JP5478384B2 - Application determination system and program - Google Patents

Description

  The present invention relates to an application determination system that performs determination based on the contents of processing executed by an application. The present invention also relates to a program for causing a computer to function as the application determination system.

  With the widespread use of mobile terminals that use a general-purpose OS (operating system) called an open platform, many applications for mobile terminals are sold and distributed through dedicated sites and personal sites on the communication network (Internet). . Applications for mobile terminals that use a general-purpose OS can be developed and distributed more easily than applications for mobile terminals that use an existing dedicated embedded OS.

  However, along with this, there are also applications that perform behavior that may cause the user's unintentional disadvantage, such as stealing personal information of the user, guiding to a malicious site, and taking over the administrator authority of the OS. Has appeared. Therefore, verifying the safety of an application in advance and detecting an unauthorized application is effective for realizing an environment where users can use the application with peace of mind, and providing an application with verified safety. It is also possible to differentiate from other companies, which is an important technology.

  Patent Document 1 describes a technique for preventing an unauthorized application from being executed in a terminal by performing application authentication when the application is downloaded to a terminal such as a mobile phone.

JP 2008-2521021 A

  As one of methods for determining whether or not the application of interest is an unauthorized application, a method of analyzing the behavior of the application when the application is executed can be considered. There are application logs and kernel logs as logs that record application behavior. The application log is a log in which information related to the execution condition and state of the application is recorded. The kernel log is a log in which information on system calls called by processes related to application processing is recorded.

  In the application log, the timing of starting and ending the process when the application is executed is recorded, but the processing contents of the process are not recorded. On the other hand, although the process contents of the process are recorded in the kernel log, information regarding which application process each process is associated with is not recorded. For this reason, it is difficult to know the details of the behavior of a specific application from each of the application log and the kernel log.

  The application log and the kernel log also record a large amount of information related to processes other than the process corresponding to the behavior of the application of interest. This information is redundant information when analyzing the behavior of the application. Since such redundant information is included, the analysis of the application log and the kernel log becomes inefficient.

  The present invention has been made in view of the above-described problems, and provides an application determination system and program capable of determining whether or not an application of interest is illegal based on a log in which application behavior is recorded. The purpose is to provide.

  The present invention has been made to solve the above problem, and stores a first log in which application identification information and process identification information generated during processing of the application are associated with each other. A log storage unit for storing a second log in which identification information of the process, identification information of a system call called by the process, and execution contents of the system call are associated; and storing a file in a directory A file storage unit for storing; a first extraction unit for extracting identification information of the process associated with identification information of a specific application from the first log; and the first log from the second log. A second extraction unit that extracts a part having the process identification information extracted by the extraction unit, and a part extracted by the second extraction unit. A third extraction unit that extracts the execution content of the system call associated with the identification information of the system call related to the file operation, and the execution content of the system call extracted by the third extraction unit includes the file storage An application determination system comprising: a determination unit that determines whether or not an operation for a specific directory in the unit is indicated.

  In the application determination system according to the present invention, the execution contents of the system call included in the second log are activated by a process corresponding to the process identification information by a predetermined system call that activates another process. Including the identification information of the other process, and the first extraction unit further includes an execution content of the system call associated with the identification information of the process extracted from the first log in the second log. The identification information of the other process included is extracted.

  Also, in the application determination system of the present invention, the determination unit has the highest authority as the authority relating to the use of the function or the change of the setting, with respect to the execution contents of the system call extracted by the third extraction unit. In this case, it is determined whether or not an operation for a directory that can be operated is indicated.

  In the application determination system according to the present invention, the determination unit may use a character string of the operation target directory included in the execution content of the system call extracted by the third extraction unit for use of a function or change of a setting. In the case of having the highest authority as such authority, it is determined whether or not it matches the character string of the directory that can be operated.

  In the application determination system of the present invention, the determination unit indicates an operation on the directory assigned to the specific application in the file storage unit by the execution content of the system call extracted by the third extraction unit. It is characterized by determining whether or not.

