KR101803889B1 - Method and apparatus for detecting malicious application based on risk - Google Patents

Abstract

According to an embodiment of the present invention, a method for detecting a malicious application comprises the following steps. A malicious application detection apparatus extracts a source code of an application. The malicious application detection apparatus generates n-dimensional coordinates according to whether first to n^th features are included in the source code. The malicious application detection apparatus calculates a degree of risk of the application with a value derived by multiplying the n-dimensional coordinates by a weighted value for each coordinate and adding the multiplied values thereafter. And the malicious application detection apparatus determines a malicious state by using the degree of risk.

Description

TECHNICAL FIELD The present invention relates to a method and an apparatus for detecting a malicious application based on a risk,

The present invention relates to a method and apparatus for detecting malicious applications based on risk. And more particularly, to a method of detecting maliciousness of a new type of mobile application according to the degree of use of an API (Application Programming Interface) or the like which is mainly used in a malicious mobile application and a device performing the method.

Apple's iPhone, launched in Korea in late 2009, and Android-based smartphones, such as Samsung's Galaxy since then, have revolutionized the world. The appearance of these smart devices and various mobile applications based on them has changed the pattern of life.

However, as mobile applications become more active and widespread, cases of malicious attacks have increased. In particular, the iPhone's iOS operating system is relatively less popular due to Apple's closed market policy, but Google's Android operating system is releasing a variety of malicious applications due to Google's open market policy.

Especially, if you look at the distribution process of malicious application in Android-based applications, repackaging method that re-distributes malicious code to existing mobile application is main. Because mobile applications have a very short life span and many new applications appear every day, repackaging methods are used to easily create and distribute malicious applications.

In other words, mobile applications have a short lifecycle because of easy installation and deletion, so malicious mobile applications also have a short life cycle. This is mainly due to the fact that malicious code is redistributed by installing malicious code in a mobile application that is normally distributed, rather than creating a new malicious code.

Although many variant malicious applications are emerging by the repackaging method, it is not efficient to analyze and respond to all of them. The malicious application of repackaging method is inefficient because it is the source code of each existing application except for the arbitrary inserted malicious code, and analyzing all of them is costly.

Therefore, there is a need for a method that can quickly and easily judge the malicious nature of a new application based on the risk calculated by quantifying the dangerous degree of the API which is mainly used in a malicious mobile application distributed by a repackaging method.

KR 10-2004-0056998 A "Apparatus and method for detecting malicious code by risk assessment" (2004.07.01)

The present invention provides a method for detecting a malicious mobile application based on a risk and an apparatus for performing the method.

The technical problems of the present invention are not limited to the above-mentioned technical problems, and other technical problems which are not mentioned can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a malicious application detection method comprising: extracting a source code of an application; Generating the n-dimensional coordinates according to whether or not the malicious application detection apparatus includes the first feature to the n-th feature in the source code; The malicious application detection device calculating the risk of the application by multiplying the n-dimensional coordinates by a weight for each coordinate, And determining whether the malicious application detection apparatus is malicious based on the risk.

In one embodiment, extracting the source code may include decompiling or disassembling the application to extract the source code.

In another embodiment, the first to n-th features are API or system commands selected in advance through a learning process for a normal application and a malicious application.

In yet another embodiment, the weights for each coordinate are values previously determined for normal applications and malicious applications using genetic algorithms.

In another embodiment, the step of calculating the risk may include scaling the n-dimensional coordinates by multiplying the weights by the respective coordinates, and adding the sum to a range of 0 to 100.

In yet another embodiment, the step of determining whether the malicious object is malicious may include determining whether the malicious object is malicious by comparing the risk with a preset threshold value.

According to another aspect of the present invention, there is provided an apparatus for detecting a malicious application, the apparatus comprising: a network interface; One or more processors; A memory for loading a computer program executed by the processor; And a storage for storing an application, the computer program comprising: an operation of extracting a source code of the application; Generating an n-dimensional coordinate according to whether the source code includes the first feature to the n-th feature; An operation of calculating the risk of the application by multiplying the n-dimensional coordinates by a weight for each coordinate; And an operation of determining whether the malicious result is obtained using the risk level.

