of the application sent by the server.

Optionally, the run list acquisition unit is specifically for:

sending the acquired program feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and determines, according to the rule found, the run list of the application corresponding to the program feature.

Optionally, the run list acquisition unit is specifically for:

sending the acquired program feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and determines, according to the rule found, the run list of the application corresponding to the program feature and the risk level of the client.

Optionally, the run list acquisition unit is specifically for:

receiving the run list of the application and the risk level of the client sent by the server;

and the monitoring unit is specifically for:

monitoring the running of the application corresponding to the program feature using the detection rules corresponding to the client's risk level together with the run list.

Optionally, the monitoring unit is specifically for:

intercepting a running behaviour of the application corresponding to the program feature when that behaviour is observed to belong to the run list;

or,

when a running behaviour of the application corresponding to the program feature is observed to belong to the run list, sending information about that behaviour to the server, so that the server judges according to a statistical rule whether the application is allowed to continue running;

receiving the judgement result sent by the server and handling the application according to that result;

wherein the run list comprises information on at least one running behaviour of the application that is to be intercepted;

and the statistical rule is derived from statistics on that application's running behaviour across multiple clients.

In a second aspect, the present invention also provides an application detection method, comprising:

when an application belonging to the whitelist runs, acquiring the program feature of the application;

acquiring, according to the program feature, the run list of the application corresponding to the program feature;

monitoring, according to the run list, the running of the application corresponding to the program feature.

Optionally, acquiring, according to the program feature, the run list of the application corresponding to the program feature comprises:

sending the acquired program feature of the application to a server, so that the server determines, according to preset rules, the run list of the application corresponding to the program feature;

and before the running of the application corresponding to the program feature is monitored according to the run list, the method further comprises:

receiving the run list of the application sent by the server.

Optionally, acquiring, according to the program feature, the run list of the application corresponding to the program feature comprises:

sending the acquired program feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and determines, according to the rule found, the run list of the application corresponding to the program feature.

Optionally, acquiring, according to the program feature, the run list of the application corresponding to the program feature comprises:

sending the acquired program feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and determines, according to the rule found, the run list of the application corresponding to the program feature and the risk level of the client.

Optionally, the method further comprises the following:

receiving the run list of the application sent by the server comprises:

receiving the run list of the application and the risk level of the client sent by the server;

and correspondingly, monitoring, according to the run list, the running of the application corresponding to the program feature comprises:

monitoring the running of the application corresponding to the program feature using the detection rules corresponding to the client's risk level together with the run list.

Optionally, monitoring, according to the run list, the running of the application corresponding to the program feature comprises:

the run list comprising information on at least one running behaviour of the application that is to be intercepted;

intercepting a running behaviour of the application corresponding to the program feature when that behaviour is observed to belong to the run list;

or,

when a running behaviour of the application corresponding to the program feature is observed to belong to the run list, sending information about that behaviour to the server, so that the server judges according to a statistical rule whether the application is allowed to continue running;

receiving the judgement result sent by the server and handling the application according to that result;

the statistical rule being derived from statistics on that application's running behaviour across multiple clients.

As the above technical solution shows, the application detection method and device provided by the present invention monitor the whitelisted applications on a client. For example, the program feature of a whitelisted application is acquired when it runs and sent to the server; the server determines, according to preset rules, whether the application corresponding to that feature on this client has a run list of running behaviours that need to be intercepted and, if so, sends the run list to the client; the client then monitors the running of the currently whitelisted application according to that run list. This ensures that programs run securely on the client, and hence that the client is secure.

Description of drawings

FIG. 1 is a schematic flowchart of an application detection method provided by an embodiment of the present invention;

FIG. 2 is a schematic flowchart of an application detection method provided by another embodiment of the present invention;

FIG. 3 is a schematic structural diagram of an application detection device provided by an embodiment of the present invention.

Detailed description

The specific embodiments of the invention are further described below with reference to the accompanying drawings. The following embodiments are only intended to illustrate the technical solution of the present invention more clearly and do not limit its scope of protection.

FIG. 1 shows a schematic flowchart of an application detection method provided by an embodiment of the present invention. As shown in FIG. 1, the application detection method of this embodiment is as follows.

101. When an application belonging to the whitelist runs, acquire the program feature of the application.

Generally, of the applications downloaded to a client, some are whitelisted, some are blacklisted, and some are greylisted. In practice, if an application downloaded to the client and about to run is blacklisted it is killed outright; if it is greylisted it is intercepted; if it is whitelisted it is released directly, that is, every operation of the whitelisted application is allowed to run. However, because malicious programs proliferate so quickly, and for other reasons, an application that is actually malicious may be placed on the whitelist. The running of whitelisted applications therefore needs further monitoring.

In this embodiment, each application on the client can be distinguished by its MD5 value.

It will be understood that MD5 "compresses" a large body of information into a fixed-length digest before it is signed with a private key by digital-signature software (that is, it maps a byte string of arbitrary length to a hexadecimal string of fixed length). The typical use of MD5 is to produce a message digest (Message-Digest) for a message so that tampering can be detected.

MD5 produces such a "digital fingerprint" for any file, whatever its size, format or number; if anyone alters the file in any way, its MD5 value, that is, its fingerprint, changes. The fingerprint is only as strong as the hash's collision resistance, however: MD5 collisions are practical today, so two different files can be crafted to share one MD5 value, and a whitelist keyed on MD5 alone can be abused by getting a benign file whitelisted that collides with a malicious one.

In other words, the MD5 value, obtained by the MD5 (Message-Digest Algorithm 5) computation, can serve as the program feature of each program, that is, the static feature of the application. The program feature may also be another code that uniquely identifies the program, such as a SHA-1 or CRC code; this embodiment does not limit it. (SHA-1 collisions are likewise practical and a CRC is a checksum with no collision resistance at all, so in current practice a SHA-256 value is the appropriate choice for this purpose.)

102. Acquire, according to the program feature, the run list of the application corresponding to the program feature.

Specifically, the acquired program feature of the application is sent to a server, so that the server determines, according to preset rules, the run list of the application corresponding to the program feature.

The server may be a cloud server.

That is, the cloud server can dynamically maintain rules for all kinds of applications, based on statistics, and can determine whether the running behaviour of these applications affects the security of the client; for this purpose a run list can be established for each whitelisted application on each client. The preset rules on the cloud server may be interception rules, defence rules, data-processing rules, and so on.

For example, the run list may comprise information on at least one running behaviour of the application that is to be intercepted. This ensures that the application runs safely on the client.

The run list of the application sent by the cloud server is received.

103. Monitor, according to the run list, the running of the application corresponding to the program feature.

For example, when a running behaviour of the application corresponding to the MD5 value is observed to belong to the run list, that running behaviour is intercepted;

or, in other embodiments, step 103 may specifically be: when a running behaviour of the application corresponding to the MD5 value is observed to belong to the run list, information about that behaviour is sent to the cloud server, so that the cloud server judges according to a statistical rule whether the application is allowed to continue running;

the judgement result sent by the cloud server is received and the application is handled according to that result;

the statistical rule being derived from statistics on that application's running behaviour across multiple clients.

The application detection method of this embodiment monitors the whitelisted applications on the client. For example, the program feature of a whitelisted application is acquired when it runs and sent to the cloud server; the cloud server determines, according to preset rules, whether the application corresponding to that feature on this client has a run list of running behaviours that need to be intercepted and, if so, sends the run list to the client; the client then monitors the running of the currently whitelisted application according to that run list. This ensures that programs run securely on the client, and hence that the client is secure.

FIG. 2 shows a schematic flowchart of an application detection method provided by an embodiment of the present invention. As shown in FIG. 2, the application detection method of this embodiment is as follows.

201. Determine the applications that belong to the whitelist.

For example, the client may periodically collect legitimate programs, identify the program features and/or program behaviours of those legitimate programs, and store the program features and/or program behaviours to generate the whitelist.

Specifically, a whitelist of legitimate programs is established in the database of the cloud server. The client collects the program features and/or program behaviours of a program and sends them to the cloud server for a query; the cloud server analyses and compares the program features and/or program behaviours against the whitelist, reaches a determination about the program from the comparison result and returns it to the client. For example, if the comparison matches, the program is determined to be an application belonging to the whitelist.

Accordingly, the client intercepts malicious program behaviour according to the determination result and terminates execution of the malicious program.

It will be understood that the whitelist in the cloud server's database may be collected periodically by technical staff, by hand, with a spider or web crawler, and/or from user uploads of legitimate programs. That is, the program features and/or program behaviours of the legitimate programs are identified by hand or automatically with tools and stored in the whitelist.

202. When an application belonging to the whitelist runs, acquire the MD5 value of the application.

That is, when an application belonging to the whitelist is started on the client, the MD5 value of that application can be acquired.

203. Send the acquired MD5 value of the application and the system environment information of the client to the cloud server, so that the cloud server looks up the preset rule matching the system environment information and determines, according to the rule found, the run list of the application corresponding to the MD5 value.

In other embodiments, the acquired MD5 value of the application and the system environment information of the client may also be sent to the cloud server so that the cloud server looks up the preset rule matching the system environment information and determines, according to the rule found, the run list of the application corresponding to the MD5 value together with the risk level of the client and similar information.

Typically the risk level of the client is determined by the cloud server from the MD5 value of the program and the system environment information sent by the client. If the client's risk level is below the preset security trust value, the program corresponding to that MD5 value can be judged malicious directly, and the client can intercept all running behaviour of that program.

204. Receive the run list of the application sent by the cloud server.

For example, the run list may comprise information on at least one running behaviour of the application that is to be intercepted.

In other embodiments, step 204 may be: receive the run list of the application and the risk level of the client, and similar information, sent by the cloud server.

205. Monitor, according to the run list, the running of the application corresponding to the MD5 value.

For example, the running of an application on the client may include process creation, thread creation, file read and write operations, registry read, write and modification operations, stack operations, and/or thread injection.

In this embodiment, if a running behaviour of the application corresponding to the MD5 value is observed to belong to the run list, that running behaviour is intercepted, or the running behaviour is prohibited; for example, the application's process creation is intercepted, or the creation of one of the application's threads is intercepted. This embodiment does not limit it; it can be set according to actual needs.

In other embodiments, the detection rules corresponding to the client's risk level may also be used together with the run list to monitor the running of the application corresponding to the MD5 value.

It will be understood that program detection rules corresponding to different risk levels are stored in advance on each client, so that once the client learns its risk level it uses the program detection rules for that risk level to detect/monitor the programs running on the client once more.

The application detection method of this embodiment first determines the applications on the client that belong to the whitelist and then monitors them. For example, the MD5 value of a whitelisted application is acquired when it runs and sent to the cloud server; the cloud server determines, according to preset rules, whether the application corresponding to that MD5 value on this client has a run list of running behaviours that need to be intercepted and, if so, sends the run list to the client; the client then monitors the running of the currently whitelisted application according to that run list. This ensures that programs run securely on the client, and hence that the client is secure.
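The following is an added example, not code from the patent or from Qihoo/360, that models the client and cloud-server halves of the flow in steps 101-103 and 201-205 together: the program feature is computed from the executable image, the server selects the preset rule that matches the client's system environment and returns the run list plus a risk level, and the client either intercepts matching behaviours locally or reports them and follows the server's statistical verdict across clients. The rule table, environment keys, behaviour names, per-risk-level detection rules and the reporting threshold are all constructed for the example; the patent specifies none of them. A SHA-256 value is carried next to the MD5 because MD5 collisions are practical.

```python
"""Added example (not Qihoo/360's code): a runnable model of the whitelist
run-time monitoring flow in steps 101-103 and 201-205.  The rule table,
environment keys, behaviour names, detection rules and the reporting threshold
are all constructed for this example; the patent does not specify them."""
import hashlib


# ---- client: program feature (steps 101 / 202) ------------------------------

def program_feature(image):
    """Static feature of an executable image.  The patent uses MD5; a SHA-256
    value is carried alongside because MD5 collisions are practical, so two
    different binaries can be built that share one MD5 value."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


# ---- cloud server: preset rules keyed by program feature (steps 102 / 203) ---

PRESET_RULES = {}   # md5 -> list of (env_match, run_list, risk_level); constructed


def register_rule(image, env_match, run_list, risk_level):
    """env_match is the system-environment pattern the rule applies to,
    run_list the behaviours of this program that are to be intercepted."""
    PRESET_RULES.setdefault(program_feature(image)["md5"], []).append(
        (env_match, frozenset(run_list), risk_level))


def lookup_run_list(feature, env):
    """Step 203: pick the rule whose environment pattern matches the client's
    environment and return (run_list, risk_level).  No matching rule means the
    server has nothing to intercept and rates the client low risk."""
    for env_match, run_list, risk_level in PRESET_RULES.get(feature["md5"], []):
        if all(env.get(k) == v for k, v in env_match.items()):
            return run_list, risk_level
    return frozenset(), "low"


# ---- cloud server: statistical rule across clients (step 103, 2nd variant) --

REPORTS = {}   # (md5, behaviour) -> set of client ids that reported it


def statistical_verdict(feature, behaviour, client_id, threshold=3):
    """Allow the behaviour until `threshold` distinct clients have reported it
    for this program, then block it.  Repeat reports from one client do not
    count twice, so a single client cannot drive the verdict on its own."""
    reporters = REPORTS.setdefault((feature["md5"], behaviour), set())
    reporters.add(client_id)
    return "block" if len(reporters) >= threshold else "allow"


# ---- client: monitoring (steps 103 / 204-205) -------------------------------

# Client-side detection rules per risk level (step 205); constructed.
DETECTION_RULES = {
    "low": frozenset(),
    "high": frozenset({"thread_injection", "registry_write"}),
}


def monitor(feature, env, events, client_id="client-1", mode="intercept"):
    """Fetch the run list and risk level for this program, then decide for each
    observed behaviour whether to allow it, block it locally ("intercept"), or
    report it and follow the server's statistical verdict ("report")."""
    run_list, risk_level = lookup_run_list(feature, env)
    watched = run_list | DETECTION_RULES.get(risk_level, frozenset())
    decisions = []
    for behaviour in events:
        if behaviour not in watched:
            decisions.append((behaviour, "allow"))
        elif mode == "intercept":
            decisions.append((behaviour, "block"))
        else:
            decisions.append((behaviour,
                              statistical_verdict(feature, behaviour, client_id)))
    return decisions


# ---- constructed sample data -------------------------------------------------

WHITELISTED_IMAGE = b"MZ\x90\x00 stand-in bytes for a whitelisted executable"
FEATURE = program_feature(WHITELISTED_IMAGE)
# On "win7" clients this program's thread injection is to be intercepted and the
# client is rated high risk; on "win10" clients nothing is intercepted.
register_rule(WHITELISTED_IMAGE, {"os": "win7"}, {"thread_injection"}, "high")
register_rule(WHITELISTED_IMAGE, {"os": "win10"}, set(), "low")
EVENTS = ["process_create", "file_write", "thread_injection", "registry_write"]

if __name__ == "__main__":
    print(monitor(FEATURE, {"os": "win7"}, EVENTS))
    print(monitor(FEATURE, {"os": "win10"}, EVENTS))
```

On the high-risk environment the client blocks both the behaviour named in the run list and the extra behaviours its local high-risk detection rules watch; on the low-risk environment everything is allowed. In "report" mode the same behaviour is allowed until three distinct clients have reported it, which is the cross-client statistical rule the text describes.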

FIG. 3 is a schematic structural diagram of an application detection apparatus provided by an embodiment of the present invention. As shown in FIG. 3, the application detection apparatus of this embodiment includes a program feature acquisition unit 31, a running list acquisition unit 32 and a monitoring unit 33;

where the program feature acquisition unit 31 is configured to acquire the program features of an application belonging to the whitelist when that application is running;

the running list acquisition unit 32 is configured to acquire, according to the program features, the running list of the application corresponding to the program features;

the monitoring unit 33 is configured to monitor the running of the application corresponding to the program features according to the running list.

For example, the running list here may include information on at least one running behavior of the application that is to be intercepted;

Correspondingly, the monitoring unit 33 may be specifically configured to intercept a running behavior of the application corresponding to the program features when it detects that the running behavior belongs to the running list;

Alternatively, the monitoring unit 33 may be specifically configured to, when it detects that a running behavior of the application corresponding to the program features belongs to the running list, send information on that running behavior to the cloud server, so that the cloud server determines according to statistical rules whether to allow the application to continue running;

and to receive the determination result sent by the cloud server and process the application according to that result;

where the statistical rules are compiled from the running behavior of the application on multiple clients.

In one possible implementation, the running list acquisition unit 32 may be specifically configured to send the program features acquired by the program feature acquisition unit to the server, so that the server determines, according to preset rules, the running list of the application corresponding to the program features;

In another possible implementation, the running list acquisition unit 32 is specifically configured to:

send the acquired program features of the application together with the system environment information of the client to the cloud server, so that the cloud server looks up the preset rules matching the system environment information and determines, according to the matched preset rules, the running list of the application corresponding to the program features.

In yet another possible implementation, the running list acquisition unit 32 may also be specifically configured to send the acquired program features of the application together with the system environment information of the client to the cloud server, so that the cloud server looks up the preset rules matching the system environment information and determines, according to the matched preset rules, both the running list of the application corresponding to the program features and the risk level of the client;

Correspondingly, the running list acquisition unit 32 is further configured to receive the running list of the application and the risk level of the client sent by the cloud server;

and the monitoring unit 33 may be specifically configured to monitor the running of the application corresponding to the program features using the detection rules corresponding to the client's risk level together with the running list.

The monitoring unit 33 is specifically configured to:

intercept a running behavior of the application corresponding to the program features when it detects that the running behavior belongs to the running list;

or,

when it detects that a running behavior of the application corresponding to the program features belongs to the running list, send information on that running behavior to the server, so that the server determines according to statistical rules whether to allow the application to continue running;

receive the determination result sent by the server and process the application according to that result;

where the running list includes information on at least one running behavior of the application to be intercepted;

and the statistical rules are compiled from the running behavior of the application on multiple clients.

In addition, the application detection apparatus of this embodiment can carry out the procedures of the method embodiments shown in FIG. 1 and FIG. 2 described above, which are not repeated here.

In the application detection apparatus of this embodiment, the program feature acquisition unit first acquires the program features of a whitelisted application when it runs, and the sending unit sends those program features to the cloud server; the cloud server then determines according to preset rules whether the application on the client corresponding to the program features has a running list of running behaviors that need to be intercepted, and if so sends the running list to the client, so that the monitoring unit monitors the running of the currently whitelisted application according to the running list received by the receiving unit. This ensures the security of programs running on the client and the secure operation of the client, improving the user experience.
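The client/cloud-server exchange summarized above and the three apparatus units it describes, as an added Python example that is not the patent's own code. The program names, the preset rule table, the two-client report threshold and the per-risk-level detection rules are constructed assumptions.

```python
# Added example: simulation of the embodiment's client/cloud exchange. Names,
# the rule table, thresholds and sample images are constructed assumptions.
import hashlib
from collections import defaultdict

# Constructed stand-ins for two whitelisted program images.
SAMPLE_BINARIES = {
    "updater.exe": b"MZ\x90\x00constructed-updater-image-v1",
    "editor.exe": b"MZ\x90\x00constructed-editor-image-v2",
}

def program_feature(image: bytes) -> str:
    """Client side: program feature of a running whitelisted application. The
    embodiment uses MD5; SHA-256 avoids two images sharing one feature."""
    return hashlib.md5(image).hexdigest()

class CloudServer:
    """Preset rules keyed by program feature and matched against the client's
    system environment, plus running-behaviour reports from many clients."""

    def __init__(self, preset_rules, report_threshold):
        # preset_rules: {md5: [(env_match, running_list, risk_level), ...]}
        self.preset_rules = preset_rules
        self.report_threshold = report_threshold
        self.reports = defaultdict(set)  # (md5, behaviour) -> {client_id}

    def running_list(self, md5, env):
        """(running list, client risk level) from the first rule whose
        environment keys all match; no rule means nothing to intercept."""
        for env_match, behaviours, risk in self.preset_rules.get(md5, []):
            if all(env.get(k) == v for k, v in env_match.items()):
                return set(behaviours), risk
        return set(), "low"

    def judge(self, client_id, md5, behaviour):
        """Statistical rule: a listed behaviour may continue until it has been
        reported from report_threshold distinct clients."""
        self.reports[(md5, behaviour)].add(client_id)
        return len(self.reports[(md5, behaviour)]) < self.report_threshold

# Constructed client-side detection rules per risk level: behaviours the
# client blocks on its own, in addition to the server-supplied running list.
RISK_RULES = {"low": set(), "high": {"write_autorun"}}

class ClientMonitor:
    """One client's feature acquisition, running-list acquisition and
    monitoring units; mode is 'intercept' (block locally) or 'report'."""

    def __init__(self, client_id, server, env, mode):
        self.client_id, self.server, self.env, self.mode = client_id, server, env, mode
        self.watched = {}  # program name -> (md5, running list, risk rules)

    def on_start(self, name, image):
        md5 = program_feature(image)
        running_list, risk = self.server.running_list(md5, self.env)
        self.watched[name] = (md5, running_list, RISK_RULES[risk])

    def on_behaviour(self, name, behaviour):
        """Return 'allowed' or 'blocked' for one observed running behaviour."""
        md5, running_list, risk_rules = self.watched[name]
        if behaviour in risk_rules:
            return "blocked"  # risk-level detection rule fires first
        if behaviour not in running_list:
            return "allowed"  # not on the running list: nothing to intercept
        if self.mode == "intercept":
            return "blocked"
        allowed = self.server.judge(self.client_id, md5, behaviour)
        return "allowed" if allowed else "blocked"

def simulate():
    # Walk three constructed clients through the exchange; returns decisions.
    updater = program_feature(SAMPLE_BINARIES["updater.exe"])
    server = CloudServer({updater: [
        ({"os": "Windows", "version": "XP"}, ["inject_process", "modify_hosts"], "high"),
        ({"os": "Windows"}, ["inject_process"], "low"),
    ]}, report_threshold=2)
    a = ClientMonitor("A", server, {"os": "Windows", "version": "7"}, "intercept")
    b = ClientMonitor("B", server, {"os": "Windows", "version": "XP"}, "report")
    c = ClientMonitor("C", server, {"os": "Windows", "version": "XP"}, "report")
    for m in (a, b, c):
        m.on_start("updater.exe", SAMPLE_BINARIES["updater.exe"])
    a.on_start("editor.exe", SAMPLE_BINARIES["editor.exe"])  # no preset rule
    return [
        a.on_behaviour("updater.exe", "inject_process"),  # listed, intercept mode
        a.on_behaviour("updater.exe", "modify_hosts"),    # not listed for Win 7
        a.on_behaviour("editor.exe", "inject_process"),   # no running list at all
        b.on_behaviour("updater.exe", "modify_hosts"),    # first report: allowed
        c.on_behaviour("updater.exe", "modify_hosts"),    # second client: blocked
        b.on_behaviour("updater.exe", "write_autorun"),   # high-risk client rule
    ]
```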

The present invention is described using the Windows system as an example, which does not preclude the above method from being used in operating systems such as iOS and Android.

Numerous specific details are set forth in the description of the present invention. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art will understand that the modules of the devices in an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will appreciate that although some of the embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a browser terminal device according to an embodiment of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for carrying out part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not denote any order; these words may be interpreted as names.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention; they should all be covered within the scope of the claims and description of the present invention.

Claims (8)

Translated from Chinese

1. An application detection apparatus, characterized in that it comprises:
a program feature acquisition unit, configured to acquire the program features of an application belonging to the whitelist when that application is running;
a running list acquisition unit, configured to send the program features of the application to a server, so that the server determines according to preset rules the running list of the application corresponding to the program features, and to receive the running list of the application sent by the server;
a monitoring unit, configured to monitor the running of the application corresponding to the program features according to the running list, including: when it detects that a running behavior of the application corresponding to the program features belongs to the running list, intercepting that running behavior; or, when it detects that a running behavior of the application corresponding to the program features belongs to the running list, sending information on that running behavior to the server so that the server determines according to statistical rules whether to allow the application to continue running, receiving the determination result sent by the server, and processing the application according to the determination result;
wherein the running list comprises information on at least one running behavior of the application to be intercepted, and the statistical rules are compiled from the running behavior of the application on multiple clients;
the program feature acquisition unit is further configured to periodically collect the program features and/or program behavior of legitimate programs and send them to the server, where the server analyzes and compares the program features and/or program behavior against a pre-established cloud whitelist of legitimate programs, judges the program according to the comparison result and feeds the result back to the client, so that the program features and/or program behavior of legitimate programs are saved and the whitelist is generated.

2. The apparatus according to claim 1, characterized in that the running list acquisition unit is specifically configured to:
send the acquired program features of the application and the system environment information of the client to the server, so that the server looks up the preset rules matching the system environment information and determines, according to the matched preset rules, the running list of the application corresponding to the program features.

3. The apparatus according to claim 1, characterized in that the running list acquisition unit is specifically configured to:
send the acquired program features of the application and the system environment information of the client to the server, so that the server looks up the preset rules matching the system environment information and determines, according to the matched preset rules, the running list of the application corresponding to the program features and the risk level of the client.

4. The apparatus according to claim 3, characterized in that the running list acquisition unit is specifically configured to:
receive the running list of the application and the risk level of the client sent by the server;
and the monitoring unit is specifically configured to:
monitor the running of the application corresponding to the program features using the detection rules corresponding to the risk level of the client and the running list.

5. An application detection method, characterized in that it comprises:
when an application belonging to the whitelist is running, acquiring the program features of that application;
sending the program features of the application to a server, so that the server determines according to preset rules the running list of the application corresponding to the program features, and receiving the running list of the application sent by the server;
monitoring the running of the application corresponding to the program features according to the running list, including: when detecting that a running behavior of the application corresponding to the program features belongs to the running list, intercepting that running behavior; or, when detecting that a running behavior of the application corresponding to the program features belongs to the running list, sending information on that running behavior to the server so that the server determines according to statistical rules whether to allow the application to continue running, receiving the determination result sent by the server, and processing the application according to the determination result;
wherein the running list comprises information on at least one running behavior of the application to be intercepted, and the statistical rules are compiled from the running behavior of the application on multiple clients;
the method further comprises: periodically collecting the program features and/or program behavior of legitimate programs and sending them to the server, where the server analyzes and compares the program features and/or program behavior against a pre-established cloud whitelist of legitimate programs, judges the program according to the comparison result and feeds the result back to the client, so that the program features and/or program behavior of legitimate programs are saved and the whitelist is generated.

6. The method according to claim 5, characterized in that acquiring, according to the program features, the running list of the application corresponding to the program features comprises:
sending the acquired program features of the application and the system environment information of the client to the server, so that the server looks up the preset rules matching the system environment information and determines, according to the matched preset rules, the running list of the application corresponding to the program features.

7. The method according to claim 5, characterized in that acquiring, according to the program features, the running list of the application corresponding to the program features comprises:
sending the acquired program features of the application and the system environment information of the client to the server, so that the server looks up the preset rules matching the system environment information and determines, according to the matched preset rules, the running list of the application corresponding to the program features and the risk level of the client.

8. The method according to claim 7, characterized in that the method further comprises:
receiving the running list of the application sent by the server comprises: receiving the running list of the application and the risk level of the client sent by the server;
and correspondingly, monitoring the running of the application corresponding to the program features according to the running list comprises: monitoring the running of the application corresponding to the program features using the detection rules corresponding to the risk level of the client and the running list.
Application CN201410831931.6A, filed 2014-12-26 (priority date 2014-12-26): Application detection method and device. Status: Active. Granted as CN105791250B (en).

Publications (2)

Publication number    Publication date
CN105791250A (en)     2016-07-20
CN105791250B (en)     2020-10-02

Family ID: 56389650

Country status (1)

Country    Link
CN (1)     CN105791250B (en)


Legal Events

Code    Title
C06     Publication
PB01    Publication
SE01    Entry into force of request for substantive examination
GR01    Patent grant
TR01    Transfer of patent right

Transfer of patent right, effective date of registration: 2022-08-19

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: 3600 Technology Group Co.,Ltd.
Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000