  In the application determination system according to the aspect of the invention, the determination unit may be configured such that the character string of the operation target directory included in the execution content of the system call extracted by the third extraction unit is the specific memory in the file storage unit. It is characterized by determining whether or not it matches the character string of the directory assigned to the application.

  In addition, the present invention stores a first log in which application identification information and process identification information generated during processing of the application are associated with each other, and the process identification information and the process A log storage unit for storing a second log in which identification information of the called system call and the execution contents of the system call are associated; a file storage unit for storing a file in a directory; A first extraction unit that extracts identification information of the process associated with identification information of a specific application from the log; and identification information of the process extracted by the first extraction unit from the second log. A second extraction unit that extracts the log that the user has, and a part extracted by the second extraction unit to identify system calls related to file operations. A third extraction unit that extracts the execution content of the system call associated with information, and the execution content of the system call extracted by the third extraction unit performs an operation on a specific directory in the file storage unit. It is a program for causing a computer to function as a determination unit that determines whether or not it is shown.

  According to the present invention, attention is paid by determining whether or not the execution contents of a system call called by a process generated during processing of an application indicates an operation on a specific directory in the file storage unit. It can be determined whether or not the application is illegal.

It is a block diagram which shows the structure of the application determination system by one Embodiment of this invention. It is a block diagram which shows the function structure of the portable terminal which the application determination system by one Embodiment of this invention has. It is a block diagram which shows the function structure of the log analysis apparatus which the application determination system by one Embodiment of this invention has. It is a reference figure which shows the content of the application log in one Embodiment of this invention. It is a reference figure which shows the content of the kernel log in one Embodiment of this invention. It is a block diagram which shows the function structure of the log analysis part in one Embodiment of this invention. It is a reference figure which shows the parent-child relationship of the process in one Embodiment of this invention. It is a sequence diagram which shows the procedure of operation | movement of the application determination system by one Embodiment of this invention. It is a reference figure which shows the structure of the execution file of the application in one Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the application determination system by one Embodiment of this invention. It is a reference figure which shows the content of the manifest file in one Embodiment of this invention. It is a reference figure which shows the content of the application log in one Embodiment of this invention. It is a reference figure which shows the content of the kernel log in one Embodiment of this invention. It is a reference figure which shows the content of the kernel log in one Embodiment of this invention. It is a reference figure which shows the directory structure of the file memory | storage part in one Embodiment of this invention. It is a block diagram which shows the function structure of the modification of the application determination system by one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  When an application executes a process, an authority relating to use of a function of the terminal and a change in setting is set, and the application can execute the process within the scope of the authority. For example, when the general user authority is set, various processes can be executed within the range of the general user authority. In addition, when the root authority (superuser authority), which is the highest authority (administrator authority), is set, in addition to the processing that is possible within the scope of general user authority, it is possible to change important settings in the terminal, etc. Become.

  Normally, an application is set to operate with a general user authority, and directories that can be accessed by an application with the general user authority set are limited. However, unauthorized applications can exploit OS vulnerabilities to obtain root privileges illegally, change the access privileges (permissions) set in the directory, and freely access directories on mobile devices. As a result, an illegal act such as causing a failure in the mobile terminal or leaking personal information is performed. In the present embodiment, it is determined whether or not the application of interest is an unauthorized application by analyzing the behavior of the application accessing a directory or file.

  FIG. 1 shows the configuration of an application determination system according to an embodiment of the present invention. The application determination system according to the present embodiment includes a mobile terminal 1 such as a mobile phone terminal, a mobile information terminal, and a smartphone, and a log analysis device 2 such as a PC. The portable terminal 1 and the log analysis device 2 are connected by a cable 3 such as RS232C, and the portable terminal 1 can be operated from the log analysis device 2. The application determination system according to the present embodiment is installed in, for example, a company that manages a sales site that sells applications for mobile terminals on a communication network.

