Embodiment
The security protection system and method based on program behavior provided by the invention are described in detail below with reference to the drawings and specific embodiments.
In the following description a number of different aspects of the present invention are described; those skilled in the art, however, may implement the present invention using only some of the described architecture or flow, or all of it. For the sake of explanation, specific numbers, configurations and orderings are set forth, but it is clear that the present invention can also be implemented without these specific details. In other cases, certain well-known features are not described in detail so as not to obscure the present invention.
In general, as shown in Figure 1, the security protection system for a mobile device based on program behavior provided by the invention comprises a terminal device 100 and a server 200. The server comprises a receiver module 201, which receives a program from the terminal device 100, or from the source from which the terminal device intends to download that program.
The terminal device 100 is a device that interacts with an operator's equipment or with an application server via a communications facility. A terminal device is usually placed wherever it is convenient to use the communications facility to connect to and work with the server; it mainly consists of a communication interface control device combined with dedicated or selected input/output units, and a mobile terminal device is not bound to a region, which makes it more flexible. Terminal devices of the present invention include, but are not limited to, mobile communication devices (such as cell phones and smart phones) and portable entertainment devices (such as Apple's iPad, Samsung's Galaxy and Sony's PS series), and the like.
The terminal device 100 of the present application has a receiving port and a transmit port: the receiving port receives a software program from an application server, and the transmit port sends the received software program to the server 200. The application server here includes, but is not limited to, an application server that offers software downloads, a carrier server, a session server that holds a session with the terminal device, an application server that provides remote support to the terminal device, and other types of static and dynamic servers.
In general, as shown in Figure 1, the server 200 of the present application comprises a receiver module 201, a distribution module 202, a detection module 203, a comparison module 204 and a report generation module 205. The receiver module 201 receives the software program or other file sent from the terminal device 100; the distribution module 202 distributes the received software program or other file to one of the simulators in the "cloud" made up of processors; the detection module 203 detects the behavior of the software program or other file running in the sandbox model on the server 200; the comparison module 204 compares the behavior observed during execution of the software program or other file with the behavior library in the server 200 to find out whether it is an already-known behavior, and also directly compares the received software program or other software statically against the software in the behavior library; the report generation module 205 evaluates, from the behavior the software program or other file performed in the sandbox model, how benign or harmful it is, and provides an analysis report to the terminal device 100.
Further, the structure and specific operation of the security protection system are described in detail with reference to Figure 1. After the terminal device 100 receives, actively or passively, an installation file or executable file from the above application server, it may automatically send the received file to the server 200 of the present application, or the user may manually send the received file to the server 200, depending on how familiar the user is with the file and how much it is trusted. For a mobile phone user running the Android operating system, when a .apk file, an executable .exe file or any other file is received, the file is sent automatically or manually to the server 200 of the present application; until the analysis report with feedback information has been received from the server 200, the file is not run, and any attempt by the file to run itself is denied.
The receiver module 201 receives the software program or other file sent from the terminal device 100. The receiver module 201 uses a polling mechanism or a listening mechanism to collect the information sent by the terminal device 100, associates the received file or program with that terminal device 100, and obtains the device information of the terminal device 100.
The distribution module 202 distributes the received software program or other file to one of the simulators in the "cloud" made up of processors. The server 200 of the present application performs multitasking, multi-user work; the software simulation execution environment it sets up comprises a cloud made up of a plurality of processors, and received software programs are distributed according to how idle the processors in the cloud are. Such a simulation execution environment comprises virtual machines, simulators and sandbox models: the virtual machine emulates the terminal device, the simulator simulates the operation of the received software or executable file, and the sandbox records the execution process and the result of the executable file.
The detection module 203 detects the behavior of the software program or other file running in the sandbox model on the server 200. Virtual execution of the malware is carried out on the server 200 side: the software with malicious behavior is installed in the virtual execution environment, the sandbox of the virtual execution environment is generated, and the behavior and trace information of the software are obtained. Specifically, the software is run on a virtual machine and each of its operating steps is executed one at a time. During the execution of each operating step, the output data of the sandbox and the memory locations the software intends to access are monitored, and control points are set at sensitive locations and at the locations of sensitive files. When the software's execution intends to access these locations or to read these files, the control point is triggered automatically, reports the behavior to the detection module 203, and sends the read operation and the memory location to the report generation module 205.
For example, for a commonly used mobile phone the monitored behaviors include: sending SMS and MMS messages; accessing the phone book on the phone or on the SIM card; creating network connections (GPRS, EDGE, 3G, etc.); accessing Bluetooth; accessing infrared; accessing the WLAN (wireless local area network); accessing the GPS terminal; accessing the motion sensor; accessing the camera; accessing the microphone; and accessing other sensitive data.
In addition, the degree of harm of a specific action can be defined according to the behavior performed by the installed software during installation and after installation. Taking the sending of SMS messages from a mobile phone as an example, the following actions can be considered potentially harmful: secretly sending SMS messages in the background; sending SMS messages to people outside the phone book; sending SMS messages to the numbers of value-added service providers; sending SMS messages to all contacts in the phone book; sending SMS messages at a very high frequency; and sending SMS messages between 11:00 at night and 6:00 in the morning.
The monitoring activities performed for a mobile phone terminal device are listed below; these behaviors are classified as key monitoring behaviors and dangerous behaviors:
1) Query address book
2) Insert contact
3) Delete contact
4) Update contact
5) Send DataSMS to XXXXXXX: send a data message to XXXXXXX
6) Send SMS to XXXXXXX Context:MMMMMM: send an SMS message to XXXXXXX with content MMMMMM
7) Query IMSI number
8) Query telephone number
9) Query IMEI number
10) Query SIM number
11) Http connection
12) Define URL:XXXXXXXX: define URL link address XXXXXXXX
13) Define URI:XXXXXXXX: define URI link address XXXXXXXX
14) (An XXXX beginning with "file" is a system file address, and one beginning with "http" is a network address; a program that starts up can define a file address, and one that accesses the network can define an http address)
15) URL connection
16) Http Client accesses network
17) Open Bluetooth
18) Open Camera Preview: open the camera preview
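As an added illustration that is not part of the patent, the following Python parser turns trace lines written in the formats of the list above into structured events and applies the file/http address distinction of item 14. The event kind names, the summary layout, the placeholder addresses and the sample trace are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line formats follow the monitored-behaviour list above. The event kind names and
# the treatment of the remaining lines as plain keyword events are my own choices.
_SMS = re.compile(r"^Send SMS to (?P<number>\S+) Context:(?P<content>.*)$")
_DATA_SMS = re.compile(r"^Send DataSMS to (?P<number>\S+)$")
_DEFINE = re.compile(r"^Define (?P<kind>URL|URI):(?P<target>\S+)$")
_CAMERA = "Open Camera Preview"

@dataclass
class TraceEvent:
    kind: str                            # send_sms, send_data_sms, define_url, define_uri, ...
    raw: str                             # the original trace line
    number: Optional[str] = None         # SMS destination
    content: Optional[str] = None        # SMS body
    target: Optional[str] = None         # address the program defined
    address_class: Optional[str] = None  # "file", "network" or "other" (item 14 above)

def classify_address(target: str) -> str:
    """Item 14: a 'file' prefix is a system file address, an 'http' prefix a network address."""
    low = target.lower()
    if low.startswith("file"):
        return "file"
    if low.startswith("http"):
        return "network"
    return "other"

def parse_line(line: str) -> TraceEvent:
    line = line.strip()
    m = _SMS.match(line)
    if m:
        return TraceEvent("send_sms", line, number=m["number"], content=m["content"])
    m = _DATA_SMS.match(line)
    if m:
        return TraceEvent("send_data_sms", line, number=m["number"])
    m = _DEFINE.match(line)
    if m:
        return TraceEvent("define_" + m["kind"].lower(), line, target=m["target"],
                          address_class=classify_address(m["target"]))
    if line == _CAMERA:
        return TraceEvent("open_camera_preview", line)
    return TraceEvent("keyword", line)   # e.g. "Query address book", "Open Bluetooth"

def parse_trace(text: str) -> List[TraceEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def summarize(events: List[TraceEvent]) -> dict:
    """Per-kind counts plus the addresses and SMS destinations a report would list first."""
    summary = {"counts": {}, "network_targets": [], "file_targets": [], "sms_numbers": []}
    for e in events:
        summary["counts"][e.kind] = summary["counts"].get(e.kind, 0) + 1
        if e.address_class == "network":
            summary["network_targets"].append(e.target)
        elif e.address_class == "file":
            summary["file_targets"].append(e.target)
        if e.number:
            summary["sms_numbers"].append(e.number)
    return summary

# Constructed sample trace: the addresses are placeholders, the numbers are the page's examples.
SAMPLE_TRACE = """\
Query address book
Define URL:http://example.invalid/upload
Define URI:file:///data/data/com.example.app/shared_prefs/prefs.xml
Send SMS to 10086 Context:MMMMMM
Send DataSMS to 1066907703
Http Client accesses network
Open Camera Preview
"""
```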
The report generation module 205 evaluates, according to the behavior performed by the software program or other file in the sandbox model, how benign or harmful the software program or other file is, and provides an analysis report to the terminal device. The executed behaviors and trace information obtained by the above detection module are analyzed, and these behaviors and this information are evaluated according to an objective degree of harm; according to the evaluation score, it is judged whether the software is malware. In particular, a Bayesian decision system can be used to analyze the behaviors and action sequences, give a safety rating for the behavior, and judge whether the software is malware.
An effective protection scheme can also be provided according to the degree of harm. Prevention of harmful behavior can be implemented in two ways: a policy-based system and an expert system. In the policy-based system, the administrator can define which behaviors are forbidden and which are allowed. Taking SMS as an example, the following rules can be defined: whether sending SMS messages to value-added service providers is allowed; whether sending SMS messages in the background is allowed; or others. In the expert system, expert knowledge and domain knowledge are used to judge malicious behavior, and each behavior is given a certain score (0-9, where a larger number represents greater danger). Taking SMS as an example, the following rules and scores are given: sending SMS messages at high frequency, e.g. 10 per minute: score 3; sending SMS messages to the number of a value-added service provider, such as 10086 or 1066907703: score 6; sending SMS messages to unknown people at a very high frequency: score 7; sending SMS messages to the number of a value-added service provider at a very high frequency: score 7; sending SMS messages at high frequency to the number of a value-added service provider between 11:00 at night and 6:00 in the morning: score 9.
For the order in which APIs are called, the following rule can be defined: if the APIs modify the registry, access the user's personal information, and establish a network connection, the software can be considered spyware that steals personal information. For access to the phone's hardware devices, the following order is defined: accessing the GPS function, accessing the motion sensor, and establishing a network connection; if this order is satisfied, the software can be considered location spyware.
Figure 2 illustrates the analysis report for the execution of an application sent by a mobile phone terminal device. After the phone user visits a network link, the link automatically sends a file or a further link to the terminal device; the terminal device sends this link to the server 200 of the present application, or downloads the file and then sends it to the server 200; the server 200 runs the file step by step locally and obtains the information about the file. In the figure, the right side shows the execution process, displaying power consumption parameters and access conditions and providing an execute button; the left side shows, for each operation performed at each step of the file, the links accessed and the information transmitted, and for larger generated technical files, these files can be logically integrated to generate a technical report.
Figure 3 illustrates the safety message produced. According to the technical report described for Figure 2, these behavioral features are analyzed, and according to the above objective comparison standard and degree of harm, a safety rating is given for the output file and reported back to the user of the terminal device. As shown in Figure 3, for the file executed in Figure 2, the degree of danger to which this software belongs is given according to the analysis of its technical report.
The comparison module 204 compares the behavior observed during execution of the detected software program or other file with the behavior library in the server, to find out whether it is an already-known behavior. The comparison module 204 also directly compares the received software program or other software statically against the software in the behavior library.
After the report generation module has produced a comprehensive analysis report for a file, the file can be saved; when a new file arrives later, before the detection that executes the file's operations, the file attributes of the new file are statically compared with the saved files, so as to improve operating efficiency.
In another embodiment of the present application, a security protection method for a mobile device based on program behavior is provided. The environment in which this method runs comprises a terminal device 100 and a server 200; the server comprises a receiver module 201, which receives the program from the terminal device, or from the source from which the terminal device intends to download that program.
The terminal device is a device that interacts with an operator's equipment or with an application server via a communications facility. A terminal device is usually placed wherever it is convenient to use the communications facility to connect to and work with the server; it mainly consists of a communication interface control device combined with dedicated or selected input/output units, and a mobile terminal device is not bound to a region, which makes it more flexible. Terminal devices of the present invention include, but are not limited to, mobile communication devices (such as cell phones and smart phones) and portable entertainment devices (such as Apple's iPad, Samsung's Galaxy and Sony's PS series), and the like.
The terminal device 100 has a receiving port and a transmit port: the receiving port receives a software program from an application server, and the transmit port sends the received software program to the server 200. The application server here includes, but is not limited to, an application server that offers software downloads, a carrier server, a session server that holds a session with the terminal device, an application server that provides remote support to the terminal device, and other types of static and dynamic servers.
In general, the method of the present application comprises: step 10), receiving a software program or other file sent from the terminal device; step 20), distributing the received software program or other file to one of the simulators in the "cloud" made up of processors; step 30), detecting the behavior of the software program or other file running in the sandbox model of the server; step 40), evaluating, according to the behavior performed by the software program or other file in the sandbox model, how benign or harmful the software program or other file is, and providing an analysis report to the terminal device. The method also comprises: comparing the behavior observed during execution of the detected software program or other file with the behavior library in the server to find out whether it is an already-known behavior, or directly comparing the received software program or other software statically against the software in the behavior library.
Further, the specific operation of the security protection method is described in detail with reference to Figure 1. After the terminal device 100 receives, actively or passively, an installation file or executable file from the above application server, it may automatically send the received file to the server 200 of the present application, or the user may manually send the received file to the server, depending on how familiar the user is with the file and how much it is trusted. For a mobile phone user running the Android operating system, when a .apk installation file, an executable file or any other file is received, the file is sent automatically or manually to the server of the present application; until the analysis report with feedback information has been received from the server, the file is not run, and any attempt by the file to run itself is denied.
In step 10), a polling mechanism or a listening mechanism is used to collect the information sent by the terminal device, the received file or program is associated with that terminal device 100, and the device information of the terminal device 100 is obtained.
In step 20), the received software program or other file is distributed to one of the simulators in the "cloud" made up of processors. The server of the present application performs multitasking, multi-user work; the software simulation execution environment it sets up comprises a cloud made up of a plurality of processors, and the distribution assigns the received software program to a processor according to how idle the processors in the cloud are. Such a simulation execution environment comprises virtual machines, simulators and sandbox models: the virtual machine emulates the terminal device, the simulator simulates the operation of the received software or executable file, and the sandbox records the execution process and the result of the executable file.
In step 30), the behavior of the software program or other file running in the sandbox model of the server is detected. Virtual execution of the malware is carried out on the server side: the software with malicious behavior is installed in the virtual execution environment, the sandbox of the virtual execution environment is generated, and the behavior and trace information of the software are obtained. Specifically, the software is run on a virtual machine and each of its operating steps is executed one at a time. During the execution of each operating step, the output data of the sandbox and the memory locations the software intends to access are monitored, and control points are set at sensitive locations and at the locations of sensitive files. When the software's execution intends to access these locations or to read these files, the control point is triggered automatically, reports the behavior to the detection module, and sends the read operation and the memory location to the report generation module.
For example, for a commonly used mobile phone the monitored behaviors include: sending SMS and MMS messages; accessing the phone book on the phone or on the SIM card; creating network connections (GPRS, EDGE, 3G, etc.); accessing Bluetooth; accessing infrared; accessing the WLAN (wireless local area network); accessing the GPS terminal; accessing the motion sensor; accessing the camera; accessing the microphone; or accessing other sensitive data.
In addition, the degree of harm of a specific action can be defined according to the behavior performed. Taking the sending of SMS messages from a mobile phone as an example, the following actions can be considered potentially harmful: secretly sending SMS messages in the background; sending SMS messages to people outside the phone book; sending SMS messages to the numbers of value-added service providers; sending SMS messages to all contacts in the phone book; sending SMS messages at a very high frequency; and sending SMS messages between 11:00 at night and 6:00 in the morning.
In step 40), according to the behavior performed by the software program or other file in the sandbox model, it is evaluated how benign or harmful the software program or other file is, and an analysis report is provided to the terminal device. The executed behaviors and trace information obtained by the above detection module are analyzed, and these behaviors and this information are evaluated according to an objective degree of harm; according to the evaluation score, it is judged whether the software is malware. In particular, a Bayesian decision system can be used to analyze the behaviors and action sequences, give a safety rating for the behavior, and judge whether the software is malware.
Further, an effective protection scheme can be provided according to the degree of harm. Prevention of harmful behavior can be implemented in two ways: a policy-based system and an expert system. In the policy-based system, the administrator can define which behaviors are forbidden and which are allowed. Taking SMS as an example, the following rules can be defined: whether sending SMS messages to value-added service providers is allowed, whether sending SMS messages in the background is allowed, or others. In the expert system, expert knowledge and domain knowledge are used to judge malicious behavior, and each behavior is given a certain score (0-9, where a larger number represents greater danger). Taking SMS as an example, the following rules and scores are given: sending SMS messages at high frequency, e.g. 10 per minute: score 3; sending SMS messages to the number of a value-added service provider, such as 10086 or 1066907703: score 6; sending SMS messages to unknown people at a very high frequency: score 7; sending SMS messages to the number of a value-added service provider at a very high frequency: score 7; sending SMS messages at high frequency to the number of a value-added service provider between 11:00 at night and 6:00 in the morning: score 9.
For the order in which APIs are called, the following rule can be defined: if the APIs modify the registry, access the user's personal information, and establish a network connection, the software can be considered spyware that steals personal information. For access to the phone's hardware devices, the following order is defined: accessing the GPS function, accessing the motion sensor, and establishing a network connection; if this order is satisfied, the software can be considered location spyware.
In addition, in step 50), after a comprehensive analysis report has been produced for a file, the file can be saved; when a new file arrives later, before the detection that executes the file's operations, the file attributes of the new file are statically compared with the saved files, so as to improve operating efficiency.
Finally, it should be noted that the above embodiments are only intended to describe the technical solution of the present invention and not to limit it. The present invention can be extended in application to other modifications, variations, applications and embodiments, and all such modifications, variations, applications and embodiments are therefore considered to be within the spirit and teachings of the present invention.
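The expert-system SMS scores and the API-call-order rules described above, for both the system and the method embodiments, can be implemented as follows. This is an added example, not code from the patent; the event structure, the API call labels, the one-second spacing of the constructed sample bursts and the treatment of "1066" as a value-added provider prefix are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Sequence

# Value-added service provider numbers named on the page: 10086 and 1066907703.
# Treating "1066" as a provider prefix is an assumption made for this example.
VALUE_ADDED_NUMBERS = {"10086"}
VALUE_ADDED_PREFIXES = ("1066",)
HIGH_FREQUENCY_PER_MINUTE = 10  # the page's example of high frequency: 10 per minute

@dataclass
class SmsEvent:
    number: str               # destination number
    sent_at: datetime         # time at which the sandbox observed the send
    background: bool = False  # sent without the user's knowledge

def burst(number: str, hhmm: str, count: int, background: bool = False) -> List[SmsEvent]:
    """Constructed sample input: `count` messages one second apart, starting at hhmm."""
    start = datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))
    return [SmsEvent(number, start + timedelta(seconds=i), background) for i in range(count)]

def is_value_added(number: str) -> bool:
    return number in VALUE_ADDED_NUMBERS or number.startswith(VALUE_ADDED_PREFIXES)

def is_night(t: datetime) -> bool:
    """23:00 to 06:00, the window the page singles out."""
    return t.hour >= 23 or t.hour < 6

def peak_rate_per_minute(events: Sequence[SmsEvent]) -> int:
    """Largest number of messages inside any sliding one-minute window."""
    times = sorted(e.sent_at for e in events)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] >= timedelta(minutes=1):
            start += 1
        best = max(best, end - start + 1)
    return best

def expert_sms_score(events: Sequence[SmsEvent], phonebook: Iterable[str]) -> int:
    """Expert-system score 0-9 (larger is more dangerous) from the page's SMS rules;
    the strongest matching rule decides the score."""
    if not events:
        return 0
    known = set(phonebook)
    high_freq = peak_rate_per_minute(events) >= HIGH_FREQUENCY_PER_MINUTE
    to_vas = any(is_value_added(e.number) for e in events)
    to_strangers = any(e.number not in known for e in events)
    vas_at_night = any(is_value_added(e.number) and is_night(e.sent_at) for e in events)
    score = 3 if high_freq else 0                  # high frequency, e.g. 10 per minute
    if to_vas:
        score = max(score, 6)                      # to a value-added provider number
    if high_freq and (to_strangers or to_vas):
        score = max(score, 7)                      # very frequent, to strangers or a provider
    if high_freq and vas_at_night:
        score = max(score, 9)                      # frequent, to a provider, 23:00-06:00
    return score

# API-call-order rules from the page; the call labels are assumed for this example.
SPYWARE_SEQUENCES = {
    "information-stealing spyware": ("modify_registry", "access_personal_info", "connect_network"),
    "location spyware": ("access_gps", "access_motion_sensor", "connect_network"),
}

def matches_in_order(calls: Sequence[str], pattern: Sequence[str]) -> bool:
    """True when every step of pattern occurs in calls in that order (gaps allowed)."""
    it = iter(calls)
    return all(any(c == step for c in it) for step in pattern)

def classify_api_order(calls: Sequence[str]) -> Optional[str]:
    """Label of the first spyware sequence the observed call order satisfies, else None."""
    for label, pattern in SPYWARE_SEQUENCES.items():
        if matches_in_order(calls, pattern):
            return label
    return None
```

The order check deliberately allows unrelated calls between the steps, since the page's rules speak of the order of the calls rather than their adjacency.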