JP2013174959A - Application inspection system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an application inspection system which can show a user a security risk even for an application such as a grayware.SOLUTION: A cluster extracting means 225 extracts a lowest cluster to which communication packets of an application to be inspected are allocated by using a cluster classification result 217 which stores analyzed clusters prepared by means of hierarchical clustering at a degree of similarity exhibited at a transmission destination with respect to communication packets extracted from a communication log obtained after executions of a plurality of applications; the cluster extracting means 225 counts, as a common cluster number, the number of clusters each which contains one or more lowest cluster extracted from a cluster at an arbitrary hierarchical level located between a highest level and a lowest level of analyzed cluster so as to output as an evaluation value. Evaluation means 226 makes an evaluation that a degree of influence by the application to be inspected is higher as the evaluation value output from the cluster extracting means 225 is larger. A result output means 227 outputs an evaluation result of the evaluation means 226 as an evaluation result of the application to be inspected.

Description

  The present invention relates to an application inspection system that inspects a terminal application that runs on a mobile terminal.

  A mobile terminal such as a smartphone, a mobile information terminal, or a mobile phone stores various personal information such as location information, an address book, and a schedule as well as information such as a user's telephone number and mail address. On the other hand, terminal application programs (hereinafter simply referred to as applications) for mobile terminals such as mail software, game software, and convenient tools developed by various vendors are freely installed and used by these users. Is done.

  By the way, since such an application is arbitrarily developed by various vendors, for example, when a user uses the application, an individual stored in the portable terminal without asking for the user's permission is used. There is a risk of sending information to the outside. In addition, there is a possibility that data is transmitted to the outside even when the user is not operating the portable terminal. In this way, even if there is a possibility that personal information may be transmitted in a situation unintended by the user, it is necessary to use it for the convenience of functions and services provided by the application as the main purpose. A person installs an application on a mobile terminal and uses it.

  On the other hand, service providers that provide a wide variety of applications are designed to inspect applications that are scheduled to be provided for known malware or spyware, and techniques for inspecting applications are known (for example, Patent Document 1).

  In Patent Document 1, in order to profile many programs easily and in a short time, a program is executed by a virtual operating system, an operation characteristic is found from the operation history of the program, and the type of program is, for example, “macro virus”. There have been proposed program analysis methods classified as “bot”, “P2P worm”, “spyware”, “Trojan horse”, and “non-malicious program”.

JP 2008-129707 A

  However, it has been difficult to cope with grayware by the conventional method. Here, grayware is a function that operates normally within the range approved by the user (that is, the function / service provided by the application as the main purpose), and further, the personal information in the terminal is externally output regardless of the user's intention. It is an application that is vaguely distinguished from spyware whose main purpose is collecting information. Such grayware has a number of different destinations from external transmission to receive legitimate services approved by the user and external transmission to transmit personal information in the terminal that is not intended by the user. Because it is transmitted to the outside, even if it cannot be determined that it is generally bad, some users want to treat it as an application that may be disadvantageous.

  Therefore, the present invention has an object to evaluate such grayware so that it can be shown how it may be affected in terms of security when a user operates an application on a terminal. .

  In order to solve such a problem, the present invention stores an analyzed cluster created by hierarchical clustering with a similarity of destinations for communication packets extracted from communication logs in which a plurality of applications are executed. Extract the lowest cluster in the analyzed cluster to which each communication packet extracted from the communication log executed from the storage unit and the communication log executing the inspection target application is allocated, and in any hierarchy between the highest and lowest of the analyzed cluster The number of clusters including one or more of the lowest clusters in the cluster is counted as the number of common clusters, and the cluster extraction means that uses the number of common clusters as an evaluation value; Evaluation means that evaluates as high, and the evaluation result as the evaluation result of the application to be inspected And a result output unit for outputting the output. As a result, using the results of statistically classifying multiple applications into similar application groups based on the destination, and focusing on one application to be inspected, the degree of influence is greater for applications belonging across different application groups Can be calculated high.

  In such an application inspection system, it is preferable that the cluster extraction unit counts the number of the lowest clusters extracted for the inspection target application as the lowest cluster number and adds it to the evaluation value. As a result, the degree of influence can be calculated higher for applications that appear more frequently in the application group to which they belong.

  In the application inspection system, it is preferable that the analyzed cluster is created by further performing hierarchical clustering using the similarity of the transmission contents of the communication packet. Thereby, it is possible to evaluate using the result of classifying the application to be inspected into similar application groups based not only on the transmission destination but also on the transmission content.

  According to the present invention, there is provided an application inspection system that evaluates grayware so that a security risk that can be affected in terms of security when a user operates an application on a terminal is shown. be able to.

It is a figure explaining the application test | inspection system by this invention. It is an image figure of the classification result of the application by the present invention. It is a processing flowchart which classifies a plurality of applications and generates an analyzed cluster. It is a process flowchart which produces | generates the analyzed cluster when an application is newly added. It is a process flowchart which test | inspects the application of test | inspection using the analyzed cluster.

  Hereinafter, an application inspection system according to the present invention will be described with reference to the drawings. FIG. 1 is a block diagram of an application inspection system according to the present invention. An application inspection system 1 shown in FIG. 1 is configured by connecting an application inspection server device 2, an external server 4, and a mobile terminal 5 via a network 3.

  The application inspection server apparatus 2 is an apparatus that inspects an application to be inspected, and includes a storage unit 21, a control unit 22, a communication unit 23, and a display operation unit 24. The application inspection server device 2 may be a personal computer or server that emulates a portable terminal that installs and executes an application and executes the application.

  The storage unit 21 is a storage device such as a ROM, a RAM, and a magnetic hard disk, and stores various programs and various data. The application program 211, unique information 212, communication log 213, operation log 214, cluster 215, and analyzed cluster 216 are stored. And a cluster classification result 217 storage area.

  The application program 211 is an area that stores a plurality of applications to be inspected. For example, when N applications are inspected, N applications of applications 1 to N are stored in the application program 211.

  The unique information 212 is an area for storing a plurality of unique information unique to the mobile terminal stored in the mobile terminal. The unique information includes, for example, a terminal unique number assigned to identify the mobile terminal, various terminal identification information, position information indicating the current position by latitude and longitude, address book, mail information, schedule information, and the like.

  The communication log 213 is an area for storing a communication log generated when an application to be inspected is executed.

  The operation log 214 is an area for storing an operation log generated when the inspection target application is executed. The operation log includes an operation log storing the input made by the user to the input reception of the application.

  The cluster 215 is an area for storing clusters used for clustering processing for classification evaluation described later. A communication log is extracted from the communication log 216, assigned as a cluster, and stored in the cluster 215.

  The analyzed cluster 216 is a hierarchy of clusters that have been extracted from the cluster 215 during clustering processing for classification evaluation, which will be described later, have been analyzed, and clusters that are newly created with the closest distance between other clusters. This is the area to be stored.

  The cluster classification result 217 is an area for storing the hierarchical structure of the cluster of the analyzed cluster 216 when the clustering process for classification evaluation is completed as a cluster classification result. FIG. 2 shows an output image of the cluster classification result 217. The outer end cluster is the first saved cluster assigned to the cluster 215 from the communication log. As a result of the clustering process, a single cluster is collected at the center.

  The control unit 22 is constituted by a CPU, an MPU, and the like, and processes the overall control of the application inspection server apparatus 2 according to a program, and performs communication log acquisition means 221, operation log acquisition means 222, cluster creation means 223, and intercluster distance calculation means. 224, cluster extraction means 225, evaluation means 226, and result output means 227.

  The communication log acquisition unit 221 is performed via the communication unit 23 when data is transmitted to the external server 4 during execution of each application stored in the application program 211 and when data is received from the external server 4. A transmission / reception communication log is acquired and stored in the communication log 213.

  The operation log acquisition unit 222 stores, in the operation log 214, a log of operations performed by the user during execution of each application stored in the application program 211. Further, when the application reads from the unique information 212 during the execution of each application stored in the application program 211, the operation log acquisition unit 222 stores in the operation log 214 when and what information is acquired.

  When creating a cluster, the cluster creation means 223 takes out a communication log of external transmission from the communication log storage unit, and stores the extracted communication log as a cluster in the cluster 215 of the storage unit 21. In addition, the cluster creation means 223 moves independently in the clustering process, applies hierarchical clustering to the clusters stored in the cluster 215, classifies the application, and saves the new cluster created during the classification in the cluster 215 again. At the same time, the cluster is stored in the analyzed cluster 216. Specifically, the cluster creation unit 223 calculates an inter-cluster distance between one cluster extracted from the cluster 215 while focusing on the inter-cluster distance calculation unit 224 as a processing target and another cluster stored in the cluster 215. The cluster to be processed and the cluster having the shortest distance between the clusters are collected to create a new cluster, the cluster before the grouping is deleted from the cluster 215, the new cluster is saved in the cluster 215, and the cluster before the grouping And new clusters are hierarchically stored in the analyzed cluster 216. When the clustering is completed, the contents of the analyzed cluster 216 at that time are stored in the cluster classification result 217 as the classification results of a plurality of applications.

  The inter-cluster distance calculation unit 224 calculates the distance between clusters between the designated cluster and the cluster stored in the cluster 215 in response to a request from the cluster creation unit 223. Then, the cluster having the closest intercluster distance to the designated cluster is output.

  The cluster extraction unit 225 extracts the lowest cluster belonging to the specific application designated as the inspection target from the plurality of application classification results stored in the cluster classification result 217, and sets the number of the extracted lowest clusters as the lowest. Count as the number of clusters. In addition, the number of clusters in any upper hierarchy including the extracted lowest cluster is counted as the number of common clusters. The number of common clusters is an evaluation value that can be used to evaluate whether the lowest cluster appears across different application groups in a specified arbitrary upper hierarchy. It is assumed that the highest hierarchy and the lowest hierarchy are not included in the upper hierarchy for obtaining the number of common clusters, and the upper hierarchy is designated by an arbitrary hierarchy between the highest hierarchy and the lowest hierarchy. Note that the uppermost layer is created as a single cluster, that is, since all the lowermost clusters are included, it is not a target of any upper layer.

  The evaluation unit 226 evaluates the degree of influence of the application to be inspected. For this reason, the evaluation unit 226 evaluates the degree of influence of the application to be inspected as the evaluation value increases with the number of lowest clusters output from the cluster extraction unit 225 as an evaluation value. Further, the evaluation unit 226 evaluates that the influence degree of the application to be inspected is higher as the evaluation value is larger, with the number of common clusters output from the cluster extraction unit 225 as the evaluation value. The evaluation unit 226 may use the sum of the lowest cluster number and the common cluster number as the evaluation value.

  The result output means 227 displays the degree of influence of the application to be inspected output from the evaluation means 226 on the display operation unit 24, and when it receives a request from the outside via the network 3, transmits it to the outside and outputs it. Further, by using the classification results of a plurality of applications stored in the cluster classification result 217, it is possible to identify the classification result for a specified specific application and the lowest cluster extracted by the cluster extraction means 225 in the cluster classification result 217. May be output as a state of appearance frequency.

  The communication unit 23 is an interface that communicates with the external server 4 via the network 3 and corresponds to the network to be connected.

  The display operation unit 24 is an input / output interface configured by a liquid crystal display with a touch panel and the like, and accepts screen display and confirmation operation during application execution. The display operation unit 24 may include a display device having only a display function and an input device such as an operation button.

  The network 3 is connected to the application inspection server device 2 and the external server 4 and is a network such as a wide area communication network such as the Internet or a closed area communication network. It may be a general telephone line network.

  The external server 4 is a server that provides functions and services provided by the application as a main purpose via the network 3 and a server that collects information when the application arbitrarily transmits personal information in the terminal to the outside. .

  The mobile terminal 5 is a device that is possessed by the user and in which an application is installed based on the evaluation result, and is a smartphone, a mobile information terminal, a mobile phone, or the like.

  Here, a method for calculating the distance between clusters for the communication log will be described. Clustering is performed by obtaining the similarity of HTTP packets included in the communication log and using the similarity of HTTP packets as the distance between clusters. At this time, the similarity of the HTTP packet included in the communication log is obtained from the HTTP packet transmission destination similarity and the HTTP packet transmission content similarity.

  First, the HTTP packet transmission destination similarity will be described. The HTTP packet transmission destination similarity is calculated using the similarity of the transmission destination IP address, the similarity of the Port number, and the similarity of the Host header (hereinafter simply referred to as the Host header) in the HTTP header field. The similarity of the destination IP address applies the longest match of the upper bits of the IP address, the similarity of the Port number applies whether or not the values are the same, and the similarity of the Host header indicates the edit distance indicating the distance of the character string Apply.

For example, a case where the HTTP packet transmission destination similarity of two HTTP packets P _x and P _y is obtained will be described. Here, the destination of an arbitrary HTTP packet P _n is configured as P _n = {ip _n ; port _n ; host _n } using a destination IP address ip _n , a port number port _n, and a Host header host _n. Let's say.

First, the destination IP address similarity will be described. When the destination IP address and IPv4, IP addresses ^is an address space of ^{2 32,} every 8 highest bits, the range of IP addresses. Since an IP address is assigned to a user for each certain range, in the case of the same organization or network, there is a high possibility that the upper bits are common. Therefore, in the HTTP packets P _x and P _y , the similarity between IP addresses can be obtained by obtaining the longest matching bit number from the heads of the two IP addresses ip _x and ip _y .

Next, the Port number similarity will be described. Port numbers ^is a space of ^{2 16,} part of the Port numbers are most often used is registered for a particular service. Therefore, in the HTTP packets P _x and P _y , the similarity of the Port numbers can be obtained by determining whether or not the two Port numbers port _x and port _y match.

Next, the Host header similarity will be described. The Host header is a character string composed of a host name and a domain name as FQDN. Therefore, when the edit distance is used as the distance between the arbitrary character strings, the similarity of the Host header in the HTTP packets P _x and P _y can be obtained by determining the edit distance between the two Host headers host _x and host _y .

Accordingly, when the destination IP address similarity, the Port number similarity, and the Host header similarity obtained for the HTTP packets P _x and P _y are used, for example, simple addition, HTTP packet transmission of two HTTP packets P _x and P _y is performed. The degree of similarity can be used.

  Next, HTTP packet transmission content similarity will be described. The HTTP packet transmission content similarity is calculated using the Request-Line, Cookie, and Message-Body similarity in the HTTP header field. The similarity of each element is obtained by normalized compression distance (NCD) using the Colmo golf complexity.

For example, a case will be described in which the HTTP packet transmission content similarity between two HTTP packets P _x and P _y is obtained. Here, the transmission content of an arbitrary HTTP packet P _n is as follows: Request-Line included in the HTTP packet is set to rline _n , Cookie is set to cookie _n , Message-Body is set to body _n , P _n = {rline _n ; cookie _n ; _n }.

Since Request-Line, Cookie, and Message-Body are all composed of character strings, and the values differ depending on the application or service, the distance as the amount of information is used without depending on the context of the character string, using the Colmo Golf complexity. The similarity can be obtained by using an NCD capable of obtaining. The Request-Line similarity in HTTP packets P _x and P _y can be obtained by obtaining the NCD of rline _x and rline _y . Further, the cookie similarity in the HTTP packets P _x and P _y can be obtained by obtaining NCDs of cookie _x and cookie _y . Further, the Message-Body similarity in the HTTP packets P _x and P _y can be obtained by obtaining the NCD of body _x and body _y .