According to the malicious detection method of the present invention, maliciousness of a new application can be determined by quickly responding to an action of distributing various variant malicious applications by a repackaging method. This protects the privacy of application users and minimizes the impact of malicious applications.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood to those of ordinary skill in the art from the following description.

1 is a flowchart of a risk-based malicious application detection method according to an embodiment of the present invention.
2 is a diagram for explaining a risk-based malicious application detection method according to an embodiment of the present invention.
FIGS. 3 to 5 are views for explaining a process of selecting features that can be used in an embodiment of the present invention.
6A to 6E are diagrams for explaining a genetic algorithm that can be used in an embodiment of the present invention.
7 is a hardware block diagram of a risk-based malicious application detection apparatus according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Is provided to fully convey the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

Unless defined otherwise, all terms (including technical and scientific terms) used herein may be used in a sense that is commonly understood by one of ordinary skill in the art to which this invention belongs. Also, commonly used predefined terms are not ideally or excessively interpreted unless explicitly defined otherwise. The terminology used herein is for the purpose of illustrating embodiments and is not intended to be limiting of the present invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification.

It is noted that the terms "comprises" and / or "comprising" used in the specification are intended to be inclusive in a manner similar to the components, steps, operations, and / Or additions.

Hereinafter, the present invention will be described in more detail with reference to the accompanying drawings.

1 is a flowchart of a risk-based malicious application detection method according to an embodiment of the present invention.

Referring to FIG. 1, an application is first collected (S1100). The application to be collected here is a new application to be analyzed. Except for applications that have already been collected and judged to be malicious / benign, new applications are collected through the official market, private market, online, etc.

Next, a certificate of the collected application is extracted (S1200). For Android-based applications, it is required to sign when creating and distributing apk. At this point, you must sign the application using the certificate. For more information about signing applications, visit https://developer.android.com/studio/publish/app-signing.html Google's developer information site.

A blacklist or whitelist can be applied to the extracted certificate. In other words, the certificate that signed the application on Android is a tool to author and distribute the application.

FIG. 1 illustrates a case where a white list is applied. If the certificate extracted from the new application is a certificate already registered in the whitelist (S1300), the new application is determined to be a normal application because it is an application distributed by the authenticated user (S1900), and a process of detecting whether the new application is malicious Lt; / RTI >

If the certificate extracted from the new application is not a certificate registered in the whitelist, the new application may be determined to be a suspicious application that may be a malicious application, and the process of detecting whether the new application is malicious may be continued.

Although not shown in Fig. 1, this is similar to the case of the black list. For example, if the certificate extracted from the new application is a certificate already registered in the black list, it is determined that the new application is a malicious application because it is an application distributed by the user who has been distributing the malicious application (S1800) End the detection process.

If the certificate extracted from the new application is not a certificate registered in the black list, the new application may be determined as a suspicious application which may be a malicious application, and the process of detecting whether the new application is malicious may be continued.

If the certificate extracted from the new application is neither in the black list nor in the whitelist, the malicious application or normal application is not yet determined. Therefore, additional analysis is required because it is in a suspicious state. For further analysis, you need to extract the source code from the new application.

Next, the source code of the suspicious new application is extracted. The source code of the apk file, which is the installation file of the Android application, can be extracted by decompiling and disassembling. For the JAVA language, convert the source code to binary form for use by the JVM. You can get the source code with the original java extension by using binary with class extension JAD (JAVA Decompiler).

After extracting the source code, the degree of similarity with the source code of the application that has been determined to be malicious has been calculated (S1400). Malicious applications deployed by repackaging methods are often spread by injecting malicious code, so most of the methods are reused as they are.

Therefore, to speed up comparisons, you can sort the method names, extract unnecessary libraries, extract the binaries on a method basis, extract the hash values based on the method, extract malicious application-based binaries, Extracts the values, compares them, and calculates the similarity.

The similarity calculated by the method of the new application and the method determined based on the existing malicious application is compared with a preset threshold value in step S1500. If the threshold is equal to or greater than the threshold value, the new application is determined to be a malicious application in step S1800. And terminates the process of detecting whether or not it is detected.

If the degree of similarity between the new application and the application determined to be a malicious application is smaller than a predetermined threshold value, the process can still continue as a suspicious condition and detect the maliciousness of the new application.

At this time, it is possible to judge whether the new application is malicious by various methods. For example, an apk file of a suspicious new application may be loaded from an Android emulator, the new application may be executed to monitor what action is performed, and the malicious result may be determined according to the result. This analysis is often called dynamic analysis.

Or the API used in the source code extracted from the suspicious new application, and judges that the new application is malicious if it is similar to the pattern of the API used mainly in the malicious application. Such an analysis is often called static analysis.

Dynamic analysis is an advantageous method when it is difficult to extract the source code of the application to be analyzed. However, static analysis is more suitable for Android based applications because it is easy to extract source code through decompilation.

In addition, dynamic analysis requires a lot of time and load to run the emulator and monitor its operation. In this regard, many applications are pouring in a day, and it is inefficient to detect variant malicious applications through dynamic analysis.

From this point of view, we will apply the static analysis method to judge the maliciousness through the analysis of the source code. To do so, the API is extracted from the source code of the new application, and the risk is calculated by comparing with the API extracted from the source code of the malicious application (S1600).

The risk calculated by the API of the new application and the application determined to be malicious in the past is compared with a preset threshold value in step S1700. If the threshold is greater than the threshold value, the new application is determined to be a malicious application in step S1800. And terminates the process of detecting whether or not it is detected.

If the risk level of the new application is smaller than the predetermined threshold value, the new application is determined to be a normal application (S1900), and the process of detecting the maliciousness of the new application can be continued. Through this process, it is possible to finally detect the maliciousness of a new application.

Referring to FIG. 1, it is possible to perform a first inspection using a black list and a whitelist, a second inspection using a similarity with an application judged to be malicious, and an operation using an API used in a malicious application A third level of risk-based inspection can ultimately determine whether a new application is malicious.

2 is a diagram for explaining a risk-based malicious application detection method according to an embodiment of the present invention.

Referring to FIG. 2, the process of calculating the risk of the third inspection described above with reference to FIG. 1 can be described in detail. In the present invention, a genetic algorithm is used to calculate the risk. In order to do this, it is necessary to perform a learning process using an application determined to be malicious in advance. Detects the malicious nature of the new application in real time using the model created in the learning process.

In FIG. 2, the layout processing area on the left side shows a learning process, and the right-side real-time processing area shows a process of determining whether a new application is malicious. First, looking at the batch processing area, the malicious behavior is characterized in the malicious application.

Here, the characteristics of malicious behavior include, for example, an attempt to access the device's contact information, an attempt to access the device's SMS, an attempt to access the location information of the device, and an attempt to execute the system commands of the Android operating system. Of course, these behaviors are not always linked to malicious behavior, so it is necessary to use them to learn.

The process of learning malicious behavior feature is learning using genetic algorithm. A genetic algorithm is a global optimization technique developed by John Holland in 1975 as a computational model based on the natural world evolution process, and is one of the techniques for solving optimization problems. As a representative technique of evolutionary computation that mimics the evolution of living things, it has borrowed a lot from the process of actual evolution, and there are variations (mutation) and mating operations. Also, terms such as generation, population, etc. are used in the course of problem solving.

Genetic algorithms have basic theories of natural biogenesis, parallel and global search algorithms, Darwin's theory of survival of the fittest. Genetic algorithms produce increasingly better solutions by expressing possible solutions to the problem that they want to solve in a given form of data structure and gradually transforming them. Here, the data structure representing the solutions can be expressed as evolution, the process of creating a better solution by transforming genes.

In other words, a genetic algorithm can be said to be a simulated evolutionary search algorithm to find a solution x that optimizes some unknown function Y = f (x). Genetic algorithms can be applied to all problems that can be expressed by replacing the problem with a form that can be used by the genetic algorithm rather than an approach to solving a problem rather than an algorithm for solving a specific problem.

In general, if the problem is too complex to be computed, the genetic algorithm can be used as a method to obtain a solution close to the optimal solution even if the actual optimal solution is not obtained. In this case, it does not perform better than the algorithm that is optimized to solve the problem, but it can show the most acceptable level of harm.

Evolutionary strategies, genetic programming, and many other types of theories and techniques have recently been actively researched as algorithms that mimic such evolutionary processes, ie natural selection and genetic rules. Genetic algorithms are the most basic and representative of these algorithms and are widely applied to solve complex problems that are non-linear or non-computable in natural science / engineering and humanities and social sciences.

