EA038038B1 - Method and system for detecting an emulated mobile operating system using methods of machine learning - Google Patents

Abstract

The invention relates to computer engineering, in particular to methods and systems for detecting an emulated mobile operating system using machine learning techniques to prevent the possibility of an application to be run or to restrict functionality of the application in an emulated environment, or to use this attribute to increase the total risk of transactions (in fraud monitoring systems) made through a mobile banking client software application. The technical result is the lower financial fraud due to high quality of analyzing transactions performed in banking applications running in the emulated operating system. Said result is achieved by a method of detecting an emulated mobile operating system using machine learning techniques, wherein data is collected on a mobile application which is installed on the user's mobile communication device; the data received at the previous step is sent from the user's mobile communication device to the server; a parser selects the obtained data containing the collected features, in accordance with the field names; the selected features are sent to a trained statistical data model located on a server having feature groups which include a group of statistical features, group of dynamic features, user metrics, file metrics, and modified metrics; a decision is made by means of the trained statistical data model of the mobile application installed on a real device or in an emulated mobile operating system.

Description

Technology area

This technical solution relates to the field of computing, and in particular to methods and systems for identifying an emulated mobile operating system using machine learning methods, in order to prevent the possibility of launching an application, or to limit the functionality of a mobile application in an emulated environment.

State of the art

Nowadays, the use of smartphones in daily life is not limited to voice calls and CMC. The ability to download and run programs, as well as mobile Internet access, have led to the emergence of a large number of mobile applications. The functionality of a modern smartphone is made up of browsers, client programs for social networks, office applications and all kinds of services that work on the Web.

At the moment, it is possible to freely launch a mobile application, for example, bank clients, on a variety of software emulators of the Android operating system. Attackers use emulated devices to commit fraudulent activities. in this case, you do not need to buy a new phone to commit another fraud attempt, it is enough to reinstall the emulator, or change a number of parameters in the configuration files.

As disclosed in articles [1, 2], there are methods for determining the emulator based on data received from equipment sensors, such as an accelerometer, gyroscope, GPS, light sensor, and gravity. The outputs of these sensors are based on information gathered from the environment, and therefore emulating them realistically is challenging. The presence of this kind of sensors is the main difference between smartphones and desktop computers. The increasing number of sensors on smartphones offers new possibilities for identifying mobile devices.

However, these technologies may not work or lead to incorrect results if the malicious part of the program code is not present in the anti-virus databases or the code contains hidden and non-obvious malicious behavior. In these cases, the hidden code can be sent to the analyst for review and decision making about the maliciousness of the program. The analyst review process provides accurate results, but it is time consuming and ineffective from this point of view.

The analysis of the prior art allows us to conclude that it is ineffective and, in some cases, it is impossible to use the prior technologies, the disadvantages of which are solved by the present invention.

The essence of the technical solution

A technical problem or a technical problem solved in this technical solution is the identification of an emulated mobile operating system using machine learning methods. The technical result achieved by solving the above problem is to improve the detection accuracy of the emulated mobile operating system using machine learning methods. An additionally manifested technical result is the prevention of the possibility of multiple execution of the first order in mobile applications. Many applications provide discounts / bonuses / points for starting to use their service for the first order of a service / product. The emulated operating system allows one person to execute the first order multiple times.

The specified technical result is achieved through the implementation of a method for identifying an emulated mobile operating system using machine learning methods, in which data is collected on a mobile application that is installed on the user's mobile communication device; sending the data obtained in the previous step from the user's mobile communication device to the server; extracts the received data by means of a parser containing the collected features, in accordance with the names of the fields; directing the selected features to a trained statistical data model located on the server, containing groups of features, which include a group of statistical features, dynamic features, custom metrics, file metrics and modified metrics; make a decision by means of a trained statistical data model, a mobile application is installed on a real device or an emulated mobile operating system.

In some embodiments of the technical solution, data collection on a mobile application is carried out in a JSON file and / or XML and / or YML and / or TXT.

In some implementations of the technical solution, the server is located in the cloud data storage or locally.

In some implementations of the technical solution, the statistical model is logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or a support vector machine.

In some implementations of the technical solution, cross-validation is used to determine the effectiveness of the statistical model.

In some embodiments of the technical solution, the parser parses the elements containing the collected features in accordance with the names of their fields.

- 1 038038

In some embodiments of the technical solution, the parser, after parsing the file, maps features into the table fields into the database.

In some implementations of the technical solution, the mapping of data into table fields into the database occurs by executing an INSERT query.

In some embodiments of the technical solution, when highlighting by means of the parser, the features are divided into static and dynamic.

In some embodiments of the technical solution, dynamic data includes readings from an accelerometer and / or gyroscope and / or a light sensor and / or a magnetic field sensor and / or a motion sensor and / or a distance sensor and / or a rotation sensor.

Each embodiment of the present technology includes at least one of the aforementioned objectives and / or objects, but all are not required. It should be borne in mind that some objects of this technology, obtained as a result of attempts to achieve the above-mentioned goal, may not meet this goal and / or may satisfy other purposes not specifically indicated here.

Additional and / or alternative characteristics, aspects and advantages of embodiments of the present technology will become apparent from the following description, accompanying drawings and the accompanying technology claims.

Brief Description of Drawings

The features and advantages of the present technical solution will become apparent from the following detailed description and the accompanying drawings, in which

FIG. 1 shows a variant of the implementation of the architecture of the detection system for an emulated mobile operating system using machine learning methods;

in fig. 2 shows the structure of an application for collecting data from a device;

in fig. 3 shows an example of coefficients for a logistic regression model;

in fig. 4 shows an example of the significance of the coefficients for a statistical model of a random forest;

in fig. 5 shows the amount of consumed battery charge depending on the used functions of the device;

in fig. 6 shows an embodiment of splitting a dataset and building a model on one piece of data;

in fig. 7 shows an embodiment of a decision tree;

in fig. 8 shows an embodiment of a system for detecting an emulated mobile operating system using machine learning methods;

in fig. 9 shows an embodiment of a system for detecting an emulated mobile operating system using machine learning methods in the form of a block diagram.

Detailed description

This technical solution can be implemented on a computer, in the form of an automated information system (AIS) or a computer-readable medium containing instructions for performing the above method. The technical solution can be implemented as a distributed computer system that can be installed on a centralized server (set of servers). In some implementations, the model can also function locally on the phone as part of a mobile application. User access to the system is possible both from the Internet and from the internal network of an enterprise / organization via a mobile communication device on which software with a corresponding graphical user interface is installed, or a personal computer with access to the web version of the system with a corresponding graphical user interface.

Below will be described the terms and concepts necessary for the implementation of this technical solution.

In this solution, the system means a computer system, a computer (electronic computing machine), CNC (numerical control), PLC (programmable logic controller), computerized control systems and any other devices capable of performing a given, clearly defined sequence of computational operations (actions, instructions ).

A command processing device means an electronic unit or an integrated circuit (microprocessor) that executes machine instructions (programs).

A command processor reads and executes machine instructions (programs) from one or more storage devices. The role of data storage devices can be, but are not limited to, hard disks (HDD), flash memory, ROM (read only memory), solid state drives (SSD), optical drives.

A program is a sequence of instructions intended for execution by a computer control device or a command processing device.

In the context of this description, unless clearly indicated otherwise, a server means a computer program running on the corresponding equipment, which is capable of receiving

- 2 038038 requests (for example, from client devices) over the network and execute these requests or initiate the execution of these requests. The hardware can be one physical computer or one physical computer system, but neither is required for this technology. In the context of this technology, the use of the expression server does not mean that each task (for example, received instructions or requests) or any specific task will be received, performed or initiated for execution by the same server (that is, by the same software and / or hardware); this means that any number of pieces of software or hardware devices may be involved in receiving / transmitting, executing or initiating the execution of any request or the consequences of any request related to a client device, and all of this software and hardware may be one server or multiple servers both are included in the expression at least one server. In the context of the present description, unless clearly indicated otherwise, a client device or a user's mobile communication device means a hardware device capable of operating with software suitable for solving the corresponding task. Thus, examples of client devices (among others) include personal computers (desktops, laptops, netbooks, etc.), smartphones, tablets, and network equipment such as routers, switches, and gateways. It will be appreciated that a device behaving like a client device in the present context may behave like a server with respect to other client devices. The use of the expression client device does not preclude the use of multiple client devices to receive / send, perform or initiate the execution of any task or request, or the consequences of any task or request, or steps of any method described above.

