CN108229161A - Application monitoring method, device and terminal - Google Patents

Application monitoring method, device and terminal

Info

Publication number
CN108229161A
Authority
CN
China
Prior art keywords
log
log data
instrumentation
kernel layer
kernel
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611156638.XA
Other languages
Chinese (zh)
Inventor
舒园园
魏渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-12-15
Filing date
2016-12-15
Publication date
2018-06-29
2016-12-15 Application filed by China Telecom Corp Ltd
2016-12-15 Priority to CN201611156638.XA
2018-06-29 Publication of CN108229161A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The present invention proposes an application monitoring method, device and terminal, and relates to the field of security technology. The application monitoring method of the invention includes: obtaining log data through instrumentation in the kernel layer; and identifying abnormal problems by analysing the log data. With this method, calls into key low-level Android modules can be monitored and analysed directly, so that all behaviour of upper-layer Android applications is monitored in real time. Problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can thus be found effectively, improving the security of the terminal.

Description

Application monitoring method, device and terminal
Technical field
The present invention relates to the field of security technology, and in particular to an application monitoring method, device and terminal.
Background technology
With the development of terminals and applications, more and more users store important applications and personal information on their terminals, and operations such as shopping and payment performed with mobile terminals are also increasingly common. The importance of protecting terminals from malware threats has therefore risen sharply.
Among terminals, Android system terminals are in use in very large numbers. The existing way of monitoring and intercepting sensitive behaviour of Android software is based on the Binder inter-process communication mechanism of the Android system: Hook functions intercept the Binder messages exchanged between processes, and the sensitive behaviour of the Android software is analysed from those messages.
However, such a method detects and analyses Android behaviour only by inspecting the Binder inter-process communication mechanism. Emerging Android malicious applications can inject malicious executable code in the native framework layer, or tamper with the bytecode the program itself executes, in order to bypass Binder monitoring deployed in the framework layer. Against such malicious programs the prior art is powerless, and users easily suffer losses.
Summary of the invention
One object of the present invention is to improve the security of user terminals.
According to one aspect of the present invention, an application monitoring method is proposed, including: obtaining log data through instrumentation in the kernel layer; and identifying abnormal problems by analysing the log data.
Optionally, obtaining log data through instrumentation in the kernel layer includes: obtaining memory-management log data by instrumenting key memory-management functions in the kernel layer, the memory-management log data including memory loading, memory modification and/or memory copying.
Optionally, obtaining log data through instrumentation in the kernel layer includes: obtaining file-management log data by instrumenting key file-management functions in the kernel layer, the file-management log data including file addition, file deletion and/or file modification.
Optionally, obtaining log data through instrumentation in the kernel layer includes: obtaining driver log data by instrumenting key driver functions in the kernel layer, the driver log data including log data of NFC (Near Field Communication), the camera and/or USB (Universal Serial Bus).
Optionally, the abnormal problems include injection of malicious executable code and/or self-tampering of the bytecode a program executes.
Optionally, the method further includes: issuing an alarm when an abnormal problem is determined to have occurred.
Optionally, the method further includes: instrumenting the kernel layer of the system based on the process tracing (ptrace) framework.
With this method, calls into key low-level Android modules can be monitored and analysed directly, so that all behaviour of upper-layer Android applications is monitored in real time; problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can be found effectively, improving the security of the terminal.
According to another aspect of the present invention, an application monitoring device is proposed, including: an instrumentation module for obtaining log data through instrumentation in the kernel layer; and an instrumentation log analysis module for identifying abnormal problems by analysing the log data.
Optionally, the instrumentation module includes: a memory-management instrumentation unit for obtaining memory-management log data by instrumenting key memory-management functions in the kernel layer, the memory-management log data including memory loading, memory modification and/or memory copying.
Optionally, the instrumentation module includes: a file-management instrumentation unit for obtaining file-management log data by instrumenting key file-management functions in the kernel layer, the file-management log data including file addition, file deletion and/or file modification.
Optionally, the instrumentation module includes: a driver instrumentation unit for obtaining driver log data by instrumenting key driver functions in the kernel layer, the driver log data including log data of NFC, the camera and/or USB.
Optionally, the abnormal problems include injection of malicious executable code and/or self-tampering of the bytecode a program executes.
Optionally, the device further includes: an alarm module for issuing an alarm when the instrumentation log analysis module determines that an abnormal problem has occurred.
Optionally, the device further includes: an instrumentation configuration module for instrumenting the kernel layer of the system based on the process tracing (ptrace) framework.
Such a device can monitor and analyse calls into key low-level Android modules directly, so that all behaviour of upper-layer Android applications is monitored in real time; problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can be found effectively, improving the security of the terminal.
According to a further aspect of the present invention, a terminal is proposed, including any one of the application monitoring devices mentioned above.
Such a terminal can use the application monitoring device to monitor and analyse calls into key low-level Android modules directly, so that all behaviour of upper-layer Android applications is monitored in real time; problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can be found effectively, improving the security of the terminal.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of one embodiment of the application monitoring method of the present invention.
Fig. 2 is a flow chart of another embodiment of the application monitoring method of the present invention.
Fig. 3 is a schematic diagram of one embodiment of the application monitoring device of the present invention.
Fig. 4 is a schematic diagram of another embodiment of the application monitoring device of the present invention.
Fig. 5 is a schematic diagram of one embodiment of the terminal of the present invention.
Detailed description
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
A flow chart of one embodiment of the application monitoring method of the present invention is shown in Fig. 1.
In step 101, log data is obtained through instrumentation in the kernel layer. In one embodiment, the important modules of the kernel can be instrumented based on the ptrace framework (ptrace being the process-tracing interface that the kernel exposes to user space).
In step 102, abnormal problems are identified by analysing the log data. In one embodiment, the log data of each module can be analysed on its own, and the log data of the different modules can also be correlated, in order to search for problems such as injection of malicious executable code and self-tampering of the bytecode a program executes.
With this method, calls into key low-level Android modules can be monitored and analysed directly, so that all behaviour of upper-layer Android applications is monitored in real time; problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can be found effectively, improving the security-detection capability and the security of the terminal.
A flow chart of another embodiment of the application monitoring method of the present invention is shown in Fig. 2.
In step 201, memory-management log data is obtained by instrumenting key memory-management functions in the kernel layer; the memory-management log data may include memory loading, memory modification, memory copying and the like.
In step 202, file-management log data is obtained by instrumenting key file-management functions in the kernel layer; the file-management log data may include file addition, file deletion, file modification and the like.
In step 203, driver log data is obtained by instrumenting key driver functions in the kernel layer; the driver log data includes the log data of NFC, the camera, USB and the like.
In step 204, abnormal problems are identified by analysing the log data. In one embodiment, the memory-management log data, file-management log data and driver log data are analysed both independently and in combination to obtain abnormal log data, from which it is determined whether an abnormal problem has occurred. In one embodiment, the abnormal problems include injection of malicious executable code, self-tampering of the bytecode a program executes, and the like.
With this method, instrumentation and log collection can be performed at key positions in the kernel layer, such as memory management, file management and drivers, so that the bytecode executed by a program is comprehensively monitored and logged. Anomalies in memory management, file management and drivers are thereby obtained promptly, making it easy to discover abnormal problems in a timely and comprehensive manner and improving security.
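The following is an added illustration of the analysis in step 204 (and of the independent-plus-combined analysis the summary above assigns to the instrumentation log analysis module); it is example code written for this page, not code from the patent or from China Telecom. The log line format, the field names, the sample lines and the three detection rules are all this example's assumptions: a real deployment would have the kernel-layer instrumentation points emit such records, whereas here they are constructed inline. The rules are: a memory copy whose target is another process followed by that process making memory executable is treated as code injection; a process rewriting a bytecode file (.dex/.odex/.vdex/.oat) it has itself mapped is treated as bytecode self-tampering; and a driver event (NFC, camera, USB) from a process already flagged by either rule is escalated through cross-module correlation.

```python
"""Analysing kernel-layer instrumentation logs for code injection and
bytecode self-tampering. Added example, not the patent's code: the line
format, field names and detection rules are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of the three instrumented log streams (memory
# management, file management, drivers). Layout: "<ts> <module> <event> k=v ...".
SAMPLE_LOG = """\
1001 mem load pid=4201 uid=10087 path=/data/app/com.bank.pay/base.apk prot=r-x
1002 mem load pid=4201 uid=10087 path=/data/app/com.bank.pay/oat/arm64/base.odex prot=r--
1003 mem copy pid=4377 uid=10099 target=4201 bytes=4096
1004 mem modify pid=4201 uid=10087 addr=0x7f3a2000 prot=rwx
1005 file modify pid=4201 uid=10087 path=/data/app/com.bank.pay/oat/arm64/base.odex
1006 drv camera pid=4201 uid=10087 op=open
1007 drv nfc pid=4501 uid=10120 op=open
1008 file add pid=4501 uid=10120 path=/data/data/com.notes/cache/tmp.txt
"""

BYTECODE_EXT = (".dex", ".odex", ".vdex", ".oat")
LINE_RE = re.compile(r"^(\d+)\s+(mem|file|drv)\s+(\w+)\s+(.*)$")


@dataclass
class Event:
    ts: int
    module: str          # mem | file | drv
    kind: str            # mem: load/modify/copy; file: add/delete/modify; drv: nfc/camera/usb
    pid: int
    uid: int
    attrs: Dict[str, str]


@dataclass
class Alarm:
    ts: int
    pid: int
    problem: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one instrumentation log line; anything off-format is rejected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, module, kind, rest = m.groups()
    attrs = dict(kv.split("=", 1) for kv in rest.split())
    return Event(int(ts), module, kind, int(attrs.pop("pid")), int(attrs.pop("uid")), attrs)


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def analyze(events: List[Event]) -> List[Alarm]:
    """Independent per-module checks plus cross-module correlation."""
    alarms: List[Alarm] = []
    loaded: Dict[int, Set[str]] = {}      # pid -> bytecode files mapped into it
    injected_into: Dict[int, int] = {}    # target pid -> ts of cross-process memory write
    suspect: Set[int] = set()             # pids already flagged by a memory/file rule

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.module == "mem" and ev.kind == "load":
            path = ev.attrs.get("path", "")
            if path.endswith(BYTECODE_EXT):
                loaded.setdefault(ev.pid, set()).add(path)
        elif ev.module == "mem" and ev.kind == "copy":
            # A memory copy whose target is another process is the injection step.
            target = int(ev.attrs.get("target", ev.pid))
            if target != ev.pid:
                injected_into[target] = ev.ts
        elif ev.module == "mem" and ev.kind == "modify":
            # Injected bytes becoming executable completes the injection.
            if "x" in ev.attrs.get("prot", "") and ev.pid in injected_into:
                alarms.append(Alarm(ev.ts, ev.pid, "code injection",
                                    f"memory written by another process at ts={injected_into[ev.pid]} "
                                    f"then remapped {ev.attrs['prot']}"))
                suspect.add(ev.pid)
        elif ev.module == "file" and ev.kind == "modify":
            # Rewriting a bytecode file the same process has mapped is self-tampering.
            path = ev.attrs.get("path", "")
            if path in loaded.get(ev.pid, set()):
                alarms.append(Alarm(ev.ts, ev.pid, "bytecode self-tampering",
                                    f"process rewrote its own loaded bytecode {path}"))
                suspect.add(ev.pid)
        elif ev.module == "drv" and ev.pid in suspect:
            # Correlation across modules: device access by an already-flagged process.
            alarms.append(Alarm(ev.ts, ev.pid, "driver access by compromised process",
                                f"{ev.kind} {ev.attrs.get('op', '')}"))
    return alarms


def main() -> None:
    for a in analyze(parse_log(SAMPLE_LOG)):
        print(f"ALARM ts={a.ts} pid={a.pid} {a.problem}: {a.detail}")


if __name__ == "__main__":
    main()
```

Run as a script, the sample produces three alarms for pid 4201 (injection at ts 1004, self-tampering at ts 1005, camera access by the compromised process at ts 1006) and nothing for the benign NFC and file-add lines of pid 4501. The ordering of rules matters: the memory rule alone sees a harmless-looking mprotect, the file rule alone sees an ordinary write; only keeping per-process state across the three streams lets the analyser tell the two attacks in the patent's background section apart from normal app behaviour.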
In one embodiment, a prototype may be used to test the application monitoring method of the present invention. First, after the hooks have been customised and loaded, the application to be analysed is installed in the prototype's execution environment. The hook instrumentation points in the kernel are then used to monitor the application and obtain log information, and the log information is analysed. In this way the prototype can be used for effectiveness tests, to optimise the application monitoring effect and improve security.
A schematic diagram of one embodiment of the application monitoring device of the present invention is shown in Fig. 3. The instrumentation module 301 can obtain log data through instrumentation in the kernel layer. In one embodiment, the important modules of the kernel can be instrumented based on the ptrace framework. The instrumentation log analysis module 302 can identify abnormal problems by analysing the log data. In one embodiment, the log data of each module can be analysed on its own, and the log data of the different modules can also be correlated, in order to search for problems such as injection of malicious executable code and self-tampering of the bytecode a program executes.
Such a device can monitor and analyse calls into key low-level Android modules directly, so that all behaviour of upper-layer Android applications is monitored in real time; problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can be found effectively, improving the security-detection capability and the security of the terminal.
A schematic diagram of another embodiment of the application monitoring device of the present invention is shown in Fig. 4. The memory-management instrumentation unit 401 can obtain memory-management log data by instrumenting key memory-management functions in the kernel layer; the memory-management log data may include memory loading, memory modification, memory copying and the like. The file-management instrumentation unit 402 can obtain file-management log data by instrumenting key file-management functions in the kernel layer; the file-management log data may include file addition, file deletion, file modification and the like. The driver instrumentation unit 403 can obtain driver log data by instrumenting key driver functions in the kernel layer; the driver log data includes the log data of NFC, the camera, USB and the like. The instrumentation log analysis module 42 can identify abnormal problems by analysing the log data. In one embodiment, the memory-management log data, file-management log data and driver log data are analysed both independently and in combination to obtain abnormal log data, from which it is determined whether an abnormal problem has occurred. In one embodiment, the abnormal problems include injection of malicious executable code, self-tampering of the bytecode a program executes, and the like.
Such a device can perform instrumentation and log collection at key positions in the kernel layer, such as memory management, file management and drivers, so that anomalies in memory management, file management and drivers are obtained promptly, making it easy to discover abnormal problems in a timely and comprehensive manner and improving security.
A schematic diagram of one embodiment of the terminal of the present invention is shown in Fig. 5. The architecture of the terminal system includes an application layer 51, a framework layer 52 and a kernel layer 53, where the kernel layer 53 includes a number of key functional units, such as a memory management unit 531, a file management unit 532 and a driver unit 533. The instrumentation module 54 of the application monitoring device is located in the kernel layer 53 of the terminal and may include a memory-management instrumentation unit 541, a file-management instrumentation unit 542 and a driver instrumentation unit 543, located respectively in the memory management unit 531, the file management unit 532 and the driver unit 533, which obtain memory-management log data, file-management log data and driver log data respectively. The instrumentation log analysis module 55 analyses the memory-management log data, file-management log data and driver log data both independently and in combination to obtain abnormal log data, from which it determines whether an abnormal problem has occurred.
Such a terminal can use the application monitoring device to monitor and analyse calls into key low-level Android modules directly, so that all behaviour of upper-layer Android applications is monitored in real time; problems such as injection of malicious executable code and self-tampering of the bytecode a program executes can be found effectively, improving the security-detection capability and the security of the terminal.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified, or some of their technical features replaced by equivalents, without departing from the spirit of the technical solution of the present invention; all such modifications and replacements fall within the scope of the technical solution claimed by the present invention.

Claims (11)

1. An application monitoring method, characterised by including:
obtaining log data through instrumentation in the kernel layer;
identifying abnormal problems by analysing the log data.
2. The method according to claim 1, characterised in that
obtaining log data through instrumentation in the kernel layer includes:
obtaining memory-management log data by instrumenting key memory-management functions in the kernel layer, the memory-management log data including memory loading, memory modification and/or memory copying;
obtaining file-management log data by instrumenting key file-management functions in the kernel layer, the file-management log data including file addition, file deletion and/or file modification;
and/or
obtaining driver log data by instrumenting key driver functions in the kernel layer, the driver log data including log data of Near Field Communication (NFC), the camera and/or Universal Serial Bus (USB).
3. The method according to claim 1, characterised in that the abnormal problems include injection of malicious executable code and/or self-tampering of the bytecode a program executes.
4. The method according to claim 1, characterised by further including:
issuing an alarm when the abnormal problem is determined to have occurred.
5. The method according to claim 1, characterised by further including:
instrumenting the kernel layer of the system based on the process tracing (ptrace) framework.
6. An application monitoring device, characterised by including:
an instrumentation module for obtaining log data through instrumentation in the kernel layer;
an instrumentation log analysis module for identifying abnormal problems by analysing the log data.
7. The device according to claim 6, characterised in that the instrumentation module includes:
a memory-management instrumentation unit for obtaining memory-management log data by instrumenting key memory-management functions in the kernel layer, the memory-management log data including memory loading, memory modification and/or memory copying;
a file-management instrumentation unit for obtaining file-management log data by instrumenting key file-management functions in the kernel layer, the file-management log data including file addition, file deletion and/or file modification;
and/or
a driver instrumentation unit for obtaining driver log data by instrumenting key driver functions in the kernel layer, the driver log data including log data of Near Field Communication (NFC), the camera and/or Universal Serial Bus (USB).
8. The device according to claim 6, characterised in that the abnormal problems include injection of malicious executable code and/or self-tampering of the bytecode a program executes.
9. The device according to claim 6, characterised by further including:
an alarm module for issuing an alarm when the instrumentation log analysis module determines that the abnormal problem has occurred.
10. The device according to claim 6, characterised by further including:
an instrumentation configuration module for instrumenting the kernel layer of the system based on the process tracing (ptrace) framework.
11. A terminal, characterised by including the application monitoring device according to any one of claims 6 to 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611156638.XA CN108229161A (en) 2016-12-15 2016-12-15 Application monitoring method, device and terminal


Publications (1)

Publication Number Publication Date
CN108229161A true CN108229161A (en) 2018-06-29

Family

ID=62651128



Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
US20140245386A1 (en) * 2012-07-10 2014-08-28 Barak ROSENBERG System and method for access control management
CN105074671A (en) * 2013-03-27 2015-11-18 英特尔公司 Method and system for detecting concurrency programming errors in kernel modules and device drivers
CN105184166A (en) * 2015-10-21 2015-12-23 南京大学 Kernel-based Android application real-time behavior analysis method and system


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109388538A (en) * 2018-09-13 2019-02-26 西安交通大学 A kind of file operation behavior monitoring method and device based on kernel
CN109697163A (en) * 2018-12-14 2019-04-30 西安四叶草信息技术有限公司 Program testing method and equipment
CN109697163B (en) * 2018-12-14 2022-03-04 西安四叶草信息技术有限公司 Program testing method and device
CN111382424A (en) * 2018-12-27 2020-07-07 全球能源互联网研究院有限公司 Mobile application sensitive behavior detection method and system based on controlled environment
CN110413497A (en) * 2019-07-30 2019-11-05 Oppo广东移动通信有限公司 Abnormality monitoring method, device, terminal device and computer readable storage medium
CN110413497B (en) * 2019-07-30 2024-02-13 Oppo广东移动通信有限公司 Abnormality monitoring method, abnormality monitoring device, terminal device and computer-readable storage medium
CN110866226A (en) * 2019-11-15 2020-03-06 中博信息技术研究院有限公司 JAVA application software copyright protection method based on encryption technology
CN110866226B (en) * 2019-11-15 2022-05-24 中博信息技术研究院有限公司 JAVA application software copyright protection method based on encryption technology
CN111931166A (en) * 2020-09-24 2020-11-13 中国人民解放军国防科技大学 Application program anti-attack method and system based on code injection and behavior analysis
CN111931166B (en) * 2020-09-24 2021-06-22 中国人民解放军国防科技大学 Application program anti-attack method and system based on code injection and behavior analysis


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180629)