This genetic algorithm is used to determine the suitability of malicious behavior weights. This allows you to determine the weight value of each action that better distinguishes between actual malicious and general applications. For example, you can define 35 behaviors in advance and record 1 or 0 for each action depending on whether the action is in the source code or not. Then a feature vector of size 35 is obtained for each application.

We can obtain a constant value by adding weights for each coordinate to the 35-dimension vector thus obtained. We refer to this as a risk and weights can be determined through genetic algorithm learning to calculate this risk.

For convenience of comparison, it is assumed that the risk is scaled to have a value from -1 to 1. If the risk has a value of -1, it can be judged to be negative. That is, if the risk has a value of -1, it is a normal application. Conversely, if the risk has a value of 1, it can be judged positive. That is, if the risk has a value of 1, it is a malicious application.

By applying the genetic algorithm to learning data that has been judged to be a malicious application or a normal application in the past, optimum weighting is determined while repeating substitution, selection, intersection, and mutation processes. More information on genetic algorithms can be found at https://en.wikipedia.org/wiki/Genetic_algorithm.

Returning to FIG. 2, a genetic algorithm is used to generate a weight for each characteristic of malicious behavior, and a threshold value for maliciousness is generated. We explained the genetic algorithms and set the values as 0 and 1 according to whether the corresponding API appears in the source code for each feature, multiply the weights by 35 for each characteristic, and add the value as the risk.

In this case, for the convenience of judgment, when the risk is scaled from -1 to 1, the specific value among the values between -1 and 1 is set as a threshold value for judging maliciousness. For example, if the risk score obtained by adding the weights of each coordinate to feature coordinates is greater than 0.5, it is judged to be malicious.

To do this, weigh the values so that the risk is a normal or malicious application. That is, a weight value should be set to have a value close to -1 for an application determined to be normal so as to have a value close to 1 for an application determined to be malicious.

After determining the weights and the thresholds for judging whether the malicious result is malicious or not, it is possible to utilize the threshold values to determine whether maliciousness of a new application is actually occurring. That is, as a result of the weight and the threshold being learned through learning, it can be stored in the mobile malicious application database.

The weights and threshold values stored in the mobile malicious application database are provided in the process of determining whether the new application is malicious in the real-time processing area. Referring to the real-time processing area in FIG. 2, first, an apk file of a new application is collected.

Next, although not shown in FIG. 2, the first application using the black list and the whitelist is performed for the application, and if there is a suspicion even after the first inspection, the method similarity with the malicious application is obtained to determine whether the application is malicious Perform a secondary inspection and, if suspicious after the secondary inspection, perform a third inspection to determine the risk.

In the process of obtaining the risk, a 35-dimensional feature vector having values of 0 and 1 is obtained according to whether a specific API is included in the source code of a new application, and the risk is calculated by multiplying each coordinate by a weight. It is determined whether or not the new application is malicious.

2, the size of the feature vector has been described in terms of 35 dimensions. However, this is for the purpose of understanding the invention only, and is not intended to limit the invention. Therefore, the size of the feature vector may have various dimensions. In this case, a list of APIs which can be used as each coordinate of the feature vector is as shown in Table 1 below.

API analysis role Malicious sendTextMessage Spreading of smsing message / transmission of acquisition information Send message height getMessageBody Text message takeover Acquiring Message Content lowness getOriginatingAddress Odd number calling Get Caller ID height createFormPDU Malicious character generation / Raw character deception Raw PDU conversion height aboardBroadcast Forced termination of character receiving broadcast Sequential forward broadcast termination height setRingerMode Hiding the text message Tone ring mode height setComponetEnable
Setting Hide the smsing app icon Switching package components state height Android.app.action
ADD_DEVICE_ADMIN Limit / intercept removal of smsing apps Administrator mode (system app) registration height ContactsContract
$ contacts Take the user's address book Address Book Management Provider lowness lockNow Presence conceal / force lock Switch lock screen height wipeData Delete smsing app evidence Delete user data height getLatitude Takeover of user location information Latitude lowness getLongitude Takeover of user location information Hardness lowness getLastKnownLocation Takeover of user location information Last user saved lowness getAccounts Takeover of user account information Provide full account information on device lowness

Table 1 shows a list of APIs commonly used in malicious applications among Android common APIs and their risks. The feature vectors can be extracted based on whether or not such APIs are present in the source code of the new application. In addition to these common Android APIs, external commands such as Table 2 can also be used to extract feature vectors.

command analysis role Malicious killProcess Force application termination Not applicable lowness getAsciiBytes String conversion Not applicable lowness shell Execute shell command Not applicable height copyClassDex Copy externally executed binary files Not applicable lowness copyFile Copy tool executable Not applicable height copyLib Obfuscation / malicious library copy Not applicable height Chmod Grant permission to run malicious files File Permission Change Tool lowness

As shown in Table 2, even if the source code of the new application includes an external command in addition to the Android common API, it may be a malicious application. Therefore, it is possible to generate feature vectors by checking whether these APIs or commands are included in the source code.

FIGS. 3 to 5 are views for explaining a process of selecting features that can be used in an embodiment of the present invention.

Table 1 and Table 2 describe the analysis of features based on APIs and commands. At this time, it is important to select which API and instruction. For example, if the malicious application or the normal application among the Android common APIs is used without any difference, the corresponding API will not be used to calculate the feature vector.

Therefore, it is important to decide which API to use and which instruction to use to analyze the feature. To do this, it is necessary to analyze patterns of APIs and commands that are used in malicious applications and malicious applications. This is a process performed in the batch processing area described above with reference to FIG.

For example, Table 3 shows the characteristic behaviors that are mainly used for 1138 malicious applications and 1009 normal applications.

type Act normal malignity Device Information getDeviceID 736 867 getSubscriberID 54 632 getNetworkOperatorName 382 628 getNetworkOperator 692 672 getNwtworkContryISO 264 323 getSimSerialNumber 140 730 getLine1Number 292 1052 getAccounts 290 7 getSimContryISO 182 283 getSimOperator 285 367 getSimState 151 296 SMS / MMS sendTestMessage 46 505 sendDataMessage One 0 getMessageBody 54 841 getOriginatingAddress 32 790 getTimestampMillis 345 350 createFromPDU 85 897 aboutBroadcast 35 886 getDisplayMessageBody 48 58 getDisplayOriginaltingAddress 23 107 Location Information getLattitude 776 76 getLongitude 776 76 getLastKnownLocation 414 46 Contact ContactsContract $ Contracts 248 563 Transmission Through setEntity 766 745 isConnected 841 524 Administrator Android.app.action.ADD_DEVICE_ADMIN 7 800 Telepony setRingerMode 25 774 onCallSatateChanged 108 282 setResultData 21 90 Record setOutPutFile 58 79 Icon Hinding setComponentEnabledSetting 76 920 XML Parsing getSharedPreferences 983 1019 putString 935 996 Screen Lock lockNow 5 152 Factory Reset wipeData 4 13 Process Exit killProcess 268 6 Certificates NPKI 20 496

As you can see in Table 3, you can see how many different types of APIs and commands appear in normal and malicious applications. If a particular API appears only in a malicious application, the risk is high if the new application includes many of these APIs. That is, it can be determined that the possibility of the malicious application is high.

On the other hand, if a particular API appears only in a normal application, the risk is low when a new application includes a large number of such APIs. That is, it can be determined that there is a high possibility that the application is a normal application. The frequency of occurrence of a specific API in a malicious application and the frequency of appearance in a normal application are shown in FIGS. 3 to 5.

Referring to FIG. 3, a normal application refers to an application that is produced and distributed by Google, and a malicious application refers to a smashing application that takes a user's personal information. In each application, about 11 APIs related to terminal information from getDeviceID to getSimState are used, and APIs used mainly in normal applications and malicious applications can be identified.

Similarly, referring to FIG. 4, it can be seen that approximately eight APIs related to SMS / MMS are graphically visualized in frequency of use in malicious applications and normal applications. Also, referring to FIG. 5, a graph of frequency of use for the remaining types of Table 3 can be seen. Let's take a look at the case of selecting the feature behaviors and learning the weights by the genetic algorithm for each feature action.

6A to 6E are diagrams for explaining a genetic algorithm that can be used in an embodiment of the present invention.

Referring to FIG. 6A, a screen displaying lines 246 to 252 can be seen. If you look at line 246, you can see that the first value is 1, after that 0 and 1 are displayed up to 40 digits. The first value indicates whether the application is malicious or not, which is a malicious application because it has a value of 1, as described above.

Then 40 digits are marked with 0 and 1 depending on whether 40 APIs and commands selected by the feature are included in the source code of the malicious application. In this way, learning data based on real malicious applications and actual normal applications up to line 252 is prepared.

Referring to FIG. 6A, lines 246 to 249 are malicious applications, and line 250 to line 252 are normal applications. FIG. 6A shows a part of data of a real malicious application prepared for learning and an actual normal application, and it is helpful to set more accurate weights as the number of learning data increases.

FIG. 6B shows an experiment result in the case where the weight values in the following Table 4 determined by the genetic algorithm are applied to the learning data in FIG. 6A.

turn Characteristic weight One getMessageBody 2.000703 2 getOriginatingAddress -1.2143 3 createFromPDU 1.335572 4 abortBroadcast 1.132763 5 setRingerMode 1.00092 6 setComponentEnabledSetting 0.680461 7 Android.app.action.ADD_DEVICE_ADMIN 0.691742 8 ContactsContract% Contacts 1.383585 9 NPKI -0.37357 10 lockNow 0.95864 11 wipeData 0.588097 12 getLatitude 0.562591 13 getLongitude -0.59751 14 getLastKnownLocation -1.22455 15 getAccounts -1.01545 16 killProcess -1.56521 17 getAsciiBytes -1.83888 18 classes.dex -0.95635 19 shell 0.8809 20 copyClassDex 0.910162 21 copyFile -1.57676 22 copyLib 1.718544 23 chmod 1.030479 24 shield -0.44892 25 assets -0.17721 26 classloader -1.10432 27 ... ...

As a result of performing weighted learning using the genetic algorithm and performing the learning using the set weights, 323 cases were actually malignant, but 6 cases were judged to be malignant. Likewise, the number of cases judged to be malicious by the general public is 5, and the number of cases judged to be general is 331.

FIG. 6C is a graphical representation of the process of determining the threshold value in the situation of FIG. 6B. Using the weights in Table 4, the risk was calculated to have a maximum value of 18.1958 and a minimum value of -10.5051. In this case, for the sake of judgment, it is most preferable to determine the threshold value to judge whether malicious or general is 37 when the risk is scaled from 0 to 100.

That is, if the risk is scaled to a value from 0 to 100 and the risk of scaling exceeds 37, it is judged to be malicious. Through the learning process, we can determine the weight for calculating the risk and the threshold value for judging whether or not it is malicious. Such a learning process can be performed repeatedly.

6D to 6E show statistical indices such as a false positive rate by calculating a risk value and setting a threshold value under different weights. In this way, it is possible to quickly detect variant malicious applications distributed through repackaging method, by applying the process to the process of determining the optimal weight and threshold value through the iterative learning and determining whether the new application is malicious.

7 is a hardware block diagram of a risk-based malicious application detection apparatus according to an embodiment of the present invention.

Referring to FIG. 7, the risk-based malicious application detection device 10 may include one or more processors 510, memory 520, storage 560, and interface 570. The processor 510, the memory 520, the storage 560, and the interface 570 transmit and receive data via the system bus 550.

The processor 510 executes a computer program loaded into the memory 520 and the memory 520 loads the computer program from the storage 560. [ The computer program may include a source code extraction operation 521, a risk computing operation 523, and a maliciousness determination operation 525.

The source code extraction operation 521 collects new applications through the interface 570 through the official market, the black market, the SNS, a private bulletin board, or the like, to be judged as malicious. The collected applications are stored in the apk file 561 of the storage 560 via the system bus 550.

Next, the source code extraction operation 521 extracts the source code from the apk file 561 through decompilation and disassembly. The extracted source code is stored in the source code 563 of the storage 560 via the system bus 550.

The risk computing operation 523 examines whether the source code 563 of the storage 560 includes an API or a command that is characteristic. For example, if 40 APIs or commands are selected in advance, 40-dimensional coordinates having values of 0 and 1 can be obtained depending on whether 40 APIs or commands are included.

The obtained feature or feature vector is multiplied by a weight for each coordinate to calculate the risk. The weights to be multiplied by each feature coordinate are stored in the malicious code API pattern 567 of the storage. The weights to be multiplied by the numerical values indicating the types of the APIs and the commands and the presence or absence of the respective APIs and commands are selected and determined in advance through learning. The risk obtained using the feature API of the new application is then stored in the similarity 565 of the storage 560 via the system bus 550.

The malicious nature determination application 525 determines that the collected new application is malicious when the risk level 565 of the storage 560 is equal to or greater than a preset threshold value. Here, the threshold value can be set through learning using an application that has previously been determined to be malicious.

Each component in FIG. 7 may refer to software or hardware such as an FPGA (Field Programmable Gate Array) or an ASIC (Application-Specific Integrated Circuit). However, the components are not limited to software or hardware, and may be configured to be addressable storage media, and configured to execute one or more processors. The functions provided in the components may be implemented by a more detailed component, or may be implemented by a single component that performs a specific function by combining a plurality of components.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, You will understand. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive.

Claims (7)

The malicious application detection device extracting a source code of a new application;
The malicious application detection device extracts a method from the source code and compares the first binary corresponding to the method with the second binary corresponding to the method included in the application classified as malicious, step;
The malicious application detection device calculating a risk for the new application when the similarity is less than a predetermined threshold value; And
Wherein the malicious application detection device includes a step of determining whether the new application is malicious using the risk,
The step of calculating the risk includes:
Based on the features included in the first learning target application classified as malicious, generates n-dimensional first learning target feature vectors tagged with maliciousness, and based on the features included in the second classified learning application, A second step of generating an n-dimensional second learning target feature vector tagged with the first learning target feature vector;
A second step of performing learning on the first learning object feature vector and the second learning object feature vector using a genetic algorithm and updating a weight for each feature through the learning;
Repeating the first step and the second step to determine a feature weight for each feature constituting the n-dimensional feature vector;
Generating an n-dimensional detection target feature vector based on whether each of the first to n-th features is included in the source code of the new application; And
Calculating a risk of the new application through a weighted sum of values of each element constituting the feature vector to be detected and the weights of the determined features;
How to detect malicious applications. The method according to claim 1,
The step of extracting the source code includes:
And decompiling or disassembling the new application to extract the source code.
How to detect malicious applications. The method according to claim 1,
The first to n < th >
Wherein the first instruction is an API or a system instruction selected from features included in the first learning target application and features included in the second learning target application on the basis of an appearance frequency,
How to detect malicious applications. delete The method according to claim 1,
The step of calculating the risk comprises:
And scaling the values calculated by summing the weights of the respective features constituting the feature vector to be detected and the weights of the determined features to fall within a range of 0 to 100,
How to detect malicious applications. The method according to claim 1,
Wherein the step of determining whether the malicious result is malicious or not,
And comparing the risk with a preset threshold value to determine whether or not the risk is malicious.
How to detect malicious applications. Network interface;
One or more processors;
A memory for loading a computer program executed by the processor; And
Including storage for storing new applications,
The computer program comprising:
An operation of extracting a source code of the new application;
Extracting a method from the source code, comparing the first binary corresponding to the method and the second binary corresponding to the method included in the application classified as malicious, in a method unit, and calculating the similarity;
Computing a risk for the new application if the similarity is less than a predetermined threshold; And
And an operation of determining whether the new application is malicious using the risk,
The operation for calculating the above-
Based on the features included in the first learning target application classified as malicious, generates n-dimensional first learning target feature vectors tagged with maliciousness, and based on the features included in the second classified learning application, A first operation for generating an n-dimensional second learning-target feature vector tagged with the first training feature vector;
A second operation that performs learning on the first learning object feature vector and the second learning object feature vector using a genetic algorithm and updates a weight for each feature through the learning;
An operation of repeating the first operation and the second operation to determine a feature weight for each feature constituting the n-dimensional feature vector;
Generating an n-dimensional feature vector to be detected based on whether each of the first to n-th features is included in the source code of the new application; And
And calculating the risk of the new application through a weighted sum of a value of each element constituting the feature vector to be detected and a weight value of the determined feature,
Malicious application detection device.

Images