In the context of this description, unless clearly indicated otherwise, the term database means any structured set of data that does not depend on a particular structure, database management software, computer hardware on which the data is stored, used or otherwise made available. for use. The database may reside on the same hardware as the process that stores or uses the information stored in the database, or it may reside on separate hardware, such as a dedicated server or multiple servers.

In the context of the present description, unless clearly indicated otherwise, the term information includes any information that can be stored in a database. Thus, information includes, among others, audiovisual works (images, videos, sound recordings, presentations, etc.), data (location data, digital data, etc.), text (opinions, comments, questions , messages, etc.), documents, tables, etc.

In the context of this description, unless clearly indicated otherwise, the term component refers to software (appropriate for a specific hardware context) that is necessary and sufficient to perform the specified function (s).

In the context of this description, unless clearly indicated otherwise, the term computer-used computer storage media means absolutely any type and nature of media, including RAM, ROM, disks (CDs, DVDs, floppy disks, hard disks, etc.) ), USB flash drives, solid state drives, tape drives, etc.

In the context of the present description, unless clearly indicated otherwise, the words first, second, third, etc. are used as adjectives solely to distinguish the nouns to which they refer from each other, and not for the purpose of describing any specific connection between these nouns. So, for example, it should be borne in mind that the use of the terms first server and third server does not imply any ordering, assignment to a particular type, history, hierarchy or ranking (for example) of servers / between servers, as well as their use (by itself itself) does not imply that a certain second server must necessarily exist in a given situation.

The list of key components of the system for detecting an emulated mobile operating system using machine learning methods, presented in Fig. 8 includes the following items.

A data collector is a mobile application that is installed on an Android device and collects data as shown in FIG. 2, which represent various device metrics detailed below. In some implementations, the data obtained is divided into groups of features, which make it possible to further more accurately classify the belonging of a feature to a particular group.

The group of statistical features may include the presence of a Bluetooth module and the presence of a Vibracall module in the user's mobile communication device. A group of dynamic signs can include readings of an accelerometer, gyroscope, light sensor, linear acceleration sensor, battery level, magnetic field sensor readings, motion sensor readings, distance sensor readings, rotation sensor readings. A group of custom metrics can include characteristics such as

- 3 038038 number of SMS / MMS, number of contacts, number of calls made, number of photos (user files), browser history, etc. The group of file metrics can include, for example, the presence of a file, the presence of the network_thoughput token in the / proc / mosc file, the presence of the Off \ 0 token in the / proc / ioports file, the presence of the / proc / uid_stat file, the presence of the MINOR = 5 token in the / sys / file device / virtual / misc / cpu_dma_latency / uevent. A group of modified metrics that includes a set of different tokens in parameters, for example, the userdebug token in the Build.DISPLAY parameter, userdebug, vbox86 or remix tokens in the Build.FINGERPRINT parameter, etc.

A text parser or parser is located on the server side of the system, parses the data string and maps fields from the JSON file to the database into the database, which may contain signs, into the database fields. Any Open Source product that solves this problem, or a parser of our own design can be used as a JSON parser. Passing data using a JSON file is not the only possible and limiting implementation option. Also, for data transfer, direct queries (Insert command) in the database can be used, or data transfer can be carried out by forming and transferring XML, YML, TXT and other text file formats, without being limited. The database is located on the server side and provides long-term data storage. The database is used in the process of investigating OS mechanisms (for example, Android) to collect and store a list of all metrics that potentially indicate the presence of an emulated environment. The database stores a summary list of metrics.

The statistical model that sits on the back end can be logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or support vector machines and other machine learning algorithms. This statistical model processes and analyzes data with the subsequent formation of the output result (whether the device is an emulator or a real device). The training sample is preliminarily formed and marked. In some implementations, in addition to the training sample, a test sample is used to control the quality of training. To train the statistical model, data is collected from many real devices and many currently available emulators. Then the process of training the model takes place. For example, for a decision tree, the learning process consists in building an optimal tree by searching for features that best divide the entire sample into two classes - emulators and real devices. In a specific implementation of this technical solution, one to three questions must be answered, as shown in FIG. 7, to tell unambiguously whether an emulator or a real device is being used. As an example implementation, the following questions can be used:

is there a uid_stat file in the / proc / directory?

is there a switch file in the / sys / device / virtual / directory?

Have the gyroscope sensor values changed since the last data collection?

In the next step, the effectiveness of the resulting model is tested on various datasets. In some implementations, cross-validation is used for this, according to which the data set is broken down and a statistical model is built on one piece of data (called a training set or training sample), then the model results are validated on another part (called a test set or test sample. ). Thus, in the exemplary implementation, 20 cross-validation cycles were performed. To reduce the scatter of results, different cross-validation cycles were run on different partitions, as shown in FIG. 6. The results for each round of cross-validation are presented below. As an example of implementation, the following describes the algorithm of operation of one of the statistical models, which can be used to identify the emulated environment. The DecisionTree method is one of the most popular methods for solving classification and forecasting problems in the field of machine learning. So, in a particular embodiment, as shown in FIG. 7, the main elements of the decision tree are:

The root of the decision tree is trait f3 - the presence of the / proc / uid_stat file. The internal node of the tree or the node of the check is the f6 feature - the presence of the file / sys / device / virtual / switch. A leaf (end node of a tree) is a solution node or a vertex of an emulator, a real device. The branch of the tree (answer cases) can be Yes or No.

To form a training sample, the infrastructure is prepared, including the work of a data collector, a JSON file parser and a database. The data collector is implemented in the form of a mobile application that is installed on many real devices or in an emulated operating system and collects data on the metrics under study at a specified time interval (for example, once every 5 seconds). The parser of the JSON file and the database are installed on a separate server, which can be located both in the cloud data storage (in a specific implementation example, in MS Azure) or locally. The parser parses the elements of the JSON file containing the collected features in accordance with the names of their fields. Then there is a mapping into the fields of the same name with the JSON file in the database. The example below shows the possible contents of a JSON file, for the case of using the decision trees method, describing the 4 038038 th emulated operating system:

β: 0, f6: 0, gyroscope_value_m: 0.

The algorithm for parsing such a JSON file includes the following steps:

1) reading a JSON file;

2) search for the first token - f3 and write data to variable A;

3) searching for the second token - f6 and writing data to variable B;

4) search for the third token - gyroscope_value_m and write data to variable C.

Then the values of the variables A, B and C are mapped into the table fields in the database for long-term storage and the values of the variables are transferred to the model for analysis and decision-making. Data mapping into table fields in the database is done by executing an INSERT query.

In this technical solution for the implementation of the invention, a data set was collected that included data on 125 features collected from 631 devices (246 - emulators, 385 - real phones). After cleaning and processing the data, the most significant features were selected, which were used to train the final statistical model. The significance of a characteristic is determined based on the efficiency of the partitioning of the dataset, i.e. each of the 125 features is sequentially tested for the ability to reliably divide the generated data set into a set of data from real devices and a set of data from emulators.

Various configurations of the following emulators were used to collect data, provided as examples and not limitation: Andy OS, BlueStacks, Genymotion, KO Player, LeapDroid, MEmu, etc.

And also the following models of real mobile communication devices were used, not limited to: Samsung Galaxy S4, Samsung Galaxy A5, Motorola XT1541, Lenovo A600 Plus.

After analyzing the collected data and selecting the most significant parameters, the following metrics were identified that do not require additional modifications: the presence and availability of the Bluetooth module, the presence of a vibrating alert function, the presence of the network_thoughput token in the / proc / mosc file, the presence of the Off \ 0 token: in the file / proc / ioports, the presence of the file / proc / uid_stat, the presence of the MINOR = 5 token in the file / sys / device / virtual / misc / cpu_dma_latency / uevent, the presence of the file / sys / device / virtual / ppp, the presence of the file / sys / device / virtual / switch, the presence of the file / sys / module / alarm / parameters, the presence of the file / sys / device / system / cpu / cpuO / cpufreq, the presence of the file / sys / device / virntual / misc / android_adb, the presence of the file / proc / sys / net / ipv4 / tcp_syncookies, etc., but not limited to.