  FIG. 2 shows a functional configuration of the mobile terminal 1. The portable terminal 1 includes an application 10, an application log generation unit 11, a kernel log generation unit 12, a log generation control unit 13, an operation information control unit 14, an OS 15, a file storage unit 16, an operation unit 17, a display unit 18, and a communication unit 19. And a work area W1 (log storage unit).

  The application 10, the application log generation unit 11, the kernel log generation unit 12, the log generation control unit 13, the operation information control unit 14, and the OS 15 operate on a work area W1 configured by a device such as an SRAM. These execution files (programs) are stored in the file storage unit 16, and these execution files are activated by being read from the file storage unit 16 into the work area W1. In the work area W1, in addition to processes such as the application 10, various processes not shown are also activated. These processes notify the OS 15 of the call to the system call, and the OS 15 calls the system call, so that each process performs various processes using CPU resources (not shown).

  The application 10 calls a system call for the OS 15 and receives an execution result from the OS 15. As a result, the application 10 executes various processes defined as application processes, accesses the file storage unit 16, and the like.

  The application log generation unit 11 generates an application log (first log) in which information related to the execution condition and state of the application 10 is recorded. The generated application log is held in the work area W1.

  FIG. 4 shows an example of the application log. The application log includes a time stamp 400, a process ID 410, a process ID 420, a message type 430, a message tag, and a message body 440. The time stamp 400 includes a date and time. The behavior of the application is recorded in the application log using a set of one time stamp 400, parent process ID 410, process ID 420, message type 430, message tag and message body 440 as a recording unit. In the example shown in FIG. 4, the contents of the application log for five recording units are shown.

  A process can start another process by calling a process call system call. In the following, the starting process is called a parent process, and the process started by the parent process is called a child process. When the process ID 410 and the process ID 420 are different, the process ID 410 indicates the process ID of the parent process, and the process ID 420 indicates the process ID of the child process. When the process ID 410 and the process ID 420 are the same, the recording units having these process IDs indicate the behavior of the same process.

  The kernel log generation unit 12 generates a kernel log (second log) in which information on a system call called by a process related to the processing of the application 10 is recorded. The generated kernel log is held in the work area W1.

  FIG. 5 shows an example of the kernel log. The kernel log includes a process ID 500 and a message body 510. System call information is recorded in the kernel log using a set of one process ID 500 and message body 510 as a recording unit. In the example shown in FIG. 5, the contents of the kernel log for five recording units are shown. The application log and kernel log have different process ID management systems. For this reason, for the same process, the process ID recorded in the application log and the process ID recorded in the kernel log are different.

  The log generation control unit 13 performs processing for starting the application log generation unit 11 and the kernel log generation unit 12. Further, the log generation control unit 13 performs processing for transmitting the application log and the kernel log to the log analysis device 2.

  The operation information control unit 14 performs control related to operation information input by the operator operating the log analysis device 2. Specifically, the operation information control unit 14 communicates with the log analysis device 2, receives operation information indicating the operation content input to the log analysis device 2, interprets the content of the operation information, and notifies the OS 15 of the operation information. . The OS 15 that has received the notification executes various processes. Further, the operation information control unit 14 receives a notification of the execution result of the process from the OS 15 and transmits execution result information indicating the execution result to the log analysis device 2. In the following description of the operation, description of processing related to the execution result information is omitted.

  The OS 15 controls the scheduling of processes of the application 10, the application log generation unit 11, the kernel log generation unit 12, the log generation control unit 13, and the operation information control unit 14, the allocation of the work area W1, and the like, and the file storage unit 16 The input / output of each device of the operation unit 17, the display unit 18, and the communication unit 19 is controlled.

  The file storage unit 16 is configured by a device such as a flash memory, and stores various files such as an execution file used in the mobile terminal 1. The operation unit 17 includes devices such as keys (buttons) and switches, and outputs a signal based on a result of an operation performed by the operator. The display unit 18 is configured by a device such as a liquid crystal display device, and displays a result of processing executed by the mobile terminal 1, a state of the mobile terminal 1, and the like. The communication unit 19 includes a device such as a communication module, and communicates with the log analysis device 2.

  FIG. 3 shows a functional configuration of the log analysis device 2. The log analysis device 2 includes a log analysis unit 20, an operation information control unit 21, an OS 22, a file storage unit 23, an operation unit 24, a display unit 25, and a communication unit 26.

  The log analysis unit 20, the operation information control unit 21, and the OS 22 operate on a work area W2 configured by a device such as SRAM. These execution files (programs) are stored in the file storage unit 23, and these execution files are activated by being read from the file storage unit 23 into the work area W2. In the work area W2, various processes (not shown) are started in addition to processes such as the log analysis unit 20 and the like. These processes notify the OS 22 of the call of the system call, and the OS 22 calls the system call, so that each process performs various processes using CPU resources (not shown).

  The log analysis unit 20 analyzes the application log and the kernel log received from the mobile terminal 1, and determines whether or not the application of interest is an unauthorized application.

  The operation information control unit 21 performs control related to operation information based on operation contents input by the operator operating the operation unit 24. Specifically, the operation information control unit 21 communicates with the mobile terminal 1, transmits operation information indicating the operation content input to the operation unit 24, and receives execution result information indicating an execution result. The OS 22 controls processing scheduling of the log analysis unit 20 and the operation information control unit 21, assignment of the work area W <b> 2, and the like, as well as the file storage unit 23, the operation unit 24, the display unit 25, and the communication unit 26. Control input and output.

  The file storage unit 23 is composed of a device such as a hard disk drive, and stores various files such as an execution file used in the log analysis device 2. The operation unit 24 is configured by a device such as a keyboard and a mouse, and outputs a signal based on a result of an operation performed by the operator. The display unit 25 includes a device such as a liquid crystal display device, and displays an execution result based on the execution result information, a processing result of the log analysis unit 20, and the like. The communication unit 26 includes a device such as a communication module, and communicates with the mobile terminal 1.

  FIG. 6 shows a functional configuration of the log analysis unit 20. The log analysis unit 20 includes a process ID extraction unit 20a (first extraction unit), a kernel log extraction unit 20b (second extraction unit), a file operation content extraction unit 20c (third extraction unit), a determination unit 20d, And a control unit 20e.

  The process ID extraction unit 20a extracts the process ID of the process related to the processing of the application 10 of interest from the application log. FIG. 7 shows an example of a parent-child relationship of processes. FIG. 7 shows a state in which an init process that is started first on the system starts a child process, and the child process starts its own child process as a parent process.

  As an example, the process sshd (process ID: 2005) of the process group 700 of the application 10 of interest is started by the init process, and the process sshd (process ID: 1921) and the process sshd (process ID: 8167) are started. The process sshd (process ID: 1921) and the process sshd (process ID: 8167) also start child processes. The process ID extraction unit 20a extracts the process ID of each process having a parent-child relationship for the application 10 of interest. That is, in the example shown in FIG. 7, 2005, 1921, 1931, 2333, 2345, 8167, 8323, and 10940 are extracted as process IDs.

  The kernel log extraction unit 20b extracts a part having the process ID extracted by the process ID extraction unit 20a, that is, a part related to processing of the application of interest from the kernel log. The file operation content extraction unit 20c extracts the execution content of the system call related to the file operation from the portion extracted by the kernel log extraction unit 20b. The determination unit 20d determines whether or not the execution content of the system call extracted by the file operation content extraction unit 20c indicates an operation on a specific directory in the file storage unit 16, and thereby the target application 10 is illegal. Whether or not the application is a simple application. The control unit 20e controls processing distribution to the process ID extraction unit 20a, the kernel log extraction unit 20b, the file operation content extraction unit 20c, and the determination unit 20d.

