CN104992117A - Abnormal behavior detection method and behavior model establishment method of HTML5 mobile application program - Google Patents


Info

Publication number: CN104992117A
Authority: CN (China)
Prior art keywords: interface; application program; information; behavior; described application
Prior art date:
Legal status: Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201510333162.1A
Other languages: Chinese (zh)
Other versions: CN104992117B (en)
Inventors: 毛剑, 王瑞珑, 陈岳, 刘建伟, 马寒军, 伍前红
Current assignee: Beihang University (assignee as listed by Google Patents; may be inaccurate)
Original assignee: Beihang University
Priority date:
Filing date:
Publication date:
Events:
    • Application filed by Beihang University
    • Priority to CN201510333162.1A (patent CN104992117B)
    • Publication of CN104992117A
    • Application granted
    • Publication of CN104992117B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention proposes an abnormal behavior detection method for HTML5 mobile applications, comprising the steps of: running the application; extracting the interface information of at least one interface in which the application is located during operation, and extracting the behavior event information generated by the application when it is located in each of the interfaces; establishing a behavior model of the application according to the interface information of the at least one interface and the behavior event information corresponding to each of the interfaces; and comparing the behavior model of the application with an original behavior model of the application established in advance, and judging from the comparison result whether the application contains abnormal behavior. The abnormal behavior detection method provided by the embodiment of the invention can establish an accurate and complete behavior model for the application and effectively extract and detect the abnormal behavior of the application. In addition, the invention also proposes a behavior model establishment method for HTML5 mobile applications.

Description

Abnormal behavior detection method and behavior model establishment method for HTML5 mobile applications
Technical field
The present invention relates to the fields of network technology and information security technology, and in particular to an abnormal behavior detection method and a behavior model establishment method for HTML5 mobile applications.
Background technology
The openness of the Android system has made it the mainstream mobile platform, but has also made it the primary target of malicious applications. According to related reports, the Android platform's share of all mobile malicious applications is rising sharply. Once installed and executed, a malicious application can easily obtain a great deal of the user's private data, such as geographical location, contacts, calendar, text messages and mail, and can also subscribe to value-added services in the background without the user's knowledge, consuming the user's data traffic and phone credit. Today, with the rapid development of electronic transactions, internet finance and mobile payment, financial crimes such as stealing bank card information and fraudulent credit card charges have even appeared. These malicious applications on the Android platform pose a serious threat to users' privacy, property and even personal safety.
With the introduction of HTML5 (Hypertext Markup Language 5) technology, mobile platforms face an even more severe security situation. An HTML5 application runs in a browser environment provided by the system (such as WebView, a web view component) and contains code from different sources, such as the application's own or third-party Java code, HTML5 code or JavaScript code. In the Android system all of this code has the same permissions as the application itself. This situation, in particular that code introduced by a third party holds the permissions of the application, can bring great security risks. Because an HTML5 application is still essentially a web application, traditional web attack modes from the PC (personal computer) side, such as cross-site scripting (XSS), can equally appear on mobile terminals. Once a malicious script is injected into a target application, the script obtains all the permissions of the application, and the loss caused to the user is hard to estimate.
Current application security detection is usually divided into two kinds of methods. One is static analysis: the application is disassembled to obtain the program's source code or the bytecode of an intermediate compilation step, and the application's security is analysed on that basis. For example, the API (application programming interface) call dependencies of the application are obtained by analysing the decompiled bytecode in order to detect malicious behavior. However, because compilers differ in how they process code, the compilation process may hide part of the malicious behavior, so static analysis from the code angle alone cannot give a comprehensive assessment of the application's security. The other detection method is dynamic analysis: the program's running log is collected dynamically during execution and its security is analysed. For example, the sequence of system calls recorded during the application's operation is used to establish an application behavior pattern, and malicious behavior detection is carried out by pattern matching. However, detection based on behavior patterns needs the malicious behavior patterns to be obtained in advance before the subsequent matching detection process can be carried out, so it cannot effectively detect newly emerging malicious behavior.
Therefore, a comprehensive, effective and accurate application behavior detection method needs to be proposed.
Summary of the invention
The present invention is intended to solve at least one of the technical problems existing in the prior art.
For this reason, the first object of the present invention is to propose an abnormal behavior detection method for HTML5 mobile applications, which can establish an accurate and complete behavior model for an application and effectively extract and detect the application's abnormal behavior.
The second object of the present invention is to propose a behavior model establishment method for HTML5 mobile applications.
To achieve the above objects, an embodiment according to the first aspect of the present invention proposes an abnormal behavior detection method for HTML5 mobile applications, comprising the following steps: running the application; extracting the interface information of at least one interface in which the application is located during operation, and extracting the behavior event information of the application when it is located in each interface; establishing the behavior model under test of the application according to the interface information of the at least one interface and the behavior event information corresponding to each interface; comparing the behavior model under test of the application with the original behavior model of the application established in advance, and judging from the comparison result whether the application contains abnormal behavior.
The abnormal behavior detection method for HTML5 mobile applications of the embodiment of the present invention extracts the behavior events of the application during operation together with the interface information in which they occur, i.e. the running environment of the application, generates a behavior model accordingly, and judges whether the application contains abnormal behavior by comparing that behavior model with the original behavior model. Compared with related techniques, it can effectively extract all behavior event information during the operation of the HTML5 mobile application together with the program context information (interface information) in which each behavior event occurs, and can therefore establish an accurate and complete behavior model for the HTML5 mobile application. Thus it can effectively extract and detect the abnormal behavior of the application, and has good detection results especially for zero-day attacks, variant attacks and code injection attacks.
An embodiment of the second aspect of the present invention proposes a behavior model establishment method for HTML5 mobile applications, comprising the following steps: running the application; extracting the interface information of all interfaces in which the application is located during operation, and extracting the behavior event information of the application when it is located in each interface; establishing the behavior model of the application according to the interface information of all the interfaces and the behavior event information corresponding to each interface.
The behavior model establishment method for HTML5 mobile applications of the embodiment of the present invention extracts the behavior events of the application during operation together with the interface information in which they occur, i.e. the running environment of the application, and accordingly establishes a two-dimensional model comprising these two elements. Compared with related techniques, it can effectively extract all behavior event information during the operation of the HTML5 mobile application together with the program context information (interface information) in which each behavior event occurs, and can therefore establish an accurate and complete original behavior model and model under test for the application, making subsequent program detection more comprehensive and effective.
Additional aspects and advantages of the present invention will be given in part in the following description, will become apparent in part from the following description, or will be learned through practice of the present invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of embodiments in combination with the accompanying drawings, in which:
Fig. 1 is a flowchart of an abnormal behavior detection method for an application according to an embodiment of the present invention;
Fig. 2 is a flowchart of an abnormal behavior detection method for an application according to a specific embodiment of the present invention;
Fig. 3 is a flowchart of a behavior model establishment method for an application according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the architecture of an abnormal behavior detection system for HTML5 mobile applications according to an embodiment of the present invention.
Embodiments
The abnormal behavior detection method and device for an application and the behavior model establishment method and device for an application according to embodiments of the present invention are described below with reference to the accompanying drawings, in which the same or similar reference numerals represent the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary and are only intended to explain the present invention; they are not to be construed as limiting it.
At present, none of the detection methods for application behavior record and detect the running environment of the application. When a behavior event of an application occurs, the program context environment in which it occurs is indispensable key information for modelling program behavior events, and provides an important reference for determining whether the program behavior is abnormal. Therefore, for applications, and especially for mobile applications based on HTML5 technology (hereinafter referred to as HTML5 applications), it is necessary to establish a behavior model that includes the program execution environment information at the time a behavior occurs; this information can provide accurate and complete application behavior records for dynamic analysis and abnormal behavior detection.
For this reason, embodiments of the present invention propose an abnormal behavior detection method and a behavior model establishment method for HTML5 mobile applications.
Fig. 1 is a flowchart of an abnormal behavior detection method for HTML5 mobile applications according to an embodiment of the present invention.
As shown in Fig. 1, the abnormal behavior detection method for HTML5 mobile applications according to an embodiment of the present invention comprises the following steps: S1, running the application; S2, extracting the interface information of at least one interface in which the application is located during operation, and extracting the behavior event information of the application when it is located in each interface; S3, establishing the behavior model of the application according to the interface information of the at least one interface and the behavior event information corresponding to each interface; S4, comparing the behavior model of the application with the original behavior model of the application established in advance, and judging from the comparison result whether the application contains abnormal behavior.
In an embodiment of the present invention, the application is an HTML5 mobile application.
In one embodiment of the present invention, the original behavior model of the application is established when the application is run for the first time, according to the interface information and corresponding behavior event information extracted during that first run. Running the application for the first time guarantees that the application is in a state in which it has not been modified or attacked; on this premise the resulting behavior model contains no abnormal behavior and can therefore be used for subsequent abnormal behavior detection.
Therefore, in one embodiment of the present invention, a step of establishing the original behavior model may also be included.
Specifically, establishing the original behavior model of the application may comprise the following steps: when the application is run for the first time, extracting the interface information of all interfaces in which the application is located during the first run, and extracting the behavior event information of the application when it is located in each interface; establishing the original behavior model of the application according to the interface information of all interfaces in the first run and the behavior event information corresponding to each interface.
Fig. 2 is a flowchart of an abnormal behavior detection method for an application according to a specific embodiment of the present invention; as shown in Fig. 2, it comprises the following steps:
S201, running the application.
In one embodiment of the present invention, the application may be a mobile application based on HTML5 technology, that is, an application for mobile terminals written in HTML5. Embodiments of the present invention can thus detect the abnormal behavior of HTML5 mobile applications effectively and comprehensively. The embodiments of the present invention are described taking an HTML5 mobile application as an example.
S202, extracting the interface information of at least one interface in which the application is located during operation, and extracting the behavior event information of the application when it is located in each interface.
An HTML5 application mainly contains interfaces at the following three different levels: activity interfaces, html interfaces and jQuery interfaces:
1. Activity interface: in a native Android Java application, each interface of the application corresponds to an activity. In an HTML5 application, however, the application logic is described in web programming languages such as HTML, JavaScript and CSS (Cascading Style Sheets) and runs in the built-in WebView browser environment. Each activity of an HTML5 application can therefore generate a WebView, and multiple html files can be loaded in one WebView to present multiple html interfaces.
2. html interface: as above, an HTML5 application uses web programming languages written in html files to declare the style of its interfaces and the functions of the application, so it generally needs only one activity and the WebView that activity generates, and loads multiple html files in that WebView to present different interfaces.
3. jQuery interface: to reduce the time a user waits for an html file to load when switching interfaces, jQuery developed a new way of switching interfaces: only one html file is needed, which contains multiple jQuery interfaces. This html file is loaded completely when the application starts; when the user switches interfaces (now jQuery interfaces), no new html file needs to be loaded, and the application simply switches directly to another jQuery interface portion within the same html file.
The most common interfaces in HTML5 applications are html interfaces and jQuery interfaces. Although an HTML5 application generally needs only one activity to implement all its functions, it can in theory still contain multiple activities, for example when an advertisement activity or an activity for some functional module is added, in which case there are correspondingly multiple activities. Therefore, new interfaces generated by new activities also exist in HTML5 applications.
For the three different kinds of interface of HTML5 mobile applications, the Android system source code is modified by adding, in the functions that create each of the three kinds of interface, a function that obtains the interface information. When the HTML5 application creates a new interface, the function in the event extraction module is called, and the corresponding interface information (the name of an activity interface, the URL of an html interface, the ID of a jQuery interface) is written to the behavior log.
The behavior events of an HTML5 application are divided into two kinds: network behavior and local behavior. Network behavior refers to the interaction of the HTML5 application with a remote server, realised by the application sending HTTP requests to the server. Local behavior refers to the HTML5 application calling the corresponding API through the interfaces provided by a mobile application development framework, represented by PhoneGap (an open-source development framework), in order to access local system resources, such as searching contacts, obtaining geographical location information or invoking the camera. Therefore, behavior event information can include API (application programming interface) call information and HTTP request information.
The interface information may also be called the program context environment at the time the behavior event occurs.
The process performed by step S202 is: during the operation of the application, monitoring the running environment of the application (the WebView), and extracting in real time the behavior events of the application (such as PhoneGap API calls or sent HTTP requests) together with the program context environment at the time each behavior event occurs, i.e. the information of the interface in which the application is located when the behavior occurs.
Specifically, in one embodiment of the present invention, extracting the interface information of at least one interface in which the application is located during operation and extracting the behavior event information of the application when it is located in each interface may comprise: when the application creates an interface during operation, calling the interface information acquisition function to extract the interface information of that interface; after the interface has been created, further extracting the API call information and/or HTTP request information of the application while it is located in that interface.
More specifically, for the extraction of interface information, the Android system source code may be modified for the three different kinds of interface in HTML5 applications by adding, in the functions that create each of the three kinds of interface, a function for obtaining interface information, i.e. the interface information acquisition function. When the HTML5 application creates a new interface during operation, the interface information acquisition function is called to extract the corresponding interface information, and the extracted interface information is written to the behavior log. The interface information may comprise the name (title) of an activity interface, the URL (Uniform Resource Locator) of an html interface, or the ID (identity code) of a jQuery interface.
For the extraction of behavior event information, a behavior event information extraction function may be added in the behavior event functions (the Android system functions from which key behavior information can be extracted) of the WebKit engine (an open-source browser engine) part of the Android system source code. When a behavior event occurs, the behavior event information extraction function is called to extract information such as the name of the behavior event (e.g. a PhoneGap API call or an HTTP request) and write it to the behavior log.
As can be seen from the above, to make it easy to establish the behavior model from the extracted interface information and behavior event information, the interface information and behavior event information can be exported to a behavior log, and the behavior model then established from the behavior log. Therefore, embodiments of the present invention may also include step S203.
S203, writing the extracted interface information and behavior event information to the behavior log.
In one embodiment of the present invention, the behavior log may adopt the XML format. The root element is the <log> element, which records all behavior events; the child elements of the <log> element are a number of <interface> elements, each recording the interface information of a single interface of the application; the child elements of an <interface> element are one <name> element and a number of <action> elements; the <name> element records the specific content of the interface information, such as the name of an activity interface, the URL of an html interface or the ID of a jQuery interface; each <action> element records behavior event information, i.e. API call information (the name of the API called) and/or HTTP request information (the HTTP request sent).
In an embodiment of the present invention, the extracted interface information and behavior event information can be written to the behavior log in the above format. Arbitrary strings may be used as the value domain of the <action> element and of the <name> element.
Below is an example of a behavior log:
The behavior log expresses the following information:
1. <name>file://android/asset/www/index.html</name> indicates that the current interface of the application is an html interface whose URL is "file://android/asset/www/index.html".
2. <action>API_call@contacts@search</action> indicates that the current behavior event of the application is an API call, and the API called is named "contacts search", i.e. the contact search API.
It should be understood that the use of the XML format for the behavior log in this embodiment is only exemplary, chosen to facilitate subsequent processing; the present invention is not limited to it. In practical applications no requirement is placed on the specific format of the behavior log, and other formats may be adopted as long as they contain the same information.
S204, establishing the behavior model of the application according to the interface information of at least one interface and the behavior event information corresponding to each interface.
In one embodiment of the present invention, a plurality of two-tuples can be generated according to the correspondence between interface information and behavior event information, and the behavior model of the application is established from the plurality of two-tuples, where the first element of each two-tuple is the interface information and the second element is the set of behavior event information corresponding to that interface information.
The behavior model M of the application can be represented by the following sequence:
{<State_0>, <State_1>, …, <State_i>, …},
Each element of the sequence is a two-tuple; the i-th element <State_i> is (S_i, T_i), with (S_i, T_i) ∈ M and i a non-negative integer, and the behavior model M is the set of all two-tuples formed from interface information and behavior event information that correspond to each other in the extracted interface information and behavior events. Here S_i is the application state, i.e. the interface information; its value is the string identifying one of the three kinds of interface, i.e. the name of an activity interface, the URL of an html interface or the ID of a jQuery interface. T_i = {t_i0, t_i1, …, t_ij, …} (0 ≤ j ≤ n_i) is the set of action states under application state S_i, i.e. the set of behavior event information, where t_ij is the j-th action state under S_i, whose value is the name of the API called by the application or the HTTP request string sent; n_i is the total number of action states under S_i, a non-negative integer; and j is a non-negative integer less than or equal to n_i.
In one embodiment of the present invention, the model of the application can be established from the behavior log according to the above definition of the behavior model. Specifically, the value of the <name> child element of each <interface> element in the behavior log is extracted as an application state S_i and used as the first element of a row in a two-dimensional array; then the value of each <action> child element of each <interface> element in the behavior log is extracted as an action state t_ij under the application state S_i, and written into the row of the two-dimensional array whose first element is the application state to which that action state belongs; finally, the arrays recording each application state and the action states it contains are aggregated to form a two-dimensional array recording all application states and action states of the whole application, which completes the establishment of the behavior model of the application.
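As an added example (not code from the patent or its inventors), the following Python script builds the two-tuple model of step S204 from a behavior log in the XML layout described under S203: each <interface> becomes an application state S_i keyed by its <name>, and its <action> children become the set T_i. The sample log is constructed for this example; the API_call@… action string follows the page's own example, while the HTTP_request@… string, the "#" prefix for jQuery interface IDs and all function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample behavior log (not from the patent) in the XML layout the
# description gives: a <log> root, one <interface> element per interface
# the application was in, each with one <name> child and zero or more
# <action> children. The API_call@... string follows the page's example; the
# HTTP_request@... string is this example's own assumed convention.
SAMPLE_LOG = """
<log>
  <interface>
    <name>MainActivity</name>
  </interface>
  <interface>
    <name>file://android/asset/www/index.html</name>
    <action>API_call@contacts@search</action>
    <action>HTTP_request@http://sync.example.invalid/api/upload</action>
  </interface>
  <interface>
    <name>#settings</name>
    <action>API_call@geolocation@getCurrentPosition</action>
  </interface>
  <interface>
    <name>file://android/asset/www/index.html</name>
    <action>API_call@contacts@search</action>
    <action>API_call@camera@getPicture</action>
  </interface>
</log>
"""


def build_behavior_model(log_xml):
    """Build the behavior model M = {(S_i, T_i)} from a behavior log.

    Returns a dict mapping each application state S_i (the <name> text: an
    activity name, html URL or jQuery interface ID) to the set T_i of action
    states (the <action> texts) observed while the application was in that
    interface. Repeated <interface> entries with the same <name> are merged
    into one row, as S204 keys the two-dimensional array by application state.
    """
    root = ET.fromstring(log_xml)
    if root.tag != "log":
        raise ValueError("root element must be <log>, got <%s>" % root.tag)
    model = {}
    for iface in root.findall("interface"):
        name_el = iface.find("name")
        if name_el is None or not (name_el.text or "").strip():
            raise ValueError("<interface> element without a <name>")
        state = name_el.text.strip()
        actions = model.setdefault(state, set())
        for act in iface.findall("action"):
            text = (act.text or "").strip()
            if text:
                actions.add(text)
    return model


def classify_action(action):
    """Map an action string to the two behavior kinds the description names:
    'local' for PhoneGap-style API calls, 'network' for HTTP requests."""
    kind = action.split("@", 1)[0]
    if kind == "API_call":
        return "local"
    if kind == "HTTP_request":  # assumed prefix for network behavior
        return "network"
    raise ValueError("unknown action kind: %r" % action)


def interface_kind(state):
    """Guess which of the three interface levels a state string denotes:
    html interface (a URL), jQuery interface (an ID, assumed here to start
    with '#'), otherwise an activity name."""
    if "://" in state:
        return "html"
    if state.startswith("#"):
        return "jquery"
    return "activity"


if __name__ == "__main__":
    model = build_behavior_model(SAMPLE_LOG)
    for state, actions in model.items():
        print("%-9s %s" % (interface_kind(state), state))
        for action in sorted(actions):
            print("    %-8s %s" % (classify_action(action), action))
```

Merging repeated <interface> entries matters: the same html interface is typically entered many times in one run, and the model of S204 is a set per state, not a trace, so the order and repetition of visits do not affect the later comparison.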
S205, if the application is being run for the first time, taking the behavior model of the application as the original behavior model of the application and storing it.
If the application is being run for the first time, it can be guaranteed that the HTML5 application has not been modified and has not suffered any attack. On this premise, all interfaces of the application are traversed by the above process and all behavior events under each interface are triggered; the generated behavior model is then the complete application behavior model of the application, can be taken as the original behavior model of the application, and is stored in the original behavior model library as the reference for subsequent detection.
Here, the original behavior model of the application comprises a plurality of two-tuples, called the plurality of original two-tuples.
S206, if the application is not being run for the first time, taking the behavior model of the application as the model under test of the application, comparing it with the original behavior model of the application established in advance, and judging from the comparison result whether the application contains abnormal behavior.
In one embodiment of the invention, the first interface information set (i.e. interface information set to be measured) can be generated according to the whole interface informations comprised in multiple two tuples to be measured, and generate second contact surface information aggregate (i.e. original interface information aggregate) according to the whole interface informations comprised in multiple original two tuples; Judge that whether the first interface information set is consistent with second contact surface information aggregate; If the first interface information set and second contact surface information aggregate inconsistent, then judge that application program exists abnormal behaviour.If the first interface information set is consistent with second contact surface information aggregate, it is then index with interface information, the first behavior event information set (namely to be measured is event information set) is generated according to the corresponding behavior event information of interface information each in multiple two tuples to be measured, and the second behavior event information set (namely original is event information set) corresponding according to each interface information in multiple original two tuples; Judge that whether the first behavior event information set is consistent with the second behavior event information set; If inconsistent, then judge that application program exists abnormal behaviour.
Particularly, available S '={ S 0', S 1' ..., S i' ... representing the first interface information set, i.e. in the behavior model of application program to be measured, application state used (interface information) set, uses S={S 0, S 1..., S i... represent all application states (interface information) set in primitive behavior model, use represent the first behavior event information set, i.e. application state S in the behavior model of application program to be measured i' under everything state (behavior event information) set, use represent the second behavior event information set, i.e. application state S in primitive behavior model ilower everything state (behavior event information) is gathered.
Then, if either of the following two situations occurs, the application program is considered to have abnormal behavior:
1. If S ≠ S', i.e. compared with the first run of the application program, a new application state appears in the application program during testing, this shows that the application program has been attacked or modified;
2. If S = S', all application states in the behavior model of the application program are identical to those of the original behavior model; all application states of the application program are then traversed further, and for the sets T_i and T_i' of all operating states under any application state S_i, if some T_i ≠ T_i' exists, i.e. compared with the first run, a new operating state appears under the same application state, this shows that the application program has been attacked or modified.
Further, the newly appearing application states and/or new operating states that are detected can be recorded, i.e. the abnormal behavior event information of the application program and the interface information of the interface at which the abnormal behavior event occurred are recorded, and an application security analysis report is generated so that an application security analyst can analyze the application to be measured.
In the anomaly detection method for HTML5 mobile application programs of the embodiment of the present invention, the behavior events of the HTML5 mobile application program during execution and the interface information of the interface at which they occur, i.e. the running environment of the application program, are extracted, a behavior model is generated accordingly, and this behavior model is compared with the original behavior model to judge whether the application program contains abnormal behavior. Compared with the related art, all behavior event information produced during the execution of the HTML5 mobile application program, together with the program context information (interface information) at the time each behavior event occurs, can be extracted effectively, so that an accurate and complete behavior model can be established for the HTML5 mobile application program; the abnormal behavior of the application program can thus be detected effectively, with good detection results in particular for zero-day attacks, variant attacks and code injection attacks.
In order to realize the above embodiments, the present invention also proposes a behavior model establishment method for HTML5 mobile application programs.
Fig. 3 is a flow chart of the behavior model establishment method for HTML5 mobile application programs according to an embodiment of the invention. As shown in Fig. 3, the behavior model establishment method for HTML5 mobile application programs of the embodiment of the present invention comprises the following steps.
S301: run the application program.
In one embodiment of the invention, the application program may be a mobile application program based on HTML5 technology, i.e. an application program for a mobile terminal written in HTML5, so that the abnormal behavior of HTML5 mobile application programs can be detected effectively and comprehensively by embodiments of the invention. The embodiments of the present invention are described taking an HTML5 mobile application program as an example.
S302: extract the interface information of all interfaces that the application program passes through during execution, and extract the behavior event information of the application program while it is at each interface.
An HTML5 application mainly contains interfaces at the following three different levels: activity interfaces, html interfaces and jQuery interfaces:
1. Activity interface: in a native Android Java application, each interface of the application corresponds to one activity. In an HTML5 application, however, the application logic is described in web languages such as HTML, JavaScript and CSS (Cascading Style Sheets) and runs in the built-in WebView browser environment. Each activity of an HTML5 application can therefore create a WebView, and a single WebView can load multiple html files and present multiple html interfaces.
2. html interface: as described above, an HTML5 application uses web languages written into html files to declare the appearance of its interfaces and the functions of the application, so in general only one activity and the WebView it creates are needed, and multiple html files are loaded in this WebView to present different interfaces.
3. jQuery interface: in order to reduce the time the user waits for an html file to load when switching interfaces, jQuery developed a new interface switching mode in which only one html file is needed and it contains multiple jQuery interfaces. This html file is loaded completely when the application starts, and when the user switches interfaces (now jQuery interfaces) no new html file needs to be loaded; the application simply switches directly to another jQuery interface part within the same html file.
The most common interfaces in an HTML5 application are html interfaces and jQuery interfaces. Although an HTML5 application generally needs only one activity to realize all of its functions, it may in theory still contain multiple activities; for example, when an advertisement activity or an activity for some functional module is added, there are correspondingly multiple activities. New interfaces generated by new activities therefore also exist in HTML5 applications.
For the three different kinds of interface of an HTML5 mobile application program, the Android system source code is modified so that a function for obtaining the interface information is added to the function that creates each of the three kinds of interface. When the HTML5 application creates a new interface, the function in the event extraction module is called and the corresponding interface information (the name of an activity interface, the URL of an html interface, the ID of a jQuery interface) is written to the behavior log.
The behavior events of an HTML5 application are divided into two kinds: network behavior and local behavior. Network behavior refers to the interaction of the HTML5 application with a remote server, realized by the application sending HTTP requests to the server. Local behavior refers to the HTML5 application calling the corresponding API through the interfaces provided by a mobile application development framework, PhoneGap (an open-source development framework) being representative, to access local system resources, such as searching contacts, obtaining geographical location information or invoking the camera. Behavior event information can therefore comprise API (application programming interface) call information and HTTP request information.
The interface information may also be called the program context at the time the behavior event occurs.
The process performed in step S102 is thus: during the execution of the application program, monitor the running environment (WebView) of the application program, and extract in real time the behavior events of the application program (such as calling a PhoneGap API or sending an HTTP request) and the program context when each behavior event occurs, i.e. the information of the interface at which the behavior occurs.
Specifically, in one embodiment of the invention, extracting the interface information of all interfaces that the application program passes through during execution and extracting the behavior event information of the application program at each interface may comprise: when the application program creates an interface during execution, calling an interface information obtaining function to extract the interface information of that interface; and after the interface has been created, further extracting the API call information and/or HTTP request information while the application program is at that interface.
More specifically, for the extraction of interface information, the Android system source code can be modified for the three different kinds of interface in an HTML5 application, adding to the function that creates each of the three kinds of interface a function for obtaining the interface information, i.e. the interface information obtaining function. When the HTML5 application creates a new interface during execution, the interface information obtaining function is called, the corresponding interface information is extracted, and the extracted interface information is written to the behavior log. The interface information may comprise the name (title) of an activity interface, the URL (Uniform Resource Locator) of an html interface, or the ID (identity code) of a jQuery interface.
For the extraction of behavior event information, a behavior event information extraction function can be added to the behavior event functions (the Android system functions from which key behavior information can be extracted) in the WebKit engine (an open-source browser engine) part of the Android system source code. When a behavior event occurs, the behavior event information extraction function is called, information such as the name of the behavior event (e.g. a PhoneGap API call or an HTTP request) is extracted, and it is written to the behavior log.
As can be seen from the above, to make it easier to establish the behavior model from the extracted interface information and behavior event information, the interface information and behavior event information can be output to a behavior log, and the behavior model is then established from the behavior log.
In one embodiment of the invention, the behavior log may use XML format. The root element is a <log> element, which records all behavior events; the child elements of the <log> element are a number of <interface> elements, each recording the interface information of a single interface of the application; the child elements of an <interface> element are one <name> element and a number of <action> elements. The <name> element records the specific content of the interface information, such as the name of an activity interface, the URL of an html interface or the ID of a jQuery interface; each <action> element records behavior event information, i.e. API call information (the name of the API called) and/or HTTP request information (the HTTP request sent).
In an embodiment of the present invention, the extracted interface information and behavior event information can be written to the behavior log in the above format. Any string may be used as the value domain of the <action> element and of the <name> element.
Below is an example of a behavior log:
The behavior log can embody the following information:
1. <name>file://android/asset/www/index.html</name> indicates that the current application interface of the application program is an html interface, and that the URL of this html interface is "file://android/asset/www/index.html".
2. <action>API_call@contacts@search</action> indicates that the current behavior event of the application program is an API call, and that the API called is named "contacts search", i.e. the search contacts API.
It should be understood that in this embodiment the behavior log uses XML format only as an example, to facilitate subsequent processing; the present invention is not limited to this. In practical application there is no requirement on the specific format of the behavior log, and other formats may be used as long as they contain the same information.
S303: establish the behavior model of the application program from the interface information of all interfaces and the behavior event information corresponding to each interface.
In one embodiment of the invention, multiple two-tuples can be generated according to the correspondence between interface information and behavior event information, and the behavior model of the application program is established from the multiple two-tuples, where the first element of a two-tuple is the interface information and the second element is the behavior event information set corresponding to that interface information.
The behavior model M of the application program can be represented by the following sequence:
{<State_0>, <State_1>, …, <State_i>, …},
where each element of the sequence is a two-tuple: the i-th element <State_i> is (S_i, T_i), (S_i, T_i) ∈ M, and i is a non-negative integer. The behavior model M is the set of all two-tuples of interface information and behavior event information having a correspondence relation among the extracted interface information and behavior events. S_i is an application state, i.e. interface information, whose value is the character string identifying one of the three kinds of interface, i.e. the name of an activity interface, the URL of an html interface or the ID of a jQuery interface; T_i = {t_i0, t_i1, …, t_ij, …} is the set of operating states under application state S_i, i.e. the set of behavior event information, where t_ij is the j-th operating state under S_i, whose value is the name of the API called by the application program or the HTTP request character string sent, n_i is the total number of operating states under S_i, whose value is a non-negative integer, and j is a non-negative integer with 0 ≤ j ≤ n_i.
In one embodiment of the invention, the model of the application program can be established from the behavior log according to the above definition of the behavior model. Specifically, the value of the <name> child element of each <interface> element in the behavior log is extracted as an application state "S_i" and used as the first element of a row in a two-dimensional array; then the value of each <action> child element of each <interface> element in the behavior log is extracted as an operating state "t_ij" under application state "S_i" and written into the row of the two-dimensional array whose first element is the application state to which that operating state belongs; finally, the arrays recording each application state and the operating states it contains are aggregated into a two-dimensional array recording all application states and operating states of the whole application program, which completes the establishment of the behavior model of the application program.
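As an added example (not code from the patent), the following Python builds the model M = {(S_i, T_i)} from an XML behavior log of the form described above and then applies the two-stage comparison (S against S', then T_i against T_i') described for the detection method. The log contents are constructed sample data; the action string format follows the page's "API_call@contacts@search" example and is otherwise an assumption.

```python
"""Added example (not the patent's own code): build the behaviour model
M = {(S_i, T_i)} from an XML behaviour log and run the two-stage comparison
S vs S', then T_i vs T_i'.  All log contents are constructed sample data."""
import xml.etree.ElementTree as ET

# Constructed original-run log.  Each <interface> is one application state
# S_i (activity name, html URL or jQuery interface ID); each <action> is one
# operating state t_ij (an API call or an HTTP request).
ORIGINAL_LOG = """<log>
  <interface>
    <name>file://android/asset/www/index.html</name>
    <action>API_call@contacts@search</action>
    <action>HTTP_request@https://example.invalid/api/sync</action>
  </interface>
  <interface>
    <name>#settings</name>
    <action>API_call@geolocation@getCurrentPosition</action>
  </interface>
</log>"""

# Constructed later run: same interfaces, but index.html now also calls the
# camera API (a new t_ij under an existing S_i).
NEW_ACTION_LOG = ORIGINAL_LOG.replace(
    "<action>API_call@contacts@search</action>",
    "<action>API_call@contacts@search</action>\n"
    "    <action>API_call@camera@getPicture</action>")

# Constructed later run: a jQuery interface "#promo" that the original run
# never showed (a new S_i).
NEW_STATE_LOG = ORIGINAL_LOG.replace(
    "</log>",
    "  <interface>\n    <name>#promo</name>\n"
    "    <action>HTTP_request@https://example.invalid/track</action>\n"
    "  </interface>\n</log>")


def build_model(log_xml):
    """Parse a behaviour log into the model as {S_i: T_i} (T_i a set).

    The patent's array construction appends one row per <interface>; here
    rows with the same <name> are merged, because M is a set of two-tuples
    and revisiting an interface must not create a second application state.
    """
    root = ET.fromstring(log_xml)
    if root.tag != "log":
        raise ValueError("behaviour log root must be <log>, got <%s>" % root.tag)
    model = {}
    for iface in root.findall("interface"):
        name = iface.findtext("name")
        if not (name and name.strip()):
            raise ValueError("<interface> element without a <name> element")
        actions = {(a.text or "").strip() for a in iface.findall("action")}
        actions.discard("")  # an empty <action/> carries no behaviour event
        model.setdefault(name.strip(), set()).update(actions)
    return model


def detect_anomalies(original, under_test):
    """Two-stage comparison of the model under test M' against the original M.

    Stage 1: if S != S' the application is judged abnormal.
    Stage 2: only when S == S', compare T_i with T_i' for every S_i.
    The returned dict doubles as the security analysis report.
    """
    states, test_states = set(original), set(under_test)
    report = {
        "abnormal": False,
        "new_states": sorted(test_states - states),
        "missing_states": sorted(states - test_states),
        "new_actions": [],      # (S_i, t_ij) present only in M'
        "missing_actions": [],  # (S_i, t_ij) present only in M
    }
    if states != test_states:
        # Strict set inequality also fires when the test run simply never
        # reached an interface; missing_states lets the analyst separate a
        # coverage gap from a genuinely new interface.
        report["abnormal"] = True
        return report
    for state in sorted(states):
        for action in sorted(under_test[state] - original[state]):
            report["new_actions"].append((state, action))
        for action in sorted(original[state] - under_test[state]):
            report["missing_actions"].append((state, action))
    report["abnormal"] = bool(report["new_actions"] or report["missing_actions"])
    return report


def check_run(original_log, test_log):
    """Build both models from their logs and compare them."""
    return detect_anomalies(build_model(original_log), build_model(test_log))


if __name__ == "__main__":
    for label, log in (("identical", ORIGINAL_LOG), ("new action", NEW_ACTION_LOG),
                       ("new state", NEW_STATE_LOG)):
        print(label, check_run(ORIGINAL_LOG, log))
```

The report lists missing states and actions separately from new ones, so a test run that simply did not exercise every interface can be told apart from one in which new behavior appeared.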
In one embodiment of the invention, if the application program is being run for the first time, the behavior model of the application program is taken as the original behavior model of the application program and can be stored. If the application program is not being run for the first time, the behavior model of the application program can be taken as the model to be measured of the application program.
If the application program is being run for the first time, it can be guaranteed that the HTML5 application has not been modified and has not suffered any attack. On this premise, all interfaces of the application program are traversed by the above process, all behavior events under each interface are triggered, and the behavior model generated is the complete behavior model of the application program; it can be taken as the original behavior model of the application program and stored in the original behavior model library as the reference for subsequent testing.
When the application program is run again, the behavior model of the application program can be established again from the interface information of all interfaces and the corresponding behavior event information extracted during this execution and taken as the model to be measured of the application program; the behavior model to be measured is then compared with the original behavior model of the application program established in advance, and anomaly detection is carried out on the application program according to the comparison result. The abnormal behavior of the application program can thus be detected effectively.
In the behavior model establishment method for HTML5 mobile application programs of the embodiment of the present invention, the behavior events of the application program during execution and the interface information of the interface at which they occur, i.e. the running environment of the application program, are extracted, and a two-dimensional model comprising these two elements is established accordingly. Compared with the related art, all behavior event information produced during the execution of the HTML5 mobile application program, together with the program context information (interface information) at the time each behavior event occurs, can be extracted effectively, so that an accurate and complete original behavior model or model to be measured can be established for the application program, making subsequent program detection more comprehensive and effective.
Fig. 4 is a schematic diagram of the architecture of an anomaly detection system for HTML5 mobile application programs according to an embodiment of the invention. The system comprises an extraction module 10, an establishment module 20 and a detection module 30.
The input of the system is an HTML5 mobile application program, and the system provides the running environment (WebView) for the HTML5 mobile application program.
Specifically, the extraction module 10 can monitor the running environment of the HTML5 mobile application program and extract in real time the behavior events of the application program produced by PhoneGap plug-ins, HTML/CSS, JavaScript and the like (for the Android system, e.g. calling a PhoneGap API or sending an HTTP request), the program context when each behavior event occurs, i.e. the information of the interface at which the behavior occurs, and the behavior event information.
The establishment module 20 can establish the behavior model of the application program from the behavior events and corresponding interface information extracted by the extraction module 10. If the application program is being run for the first time, the behavior model is stored as the original behavior model in the original behavior model library; otherwise it serves as the behavior model to be measured of the application program.
The detection module 30 can compare the behavior model to be measured of the HTML5 mobile application program under test with the original behavior model, and carry out anomaly detection on the application program under test according to the comparison result.
Any process or method described in the flow charts or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order, depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in the flow charts or otherwise described herein, for example a sequenced list of executable instructions for implementing logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system comprising a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any device that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). The computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one of the following technologies well known in the art or a combination thereof: a discrete logic circuit having logic gate circuits for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and the like.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, may exist physically as separate units, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been illustrated and described, those of ordinary skill in the art will appreciate that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principles and spirit of the present invention, the scope of which is defined by the claims and their equivalents.

Claims (10)

1. An anomaly detection method for an HTML5 mobile application program, characterized in that it comprises the following steps:
running the application program;
extracting the interface information of at least one interface that the application program passes through during execution, and extracting the behavior event information of the application program while it is at each interface;
establishing the behavior model to be measured of the application program from the interface information of the at least one interface and the behavior event information corresponding to each interface;
comparing the behavior model to be measured of the application program with the original behavior model of the application program established in advance, and judging whether the application program contains abnormal behavior according to the comparison result.
2. The anomaly detection method for an HTML5 mobile application program according to claim 1, characterized in that the behavior event information comprises API (application programming interface) call information and HTTP (hypertext transfer protocol) request information, and extracting the interface information of at least one interface that the application program passes through during execution and extracting the behavior event information of the application program while it is at each interface specifically comprises:
when the application program creates an interface during execution, calling an interface information obtaining function to extract the interface information of the interface;
after the interface has been created, further extracting the API call information and/or HTTP request information while the application program is at the interface.
3. The anomaly detection method for an HTML5 mobile application program according to claim 1, characterized in that establishing the behavior model to be measured of the application program from the interface information of the at least one interface and the behavior event information corresponding to each interface specifically comprises:
generating multiple two-tuples to be measured according to the correspondence between the interface information and the behavior event information, and establishing the behavior model to be measured of the application program from the multiple two-tuples to be measured, where the first element of a two-tuple to be measured is interface information and the second element is the behavior event information set corresponding to that interface information.
4. The anomaly detection method for an HTML5 mobile application program according to claim 3, characterized in that the original behavior model of the application program comprises multiple original two-tuples, and comparing the behavior model to be measured of the application program with the original behavior model of the application program established in advance and carrying out anomaly detection on the application program according to the comparison result specifically comprises:
generating a first interface information set from all the interface information contained in the multiple two-tuples to be measured, and generating a second interface information set from all the interface information contained in the multiple original two-tuples;
judging whether the first interface information set is consistent with the second interface information set;
if the first interface information set and the second interface information set are inconsistent, judging that the application program has abnormal behavior.
5. The anomaly detection method for an HTML5 mobile application program according to claim 4, characterized in that it further comprises:
if the first interface information set is consistent with the second interface information set, then, using the interface information as an index, generating a first behavior event information set from the behavior event information corresponding to each interface information in the multiple two-tuples to be measured, and generating a second behavior event information set from the behavior event information corresponding to each interface information in the multiple original two-tuples;
judging whether the first behavior event information set is consistent with the second behavior event information set;
if they are inconsistent, judging that the application program has abnormal behavior.
6. The anomaly detection method for an HTML5 mobile application program according to claim 1, characterized in that it further comprises:
when the application program is run for the first time, extracting the interface information of all interfaces that the application program passes through during the first execution, and extracting the behavior event information of the application program while it is at each interface;
establishing the original behavior model of the application program from the interface information of all the interfaces in the first execution and the behavior event information corresponding to each interface.
7. A behavior model establishment method for an HTML5 mobile application program, characterized in that it comprises the following steps:
running the application program;
extracting the interface information of all interfaces that the application program passes through during execution, and extracting the behavior event information of the application program while it is at each interface;
establishing the behavior model of the application program from the interface information of all the interfaces and the behavior event information corresponding to each interface.
8. The behavior model establishment method for an HTML5 mobile application program according to claim 7, characterized in that the behavior event information comprises API (application programming interface) call information and HTTP (hypertext transfer protocol) request information, and extracting the interface information of all interfaces that the application program passes through during execution and extracting the behavior event information of the application program while it is at each interface specifically comprises:
when the application program creates an interface during execution, calling an interface information obtaining function to extract the interface information of the interface;
after the interface has been created, further extracting the API call information and/or HTTP request information while the application program is at the interface.
9. The behavior model establishment method for an HTML5 mobile application program according to claim 7, characterized in that establishing the behavior model of the application program from the interface information of all the interfaces and the behavior event information corresponding to each interface specifically comprises:
generating multiple two-tuples according to the correspondence between the interface information and the behavior event information, and establishing the behavior model of the application program from the multiple two-tuples.
10. The behavior model establishment method for an HTML5 mobile application program according to claim 7, characterized in that:
if the application program is being run for the first time, the behavior model of the application program is taken as the original behavior model of the application program and stored in an original behavior model library;
if the application program is not being run for the first time, the behavior model of the application program is taken as the behavior model to be measured of the application program.
CN201510333162.1A 2015-06-16 2015-06-16 The anomaly detection method and behavior model method for building up of HTML5 mobile applications Active CN104992117B (en)

Publications (2)

Publication Number Publication Date
CN104992117A true CN104992117A (en) 2015-10-21
CN104992117B CN104992117B (en) 2018-04-13

Family

ID=54303930

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510333162.1A Active CN104992117B (en) 2015-06-16 2015-06-16 The anomaly detection method and behavior model method for building up of HTML5 mobile applications

Country Status (1)

Country Link
CN (1) CN104992117B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101964026A (en) * 2009-07-23 2011-02-02 中联绿盟信息技术(北京)有限公司 Method and system for detecting web page horse hanging
CN102542186A (en) * 2010-12-15 2012-07-04 财团法人资讯工业策进会 Malicious program detection device and malicious program detection method
CN103559446A (en) * 2013-11-13 2014-02-05 厦门市美亚柏科信息股份有限公司 Dynamic virus detection method and device for equipment based on Android system
US20150067845A1 (en) * 2013-08-27 2015-03-05 International Business Machines Corporation Detecting Anomalous User Behavior Using Generative Models of User Actions

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105528295A (en) * 2016-01-04 2016-04-27 北京航空航天大学 Method and device for detecting abnormal behaviors of mobile application program
CN105528295B (en) * 2016-01-04 2018-12-14 北京航空航天大学 Mobile applications anomaly detection method and device
CN105824714A (en) * 2016-03-14 2016-08-03 联想(北京)有限公司 Information processing method and electronic equipment
CN106788896A (en) * 2016-12-27 2017-05-31 北京五八信息技术有限公司 The method for uploading and device of daily record data
WO2018196559A1 (en) * 2017-04-26 2018-11-01 腾讯科技(深圳)有限公司 Method and apparatus for dealing with abnormality of application program, and storage medium
US10838838B2 (en) 2017-04-26 2020-11-17 Tencent Technology (Shenzhen) Company Limited Method and apparatus for dealing with abnormality of application program and storage medium
CN109791588A (en) * 2017-06-27 2019-05-21 赛门铁克公司 Alleviate malicious action associated with graphical user-interface element
CN109791588B (en) * 2017-06-27 2023-10-13 诺顿身份保护公司 Mitigating malicious actions associated with graphical user interface elements
CN107864066A (en) * 2017-08-24 2018-03-30 平安普惠企业管理有限公司 Offline H5 pages monitoring method, device, equipment and readable storage medium storing program for executing
CN109639559A (en) * 2017-10-09 2019-04-16 北京国双科技有限公司 A kind of wechat H5 propagates method for monitoring and analyzing and relevant device
CN108364078A (en) * 2018-03-07 2018-08-03 广州图普网络科技有限公司 Abnormal behavior judges system and method
CN108763059A (en) * 2018-04-24 2018-11-06 阿里巴巴集团控股有限公司 A kind of method for detecting abnormality, device and equipment
CN109976854A (en) * 2019-03-22 2019-07-05 维沃移动通信有限公司 A kind of applied program processing method and terminal device
CN109976854B (en) * 2019-03-22 2023-02-24 维沃移动通信有限公司 Application processing method and terminal equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant