CN108595954A - A kind of malicious act monitoring method based on run time verification - Google Patents


Info

Publication number: CN108595954A
Authority: CN (China)
Prior art keywords: malicious act, application, user, application program, called
Legal status: Pending
Application number: CN201810313657.1A
Other languages: Chinese (zh)
Inventors: 殷萍, 高翠芳
Current Assignee: Jiangnan University
Original Assignee: Jiangnan University
Priority date: 2018-04-10
Filing date: 2018-04-10
Publication date: 2018-09-28
Application filed by Jiangnan University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a malicious behaviour monitoring method based on runtime verification, in the field of computer technology. When software requests sensitive information, the request must pass through a Linux kernel system call before it can be served. The method hooks that system call in kernel space and parses the call data; a monitor then compares the parsed call data with preset descriptions of malicious behaviour to decide in real time whether the behaviour the application is executing is malicious, and if it is, a warning message is sent to the user. Because the method observes the actual execution of Android applications at runtime, it can monitor whether an application exhibits malicious behaviour with a lightweight dynamic approach that requires few changes to the Android system; monitoring is more accurate, deployment is more efficient and the cost is lower.

Description

A malicious behaviour monitoring method based on runtime verification
Technical field
The present invention relates to the field of computer technology, and in particular to a malicious behaviour monitoring method based on runtime verification.
Background technology
With the rapid development of the Android system and smartphones, Android applications have grown explosively, and security problems of the Android system have followed: malicious applications attack mobile terminals and steal users' private information, and the problem is getting worse.
Many legitimate applications are embedded with malicious code, repackaged and uploaded to Android markets as malicious applications, and the security mechanisms built into Android usually cannot intercept the malicious requests such applications make. To address this safety problem, the mainstream malware detection methods for the Android system currently fall into static detection and dynamic detection. A typical static approach is the Saint framework, whose central elements are a modified Android application installer and the AppPolicy Provider; the custom installer ensures that, at installation time, only applications that do not violate the policies stored in the AppPolicy Provider are installed. Because permissions are largely assigned statically to third-party applications, the operations an application may or may not perform are fixed at runtime; the approach depends heavily on the stored policies and usually cannot accurately identify a newly appearing malicious program. A typical dynamic approach is TaintDroid, which makes extensive modifications across the whole Android stack to track sensitive data while third-party applications run. These modifications let TaintDroid detect when sensitive data leak through any kind of upload or direct transfer, but in order to track how sensitive data are used throughout the system TaintDroid actually taints the sensitive data, and it also brings a runtime overhead of up to 27%.
Summary of the invention
In view of the problems and technical needs above, the inventors propose a malicious behaviour monitoring method based on runtime verification. It is a lightweight dynamic monitoring method: it observes the actual execution of an Android application at runtime and monitors whether the application exhibits malicious behaviour, and it is more accurate, deploys more efficiently and costs less.
The technical scheme is as follows.
A malicious behaviour monitoring method based on runtime verification, the method comprising:
while the system is running, when an application is detected requesting sensitive information, intercepting in kernel space the system call that handles that information;
establishing a two-way communication link between kernel space and user space;
parsing the call data of the intercepted system call in user space to obtain parsed call data;
passing the parsed call data to a monitor, which detects in real time whether the behaviour the application is executing is malicious;
when the application behaviour is found to be malicious, issuing a warning to the user.
In a further technical solution the method also comprises:
describing preset malicious behaviours in a preset description language to obtain description data for each preset malicious behaviour;
and detecting in real time whether the behaviour the application is executing is malicious then comprises:
comparing the parsed call data with the description data of each preset malicious behaviour;
if the comparison succeeds, determining that the application behaviour is malicious.
In a further technical solution, intercepting in kernel space the system call that handles the sensitive information when an application is detected requesting it comprises:
inserting kprobes into predetermined system calls;
when the system call executed by the application is detected, hooking the system call non-intrusively with the kprobes.
In a further technical solution, establishing the two-way communication link between kernel space and user space comprises:
establishing the two-way communication link between kernel space and user space on the basis of Netlink sockets.
The beneficial effects of the method are as follows:
This application discloses a malicious behaviour monitoring method based on runtime verification. Designed around runtime verification, it collects the system calls made by software, observes the actual execution of the application, and from that actual execution dynamically monitors whether the application exhibits malicious behaviour. It is a lightweight yet dynamic monitoring method and complements static analysis well. In addition, the application combines the advantages of platform-centred and application-centred methods: the underlying system needs few modifications, yet application interactions can be tracked down to the operating-system kernel level, so deployment is more efficient and cheaper. The invention is not limited to specially prepared applications but applies to everything executed on the system, so its scope of application is wide and its scalability is good.
Description of the drawings
Fig. 1 is a flow chart of the malicious behaviour monitoring method based on runtime verification disclosed in this application.
Detailed description of the embodiments
The following further describes specific embodiments of the invention with reference to the drawings.
This application discloses a malicious behaviour monitoring method based on runtime verification, used in the Android system. The application has two main components: a framework for the behaviour of the Android system on the phone, and an analysis part, which collects system events in time order and passes them to the monitor for detection. The invention first needs to describe the malicious behaviours of preset malware in code form in a preset description language, giving description data for each preset malicious behaviour; what counts as malicious behaviour is defined by the user. For example, an application that starts at boot, then checks the device's location and then connects to the Internet (the location may be transmitted) exhibits malicious behaviour. Of course, not every application that queries the location and then connects to the Internet is malicious, but much so-called "spyware" appears as a harmless toy application (such as a wallpaper) in disguise, and such applications have no reasonable grounds to act in the way described. Taking information theft, permission escalation, malicious boot loading and rate (payment) requests as the preset malicious behaviours, the description data of the main Android system actions are as follows (the application does not list every system action):
φ1 ::= getDeviceId@IPhoneSubInfo;
φ2 ::= getSubscriberId@IPhoneSubInfo;
φ3 ::= getIccSerialNumber@IPhoneSubInfo;
φ4 ::= getLine1Number@IPhoneSubInfo;
φ5 ::= getDeviceSvn@IPhoneSubInfo;
QUERY@IContentProvider.regex(uri, ".*calls*");
QUERY@IContentProvider.regex(uri, ".*contacts*");
QUERY@IContentProvider.regex(uri, ".*phones*");
QUERY@IContentProvider.regex(uri, ".*bookmarks*");
QUERY@IContentProvider.regex(uri, ".*preferapn*");
QUERY@IContentProvider.regex(uri, ".*sms*");
do_execv@syscall.regex(args, ".*logcat.*");
The preset malicious behaviours above can then be described as follows:
1. Information theft: for φi with i ∈ [1,14], information-theft behaviour can be described as
2. Permission escalation: some malware demands very high access rights for itself; permission-escalation behaviour can be described as: do_execv@syscall.regex(args, ".*su|pm(un)install|am start.*").
3. Malicious boot loading: some malware requires a broadcast to start certain services after system start-up; malicious boot-loading behaviour can be described as: system#scheduleReceiver@IApplicationThread.(regex(intent, ci) ∧ regex(txt, ".*<pkg>.*")).
4. Rate request: some malware makes payment requests; rate-request behaviour can be described as:
sendText@ISms.inContactBook(dest);
finishReceiver@IActivityManager.regex(abort, "true").
The concrete operating steps of the invention while the system runs are as follows (see Fig. 1):
Step 1: system-call interception is first performed in kernel space. In the Android system, an application's behaviour must ultimately go through a system call in the Linux kernel; when an application executes a predetermined system call, it can be taken that the application may be exhibiting malicious behaviour of the kind described above, such as requesting sensitive information or connecting to the outside world. The predetermined system calls correspond to the malicious behaviours above, but they can be any system call in the Android system and can be defined by the user. For example, in this application, to detect an application that sends the user's information by SMS without the user's authorisation, the predetermined system calls include the open, connect, execve and ioctl system calls. Android's security design is used here to control the operating flow of applications that require permissions. In this application, when an application is detected requesting sensitive information, the kernel's internal debugging mechanism kprobes intercepts the system call that handles that information non-intrusively; this interception method needs no change to the Android system or to the application. More specifically, the application builds a customised kernel module consisting of skeleton code (the so-called probes) and small call-handler routines. The application dynamically adds these kprobes to the following predetermined system calls:
1. sys_open(const char __user *filename, ...): opens the file filename for reading and writing;
2. sys_connect(int sockfd, const struct sockaddr *addr, ...): addr contains the IPv4 or IPv6 address of the Internet connection being established;
3. do_execve(char *filename, char __user * __user *argv, ...): filename is the program or shell script executed with the arguments argv;
4. ioctl(...): used to control kernel drivers, such as the Android Binder driver.
Step 2: establish the two-way communication link between kernel space and user space. Because event interception happens only in kernel space, while unmarshalling depends on Android's Java API (Application Programming Interface), a mechanism is needed to pass data from kernel space to user space, that is, to the application; at the same time the user must be able to control the kernel module from the application, for example to turn event interception on or off. Android provides no built-in method for this, so the application uses Netlink sockets to establish the two-way communication link between kernel space and user space. Netlink is a socket-based Linux kernel mechanism; the application places the communication endpoint inside the kernel module, which gives two-way communication between kernel space and user space without changing the Android framework at all. Netlink allows a callback method to be declared for receiving kernel data, so the kernel module's events need not be polled; the application uses reflection and the Java Native Interface (JNI) to register a Java method that is triggered automatically whenever data received from Netlink are forwarded to it.
Step 3: the call data of the intercepted system call are passed to user space and then parsed. The call data of a system call generally include the call parameters and the calling process. The ioctl(...) system call carries information encoded in its parameters, and that information is passed inside the system through Android's inter-process communication mechanism, Binder, for the corresponding operation. What is intercepted in kernel space is a C structure: the message that the Binder driver copies from the sender into the address space of the receiving process. Because the information cannot be read directly, the call data must be decoded after they are obtained to yield decoded call data. The application's approach is to create a Parcel object directly from the intercepted buffer field of the binder transaction data and apply Android's specific unmarshalling methods to it, i.e. readString(), readInt(), readFloat() and so on. For efficiency, however, Parcel objects carry no information about the order in which their fields appear; the unmarshalling methods must be called in the correct order to read the encoded parameters, so the parameters cannot be accessed easily. During formal unmarshalling, a stub knows how its proxy used the corresponding methods writeString(), writeInt(), writeFloat() and so on to encode the parameters, and inspecting several proxy classes shows that the parameters usually appear in the same order as in the corresponding method signature. The name and form of the signature and the types of the parameters can therefore be obtained by a mapping, but only once the called interface and method name are known.
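As an added illustration of the ordering problem in step 3 (example code written for this page, not the patent's or Android's implementation), the following Python models a Parcel-style buffer and shows that an intercepted transaction can only be decoded by calling the reader methods in the order fixed by the callee's method signature. The byte layout is a simplified model of Android's Parcel encoding (assumption: little-endian int32, float32, and strings as an int32 UTF-16 code-unit count followed by UTF-16LE text, a 16-bit terminator and padding to a 4-byte boundary), and the method signatures in SIGNATURES are hypothetical simplifications, not the real AIDL signatures.

```python
import struct


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (Parcel aligns fields to 4 bytes)."""
    return (4 - n % 4) % 4


class ParcelWriter:
    """Mirrors what a Binder proxy does with writeInt()/writeFloat()/writeString()."""
    def __init__(self):
        self.buf = bytearray()

    def write_int(self, v):
        self.buf += struct.pack("<i", v)

    def write_float(self, v):
        self.buf += struct.pack("<f", v)

    def write_string(self, s):
        data = s.encode("utf-16-le")
        self.buf += struct.pack("<i", len(s)) + data + b"\x00\x00"
        self.buf += b"\x00" * _pad4(len(data) + 2)


class ParcelReader:
    """Mirrors the stub side: readInt()/readFloat()/readString() over the raw buffer."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def _take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("read past end of transaction: wrong field order or signature")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_int(self):
        return struct.unpack("<i", self._take(4))[0]

    def read_float(self):
        return struct.unpack("<f", self._take(4))[0]

    def read_string(self):
        n = self.read_int()                  # UTF-16 code units
        if n < 0 or n > 1 << 20:             # a misread length is the usual symptom of wrong order
            raise ValueError("implausible string length %d: wrong field order" % n)
        text = self._take(2 * n).decode("utf-16-le")
        self._take(2 + _pad4(2 * n + 2))     # terminator plus alignment padding
        return text


# Hypothetical, simplified method signatures (assumption, not real AIDL):
# interface/method name -> ordered list of (parameter name, type).
SIGNATURES = {
    "sendText@ISms": [("dest", "string"), ("text", "string")],
    "QUERY@IContentProvider": [("uri", "string"), ("limit", "int")],
}


def encode(signature, values):
    """Build the transaction buffer a proxy would send, in signature order."""
    if len(signature) != len(values):
        raise ValueError("value count does not match signature")
    w = ParcelWriter()
    for (_, typ), val in zip(signature, values):
        getattr(w, "write_" + typ)(val)
    return bytes(w.buf)


def decode(method, buf):
    """Unmarshal an intercepted buffer using the signature of the called method."""
    r = ParcelReader(buf)
    params = {name: getattr(r, "read_" + typ)() for name, typ in SIGNATURES[method]}
    if r.pos != len(buf):
        raise ValueError("trailing bytes: signature does not match transaction")
    return params


def decode_wrong_order(method, buf):
    """Read the same buffer with the signature reversed; returns the resulting error text."""
    r = ParcelReader(buf)
    try:
        for _, typ in reversed(SIGNATURES[method]):
            getattr(r, "read_" + typ)()
    except ValueError as e:
        return str(e)
    return "no error"


if __name__ == "__main__":
    sms = encode(SIGNATURES["sendText@ISms"], ["10658888", "ORDER"])  # constructed sample
    print(decode("sendText@ISms", sms))
    query = encode(SIGNATURES["QUERY@IContentProvider"], ["content://sms", 5])
    print(decode_wrong_order("QUERY@IContentProvider", query))
```

Reading the QUERY buffer with the parameters reversed consumes the string's length word as the integer and then interprets the first two characters as a string length, which is why the signature mapping in step 3 is needed before any parameter can be trusted.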
Step 4: the parsed call data are passed to the monitor, which detects in real time whether the behaviour the application is executing is malicious. The monitor compares the parsed call data with the description data of each preset malicious behaviour; if the comparison succeeds, it determines that what the application executed is malicious, and specifically the preset malicious behaviour corresponding to the parsed call data. The method can therefore not only monitor whether an application violates the behaviour the user expects, but also detect what behaviour the application actually performed.
Step 5: when the application behaviour is found to be malicious, a warning message is issued to the user.
What is described above is only the preferred embodiment of this application, and the invention is not limited to the embodiment above. It will be understood that other improvements and changes directly derived or conceived by those skilled in the art without departing from the spirit and concept of the invention are considered to fall within the scope of protection of the invention.
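The description language of the embodiment and the monitor of steps 4 and 5, carried through as an added example (written for this page, not the patent's code): a small rule engine that consumes parsed call events in time order and compares them with the four preset malicious behaviours. The event format, the application names, the contact book and the boot-intent string standing in for the page's `ci` are constructed assumptions; the regular expressions are adapted from the page's patterns; the information-theft rule, whose formula is not reproduced on the page, is taken here as a sensitive read followed by a network connection from the same application, as the text's location-then-Internet example describes; and the page's inContactBook(dest) condition is read as "destination not among the user's contacts", the premium-number case.

```python
import re

# Sensitive sources phi1..phi5 from the patent's description language.
SENSITIVE_SOURCES = {
    "getDeviceId@IPhoneSubInfo", "getSubscriberId@IPhoneSubInfo",
    "getIccSerialNumber@IPhoneSubInfo", "getLine1Number@IPhoneSubInfo",
    "getDeviceSvn@IPhoneSubInfo",
}
# The page's QUERY@IContentProvider.regex(uri, ...) patterns, folded into one expression.
SENSITIVE_URI = re.compile(r".*(calls|contacts|phones|bookmarks|preferapn|sms).*")
# Permission escalation, adapted from do_execv@syscall.regex(args, ".*su|pm(un)install|am start.*").
PRIV_ESC = re.compile(r"(^|/)su$|pm (un)?install|am start")
# Assumption: the page's `ci` in regex(intent, ci) is the boot-completed action.
BOOT_INTENT = "android.intent.action.BOOT_COMPLETED"
# Constructed contact book backing the inContactBook(dest) predicate.
CONTACTS = {"+8613800000000"}


def is_sensitive_read(call, args):
    if call in SENSITIVE_SOURCES:
        return True
    return call == "QUERY@IContentProvider" and bool(SENSITIVE_URI.match(args.get("uri", "")))


def monitor(events):
    """Compare a time-ordered stream of parsed call events with the preset behaviours.

    Returns one alert per detected behaviour: the app, the behaviour name, the index
    of the triggering event, and the calls or arguments that served as evidence.
    """
    state = {}   # per-app memory for the sequence rules
    alerts = []
    for i, ev in enumerate(events):
        app, call, args = ev["app"], ev["call"], ev["args"]
        s = state.setdefault(app, {"reads": [], "sms": []})
        if is_sensitive_read(call, args):
            s["reads"].append(call)
        elif call == "connect@syscall" and s["reads"]:
            # Information theft (assumed rule): sensitive data read, then a socket to the outside.
            alerts.append({"app": app, "behaviour": "information theft", "at": i,
                           "evidence": s["reads"] + [call]})
            s["reads"] = []
        elif call == "do_execv@syscall" and PRIV_ESC.search(args.get("args", "")):
            alerts.append({"app": app, "behaviour": "permission escalation", "at": i,
                           "evidence": [args["args"]]})
        elif (call == "scheduleReceiver@IApplicationThread"
              and args.get("intent") == BOOT_INTENT and app in args.get("txt", "")):
            # regex(intent, ci) AND regex(txt, ".*<pkg>.*"): the app schedules itself at boot.
            alerts.append({"app": app, "behaviour": "malicious boot load", "at": i,
                           "evidence": [args["txt"]]})
        elif call == "sendText@ISms":
            # Assumption: inContactBook(dest) is taken as "destination not among the contacts".
            if args.get("dest") not in CONTACTS:
                s["sms"].append(args["dest"])
        elif call == "finishReceiver@IActivityManager" and args.get("abort") == "true" and s["sms"]:
            # The SMS went to an unknown number and the app then aborted the broadcast.
            alerts.append({"app": app, "behaviour": "rate request", "at": i,
                           "evidence": s["sms"] + [call]})
            s["sms"] = []
    return alerts


def warn_user(alert):
    """Step 5: the warning text shown to the user for one alert."""
    return "%s: %s (evidence: %s)" % (alert["app"], alert["behaviour"], ", ".join(alert["evidence"]))


# Constructed sample of parsed events in time order, as they would arrive over the
# kernel-to-user channel; com.example.notes is a benign control.
EVENTS = [
    {"app": "com.example.wallpaper", "call": "getDeviceId@IPhoneSubInfo", "args": {}},
    {"app": "com.example.wallpaper", "call": "QUERY@IContentProvider", "args": {"uri": "content://sms/inbox"}},
    {"app": "com.example.notes", "call": "connect@syscall", "args": {"addr": "198.51.100.2:443"}},
    {"app": "com.example.wallpaper", "call": "connect@syscall", "args": {"addr": "203.0.113.7:443"}},
    {"app": "com.example.wallpaper", "call": "do_execv@syscall", "args": {"args": "/system/xbin/su"}},
    {"app": "com.example.wallpaper", "call": "scheduleReceiver@IApplicationThread",
     "args": {"intent": "android.intent.action.BOOT_COMPLETED", "txt": "com.example.wallpaper/.BootSvc"}},
    {"app": "com.example.notes", "call": "sendText@ISms", "args": {"dest": "+8613800000000"}},
    {"app": "com.example.wallpaper", "call": "sendText@ISms", "args": {"dest": "10658888"}},
    {"app": "com.example.wallpaper", "call": "finishReceiver@IActivityManager", "args": {"abort": "true"}},
]

if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(warn_user(alert))
```

The per-app state is what makes the sequence rules work: a connect from the benign application raises nothing because no sensitive read preceded it, while the same syscall from the wallpaper application closes the information-theft pattern. Each alert carries the evidence that matched, which is the "what behaviour the application actually performed" detail that step 4 promises.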

Claims (4)

1. A malicious behaviour monitoring method based on runtime verification, characterised in that the method comprises:
while the system is running, when an application is detected requesting sensitive information, intercepting in kernel space the system call that handles that information;
establishing a two-way communication link between kernel space and user space;
parsing the call data of the intercepted system call in user space to obtain parsed call data;
passing the parsed call data to a monitor, which detects in real time whether the behaviour the application is executing is malicious;
when the application behaviour is found to be malicious, issuing a warning to the user.
2. The method according to claim 1, characterised in that the method further comprises:
describing preset malicious behaviours in a preset description language to obtain description data for each preset malicious behaviour;
and wherein detecting in real time whether the behaviour the application is executing is malicious comprises:
comparing the parsed call data with the description data of each preset malicious behaviour;
if the comparison succeeds, determining that the application behaviour is malicious.
3. The method according to claim 1, characterised in that intercepting in kernel space the system call that handles the sensitive information when an application is detected requesting it comprises:
inserting kprobes into predetermined system calls;
when the system call executed by the application is detected, intercepting the system call non-intrusively with the kprobes.
4. The method according to claim 1, characterised in that establishing the two-way communication link between kernel space and user space comprises:
establishing the two-way communication link between kernel space and user space on the basis of Netlink sockets.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810313657.1A CN108595954A (en) 2018-04-10 2018-04-10 A kind of malicious act monitoring method based on run time verification


Publications (1)

Publication Number Publication Date
CN108595954A true CN108595954A (en) 2018-09-28

Family

ID=63621449


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111783081A (en) * 2020-06-08 2020-10-16 Oppo广东移动通信有限公司 Malicious process processing method, terminal device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368904A (en) * 2012-03-27 2013-10-23 百度在线网络技术(北京)有限公司 Mobile terminal, and system and method for suspicious behavior detection and judgment
CN106850582A (en) * 2017-01-05 2017-06-13 中国电子科技网络信息安全有限公司 A kind of APT Advanced threat detection methods based on instruction monitoring


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
马红素: "Design and Implementation of a Security Detection System for Applications on the Android Open Platform", China Master's Theses Full-text Database, Information Science and Technology series *


Similar Documents

Publication Publication Date Title
US8099472B2 (en) System and method for a mobile cross-platform software system
CN103279706B (en) Intercept the method and apparatus installing Android application program in the terminal
CN101714201B (en) Code signing system and method
US10867041B2 (en) Static and dynamic security analysis of apps for mobile devices
US8893222B2 (en) Security system and method for the android operating system
US8443439B2 (en) Method and system for mobile network security, related network and computer program product
RU2535175C2 (en) System and method for detecting malware by creating isolated environment
US20140013429A1 (en) Method for processing an operating application program and device for the same
US20120240235A1 (en) Methods and systems for providing a framework to test the security of computing system over a network
Eder et al. Ananas-a framework for analyzing android applications
US20110055848A1 (en) Launching an midp-based target application from a launcher application
CN103856446A (en) Login method and device, and open platform system
WO2007125422A2 (en) System and method for enforcing a security context on a downloadable
US11157618B2 (en) Context-based analysis of applications
US20150150119A1 (en) Framework for fine-grain access control from high-level application permissions
KR20110128632A (en) Method and device for detecting malicious action of application program for smartphone
CN105631312A (en) Method and system for processing rogue programs
CN111614624A (en) Risk detection method, device, system and storage medium
CN105550584A (en) RBAC based malicious program interception and processing method in Android platform
CN101448005B (en) Method, system and equipment for data security detection in gateway
CN113987468A (en) Security check method and security check device
CN104486292A (en) Enterprise-resource safety-access control method, device and system
Sohr et al. Software security aspects of Java-based mobile phones
CN108595954A (en) A kind of malicious act monitoring method based on run time verification
CN117032894A (en) Container security state detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180928