Therefore, Request-Line similarity calculated for HTTP packets P _x and P _y, cookie similarity using the similarity of Message-Body, for example, when simply added, HTTP packet transmission of two HTTP packets P _x and P _y The content similarity can be set.

  Next, a clustering method will be described. A cluster is configured in units of applications or HTTP packets. In addition, since the application in the application unit is a set of HTTP packets, hierarchical clustering of HTTP packets is performed. As described above, the hierarchical clustering of HTTP packets uses the distance of HTTP packet similarity based on the HTTP packet destination similarity and the HTTP packet transmission content similarity as described above. The group average method is used for clustering.

  With reference to FIG. 3, the processing flow of the classification evaluation of the application inspection server apparatus 2 for all of the applications 1 to N stored in the application program 211 will be described. Note that the processing flow described below is controlled by a program executed by the control unit 22.

  When an instruction to start classification evaluation of a plurality of applications is received, the process starts and all the applications to be inspected are executed (step S1). At this time, the communication log acquisition unit 221 acquires the communication log of the application, and stores the acquired communication log in the communication log 213. Further, the operation log acquisition unit 222 acquires an operation log of the application, and stores the acquired operation log in the operation log 214.

  Next, the cluster creation unit 223 extracts a communication packet such as an HTTP packet from the communication log 213 (step S2). Then, the cluster creation means 223 assigns a cluster for each extracted communication packet, and stores the assigned cluster in the cluster 215 (step S3).

  The cluster creation means 223 checks the number of clusters stored in the cluster 215 (step S4), and if the number of clusters in the cluster 215 is 1 (step S4-Yes), the process proceeds to step S8. If the number of clusters in the cluster 215 is not 1 (step S4-No), one arbitrary cluster is extracted from the cluster 215 as a processing target (step S5). At this time, the number of clusters is decremented by -1 because the number of clusters is reduced by one by taking out the clusters.

  Next, the cluster creation unit 223 calls the inter-cluster distance calculation unit 224 so as to calculate the inter-cluster distance between the extracted cluster to be processed and another cluster. The intercluster distance calculation means 224 calculates the intercluster distance between the extracted cluster to be processed and all other clusters stored in the cluster 215 (step S6). When the inter-cluster distance is obtained, the cluster creation means 223 combines the extracted clusters that are closest to the processing target cluster into a single cluster as a new cluster, and the new cluster is combined into the cluster 215 and the analyzed cluster 216. Store and return to step S4 (step S7). At this time, the cluster having the shortest distance between the clusters to be processed extracted from the cluster 215 in step S5 is also extracted from the cluster 215. Therefore, the new cluster created as one unit is stored in the cluster 215. However, the number of clusters in the cluster 215 does not increase or decrease. The analyzed cluster 216 includes two clusters extracted from the cluster 216 (that is, the cluster extracted in step S5 as a processing target and the cluster having the shortest distance between the processing target cluster and the cluster in step S7). It is hierarchically stored how the extracted clusters are combined into one new cluster.

  In step S8, the cluster stored in the analyzed cluster 216 is stored in the cluster classification result 217 as a classification result of a plurality of applications, and the process ends.

  Thereby, it is possible to newly classify a plurality of applications based on the similarity between the transmission destination and the transmission content based on the communication log.

  Next, a processing flow for performing classification evaluation by adding a new application program to a plurality of applications stored in the application program 211 will be described with reference to FIG. The purpose of adding a new application is to calculate a distance from the cluster of the communication log of the new application to a cluster that has been classified by applying clustering in the process of FIG. 3 and obtain a new classification result. Therefore, processing is performed using clusters stored in the analyzed cluster 216 as classified clusters. At this time, the process is started by specifying in advance which hierarchy to add.

