CN109117635B - Virus detection method and device for application program, computer equipment and storage medium - Google Patents
- Publication number
- CN109117635B (CN201811042877.1A)
- Authority
- CN
- China
- Prior art keywords
- function execution
- virus
- application program
- target application
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06V—IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
- G06V10/00—Arrangements for image or video recognition or understanding
- G06V10/40—Extraction of image or video features
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Multimedia (AREA)
- Stored Programmes (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a virus detection method and device for an application program, computer equipment and a storage medium, and belongs to the technical field of electronics. The method comprises the following steps: acquiring, according to a virus detection instruction for a target application program, at least one piece of function execution information of the target application program, wherein the at least one piece of function execution information records the functions executed by the target application program during running; generating a function execution image of the target application program according to the at least one piece of function execution information; extracting image features of the function execution image; and marking the target application program as a virus when the similarity between the image features and virus image features is greater than a similarity threshold. The invention can improve the accuracy of virus detection.
Description
Technical Field
The present invention relates to the field of electronic technologies, and in particular, to a method and apparatus for detecting viruses in an application program, a computer device, and a storage medium.
Background
With the wide application of terminals, the security of terminals is receiving increasing attention. Viruses in application programs cause users financial loss and annoyance. For example, a virus may automatically send short messages in the background to subscribe to fee-deduction services, causing economic loss without the user being aware of it; viruses can also maliciously push spam advertisements, which is a nuisance to users.
Virus detection is therefore important for the safety and convenience of the terminal. First, the source code of a known virus may be analyzed to determine the signature of the virus, which may be a continuous binary segment of the source code. Then, to detect whether an application program is a virus, the source code of the application program is obtained and checked for the signature of the virus; if the signature is present, the application program is judged to be a virus.
However, to avoid detection, the source code of a virus may be modified to produce a variant virus. Because the modified source code is no longer the same as the original virus source code, detecting it gives a result inconsistent with the actual situation, that is, the virus is not detected. The hit rate is low and the accuracy of virus detection is poor.
Disclosure of Invention
The embodiment of the invention provides a virus detection method and device for an application program, computer equipment and a storage medium, which can solve the problem of poor accuracy of virus detection of the application program. The technical scheme is as follows:
In one aspect, a method for detecting viruses of an application program is provided, the method comprising:
according to a virus detection instruction of a target application program, acquiring at least one function execution information of the target application program, wherein the at least one function execution information is used for recording a function executed by the target application program in the running process;
generating a function execution image of the target application program according to at least one function execution information of the target application program;
extracting image features of the function execution image;
marking the target application as a virus when the similarity of the image features and the virus image features is greater than a similarity threshold.
In one aspect, a method for detecting viruses of an application program is provided, the method comprising:
according to a virus detection instruction of a target application program, a simulator is called, and the target application program is loaded to the simulator for operation, wherein the simulator is used for simulating an isolated operation environment;
acquiring function execution information of the target application program in the running process to obtain at least one piece of function execution information, wherein the at least one piece of function execution information is used for recording the function executed by the target application program in the simulator in running;
sending a virus detection request to a server, wherein the virus detection request carries the at least one function execution information, and the virus detection request is used for indicating the server to detect the target application program;
and carrying out virus prompt according to the received virus detection result, wherein the virus detection result is obtained based on the at least one function execution information.
In one aspect, there is provided a virus detection apparatus for an application program, the apparatus comprising:
an acquisition module, used for acquiring at least one piece of function execution information of a target application program according to a virus detection instruction of the target application program, wherein the at least one piece of function execution information is used for recording the functions executed by the target application program in the running process;
the generating module is used for generating a function execution image of the target application program according to at least one function execution information of the target application program;
the extraction module is used for extracting image characteristics of the function execution image;
and the determining module is used for marking the target application program as virus when the similarity of the image characteristics and the virus image characteristics is greater than a similarity threshold value.
In one aspect, there is provided a virus detection apparatus for an application program, the apparatus comprising:
the call module is used for calling a simulator according to a virus detection instruction of a target application program, and loading the target application program to the simulator for operation, wherein the simulator is used for simulating an isolated operation environment;
the acquisition module is used for acquiring the function execution information of the target application program in the running process to obtain at least one piece of function execution information, wherein the at least one piece of function execution information is used for recording the function executed by the target application program in the running process of the simulator;
the sending module is used for sending a virus detection request to a server, wherein the virus detection request carries the at least one function execution information and is used for indicating the server to detect the target application program;
and the prompting module is used for prompting the virus according to the received virus detection result, and the virus detection result is obtained based on the at least one function execution information.
In one aspect, a server is provided, the server including a processor and a memory, the memory storing at least one instruction, the at least one instruction being loaded and executed by the processor to implement any of the above virus detection methods for an application program.
In one aspect, a computer readable storage medium is provided, the storage medium storing at least one instruction that is loaded and executed by a processor to implement any of the above virus detection methods for an application program.
The technical scheme provided by the embodiment of the invention has the beneficial effects that:
In the embodiment of the invention, viruses in application programs have certain specific function execution behaviors, and even if the source code of a virus is changed, its functions generally do not change. The server therefore detects viruses based on the function execution information of the application program, so that variant viruses can also be detected and the method has stronger generalization capability. In addition, because features extracted from images are more reliable, the embodiment of the invention generates a function execution image from the function execution information of the application program and compares the image features of the application program to be detected with virus image features, thereby improving the accuracy of virus detection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present invention;
FIG. 2 is a schematic view of another implementation environment provided by an embodiment of the present invention;
FIG. 3 is a schematic view of yet another implementation environment provided by an embodiment of the present invention;
FIG. 4 is a flowchart of a method for detecting viruses of an application program according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a function execution image according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of determining similarity according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a virus detection system according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a process flow of a detection flow control submodule according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a process flow of a behavioral fingerprint extraction submodule according to an embodiment of the present invention;
FIG. 10 is a flowchart of a method for virus detection of an application program according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a processing flow of a virus library generation submodule according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of a similarity measurement submodule process flow provided by an embodiment of the present invention;
FIG. 13 is a flowchart of a method for detecting viruses of an application program according to an embodiment of the present invention;
FIG. 14 is a flowchart of a method for detecting viruses in an application program according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of a virus detection device for an application according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of a virus detection device for an application according to an embodiment of the present invention;
FIG. 17 is a schematic structural diagram of a server according to an embodiment of the present invention;
FIG. 18 is a block diagram of a terminal according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
In the embodiment of the invention, an application program executes various functions when it runs, and the functions executed by each application program have their own characteristics. An application program can therefore be uniquely represented by the functions it executes, and application programs can be distinguished by the characteristics of those functions. In other words, the characteristics of the functions executed by an application program act as its fingerprint and, for intuitive understanding, may be called the behavior fingerprint of the application program. For a virus, even if its source code changes, the functions it performs generally do not; for example, a fee-deduction virus will still automatically send short messages. Thus, if an application program is a virus, its function execution information matches the function execution characteristics of the corresponding virus type. On this basis, the embodiment of the invention records the function execution of the application program and detects viruses based on the recorded function execution, which improves the accuracy of virus detection and avoids missed and false detections caused by small changes to a virus.
In the embodiment of the invention, the function execution information of an application program refers to information that records the functions executed by the application program during running. It indicates how the application program executes functions, for example, which functions an application program executed and when.
Based on the above principle, the embodiment of the present invention may be implemented in various implementation environments. For example, fig. 1 is a diagram of an implementation environment of the virus detection method of an application program provided by the embodiment of the present invention. The implementation environment may include at least one user equipment 101 and a server 102 that provides services to the at least one user equipment 101.
The at least one user equipment 101 is connected to the server 102 through a wireless or wired network, and may be a computer device, a smart terminal, or the like capable of accessing the server 102. An application client for virus detection may be installed on the user device 101, which interacts with the server 102 through the application client to obtain the virus detection service provided by the server 102. For example, the application client may be an application management client that provides services such as virus detection, application information, application download, and application update.
At least one virus library may be maintained in the server 102, and the server 102 may be a background server of the application client. The server 102 may also provide services such as application information, application downloads, application updates, etc. to the user device via the application client. Of course, the server 102 may also provide a publishing interface through which the user device may publish applications.
Specifically, in conjunction with the implementation environment diagram shown in fig. 1, the server may provide virus detection service for any user equipment, that is, the user equipment may initiate a virus detection request to the server, and when the server receives the virus detection request sent by the user equipment, the server may trigger a virus detection flow. The virus detection request may carry an identifier of the target application program to be detected, so that the server performs virus detection on the target application program stored on the server, and of course, the virus detection request may also carry the target application program, so as to provide the target application program to the server for virus detection. Of course, the server may also periodically perform virus detection on the application program stored on the server, or trigger the virus detection flow when receiving an application program newly issued by any user equipment.
When the server performs virus detection on the target application program, it acquires the function execution information of the target application program. In one possible implementation, a simulator that simulates the running environment of the user equipment is installed on the server, and the server acquires the function execution information as follows: the server calls the simulator, loads the target application program into the simulator to run, records the function execution information of the target application program during running, and obtains the at least one recorded piece of function execution information. Running the application program in the simulator prevents a virus from damaging the server and improves the safety of virus detection.
The simulator can be a simulator of the Android system and can run Android application programs. Of course, the simulator may also be an iOS simulator, a Windows simulator, or the like, and may run corresponding application programs, which is not limited herein.
The function execution information may include the function identifier and the function execution time of the executed function. When the server runs the target application in the simulator, each time the target application executes a function, the server records the function identifier and the function execution time of that function and stores them as one piece of function execution information. The function identifier represents the type of function and may be a numeric identifier, so that as many as possible of the function types a virus may execute can be defined. For example, the function identifier takes values in the range [0, 255]; within this range, function identifier 01 is defined as sending a short message, 02 as calling the voice recorder, 03 as calling a popup, 04 as calling the camera, and so on. The function execution time may be the trigger time of the function.
It should be noted that the recorded pieces of function execution information may be ordered from earliest to latest by function execution time, so that their order indicates the order in which the functions were executed. For example, when the target application program sends a short message, the function identifier 01 of sending a short message, the function execution time 10:30, etc. are recorded as one piece of function execution information; when the camera is called, the function identifier 05 of calling the camera, the function execution time 10:33, etc. are recorded; when the recording pen is called, the function identifier 03 of calling the recording pen, the function execution time 10:49, etc. are recorded. After the target application program has run for a period of time, the following function execution information is obtained:
01,10:30;
05,10:33;
03,10:49;
……
The above describes how function execution information is recorded and what is recorded. The server may acquire the function execution information in various ways, which are described below:
In the first mode, the server records function execution information of the target application program within a first preset duration.
The server runs the target application program in the simulator. Each time the target application program executes a function in the simulator, the server records the function identifier and the function execution time of the function and stores them as one piece of function execution information; after the first preset duration the server stops the run and stores the recorded function execution information. For example, the server may run the target application for 15 minutes and obtain the function execution information within those 15 minutes. Performing virus detection based on the functions executed by the target application program within the preset duration ensures that the obtained function execution information includes all functions of the target application program, which improves the accuracy of virus detection.
The above provides a recording manner in which the running duration equals the preset duration. In some embodiments the running duration may be greater than the preset duration: the server runs the target application in the simulator; each time the target application executes a function in the simulator, the server records the function identifier and the function execution time of the function and stores them as one piece of function execution information; the server stops the run after a second preset duration, stores the recorded function execution information, and extracts from it the function execution information within the first preset duration. The embodiment of the present invention does not limit the starting point of the first preset duration: it may be the start of the run or a time point after it, for example a time point that ensures initialization of the target application is complete. For example, the server may run the target application for 20 minutes and, when performing virus detection, obtain the function execution information within 15 minutes, which may be the first 15 minutes, the last 15 minutes, or any 15 minutes in the middle; this is not limited in the embodiment of the present invention.
In the second mode, the server acquires the function execution information recorded in a target running process among multiple running processes of the target application program, where the target running process is the running process with the largest number of recorded pieces of function execution information.
The server may run the target application program multiple times and count the pieces of function execution information recorded in each running process, so as to determine the target running process, that is, the running process with the largest number of pieces of function execution information, and then perform the subsequent virus detection process based on the function execution information recorded in the target running process. This alternative ensures that the obtained function execution information is more accurate and reflects the actual functions of the application program, which improves the accuracy of virus detection.
Of course, the two alternatives can be combined: the server acquires the function execution information recorded within the first preset duration in each of the multiple running processes, and then performs the subsequent virus detection process based on the function execution information recorded in the target running process among them.
The above process of obtaining the function execution information is based on the implementation environment shown in fig. 1. The embodiment of the present invention provides another implementation environment, shown in fig. 2, which includes at least one user device 201 and a server 202. The user equipment 201 has the same functions as the user equipment 101 and may additionally run a target application program to record its function execution information. After obtaining the function execution information of the target application program, the user equipment 201 may send it to the server 202, and the server 202 may perform virus detection based on it. In the implementation environment shown in fig. 2, the virus detection method of the application program may be implemented by the server, and the server obtains the function execution information as follows: the server receives at least one piece of function execution information recorded while the target application runs on another device. In one embodiment, the process specifically includes: the user equipment runs the target application program, records at least one piece of function execution information of the target application program during running, and sends a virus detection request carrying the at least one piece of function execution information to the server; the server receives the virus detection request and extracts the at least one piece of function execution information from it.
It should be noted that the user equipment acquires the at least one piece of function execution information of the target application program in the same way as the server does, which will not be described again here. Further, when the server obtains a virus detection result, it may send the result to the user equipment, and the user equipment may give a virus prompt based on the received result. For example, when the virus detection result indicates that the application program is a virus, the user equipment prompts that the application program is a virus; when the result indicates that the application program is not a virus, it prompts that the application program is not a virus; and when the result indicates that the application program is suspicious, it may prompt that the application program is risky and that running it is not recommended, and so on.
The embodiments above take as an example the case in which the server performs virus detection and outputs the virus detection result. However, virus detection may also be performed by a virus detection application program installed on the user equipment; the virus detection application program may then be configured with a local virus database and use it to detect application programs installed on the user equipment offline. For this case, the embodiment of the present invention provides a further implementation environment, shown in fig. 3. The implementation environment may include at least one user device 301 and a server 302. The user device 301 may have a virus detection application installed and also stores at least one virus library for virus detection. When any application program runs, the user equipment 301 may record and store the function execution information of the running process for later virus detection. Optionally, the function execution information of the target application program during running may be recorded and stored when virus detection of the target application program is triggered on the user device 301, so as to detect whether the target application program is a virus based on that information. The user equipment may give a virus prompt based on the virus detection result, in the same way as in the above embodiments, which will not be described again here.
In the implementation environment shown in fig. 3, the virus detection method of the application program may be implemented by a virus detection application program on the user equipment. The processing of the virus detection application to acquire the function execution information may be as follows: the virus detection application obtains at least one function execution information of a locally stored target application.
The virus detection process of an application program is described below, taking server-based virus detection in the implementation environment shown in fig. 1 as an example. Fig. 4 is a flowchart of a virus detection method of an application program according to the present invention; the process flow of the method may include the following steps:
400. The user device sends the target application to the server.
401. After receiving the target application program, the server acquires at least one function execution information of the target application program in the running process.
The step of obtaining the function execution information by the server in step 401 may refer to the obtaining process in the above embodiment, and will not be described herein.
Steps 400 to 401 above describe only the case in which the server performs virus detection after the user equipment submits the target application program to the server. In some embodiments, the user equipment may instead send only a virus detection request that carries the target application program or the identifier of the target application program, so as to instruct the server to perform virus detection. In some embodiments, the server may also initiate virus detection on its own for any application, which is not limited by the embodiments of the present invention.
402. The server constructs a function execution sequence based on the function identification in the at least one function execution information according to the function execution time in the at least one function execution information.
The function execution sequence may consist of function identifiers. Specifically, each piece of function execution information acquired by the server in step 401, generated while the target application program under test was running, includes information such as a function identifier and a function execution time. The server can determine the order of the function identifiers from the function execution times in the function execution information, and then form the function execution sequence from the function identifiers in that order.
In a possible implementation manner, the server may arrange the function identifiers according to the chronological order, and the specific processing in step 402 may be as follows: determining a function execution sequence of the at least one function execution information based on the function execution time in the at least one function execution information, and sequencing the function identifications in the at least one function execution information according to the function execution sequence to obtain a function execution sequence.
When the server arranges the function execution information according to the time sequence, the arrangement sequence of the function execution information is the function execution sequence, and the server can form the function identification into a corresponding function execution sequence according to the function execution sequence.
Specifically, there are two methods for constructing the function execution sequence, and the following description will be given respectively:
First, when constructing the function execution sequence, the server may arrange the function identifiers into a corresponding function execution sequence according to the order of function execution. For example, when the recorded function execution information is (01, 10:30; 05, 10:33; 03, 10:49; …), arranging the function identifiers according to the function execution information gives the decimal sequence (1, 5, 3, …), and this decimal sequence may be the corresponding function execution sequence.
Second, when constructing the function execution sequence, the server may acquire the function execution times of every two adjacent pieces of function execution information and calculate the time interval between every two adjacent function identifiers. The server may then arrange the function identifiers according to the order of function execution and add the corresponding time interval identifiers between each two adjacent function identifiers to obtain the corresponding function execution sequence. For example, the function execution sequence may be (1, 0, 0, 5, 0, 3, …), where "0" is the time interval identifier.
In practice, the processing may be performed based on any of the above-described methods for constructing a function execution sequence.
403. The server converts the function identification in the function execution sequence into pixel points, and generates a function execution image of the target application program.
After the server obtains the decimal function execution sequence in step 402, it may convert it into a hexadecimal function execution sequence, that is, obtain (01, 05, 03, …). The server may then convert the value of each function identifier into a pixel value, with each function identifier corresponding to one pixel point, thereby forming a function execution image. The range of pixel values may be [0, 255].
Since the range of function identifiers is set within [0, 255], each function identifier in the hexadecimal function execution sequence can be converted into one pixel value, that is, the function execution sequence is converted into a corresponding function execution image, which can be a 1 × n function execution image. The function execution sequence may also be divided into a plurality of sequence segments that are spliced into a matrix of several rows and columns and then converted into the function execution image in the manner described above, which is not limited herein. For example, each function identifier of the function execution sequence may be converted into a gray value within [0, 255], in which case the resulting function execution image is a gray image, as shown in the function execution image schematic diagram of fig. 5; alternatively, pixel values for the three RGB channels may be generated from each function identifier of the function execution sequence through a conversion algorithm, in which case the function execution image formed by the three RGB channels is a color image.
For the first method of constructing the function execution sequence in step 402, the pixel value of each pixel of the function execution image generated by the server may be used to represent the type of the function, the arrangement order of the pixels may be the function execution order of the plurality of function execution information, and two adjacent pixels may be used to represent two functions that are continuously executed. For example, the pixel point of the function execution image may be (01, 05, 03, …).
For the second method of constructing the function execution sequence in step 402, similar to the first method, the pixel value of the server-generated function execution image may represent a time interval unit in addition to the type of the function. For example, the pixel value 00 in the above-described second embodiment may represent one time interval unit, and for (01, 00, 00, 05, 00, 03, …), 2 time interval units may represent the trigger time interval of the function 01 and the function 05, 1 time interval unit may represent the trigger time interval of the function 05 and the function 03, and so on.
The server may generate a function execution image of the target application based on the plurality of function execution information of the target application, and steps 402-403 may be one possible implementation. Of course, the server may also generate the function execution image of the target application program according to at least one function execution information of the target application program by other methods. A method for generating a function execution image is described below, in which a specific process for constructing a function execution sequence may be as follows: arranging at least one piece of function execution information based on a preset function execution information arrangement rule, and forming a function execution sequence according to the sequence of the arranged function execution information by using function identifiers in the arranged at least one piece of function execution information.
The preset function execution information arrangement rule may be in order of the number of execution times from large to small. The server may count the number of each function identifier in the obtained at least one function execution information, and sort the function identifiers in order from the larger number to the smaller number. The greater the number of function identifications, the greater the number of times the target application program performs the function. The server may then construct a function execution sequence according to the ordering of the function identifications and the number of function identifications. For example, when the number of times of execution of the function 01 is 3 and the number of times of execution of the function 03 is 1 and the number of times of execution of the function 05 is 2, the function execution sequence (1,1,1,5,5,3) can be obtained.
The function execution information arrangement rule may be set according to actual requirements, which is not limited in the embodiment of the present invention.
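The following Python sketch is an added illustration of steps 402 to 403 and of the count-based arrangement rule; it is not code from the patent. The record layout (function identifier, seconds since start), the 10-second interval unit, the rule of one marker per whole elapsed unit, the tie-break, the zero padding and the PGM output format are all assumptions, and the sample records are constructed so that they reproduce the sequences quoted above.

```python
from collections import Counter

INTERVAL_MARKER = 0  # the page uses pixel value 00 for one time-interval unit

# Constructed sample records: (function identifier, seconds since start).
RECORDS = [(5, 20), (1, 0), (3, 30)]
FREQ_RECORDS = [(1, 0), (5, 1), (1, 2), (3, 3), (5, 4), (1, 5)]


def check_ids(records, reserve_marker=False):
    """Reject identifiers that cannot be stored in one 8-bit pixel."""
    for func_id, _ in records:
        if not 0 <= func_id <= 255:
            raise ValueError(f"function id {func_id} does not fit in [0, 255]")
        if reserve_marker and func_id == INTERVAL_MARKER:
            # With interval markers enabled, a function whose id is 0 would be
            # indistinguishable from a time gap in the resulting image.
            raise ValueError("function id 0 collides with the interval marker")


def sequence_by_time(records):
    """First method: function identifiers in order of execution time."""
    check_ids(records)
    return [fid for fid, _ in sorted(records, key=lambda r: r[1])]


def sequence_with_intervals(records, unit_seconds):
    """Second method: insert one marker per whole interval unit between calls.

    Assumption: the number of markers is gap // unit_seconds; the page does
    not define how the interval unit is chosen.
    """
    check_ids(records, reserve_marker=True)
    seq, prev_time = [], None
    for fid, t in sorted(records, key=lambda r: r[1]):
        if prev_time is not None:
            seq.extend([INTERVAL_MARKER] * int((t - prev_time) // unit_seconds))
        seq.append(fid)
        prev_time = t
    return seq


def sequence_by_frequency(records):
    """Arrangement rule by execution count, most frequently executed first."""
    check_ids(records)
    counts = Counter(fid for fid, _ in records)
    # Ties are broken by identifier to keep the output deterministic (assumption).
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [fid for fid, n in ordered for _ in range(n)]


def to_gray_rows(sequence, width=None, pad=0):
    """One gray pixel per identifier; width=None yields a 1 x n image."""
    if width is None:
        return [list(sequence)]
    if width <= 0:
        raise ValueError("width must be positive")
    rows = [list(sequence[i:i + width]) for i in range(0, len(sequence), width)]
    if rows and len(rows[-1]) < width:
        # Pad the last segment so the matrix is rectangular (assumption).
        rows[-1] += [pad] * (width - len(rows[-1]))
    return rows


def to_pgm(rows):
    """Serialize the gray image as binary PGM (P5) bytes."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(p for row in rows for p in row)


if __name__ == "__main__":
    seq = sequence_with_intervals(RECORDS, unit_seconds=10)
    print(sequence_by_time(RECORDS), seq, sequence_by_frequency(FREQ_RECORDS))
    print(to_gray_rows(seq, width=4))
```

Because the value 0 serves both as a valid pixel value and as the interval marker, the sketch rejects a function identifier of 0 whenever interval markers are in use.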
404. The server extracts image features of the function execution image of the target application.
The server can call an image feature extraction model to extract the image features of the function execution image generated in the process. For example, the image feature extraction model may be an image feature extraction model based on SIFT algorithm, an image feature extraction model based on machine learning algorithm, or the like, and is not limited thereto. Correspondingly, the extracted image features can be feature vectors, feature matrixes and the like, and the image features can comprise at least one feature vector or at least one feature matrix.
Taking an image feature extraction model based on a SIFT algorithm as an example, the extracted image features are described as follows:
The server invokes an image feature extraction model based on the SIFT algorithm to perform feature extraction on the function execution image, so that at least one SIFT feature vector can be obtained. One SIFT feature vector can be composed of 64 floating point numbers, and the dimension of the SIFT feature vector is not limited. The number of SIFT feature vectors corresponding to the function execution images of different applications may be different. In general, a set of SIFT feature vectors may be extracted from one function execution image; for example, the set may include 5 SIFT feature vectors, recorded as sample X: [0.1234, 0.154, …], [0.134, 0.5154, …], [0.1254, 0.4521, …].
After the server acquires the image features corresponding to the target application program, the similarity between the image features and the virus image features can be calculated. Before this, virus image features need to be extracted, which will be described below:
The server may obtain at least one virus sample of a known virus type, run each virus sample in a simulator, perform the processing of steps 201-204, and extract virus image features using the same method as for the target application under test, which is not described in detail here.
Taking the image feature extraction model based on the SIFT algorithm as an example, the server may finally output at least one set of SIFT feature vectors corresponding to the virus sample. Optionally, when the server outputs a set of SIFT feature vectors, it may add an identifier of the corresponding virus type to the set, and the format may be "virus type: SIFT feature vector set", e.g., fraud class: [0.1234, 0.154, …], [0.134, 0.5154, …], [0.1254, 0.4521, …].
Further, the server may store the determined virus image characteristics of the at least one virus type in a virus library. In the subsequent use, if the virus image feature of the new virus sample needs to be added, the virus image feature can be determined based on the method, and the virus library is updated, which is not described herein.
405. The server traverses virus image features of multiple virus types, and each time traverses virus image features of one virus type, the similarity between the image features and the virus image features of the virus type is obtained.
The image features or virus image features of one virus type in the virus library may comprise at least one feature vector or feature matrix.
In one possible implementation, the server may traverse all virus types in the virus library, determining the similarity of virus image features to image features for each virus type. For example, in the case where the image feature is a feature matrix, the rank of the image feature and the rank of the virus image feature may be determined separately, and further, the ratio of the rank of the image feature and the rank of the virus image feature may be determined, and the ratio may be determined as the similarity.
Taking feature vectors as an example, the specific processing of step 405 described above may be as follows: determining the vector distance from each target feature vector of the image feature to each feature vector of the virus image feature of the virus type, and determining the number of vector distances less than a distance threshold as the similarity between the image feature and the virus image feature of the virus type.
For a target feature vector of the target application, the server may traverse feature vectors for each virus type stored in the virus library to determine vector distances, respectively. The server compares all target feature vectors of the target application program with feature vectors of all virus types stored in the virus library, so that the comprehensiveness of virus detection can be ensured.
The server may calculate the distance between the image feature and the virus image feature based on a distance algorithm, which may be, for example, a Euclidean distance algorithm, a Manhattan distance algorithm, or the like; the closer the distance, the higher the similarity.
Taking the Euclidean distance algorithm as an example, for 64-dimensional SIFT feature vectors, let one SIFT feature vector of the image feature be $(x_1, x_2, \ldots, x_{64})$ and one SIFT feature vector of the virus image feature be $(y_1, y_2, \ldots, y_{64})$. The vector distance d can be calculated based on the following formula (1):
According to the method provided by the embodiment of the invention, the range of the calculated vector distance can be between 0 and 1, and the distance threshold can be set to be 0.2. When the vector distance is less than 0.2, the two SIFT feature vectors can be considered similar.
For the case where the image feature or the virus image feature of one virus type includes only one feature vector or one feature matrix, the reciprocal of the vector distance may be regarded as the similarity, and the reciprocal of the distance threshold may be regarded as the similarity threshold. When the vector distance is less than the distance threshold, the similarity is greater than the similarity threshold.
Taking the feature vector as an example, since a plurality of feature vectors can be included in the image features, the number of feature vectors which are included in the image features corresponding to the target application and are similar to the virus image features of a certain virus type can be used to measure whether the image features corresponding to the target application are similar to the virus image features of the virus type. The more similar feature vectors, the more similar the image features are indicated. For example, as shown in the schematic diagram of determining similarity in fig. 6, the target application to be detected has sim_1=1 with the similar feature vector of virus type 1, sim_2=0 with the similar feature vector of virus type 2, sim_3=4 with the similar feature vector of virus type 3, and so on.
Of course, the server may also calculate the similarity of the image features and the virus image features based on a similarity algorithm, e.g., a cosine similarity algorithm, solving for Jaccard similarity coefficients, etc. The embodiment of the invention does not limit the specific algorithm for determining the similarity.
406. When the similarity of the image feature and the virus image feature is greater than a similarity threshold, the server marks the target application as a virus.
The server may determine whether the similarity determined in step 405 is greater than a similarity threshold. If any similarity is greater than the similarity threshold, the server may determine that the target application is a virus and may further mark the target application. If no similarity is greater than the similarity threshold, it cannot be concluded that the target application is a virus, and the server can temporarily judge the target application to be safe. If a target application program that was judged to be safe is actually a virus, it may be detected by other virus detection methods during subsequent use, or the virus image features corresponding to the target application program may be added to the virus library so that the virus detection method provided by the embodiment of the invention detects it when it is checked again.
In one possible implementation, after determining in step 405 the similarity between the image feature and the virus image feature of each virus type, the server may obtain the similarity maximum value and determine whether the similarity maximum value is greater than the similarity threshold. If the similarity maximum is greater than the similarity threshold, the target application program is a virus; if the similarity maximum is not greater than the similarity threshold, none of the remaining similarities is greater than the similarity threshold either, and the target application program can temporarily be judged safe. This avoids comparing every similarity with the similarity threshold and improves processing efficiency. When the similarity maximum is greater than the similarity threshold, the virus type of the virus image feature corresponding to the similarity maximum can be determined as the target virus type of the target application program, which improves the accuracy of virus detection and allows targeted countermeasures to be taken, thereby improving security.
For example, the similarity threshold may be set to 3. After the similarity of the target application under test to each virus type is determined in step 405, the similarity maximum value sim_3=4 may be obtained and compared with the similarity threshold 3. Since 4 > 3, the target application can be determined to be a virus.
If the server provides the virus detection service for an application market, the target application program can be refused listing in the application market, or removed from the application market, when it is judged to be a virus. If the server provides the virus detection service for other devices, the result of the virus detection may be sent to the device so that the user can decide whether to continue using the target application or uninstall it.
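The following Python sketch is an added illustration of steps 405 to 406 and is not code from the patent. Formula (1) is not reproduced on this page, so the plain Euclidean distance is assumed; the 4-dimensional vectors (instead of 64-dimensional SIFT vectors), the virus type names and the result layout are constructed for illustration, chosen so that the similarities match the fig. 6 example (1, 0 and 4).

```python
import math

DISTANCE_THRESHOLD = 0.2    # distance threshold given on the page
SIMILARITY_THRESHOLD = 3    # similarity threshold from the page's example

# Constructed target feature vectors (5 vectors, 4 dimensions each).
TARGET = [
    (0.10, 0.10, 0.10, 0.10),
    (0.50, 0.50, 0.50, 0.50),
    (0.90, 0.10, 0.90, 0.10),
    (0.10, 0.90, 0.10, 0.90),
    (0.30, 0.70, 0.30, 0.70),
]

# Constructed virus library: virus type -> set of feature vectors.
VIRUS_LIBRARY = {
    "type_1": [(0.12, 0.10, 0.11, 0.10), (0.00, 1.00, 1.00, 0.00)],
    "type_2": [(1.00, 1.00, 1.00, 1.00), (0.00, 0.00, 1.00, 1.00)],
    "type_3": [
        (0.52, 0.50, 0.48, 0.50),
        (0.90, 0.12, 0.88, 0.10),
        (0.10, 0.88, 0.12, 0.90),
        (0.31, 0.69, 0.30, 0.71),
    ],
}


def euclidean(a, b):
    """Plain Euclidean distance (assumed form of the page's formula (1))."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def similarity(target_vectors, virus_vectors, distance_threshold=DISTANCE_THRESHOLD):
    """Count the (target, virus) vector pairs whose distance is below the threshold."""
    return sum(
        1
        for t in target_vectors
        for v in virus_vectors
        if euclidean(t, v) < distance_threshold
    )


def detect(target_vectors, virus_library,
           distance_threshold=DISTANCE_THRESHOLD,
           similarity_threshold=SIMILARITY_THRESHOLD):
    """Traverse every virus type, keep the maximum similarity, apply the threshold."""
    sims = {
        vtype: similarity(target_vectors, vectors, distance_threshold)
        for vtype, vectors in virus_library.items()
    }
    if not sims:
        # An empty library can never flag anything.
        return {"is_virus": False, "virus_type": None, "similarities": sims}
    best_type = max(sims, key=sims.get)
    # Strictly greater than: a similarity equal to the threshold is not flagged.
    is_virus = sims[best_type] > similarity_threshold
    return {
        "is_virus": is_virus,
        "virus_type": best_type if is_virus else None,
        "similarities": sims,
    }


if __name__ == "__main__":
    print(detect(TARGET, VIRUS_LIBRARY))
```

Raising the similarity threshold to 4 leaves the same target unflagged, because the comparison is strictly greater than the threshold.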
For example, as shown in the schematic diagram of the virus detection system shown in fig. 7, the virus detection system may be composed of 4 sub-modules, such as a detection flow control sub-module, a behavior fingerprint extraction sub-module, a virus library generation sub-module, and a similarity degree sub-module. The detection flow control sub-module can call the other 3 sub-modules and can be used for realizing the flow of the whole virus detection; the behavior fingerprint extraction sub-module can be used for extracting image features, namely, the image features of the function execution image are behavior fingerprints; the virus library generation sub-module can call the behavior fingerprint extraction sub-module, and the generated virus library can store virus image characteristics of at least one virus type; the similarity degree sub-module can be used for determining the similarity of the image features corresponding to the target application program and the virus image features. The processing flow diagram of the detection flow control submodule is shown in fig. 8, the processing flow diagram of the behavior fingerprint extraction submodule is shown in fig. 9, the processing flow diagram of the virus detection method of the application program is shown in fig. 10, the processing flow diagram of the virus library generation submodule is shown in fig. 11, and the processing flow diagram of the similarity measurement submodule is shown in fig. 12.
The process of the step 401 may be implemented by the detection flow control submodule invoking the behavioral fingerprint extraction submodule, the process of the steps 402 to 404 may be implemented by the behavioral fingerprint extraction submodule, the process of generating virus image features in the step 404 may be implemented by the virus library generation submodule invoking the behavioral fingerprint extraction submodule, the process of the step 405 may be implemented by the detection flow control submodule invoking the similarity measure submodule, and the process of the step 406 may be implemented by the detection flow control submodule.
In the embodiment of the invention, a virus in an application program exhibits certain characteristic function execution behaviors, and even if the source code of the virus is changed, its functions generally are not. The server therefore detects viruses based on the function execution information of the application program, so that modified variants of a virus can also be detected, which gives the method stronger generalization capability. In addition, because features extracted from images are comparatively reliable, the embodiment of the invention generates a function execution image from the function execution information of the application program and compares the image features of the application program under test with the virus image features, thereby improving the accuracy of virus detection.
The virus detection process of an application program is described below, taking virus detection based on interaction between a server and a user device in the implementation environment shown in fig. 2 as an example. Fig. 13 is a flowchart of a virus detection method of an application program of the present invention; the process flow of the method may include the following steps:
1300. The user equipment acquires at least one function execution information of the target application program in the running process according to the virus detection instruction.
1301. The user equipment sends a virus detection request to the server, wherein the virus detection request carries at least one function execution information of the target application program in the running process.
1302. After receiving the virus detection request, the server constructs a function execution sequence according to the function execution time in the at least one piece of function execution information based on the function identifier in the at least one piece of function execution information.
1303. The server converts the function identification in the function execution sequence into pixel points, and generates a function execution image of the target application program.
1304. The server extracts image features of the function execution image of the target application.
1305. The server traverses virus image features of multiple virus types, and each time traverses virus image features of one virus type, the similarity between the image features and the virus image features of the virus type is obtained.
1306. When the similarity of the image feature and the virus image feature is greater than a similarity threshold, the server marks the target application as a virus.
1307. The server sends the virus detection result to the user equipment.
1308. After receiving the virus detection result, the user equipment gives a virus prompt.
In the embodiment of the invention, a virus in an application program exhibits certain characteristic function execution behaviors, and even if the source code of the virus is changed, its functions generally are not. The server therefore detects viruses based on the function execution information of the application program, so that modified variants of a virus can also be detected, which gives the method stronger generalization capability. In addition, because features extracted from images are comparatively reliable, the embodiment of the invention generates a function execution image from the function execution information of the application program and compares the image features of the application program under test with the virus image features, thereby improving the accuracy of virus detection. Further, the user equipment sends the function execution information acquired in the running process to the server for detection, so that the processing pressure of the server can be reduced.
The virus detection process of an application program is described below, taking virus detection based on interaction between a server and a user device in the implementation environment shown in fig. 2 as an example. Fig. 14 is a flowchart of a virus detection method of an application program of the present invention; the process flow of the method may include the following steps:
1401. The user equipment acquires at least one function execution information of the target application program in the running process according to the virus detection instruction.
1402. The user equipment constructs a function execution sequence based on the function identification in the at least one function execution information according to the function execution time in the at least one function execution information.
1403. The user equipment converts the function identification in the function execution sequence into pixel points to generate a function execution image of the target application program.
1404. The user device extracts image features of the function execution image of the target application.
1405. The user equipment traverses virus image features of multiple virus types, and each time traverses virus image features of one virus type, the similarity between the image features and the virus image features of the virus type is obtained.
1406. When the similarity of the image feature and the virus image feature is greater than a similarity threshold, the user device marks the target application as a virus.
1407. The user equipment gives a virus prompt according to the virus detection result.
In the embodiment of the invention, a virus in an application program exhibits certain characteristic function execution behaviors, and even if the source code of the virus is changed, its functions generally are not. The server therefore detects viruses based on the function execution information of the application program, so that modified variants of a virus can also be detected, which gives the method stronger generalization capability. In addition, because features extracted from images are comparatively reliable, the embodiment of the invention generates a function execution image from the function execution information of the application program and compares the image features of the application program under test with the virus image features, thereby improving the accuracy of virus detection. Furthermore, the user equipment performs the virus detection based on the local virus database, so that the virus detection can be completed in an offline scenario.
Based on the same technical conception, the embodiment of the invention also provides a virus detection device of the application program, and the device can be the server. As shown in fig. 15, the apparatus includes:
an obtaining module 1510, configured to obtain, according to a virus detection instruction for a target application program, at least one function execution information of the target application program, where the at least one function execution information is used to record a function executed by the target application program in a running process;
a generating module 1520, configured to generate a function execution image of the target application program according to at least one function execution information of the target application program;
an extraction module 1530 for extracting image features of the function execution image;
a determining module 1540, configured to flag the target application as a virus when the similarity of the image feature and the virus image feature is greater than a similarity threshold.
Optionally, the obtaining module 1510 is configured to:
invoking a simulator, loading the target application program into the simulator to run, recording function execution information of the target application program in the running process, and obtaining at least one piece of recorded function execution information, wherein the simulator is used for simulating the running environment of user equipment; or
receiving at least one piece of function execution information recorded while the target application program runs on another device.
Optionally, the at least one function execution information includes:
at least one piece of function execution information recorded by the target application program in the running process of the first preset duration; or
at least one piece of function execution information recorded by the target application program in a target running process among a plurality of running processes, wherein the target running process is the running process with the largest amount of recorded information among the plurality of running processes.
Optionally, each piece of function execution information includes a function identifier and a function execution time, and the generating module 1520 is configured to:
constructing a function execution sequence based on the function identifications in the at least one piece of function execution information according to the function execution time in the at least one piece of function execution information, wherein the function execution sequence is composed of the plurality of function identifications;
and converting the function identification in the function execution sequence into pixel points to generate a function execution image of the target application program.
Optionally, the generating module 1520 is configured to:
determining the function execution sequence of the at least one piece of function execution information based on the function execution time in the at least one piece of function execution information, and sequencing the function identifiers in the at least one piece of function execution information according to the function execution sequence to obtain a function execution sequence.
Optionally, the generating module 1520 is configured to:
based on a preset function execution information arrangement rule, arranging the at least one piece of function execution information, and forming a function execution sequence according to the sequence of the arranged function execution information by using function identifiers in the arranged at least one piece of function execution information.
Optionally, the determining module 1540 is configured to:
traversing virus image features of multiple virus types, and acquiring similarity between the image features and the virus image features of the virus types by traversing the virus image features of one virus type each time;
and marking the target application program as a virus when the similarity maximum value is larger than the similarity threshold value.
Optionally, the image feature comprises a plurality of target feature vectors, and the virus image feature comprises a plurality of feature vectors;
the determining module 1540 is configured to:
determining a vector distance of each target feature vector of the image feature to each feature vector of the virus image feature of the virus type, determining a number of vector distances less than a distance threshold as a similarity of the image feature and the virus image feature of the virus type.
Optionally, the determining module 1540 is further configured to:
And determining the virus type of the virus image characteristic corresponding to the similarity maximum as the target virus type of the target application program.
The specific manner in which the various modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the method embodiments, and is not described in detail here.
In the embodiment of the invention, viruses in application programs exhibit certain characteristic function execution behaviors, and even when the source code of a virus is changed, its functions generally are not. Because the server detects viruses based on the function execution information of the application program, modified (deformed) variants of a virus can also be detected, which gives the method stronger generalization capability. In addition, because features extracted from images are comparatively reliable, the embodiment of the invention generates a function execution image from the function execution information of the application program and compares the image features of the application program under test with the virus image features, thereby improving the accuracy of virus detection.
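The following Python sketch is an added example, not code from the patent; it walks a constructed trace through the steps the modules above describe: ordering by execution time, converting identifiers to pixels, extracting feature vectors, counting vector distances below the distance threshold, and taking the maximum over virus types. The numeric function identifiers, the `id % 256` pixel mapping, the sliding-window feature extractor, the image width and both thresholds are assumptions chosen for illustration.

```python
import math

# All constants below are assumptions for this example, not values from the patent.
WIDTH = 3                  # image width in pixels
WINDOW = 3                 # length of each feature vector
DISTANCE_THRESHOLD = 8.0   # two vectors "match" when their distance is below this
SIMILARITY_THRESHOLD = 1   # mark as virus when the best similarity exceeds this


def build_sequence(records):
    """Order (function_id, execution_time) records by time; keep the identifiers."""
    return [fid for fid, _ in sorted(records, key=lambda r: r[1])]


def sequence_to_image(sequence, width=WIDTH):
    """Map each identifier to one grayscale pixel and lay the pixels out in rows.

    The id % 256 mapping is an assumed stand-in for the identifier-to-pixel step.
    The last row is zero-padded so that the image is rectangular.
    """
    pixels = [fid % 256 for fid in sequence]
    pixels += [0] * (-len(pixels) % width)
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def extract_features(image, window=WINDOW):
    """Stand-in feature extractor: sliding windows over the flattened image."""
    flat = [p for row in image for p in row]
    return [tuple(flat[i:i + window]) for i in range(len(flat) - window + 1)]


def features_from_records(records):
    return extract_features(sequence_to_image(build_sequence(records)))


def similarity(target_vectors, virus_vectors, distance_threshold=DISTANCE_THRESHOLD):
    """Count the (target, virus) vector pairs whose distance is below the threshold."""
    return sum(
        1
        for t in target_vectors
        for v in virus_vectors
        if math.dist(t, v) < distance_threshold
    )


def classify(records, virus_library, similarity_threshold=SIMILARITY_THRESHOLD):
    """Traverse every virus type, keep the maximum similarity, then apply the threshold.

    Returns (is_virus, virus_type_or_None, max_similarity).
    """
    target = features_from_records(records)
    scores = {vtype: similarity(target, feats) for vtype, feats in virus_library.items()}
    if not scores:
        return False, None, 0
    best_type = max(scores, key=scores.get)
    best = scores[best_type]
    if best > similarity_threshold:
        return True, best_type, best
    return False, None, best


# Constructed reference traces for two hypothetical virus types.
VIRUS_LIBRARY = {
    "family_a": features_from_records(
        [(10, 1.0), (40, 2.0), (90, 3.0), (130, 4.0), (200, 5.0), (250, 6.0)]
    ),
    "family_b": features_from_records(
        [(20, 1.0), (220, 2.0), (60, 3.0), (180, 4.0), (110, 5.0), (240, 6.0)]
    ),
}

# Constructed variant of family_a: one extra call (77) inserted, records out of order.
VARIANT_TRACE = [
    (130, 5.0), (10, 1.0), (77, 4.0), (40, 2.0), (250, 7.0), (90, 3.0), (200, 6.0),
]

# Constructed trace with unrelated behavior.
BENIGN_TRACE = [(15, 1.0), (70, 2.0), (160, 3.0), (35, 4.0), (210, 5.0), (95, 6.0)]

if __name__ == "__main__":
    print(classify(VARIANT_TRACE, VIRUS_LIBRARY))
    print(classify(BENIGN_TRACE, VIRUS_LIBRARY))
```

The inserted call breaks two of the four reference windows, so the variant's similarity drops from 4 to 2; how far the two thresholds can be relaxed before unrelated traces start matching is the tuning question this scheme leaves to the implementer.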
It should be noted that the virus detection device for an application program provided in the above embodiment is illustrated only with the above division of functional modules. In practical applications, the functions may be assigned to different functional modules as needed; that is, the internal structure of the server may be divided into different functional modules to complete all or part of the functions described above. In addition, the virus detection device for an application program and the virus detection method for an application program provided in the above embodiments belong to the same concept; the detailed implementation process is described in the method embodiment and is not repeated here.
Based on the same technical conception, the embodiment of the invention also provides a virus detection device of the application program, and the device can be the user equipment. As shown in fig. 16, the apparatus includes:
a calling module 1610, configured to call a simulator according to a virus detection instruction for a target application program, and load the target application program to the simulator for running, where the simulator is configured to simulate an isolated running environment;
an obtaining module 1620, configured to obtain function execution information of the target application in a running process, to obtain at least one function execution information, where the at least one function execution information is used to record a function executed by the target application when running in the simulator;
a sending module 1630, configured to send a virus detection request to a server, where the virus detection request carries the at least one function execution information, and the virus detection request is used to instruct the server to detect the target application program;
the prompting module 1640 is configured to prompt for a virus according to a received virus detection result, where the virus detection result is obtained based on the at least one function execution information.
Optionally, the acquiring module 1620 is configured to:
acquiring function execution information of the target application program in the running process of a first preset duration;
or
and acquiring the function execution information of the target application program in a plurality of running processes, and acquiring at least one piece of function execution information recorded in the target running process in the plurality of running processes, wherein the target running process is the running process with the largest quantity of the recorded information in the plurality of running processes.
It should be noted that the virus detection device for an application program provided in the above embodiment is illustrated only with the above division of functional modules. In practical applications, the functions may be assigned to different functional modules as needed; that is, the internal structure of the server may be divided into different functional modules to complete all or part of the functions described above. In addition, the virus detection device for an application program and the virus detection method for an application program provided in the above embodiments belong to the same concept; the detailed implementation process is described in the method embodiment and is not repeated here.
Fig. 17 is a schematic structural diagram of a server according to an embodiment of the present invention. The server 1700 may vary considerably depending on its configuration or performance, and may include one or more processors (central processing units, CPUs) 1701 and one or more memories 1702, where at least one instruction is stored in the memories 1702, and the at least one instruction is loaded and executed by the processors 1701 to implement the following virus detection method steps of an application program:
According to a virus detection instruction of a target application program, acquiring at least one function execution information of the target application program, wherein the at least one function execution information is used for recording a function executed by the target application program in the running process;
generating a function execution image of the target application program according to at least one function execution information of the target application program;
extracting image features of the function execution image;
and marking the target application program as virus when the similarity of the image characteristic and the virus image characteristic is larger than a similarity threshold value.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the method steps of:
invoking a simulator, loading the target application program to the simulator for operation, recording function execution information of the target application program in the operation process, and obtaining a plurality of recorded function execution information, wherein the simulator is used for simulating the operation environment of user equipment; or
receiving at least one piece of function execution information recorded in the process that the target application program runs on another device.
Optionally, each piece of function execution information includes a function identifier and a function execution time, and the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
Constructing a function execution sequence based on the function identifications in the at least one piece of function execution information according to the function execution time in the at least one piece of function execution information, wherein the function execution sequence consists of the function identifications, and the sequence of the function identifications in the function execution sequence is the function execution sequence;
and converting the function identification in the function execution sequence into pixel points to generate a function execution image of the target application program.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the method steps of:
determining a function execution sequence of the at least one piece of function execution information based on the function execution time in the at least one piece of function execution information, and sequencing function identifiers in the at least one piece of function execution information according to the function execution sequence to obtain a function execution sequence.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the method steps of:
arranging the at least one piece of function execution information based on a preset function execution information arrangement rule, and forming a function execution sequence according to the sequence of the arranged function execution information by using function identifiers in the arranged at least one piece of function execution information.
Optionally, the virus image features include virus image features of at least one virus type;
the at least one instruction is loaded and executed by the processor 1701 to implement the method steps of:
traversing virus image features of multiple virus types, and acquiring similarity between the image features and the virus image features of the virus types by traversing the virus image features of one virus type each time;
and marking the target application program as a virus when the similarity maximum value is larger than the similarity threshold value.
Optionally, the image feature comprises a plurality of target feature vectors, and the virus image feature comprises a plurality of feature vectors;
the at least one instruction is loaded and executed by the processor 1701 to implement the method steps of:
determining a vector distance of each target feature vector of the image feature to each feature vector of the virus image feature of the virus type, determining a number of vector distances less than a distance threshold as a similarity of the image feature and the virus image feature of the virus type.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the method steps of:
And determining the virus type of the virus image characteristic corresponding to the similarity maximum as the target virus type of the target application program.
In the embodiment of the invention, viruses in application programs exhibit certain characteristic function execution behaviors, and even when the source code of a virus is changed, its functions generally are not. Because the server detects viruses based on the function execution information of the application program, modified (deformed) variants of a virus can also be detected, which gives the method stronger generalization capability. In addition, because features extracted from images are comparatively reliable, the embodiment of the invention generates a function execution image from the function execution information of the application program and compares the image features of the application program under test with the virus image features, thereby improving the accuracy of virus detection.
Fig. 18 is a block diagram of a terminal according to an embodiment of the present invention. The terminal 1800 may be: a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a notebook computer, or a desktop computer. The terminal 1800 may also be referred to as a user device, portable terminal, laptop terminal, desktop terminal, or the like.
In general, the terminal 1800 includes: a processor 1801 and a memory 1802.
The memory 1802 may include one or more computer-readable storage media, which may be non-transitory. The memory 1802 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 1802 is used to store at least one instruction for execution by processor 1801 to implement a virus detection method for an application provided by a method embodiment in the present application.
In some embodiments, the terminal 1800 may also optionally include: a peripheral interface 1803 and at least one peripheral. The processor 1801, memory 1802, and peripheral interface 1803 may be connected by a bus or signal line. The individual peripheral devices may be connected to the peripheral device interface 1803 by buses, signal lines or circuit boards. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1804, a touch display screen 1805, a camera 1806, audio circuitry 1807, a positioning assembly 1808, and a power supply 1809.
The peripheral interface 1803 may be used to connect I/O (Input/Output) related at least one peripheral device to the processor 1801 and memory 1802. In some embodiments, processor 1801, memory 1802, and peripheral interface 1803 are integrated on the same chip or circuit board; in some other embodiments, either or both of the processor 1801, memory 1802, and peripheral interface 1803 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The radio frequency circuit 1804 is configured to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The radio frequency circuit 1804 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 1804 converts electrical signals to electromagnetic signals for transmission, or converts received electromagnetic signals to electrical signals. Optionally, the radio frequency circuit 1804 includes: antenna systems, RF transceivers, one or more amplifiers, tuners, oscillators, digital signal processors, codec chipsets, subscriber identity module cards, and so forth. The radio frequency circuit 1804 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 1804 may also include NFC (Near Field Communication) related circuitry, which is not limited in this application.
The display 1805 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 1805 is a touch display, the display 1805 also has the ability to collect touch signals at or above the surface of the display 1805. The touch signal may be input as a control signal to the processor 1801 for processing. In this case, the display 1805 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display 1805, disposed on the front panel of the terminal 1800; in other embodiments, there may be at least two displays 1805, disposed on different surfaces of the terminal 1800 or in a folded configuration; in still other embodiments, the display 1805 may be a flexible display disposed on a curved surface or a folded surface of the terminal 1800. The display 1805 may even be arranged in a non-rectangular irregular pattern, i.e., a shaped screen. The display 1805 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The camera assembly 1806 is used to capture images or video. Optionally, the camera assembly 1806 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal. In some embodiments, the at least two rear cameras are any one of a main camera, a depth camera, a wide-angle camera and a tele camera, so as to realize that the main camera and the depth camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize a panoramic shooting and Virtual Reality (VR) shooting function or other fusion shooting functions. In some embodiments, the camera assembly 1806 may also include a flash. The flash lamp can be a single-color temperature flash lamp or a double-color temperature flash lamp. The dual-color temperature flash lamp refers to a combination of a warm light flash lamp and a cold light flash lamp, and can be used for light compensation under different color temperatures.
The audio circuitry 1807 may include a microphone and a speaker. The microphone is used for collecting sound waves of users and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 1801 for processing, or inputting the electric signals to the radio frequency circuit 1804 for realizing voice communication. For stereo acquisition or noise reduction purposes, the microphone may be multiple, and disposed at different locations of the terminal 1800. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is then used to convert electrical signals from the processor 1801 or the radio frequency circuit 1804 into sound waves. The speaker may be a conventional thin film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to humans, but also the electric signal can be converted into a sound wave inaudible to humans for ranging and other purposes. In some embodiments, the audio circuitry 1807 may also include a headphone jack.
The positioning component 1808 is used to locate the current geographic location of the terminal 1800 to enable navigation or LBS (Location Based Service). The positioning component 1808 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
A power supply 1809 is used to power the various components in the terminal 1800. The power supply 1809 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 1809 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, the terminal 1800 also includes one or more sensors 1810. The one or more sensors 1810 include, but are not limited to: acceleration sensor 1811, gyroscope sensor 1812, pressure sensor 1813, fingerprint sensor 1814, optical sensor 1815, and proximity sensor 1816.
The acceleration sensor 1811 may detect the magnitudes of accelerations on three coordinate axes of a coordinate system established with the terminal 1800. For example, the acceleration sensor 1811 may be used to detect components of gravitational acceleration on three coordinate axes. The processor 1801 may control the touch display screen 1805 to display a user interface in either a landscape view or a portrait view based on gravitational acceleration signals acquired by the acceleration sensor 1811. The acceleration sensor 1811 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 1812 may detect a body direction and a rotation angle of the terminal 1800, and the gyro sensor 1812 may collect a 3D motion of the user to the terminal 1800 in cooperation with the acceleration sensor 1811. The processor 1801 may implement the following functions based on the data collected by the gyro sensor 1812: motion sensing (e.g., changing UI according to a tilting operation by a user), image stabilization at shooting, game control, and inertial navigation.
Pressure sensor 1813 may be disposed on a side frame of terminal 1800 and/or below touch display 1805. When the pressure sensor 1813 is disposed at a side frame of the terminal 1800, a grip signal of the terminal 1800 by a user may be detected, and the processor 1801 performs a left-right hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 1813. When the pressure sensor 1813 is disposed at the lower layer of the touch screen 1805, the processor 1801 controls the operability control on the UI interface according to the pressure operation of the user on the touch screen 1805. The operability controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 1814 is used to collect a fingerprint of the user, and the processor 1801 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 1814, or the fingerprint sensor 1814 identifies the identity of the user according to the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the processor 1801 authorizes the user to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, etc. The fingerprint sensor 1814 may be provided on the front, back or side of the terminal 1800. When a physical key or vendor Logo is provided on the terminal 1800, the fingerprint sensor 1814 may be integrated with the physical key or vendor Logo.
The optical sensor 1815 is used to collect the ambient light intensity. In one embodiment, the processor 1801 may control the display brightness of the touch display screen 1805 based on the intensity of ambient light collected by the optical sensor 1815. Specifically, when the ambient light intensity is high, the display brightness of the touch display screen 1805 is turned up; when the ambient light intensity is low, the display brightness of the touch display screen 1805 is turned down. In another embodiment, the processor 1801 may also dynamically adjust the shooting parameters of the camera assembly 1806 based on the intensity of ambient light collected by the optical sensor 1815.
A proximity sensor 1816, also known as a distance sensor, is typically provided on the front panel of the terminal 1800. Proximity sensor 1816 is used to collect the distance between the user and the front face of terminal 1800. In one embodiment, when the proximity sensor 1816 detects that the distance between the user and the front face of the terminal 1800 gradually decreases, the processor 1801 controls the touch display 1805 to switch from the bright screen state to the off-screen state; when the proximity sensor 1816 detects that the distance between the user and the front of the terminal 1800 gradually increases, the touch display 1805 is controlled by the processor 1801 to switch from the off-screen state to the on-screen state.
Those skilled in the art will appreciate that the structure shown in fig. 18 is not limiting and may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
In an exemplary embodiment, a computer readable storage medium is also provided, such as a memory comprising instructions executable by a processor in a device to perform the virus detection method of the application program described above. For example, the computer readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.
Claims (13)
1. A method for detecting viruses in an application, the method comprising:
according to a virus detection instruction of a target application program, acquiring at least one function execution information of the target application program, wherein the at least one function execution information is used for recording a function executed by the target application program in the running process;
constructing a function execution sequence based on the function identifier in the at least one piece of function execution information according to the function execution time in the at least one piece of function execution information, wherein the function execution sequence is composed of the function identifiers;
converting the function identification in the function execution sequence into pixel points to generate a function execution image of the target application program;
extracting image features of the function execution image;
and marking the target application program as virus when the similarity of the image characteristic and the virus image characteristic is larger than a similarity threshold value.
2. The method of claim 1, wherein the obtaining at least one function execution information of the target application program comprises:
invoking a simulator, loading the target application program to the simulator for operation, recording function execution information of the target application program in the operation process, and obtaining at least one recorded function execution information, wherein the simulator is used for simulating the operation environment of user equipment; or
receiving at least one piece of function execution information recorded in the process that the target application program runs on another device.
3. The method of claim 1, wherein the at least one function execution information comprises:
at least one piece of function execution information recorded by the target application program during a running process of a first preset duration; or
and the target application program records at least one function execution information in a target operation process of a plurality of operation processes, wherein the target operation process is the operation process with the largest amount of recorded information in the plurality of operation processes.
4. The method of claim 1, wherein the constructing a function execution sequence according to the function execution time in the at least one piece of function execution information based on the function identification in the at least one piece of function execution information includes:
determining a function execution order of the at least one function execution information based on a function execution time in the at least one function execution information;
and sequencing the function identifiers in the at least one piece of function execution information according to the function execution sequence to obtain a function execution sequence.
5. The method of claim 1, wherein the determining that the target application is a virus when the similarity of the image feature and the virus image feature is greater than a similarity threshold comprises:
traversing virus image features of multiple virus types, and acquiring similarity between the image features and the virus image features of the virus types by traversing the virus image features of one virus type each time;
and marking the target application program as a virus when the similarity maximum value is larger than the similarity threshold value.
6. The method of claim 5, wherein the image features comprise a plurality of target feature vectors and the virus image features comprise a plurality of feature vectors;
the obtaining the similarity of the image feature and the virus image feature of the virus type comprises the following steps:
determining a vector distance of each target feature vector of the image feature to each feature vector of the virus image feature of the virus type, determining a number of vector distances less than a distance threshold as a similarity of the image feature and the virus image feature of the virus type.
7. The method of claim 5, wherein the method further comprises:
And determining the virus type of the virus image characteristic corresponding to the similarity maximum as the target virus type of the target application program.
8. A method for detecting viruses in an application, the method comprising:
according to a virus detection instruction of a target application program, a simulator is called, and the target application program is loaded to the simulator for operation, wherein the simulator is used for simulating an isolated operation environment;
acquiring function execution information of the target application program in the running process to obtain at least one piece of function execution information, wherein the at least one piece of function execution information is used for recording the function executed by the target application program in the simulator in running;
a virus detection request is sent to a server, the virus detection request carries the at least one piece of function execution information, the virus detection request is used for indicating the server to construct a function execution sequence based on function identifications in the at least one piece of function execution information according to the function execution time in the at least one piece of function execution information, the function execution sequence consists of the function identifications, the function identifications in the function execution sequence are converted into pixel points, a function execution image of the target application program is generated, image features of the function execution image are extracted, and when the similarity of the image features and virus image features is larger than a similarity threshold, the target application program is marked as a virus;
And carrying out virus prompt according to the received virus detection result, wherein the virus detection result is obtained based on the at least one function execution information.
9. The method of claim 8, wherein the obtaining the function execution information of the target application during the running process includes:
acquiring function execution information of the target application program in the running process of a first preset duration;
or
the method comprises the steps of obtaining function execution information of a target application program in a multi-time operation process, and obtaining at least one piece of function execution information recorded in the target operation process in the multi-time operation process, wherein the target operation process is the operation process with the largest quantity of information recorded in the multi-time operation process.
10. A virus detection device for an application program, the device comprising:
an acquisition module, used for acquiring at least one piece of function execution information of a target application program according to a virus detection instruction of the target application program, wherein the at least one piece of function execution information is used for recording the functions executed by the target application program in the running process;
a generating module, configured to construct a function execution sequence according to a function execution time in the at least one piece of function execution information based on a function identifier in the at least one piece of function execution information, where the function execution sequence is composed of the function identifiers; converting the function identification in the function execution sequence into pixel points to generate a function execution image of the target application program;
an extraction module, used for extracting image features of the function execution image;
and a determining module, used for marking the target application program as a virus when the similarity of the image features and the virus image features is greater than a similarity threshold.
11. A virus detection device for an application program, the device comprising:
the call module is used for calling a simulator according to a virus detection instruction of a target application program, and loading the target application program to the simulator for operation, wherein the simulator is used for simulating an isolated operation environment;
the acquisition module is used for acquiring the function execution information of the target application program in the running process to obtain at least one piece of function execution information, wherein the at least one piece of function execution information is used for recording the function executed by the target application program in the running process of the simulator;
a sending module, configured to send a virus detection request to a server, where the virus detection request carries the at least one function execution information, where the virus detection request is used to instruct the server to construct a function execution sequence based on a function identifier in the at least one function execution information according to a function execution time in the at least one function execution information, where the function execution sequence is composed of the function identifiers, convert the function identifier in the function execution sequence into a pixel point, generate a function execution image of the target application, extract an image feature of the function execution image, and mark the target application as a virus when a similarity between the image feature and a virus image feature is greater than a similarity threshold;
and the prompting module is used for giving a virus prompt according to the received virus detection result, wherein the virus detection result is obtained based on the at least one piece of function execution information.
12. A computer device comprising a processor and a memory, the memory having stored therein at least one instruction that is loaded and executed by the processor to implement a virus detection method of an application according to any one of claims 1 to 7; or, a virus detection method of an application program as claimed in any one of claims 8 to 9.
13. A computer readable storage medium having stored therein at least one instruction that is loaded and executed by a processor to implement the method of virus detection of an application of any one of claims 1 to 7; or, a virus detection method of an application program as claimed in any one of claims 8 to 9.
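The server-side steps recited in the claims above (sequence ordered by execution time, identifiers converted to pixels, image features, similarity threshold) can be sketched as follows. This is an added illustration, not code from the patent: the identifier-to-pixel table, the co-occurrence feature, the cosine similarity, the 0.9 threshold and all function names and sample traces are assumptions constructed for the example.

```python
import math

# Assumed identifier-to-grey-level table (constructed; unknown identifiers map to 0).
PIXEL_OF = {"read_contacts": 10, "open_file": 80, "connect": 150, "send": 220}
LEVELS, WIDTH, THRESHOLD = 4, 4, 0.9  # assumed quantisation, image width, threshold

def build_sequence(records):
    """Order function identifiers by their recorded execution time."""
    return [fid for _, fid in sorted(records, key=lambda r: r[0])]

def to_image(sequence):
    """Convert each identifier to a pixel and wrap the pixels into rows."""
    pixels = [PIXEL_OF.get(fid, 0) for fid in sequence]
    return [pixels[i:i + WIDTH] for i in range(0, len(pixels), WIDTH)]

def extract_features(image):
    """Assumed feature: co-occurrence counts of horizontally adjacent
    quantised pixels, which stays sensitive to call order."""
    glcm = [0] * (LEVELS * LEVELS)
    for row in image:
        q = [p * LEVELS // 256 for p in row]
        for a, b in zip(q, q[1:]):
            glcm[a * LEVELS + b] += 1
    return glcm

def similarity(f1, f2):
    """Cosine similarity; 0.0 when either vector carries no counts."""
    n1 = math.sqrt(sum(x * x for x in f1))
    n2 = math.sqrt(sum(x * x for x in f2))
    if n1 == 0 or n2 == 0:
        return 0.0
    return sum(x * y for x, y in zip(f1, f2)) / (n1 * n2)

def is_virus(records, virus_features):
    """Mark the trace as a virus when similarity exceeds the threshold."""
    feats = extract_features(to_image(build_sequence(records)))
    return similarity(feats, virus_features) > THRESHOLD

def trace(names):
    """Constructed sample input: (time, identifier) records, delivered out of order."""
    return list(reversed(list(enumerate(names))))

KNOWN = ["read_contacts", "connect", "send", "send"] * 2   # constructed virus trace
VIRUS_FEATURES = extract_features(to_image(build_sequence(trace(KNOWN))))
VARIANT = trace(KNOWN[:-1] + ["open_file"])                # one call changed
BENIGN = trace(["open_file"] * 8)
```

With these constructed traces, the variant that differs from the known sample in a single call scores about 0.913 and is flagged, while the benign trace shares no co-occurrence pairs and scores 0.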
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811042877.1A CN109117635B (en) | 2018-09-06 | 2018-09-06 | Virus detection method and device for application program, computer equipment and storage medium |
| PCT/CN2019/103600 WO2020048392A1 (en) | 2018-09-06 | 2019-08-30 | Application virus detection method, apparatus, computer device, and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109117635A (en) | 2019-01-01 |
| CN109117635B (en) | 2023-07-04 |
Family
ID=64858175
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811042877.1A Active CN109117635B (en) | 2018-09-06 | 2018-09-06 | Virus detection method and device for application program, computer equipment and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN109117635B (en) |
| WO (1) | WO2020048392A1 (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109117635B (en) * | 2018-09-06 | 2023-07-04 | 腾讯科技(深圳)有限公司 | Virus detection method and device for application program, computer equipment and storage medium |
| CN110502900B (en) * | 2019-08-26 | 2022-07-05 | Oppo广东移动通信有限公司 | A detection method, terminal, server and computer storage medium |
| CN112487428B (en) * | 2020-11-26 | 2022-03-11 | 南方电网数字电网研究院有限公司 | Dormant combined computer virus discovery method based on block chain |
| CN112668649B (en) * | 2020-12-29 | 2022-04-22 | 中国南方电网有限责任公司 | Reliability verification method, device and system based on computer forensics |
| CN112597499B (en) * | 2020-12-30 | 2024-02-20 | 北京启明星辰信息安全技术有限公司 | Nondestructive security inspection method and system for video monitoring equipment |
| CN115164328A (en) * | 2022-06-09 | 2022-10-11 | 青岛海尔空调器有限总公司 | Method and device for controlling air conditioner, air conditioner and storage medium |
| CN115033895B (en) * | 2022-08-12 | 2022-12-09 | 中国电子科技集团公司第三十研究所 | Binary program supply chain safety detection method and device |
| CN116956295B (en) * | 2023-09-19 | 2024-01-05 | 杭州海康威视数字技术股份有限公司 | Safety detection methods, devices and equipment based on file map fitting |
| CN117951700B (en) * | 2024-01-16 | 2024-09-17 | 北京知其安科技有限公司 | Environment safety detection method, system, terminal and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2010097550A (en) * | 2008-10-20 | 2010-04-30 | Intelligent Software:Kk | Virus prevention program, storage device detachable from computer, and virus prevention method |
Family Cites Families (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7546471B2 (en) * | 2005-01-14 | 2009-06-09 | Microsoft Corporation | Method and system for virus detection using pattern matching techniques |
| JP4788808B2 (en) * | 2009-08-06 | 2011-10-05 | コニカミノルタビジネステクノロジーズ株式会社 | Job processing system, image processing apparatus, virus detection method, and virus detection program |
| US8806644B1 (en) * | 2012-05-25 | 2014-08-12 | Symantec Corporation | Using expectation measures to identify relevant application analysis results |
| CN103699843A (en) * | 2013-12-30 | 2014-04-02 | 珠海市君天电子科技有限公司 | Malicious activity detection method and device |
| JP2015191458A (en) * | 2014-03-28 | 2015-11-02 | エヌ・ティ・ティ・ソフトウェア株式会社 | File risk determination device, file risk determination method, and program |
| CN104572821B (en) * | 2014-12-03 | 2016-12-14 | 深圳市腾讯计算机系统有限公司 | A kind of document handling method and device |
| CN106960153B (en) * | 2016-01-12 | 2021-01-29 | 阿里巴巴集团控股有限公司 | Virus type identification method and device |
| CN105653956B (en) * | 2016-03-02 | 2019-01-25 | 中国科学院信息工程研究所 | Android malware classification method based on dynamic behavioral dependency graph |
| CN106096411B (en) * | 2016-06-08 | 2018-09-18 | 浙江工业大学 | A kind of Android malicious code family classification methods based on bytecode image clustering |
| US10586045B2 (en) * | 2016-08-11 | 2020-03-10 | The Mitre Corporation | System and method for detecting malware in mobile device software applications |
| WO2018060470A1 (en) * | 2016-09-30 | 2018-04-05 | AVAST Software s.r.o. | System and method utilizing function length statistics to determine file similarity |
| CN106709350B (en) * | 2016-12-30 | 2020-01-14 | 腾讯科技(深圳)有限公司 | Virus detection method and device |
| CN107657175A (en) * | 2017-09-15 | 2018-02-02 | 北京理工大学 | A kind of homologous detection method of malice sample based on image feature descriptor |
| CN108268778B (en) * | 2018-02-26 | 2023-06-23 | 腾讯科技(深圳)有限公司 | Data processing method, device and storage medium |
| CN108334781B (en) * | 2018-03-07 | 2020-04-14 | 腾讯科技(深圳)有限公司 | Virus detection method, device, computer readable storage medium and computer equipment |
| CN109117635B (en) * | 2018-09-06 | 2023-07-04 | 腾讯科技(深圳)有限公司 | Virus detection method and device for application program, computer equipment and storage medium |
- 2018-09-06: CN application CN201811042877.1A (CN109117635B), status: Active
- 2019-08-30: WO application PCT/CN2019/103600 (WO2020048392A1), status: Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| WO2020048392A1 (en) | 2020-03-12 |
| CN109117635A (en) | 2019-01-01 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40001815; Country of ref document: HK |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |