CN103136476A - Mobile intelligent terminal malicious software analysis system - Google Patents


Info

Publication number: CN103136476A
Authority: CN (China)
Prior art keywords: intelligent terminal, mobile intelligent, software, analysis, information
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2011103927453A
Other languages: Chinese (zh)
Inventors: 李肯立, 沈案, 刘彦, 唐卓, 秦云川
Current assignee: Shenzhen Zhengtong Electronics Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Zhengtong Electronics Co Ltd
Priority date: 2011-12-01 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2011-12-01
Publication date: 2013-06-05
Application filed by Shenzhen Zhengtong Electronics Co Ltd
Priority to CN2011103927453A
Publication of CN103136476A

Abstract

A mobile intelligent terminal malicious software analysis system comprises a mobile intelligent terminal client program, a software behavior information analysis background server, a communication protocol between the client and the background server, and a distributed operating environment. The mobile intelligent terminal client program collects behavior information while software runs and sends it to the background server; the software behavior information analysis background server applies related algorithms to analyze the software behavior information, judges whether the software has malicious behavior, and returns the analysis result to the mobile intelligent terminal; the communication protocol realizes data communication between the client and the background server; and the distributed operating environment provides the mass data used for software behavior analysis. With this system, emerging malicious software can be detected effectively, and the system resource overhead that malicious software detection places on the mobile intelligent terminal is reduced.

Description

Mobile intelligent terminal malware analysis system
Technical field
The present invention relates to malware detection, and in particular to malware detection on mobile intelligent terminals.
Background technology
With the rapid development of the economy, science and technology, the range of network applications under the mobile Internet has become ever wider, and people's daily life and work are bound ever more tightly to the network. The spread of mobile intelligent terminals has injected a very strong driving force into the development of the mobile Internet; smartphones, tablet computers, electronic readers and other kinds of intelligent terminals have become electronic products favoured by consumers. But the development and popularisation of mobile intelligent terminals also provides a new platform for the rapid spread of malware. Traditional computer malware is gradually shifting its targets to mobile intelligent terminals, especially the increasingly widely used smartphone platforms. Users face the same situation as on traditional computers: viruses and trojans run rampant; personal privacy is violated and leaked; spam messages and harassing calls emerge in an endless stream. These not only affect personal life but also cause economic losses of varying severity. The security problem of mobile intelligent terminals has attracted common concern, and corresponding malware detection techniques have emerged in an endless stream; they fall mainly into two large classes, traditional and non-traditional malware detection techniques.
The main principle of traditional malware detection techniques is to check whether a characteristic sequence (signature) that has been added to a feature database appears in a program: if such a sequence is present, the software is very likely judged to be malware; otherwise it is judged to be normal software. The detection capability of traditional malware detection techniques depends to a great extent on the feature database, and whether the feature database can be updated in time directly affects the detection of newly appearing malware, which in turn limits the protective effect of traditional malware detection methods.
The main principle of non-traditional malware detection techniques is to dynamically observe various attributes related to a program while the program is running, and then to analyse the different attributes to detect whether the software has malicious behaviour. Existing research realises this dynamic detection from different angles: researchers have detected malware by analysing the instruction stream while a program runs, by analysing a running program's operations on sensitive data, by analysing the API functions a program calls while running, and by analysing the system core functions a program calls at run time. All of these methods overcome the shortcoming of traditional malware detection methods, namely that they cannot rapidly detect emerging malware, but they differ in performance.
Detecting malware by analysing the system core functions a program calls at run time is relatively simpler to implement than the other non-traditional malware detection methods. Application software uses system core resources by calling system core functions; this mechanism is realised through the system call interface the system offers to application programs, so monitoring each program's calls to system core functions at this interface objectively reflects the program's behaviour. From these data the system call vector of the software is built, and a related algorithm is applied to analyse the vector, which achieves the goal of detecting the software.
The core of intelligent terminal malware behaviour analysis is the relevant analysis algorithm; the present invention uses a neural network to process the software behaviour data. Because a neural network imitates the human brain and uses an adaptive algorithm, it has a high level of intelligence and strong fault tolerance, which lets it, like the human visual system, identify an object by its principal characteristics; in addition, a neural network has self-learning, self-organising and inductive abilities. These characteristics allow a neural network to identify malware well.
The distributed architecture and the neural network analysis method adopted by the present invention are an improvement over existing intelligent terminal malware detection techniques.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the above deficiencies of the prior art and to propose a detection method for mobile intelligent terminal malware that reduces the detection overhead on the terminal and improves detection efficiency.
The technical solution adopted by the present invention to solve the above technical problem is a mobile intelligent terminal malware behaviour analysis system, comprising:
a mobile intelligent terminal client program, which collects terminal information and behavioural information during software operation and sends this information to the background server;
a software behaviour information analysis background server, which uses a related algorithm to analyse the software behaviour information, judges whether the software has malicious behaviour, and returns the analysis result to the mobile intelligent terminal;
a communication protocol between the client and the background server, used to realise data communication between the two; and
a distributed running environment, used to provide the system's operating platform and the mass data for software behaviour analysis.
The mobile intelligent terminal client program collects information about the mobile intelligent terminal, including device information and the list of programs installed on the device.
The mobile intelligent terminal client program collects information about running software, namely the system call log file obtained by monitoring the software's running process at the system call interface.
The information analysis background server obtains the data sent by the client program and extracts from it the system call log file of the software's running process.
The information analysis background server builds the software's system call vector from the extracted system call log file, so as to reflect the software's behaviour.
The information analysis background server analyses the software's system call vector with an algorithm and determines the software's classification.
The information analysis background server passes the result of the software behaviour analysis to the client, providing information to the user.
The communication protocol between the client and the background server ensures that data can be transmitted accurately between the two and can resist related attacks.
The distributed running environment provides the operating platform for implementing the system.
The distributed running environment provides a large amount of real data for behaviour analysis, from which the background server builds the behaviour patterns used in behaviour analysis.
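One way the background server could turn the client's system call log into a system call vector and compare it with the stored behaviour pattern vectors by Euclidean distance, as an added example that is not part of the patent: the strace-like log format, the syscall vocabulary and the two pattern vectors are constructed assumptions, not the patent's own data.

```python
import math
import re
from collections import Counter

# Constructed sample log (not from the patent): one monitored system-core-function
# call per line, in a strace-like "name(args) = ret" form, optionally prefixed by a
# timestamp and "pid=N".
SAMPLE_LOG = """\
1701388800.101 pid=1234 openat(AT_FDCWD, "/data/data/app/contacts.db", O_RDONLY) = 5
1701388800.102 pid=1234 read(5, "...", 4096) = 4096
1701388800.110 pid=1234 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
1701388800.115 pid=1234 connect(6, {sa_family=AF_INET, sin_port=htons(8080), sin_addr="203.0.113.10"}, 16) = 0
1701388800.120 pid=1234 sendto(6, "...", 1200, 0, NULL, 0) = 1200
1701388800.125 pid=1234 close(6) = 0
1701388800.126 pid=1234 close(5) = 0
"""

# Assumed fixed vocabulary: the position of each syscall in the system call vector.
VOCAB = ("openat", "read", "write", "socket", "connect", "sendto",
         "recvfrom", "close", "ioctl")

# Constructed behaviour-pattern vectors the server is assumed to have learned from
# its mass data: one per class, same layout as VOCAB (relative frequencies).
PATTERNS = {
    "normal":  (0.2, 0.3, 0.2, 0.0, 0.0, 0.0, 0.0, 0.2, 0.1),
    "leakage": (0.1, 0.1, 0.0, 0.2, 0.2, 0.2, 0.0, 0.2, 0.0),
}

_CALL_RE = re.compile(r"^\s*(?:\d+(?:\.\d+)?\s+)?(?:pid=\d+\s+)?([a-z_][a-z0-9_]*)\(")


def parse_syscalls(log_text):
    """Return the syscall names in log order; lines that are not calls are skipped."""
    names = []
    for line in log_text.splitlines():
        m = _CALL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def syscall_vector(log_text, vocab=VOCAB):
    """System call vector: relative frequency of each vocabulary entry in the log.
    Calls outside the vocabulary are ignored; an empty log gives the zero vector."""
    counts = Counter(parse_syscalls(log_text))
    total = sum(counts[name] for name in vocab)
    if total == 0:
        return tuple(0.0 for _ in vocab)
    return tuple(counts[name] / total for name in vocab)


def euclidean(a, b):
    """Euclidean distance between two equal-length vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_pattern(vec, patterns=PATTERNS):
    """Class whose pattern vector is closest to vec, plus all distances for reference."""
    distances = {name: euclidean(vec, proto) for name, proto in patterns.items()}
    best = min(distances, key=distances.get)
    return best, distances


if __name__ == "__main__":
    vec = syscall_vector(SAMPLE_LOG)
    label, dists = nearest_pattern(vec)
    print("system call vector:", [round(x, 3) for x in vec])
    print("nearest pattern:", label, {k: round(v, 3) for k, v in dists.items()})
```

The vector is normalised to relative frequencies so that a long trace and a short trace of the same program land near the same point; the nearest-pattern step is the "first calculate the Euclidean distance to all existing pattern classes" stage the description assigns to the background server, and a real deployment would feed the vector on to the learned classifier rather than stopping at the distance.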
Compared with the prior art, the mobile intelligent terminal malware behaviour analysis system of the present invention, through its distributed overall framework and its use of a neural network to process behavioural data, reduces the overhead that detection places on the system resources of the mobile intelligent terminal and increases the efficiency of malware detection.
Description of drawings
Fig. 1 is a structural schematic diagram of an embodiment of the mobile intelligent terminal malware analysis system of the present invention.
Fig. 2 is a schematic diagram of the neural network analysis algorithm of the embodiment of the mobile intelligent terminal malware analysis system of the present invention.
Fig. 3 is a schematic diagram of the single-layer, single-neuron perceptron neural network of the embodiment of the mobile intelligent terminal malware analysis system of the present invention.
Embodiment
The embodiment shown in the accompanying drawings is described in further detail below, taking common personal-information-leaking malware as the example.
Referring to Fig. 1, the embodiment of the mobile intelligent terminal malware analysis system of the present invention roughly comprises: a mobile intelligent terminal client program; a software behaviour information analysis background server, the mobile intelligent terminal and the information analysis background server being connected over a network; a communication protocol between the client and the background server, which ensures that the communication between the mobile intelligent terminal and the information analysis background server is secure and reliable; and a distributed running environment. Of these:
The mobile intelligent terminal client program collects device-related information, the terminal's installed-software information, and behavioural information while software is installed and running; the behavioural information specifically means the system core functions the software calls during operation. After collection, the client program sends the information to the background server over the protocol for analysis and processing. For personal-information-leaking malware, the behavioural information may include operation without key presses, self-starting, and access to specific networks; these core behaviours provide the basis for the neural network analysis.
The software behaviour information analysis background server mainly extracts the received data according to the protocol, focusing on the information about software behaviour contained in the received data; it processes this information with the neural network algorithm, and by recognising a given piece of software behaviour information it detects whether the software has malicious behaviour and assigns the software to its category. The result is then sent to the client program according to the protocol, for reference. For personal-information-leaking malware, the detailed process is as follows:
1. Feature acquisition
The "key press" feature, the "self-start" feature and the "specific network access" feature observed while personal-information-leaking malware runs are used as the features for behaviour analysis.
2. Neural network
- Feature vector table: the three features (whether there is a key press, whether the software self-starts, and whether it accesses a specific network) are each represented by "0" or "1". The malware feature (no key press, self-start, access to a specific network) is denoted by the vector [1 1 1]; the normal-software feature (key press present, no self-start, access to the normal network) is denoted by the vector [0 0 0]; the feature vector table is obtained in the same way.
- Single-layer, single-neuron perceptron neural network: the network's input vector has 3 elements, each input element taking values in [0 1]; the neuron uses the hardlim transfer function, which gives the corresponding perceptron network:
hardlim(n) = [expression given as an image in the original]
- The output is a binary value (0 or 1; 1 represents a virus feature and 0 a non-virus feature).
- Supervised learning is used to train the network on the following virus samples:
Input vector: P = [matrix given as an image in the original]
Target vector: T = [1 0 1 0 0].
- Training yields the weight matrix: a = hardlim(P1 × 2 + P2 × 2 + P3 × 1 − 3).
- After the background server receives the behavioural information transmitted by the client, it performs the above analysis; when the Euclidean distance between the program's behavioural feature and the virus behavioural feature ([1 1 1]) is greater than its Euclidean distance to normal software ([0 0 0]), the neural network automatically judges the program to be a virus.
The input analysis method in the above neural network analysis can be improved: the behaviour pattern classes of programs can be divided into normal programs, malicious programs, and programs that may have malicious behaviour, refining the classification of programs further.
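An added example, not from the patent, of the single-layer hardlim perceptron described above. It evaluates the stated network a = hardlim(2·P1 + 2·P2 + P3 − 3), trains a perceptron with the supervised perceptron learning rule on a constructed training set (the patent's own P matrix is an image not reproduced here, so the constructed set labels all eight binary inputs with the stated network's output), and checks that the trained network and a nearest-prototype rule (closer to [1 1 1] than to [0 0 0] means virus, which is the reading used here) agree with the stated network on every input. hardlim is assumed to be the standard hard-limit function, 1 for n ≥ 0 and 0 otherwise; the feature order (no key press, self-start, specific network access) follows the feature vector table above.

```python
import math
from itertools import product


# Assumption: hardlim is the standard hard-limit transfer function.
def hardlim(n):
    """Hard-limit transfer function: 1 if n >= 0, else 0."""
    return 1 if n >= 0 else 0


# Weights and bias as stated in the description:
#   a = hardlim(P1 * 2 + P2 * 2 + P3 * 1 - 3)
PATENT_W = (2, 2, 1)
PATENT_B = -3

# Feature order: (no key press, self-start, specific network access); 1 = virus.
VIRUS = (1, 1, 1)
NORMAL = (0, 0, 0)


def perceptron(p, w=PATENT_W, b=PATENT_B):
    """Single-neuron perceptron: output = hardlim(w . p + b)."""
    return hardlim(sum(wi * pi for wi, pi in zip(w, p)) + b)


def all_inputs():
    """The eight possible binary feature vectors, in lexicographic order."""
    return [tuple(bits) for bits in product((0, 1), repeat=3)]


# Constructed training set (not the patent's P/T): every input labelled by the
# stated network, so the trained perceptron can be compared with it directly.
TRAINING_SET = [(p, perceptron(p)) for p in all_inputs()]


def train_perceptron(samples, lr=1, max_epochs=50):
    """Supervised perceptron learning rule: w += lr*e*p, b += lr*e, with e = t - a.
    Starts from zero weights and stops after the first epoch with no errors.
    Returns (w, b)."""
    w = [0, 0, 0]
    b = 0
    for _ in range(max_epochs):
        errors = 0
        for p, t in samples:
            a = hardlim(sum(wi * pi for wi, pi in zip(w, p)) + b)
            e = t - a
            if e != 0:
                errors += 1
                w = [wi + lr * e * pi for wi, pi in zip(w, p)]
                b += lr * e
        if errors == 0:
            break
    return tuple(w), b


def nearest_prototype(p):
    """1 (virus) when p is closer to VIRUS than to NORMAL in Euclidean distance."""
    return 1 if math.dist(p, VIRUS) < math.dist(p, NORMAL) else 0


def decisions_agree(f, g):
    """True when two classifiers give the same label on all eight inputs."""
    return all(f(p) == g(p) for p in all_inputs())


if __name__ == "__main__":
    w, b = train_perceptron(TRAINING_SET)
    print("trained weights:", w, "bias:", b)
    print("trained == stated:", decisions_agree(lambda p: perceptron(p, w, b), perceptron))
    print("distance rule == stated:", decisions_agree(nearest_prototype, perceptron))
```

Two points the numbers show: the stated weights (2, 2, 1) with bias −3 fire exactly when at least two of the three features are set, and training from zero on the same labels converges to (1, 1, 1) with bias −2, a different weight vector with the identical decision boundary; the nearest-prototype rule over [1 1 1] and [0 0 0] draws that same boundary, so on binary inputs the perceptron and the distance comparison never disagree.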
The communication protocol between the client and the background server is HTTPS. Compared with the traditional HTTP protocol, HTTPS is a network protocol built from SSL + HTTP that encrypts the transmission and authenticates the peer, so it is safer than HTTP. Using this protocol for the communication between the client and the background server prevents unauthorised software from sending information to the behaviour information analysis background server, and prevents malicious attackers from disrupting the normal operation of the system by forging false data.
The distributed running environment provides the implementation platform for the whole system. The whole system is based on a distributed architecture; such an architecture is adopted mainly because the computational resources of a mobile intelligent terminal are limited, and placing the analysis of behavioural information on the background server side reduces the resource overhead on the mobile intelligent terminal. At the same time, the neural network algorithm at the core of the behaviour analysis needs a large amount of software behaviour data for its self-learning, from which it builds the behaviour pattern classes of the various kinds of software; this is the basis for malware detection. When the behavioural information of some software arrives at the background server, the Euclidean distance between its behaviour vector and the behaviour vectors of all existing pattern classes is calculated first, which provides the basis for classifying it.
Compared with the prior art, the mobile intelligent terminal malware analysis system of the present invention takes into account both the resource overhead of detecting malware on the mobile intelligent terminal and the efficiency of malware detection: to reduce the computational resource overhead of the mobile intelligent terminal while guaranteeing detection efficiency, it selects a distributed architecture and a neural network to analyse the behavioural information of software and thereby detect malware. Using the present invention for malware detection can effectively detect emerging malware.
The above is only a preferred embodiment of the present invention, intended to further illustrate it and not to limit it. All simple substitutions made according to the above text and the content disclosed in the accompanying drawings fall within the scope of protection of this patent.

Claims (10)

1. A mobile intelligent terminal malware analysis system, characterised in that it comprises:
a mobile intelligent terminal client program, which collects terminal information and behavioural information during software operation and sends this information to a background server;
a software behaviour information analysis background server, which uses a related algorithm to analyse the software behaviour information, judges whether the software has malicious behaviour, and returns the analysis result to the mobile intelligent terminal;
a communication protocol between the client and the background server, used to realise data communication between the two; and
a distributed running environment, used to provide the system's operating platform and the mass data for software behaviour analysis.
2. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the mobile intelligent terminal client program collects information about the mobile intelligent terminal, including device information and the list of programs installed on the device.
3. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the mobile intelligent terminal client program collects information about running software, namely the system call log file obtained by monitoring the software's running process at the system call interface.
4. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the information analysis background server obtains the data sent by the client program and extracts from it the system call log file of the software's running process.
5. The mobile intelligent terminal malware analysis system as claimed in claim 4, characterised in that the information analysis background server builds the software's system call vector from the extracted system call log file, so as to reflect the software's behaviour.
6. The mobile intelligent terminal malware analysis system as claimed in claim 5, characterised in that the information analysis background server analyses the software's system call vector with an algorithm and determines the software's classification.
7. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the information analysis background server passes the result of the software behaviour analysis to the client, providing information to the user.
8. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the communication protocol between the client and the background server ensures that data can be transmitted accurately between the two and can resist related attacks.
9. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the distributed running environment provides the operating platform for implementing the system.
10. The mobile intelligent terminal malware analysis system as claimed in claim 1, characterised in that the distributed running environment provides a large amount of real data for behaviour analysis, from which the background server builds the behaviour patterns used for behaviour analysis.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011103927453A CN103136476A (en) 2011-12-01 2011-12-01 Mobile intelligent terminal malicious software analysis system

Publications (1)

Publication Number Publication Date
CN103136476A true CN103136476A (en) 2013-06-05

Family

ID=48496293

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011103927453A Pending CN103136476A (en) 2011-12-01 2011-12-01 Mobile intelligent terminal malicious software analysis system

Country Status (1)

Country Link
CN (1) CN103136476A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894230A (en) * 2010-07-14 2010-11-24 国网电力科学研究院 Static and dynamic analysis technology-based host system security evaluation method
CN101924761A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Method for detecting malicious program according to white list
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102082802A (en) * 2011-03-01 2011-06-01 陈彪 Behavior-based mobile terminal security protection system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
田四梅 et al.: "Smartphone security monitoring system based on a neural network", 《现代电信科技》, no. 9, 30 September 2010 (2010-09-30), pages 58-60 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104424440A (en) * 2013-09-03 2015-03-18 韩国电子通信研究院 Apparatus and method for multi-checking for mobile malware
CN104636914B (en) * 2013-11-06 2019-05-10 中国银联股份有限公司 Method and apparatus for payment based on communication device application evaluation
CN104636914A (en) * 2013-11-06 2015-05-20 中国银联股份有限公司 Method and device for carrying out payment based on communication device application evaluation
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm
WO2016169390A1 (en) * 2015-04-23 2016-10-27 腾讯科技(深圳)有限公司 Application security protection method, terminal, and storage medium
CN106156619A (en) * 2015-04-23 2016-11-23 腾讯科技(深圳)有限公司 Application security protection method and device
US11055406B2 (en) 2015-04-23 2021-07-06 Tencent Technology (Shenzhen) Company Limited Application security protection method, terminal, and storage medium
CN108173854A (en) * 2017-12-28 2018-06-15 广东电网有限责任公司东莞供电局 A security monitoring method for proprietary electric power protocols
CN108959921A (en) * 2018-05-30 2018-12-07 盘石软件(上海)有限公司 A malware analysis method based on an intelligent terminal chip
CN109344614A (en) * 2018-07-23 2019-02-15 厦门大学 An online detection method for Android malicious applications
CN110119621A (en) * 2019-05-05 2019-08-13 网御安全技术(深圳)有限公司 Attack defence method, system and defence device for abnormal system calls
CN111462410A (en) * 2019-12-25 2020-07-28 哈尔滨理工大学 Smart mobile phone cabinet based on cloud security
CN112989204A (en) * 2021-04-14 2021-06-18 江苏国信安网络科技有限公司 Mobile phone application tracing analysis method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20130605)