  First, the new application is executed, and the communication log acquisition unit 221 acquires the communication log of the new application and stores it in the communication log 213 (step S11). Then, in the cluster creation means 223, an HTTP packet is extracted from the communication log 213 from the communication log 213 (step S12), a cluster is assigned to each extracted HTTP packet, and stored in the cluster 215 (step S13).

  The cluster creation means 223 confirms the number of clusters stored in the cluster 215 (step S14), and if the number of clusters in the cluster 215 is 0 (step S14-Yes), the process proceeds to step S18. If the number of clusters in the cluster 215 is not 0 (step S14-No), one arbitrary cluster still remaining as an unprocessed cluster is extracted from the new cluster added in step S13 from the cluster 215 (step S15). At this time, one cluster is reduced and the number of clusters is -1.

  The inter-cluster distance calculation means 224 calculates the inter-cluster distance between the cluster to be processed extracted in step S15 and all the clusters of the hierarchy designated to be added stored in the analyzed cluster 216 (step S16). ).

  Next, the cluster creation means 223 collects the clusters having the closest distance between the clusters to be processed as a new cluster into one cluster, stores the new cluster in the analyzed cluster 216, and returns to step S14 (step S14). S17). At this time, in the analyzed cluster 216, where the clusters extracted in step S15 are added and combined into one cluster is hierarchically stored.

  In step S18, a new classification result is generated from the cluster of each layer stored in the analyzed cluster 216, newly stored in the cluster classification result 217, and the process ends. The result stored in the cluster classification result 217 becomes a classification result of a plurality of applications to which a new application is added.

  Thereby, a classification result can be obtained even if a new application is added to an existing classified cluster. In the processing flow of FIG. 4, clustering is performed from the distance between clusters with the cluster of the layer to be added. Therefore, when clustering is performed again including the increased number of applications as in the processing flow of FIG. 3. In comparison, the accuracy of the classification result is inferior, but the processing amount is small, which is effective when it is desired to obtain the classification result quickly.

  Next, a processing flow for extracting only the classification for the inspection target application from the classification result and outputting the result will be described with reference to FIG. This processing is performed when individual application evaluation is performed after the classification results of a plurality of applications in FIG. 3 and FIG. 4 are obtained, and when an individual evaluation result inquiry for an application scheduled to be used is answered from the mobile terminal 5 Etc. are executed.

  The lowest cluster in the hierarchical clustering can be distinguished for each application. Therefore, when the cluster extraction unit 225 extracts the lowest cluster for each application in the classification result stored in the cluster classification result 217, the appearance status in the application can be grasped. At this time, in the cluster classification result, since the classification result is obtained as an application group having a similar transmission destination and an application group having a similar transmission content, the frequency at which the same application appears in different application groups can be obtained. For all applications, find the frequency that belongs to different application groups, sort by frequency value, and relatively high frequency, that is, the application that belongs to multiple different application groups affects more like grayware It can be said that the degree is great.

  In FIG. 5, the application to be inspected and the hierarchy to be used for the evaluation value are specified, and the inspection process is started. First, the cluster extraction unit 225 initializes the value of the lowest cluster number to 0, and reads out the classification results of a plurality of applications from the cluster classification result 217 (step S21). Next, the cluster extraction means 225 selects one of the lowest clusters of the read classification results as a processing target (Step S22).

  It is determined whether the lowest cluster selected as the processing target is a cluster of the application to be inspected (step S23). If it is the cluster of the application to be inspected (step S23-Yes), the cluster to be processed is extracted, the lowest cluster number is counted up as +1 (step S24), and the process proceeds to step S25. If it is not the cluster of the application to be inspected (step S23-No), the process proceeds to step S25.

  In step S25, it is determined whether confirmation has been completed for all the lowest clusters. If the confirmation has been completed for all the lowest clusters (step S25—Yes), the cluster extraction unit 225 completes the extraction of the lowest cluster of the application to be inspected and the count of the lowest clusters. Then, an upper layer cluster including one or more lowest clusters extracted from clusters in the specified upper layer is extracted, and the number of clusters is counted as the number of common clusters (step S26). On the other hand, if the confirmation has not been completed for all the lowest clusters (step S25-No), the process returns to step S22, and the extraction of the lowest cluster of the application to be inspected and the counting of the lowest cluster number are continued.

  Next, the evaluation unit 226 evaluates the degree of influence using the lowest cluster number and the common cluster number output from the cluster extraction unit 225 as evaluation values (step S27). At this time, the greater the number of lowest clusters, the higher the degree of influence is evaluated. Further, the greater the number of common clusters, the higher the degree of influence is evaluated. Then, the result output means 227 outputs the degree of influence output by the evaluation means 226 as the evaluation result of the application to be inspected (Step S28), and the process is terminated.

  For example, when acquiring terminal information for the purpose of advertisement distribution and usage statistics with a grayware application, multiple applications in the mobile terminal may be communicating with the same server. It is possible to classify into application groups based on the similarity of and to determine the likelihood of grayware using the result. In this way, by grasping statistical trends obtained from a plurality of applications, it is possible to extract transmission intentions and uses that have not been known so far and reflect them again in the evaluation of a single application.

The present invention is not limited to the above-described embodiment, and many changes and modifications can be made. For example, when the HTTP packet is extracted from the communication packet 213 from the communication log 213 in step S2 and step S12, the operation log 214 acquired by the operation log acquisition unit 222 is also referred to, and whether or not the communication packet is due to the user's intention. Such information may be added. At this time, using the added information indicating whether or not it is due to the user's intention, the communication packet according to the user's intention is clearly identified as a classification evaluation without assigning a cluster in step S3 and step S13. It may be removed from the subject. In addition, information is stored in advance as a white list for transmission destinations of communication packets according to the user's intention even if the purpose is clear and there is no user operation, and the communication packets to be extracted are extracted in steps S2 and S12. It may be excluded. As a result, the number of clusters to be processed can be reduced, the clustering process can be performed efficiently, and the number of the lowest clusters constituting the evaluation value can be reduced.

DESCRIPTION OF SYMBOLS 1 ... Application inspection system 2 ... Application inspection server apparatus 21 ... Memory | storage part 211 ... Application program 212 ... Specific information 213 ... Communication log 214 ... Operation log 215 ... Cluster 216: Analyzed cluster 217 ... Cluster classification result 22 ... Control unit 221 ... Communication log acquisition means 222 ... Operation log acquisition means 223 ... Cluster creation means 224 ... Intercluster distance Calculation means 225 ... Cluster extraction means 226 ... Evaluation means 227 ... Result output means 23 ... Communication section 24 ... Display operation section 3 ... Network 4 ... External server 5 ... Mobile device

Claims (3)

A storage unit that stores the analyzed cluster created by hierarchical clustering with the similarity of the transmission destination with respect to the communication packet extracted from the communication log that executed a plurality of applications,
The lowest cluster in the analyzed cluster to which each communication packet extracted from the communication log executing the inspection target application is assigned is extracted, and the highest cluster is placed in a cluster of any hierarchy between the highest and lowest of the analyzed cluster. A cluster extraction unit that counts the number of clusters including one or more subordinate clusters as the number of common clusters, and uses the number of common clusters as an evaluation value;
An evaluation means for evaluating that the greater the evaluation value is, the higher the degree of influence of the application is;
A result output unit for outputting the evaluation result as an evaluation result of the inspection target application; and
An application inspection system characterized by comprising:
The application inspection system according to claim 1, wherein the cluster extraction unit counts the number of the lowest clusters extracted for the inspection target application as the lowest cluster number, and adds the counted number to the evaluation value.
3. The application inspection system according to claim 1, wherein the analyzed cluster is created by further performing hierarchical clustering using a similarity of transmission contents of communication packets.