The selection of significant features occurs after the formation of the data set. The selection of significant features occurs by analyzing the collected data and selecting features that allow the most efficient division of multiple devices into real devices and emulators. The analysis consists in calculating an indicator of the efficiency of dividing a set of devices into emulators and real devices for each of 125 features sequentially. Then the possibility of modifying the attribute is assessed and the analysis is repeated in the same way. The assessment of the possibility of modifying a feature is analytical in nature and is carried out on the basis of data characteristic of a particular feature. For example, the data returned by telephonyManager.getAIICelllnfo () is a list of GSM, LTE and WCDMA tower IDs. In its original form, this data is not an effective indicator for dividing the entire data set into two groups: 1 - data from emulators, 2 - data from real devices. But after analyzing this data, namely, counting the number of each type of towers in the data from emulators and in data from real devices, it is possible to effectively divide the entire data set according to the following criterion: the presence of LTE and WCDMA towers with a high probability indicates that the data was received from real device. Based on this analytics, two modified features were generated: n_cells_lte - the number of LTE towers, n_cells_wcdma - the number of WCDMA towers in the output of the telephonyManager.getAIICelllnfo () function.

A separate group includes the readings of various sensors. Due to the low accuracy of the readings obtained from them, in the overwhelming majority of cases, the values taken with an interval of at least 5 s differ, even if the devices themselves are stationary. These differences are usually small, but they can be enough to distinguish a real device from an emulator, where the data is static until manually changed. To check the correctness of this assumption, modified signs were added, formed on the basis of readings from sensors. The attribute value for a specific sensor took the value 1 if the sensor readings changed since the last measurement, and 0 if the value did not change.

Then, based on these criteria, a re-analysis was performed for the effectiveness of dividing the entire data set into two groups - data from emulators and data from real devices. Several features have successfully partitioned the dataset and have been used in models. For example, in the above model, the decision tree successfully uses the gyroscope_value_m attribute.

Dynamic data includes readings from the following sensors: accelerometer, gyroscope, light sensor, magnetic field sensor, motion sensor, distance sensor, rotation sensor, and

- 5 038038 others.

Since any manipulations with the device's sensors imply an increased consumption of the device's battery, only static signs are used first, and then dynamic signs are added for use. For testing in a specific implementation example, five classifiers were selected: logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or a support vector machine, as well as other machine learning algorithms.

When analyzing static indicators, the dataset included 25 features listed above. Below are data for 20 iterations of cross-validation based on StratifiedKFold and the roc_auc metric (a metric that evaluates the performance of a classifier that calculates the probability of an object belonging to a positive class).

Partition number i Logistic regression Decision tree Random forest Naive Bayesian classifier Support vector machine one 1.0 0.96 1.0 0.99 1.0 2 1.0 1.0 1.0 1.0 1.0 3 1.0 0.98 1.0 0.98 1.0 4 1.0 0.99 1.0 0.99 1.0 five 1.0 0.97 1.0 0.97 1.0 6 1.0 1.0 1.0 1.0 1.0 7 0.99 0.99 1.0 0.99 1.0 eight 1.0 0.99 1.0 0.99 1.0 nine 1.0 0.99 1.0 0.99 1.0 10 1.0 0.98 1.0 0.98 1.0 AND 1.0 1.0 1.0 1.0 1.0 12 1.0 0.99 1.0 1.0 1.0 13 1.0 0.97 1.0 0.97 1.0 fourteen 0.99 0.98 1.0 0.98 1.0 fifteen 1.0 0.99 1.0 1.0 1.0 sixteen 1.0 1.0 1.0 1.0 1.0 17 0.99 0.99 1.0 0.99 1.0 18 1.0 0.98 1.0 0.98 1.0 nineteen 1.0 0.98 1.0 0.98 1.0 twenty 1.0 1.0 1.0 1.0 1.0

The table shows the performance indicators of the results of the operation of the models without using data from the sensors.

StratifiedKFold is a scikit-learn library class that allows you to split a dataset so that in the resulting datasets the ratio of the number of objects belonging to different classes (emulators and real devices) corresponds to this ratio for the original dataset.

When adding dynamic metrics to the dataset, the total number of features considered in the above manner.

increased to 35. Evaluation of models by similar

Number Logistic Wood Happening Naive Method breaking up kaya decisions ny Bayesian supporting I regression Forest th vectors classification torus one 0.99 0.98 1.0 0.98 1.0 2 0.99 0.96 1.0 0.99 1.0 3 0.99 0.98 1.0 0.98 1.0 4 0.99 0.98 1.0 0.98 1.0 five 1.0 0.99 1.0 0.99 1.0 6 0.99 0.99 1.0 1.0 1.0 7 0.99 0.99 1.0 1.0 1.0 eight 0.99 0.99 1.0 0.99 1.0 nine 0.99 0.99 1.0 0.99 1.0 10 1.0 0.99 1.0 1.0 1.0 AND 0.99 0.99 1.0 0.99 1.0 12 1.0 0.99 1.0 0.99 1.0 13 1.0 0.99 1.0 1.0 1.0 fourteen 1.0 0.95 1.0 1.0 1.0 fifteen 0.99 0.99 1.0 0.99 1.0 sixteen 1.0 0.95 1.0 1.0 1.0 17 0.99 0.99 1.0 1.0 1.0 18 1.0 0.99 1.0 0.99 1.0 nineteen 0.99 0.99 1.0 1.0 1.0 twenty 0.99 0.99 1.0 1.0 1.0

As can be seen from the data presented, the selected features made it possible to build statistical models that demonstrate close to ideal results. According to the results of the tests carried out, the best performance is demonstrated by the case of forest, support vector machine and logistic regression, reaching on the available data the probability of detecting an emulated environment close to 1. FIG. 3-4 show examples of coefficients for these models. All considered statistical models consistently demonstrate high accuracy even without using data from sensors. The latter, although they increase the accuracy of individual models, but, as a rule, require more battery power consumption of the device, which imposes its own limitations. FIG. 5 provides information on energy consumption, depending on the functions used by the user's mobile communication device. The decision-making process consists of the following steps:

data collection;

sending data to a statistical model for analysis;

the formation of the result by the model;

response to the mobile application.

After collecting data and running the parser, the corresponding fields are transferred to the statistical model, where they are analyzed. An example of the analysis process is described above using the decision tree method as an example. The result of the operation of such a model is a verdict that unambiguously determines a mobile application is launched on a real device or in an emulated operating system. The result of the statistical model can be transmitted later to the frod monitoring system for further processing, or to a mobile application to limit the functionality or the possibility of launching it. The process of transferring the result to the application can be carried out using one of the programming interfaces known in the prior art for providing data exchange between processes, for example, Socket, and / or WebSocket, and / or WCF, and / or REST, etc.

For example, an application can check the operating system for an emulated environment at the time of launch, or when certain events occur - registering a new user, changing a password, and others. The architecture of the entire system for detecting an emulated mobile operating system using machine learning methods is shown in FIG. eight.

FIG. 9 shows an example of a computing device 800 that can be used to perform functions for logical processing of the necessary data to implement the claimed method for identifying an emulated mobile operating system using machine learning methods. It should be noted that the user's computing device and server referred to herein may be one of the embodiments of computing device 800.

In general, computing device 800 includes one or more processors 801, combined by a common bus 810, memory means such as RAM 802 and ROM 803, I / O interfaces 804, I / O means 805, and means for networking 806.

The 801 processor (or multiple processors, multi-core processor) can be selected from a wide range of devices currently in use, such as Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™, and the like.

RAM 802 is a random access memory and is intended for storing machine-readable instructions executed by the processor 801 to perform the necessary operations for logical processing of data. RAM 802 typically contains executable instructions of an operating system and associated software components (applications, software modules, and the like).

ROM 803 is one or more permanent storage devices such as hard disk drive (HDD), solid state data storage device (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD-R / RW , DVD-R / RW, BlueRay Disc, MD), etc.

To organize the operation of the components of the device 800 and to organize the operation of external connected devices, various types of I / O 804 interfaces are used. The choice of the appropriate interfaces depends on the specific version of the computing device, which can be, but are not limited to: PCI, AGP, PS / 2, IrDa, FireWire , LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

Various means of 805 I / O information are used to ensure user interaction with the computing device 800, for example, a keyboard, display (monitor), touch display, touch pad, joystick, mouse manipulator, light pen, stylus, touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification (retina scanner, fingerprint scanner, voice recognition module), etc.

The networking means 806 allows the device 800 to transmit data over an internal or external computer network, such as an Intranet, Internet, LAN, and the like. As one or more means 806 can be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, etc.

Additionally, satellite navigation aids can also be used, such as GPS, GLONASS, BeiDou, Galileo, etc.

The presented application materials disclose preferred examples of the implementation of the technical solution and should not be interpreted as limiting other, particular examples of its implementation that do not go beyond the scope of the claimed legal protection, which are obvious to specialists in the relevant field of technology.

It should be appreciated that the present invention is not limited to the precise construction or implementation that has been described above and illustrated in the accompanying drawings, and various modifications and changes can be made without departing from its scope. It is intended that the scope of the present invention be limited only by the appended claims.

Sources of information used

1. Petsas T. et al. Rage against the virtual machine: hindering dynamic analysis of android malware // Proceedings of the Seventh European Workshop on System Security.

ACM, 2014. P. 5.

2. Jing Y. et al. Morpheus: automatically generating heuristics to detect Android emulators P Proceedings of the 30th Annual Computer Security Applications Conference.

ACM, 2014. P. 216-225.

Claims (11)

CLAIM 1. A method for detecting an emulated mobile operating system using machine learning methods, including the following steps: collecting data on a mobile application that is installed on the user's mobile communication device; sending the data obtained in the previous step from the user's mobile communication device to the server; the extraction of the obtained data is carried out by means of a parser containing the collected features, in accordance with the names of the fields; send the selected features to a trained statistical data model located on the server, containing groups of features, which include a group of statistical features, including the presence of a Bluetooth module and the presence of a Vibracall module (vibration alert) in the user's mobile communication device, dynamic features, including readings of an accelerometer, a gyroscope, light sensor, linear acceleration sensor, battery level, magnetic field sensor readings, motion sensor readings, distance sensor readings, rotation sensor readings, custom metrics, file metrics and modified metrics, including a set of tokens in the parameters of the user's mobile communication device; make a decision to install a mobile application on a real device or in an emulated mobile operating system using a trained statistical data model. 2. The method according to claim 1, characterized in that the collection of data on the mobile application is carried out in a JSON file and / or XML and / or YML and / or TXT. 3. The method according to claim 1, characterized in that the server is located in a cloud storage or locally. 4. The method according to claim 1, characterized in that the statistical model is logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or a support vector machine. 5. The method according to claim 1, characterized in that cross-validation is used to determine the effectiveness of the statistical model. 6. The method according to claim 1, characterized in that the parser parses the elements containing the collected features in accordance with the names of their fields. 7. The method according to claim 1, characterized in that the parser, after parsing the file, maps features into table fields into the database. 8. The method according to claim 7, characterized in that the mapping of data into table fields into the database occurs by executing an INSERT query. 9. The method according to claim 1, characterized in that during the selection by means of the parser the features are divided into static and dynamic. 10. The method according to claim 1, characterized in that the dynamic data includes readings of an accelerometer and / or a gyroscope and / or a light sensor and / or a magnetic field sensor and / or a motion sensor and / or a distance sensor, and / or or a rotation sensor. 11. A system for detecting an emulated mobile operating system using machine learning methods, comprising at least one mobile communication device of the user, on which a mobile application is installed, configured to collect data; directing the received data from the user's mobile communication device to at least one server; at least one server configured to extract the received data from the user's mobile communication device by means of a parser, - 8 038038 and the data contains the collected features, in accordance with the names of the fields; direction by the parser of the selected features into the trained statistical data model containing groups of features, which include a group of statistical features, including the presence of a Bluetooth module and the presence of a Vibracall module (vibration alert) in the user's mobile communication device, dynamic features, including readings of an accelerometer, gyroscope, light sensor, linear acceleration sensor, battery level, magnetic field sensor readings, motion sensor readings, distance sensor readings, rotation sensor readings, custom metrics, file metrics and modified metrics, including a set of tokens in the parameters of the user's mobile communication device; making a decision through a trained statistical data model to install a mobile application on a real device or an emulated mobile operating system.