CN107358101B - Ransomware detection method and system based on permission pattern - Google Patents

Publication number: CN107358101B
Authority: CN (China)
Prior art keywords: software, detected, permission, application software, authority
Legal status: Active
Application number: CN201710504921.5A
Other languages: Chinese (zh)
Other versions: CN107358101A (en)
Inventors: 孙玉霞, 刘启明, 翁健
Current assignee: Jinan University
Original assignee: Jinan University
Application filed by Jinan University
Priority to CN201710504921.5A
Publication of CN107358101A
Application granted
Publication of CN107358101B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a ransomware detection method and a ransomware detection system based on permission patterns. The method comprises the following steps: decompressing the APK file of the application software to be detected; parsing the AndroidManifest.xml file out of the APK file of the application software to be detected; extracting from the AndroidManifest.xml file the permissions requested by the application software to be detected; judging whether the number of permissions requested by the application software to be detected is less than a fixed value X, and if not, judging the application software to be detected to be non-ransomware; if so, matching the requested permissions against the given permission patterns, and if the matching succeeds, judging the application software to be detected to be ransomware, otherwise judging it to be non-ransomware. The detection method has good detection effect, high detection efficiency and low system overhead, and is not interfered with by code obfuscation techniques.

Description

Ransomware detection method and system based on permission pattern
Technical Field
The invention relates to the technical field of Android smart terminal usage security, and in particular to a method and a system for detecting ransomware based on permission patterns.
Background
Application software brings efficiency and convenience to users, but at the same time exposes them to security hazards such as malware infection and privacy leakage. Ransomware extorts the user into paying an unlock or decryption fee by locking the user's mobile device, encrypting or deleting the user's files, and similar means. At present ransomware is mutating and multiplying ever faster. How to quickly and effectively detect ransomware code in Android applications has therefore become one of the hot research problems in the mobile security field.
The attack principles of ransomware vary, but the purpose is always to prevent the user from normally using the screen or the files of an Android smart terminal such as a mobile phone. The main ransomware attack modes are: a) maliciously pinning a floating window on top of the phone screen, so that the full-screen floating window stays on top and cannot be dismissed and the screen cannot be used normally; b) maliciously disabling touch response, setting the touch feedback of the virtual keys and of the touch screen to invalid so that the touch area no longer responds to the user's operations; c) maliciously setting a top page: the top Activity is polled at regular intervals and, whenever the foreground Activity is found not to belong to the malware, the malicious page is restarted so that it covers the original page and ends the original background process; d) inducing the user to activate the device administrator: once the user has activated it, the ransomware can force an unlock code onto the phone without the user's knowledge, so that the phone is locked.
Some ransomware detection techniques have appeared at home and abroad, but these techniques still have shortcomings, detailed as follows:
(1) Federico Maggi of Politecnico di Milano, Italy, proposed a ransomware detection method, HelDroid, which mainly performs reverse analysis of an application's APK file and obtains the application's source code and resource files by decompilation and similar means. HelDroid has three detectors that can run in parallel: a threatening-text detector, an encryption detector and a lock-screen detector. If HelDroid finds all three behaviours in an application, it classifies the application as ransomware; if only threatening text is detected, it classifies the application as threatening software. Although the method can go deep into the code layer, detection is time-consuming, and as code obfuscation algorithms and tools grow ever stronger, the source code obtained by decompiling an application is often obfuscated, so the static code analysis may be subject to some error; on the other hand, some benign applications encrypt files for their own purposes and some benign screen-lock applications exhibit lock-screen behaviour, and HelDroid may misjudge such applications as ransomware when it detects these encryption and lock-screen behaviours.
(2) Francesco Mercaldo of the University of Sannio, Italy, proposed a formal method for detecting ransomware. The formal approach is divided into three sub-processes: formal model construction, temporal logic construction and ransomware detection. Although the detection rate of the method is high, constructing the formal model is excessively complicated and the detection efficiency is not high. In addition, the data set Mercaldo used in the experiments was obtained many years ago, while ransomware keeps being updated and varied, so the detection effect of Mercaldo's tool on current ransomware is unknown.
(3) Daniele Sgandurra of Imperial College London, UK, proposed a method combining static and dynamic analysis, called an automated analysis method: the static analysis determines possible attack paths based on Android API calls and known attack modes, and the dynamic analysis executes the program within a limited scope along those possible attack paths, focusing on monitoring possible security vulnerabilities and attacks. Sgandurra's goal is a high-performance tool for effectively detecting ransomware on the Android platform. Unfortunately, however, the corresponding tool has not been implemented.
In summary, existing ransomware detection methods still have shortcomings. There is therefore a need to develop a ransomware detection technique that is not interfered with by code obfuscation, has low system overhead, and has good detection effect and high detection efficiency. This is the subject of the present invention.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a ransomware detection method based on permission patterns, which has good detection effect, high detection efficiency and low system overhead and is not interfered with by code obfuscation; the ransomware detection method can keep smart terminal users away from the harm of ransomware.
A second object of the present invention is to provide a ransomware detection system based on permission patterns for implementing the above method.
The first object of the invention is achieved by the following technical scheme: a ransomware detection method based on permission patterns, comprising the following steps:
S1, upon receiving the application software to be detected, first decompressing the APK file of the application software to be detected;
S2, parsing the AndroidManifest.xml file out of the APK file of the application software to be detected, and extracting from the AndroidManifest.xml file the permissions requested by the application software to be detected;
S3, judging whether the number of permissions requested by the application software to be detected is smaller than a fixed value X; if so, proceeding to step S4, and if not, judging the application software to be detected to be non-ransomware;
S4, matching the permissions requested by the application software to be detected against the given permission patterns; if the matching succeeds, judging the application software to be detected to be ransomware, otherwise judging it to be non-ransomware.
Preferably, in step S4 the given permission patterns are of four kinds, namely a first permission pattern, a second permission pattern, a third permission pattern and a fourth permission pattern, wherein:
the first permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED (the name of this permission is garbled in the machine translation and is reconstructed by analogy with the third and fourth patterns), android.permission.READ_PHONE_STATE and android.permission.SYSTEM_ALERT_WINDOW;
when the permissions requested by the application software to be detected include all four permissions of the first permission pattern, the requested permissions match the first permission pattern successfully and the application software to be detected is judged to be ransomware;
the second permission pattern is formed by combining the following five permissions: android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.GET_TASKS, android.permission.KILL_BACKGROUND_PROCESSES and android.permission.WRITE_EXTERNAL_STORAGE;
when the permissions requested by the application software to be detected include all five permissions of the second permission pattern, the requested permissions match the second permission pattern successfully and the application software to be detected is judged to be ransomware;
the third permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.BIND_DEVICE_ADMIN;
when the permissions requested by the application software to be detected include all four permissions of the third permission pattern, the requested permissions match the third permission pattern successfully and the application software to be detected is judged to be ransomware;
the fourth permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.WAKE_LOCK;
and when the permissions requested by the application software to be detected include all four permissions of the fourth permission pattern, the requested permissions match the fourth permission pattern successfully and the application software to be detected is judged to be ransomware.
Preferably, the fixed value X is in the range 17 to 20.
Further, the fixed value X is 17.
The second object of the invention is achieved by the following technical scheme: a ransomware detection system based on permission patterns, comprising:
a decompression module, used for decompressing the APK file of the application software to be detected when the application software to be detected is received;
a parsing module, used for parsing the AndroidManifest.xml file out of the APK file of the application software to be detected;
a permission extraction module, used for extracting from the AndroidManifest.xml file the permissions requested by the application software to be detected;
a permission count comparison module, used for comparing the number of permissions requested by the application software to be detected with a fixed value X and outputting a comparison result;
a permission pattern matching module, used for matching the permissions requested by the application software to be detected against the given permission patterns and outputting a matching result when the comparison result output by the permission count comparison module is that the number of requested permissions is less than the fixed value X;
a ransomware judging module, used for judging the application software to be detected to be non-ransomware according to the comparison result output by the permission count comparison module, namely when the comparison result is that the number of permissions requested by the application software to be detected is greater than or equal to the fixed value X; and for judging whether the application software to be detected is ransomware according to the matching result output by the permission pattern matching module, namely when the matching result is a successful match the application software to be detected is judged to be ransomware, otherwise it is judged to be non-ransomware.
Preferably, the given permission patterns are of four kinds, namely a first permission pattern, a second permission pattern, a third permission pattern and a fourth permission pattern, wherein:
the first permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED (name reconstructed; garbled in the translation), android.permission.READ_PHONE_STATE and android.permission.SYSTEM_ALERT_WINDOW;
when the permissions requested by the application software to be detected include all four permissions of the first permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the second permission pattern is formed by combining the following five permissions: android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.GET_TASKS, android.permission.KILL_BACKGROUND_PROCESSES and android.permission.WRITE_EXTERNAL_STORAGE;
when the permissions requested by the application software to be detected include all five permissions of the second permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the third permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.BIND_DEVICE_ADMIN;
when the permissions requested by the application software to be detected include all four permissions of the third permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the fourth permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.WAKE_LOCK;
when the permissions requested by the application software to be detected include all four permissions of the fourth permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware.
Preferably, the fixed value X is in the range 17 to 20.
Preferably, the fixed value X is 17.
Compared with the prior art, the invention has the following advantages and effects:
(1) Upon receiving the application software to be detected, the permission-pattern-based ransomware detection method first decompresses the APK file of the application software to be detected, parses the AndroidManifest.xml file out of the APK file, and extracts from the AndroidManifest.xml file the permissions requested by the application software to be detected; when the number of requested permissions is greater than or equal to the fixed value X, the application software is directly judged to be non-ransomware, otherwise the requested permissions are matched against the given permission patterns; if the matching succeeds the application software is judged to be ransomware, otherwise it is judged to be non-ransomware. Because the ransomware detection method detects the application software based on the given permission patterns, it has a high detection rate and a low false alarm rate, that is, a good detection effect, and smart terminal users can be kept away from the harm of ransomware.
(2) In the permission-pattern-based ransomware detection method, whether an application is ransomware is decided during the permission pattern matching by analysing the permissions requested by the application to be detected, and the requested permissions can be obtained directly from the AndroidManifest.xml file.
(3) The permission-pattern-based ransomware detection method does not need to obtain the source code of the application to be detected, so even if the application to be detected uses code obfuscation or code encryption techniques, the ransomware detection method is not affected. Therefore the ransomware detection method cannot be interfered with by code obfuscation or code encryption techniques.
(4) The permission-pattern-based ransomware detection method uses a static detection technique and does not need to run the program, so it places low real-time demands on the system and has low system overhead.
Drawings
FIG. 1 is a flow chart of the ransomware detection method of the present invention.
FIG. 2 is a block diagram of the ransomware detection system of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples and drawings, but the present invention is not limited thereto.
Examples
This embodiment discloses a ransomware detection method based on permission patterns; as shown in FIG. 1, the steps are as follows:
S1, upon receiving the application software to be detected, first decompressing the APK file of the application software to be detected;
S2, parsing the AndroidManifest.xml file out of the APK file of the application software to be detected, and extracting from the AndroidManifest.xml file the permissions requested by the application software to be detected;
S3, judging whether the number of permissions requested by the application software to be detected is smaller than a fixed value X; if so, proceeding to step S4, and if not, judging the application software to be detected to be non-ransomware; the fixed value X is in the range 17 to 20, and in this embodiment the fixed value X is 17.
S4, matching the permissions requested by the application software to be detected against the given permission patterns; if the matching succeeds, judging the application software to be detected to be ransomware, otherwise judging it to be non-ransomware.
In this embodiment, the permission patterns given in step S4 are of four kinds, namely a first permission pattern, a second permission pattern, a third permission pattern and a fourth permission pattern, wherein:
the first permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED (name reconstructed; garbled in the translation), android.permission.READ_PHONE_STATE and android.permission.SYSTEM_ALERT_WINDOW; when the permissions requested by the application software to be detected include all four permissions of the first permission pattern, the requested permissions match the first permission pattern successfully and the application software to be detected is judged to be ransomware;
the second permission pattern is formed by combining the following five permissions: android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.GET_TASKS, android.permission.KILL_BACKGROUND_PROCESSES and android.permission.WRITE_EXTERNAL_STORAGE; when the permissions requested by the application software to be detected include all five permissions of the second permission pattern, the requested permissions match the second permission pattern successfully and the application software to be detected is judged to be ransomware;
the third permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.BIND_DEVICE_ADMIN; when the permissions requested by the application software to be detected include all four permissions of the third permission pattern, the requested permissions match the third permission pattern successfully and the application software to be detected is judged to be ransomware;
the fourth permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.WAKE_LOCK; and when the permissions requested by the application software to be detected include all four permissions of the fourth permission pattern, the requested permissions match the fourth permission pattern successfully and the application software to be detected is judged to be ransomware.
android.permission.INTERNET refers to the permission to use the Internet to complete network operations;
android.permission.RECEIVE_BOOT_COMPLETED refers to the permission to start a program of the device after the device has been rebooted;
android.permission.READ_PHONE_STATE refers to the permission to read the phone state;
android.permission.SYSTEM_ALERT_WINDOW refers to the permission to display a system window;
android.permission.GET_TASKS refers to the permission to obtain information about the currently running tasks;
android.permission.KILL_BACKGROUND_PROCESSES refers to the permission to end background processes;
android.permission.WRITE_EXTERNAL_STORAGE refers to the permission to read and write the external storage of the device;
android.permission.BIND_DEVICE_ADMIN refers to the permission to bind device administration;
android.permission.WAKE_LOCK refers to the permission for a background process to keep running after the device screen has been turned off.
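The procedure of steps S1 to S4 and the four permission patterns above, carried through as an added example in Python; this is not the patent's own tool, which the embodiment describes as a JDK/Eclipse program. It assumes a plain-text AndroidManifest.xml inside the archive (a shipped APK carries binary AXML that must be decoded first, e.g. with apktool or aapt), it takes the garbled second permission of the first pattern to be android.permission.RECEIVE_BOOT_COMPLETED by analogy with the third and fourth patterns, and the sample manifests and the CONSTRUCTED_n permission names are test fixtures constructed here.

```python
"""Permission-pattern ransomware check modelled on CN107358101B (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
X = 17  # fixed value X: the description gives 17-20, the embodiment uses 17
P = "android.permission."

# The four permission patterns of the description. Assumption: the second
# permission of the first pattern is reconstructed as RECEIVE_BOOT_COMPLETED
# by analogy with patterns 3 and 4 (its name is garbled in the translation).
PATTERNS = {
    "pattern1": frozenset({P + "INTERNET", P + "RECEIVE_BOOT_COMPLETED",
                           P + "READ_PHONE_STATE", P + "SYSTEM_ALERT_WINDOW"}),
    "pattern2": frozenset({P + "READ_PHONE_STATE", P + "RECEIVE_BOOT_COMPLETED",
                           P + "GET_TASKS", P + "KILL_BACKGROUND_PROCESSES",
                           P + "WRITE_EXTERNAL_STORAGE"}),
    "pattern3": frozenset({P + "INTERNET", P + "RECEIVE_BOOT_COMPLETED",
                           P + "READ_PHONE_STATE", P + "BIND_DEVICE_ADMIN"}),
    "pattern4": frozenset({P + "INTERNET", P + "RECEIVE_BOOT_COMPLETED",
                           P + "READ_PHONE_STATE", P + "WAKE_LOCK"}),
}


def extract_permissions(manifest_xml):
    """S2: return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name.strip())
    return names


def permissions_from_apk(apk_bytes):
    """S1 + S2: unzip the APK and extract the requested permissions.

    Assumption: AndroidManifest.xml inside the archive is plain-text XML.
    A real APK stores it as binary AXML, which must be decoded first
    (apktool/aapt); that decoding step is not shown here.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml").decode("utf-8")
    return extract_permissions(manifest)


def classify(perms, x=X):
    """S3 + S4: return ('ransomware', pattern_name) or ('benign', None)."""
    # S3: an app requesting X or more permissions is declared non-ransomware
    # without any pattern matching; this is the method's cut-off, not a proof.
    if len(perms) >= x:
        return ("benign", None)
    # S4: a pattern matches when every permission in it was requested
    for name, pattern in PATTERNS.items():
        if pattern <= perms:
            return ("ransomware", name)
    return ("benign", None)


def build_sample_apk(permissions, package="com.example.constructed"):
    """Constructed fixture: a zip holding a plain-text manifest and no code."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
                'package="%s">%s<application/></manifest>' % (package, uses))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()


def scan(apk_bytes):
    """Whole pipeline S1-S4 for one APK."""
    return classify(permissions_from_apk(apk_bytes))


if __name__ == "__main__":
    # Constructed sample that requests exactly the third pattern (device-admin locker)
    locker = build_sample_apk([P + "INTERNET", P + "READ_PHONE_STATE",
                               P + "RECEIVE_BOOT_COMPLETED", P + "BIND_DEVICE_ADMIN"])
    print(scan(locker))  # ('ransomware', 'pattern3')
    # Same four permissions plus 13 constructed ones: 17 in total, so S3 stops early
    noisy = build_sample_apk([P + "INTERNET", P + "READ_PHONE_STATE",
                              P + "RECEIVE_BOOT_COMPLETED", P + "BIND_DEVICE_ADMIN"]
                             + [P + "CONSTRUCTED_%d" % i for i in range(13)])
    print(scan(noisy))  # ('benign', None)
```

The second sample shows the consequence of the fixed value X: the same four permissions are judged non-ransomware once the manifest requests 17 or more permissions in total, which is where the false negatives of this method come from.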
This embodiment also discloses a ransomware detection system based on permission patterns for implementing the above ransomware detection method. The environment configuration of the ransomware detection system is as follows: ① operating system: Windows 7; ② runtime environment: JDK 1.5 or above; ③ software environment: Eclipse 4.6.0.
As shown in FIG. 2, the ransomware detection system of this embodiment comprises:
a decompression module, used for decompressing the APK file of the application software to be detected when the application software to be detected is received;
a parsing module, used for parsing the AndroidManifest.xml file out of the APK file of the application software to be detected;
a permission extraction module, used for extracting from the AndroidManifest.xml file the permissions requested by the application software to be detected;
a permission count comparison module, used for comparing the number of permissions requested by the application software to be detected with a fixed value X and outputting a comparison result; in this embodiment the fixed value X is in the range 17 to 20, and the fixed value X is 17;
a permission pattern matching module, used for matching the permissions requested by the application software to be detected against the given permission patterns and outputting a matching result when the comparison result output by the permission count comparison module is that the number of requested permissions is less than the fixed value X;
a ransomware judging module, used for judging the application software to be detected to be non-ransomware according to the comparison result output by the permission count comparison module, namely when the comparison result is that the number of permissions requested by the application software to be detected is greater than or equal to the fixed value X; and for judging whether the application software to be detected is ransomware according to the matching result output by the permission pattern matching module, namely when the matching result is a successful match the application software to be detected is judged to be ransomware, otherwise it is judged to be non-ransomware.
The permission patterns given in this embodiment are of four kinds, namely a first permission pattern, a second permission pattern, a third permission pattern and a fourth permission pattern, wherein:
the first permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED (name reconstructed; garbled in the translation), android.permission.READ_PHONE_STATE and android.permission.SYSTEM_ALERT_WINDOW; when the permissions requested by the application software to be detected include all four permissions of the first permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the second permission pattern is formed by combining the following five permissions: android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.GET_TASKS, android.permission.KILL_BACKGROUND_PROCESSES and android.permission.WRITE_EXTERNAL_STORAGE; when the permissions requested by the application software to be detected include all five permissions of the second permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the third permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.BIND_DEVICE_ADMIN; when the permissions requested by the application software to be detected include all four permissions of the third permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the fourth permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.WAKE_LOCK; when the permissions requested by the application software to be detected include all four permissions of the fourth permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware.
In this embodiment, an experimental data set is selected, and then the lasso software detection method based on the authority mode in this embodiment and the hetroid lasso software detection method in the prior art are adopted to respectively detect the experimental data set; the experimental data set is an android application software set and comprises benign application software data sets and Legioner software data sets, the benign application software data sets comprise 600 benign application software, the Legioner software data sets comprise 675 Legioner software, and the experimental data are selected by the following method:
Benign application software does not damage the phone system during the user's normal use and does not exhibit behaviour that harms the user's interests. For the benign application software, Tencent's official application market, the Tencent App Store (Yingyongbao), was selected as the acquisition channel; surveys indicate that fewer than 0.005% of the applications downloaded from the Tencent store are found to be malicious. To account for the differences between application categories, 21 categories in the market were selected and the 30 most-downloaded applications of each category were downloaded, so that the sampled applications are popular, well regarded and have shown no security problems in use. To further ensure the reliability of the data set, the benign samples were uploaded to VirusTotal; for each uploaded application VirusTotal generates a scan report containing the results of 57 antivirus engines, and an application is placed in the benign data set Benignware-1 only when every engine marks it as benign. In this embodiment 600 applications were placed in Benignware-1.
The ransomware samples in this embodiment were obtained from Federico Maggi, who collected a large number of ransomware samples through online forums, malware repositories, commercial antivirus companies and other channels. Maggi divides the data set into two parts: a training set (Ransomware-1, 232 applications in total), whose applications are all known and confirmed ransomware, and a test set (Ransomware-2, 443 applications in total), whose applications are unknown and are the ones to be detected. To ensure the reliability of the experimental data, these applications were uploaded to VirusTotal and an application was added to the ransomware data set only when it was marked as malicious by 5 antivirus engines; in this way 675 ransomware samples were obtained.
The permission-pattern ransomware detection method of this embodiment and the HelDroid ransomware detection method were each run against the benign data set Benignware-1 and the test set Ransomware-2 of the ransomware data set. The method of this embodiment detected 414 ransomware samples in the test set Ransomware-2 and flagged 17 applications of the benign data set Benignware-1 as ransomware; the results of the two methods are shown in Table 1 below.
TABLE 1
Detection method Detection rate False alarm rate
HelDroid 84.65% 4.17%
Based on permission patterns 93.45% 2.83%
As the detection results in Table 1 show, the permission-pattern ransomware detection method of this embodiment has a higher detection rate and a lower false alarm rate than the HelDroid ransomware detection method, which indicates that it achieves a better detection effect.
Ten detection runs over the test set Ransomware-2 of the ransomware data set were performed with the method of this embodiment and with the HelDroid method respectively; the time consumed by each method over the ten runs was measured and the average was taken as the time required for one detection run, as shown in Table 2 below.
TABLE 2
Detection method Detection of elapsed time
HelDroid 273s
Based on permission patterns 8.97s
As Table 2 shows, the ransomware detection method of this embodiment needs 8.97 seconds in total to detect the 443 applications of the test set Ransomware-2, that is, only about 0.02 second per application. The average detection time of the HelDroid ransomware detection method is about 30 times that of the method in this embodiment, which shows that the permission-pattern ransomware detection method is highly efficient. The efficiency comes mainly from using permissions to decide whether an application is ransomware: the requested permissions are easily read from the AndroidManifest.xml file, whereas the HelDroid method analyses the source code and resource files of an application, and such reverse analysis is typically time-consuming and labour-intensive.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.

Claims (4)

1. A ransomware detection method based on permission patterns, characterized by comprising the following steps:
S1, when the application software to be detected is received, first decompress the APK file of the application software to be detected;
S2, parse the AndroidManifest.xml file and extract from it the permissions requested by the application software to be detected;
S3, judge whether the number of permissions requested by the application software to be detected is smaller than a fixed value X; if so, go to step S4, otherwise judge the application software to be detected to be non-ransomware;
S4, match the permissions requested by the application software to be detected against the given permission patterns; if the matching succeeds, judge the application software to be detected to be ransomware, otherwise judge it to be non-ransomware;
in step S4, the given permission patterns comprise four kinds, namely a first permission pattern, a second permission pattern, a third permission pattern and a fourth permission pattern; wherein
The first permission mode is formed by combining the following four permissions: internet, identity, software, firmware, internet, software, etc.;
when the permissions requested by the application software to be detected include the four permissions of the first permission pattern, the matching with the first permission pattern succeeds and the application software to be detected is judged to be ransomware;
the second permission pattern is formed by combining the following five permissions: android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.GET_TASKS, android.permission.KILL_BACKGROUND_PROCESSES and android.permission.WRITE_EXTERNAL_STORAGE;
when the permissions requested by the application software to be detected include the five permissions of the second permission pattern, the matching with the second permission pattern succeeds and the application software to be detected is judged to be ransomware;
the third permission mode is formed by combining the following four permissions: internet, identity, root, complete, identity, read, peer, equipment, etc.;
when the permissions requested by the application software to be detected include the four permissions of the third permission pattern, the matching with the third permission pattern succeeds and the application software to be detected is judged to be ransomware;
the fourth permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.WAKE_LOCK;
when the permissions requested by the application software to be detected include the four permissions of the fourth permission pattern, the matching with the fourth permission pattern succeeds and the application software to be detected is judged to be ransomware;
and the fixed value X is 17 to 20.
2. The method of claim 1, wherein the fixed value X is 17.
3. A ransomware detection system based on permission patterns, comprising:
a decompression module, which decompresses the APK file of the application software to be detected when the application software to be detected is received;
a parsing module, which parses the AndroidManifest.xml file;
a permission extraction module, which extracts the permissions requested by the application software to be detected from the AndroidManifest.xml file;
a permission count comparison module, which compares the number of permissions requested by the application software to be detected with a fixed value X and outputs a comparison result;
a permission pattern matching module, which matches the permissions requested by the application software to be detected against the given permission patterns and outputs a matching result when the comparison result output by the permission count comparison module is that the number of requested permissions is smaller than the fixed value X;
a ransomware judging module, which judges according to the comparison result output by the permission count comparison module, namely when that result is that the number of permissions requested by the application software to be detected is greater than or equal to the fixed value X, the application software to be detected is judged to be non-ransomware; and which judges according to the matching result output by the permission pattern matching module whether the application software to be detected is ransomware, namely when the matching result is a successful match, the application software to be detected is judged to be ransomware, otherwise it is judged to be non-ransomware;
the given permission patterns comprise four kinds, namely a first permission pattern, a second permission pattern, a third permission pattern and a fourth permission pattern; wherein
The first permission mode is formed by combining the following four permissions: internet, identity, software, firmware, internet, software, etc.;
when the permissions requested by the application software to be detected include the five permissions of the first permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the second permission pattern is formed by combining the following five permissions: android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.GET_TASKS, android.permission.KILL_BACKGROUND_PROCESSES and android.permission.WRITE_EXTERNAL_STORAGE;
when the permissions requested by the application software to be detected include the five permissions of the second permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the third permission mode is formed by combining the following four permissions: internet, identity, root, complete, identity, read, peer, equipment, etc.;
when the permissions requested by the application software to be detected include the four permissions of the third permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
the fourth permission pattern is formed by combining the following four permissions: android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_PHONE_STATE and android.permission.WAKE_LOCK;
when the permissions requested by the application software to be detected include the four permissions of the fourth permission pattern, the matching result output by the permission pattern matching module is a successful match, and the ransomware judging module judges the application software to be detected to be ransomware;
and the fixed value X is 17 to 20.
4. The ransomware detection system based on permission patterns according to claim 3, wherein the fixed value X is 17.
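As an added worked example, not code from the patent, the following Python implements steps S2 to S4 of claim 1 with X = 17 from claim 2. It assumes the APK has already been decompressed (step S1) and the binary manifest decoded to plain XML, uses only the second and fourth permission patterns because the first and third are not legible in the page text, and the sample manifests it classifies are constructed here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERMISSION_LIMIT = 17  # fixed value X; claim 2 sets X = 17

# Permission patterns as given in claim 1 (second and fourth patterns only;
# the first and third are garbled in the page text and are omitted here).
PERMISSION_PATTERNS = {
    "second": frozenset({
        "android.permission.READ_PHONE_STATE",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.GET_TASKS",
        "android.permission.KILL_BACKGROUND_PROCESSES",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    }),
    "fourth": frozenset({
        "android.permission.INTERNET",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.READ_PHONE_STATE",
        "android.permission.WAKE_LOCK",
    }),
}


def extract_permissions(manifest_xml: str) -> frozenset:
    """Step S2: collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return frozenset(n for n in names if n)


def classify(permissions, limit=PERMISSION_LIMIT, patterns=PERMISSION_PATTERNS):
    """Steps S3 and S4: returns ("ransomware", pattern) or ("non-ransomware", None)."""
    # S3: an app requesting X or more permissions is judged non-ransomware
    # before any pattern matching, even if a pattern would otherwise match.
    if len(permissions) >= limit:
        return ("non-ransomware", None)
    # S4: a match succeeds when the requested set contains every permission of a pattern.
    for name, pattern in patterns.items():
        if pattern <= permissions:
            return ("ransomware", name)
    return ("non-ransomware", None)


def _manifest(perms):
    """Build a constructed, minimal AndroidManifest.xml that requests the given permissions."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return f'<manifest xmlns:android="{ANDROID_NS}" package="example.constructed">{body}</manifest>'


# Constructed sample manifests (not taken from the page's data sets)
SUSPECT = _manifest(sorted(PERMISSION_PATTERNS["second"]) + ["android.permission.INTERNET"])
BENIGN_FEW = _manifest(["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"])
BENIGN_MANY = _manifest(sorted(PERMISSION_PATTERNS["second"]) + [f"android.permission.EXTRA_{i}" for i in range(12)])

if __name__ == "__main__":
    for label, m in [("suspect", SUSPECT), ("benign_few", BENIGN_FEW), ("benign_many", BENIGN_MANY)]:
        print(label, classify(extract_permissions(m)))
```

BENIGN_MANY contains the full second pattern but requests 17 permissions, so the S3 count check alone decides it; lowering `limit` would change that verdict, which is the trade-off the claimed range of 17 to 20 tunes.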
CN201710504921.5A 2017-06-28 2017-06-28 Ransomware detection method and system based on permission patterns Active CN107358101B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710504921.5A CN107358101B (en) 2017-06-28 2017-06-28 Ransomware detection method and system based on permission patterns

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710504921.5A CN107358101B (en) 2017-06-28 2017-06-28 Ransomware detection method and system based on permission patterns

Publications (2)

Publication Number Publication Date
CN107358101A CN107358101A (en) 2017-11-17
CN107358101B true CN107358101B (en) 2020-05-08

Family

ID=60273116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710504921.5A Active CN107358101B (en) 2017-06-28 2017-06-28 Ransomware detection method and system based on permission patterns

Country Status (1)

Country Link
CN (1) CN107358101B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109977671B (en) * 2019-03-14 2020-10-30 西安电子科技大学 Compiler modification-based detection method for Android screen-locking ransomware
CN110889115A (en) * 2019-11-07 2020-03-17 国家计算机网络与信息安全管理中心 Malicious push behavior detection method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103400076A (en) * 2013-07-30 2013-11-20 腾讯科技(深圳)有限公司 Method, device and system for detecting malicious software on mobile terminal
CN104462971A (en) * 2014-12-17 2015-03-25 北京奇虎科技有限公司 Malicious application program recognition method and device according to application program declaration characteristics
CN105631338A (en) * 2014-10-31 2016-06-01 重庆重邮信科通信技术有限公司 Application security authentication method and terminal
CN106874761A (en) * 2016-12-30 2017-06-20 北京邮电大学 A kind of Android system malicious application detection method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103400076A (en) * 2013-07-30 2013-11-20 腾讯科技(深圳)有限公司 Method, device and system for detecting malicious software on mobile terminal
CN105631338A (en) * 2014-10-31 2016-06-01 重庆重邮信科通信技术有限公司 Application security authentication method and terminal
CN104462971A (en) * 2014-12-17 2015-03-25 北京奇虎科技有限公司 Malicious application program recognition method and device according to application program declaration characteristics
CN106874761A (en) * 2016-12-30 2017-06-20 北京邮电大学 A kind of Android system malicious application detection method and system

Also Published As

Publication number Publication date
CN107358101A (en) 2017-11-17

Similar Documents

Publication Publication Date Title
Sato et al. Detecting android malware by analyzing manifest files
Sathyanarayan et al. Signature generation and detection of malware families
Alzaylaee et al. DynaLog: An automated dynamic analysis framework for characterizing android applications
CN108268771B (en) Apparatus and method for indicating malicious object and non-transitory computer readable medium
US7721333B2 (en) Method and system for detecting a keylogger on a computer
EP3420489B1 (en) Cybersecurity systems and techniques
US9158915B1 (en) Systems and methods for analyzing zero-day attacks
Chaba et al. Malware detection approach for android systems using system call logs
US11861006B2 (en) High-confidence malware severity classification of reference file set
WO2012103646A1 (en) Determining the vulnerability of computer software applications to privilege-escalation attacks
Choi et al. Personal information leakage detection method using the inference-based access control model on the Android platform
Malhotra et al. A survey on various malware detection techniques on mobile platform
KR102180098B1 (en) A malware detecting system performing monitoring of malware and controlling a device of user
CN107358101B (en) Ransomware detection method and system based on permission patterns
Aslan Performance comparison of static malware analysis tools versus antivirus scanners to detect malware
Najari et al. Malware detection using data mining techniques
Wichmann et al. Using infection markers as a vaccine against malware attacks
Kim et al. Runtime detection framework for android malware
Bhatt et al. iABC: Towards a hybrid framework for analyzing and classifying behaviour of iOS applications using static and dynamic analysis
Shibija et al. A machine learning approach to the detection and analysis of android malicious apps
Alharbi et al. A Systematic Review of Android Malware Detection Techniques.
Hein Permission based malware protection model for android application
US11281772B2 (en) Systems and methods to detect key loggers
CN109840417B (en) Malicious software detection method and device
Deepserish et al. PET-Droid: Android Malware Detection Using Static Analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant