System and method for program security protection

1 . A method for program security protection, comprising: obtaining data packets transceived by a first program; analyzing similarities among the obtained data packets for a plurality of transmissions; and determining a security threat to the first program based on the analyzed similarities, wherein: the obtained data packets comprise a first data packet and a second data packet; analyzing the similarities among the obtained data packets comprises determining a number of atomic operations required to change a first string X of the first data packet to a second string Y of the second data packet; the first string X has a length i; the second string Y has a length j; the number of atomic operations required to change the first string X to the second string Y is D(X i , Y j ); and determining the number of atomic operations required to change the first string X of the first data packet to the second string Y of the second data packet comprises: (1) in response to determining the ith string character of the first string is the same as the jth string character of the second string, obtaining D(X i-1 , Y j-1 ) as equal to D(X i , Y j ); (2) in response to determining the ith string character of the first string is different from the jth string character of the second string, obtaining the minimum value of [D(X i-1 , Y j-1 )+1], [D(X i , Y j-1 )+1], and [D(X i-1 , Y j )+1] as equal to D(X i , Y j ); and (3) recursively applying steps (1) and (2) to the first and second strings from their last string characters to obtain D(X i , Y j ). 2 . The method of claim 1 , wherein obtaining the data packets transceived by the first program comprises: obtaining the data packets transceived by the first program via a second program, the second program being configured to relay the transmission between the first program and an external device. 3 . The method of claim 2 , wherein: the first program comprises a software application installed on a computing device; and the second program comprises a man-in-the-middle proxy installed on the computing device. 4 . The method of claim 1 , wherein: the obtained packets comprise at least one of a header, a payload, or a trailer; the header comprises at least one of a Uniform Resource Locator (URL) or one or more parameters; and the parameters comprise at least one of a token, a fingerprint, a time, a key, or a username. 5 . The method of claim 1 , wherein: the plurality of transmissions comprise a first transmission and a second transmission; the first transmission transmits at least first data packets, the first data packets comprising a first time and at least one of a first token or a first fingerprint; the second transmission transmits at least second data packets, the second data packets comprising a second time and at least one of a second token or a second fingerprint; and analyzing the similarities among the obtained data packets for the plurality of transmissions comprises: obtaining (1) similarities between the first time and the second time and (2) at least one of: similarities between the first token and the second token or similarities between the first fingerprint and the second fingerprint. 6 . The method of claim 5 , wherein determining the security threat to the first program based on the analyzed similarities comprises: determining the second transmission as associated with the security threat, in response to determining that (1) the first time is earlier than the second time, and (2) at least one of: the first token and the second token are the same or the first fingerprint and the second fingerprint are the same. 7 . The method of claim 1 , wherein: the atomic operation is selected from: inserting, deleting, or exchanging a string character. 8 . A method for program security protection, comprising: obtaining information of Application Programming Interface (API) calls executed by a first program; analyzing similarities among the obtained API call information; and determining a security threat to the first program based on the analyzed similarities, wherein: the obtained API call information comprises a plurality of API call information strings; analyzing the similarities among the obtained API calls comprises determining a number of atomic operations required to change the plurality of API call information strings to a same string; a first API call information string S has a length i; a second API call information string T has a length j; the number of atomic operations required to change the first API call information string S to the second API call information string T is D(S i , T j ); and determining the number of atomic operations required to change the plurality of API call information strings to the same string comprises: (1) in response to determining the ith string character of the first string is the same as the jth string character of the second string, obtaining D(S i-1 , T j-1 ) as equal to D(S i , T j ); (2) in response to determining the ith string character of the first string is different from the jth string character of the second string, obtaining the minimum value of [D(S i-1 , T j-1 )+1], [D(S i , T j-1 )+1], and [D(S i-1 , T j )+1] as equal to D(S i , T j ); (3) recursively applying steps (1) and (2) to the first and second strings from their last string characters to obtain D(S i , T j ); and (4) recursively applying steps (1) to (3) to all pairs of API call information strings in the plurality of API call information strings. 9 . The method of claim 8 , wherein obtaining information of the API calls executed by the first program comprises: obtaining the API call information for the API calls via a prelog algorithm, the prelog algorithm configured to obtain the API call information, the prelog algorithm being executed before the API call is executed. 10 . The method of claim 9 , wherein: obtaining information of the API calls executed by the first program comprises obtaining the API call information for the API calls via the prelog and an epilog algorithms; the prelog and the epilog algorithms are configured to obtain the API call information; and the epilog algorithm is executed after the API call is executed. 11 . The method of claim 10 , wherein: the first program comprises a software application installed on a computing device; and the prelog algorithm and the epilog algorithm are incorporated into an operating system of the computing device. 12 . The method of claim 8 , wherein: the obtained API call information for each API call comprises at least one of an unencrypted file, a size of data, a start position, a key, or an encrypted file. 13 . The method of claim 8 , wherein: the API calls comprise a plurality of API calls each comprising a key; and analyzing the similarities among the obtained API calls comprises obtaining a similarity among the keys. 14 . The method of claim 13 , wherein: determining the security threat to the first program based on the analyzed similarities comprises determining the plurality of API calls as associated with the security threat, in response to the obtained similarity exceeding a threshold. 15 . The method of claim 8 , wherein: the atomic operation is selected from: inserting, deleting, or exchanging a string character. 16 . A system for program security protection, comprising: a processor; and a non-transitory computer-readable storage medium storing instructions that, when executed by the processor, cause the system to perform a method for program security protection, the method comprising: