WO2014048195A1 - Android software malicious behavior detection method, system and device - Google Patents


Info

Publication number
WO2014048195A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
malicious
unit
behavior
feature information
Prior art date
Application number
PCT/CN2013/082163
Other languages
French (fr)
Chinese (zh)
Inventor
巫妍
程绍银
蒋凡
Original Assignee
中兴通讯股份有限公司
中国科学技术大学
Priority date
Filing date
Publication date


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Definitions

  • The present invention relates to communication technologies, and in particular to a method, system and device for detecting malicious behavior of Android software.

Background technique

  • Mobile terminals generally adopt the Android system, but the software distribution channels for Android are diverse and lack effective supervision. Users easily install malware, which results in malicious consumption of the user's fees and malicious deletion of personal information, and degrades the user experience.
  • Malware detection methods in the related art include: detection by virus scanning and killing; and dynamic real-time monitoring of the running software and its interaction with the external environment to determine whether the software is malware.
  • The above method of detecting malware by virus scanning depends on virus signatures, and newly released software requires manual analysis to extract its signature, so the detection result lags by a certain period; the dynamic real-time detection method depends on a specific trigger condition, so if the malicious behavior hidden in the software is triggered by a complicated condition, it may not be determined for a long time whether the software is malware.

Summary of the invention

  • The embodiments of the present invention provide a method, system and device for detecting malicious behavior of Android software, which can determine whether malicious behavior is hidden in the software to be detected without a virus signature and without being limited by the trigger conditions of the malicious behavior.
  • An embodiment of the present invention provides a method for detecting malicious behavior of Android software, the method including: simulating execution of the software to be detected, and identifying as a sensitive behavior the behavior of a function called by the software to be detected whose sensitive feature information matches the pre-stored sensitive feature information;
  • a sensitive behavior in which the malicious feature information of the called function matches the pre-stored malicious feature information is identified as a malicious behavior.
  • The sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number;
  • the malicious feature information includes: a function name and a function parameter constant value.
  • Before simulating execution of the software to be detected, the method further includes:
  • disassembling the bytecode file in the installation package of the software to be detected, and constructing the program structure and solving the program execution path according to the disassembled program code.
  • The method further includes:
  • analyzing the instructions in the program execution path, and when an instruction is a constant value introduction instruction, recording the introduced constant value and propagating the constant value downward along the program execution path.
  • The method further includes:
  • determining the risk level of the malicious behavior according to the function name and function parameter constant value of the called function in the malicious behavior, and the pre-stored mapping between function name, function parameter constant value and risk level.
  • The method further includes:
  • generating a detection result according to the risk level of the malicious behavior, and reporting the detection result to the user through a user interface (UI).
  • The embodiment of the present invention further provides a server, where the server includes a simulation execution unit, a detection rule storage unit, an identification unit, and a matching unit;
  • the simulation execution unit is configured to simulate execution of the software to be detected;
  • the detection rule storage unit is configured to store sensitive feature information and malicious feature information; the matching unit is configured to: when the simulation execution unit calls a function, match the sensitive feature information of the called function with the sensitive feature information in the detection rule storage unit, and match the malicious feature information of the called function with the malicious feature information in the detection rule storage unit, the called function being the function called in a sensitive behavior identified by the identification unit;
  • the identification unit is configured to: when the matching unit matches the sensitive feature information successfully, identify the behavior of the function whose sensitive feature information matched as a sensitive behavior; and when the matching unit matches the malicious feature information successfully, identify the sensitive behavior whose malicious feature information matched as a malicious behavior.
  • The sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number;
  • the malicious feature information includes: a function name and a function parameter constant value.
  • The server further includes:
  • a program structure construction unit configured to construct a program structure from the program code after the preprocessing unit has disassembled the bytecode file into program code;
  • a program execution path solving unit configured to solve a program execution path from the program structure after the program structure construction unit has constructed the program structure.
  • The simulation execution unit is further configured to execute the program according to the program execution path solved by the program execution path solving unit, and to analyze the instructions in the program execution path in sequence;
  • the server further includes a constant value analyzing unit configured to: when the simulation execution unit finds that an instruction in the program execution path is a constant value introduction instruction, record the introduced constant value and propagate the constant value downward along the program execution path.
  • The server further includes:
  • a risk rating unit configured to determine the risk level of the malicious behavior according to the function name and function parameter constant value of the called function in the malicious behavior, and the pre-stored mapping between function name, function parameter constant value and risk level.
  • The server further includes a detection result saving unit and a malicious behavior reporting unit, wherein
  • the risk rating unit is further configured to generate a detection result according to the risk level of the malicious behavior;
  • the detection result saving unit is configured to save the detection result generated by the risk rating unit;
  • the malicious behavior reporting unit is configured to report the detection result saved by the detection result saving unit to the user through the client UI after the simulation execution unit has finished simulating execution of the software to be detected.
  • The embodiment of the present invention further provides an Android software malicious behavior detection system, where the system includes a client and a server;
  • the client is configured to allow the user to upload the installation package of the software to be detected to the server through the UI running on the client, to receive the detection result sent by the server, and to report it to the user through the UI;
  • the server is configured to identify as a sensitive behavior the behavior of a function called by the software to be detected whose sensitive feature information matches the pre-stored sensitive feature information, and to identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches the pre-stored malicious feature information.
  • The server includes a simulation execution unit, a detection rule storage unit, an identification unit, and a matching unit; the server further includes a preprocessing unit, a program structure construction unit, a program execution path solving unit, and a constant value analysis unit; and the server further includes a risk rating unit, a detection result saving unit, and a malicious behavior reporting unit; the function of each unit is the same as described above.
  • In the embodiments of the present invention, all instructions in the software to be detected are executed by simulation, and the sensitive feature information of each function called by the software to be detected is matched with the sensitive feature information stored by the server.
  • The malicious feature information of the function called in a sensitive behavior is further matched with the malicious feature information stored by the server; if the match succeeds, the software to be detected is determined to be malware. In this way, detecting the software to be detected requires no virus signature, so the detection result has no lag period, and the detection is not limited by how complicated the trigger condition of the malicious behavior is, so malicious behavior in the software can be detected accurately and in a timely manner.
  • FIG. 1 is a schematic flowchart of a method for detecting malicious behavior of Android software according to an embodiment of the present invention;
  • FIG. 2 is a schematic structural diagram of a malicious behavior detection system for Android software according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of detecting malicious behavior of Android software according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart of a method for detecting malicious behavior of Android software according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step 101: Simulate execution of the software to be detected, and identify as a sensitive behavior the behavior of a function called by the software to be detected whose sensitive feature information matches the pre-stored sensitive feature information.
  • The sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number; a function can be uniquely determined by its function name, function class name, function parameter number, and function parameter types.
  • The server locally stores the sensitive feature information of dangerous functions, a dangerous function being a library function that is invoked when malicious behavior in the software to be detected is carried out.
  • The malicious behavior in the software to be detected includes: sending a short message with fixed content to a fixed number so as to order a service provider (SP) service and consume the user's fees; opening a fixed universal resource locator (URL) to consume the user's fees; and executing a fixed system command to modify or delete the user's files.
  • The above malicious behaviors are implemented by calling a dangerous function and introducing a certain number of constants of a certain type into the parameters of the dangerous function, namely the fixed-content short message, fixed number, fixed URL or fixed system command, in the code of the software to be detected;
  • that is, the parameters of the dangerous function are introduced as constants in the form of a fixed string or an immediate value.
  • Such a function call is identified as a sensitive behavior for further detection, to determine whether the function call is malicious.
  • The installation package of the software to be detected may be obtained from the file uploaded by the user; the bytecode file in the installation package is disassembled, and the program structure is built and the program execution path solved according to the disassembled program code.
  • The installation package is in the APK format of the Android system. An unpacking tool is run on the server to unpack the installation package and obtain a bytecode file in the dex format; the dex bytecode file is an executable file for the Dalvik virtual machine, which is the application environment that runs software in the Android system.
  • The disassembly tool is run to disassemble the bytecode file, and the program structure information is analyzed from the disassembled program code by a script; the program structure information includes: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph, a control flow graph, and a fixed string table.
  • The script is used to analyze the program structure information and is not related to the technical domain of the disassembly tool;
  • the instruction structure includes the address, operation code and operands of the instruction;
  • the basic block structure includes the basic block number and its first address.
  • The program execution path is an instruction execution sequence that runs all the instructions in the disassembled program code.
  • Using the instruction structure, basic block structure, function structure and class structure, the instruction execution sequence of the current function is analyzed starting from the entry function of the disassembled program code. This analysis uses a graph traversal algorithm, so that for a branch instruction in a function, each branch block is guaranteed to be executed at least once, and for a loop body in a function, the instructions of the loop body are guaranteed to be executed at least once;
  • using the instruction structure, basic block structure, function structure and class structure, the function called at each function call point in the current function is analyzed, the connection relationship between the current function and the called function is established, and the instruction execution sequence of the called function is analyzed; when the function called at a function call point is a thread start function, a virtual function or an interface function, the following processing is also required:
  • The instructions in the program execution path are analyzed, and when an instruction is a constant value introduction instruction, the introduced constant value is recorded and propagated downward along the program execution path; the constants include immediate values and fixed strings;
  • when the instruction in the program execution path is a constant value introduction instruction that introduces a constant value in the form of an immediate value, the directly introduced immediate value is recorded, and the corresponding variable in the program execution path is marked as being in the constant state;
  • when the constant value introduction instruction introduces a constant value in the form of a fixed string, the fixed string table is searched to obtain the value of the fixed string, the value of the introduced fixed string is recorded, and the corresponding variable in the program execution path is marked as being in the constant state;
  • when the instruction is a constant value introduction instruction whose operand is a variable, the corresponding variable is marked as being in the constant state in the program execution path according to the semantic information of the current instruction, and the introduced constant value is recorded;
  • Step 102: Identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches the pre-stored malicious feature information.
  • The malicious feature information includes: a function name and a function parameter constant value.
  • In step 101, during simulated execution of the software to be detected, if the sensitive feature information of a function called by the software to be detected matches the sensitive feature information of a dangerous function stored locally by the server, the function call is determined to have the preliminary feature of malicious behavior, namely: sending a fixed-content SMS to a fixed number, opening a fixed URL, or executing a fixed system command, where the fixed-content SMS, fixed number, fixed URL and fixed system command are introduced into the parameters of the dangerous function in the form of constant values to implement the sensitive behavior.
  • The malicious feature information of the function called in a sensitive behavior identified in the software to be detected is matched with the pre-stored malicious feature information of the dangerous function to further determine whether the sensitive behavior is malicious, that is: whether sending the fixed-content SMS to the fixed number orders a service from the SP and consumes the user's fees; whether opening the fixed URL opens a network Internet Protocol (IP) address and causes consumption of the user's fees; and whether executing the fixed system command causes loss to the user's files. If so, the function call is identified as a malicious behavior, and the software to be detected is determined to be malware.
  • The risk level of the malicious behavior is also assessed, and the detection result is generated according to the risk level of the malicious behavior.
  • The detection result is reported to the user through the client UI so that the user understands the relevant information about the malware; the detection result includes: the risk level of the malicious behavior, the function name and class name of the dangerous function in the malicious behavior, the function name of the function in which the malicious behavior occurs, the malicious behavior type, and the malicious behavior description.
  • The function name and function parameter constant value of the function called in the malicious behavior are matched against the locally pre-stored rating rules to determine the risk level, wherein
  • the rating rules describe the risk level corresponding to each function and its function parameter constant values, the risk level being determined according to the degree of loss to the user; for example, the risk level of a malicious behavior that orders multiple SP services to consume the user's fees is higher than that of a malicious behavior that orders a single SP service.
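The two matching stages and the rating rule described above, as an added example that is not part of the patent: the detection rules, API signatures, risk levels and sample calls are constructed (the number 1066156686 and the message content 8 are taken from the hippoSMS walkthrough later on the page), and each call's arguments are assumed to have already been reduced to constants by the propagation step.

```python
"""Two-stage detection-rule matching and risk rating (steps 101 and 102).

Added example, not the patent's own code. Rules, API signatures, risk
levels and sample calls are constructed; each call's arguments are
assumed to have already been reduced to constants by propagation.
"""
import re
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class ResolvedCall:
    """A call seen during simulated execution; args holds the constant
    propagated into each parameter, or None if it never became constant."""
    caller: str
    class_name: str
    name: str
    param_types: tuple
    args: tuple

@dataclass(frozen=True)
class DetectionRule:
    """Sensitive feature (class, name, parameter types and count) of one
    dangerous function plus the malicious feature tested on one parameter."""
    class_name: str
    name: str
    param_types: tuple
    param_index: int                      # parameter carrying the constant
    is_malicious: Callable[[str], bool]   # test on that constant's value
    risk_level: int
    behavior_type: str
    description: str

def _bare_ip_host(url):
    """Fixed URL whose host is a bare IPv4 address (the page's IP-address case)."""
    return re.match(r"^https?://\d{1,3}(\.\d{1,3}){3}(?:[:/]|$)", url) is not None

SMS_SIG = ("String", "String", "String", "PendingIntent", "PendingIntent")

# Constructed rules for the three behavior classes the page names.
RULES = (
    DetectionRule("android.telephony.SmsManager", "sendTextMessage", SMS_SIG, 0,
                  lambda v: v.startswith("1066"), 3,
                  "SP service order", "sends a fixed-content SMS to a fixed SP number"),
    DetectionRule("java.net.URL", "<init>", ("String",), 0, _bare_ip_host, 2,
                  "fee-consuming URL", "opens a fixed URL addressed by a bare IP"),
    DetectionRule("java.lang.Runtime", "exec", ("String",), 0,
                  lambda v: v.split()[:1] == ["rm"], 4,
                  "file deletion", "executes a fixed system command that deletes files"),
)

def match_sensitive(call, rules=RULES):
    """Step 101: sensitive when class name, function name, parameter count
    and parameter types all equal those of a stored dangerous function."""
    for rule in rules:
        if ((call.class_name, call.name) == (rule.class_name, rule.name)
                and len(call.param_types) == len(rule.param_types)
                and call.param_types == rule.param_types):
            return rule
    return None

def match_malicious(call, rule):
    """Step 102: malicious when the rule's parameter holds a constant that
    satisfies the stored malicious feature; a non-constant never matches."""
    value = call.args[rule.param_index]
    return value is not None and rule.is_malicious(value)

def detect(calls, rules=RULES):
    """Run both stages over every call and build the detection result."""
    findings = []
    for call in calls:
        rule = match_sensitive(call, rules)
        if rule is not None and match_malicious(call, rule):
            findings.append({
                "risk_level": rule.risk_level,
                "dangerous_function": f"{rule.class_name}.{rule.name}",
                "calling_function": call.caller,
                "behavior_type": rule.behavior_type,
                "description": rule.description,
                "constant": call.args[rule.param_index],
            })
    # Rating rule from the page: ordering several SP services outranks ordering one.
    sp_numbers = {f["constant"] for f in findings if f["behavior_type"] == "SP service order"}
    overall = max((f["risk_level"] for f in findings), default=0)
    if len(sp_numbers) > 1:
        overall += 1
    return {"is_malware": bool(findings), "risk_level": overall, "findings": findings}

# Constructed sample calls (1066156686 and "8" follow the hippoSMS walkthrough).
SAMPLE_CALLS = (
    ResolvedCall("MessageService.sendsms", "android.telephony.SmsManager",
                 "sendTextMessage", SMS_SIG, ("1066156686", None, "8", None, None)),
    ResolvedCall("Download$myThread.run", "android.telephony.SmsManager",
                 "sendTextMessage", SMS_SIG, ("1066000001", None, "Y", None, None)),
    # Number typed by the user: sensitive (same signature) but never constant.
    ResolvedCall("ComposeActivity.send", "android.telephony.SmsManager",
                 "sendTextMessage", SMS_SIG, (None, None, None, None, None)),
    ResolvedCall("Updater.check", "java.net.URL", "<init>", ("String",),
                 ("http://203.0.113.7/order?id=1",)),
)
```

Calling detect(SAMPLE_CALLS) reports three malicious calls; the third sample call is sensitive but not malicious because its number never became a constant.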
  • FIG. 2 is a schematic structural diagram of a malicious behavior detection system for Android software according to an embodiment of the present invention. As shown in FIG. 2, the system includes a server 21 and a client 22:
  • the server 21 is configured to identify as a sensitive behavior the behavior of a function called by the software to be detected whose sensitive feature information matches the pre-stored sensitive feature information, and to identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches the pre-stored malicious feature information;
  • the client 22 is configured to allow the user to upload the installation package of the software to be detected to the server 21 through the UI running on the client 22, to receive the detection result sent by the server 21, and to report it to the user through the UI.
  • The server 21 includes: a simulation execution unit 2101, a detection rule storage unit 2102, a matching unit 2103, and an identification unit 2104;
  • the simulation execution unit 2101 is configured to simulate execution of the software to be detected;
  • the detection rule storage unit 2102 is configured to store the sensitive feature information and the malicious feature information;
  • the matching unit 2103 is configured to: when the simulation execution unit 2101 calls a function, match the sensitive feature information of the called function with the sensitive feature information in the detection rule storage unit 2102, and match the malicious feature information of the called function with the malicious feature information in the detection rule storage unit 2102, the called function being the function called in a sensitive behavior identified by the identification unit 2104;
  • the identification unit 2104 is configured to: when the matching unit 2103 matches the sensitive feature information successfully, identify the behavior of the function whose sensitive feature information matched as a sensitive behavior; and when the matching unit 2103 matches the malicious feature information successfully, identify the sensitive behavior whose malicious feature information matched as a malicious behavior.
  • The sensitive feature information includes: a function name, a function class name, a function parameter type, and a function parameter number;
  • the malicious feature information includes: a function name and a function parameter constant value.
  • The server 21 further includes: a preprocessing unit 2105, a program structure construction unit 2106, a program execution path solving unit 2107, and a constant value analyzing unit 2108;
  • the preprocessing unit 2105 is configured to receive the installation package of the software to be detected uploaded by the user through the client 22, and to disassemble the bytecode file in the installation package;
  • the program structure construction unit 2106 is configured to construct the program structure from the program code after the preprocessing unit 2105 has disassembled the bytecode file into program code;
  • the program execution path solving unit 2107 is configured to solve the program execution path from the program structure after the program structure construction unit 2106 has constructed the program structure.
  • The simulation execution unit 2101 is further configured to execute the program according to the program execution path solved by the program execution path solving unit 2107, and to analyze the instructions in the program execution path in sequence;
  • the constant value analyzing unit 2108 is configured to record the introduced constant value and propagate it downward along the program execution path when the simulation execution unit 2101 finds that an instruction in the program execution path is a constant value introduction instruction.
  • The server 21 further includes a risk rating unit 2109 configured to determine the risk level of the malicious behavior according to the function name and function parameter constant value of the called function in the malicious behavior, and the pre-stored mapping between function name, function parameter constant value and risk level.
  • The server 21 further includes a detection result saving unit 2110 and a malicious behavior reporting unit 2111, wherein
  • the risk rating unit 2109 is further configured to generate a detection result according to the risk level of the malicious behavior;
  • the detection result saving unit 2110 is configured to save the detection result generated by the risk rating unit 2109;
  • the malicious behavior reporting unit 2111 is configured to report the detection result saved by the detection result saving unit 2110 to the user through the UI of the client 22 after the simulation execution unit 2101 has finished simulating execution of the software to be detected.
  • The malicious behavior reporting unit 2111 can be implemented by a central processing unit (CPU), a digital signal processor (DSP), or a field programmable gate array (FPGA) in the server 21.
  • The detection rule storage unit 2102 and the detection result saving unit 2110 may each be implemented by memory in the server 21, either by the same memory in the server 21 or by different memories in the server 21.
  • FIG. 3 is a schematic diagram of the process for detecting malicious behavior of Android software according to an embodiment of the present invention. Taking the software hippoSMS as the software to be detected, as shown in FIG. 3, the process includes the following steps:
  • Step 301: The server receives the software to be detected uploaded by the client, and performs preprocessing.
  • The user uploads the installation package hippoSMS.apk corresponding to the software hippoSMS to the server through the client UI; the server decompresses the installation package with decompression software, extracts the bytecode file with the .dex suffix from the installation package, and runs the disassembly tool on the bytecode file to disassemble it and output the program code.
  • The decompression software may be WinRAR or apktool, and the disassembly tool may be IDA Pro (Interactive Disassembler Professional).
  • Step 302: The server builds the program structure and solves the program execution path according to the disassembled program code.
  • The server constructs the program structure from the disassembled program code, the program structure including: an instruction structure, a basic block structure, a function structure, a class structure, a function call graph, a control flow graph, and a string table; it then solves the program execution path according to this program structure.
  • The instruction in the third line is a function call instruction; the called function is not a thread start function, a virtual function or an interface function, so the called function is found directly from the function call graph, the connection relationship between the current function and the called function is established, and the called function is entered to perform the program execution path solving operation;
  • the instruction in the fourth line is a system function call instruction, and the function is a thread initialization function; the class name of the initialization parameter is Download$myThread; the v1 object is bound to the ⁇ object, and the class name of the ⁇ object is marked as the class name of the v1 object, Download$myThread; the analysis then continues down into the run function of Download$myThread;
  • the instruction in the fifth line is the thread start function call instruction, and the class name of the ⁇ parameter is Download$myThread; the run function in Download$myThread is therefore searched for, the name of the called function is changed from Thread.start to Download$myThread.run, and the program execution path is solved for the function Download$myThread.run.
  • Step 303 The server analyzes the instructions in the execution path, and when the instruction introduces an instruction into a constant value, records the introduced constant value and propagates the constant value downward in the program execution path.
  • the first line instruction is a constant value introduction instruction
  • v7 is defined as a string constant a8
  • a8 is a fixed string
  • the instruction introduces a constant value in the form of a string, and queries in a fixed string table by using a8 as an index.
  • the second line to the fourth line of instructions are constant value introduction instructions, and are in the form of strings Introduce a constant value, query the value of the corresponding string in the fixed string table with v6, v5, and v4 as indexes, mark v6, v5, and v4 as constant states, and record the value of the corresponding string, where v6
  • the value is 1066156686
  • the value of v5 is data
  • the value of v4 is an empty string.
  • the instruction of the 5th line is a function call instruction
  • the values of the argument variables this, v6, v7, v4 and this are passed to the Call the function MessageService.sendsms, and initialize the corresponding parameters of the function Messa geService.sendsms to the values of this, p0, pl, p2 and p3 to the value of the argument passed to the called function, further to the function MessageService.sendsms
  • the instructions are analyzed.
Its first line instruction is a constant-value-introducing instruction that introduces the constant as an immediate value: it introduces the immediate value 0 into the variable v2, marks v2 as constant state, and records the value of v2 as the immediate 0.
The second line instruction is analyzed as a constant-value-introducing instruction for the variable v1 that carries an operand: it introduces the value of the parameter p0 into v1. The argument corresponding to the parameter p0 is the string v6, and v6 was assigned the value 1066156686, so the value of p0 is the value of the string v6, 1066156686; according to the semantic information of the instruction, the variable v1 is marked as constant state and its value is recorded as the constant 1066156686.
The third line instruction is analyzed as a constant-value-introducing instruction for the variable v3 that carries an operand: it introduces the value of the formal parameter p1 into v3. The actual argument corresponding to the formal parameter p1 is the string v7, and v7 was assigned the value 8, so the value of p1 is the value 8 of the string v7; according to the semantic information of the instruction, v3 is marked as constant state and its value is recorded as the constant 8.
The fourth line instruction is analyzed as a system function call instruction. Since the called function SmsManager.sendTextMessage is a library function, the analysis cannot enter the called function, and the process proceeds to step 304.
Step 304: The server matches the sensitive feature information of the function called by the software to be detected against the locally stored sensitive feature information.
The server maintains detection rules locally to store the sensitive feature information and malicious feature information, and describes the sensitive feature information and malicious feature information of one dangerous function in the same XML (Extensible Markup Language) detection rule.
The detection rule for the function SmsManager.sendTextMessage can be described as follows:
  • <ParaTypeList>: the list of parameter types of the function whose class name is SmsManager; the first three parameters are of type String and the last two are of a system-defined type, and the list matches the first three parameters, whose type is String;
  • <ParamSize>: matches the number of parameters of the function, 6; the first parameter of every function is the this pointer, and the count given here includes it;
  • <KeyParamList>: matches the information of one or more parameters of the function, the matching rule for each parameter being given by a <KeyParam>;
  • <KeyParam>: contains the matching rule for one parameter;
  • <ParamPos>: the position of the parameter to be matched, counting from 0;
  • <ParamValue>: the value of the parameter to be matched, the characteristics of the value being described by a regular expression;
  • <SinkType>: the behavior type of the function.
When the server finds that the fourth line of code segment 3 is a function call instruction and that the called function is a library function, the sensitive feature information of the called function is matched against the sensitive feature information in the detection rule of code segment 4, where the sensitive feature information includes the function name, function class name, function parameter types and function parameter count; the processing is as follows:
Step 305: The server matches the malicious feature information of the function called by the software to be detected against the locally stored malicious feature information. The malicious feature information includes: the function name and function parameter constant values. After the call to the function SmsManager.sendTextMessage has been identified as a sensitive behavior in step 304, the server performs the following processing in this step:
Step 306: The server assesses the risk level of the malicious behavior, generates the detection result, and reports it to the user through the client. The generated detection result is: risk level: high; malicious behavior type: malicious fee deduction. The server sends the detection result to the client, which displays it through the UI to report it to the user.
In summary, the software to be detected is executed in simulation, the sensitive feature information and malicious feature information of the functions called by the software are matched against the pre-stored sensitive feature information and malicious feature information, and if the match succeeds the function call is determined to be malicious.
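The two-stage match of steps 304 to 306 (sensitive feature information, then malicious feature information, then a risk level) carried out against a detection rule in the XML shape described above, as an added example that is not the patent's own code. The element names come from the text; the root element, its ClassName/FuncName attributes, the <Type> children, the regular expression and the risk table are my assumptions, constructed for the example.

```python
"""Two-stage matching of a library call against an XML detection rule (added
example, not the patent's code). Element names follow the text; the root
element, its ClassName/FuncName attributes and the <Type> children are an
assumed layout, and the regular expression and risk table are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed rule for SmsManager.sendTextMessage: 6 parameters including
# `this`, the first three of type String, key parameter at position 1
# (the destination number) matched by a constructed regular expression.
RULE_XML = r"""
<DetectionRule ClassName="SmsManager" FuncName="sendTextMessage">
  <ParaTypeList><Type>String</Type><Type>String</Type><Type>String</Type></ParaTypeList>
  <ParamSize>6</ParamSize>
  <KeyParamList>
    <KeyParam><ParamPos>1</ParamPos><ParamValue>^106\d{5,10}$</ParamValue></KeyParam>
  </KeyParamList>
  <SinkType>malicious fee deduction</SinkType>
</DetectionRule>
"""

@dataclass
class DetectionRule:
    class_name: str
    func_name: str
    param_types: list      # types pinned down from position 1 onwards
    param_size: int        # parameter count including the this pointer
    key_params: list       # (position counted from 0, compiled regex)
    sink_type: str

def parse_rule(xml_text):
    root = ET.fromstring(xml_text)
    types = [t.text.strip() for t in root.find("ParaTypeList")]
    keys = [(int(kp.findtext("ParamPos")), re.compile(kp.findtext("ParamValue")))
            for kp in root.find("KeyParamList")]
    return DetectionRule(root.get("ClassName"), root.get("FuncName"), types,
                         int(root.findtext("ParamSize")), keys,
                         root.findtext("SinkType").strip())

@dataclass
class CallSite:
    """A library call reached in simulated execution. args[i] is the constant
    value of parameter i (0 = this); None means it was not resolved to a constant."""
    caller: str
    class_name: str
    func_name: str
    param_types: list      # declared types of parameters 1..n-1
    args: list

def is_sensitive(call, rule):
    """Stage 1: function name, class name, parameter count and parameter types."""
    return ((call.class_name, call.func_name) == (rule.class_name, rule.func_name)
            and len(call.args) == rule.param_size
            and call.param_types[:len(rule.param_types)] == rule.param_types)

def is_malicious(call, rule):
    """Stage 2: every key parameter must be a constant matching its regex;
    an argument the simulation could not resolve never matches."""
    for pos, pattern in rule.key_params:
        value = call.args[pos]
        if value is None or not pattern.fullmatch(str(value)):
            return False
    return True

# Constructed assessment rules: (function name, regex over a key constant) -> level.
RISK_RULES = [("sendTextMessage", re.compile(r"^106\d+$"), "high")]

def risk_level(call, rule):
    for func, pattern, level in RISK_RULES:
        if func == call.func_name and any(
                call.args[pos] is not None and pattern.fullmatch(str(call.args[pos]))
                for pos, _ in rule.key_params):
            return level
    return "low"

def detect(calls, rules):
    """One detection result per malicious call, with the fields the text lists."""
    results = []
    for call in calls:
        for rule in rules:
            if not is_sensitive(call, rule):
                continue   # not a sensitive behaviour at all
            if not is_malicious(call, rule):
                continue   # sensitive, but the constant values do not match
            results.append({
                "risk_level": risk_level(call, rule),
                "dangerous_function": f"{call.class_name}.{call.func_name}",
                "in_function": call.caller,
                "behavior_type": rule.sink_type,
            })
    return results
```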

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

Disclosed in an embodiment of the present invention are an Android software malicious behavior detection method, system and device, the method comprising: simulating the execution of the software to be detected; matching the sensitive feature information and malicious feature information of a function invoked by the software to be detected against pre-stored sensitive feature information and malicious feature information; and, if the matching succeeds, determining the function invocation to be a malicious behavior. The technical solution of the embodiment avoids the problem in the related art of being unable to determine whether the software to be detected is malicious, caused by the lag in detection and by the complicated conditions that trigger the malicious behavior of malicious software.

Description

Method, system and device for detecting malicious behavior of Android software

Technical Field
The present invention relates to communication technology, and in particular to a method, system and device for detecting malicious behavior of Android software.

Background
Mobile terminals currently run the Android system widely, but Android software is distributed through diverse channels that lack effective supervision, so users easily install malicious software, which maliciously consumes the user's fees and deletes personal information, degrading the user experience.
Malware detection methods in the related art include: detection by virus scanning; and dynamic real-time monitoring of the software's execution and its interaction with the external environment to determine whether the software is malicious.
The virus-scanning approach depends on virus signatures, which for newly released software must be extracted by manual analysis, so the detection result lags; the dynamic real-time approach depends on specific trigger conditions, and if the trigger conditions of the malicious behavior hidden in the software are complex, it may be impossible for a long time to detect whether the software is malicious.

Summary of the Invention
In view of this, embodiments of the present invention provide a method, system and device for detecting malicious behavior of Android software, which can determine whether malicious behavior is hidden in the software to be detected without virus signatures and without being limited by the complexity of the conditions that trigger the malicious behavior.
To achieve the above object, the technical solution of the embodiments of the present invention is implemented as follows:
An embodiment of the present invention provides a method for detecting malicious behavior of Android software, the method including: simulating execution of the software to be detected, and identifying as a sensitive behavior the behavior of the software to be detected calling a function whose sensitive feature information matches pre-stored sensitive feature information;
and identifying as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches pre-stored malicious feature information.
Preferably, the sensitive feature information includes: a function name, a function class name, function parameter types and a function parameter count;
the malicious feature information includes: a function name and function parameter constant values.
Preferably, before simulating execution of the software to be detected, the method further includes:
disassembling the bytecode file in the installation package of the software to be detected, and, from the disassembled program code, constructing the program structure and solving the program execution path.
Preferably, the method further includes:
analyzing the instructions in the program execution path and, when an instruction is a constant-value-introducing instruction, recording the introduced constant value and propagating it downward along the program execution path.
Preferably, the method further includes:
determining the risk level of the malicious behavior according to the function name and function parameter constant values of the called function in the malicious behavior and a pre-stored mapping from function name and function parameter constant values to risk level.
Preferably, after simulated execution of the software to be detected is complete, the method further includes:
generating a detection result according to the risk level of the malicious behavior, and reporting the detection result to the user through the client user interface (UI).
An embodiment of the present invention further provides a server, the server including a simulated execution unit, a detection rule storage unit, an identification unit and a matching unit, where:
the simulated execution unit is configured to simulate execution of the software to be detected;
the detection rule storage unit is configured to store sensitive feature information and malicious feature information; the matching unit is configured to, when the simulated execution unit calls a function, match the sensitive feature information of the called function against the sensitive feature information in the detection rule storage unit, and to match the malicious feature information of the called function against the malicious feature information in the detection rule storage unit, the called function being the called function in a sensitive behavior identified by the identification unit; the identification unit is configured to, when the matching unit successfully matches sensitive feature information, identify the behavior of calling the function whose sensitive feature information matched as a sensitive behavior, and, when the matching unit successfully matches malicious feature information, identify the sensitive behavior calling the function whose malicious feature information matched as a malicious behavior.
Preferably, the sensitive feature information includes: a function name, a function class name, function parameter types and a function parameter count;
the malicious feature information includes: a function name and function parameter constant values.
Preferably, the server further includes a preprocessing unit, a program structure construction unit and a program execution path solving unit, where the preprocessing unit is configured to disassemble the bytecode file in the installation package of the software to be detected;
the program structure construction unit is configured to construct the program structure from the program code after the preprocessing unit has disassembled the program code from the bytecode file;
the program execution path solving unit is configured to solve the program execution path from the program structure after the program structure construction unit has constructed it.
Preferably, the simulated execution unit is further configured to analyze the instructions in the program execution path in order, according to the program execution path solved by the program execution path solving unit;
the server further includes a constant value analysis unit configured to, when the simulated execution unit finds that an instruction in the program execution path is a constant-value-introducing instruction, record the introduced constant value and propagate it downward along the program execution path.
Preferably, the server further includes:
a risk level assessment unit configured to determine the risk level of the malicious behavior according to the function name and function parameter constant values of the called function in the malicious behavior and a pre-stored mapping from function name and function parameter constant values to risk level.
Preferably, the server further includes a detection result storage unit and a malicious behavior reporting unit, where:
the risk level assessment unit is further configured to generate a detection result according to the risk level of the malicious behavior;
the detection result storage unit is configured to store the detection result generated by the risk level assessment unit;
the malicious behavior reporting unit is configured to report the detection result stored by the detection result storage unit to the user through the client UI after the simulated execution unit has finished simulating execution of the software to be detected.
An embodiment of the present invention further provides an Android software malicious behavior detection system, the system including a client and a server, where:
the client is configured to let the user upload the installation package of the software to be detected to the server through the UI running on the client, and to receive the detection result sent by the server and report it to the user through the UI;
the server is configured to identify as a sensitive behavior the behavior of the software to be detected calling a function whose sensitive feature information matches pre-stored sensitive feature information, and to identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches pre-stored malicious feature information.
Preferably, the server includes a simulated execution unit, a detection rule storage unit, an identification unit and a matching unit; the server further includes a preprocessing unit, a program structure construction unit, a program execution path solving unit and a constant value analysis unit; the server further includes a risk level assessment unit, a detection result storage unit and a malicious behavior reporting unit; the function of each unit is the same as described above.
In the technical solution provided by the embodiments of the present invention, all instructions of the software to be detected are executed in simulation, and the sensitive feature information of each function called by the software is matched against the sensitive feature information stored on the server; when a function call is determined to be a sensitive behavior, the malicious feature information of the called function is further matched against the malicious feature information stored on the server, and if the match succeeds, the software to be detected is determined to be malicious. In this way, detection of the software needs no virus signatures, so there is no lag in the detection result, and it is not limited by how complex the trigger conditions of the malicious behavior are, so malicious behavior can be detected accurately and promptly.

Brief Description of the Drawings
FIG. 1 is a schematic flowchart of the method for detecting malicious behavior of Android software according to an embodiment of the present invention; FIG. 2 is a schematic diagram of the composition of the Android software malicious behavior detection system according to an embodiment of the present invention; FIG. 3 is a schematic flowchart of detecting malicious behavior of Android software according to an embodiment of the present invention.

Detailed Description
The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a schematic flowchart of the method for detecting malicious behavior of Android software according to an embodiment of the present invention; as shown in FIG. 1, it includes the following steps:
Step 101: simulate execution of the software to be detected, and identify as a sensitive behavior the behavior of the software to be detected calling a function whose sensitive feature information matches pre-stored sensitive feature information.
The sensitive feature information includes: a function name, a function class name, function parameter types and a function parameter count; a function is uniquely determined by its function name, function class name, function parameter count and function parameter types.
The server locally stores the sensitive feature information of dangerous functions, where a dangerous function is a library function called when malicious behavior in the software to be detected is carried out.
Malicious behavior in the software to be detected includes: sending an SMS message with fixed content to a fixed number to subscribe, without the user's knowledge, to a service provider (SP) service and so consume the user's fees; opening a fixed uniform resource locator (URL) to consume the user's fees; and executing a fixed system command to modify or delete the user's files. These malicious behaviors are carried out by calling a dangerous function and introducing a certain number of constant-typed values into its parameters: the fixed SMS content, fixed number, fixed URL and fixed system command enter the parameters of the dangerous function in the code of the software to be detected as constants in the form of fixed strings or immediate values. Therefore, during simulated execution of the software to be detected, if the sensitive feature information of a function called by the software matches the sensitive feature information of a dangerous function stored locally on the server, the function call is identified as a sensitive behavior for further examination, to determine whether it is a malicious behavior.
In a preferred implementation of step 101, the installation package of the software to be detected may be obtained by having the user upload it through the client; after the installation package is obtained, the bytecode file in it is disassembled, and the program structure is constructed and the program execution path solved from the disassembled program code.
The installation package is in the Android apk format; running an unpacking tool on the installation package on the server yields a bytecode file in the dex format, which is an executable file for the Dalvik virtual machine, the application environment in which software runs on the Android system.
In a preferred implementation of disassembling the bytecode and constructing the program structure from the disassembled program code, a disassembly tool is run on the bytecode file, and a script analyzes the program structure information from the disassembled code. The program structure information includes: the instruction structure, the basic block structure, the function structure, the class structure, the function call graph, the control flow graph and the fixed string table. Driving the disassembly tool from a script to extract the program structure information belongs to the related art of disassembly tools and is not described further. The instruction structure includes the instruction's address, opcode and operands; the basic block structure includes the basic block number, start address, end address, containing function and the instructions in the block; the function structure includes the function start address, function name and all basic blocks in the function; the class structure includes the class name, attribute list and function list; the fixed string table stores the fixed strings appearing in the program.
The program execution path is the instruction execution sequence that runs all instructions of the disassembled program code. In a preferred implementation of solving the program execution path, the instruction execution sequence of the current function is analyzed, starting from the entry function of the disassembled code, according to the control flow graph, instruction structure, basic block structure, function structure and class structure, using a graph traversal algorithm; in this way every branch block of a branch instruction in the function is executed at least once, and the instructions of a loop body in the function are executed at least once;
according to the function call graph, instruction structure, basic block structure, function structure and class structure, the function called at each call site in the current function is determined and a connection is established between the current function and the called function, so as to analyze the called function's instruction execution sequence; when the function called at a call site is a thread start function, a virtual function or an interface function, the following additional processing is needed:
(1) if the current call site is a thread start function call, the run function of the class named by the parameter at thread initialization is looked up as the function actually called;
(2) if the current call site is a virtual function or interface function call, the function of the same name in the class of the this argument in the current function is looked up as the function actually called.
In a preferred implementation of simulating execution of the software to be detected, the instructions in the program execution path are analyzed and, when an instruction is a constant-value-introducing instruction, the introduced constant value is recorded and propagated downward along the program execution path; the constants include immediate values and fixed strings;
when an instruction in the program execution path is a constant-value-introducing instruction: if it introduces the constant as an immediate value, the directly introduced immediate value is recorded and the corresponding variable in the program execution path is marked as constant state; if it introduces the constant as a fixed string, the fixed string table is looked up using the fixed string's name as the index to obtain its value, the value of the introduced fixed string is recorded, and the corresponding variable in the program execution path is marked as constant state; when the instruction is a constant-value-introducing instruction acting on a variable and carrying operands, the corresponding variable is marked as constant state in the program execution path and the introduced constant value is recorded, according to the semantic information of the current instruction;
when the instruction introduces a constant value in the form of a function return instruction and the constant value returned affects an actual argument variable, the corresponding actual argument variable is marked as constant state in the program execution path and the constant value introduced into it is recorded.
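The constant propagation rules above (immediate values, fixed string table lookup, operand-carrying moves, constants introduced through a function's return value) together with the thread start resolution of rule (1), run over a constructed execution path, as an added example that is not the patent's code. The simplified Dalvik-like instruction forms, the fixed string table, the function and class names and the program itself are constructed to mirror the walkthrough in the text.

```python
"""Constant propagation over a simulated execution path (added example, not the
patent's own code). Instruction forms, string table and program are constructed."""

# Fixed string table: string name (index) -> value, as in the text's a8 lookup.
STRING_TABLE = {"a8": "8", "a9": "1066156686", "a10": "data", "a11": ""}

# Program: function name -> (formal parameter names, instruction list).
PROGRAM = {
    "Download.onCreate": (["this"], [
        ("new-instance", "v1", "Download$myThread"),
        ("invoke", "Thread.start", ["v1"]),         # resolved to <class>.run
        ("return-void",),
    ]),
    "Download$myThread.run": (["this"], [
        ("const-string", "v7", "a8"),               # fixed string lookup
        ("invoke", "Config.number", ["this"]),      # constant via return value
        ("move-result", "v6"),
        ("const-string", "v5", "a10"),
        ("const-string", "v4", "a11"),
        ("invoke", "MessageService.sendsms", ["this", "v6", "v7", "v4", "this"]),
        ("return-void",),
    ]),
    "Config.number": (["this"], [
        ("const-string", "v0", "a9"),
        ("return", "v0"),
    ]),
    "MessageService.sendsms": (["this", "p0", "p1", "p2", "p3"], [
        ("const", "v2", 0),                         # immediate 0
        ("move", "v1", "p0"),                       # p0 carries the caller's v6
        ("move", "v3", "p1"),
        ("invoke", "SmsManager.sendTextMessage", ["this", "v1", "v2", "v3", "v2", "v2"]),
        ("return-void",),
    ]),
}

class Simulator:
    def __init__(self, program, string_table):
        self.program = program
        self.string_table = string_table
        self.lib_calls = []   # (caller, library function, argument constants or None)

    def resolve(self, callee, arg_regs, classes):
        # Rule (1): a thread start call actually calls the run function of the
        # class of the thread object passed as `this`.
        if callee == "Thread.start":
            cls = classes.get(arg_regs[0])
            return f"{cls}.run" if cls else callee
        return callee

    def run(self, func, args=(), arg_classes=()):
        params, instrs = self.program[func]
        regs = {}      # register -> constant value; absent means "not constant"
        classes = {}   # register -> class name of the object it holds
        for name, val, cls in zip(params, args, arg_classes):
            if val is not None:
                regs[name] = val
            if cls is not None:
                classes[name] = cls
        result = None
        for ins in instrs:
            op = ins[0]
            if op == "const":                       # immediate: mark constant
                regs[ins[1]] = ins[2]
            elif op == "const-string":              # look up the fixed string table
                regs[ins[1]] = self.string_table[ins[2]]
            elif op == "new-instance":
                classes[ins[1]] = ins[2]
                regs.pop(ins[1], None)
            elif op == "move":                      # operand-carrying: propagate state
                if ins[2] in regs:
                    regs[ins[1]] = regs[ins[2]]
                else:
                    regs.pop(ins[1], None)
                if ins[2] in classes:
                    classes[ins[1]] = classes[ins[2]]
                else:
                    classes.pop(ins[1], None)
            elif op == "invoke":
                target = self.resolve(ins[1], ins[2], classes)
                vals = [regs.get(r) for r in ins[2]]
                if target in self.program:          # app function: bind args to params
                    result = self.run(target, vals, [classes.get(r) for r in ins[2]])
                else:                               # library function: cannot enter
                    self.lib_calls.append((func, target, vals))
                    result = None
            elif op == "move-result":               # constant via function return
                if result is not None:
                    regs[ins[1]] = result
                else:
                    regs.pop(ins[1], None)
            elif op == "return":
                return regs.get(ins[1])
            elif op == "return-void":
                return None
        return None

def simulate(entry="Download.onCreate"):
    """Run the path from `entry` and return every library call reached, with
    the constant value (or None) bound to each argument position."""
    sim = Simulator(PROGRAM, STRING_TABLE)
    sim.run(entry)
    return sim.lib_calls
```

Each recorded library call carries exactly the per-position constants that step 304 and step 305 match against the detection rule.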
Step 102: identify as a malicious behavior a sensitive behavior in which the malicious feature information of the called function matches pre-stored malicious feature information.
The malicious feature information includes: a function name and function parameter constant values.
In step 101, during simulated execution of the software to be detected, if the sensitive feature information of a function called by the software matches the sensitive feature information of a dangerous function stored locally on the server, the function call is determined to meet the preliminary characteristics of malicious behavior, namely: sending an SMS message with fixed content to a fixed number, opening a fixed URL or executing a fixed system command, where the fixed SMS content, fixed number, fixed URL and fixed system command enter the dangerous function's parameters as constant values to carry out the sensitive behavior.
In a preferred implementation of step 102, the malicious feature information of the function called in a sensitive behavior already identified in the software to be detected is matched against the pre-stored malicious feature information of dangerous functions, to determine further whether the sensitive behavior is a malicious behavior, namely: whether sending an SMS message with fixed content to a fixed number subscribes to an SP service and so consumes the user's fees; whether opening a fixed URL opens a network IP (Internet Protocol) address so as to consume the user's fees; and whether executing a fixed system command damages the user's files. If so, the function call is identified as a malicious behavior and the software to be detected is determined to be malicious.
In a preferred implementation of step 102, the risk level of the malicious behavior is also assessed and a detection result is generated according to it; after simulated execution of the software to be detected is complete, the detection result is reported to the user through the client UI (user interface) so that the user learns the relevant information about the malicious software. The detection result includes: the risk level of the malicious behavior, the function name and class name of the dangerous function in the malicious behavior, the name of the function in which the malicious behavior occurs, the malicious behavior type and a description of the malicious behavior.
In a preferred implementation of the server's assessment of the risk level of a malicious behavior, the function name and the function parameter constant values of the function called by the malicious behavior are each matched against locally pre-stored assessment rules, which describe the risk level corresponding to each function and its function parameter constant values. The risk level is set according to the extent of the loss caused to the user; for example, a malicious behavior that subscribes to an SP service several times to consume the user's fees has a higher risk level than one that subscribes to an SP service only once.
FIG. 2 is a schematic diagram of the structure of an Android software malicious behavior detection system according to an embodiment of the invention. As shown in FIG. 2, the system includes a server 21 and a client 22, where:

the server 21 is configured to identify as sensitive behavior the behavior of any function called by the software under test whose sensitive feature information matches the pre-stored sensitive feature information, and to identify as malicious behavior any sensitive behavior in which the called function's malicious feature information matches the pre-stored malicious feature information;

the client 22 is configured to let the user upload the installation package of the software under test to the server 21 through the UI running on the client 22, to receive the detection report sent by the server 21, and to report it to the user through the UI.

Preferably, the server 21 includes a simulated execution unit 2101, a detection rule storage unit 2102, a matching unit 2103 and an identification unit 2104, where:

the simulated execution unit 2101 is configured to simulate execution of the software under test;

the detection rule storage unit 2102 is configured to store sensitive feature information and malicious feature information;

the matching unit 2103 is configured, when the simulated execution unit 2101 calls a function, to match the called function's sensitive feature information against the sensitive feature information in the detection rule storage unit 2102, and to match the called function's malicious feature information against the malicious feature information in the detection rule storage unit, the called function being the function called in a sensitive behavior identified by the identification unit 2104;

the identification unit 2104 is configured, when the matching unit 2103 successfully matches sensitive feature information, to identify the behavior of the function whose sensitive feature information matched as sensitive behavior, and, when the matching unit 2103 successfully matches malicious feature information, to identify the sensitive behavior whose malicious feature information matched as malicious behavior.

Preferably, the sensitive feature information includes: function name, function class name, function parameter types and number of function parameters;

the malicious feature information includes: function name and function parameter constant values.

Preferably, the server 21 further includes a preprocessing unit 2105, a program structure construction unit 2106, a program execution path solving unit 2107 and a constant value analysis unit 2108, where:

the preprocessing unit 2105 is configured to receive the installation package of the software under test uploaded by the user through the client 22, and to disassemble the bytecode file in the installation package;

the program structure construction unit 2106 is configured to construct the program structure from the program code after the preprocessing unit 2105 has disassembled it from the bytecode file;

the program execution path solving unit 2107 is configured to solve the program execution paths from the program structure after the program structure construction unit 2106 has constructed it.

Preferably, the simulated execution unit 2101 is further configured to analyze, in order, the instructions on the program execution path solved by the program execution path solving unit 2107;

the server 21 further includes a constant value analysis unit 2108, configured, when the simulated execution unit 2101 finds that an instruction on the program execution path introduces a constant value, to record the introduced constant value and propagate it downward along the program execution path.

Preferably, the server 21 further includes a risk level assessment unit 2109, configured to determine the risk level of the malicious behavior from the function name and function parameter constant values of the function called in the malicious behavior, together with a pre-stored mapping from function name and function parameter constant values to risk level. Preferably, the server 21 further includes a detection result storage unit 2110 and a malicious behavior reporting unit 2111, where:

the risk level assessment unit 2109 is further configured to generate a detection result according to the risk level of the malicious behavior;

the detection result storage unit 2110 is configured to store the detection result generated by the risk level assessment unit 2109;

the malicious behavior reporting unit 2111 is configured to report the detection result stored in the detection result storage unit 2110 to the user through the UI of the client 22 after the simulated execution unit 2101 has finished simulating execution of the software under test.

In practice, the simulated execution unit 2101, matching unit 2103, identification unit 2104, preprocessing unit 2105, program structure construction unit 2106, program execution path solving unit 2107, constant value analysis unit 2108, risk level assessment unit 2109 and malicious behavior reporting unit 2111 may each be implemented by a central processing unit (CPU), digital signal processor (DSP) or field programmable gate array (FPGA) in the server 21;

the detection rule storage unit 2102 and the detection result storage unit 2110 may each be implemented by memory in the server 21, and the two may be implemented by the same memory or by different memories in the server 21.
FIG. 3 is a schematic flow diagram of detecting malicious behavior of Android software according to an embodiment of the invention. Taking the software under test to be hippoSMS as an example, and as shown in FIG. 3, the flow includes the following steps:

Step 301: the server receives the software under test uploaded by the client and preprocesses it.

In this step, the user uploads the installation package hippoSMS.apk of the software under test hippoSMS to the server through the client UI. The server unpacks the installation package with an archive tool, extracts the bytecode file (with the .dex suffix) from it, and runs a disassembler on the bytecode file to output the program code.

The archive tool may be WinRAR or apktool, and the disassembler may be IDA Pro (Interactive Disassembler Professional).

Step 302: the server constructs the program structure from the disassembled program code and solves the program execution paths.

In this step, the server constructs the program structure from the disassembled program code. The program structure includes: instruction structures, basic block structures, function structures, class structures, the function call graph, control flow graphs and the string table. The program execution paths are then solved from this program structure.
In this step, suppose the program execution path is solved for the following code segment 1:

Code segment 1
1: new-instance v0, <t: Thread>
2: new-instance v1, <t: Download$myThread>
3: invoke-direct {v1, this}, <void Download$myThread.<init>(ref)>
4: invoke-direct {v0, v1}, <void Thread.<init>(ref)>
5: invoke-virtual {v0}, <void Thread.start()>

The server then proceeds as follows:

it finds that the instruction on line 1 of the code segment creates a thread object, and marks the class name of v0 as Thread;

it finds that the instruction on line 2 creates an object of a user-defined class, and marks the class name of v1 as Download$myThread;

it finds that the instruction on line 3 is a function call instruction whose callee is not a thread start function, a virtual function or an interface function, so it looks up the callee directly in the function call graph, records the connection between the current function and the callee, and enters the callee to continue solving the program execution path;

it finds that the instruction on line 4 is a system function call instruction and that the function is a thread initialization function whose initialization parameter has the class name Download$myThread, so it binds the v1 object to the v0 object, marks the class name of the v0 object as that of the v1 object, Download$myThread, and continues downward to look for the run function of Download$myThread;

it finds that the instruction on line 5 is a thread start function call instruction and that the class name of the v0 parameter is Download$myThread, so it continues to look for the run function of Download$myThread, changes the callee name from Thread.start to Download$myThread.run, and solves the program execution path for the function Download$myThread.run.
Step 303: the server analyzes the instructions on the program execution path and, when an instruction introduces a constant value, records the introduced constant value and propagates it downward along the program execution path.

Suppose the instructions on the program execution path are the following code segment 2:

Code segment 2
1: const-string v7, a8
2: const-string v6, a1066156686
3: const-string v5, aData_0
4: const-string v4, empty_str
5: invoke-virtual {this, v6, v7, v4, this}, <void MessageService.sendsms(ref, ref, ref, ref)>

The server then proceeds as follows:

it finds that the instruction on line 1 introduces a constant value: it defines v7 as the string constant a8, where a8 is a fixed string, so the constant is introduced in the form of a string. Using a8 as the index, it looks up the value of the fixed string a8 in the fixed string table, which is 8; it marks the variable v7 as being in the constant state and records the value of v7 as 8;

it finds that the instructions on lines 2 to 4 also introduce constant values in the form of strings; using the string symbols assigned to v6, v5 and v4 as indexes, it looks up the corresponding string values in the fixed string table, marks v6, v5 and v4 as being in the constant state and records the corresponding string values: the value of v6 is 1066156686, the value of v5 is data, and the value of v4 is the empty string;

it finds that the instruction on line 5 is a function call instruction, so it passes the values of the actual arguments this, v6, v7, v4 and this to the callee MessageService.sendsms, initializes the corresponding formal parameters this, p0, p1, p2 and p3 of MessageService.sendsms to the values of the actual arguments passed in, and goes on to analyze the instructions inside MessageService.sendsms.
If the instructions inside the function MessageService.sendsms are as shown in code segment 3 below,

Code segment 3
1: const/4 v2, 0
2: move-object v1, p0
3: move-object v3, p1
4: invoke-virtual/range {v0..v5}, <void SmsManager.sendTextMessage(ref, ref, ref, ref, ref)>

the server proceeds as follows:

it finds that the instruction on line 1 introduces a constant value in the form of an immediate: it loads the immediate 0 into the variable v2, so it marks v2 as being in the constant state and records its value as the immediate 0;

it finds that the instruction on line 2 introduces a constant value into the variable v1 from an operand: it moves the value of the formal parameter p0 into v1. In code segment 2 the actual argument corresponding to p0 is the string in v6, and v6 was assigned 1066156686, so the value of p0 is 1066156686, the value of the string in v6. From the semantics of the instruction it marks v1 as being in the constant state and records its value as the constant 1066156686;

it finds that the instruction on line 3 introduces a constant value into the variable v3 from an operand: it moves the value of the formal parameter p1 into v3. In code segment 2 the actual argument corresponding to p1 is the string in v7, and v7 was assigned 8, so the value of p1 is 8, the value of the string in v7. From the semantics of the instruction it marks v3 as being in the constant state and records its value as the constant 8;

it finds that the instruction on line 4 is a system function call instruction. Since the callee SmsManager.sendTextMessage is a library function, the analysis cannot descend into it, and processing continues with step 304.
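The thread redirection of code segment 1 and the constant propagation of code segments 2 and 3 can be reproduced in a small path walker. The following is an added example, not code from the patent or from the applicants' analyzer: it treats the three code segments as one constructed program, resolves Thread.start into Download$myThread.run by tracking the class name of each register, copies constants from the actual arguments into the callee's formal parameters p0, p1, ..., and records the concrete argument list at the point where a library function (SmsManager.sendTextMessage) is reached and the walk cannot descend further. The string table, the placement of code segment 2 in Download$myThread.run, and the entry method name Download.startDownload are assumptions made for the example.

```python
import re

# Constructed string table (IDA-style symbol -> literal), standing in for the fixed string
# table that the analyzer builds from the dex string pool in step 302.
STRING_TABLE = {"a8": "8", "a1066156686": "1066156686", "aData_0": "data", "empty_str": ""}

# Constructed program, one entry per method, in the shape of code segments 1 to 3.
# Assumptions: code segment 1 sits in a method named Download.startDownload, and
# code segment 2 is the body of Download$myThread.run.
PROGRAM = {
    "Download.startDownload": [
        "new-instance v0, <t: Thread>",
        "new-instance v1, <t: Download$myThread>",
        "invoke-direct {v1, this}, <void Download$myThread.<init>(ref)>",
        "invoke-direct {v0, v1}, <void Thread.<init>(ref)>",
        "invoke-virtual {v0}, <void Thread.start()>",
    ],
    "Download$myThread.<init>": [],
    "Download$myThread.run": [
        "const-string v7, a8",
        "const-string v6, a1066156686",
        "const-string v5, aData_0",
        "const-string v4, empty_str",
        "invoke-virtual {this, v6, v7, v4, this}, <void MessageService.sendsms(ref, ref, ref, ref)>",
    ],
    "MessageService.sendsms": [
        "const/4 v2, 0",
        "move-object v1, p0",
        "move-object v3, p1",
        "invoke-virtual/range {v0..v5}, <void SmsManager.sendTextMessage(ref, ref, ref, ref, ref)>",
    ],
}

INVOKE_RE = re.compile(r"^invoke-[\w/]+\s*\{([^}]*)\},\s*<\S+\s+([\w$.<>]+)\(")
NEW_RE = re.compile(r"^new-instance\s+(\w+),\s*<t:\s*([\w$.]+)>")


def expand_regs(spec):
    """'v0..v5' (invoke/range form) or 'this, v6, v7' -> list of register names."""
    m = re.fullmatch(r"v(\d+)\.\.v(\d+)", spec.strip())
    if m:
        return [f"v{i}" for i in range(int(m.group(1)), int(m.group(2)) + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]


def run_method(name, env, types, trace, sinks, depth=0):
    """Walk one method; env holds constant values and types holds class names, per register."""
    if depth > 32:            # recursion guard for real call graphs
        return
    for ins in PROGRAM[name]:
        op, _, rest = ins.partition(" ")
        if op == "new-instance":
            reg, cls = NEW_RE.match(ins).groups()
            types[reg] = cls                                   # mark the register's class name
        elif op == "const-string":
            reg, sym = (x.strip() for x in rest.split(","))
            env[reg] = STRING_TABLE[sym]                       # constant introduced as a string
        elif op.startswith("const/"):
            reg, imm = (x.strip() for x in rest.split(","))
            env[reg] = int(imm)                                # constant introduced as an immediate
        elif op == "move-object":
            dst, src = (x.strip() for x in rest.split(","))
            env[dst] = env.get(src)                            # propagate the constant downward
            if src in types:
                types[dst] = types[src]
        elif op.startswith("invoke"):
            regspec, target = INVOKE_RE.match(ins).groups()
            regs = expand_regs(regspec)
            if target == "Thread.<init>":
                types[regs[0]] = types.get(regs[1], "Thread")  # bind the Thread to its Runnable
                continue
            if target == "Thread.start":
                target = f"{types[regs[0]]}.run"               # follow start() into run()
            trace.append(target)
            if target in PROGRAM:
                callee_env = {"this": env.get(regs[0])}        # actual -> formal: this, p0, p1, ...
                for i, r in enumerate(regs[1:]):
                    callee_env[f"p{i}"] = env.get(r)
                run_method(target, callee_env, {}, trace, sinks, depth + 1)
            else:
                sinks.append((target, [env.get(r) for r in regs]))  # library sink: keep the arguments


def analyze(entry):
    """Return (resolved call trace, [(library function, concrete argument list), ...])."""
    trace, sinks = [], []
    run_method(entry, {}, {}, trace, sinks)
    return trace, sinks


if __name__ == "__main__":
    trace, sinks = analyze("Download.startDownload")
    print(" -> ".join(trace))
    for target, args in sinks:
        print(target, args)
```

Run as a script it prints the resolved call chain and the single sink with its argument list. Registers that were never assigned on the path (the SmsManager receiver v0 and the two PendingIntent arguments) stay None, which is the practical caveat for step 305 below: the rule matching can only confirm a value that actually propagated as a constant, so a destination number assembled at run time or read from a resource reaches stage 1 (a sensitive call) but not stage 2.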
Step 304: the server matches the sensitive feature information of the function called by the software under test against the locally stored sensitive feature information.

In this embodiment the server maintains detection rules locally to hold the sensitive feature information and the malicious feature information; the sensitive and malicious feature information of the same dangerous function are described by a single detection rule written in XML (Extensible Markup Language). The detection rule for the function SmsManager.sendTextMessage can be written as follows:
Code segment 4
<Function>
  <FunName>sendTextMessage</FunName>
  <ClassName>SmsManager</ClassName>
  <ParaTypeList>SmsManager, String, String, String, PendingIntent, PendingIntent</ParaTypeList>
  <ParamSize>6</ParamSize>
  <KeyParamList>
    <KeyParam>
      <ParamPos>1</ParamPos>
      <ParamValue>^10[0-9]{3,18}$</ParamValue>
      <SinkType>SEND_SMS</SinkType>
    </KeyParam>
  </KeyParamList>
</Function>

The meanings of the fields are as follows:
<FunName>: matches functions whose name is sendTextMessage;

<ClassName>: matches functions whose class name is SmsManager;

<ParaTypeList>: the list of parameter types of the function in class SmsManager. After the receiver, the first three parameters are of type String and the last two are of a system-defined type (PendingIntent); the list matches functions whose first three parameters are strings;

<ParamSize>: matches functions with 6 parameters. For a non-static function the first parameter is the this pointer, so the count here includes the this pointer;

<KeyParamList>: matches the parameter information of one or more parameters; the matching rule for each parameter is given by a <KeyParam>;

<KeyParam>: the matching rule for one parameter;

<ParamPos>: the position of the parameter to be matched, counted from 0;

<ParamValue>: the value the parameter must match, with the features of the value described by a regular expression;

<SinkType>: the behavior type of the function.
In this step, when the server finds that the instruction on line 4 of code segment 3 is a function call instruction and the callee is a library function, it matches the callee's sensitive features against the sensitive feature information in the detection rule of code segment 4, where the sensitive feature information includes the function name, function class name, function parameter types and number of function parameters. The processing is as follows:

from the analysis of code segment 3 above, the callee's function name, function class name, parameter type and parameter count are sendTextMessage, SmsManager, String and 6 respectively, where, because the callee is a non-static function, the parameter count 6 includes the this pointer. This agrees with the description of the callee's sensitive feature information in the detection rule of code segment 4, so the function call is identified as sensitive behavior.

Step 305: the server matches the malicious feature information of the function called by the software under test against the locally stored malicious feature information.

The malicious feature information includes: function name and function parameter constant values.

After the call to the function SmsManager.sendTextMessage has been identified as sensitive behavior in step 304, the server proceeds in this step as follows:

it finds that the regular expression in the <ParamValue> field of the malicious feature information in the code segment 4 detection rule describes a string of length 5 to 20 that begins with the characters 10, and that the value of the first parameter of SmsManager.sendTextMessage other than the this pointer is 1066156686, which matches the regular expression; it therefore marks the function call as malicious behavior and, together with the <SinkType> description in the code segment, determines that the software under test is malware that sends SMS automatically.
Step 306: the server assesses the risk level of the malicious behavior, generates the detection result and reports it to the user through the client.

In this step, from the result of matching the malicious feature information in step 305, the generated detection result is:

Risk level: high;
Dangerous function name: sendTextMessage;
Dangerous function class name: SmsManager;
Name of the function containing the malicious behavior: sendsms;
Class of the function containing the malicious behavior: MessageService;
Malicious behavior type: malicious charging;
Malicious behavior description: sends an SMS to SP number 1066156686 to order a service.

The server sends the detection result to the client, and the client displays it through the UI to report it to the user.
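Steps 304 to 306 as one added Python example (not the patent's code): the detection rule of code segment 4 is parsed from XML, stage 1 checks the function name, class name, parameter types and parameter count including the this pointer, stage 2 applies the <ParamValue> regular expression to the constant found at <ParamPos>, and a rating table then turns the matched function name and constant into a risk level and a report with the fields listed in step 306. The call records, the rating table entries, the behavior descriptions keyed by <SinkType>, and the ordinary number 13800138000 are all constructed for the example; the page only states that a function-name-and-constant-to-level mapping exists, not its contents.

```python
import re
import xml.etree.ElementTree as ET

# Detection rule of code segment 4, as well-formed XML (embedded inline for the example).
RULE_XML = """<Function>
  <FunName>sendTextMessage</FunName>
  <ClassName>SmsManager</ClassName>
  <ParaTypeList>SmsManager, String, String, String, PendingIntent, PendingIntent</ParaTypeList>
  <ParamSize>6</ParamSize>
  <KeyParamList>
    <KeyParam>
      <ParamPos>1</ParamPos>
      <ParamValue>^10[0-9]{3,18}$</ParamValue>
      <SinkType>SEND_SMS</SinkType>
    </KeyParam>
  </KeyParamList>
</Function>"""

# Assumed rating rules: (function name, regex over the matched constant) -> risk level.
# The page only states that such a mapping exists; these entries are illustrative.
RISK_TABLE = [
    ("sendTextMessage", r"^10[0-9]{3,18}$", "high"),   # SMS to an SP short code
    ("sendTextMessage", r".*", "medium"),
]

# Assumed mapping from <SinkType> to the report's behavior type and description template.
SINK_INFO = {
    "SEND_SMS": ("malicious charging", "sends an SMS to SP number {value} to order a service"),
}


def parse_rule(xml_text):
    """Turn one <Function> rule into a dict; the <ParamValue> regex is compiled once here."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.findtext("FunName").strip(),
        "class": root.findtext("ClassName").strip(),
        "param_types": [t.strip() for t in root.findtext("ParaTypeList").split(",")],
        "param_size": int(root.findtext("ParamSize")),
        "key_params": [
            (int(kp.findtext("ParamPos")),
             re.compile(kp.findtext("ParamValue").strip()),
             kp.findtext("SinkType").strip())
            for kp in root.iter("KeyParam")
        ],
    }


def is_sensitive(rule, call):
    """Stage 1 (step 304): name, class, parameter types and count, this pointer included."""
    n = len(rule["param_types"])
    return (call["name"] == rule["name"]
            and call["class"] == rule["class"]
            and len(call["args"]) == rule["param_size"]
            and call["param_types"][:n] == rule["param_types"])


def malicious_match(rule, call):
    """Stage 2 (step 305): every key parameter must hold a constant matching its regex."""
    matched = []
    for pos, pattern, sink in rule["key_params"]:
        value = call["args"][pos] if pos < len(call["args"]) else None
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return None   # non-constant or non-matching argument: cannot be proven malicious
        matched.append((sink, value))
    return matched or None


def risk_level(func_name, value):
    for name, pattern, level in RISK_TABLE:
        if name == func_name and re.fullmatch(pattern, value):
            return level
    return "low"


def detect(rules, call):
    """None: not sensitive; 'sensitive': stage 1 only; dict: the step 306 detection result."""
    seen_sensitive = False
    for rule in rules:
        if not is_sensitive(rule, call):
            continue
        seen_sensitive = True
        matched = malicious_match(rule, call)
        if matched is None:
            continue
        sink, value = matched[0]
        behavior, template = SINK_INFO.get(sink, (sink, "calls with {value}"))
        caller_class, _, caller_name = call["caller"].rpartition(".")
        return {
            "risk_level": risk_level(rule["name"], value),
            "dangerous_function": rule["name"],
            "dangerous_class": rule["class"],
            "in_function": caller_name,
            "in_class": caller_class,
            "behavior_type": behavior,
            "description": template.format(value=value),
        }
    return "sensitive" if seen_sensitive else None


# Constructed call records, in the shape the constant propagation of step 303 produces
# (args[0] is the receiver; None marks a register that never became a constant).
SMS_TYPES = ["SmsManager", "String", "String", "String", "PendingIntent", "PendingIntent"]
PREMIUM_CALL = {"class": "SmsManager", "name": "sendTextMessage", "param_types": SMS_TYPES,
                "args": [None, "1066156686", None, "8", None, None],
                "caller": "MessageService.sendsms"}
ORDINARY_CALL = dict(PREMIUM_CALL, args=[None, "13800138000", None, "hi", None, None])
LOG_CALL = {"class": "Log", "name": "d", "param_types": ["String", "String"],
            "args": ["tag", "msg"], "caller": "Download$myThread.run"}

RULES = [parse_rule(RULE_XML)]

if __name__ == "__main__":
    for call in (PREMIUM_CALL, ORDINARY_CALL, LOG_CALL):
        print(call["class"] + "." + call["name"], "->", detect(RULES, call))
```

The three constructed calls exercise the three outcomes: the SP number passes both stages and yields the step 306 report, the ordinary number is a sensitive but not malicious call, and the logging call matches no rule at all. Note that stage 2 refuses to match a None argument, so a rule never fires on a number the propagation could not resolve to a constant.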
The foregoing are merely preferred embodiments of the invention and are not intended to limit its scope of protection.

Industrial Applicability

In the embodiments of the invention, the software under test is executed in simulation, and the sensitive feature information and malicious feature information of the functions it calls are matched in turn against pre-stored sensitive feature information and malicious feature information; if both match, the function call is determined to be malicious behavior. Applying the technical solution of these embodiments avoids the detection lag of existing Android malware detection techniques, and also avoids the problem that software cannot be determined to be malware because the trigger conditions of its malicious behavior are complex.

Claims
1. A method for detecting malicious behavior of Android software, the method comprising:

simulating execution of software under test, and identifying as sensitive behavior the behavior of any function called by the software under test whose sensitive feature information matches pre-stored sensitive feature information;

identifying as malicious behavior any sensitive behavior in which the malicious feature information of the called function matches pre-stored malicious feature information.

2. The method according to claim 1, wherein

the sensitive feature information comprises: function name, function class name, function parameter types and number of function parameters;

the malicious feature information comprises: function name and function parameter constant values.

3. The method according to claim 1, wherein, before simulating execution of the software under test, the method further comprises:

disassembling the bytecode file in the installation package of the software under test, and constructing a program structure and solving program execution paths from the disassembled program code.

4. The method according to claim 3, wherein the method further comprises:

analyzing the instructions on the program execution path and, when an instruction introduces a constant value, recording the introduced constant value and propagating it downward along the program execution path.

5. The method according to claim 1, 2, 3 or 4, wherein the method further comprises: determining the risk level of the malicious behavior from the function name and function parameter constant values of the function called in the malicious behavior, together with a pre-stored mapping from function name and function parameter constant values to risk level.

6. The method according to claim 5, wherein, after simulated execution of the software under test is complete, the method further comprises:

generating a detection result according to the risk level of the malicious behavior, and reporting the detection result to the user through a client user interface (UI).
7、 一种服务器, 所述服务器包括模拟执行单元, 检测规则存储单元、 标识单元和匹配单元; 其中, 7. A server, the server includes a simulation execution unit, a detection rule storage unit, an identification unit and a matching unit; wherein,
所述模拟执行单元, 配置为模拟执行待检测软件; The simulation execution unit is configured to simulate execution of the software to be tested;
所述检测规则存储单元, 配置为存储敏感特征信息和恶意特征信息; 所述匹配单元, 配置为在所述模拟执行单元调用函数时, 将被调用函 数的敏感特征信息与检测规则存储单元中的敏感特征信息进行匹配; 将被 调用函数的恶意特征信息与检测规则存储单元中的恶意特征信息进行匹 配, 所述被调用函数为所述标识单元标识的敏感行为中的被调用函数; 所述标识单元, 配置为在所述匹配单元匹配敏感特征信息成功时, 将 调用敏感特征信息匹配成功的函数的行为标识为敏感行为; 在所述匹配单 元匹配恶意特征信息成功时, 将调用恶意特征信息匹配成功的敏感行为标 识为恶意行为。 The detection rule storage unit is configured to store sensitive feature information and malicious feature information; the matching unit is configured to, when the simulation execution unit calls a function, compare the sensitive feature information of the called function with the value in the detection rule storage unit Match the sensitive feature information; Match the malicious feature information of the called function with the malicious feature information in the detection rule storage unit, where the called function is the called function in the sensitive behavior identified by the identification unit; the identification unit, configured to identify the behavior of calling a function that successfully matches the sensitive feature information as a sensitive behavior when the matching unit successfully matches the sensitive feature information; when the matching unit successfully matches the malicious feature information, calls the malicious feature information to match Successful sensitive actions are identified as malicious actions.
8、 根据权利要求 7所述的服务器, 其中, 8. The server according to claim 7, wherein,
所述敏感特征信息包括: 函数名、 函数类名、 函数参数类型和函数参 数个数; The sensitive feature information includes: function name, function class name, function parameter type and number of function parameters;
所述恶意特征信息包括: 函数名、 函数参数常量值。 The malicious characteristic information includes: function name, function parameter constant value.
9. The server according to claim 7, wherein the server further includes: 编;
a program structure construction unit configured to construct a program structure from the program code after the preprocessing unit has disassembled the program code from the bytecode file;
a program execution path solving unit configured to solve the program execution path from the program structure after the program structure construction unit has constructed it.
10. The server according to claim 9, wherein
the simulated execution unit is further configured to analyze, in order, the instructions on the program execution path solved by the program execution path solving unit;
the server further includes a constant value analysis unit configured to, when the simulated execution unit determines that an instruction on the program execution path is a constant-introducing instruction, record the introduced constant value and propagate it forward along the program execution path.
11. The server according to claim 7, 8, 9 or 10, wherein the server further includes:
a risk level assessment unit configured to determine the risk level of the malicious behavior from the function name and function parameter constant value of the function called in the malicious behavior, together with a pre-stored mapping from function name and function parameter constant value to risk level.
12. The server according to claim 11, further including a detection result storage unit and a malicious behavior reporting unit; wherein
the risk level assessment unit is further configured to generate a detection result from the risk level of the malicious behavior;
the detection result storage unit is configured to store the detection result generated by the risk level assessment unit;
the malicious behavior reporting unit is configured to report the detection result stored by the detection result storage unit to the user through the client UI after the simulated execution unit has finished simulating execution of the software to be detected.
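Claims 7 to 12 describe one pipeline: walk the solved execution path in order, record constants introduced by constant instructions and propagate them along the path, match each call's class name, function name, parameter types and parameter count against the sensitive rules, then match the function name plus a constant argument value against the malicious rules, and map the hit to a risk level for the report. The Python below is an added example written for this page to make that two-stage logic concrete; it is not the patent's code. The Dalvik-like instruction model, the rule tables and the sample path are constructed assumptions, and the phone number and URL in them are placeholders rather than real indicators.

```python
"""Two-stage call matching with constant propagation over one execution path.
Added example for claims 7-12 of WO2014048195A1, not the patent's own code; the
instruction model, rule tables and sample path are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Minimal Dalvik-like instruction model (assumed; a real tool would decode the
# smali that the preprocessing unit disassembles from classes.dex).
@dataclass(frozen=True)
class Const:      # const / const-string vX, value: constant introduction
    reg: str
    value: str

@dataclass(frozen=True)
class Move:       # move / move-object vDst, vSrc: constant propagation
    dst: str
    src: str

@dataclass(frozen=True)
class Result:     # move-result* vX: runtime value, no longer a known constant
    reg: str

@dataclass(frozen=True)
class Invoke:     # invoke-* {args}, Lclass;->name(param types); receiver omitted
    class_name: str
    func_name: str
    param_types: tuple
    arg_regs: tuple

STR, PI = "Ljava/lang/String;", "Landroid/app/PendingIntent;"
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Claim 8: sensitive feature = (class name, function name, parameter types);
# the parameter count is implied by the length of the type tuple.
SENSITIVE_RULES = frozenset({
    ("Landroid/telephony/SmsManager;", "sendTextMessage", (STR, STR, STR, PI, PI)),
    ("Ljava/net/URL;", "<init>", (STR,)),
})
# Claims 8 and 11: (function name, parameter constant value) -> risk level.
# Constructed values; "12345" and the URL are placeholders, not real indicators.
MALICIOUS_RULES = {
    ("sendTextMessage", "12345"): "high",
    ("<init>", "http://c2.example.invalid/"): "medium",
}

@dataclass
class Behavior:
    class_name: str
    func_name: str
    args: tuple                          # constant per argument, None when unknown
    matched_const: Optional[str] = None  # set only when the behavior is malicious
    risk_level: Optional[str] = None     # None means sensitive but not malicious

def analyze_path(path, sensitive=SENSITIVE_RULES, malicious=MALICIOUS_RULES):
    """Walk one execution path in order: propagate constants, then match each call."""
    regs = {}            # register -> constant known at this point of the path
    behaviors = []
    for insn in path:
        if isinstance(insn, Const):
            regs[insn.reg] = insn.value
        elif isinstance(insn, Move):
            regs[insn.dst] = regs.get(insn.src)
        elif isinstance(insn, Result):
            regs.pop(insn.reg, None)     # produced at runtime: unknown to the static walk
        elif isinstance(insn, Invoke):
            # Stage 1: sensitive match on class, name, parameter types and count.
            if (insn.class_name, insn.func_name, tuple(insn.param_types)) not in sensitive:
                continue
            b = Behavior(insn.class_name, insn.func_name,
                         tuple(regs.get(r) for r in insn.arg_regs))
            # Stage 2: malicious match, applied to sensitive behaviors only.
            for value in b.args:
                level = malicious.get((insn.func_name, value))
                if level is not None:
                    b.matched_const, b.risk_level = value, level
                    break
            behaviors.append(b)
    return behaviors

def summarize(behaviors):
    """Detection result for the report: counts plus the highest risk level seen."""
    levels = [b.risk_level for b in behaviors if b.risk_level is not None]
    return {"sensitive": len(behaviors), "malicious": len(levels),
            "highest_risk": max(levels, key=RISK_ORDER.get, default=None)}

# Constructed sample path, shaped like a premium-SMS sample's method body.
SAMPLE_PATH = [
    Const("v0", "12345"),
    Const("v1", "SUBSCRIBE"),
    Move("v2", "v0"),                                     # constant flows v0 -> v2
    Invoke("Landroid/telephony/SmsManager;", "sendTextMessage",
           (STR, STR, STR, PI, PI), ("v2", "v3", "v1", "v4", "v5")),
    Const("v0", "http://c2.example.invalid/"),
    Invoke("Ljava/net/URL;", "<init>", (STR,), ("v0",)),
    Invoke("Landroid/content/SharedPreferences;", "getString", (STR, STR), ("v1", "v1")),
    Result("v0"),                                         # v0 now holds a runtime value
    Invoke("Ljava/net/URL;", "<init>", (STR,), ("v0",)),  # sensitive, no constant: not malicious
]

if __name__ == "__main__":
    print(summarize(analyze_path(SAMPLE_PATH)))
```

The last call on the sample path is the caveat worth noticing: once a register is overwritten by a runtime value (here the `move-result-object` after `getString`), the walk no longer knows its constant, so the `URL.<init>` call is reported as sensitive but not malicious even if the string it receives at run time is the same C2 address. Rules keyed on constants only catch what the path introduces as a literal; anything decrypted or fetched at run time needs the dynamic side of the detection.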
13. An Android software malicious behavior detection system, the system including a client and a server; wherein
the client is configured to let the user upload the installation package of the software to be detected to the server through a UI running on the client, and to receive the detection result sent by the server and report it to the user through the UI;
the server is configured to identify, as a sensitive behavior, the behavior of the software to be detected calling a function whose sensitive feature information matches pre-stored sensitive feature information, and to identify, as a malicious behavior, a sensitive behavior in which the malicious feature information of the called function matches pre-stored malicious feature information.
14. The system according to claim 13, wherein the server is the server according to any one of claims 7 to 12.
PCT/CN2013/082163 2012-09-29 2013-08-23 Android software malicious behavior detection method, system and device WO2014048195A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210376038.X 2012-09-29
CN201210376038.XA CN102945347B (en) 2012-09-29 2012-09-29 A kind of method, system and equipment detecting Android malware

Publications (1)

Publication Number Publication Date
WO2014048195A1 true WO2014048195A1 (en) 2014-04-03

Family

ID=47728288

Country Status (2)

Country Link
CN (1) CN102945347B (en)
WO (1) WO2014048195A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106663172A (en) * 2014-07-23 2017-05-10 高通股份有限公司 Methods and systems for detecting malware and attacks that target behavioral security mechanisms of a mobile device

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014048194A1 (en) * 2012-09-29 2014-04-03 中兴通讯股份有限公司 Android malicious application program detection method, system and device
CN102945347B (en) * 2012-09-29 2016-02-24 中兴通讯股份有限公司 A kind of method, system and equipment detecting Android malware
US9058494B2 (en) * 2013-03-15 2015-06-16 Intel Corporation Method, apparatus, system, and computer readable medium to provide secure operation
CN103246846A (en) * 2013-04-24 2013-08-14 北京网秦天下科技有限公司 Method and device for detecting safety of customized ROM (read only memory)
CN103473507B (en) * 2013-09-25 2016-03-30 西安交通大学 A kind of Android malicious code detecting method
CN103473509A (en) * 2013-09-30 2013-12-25 清华大学 Android platform malware automatic detecting method
CN103685251B (en) * 2013-12-04 2016-08-17 电子科技大学 A kind of Android malware detection platform towards mobile Internet
CN103701800A (en) * 2013-12-25 2014-04-02 贝壳网际(北京)安全技术有限公司 Cookie processing method, cookie processing device, browser and client
CN104899505A (en) * 2014-03-07 2015-09-09 北京奇虎科技有限公司 Software detection method and software detection device
CN104079673B (en) * 2014-07-30 2018-12-07 北京奇虎科技有限公司 A kind of methods, devices and systems for preventing DNS from kidnapping in application downloading
CN104268473B (en) * 2014-09-23 2017-05-24 龙芯中科技术有限公司 Method and device for detecting application programs
CN105989294B (en) * 2015-02-17 2019-02-26 华为技术有限公司 Android installation kit detection method and device
CN106156630A (en) * 2015-04-23 2016-11-23 阿里巴巴集团控股有限公司 The leak detection method of a kind of application program installation kit and device
CN104978527B (en) * 2015-07-30 2017-12-08 深圳数字电视国家工程实验室股份有限公司 A kind of method and device of calculation procedure section
CN106778261A (en) * 2015-11-20 2017-05-31 中兴通讯股份有限公司 The treating method and apparatus of camouflage applications
CN106815524B (en) * 2015-11-27 2020-05-15 阿里巴巴集团控股有限公司 Malicious script file detection method and device
CN105404583B (en) * 2015-12-04 2017-10-20 中科信息安全共性技术国家工程研究中心有限公司 The quick detection of APK a kind of and the method for improving unit resource utilization rate
CN105740706B (en) * 2015-12-25 2019-05-07 哈尔滨安天科技股份有限公司 Heuristic sample testing method and system based on API Name and immediate
CN106940775B (en) * 2016-01-04 2020-07-14 阿里巴巴集团控股有限公司 Vulnerability detection method and device for application program
CN108062472A (en) * 2016-11-07 2018-05-22 武汉安天信息技术有限责任公司 The detection method and system of application are extorted under a kind of Android platform
CN107016286B (en) * 2016-12-30 2019-09-24 深圳市安之天信息技术有限公司 A kind of malicious code randomization recognition methods and system based on random-tracking
CN109214179B (en) * 2017-06-30 2021-04-27 武汉斗鱼网络科技有限公司 Program module security detection method and device
CN107577944A (en) * 2017-09-08 2018-01-12 杭州安恒信息技术有限公司 Website malicious code detecting method and device based on code syntax analyzer
CN108040064A (en) * 2017-12-22 2018-05-15 北京知道创宇信息技术有限公司 Data transmission method, device, electronic equipment and storage medium
CN108875361A (en) * 2017-12-28 2018-11-23 北京安天网络安全技术有限公司 A kind of method, apparatus of monitoring programme, electronic equipment and storage medium
CN108491722A (en) * 2018-03-30 2018-09-04 广州汇智通信技术有限公司 A kind of malware detection method and system
CN108959092B (en) * 2018-07-09 2022-03-18 中国联合网络通信集团有限公司 Software behavior analysis method and system
CN109101815B (en) * 2018-07-27 2023-04-07 平安科技(深圳)有限公司 Malicious software detection method and related equipment
CN109815701B (en) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Software security detection method, client, system and storage medium
CN110362995B (en) * 2019-05-31 2022-12-02 电子科技大学成都学院 Malicious software detection and analysis system based on reverse direction and machine learning
CN111078234B (en) * 2019-12-06 2023-06-02 广州微算互联信息技术有限公司 Method, system, device and storage medium for dynamically limiting installation and uninstallation of Android system of cloud mobile phone
CN111597552B (en) * 2020-04-15 2023-11-10 深圳市捷顺科技实业股份有限公司 Code scanning method and terminal equipment
CN113222053B (en) * 2021-05-28 2022-03-15 广州大学 Malicious software family classification method, system and medium based on RGB image and Stacking multi-model fusion
CN113434872A (en) * 2021-08-27 2021-09-24 迅管(深圳)科技有限公司 Database security system capable of recognizing and defending against malicious programs
CN116451229B (en) * 2023-06-14 2023-09-12 北京长亭科技有限公司 Malicious software detection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359352A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 API use action discovering and malice deciding method after confusion of multi-tier synergism
US20110047620A1 (en) * 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for server-coupled malware prevention
CN102012988A (en) * 2010-12-02 2011-04-13 张平 Automatic binary unwanted code behavior analysis method
CN102110220A (en) * 2011-02-14 2011-06-29 宇龙计算机通信科技(深圳)有限公司 Application program monitoring method and device
CN102945347A (en) * 2012-09-29 2013-02-27 中兴通讯股份有限公司 Method, system and device for detecting Android malicious software

Also Published As

Publication number Publication date
CN102945347A (en) 2013-02-27
CN102945347B (en) 2016-02-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13841220; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13841220; Country of ref document: EP; Kind code of ref document: A1)