  Next, the operation of the application determination system according to the present embodiment will be described. FIG. 8 shows an operation procedure of the application determination system. Before starting the operation shown in FIG. 8, the application of interest is not installed in the mobile terminal 1, and the operation information control unit 14 is activated in the mobile terminal 1, but the application log generation unit 11, kernel log generation unit 12, The log generation control unit 13 is not activated. Further, before the operation shown in FIG. 8 is started, in the log analysis device 2, it is assumed that the operation information control unit 21 is activated but the log analysis unit 20 is not activated.

  First, in the log analysis device 2, the operator operates the operation unit 24 and inputs an instruction to activate the application log generation unit 11 and the kernel log generation unit 12. When the operation unit 24 is operated, the OS 22 notifies the operation information control unit 21 of the operation content of the operation unit 24. The operation information control unit 21 generates a log generation unit activation instruction that is operation information for activating the application log generation unit 11 and the kernel log generation unit 12 based on the notified operation content. This log generation unit activation instruction is transmitted from the communication unit 26 to the portable terminal 1 (step S100).

  In the portable terminal 1, the communication unit 19 receives a log generation unit activation instruction (step S105). The OS 15 notifies the operation information control unit 14 of a log generation unit activation instruction, and the operation information control unit 14 calls a system call for activating the log generation control unit 13 based on the log generation unit activation instruction. Notify The OS 15 activates the log generation control unit 13, and the activated log generation control unit 13 activates the application log generation unit 11 and the kernel log generation unit 12 (step S110). The activated application log generation unit 11 and kernel log generation unit 12 start generating logs.

  Subsequently, in the log analysis device 2, the operator operates the operation unit 24 and inputs an instruction to install the application to be determined. When the operation unit 24 is operated, the OS 22 notifies the operation information control unit 21 of the operation content of the operation unit 24. The operation information control unit 21 reads out the compressed file of the determination target application from the file storage unit 23 based on the notified operation content. This compressed file is transmitted from the communication unit 26 to the portable terminal 1 (step S115).

  In the portable terminal 1, the communication unit 19 receives the compressed file of the application (Step S120). Subsequently, application installation is executed, and the decompressed application execution file is stored in the file storage unit 16 (step S125).

  FIG. 9 shows the configuration of the execution file of the application. As shown in FIG. 9, an execution file 900 includes an execution code 901 including an instruction sequence, a manifest file 902 including information such as an application package name and components used by the application, a library 903 referred to when the execution code 901 is executed, And a file such as a parameter 904.

  After installing the application, the operator operates the operation unit 17 and inputs an instruction to start the application. When the operation unit 17 is operated, the OS 15 activates the application 10 (step S130). The behavior of the application 10 is recorded as an application log by the application log generation unit 11 and also recorded as a kernel log by the kernel log generation unit 12.

  Subsequently, in the log analysis device 2, the operator operates the operation unit 24 and inputs an instruction to transmit a log. When the operation unit 24 is operated, the OS 22 notifies the operation information control unit 21 of the operation content of the operation unit 24. The operation information control unit 21 generates a log transmission instruction that is operation information for transmitting a log based on the notified operation content. This log transmission instruction is transmitted from the communication unit 26 to the portable terminal 1 (step S135).

  In the portable terminal 1, the communication unit 19 receives a log transmission instruction (step S140). The OS 15 notifies the operation information control unit 14 of a log transmission instruction, and the operation information control unit 14 instructs the log generation control unit 13 to transmit a log via the OS 15 based on the log transmission instruction. The log generation control unit 13 performs processing for transmitting an application log and a kernel log. The application log and the kernel log are transmitted from the communication unit 19 to the log analysis device 2 (step S145).

  In the log analysis device 2, the communication unit 19 receives the application log and the kernel log (step S150). The received application log and kernel log are held in the work area W2. Subsequently, the operator operates the operation unit 24 and inputs an instruction to analyze the log. When the operation unit 24 is operated, the OS 22 activates the log analysis unit 20 (step S155). The log analysis unit 20 analyzes the application log and the kernel log (step S160).

  FIG. 10 shows details of the operation of the log analysis unit 20 in step S160. As described above, the file storage unit 23 stores the compressed file of the application. The process ID extraction unit 20a reads and decompresses the compressed file of the application from the file storage unit 23, and acquires a package name for identifying the application from the manifest file 902 illustrated in FIG. 9 (Step S200).

  FIG. 11 shows an example of a manifest file. A character string 1100 following “package =” indicates a package name. The process ID extraction unit 20a searches for a character string “package =” from the manifest file, and acquires a character string sandwiched between “” ”following the character string as a package name. The manifest file may be transmitted from the portable terminal 1 together with the application log and the kernel log to the log analysis device 2 and used in the log analysis device 2 for log analysis.

  Subsequently, the process ID extraction unit 20a extracts a part having a character string that matches the package name from the application log, and extracts a process ID from the extracted part (step S205). FIG. 12 shows an example of the application log. A character string 1200 following “Start Proc” indicating the start of the process indicates the package name. Further, a number 1210 following “pid =” indicates the process ID of the process started by the application 10. The process ID extraction unit 20a searches the application log for the character string “Start Proc”, and if the character string between the character string and the space between the characters matches the package name acquired in step S200, the package The character string “pid =” is searched from the part following the name, and the number following the character string is acquired as the process ID. This process ID matches the process ID in the kernel log management system.

  Subsequently, the process ID extraction unit 20a uses the process ID extracted in step S205 as the process ID of the parent process (hereinafter referred to as parent process ID), and the process ID of the child process (hereinafter referred to as child process ID) from the kernel log. ) Is extracted (step S210). In the kernel log, the parent process and the child process are also recorded in the part where the system call related to the process generation is recorded. In the present embodiment, attention is paid to fork as a system call related to process generation.

  FIG. 13 shows an example of the kernel log. In the message body of one recording unit 1300, “fork” indicating a system call related to process generation is recorded. Further, the process ID “1391” before the message body indicates the parent process ID, and the last process ID “1392” of the message body indicates the child process ID. The process ID extraction unit 20a searches the kernel log for the character string “fork”, and the parent process ID immediately before the message body including any of those character strings matches the process ID extracted in step S205. In this case, the last process ID of the message body is extracted as a child process ID. The process ID extraction unit 20a repeats the process of extracting the child process ID as described above using the extracted child process ID as the parent process ID.

  Subsequently, the kernel log extraction unit 20b extracts, from the kernel log, a portion (recording unit) in which the process ID that matches the process ID extracted in steps S205 and S210 is recorded at the head of the line (step S215). Since the process ID extracted in steps S205 and S210 is the process ID of the process related to the application 10 of interest, the portion extracted in step S215 indicates the behavior of the application 10.

  Subsequently, the file operation content extraction unit 20c extracts the execution content of the system call related to the file operation from the portion extracted in step S215 (step S220). In this embodiment, attention is focused on read, write, and open as system calls related to file operations.

  FIG. 14 shows an example of a kernel log in which “open” is recorded. In a portion 1400 corresponding to one recording unit, the process ID (695) of the process that called the system call, the system call name (open) for identifying the system call, and the execution contents of the system call are recorded. . The execution contents of the system call include the name of the directory accessed by the system call (/ data / data / xxx / yyy / zzz). The file operation content extraction unit 20c has a process ID that matches the process ID extracted in steps S205 and S210 at the head of the line, and a character string that matches any of “read”, “write”, and “open”. When there is a recording unit in the message body, the message body (or the whole recording unit) of the recording unit is extracted as the execution content of the system call.

  Subsequently, the determination unit 20d determines whether or not the application 10 of interest is an unauthorized application based on the execution contents of the system call extracted in step S220 (step S225). For this determination, an illegal file operation rule defined in advance based on a file operation performed by an unauthorized application is used. The illegal file operation rule is stored in the file storage unit 23.

  In the open platform for mobile terminals, the directory that an application can access is limited to a specific area allocated exclusively for the application. FIG. 15 shows the directory structure of the file storage unit 16. A directory having a hierarchical structure is created in the file storage unit 16. The directory D1 stores an execution file of the installed application. The directory D2 is a directory for storing data used by each application, and directories D3a to D3c having the same name as the name of each application are arranged under the directory D2.

  An application can usually access only a directory corresponding to the application and a directory under the directory. Therefore, an application that accesses a directory dedicated to another application that is different from the directory dedicated to itself is an unauthorized application.

  In FIG. 15, the area ROM is an area where important files such as the OS are stored, and access authority (permission) is set in the area ROM so that an application with general user authority cannot be accessed. ing. This access authority can be changed only when the user has root authority. A malicious application that has illegally acquired the root authority changes the access authority of the area ROM and accesses an important file in the area ROM. Therefore, an application that illegally acquires root authority and accesses the area ROM is an unauthorized application.

  The illegal file operation rule includes the name of the directory as described above that should not be accessed by each application. That is, the illegal file operation rule includes a directory name under the directory D2, which is dedicated to an application other than the application of interest, and a directory name included in the area ROM of FIG.

  The determination unit 20d compares the character string of the execution content of the system call extracted in step S220 with the character string included in the illegal file operation rule, and adds the character string of the execution content of the system call extracted in step S220. If there is a character string that matches the character string included in the illegal file operation rule, it is determined that the application of interest is an illegal application. If there is no character string that matches the character string included in the illegal file operation rule in the character string of the system call execution content extracted in step S220, the determination unit 20d determines that the application of interest is an illegal application. It is determined that it is not.

  In the above determination, an unauthorized application type may be identified based on the contents of the unauthorized file operation rule. For example, if there is a character string that matches the name of a directory dedicated to an application other than the application of interest in the character string of the system call execution content extracted in step S220, the application of interest is managed by another application. It can be identified as an information leakage type application that accesses personal information or the like. In addition, if the character string of the execution contents of the system call extracted in step S220 includes a character string that matches the name of the directory included in the area ROM in FIG. It can be identified as the type of application to be acquired. Depending on the determination result, type information indicating the type of an unauthorized application may be generated and stored in the file storage unit 23 together with the determination result.

  Next, a modification of this embodiment will be described. The mobile terminal 1 may have a log analysis function in the log analysis device 2. FIG. 16 shows a functional configuration of a mobile terminal in which a log analysis function is implemented. A mobile terminal 1a illustrated in FIG. 16 includes a log analysis unit 20 included in the log analysis device 2 illustrated in FIG. 3 in addition to the configuration of the mobile terminal 1 illustrated in FIG. After the application 10 is started, the log analysis unit 20 performs the process shown in FIG. 10 based on the application log and kernel log held in the work area W1. The manifest file is acquired from an application execution file stored in the file storage unit 16. The file storage unit 16 stores an illegal file operation rule. In step S225 of FIG. 10, the illegal file operation rule is used.

  The log analysis device 2 has a log collection function and a log analysis function, but the log collection function may be provided in a device different from the log analysis device 2. For example, a terminal having a function of collecting logs from the portable terminal 1 is prepared, and the log analysis device 2 receives the log from the terminal and performs analysis.

  Each function of the portable terminals 1 and 1a and the log analysis device 2 described above records a program for realizing the operation and function of each device on a computer-readable recording medium, and the program recorded on the recording medium. This is realized by causing the computer to read and execute the program. Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  As described above, according to the present embodiment, it is possible to determine whether or not the application of interest is illegal based on the application log and the kernel log that record the behavior of the application. In particular, since it is possible to exclude a large amount of redundant information related to processes other than the process corresponding to the behavior of the application of interest from the analysis target, it is possible to efficiently analyze the application log and kernel log. It is possible to improve the determination accuracy when determining whether or not the application to be performed is illegal.

  In addition, by extracting the child process ID associated with the parent process ID from the kernel log and using it for log analysis, the behavior of the application can be analyzed in more detail, and whether or not the application of interest is illegal It is possible to improve the determination accuracy when determining whether or not.

  Whether or not the execution content of the system call recorded in the kernel log indicates an operation on a directory (a directory in the area ROM in FIG. 15) that can be operated when the user has root authority, or file storage An application for depriving the root authority of the portable terminal or an application for leaking personal information by determining whether or not an operation on a directory (directory D3a to D3c in FIG. 15) assigned to a specific application is indicated in the unit 16 Can be detected.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. .

  DESCRIPTION OF SYMBOLS 1, 1a ... Portable terminal, 2 ... Log analysis apparatus, 3 ... Cable, 10 ... Application, 11 ... Application log production | generation part, 12 ... Kernel log production | generation part, 13 ... Log generation control unit, 14, 21 ... operation information control unit, 15, 22 ... OS, 16, 23 ... file storage unit, 17, 24 ... operation unit, 18, 25 ... Display unit 19, 26 ... Communication unit, 20 ... Log analysis unit, 20a ... Process ID extraction unit, 20b ... Kernel log extraction unit, 20c ... File operation content extraction unit, 20d ..Determining unit, 20e ... control unit, W1, W2 ... working area

Claims (7)

A first log in which the identification information of the application and the identification information of the process generated during the processing of the application are associated is stored, and the identification information of the process and the identification of the system call called by the process A log storage unit for storing a second log in which information and execution contents of the system call are associated;
A file storage unit for storing and storing files in a directory;
A first extraction unit that extracts identification information of the process associated with identification information of a specific application from the first log;
A second extraction unit that extracts a part having identification information of the process extracted by the first extraction unit from the second log;
A third extraction unit for extracting the execution contents of the system call associated with the identification information of the system call related to the file operation from the portion extracted by the second extraction unit;
A determination unit that determines whether or not the execution content of the system call extracted by the third extraction unit indicates an operation on a specific directory in the file storage unit;
An application determination system comprising: The execution content of the system call included in the second log includes the identification information of the other process started by a predetermined system call in which the process corresponding to the identification information of the process starts another process,
The first extraction unit further includes, in the second log, the identification information of the other process included in the execution content of the system call associated with the identification information of the process extracted from the first log. The application determination system according to claim 1, wherein the application determination system is extracted.   The determination unit performs an operation on a directory that can be operated when the execution content of the system call extracted by the third extraction unit has the highest authority as the authority relating to the use of the function or the change of the setting. The application determination system according to claim 1, wherein it is determined whether or not the information is indicated.   In the determination unit, the character string of the operation target directory included in the execution content of the system call extracted by the third extraction unit has the highest authority as the authority related to the use of the function or the setting change. 4. The application determination system according to claim 3, wherein it is determined whether or not the character string of the directory that can be operated matches.   The determination unit determines whether the execution content of the system call extracted by the third extraction unit indicates an operation on a directory assigned to the specific application in the file storage unit. The application determination system according to claim 1 or 2.   The determination unit includes a character string of an operation target directory included in the execution contents of the system call extracted by the third extraction unit, and a character string of a directory assigned to the specific application in the file storage unit. 6. The application determination system according to claim 5, wherein it is determined whether or not they match. A first log in which the identification information of the application and the identification information of the process generated during the processing of the application are associated is stored, and the identification information of the process and the identification of the system call called by the process A log storage unit for storing a second log in which information and execution contents of the system call are associated;
A file storage unit for storing and storing files in a directory;
A first extraction unit that extracts identification information of the process associated with identification information of a specific application from the first log;
A second extraction unit that extracts a log having identification information of the process extracted by the first extraction unit from the second log;
A third extraction unit for extracting the execution contents of the system call associated with the identification information of the system call related to the file operation from the portion extracted by the second extraction unit;
A determination unit that determines whether or not the execution content of the system call extracted by the third extraction unit indicates an operation on a specific directory in the file storage unit;
As a program to make the computer function as.

Images