CN102209326A - Malicious behavior detection method and system based on smartphone radio interface layer - Google Patents


Publication number
CN102209326A
Authority
CN
China
Prior art keywords
data
module
communication
user
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011101331366A
Other languages
Chinese (zh)
Other versions
CN102209326B (en
Inventor
蔡雪飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ZHONGYAN RUIFENG INFORMATION TECHNOLOGY RESEARCH ISTITUTE (LIMITED PARTNERSHIP)
Original Assignee
BEIJING ZHONGYAN RUIFENG INFORMATION TECHNOLOGY RESEARCH ISTITUTE (LIMITED PARTNERSHIP)
Application filed by BEIJING ZHONGYAN RUIFENG INFORMATION TECHNOLOGY RESEARCH ISTITUTE (LIMITED PARTNERSHIP) filed Critical BEIJING ZHONGYAN RUIFENG INFORMATION TECHNOLOGY RESEARCH ISTITUTE (LIMITED PARTNERSHIP)
Priority to CN2011101331366A priority Critical patent/CN102209326B/en
Publication of CN102209326A publication Critical patent/CN102209326A/en
Priority to PCT/CN2012/071773 priority patent/WO2012159474A1/en
Application granted granted Critical
Publication of CN102209326B publication Critical patent/CN102209326B/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/50 Service provisioning or reconfiguring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

The invention relates to a malicious behavior detection method and system based on the smartphone radio interface layer. When the operating system exchanges data with the underlying radio hardware, the data commands are monitored, decoded and analysed, so that details of the operating system application layer's communication with the radio hardware (dialing, voice communication, data communication, short message communication and the like) are acquired precisely from the underlying radio hardware. This overcomes a defect of the smartphone operating system architecture, in which the phone's current communication state cannot be obtained globally from the underlying radio hardware. The communication state data acquired from the underlying radio hardware is then behavior-matched against the relevant application programs of the operating system's user layer, so that applications with legitimate data communication behavior are distinguished from applications with illegitimate data communication behavior. Timely and strong protection can thus be provided against various malicious software behaviors, and the security of smartphone users is improved.

Description

Malicious behavior detection method and system based on the smartphone radio interface layer
Technical field
The invention belongs to the field of mobile communication technology. Specifically, it relates to a malicious behavior detection method and system based on the smartphone radio interface layer, which can effectively protect against malicious communication behavior by smartphone applications.
Background technology
As mobile phone operating system technology has developed, more and more handset manufacturers have chosen mainstream smartphone operating systems for their new products. Smartphone operating systems differ greatly from conventional mobile phones in how software is installed and used. A traditional mobile phone has only a few preinstalled, single-purpose software functions and cannot satisfy users' varied needs. A mainstream smartphone operating system, by contrast, offers a "software market": over the Internet, users can pick the applications they need from tens of thousands of applications directly on the phone and install them. But while people enjoy the convenience these applications bring, they are unaware that many malicious functions are hidden in the software. For example, a picture application may hide a function that sends short messages covertly: during normal use of the software, it secretly sends messages to a fee-deducting number, causing the user to incur high phone charges. Or spyware sends the user's private data, such as contact information, short message content and call records, to a particular server, so that all of the user's information is leaked. Although smartphone operating system vendors audit applications when they enter the software market, some always slip through the net and evade the vendor's review in various ways. And when it comes to detecting malicious communication behavior, the smartphone operating system is constrained by its overall framework structure, so it cannot provide a function or method for detecting communication behavior.
Taking Android, developed by Google, as an example:
All Android applications run independently in the Dalvik VM virtual machine, which provides a virtual running environment for each application; all communication operations pass directly through the virtual machine to the hardware. Applications that ordinary developers build on the Application Framework also run in the Dalvik VM. Because of the characteristics of the Dalvik VM, an application can obtain only the data communication operations related to its own program and cannot obtain the communication data operations of other applications running in the operating system. This characteristic has caused many well-known security product developers to fail to develop an application that can monitor a phone's communication behavior; Google itself has not developed a corresponding product either.
Summary of the invention
In view of the above shortcomings of smartphone operating systems with respect to communication monitoring, the object of the present invention is to provide a method for detecting communication behavior based on the radio interface layer, so that malicious software behavior can be judged quickly and accurately and smartphone users are protected.
Specifically, a malicious behavior detection method based on the smartphone radio interface layer comprises the following steps:
A. The user application layer monitoring module of the smartphone operating system monitors in real time, collects information on the communication operations the user performs through interactive applications, and submits that information to the CPU;
B. The radio interface layer monitoring module monitors, in real time, the data communication interface layer between the smartphone operating system and the radio hardware. When the operating system communicates with the radio hardware, the radio interface layer monitoring module captures the raw encoded data passing between the operating system and the radio interface layer. When raw encoded data is captured, go to step C; otherwise keep looping and wait for a communication so that raw encoded data can be captured;
C. Depending on the data command type, the data decode module decodes the raw encoded data captured by the radio interface layer monitoring module and submits the decoded data to the CPU. After the CPU's internal core modules finish processing the data flow, the related data information and each module's result data are submitted to the data statistics module, which saves them in the database. Here, the related data information means the data coming from the monitoring modules and other input data. Each module's result data means the output computed by each module.
The phone application layer of the smartphone operating system refers only to calls, whereas the user application layer covers short messages, calls, data communication and so on.
Further, step C also comprises the following steps:
C1. The CPU submits the raw data decoded by the data decode module, together with the operation information collected by the user application layer monitoring module, to the intelligent analysis module;
C2. The intelligent analysis module compares the communication behavior features from the radio bottom layer with the communication behavior features of the same type from the operating system layer. If the operating system layer's features match those of the radio bottom layer, go to step C3. If the features do not match, or the communication behavior falls under a configured restriction rule, the relevant information is submitted to the user prompt module and the process goes to step C4;
C3. The relevant communication information is submitted to the data statistics module, which saves it in the database;
C4. The user prompt module checks the information type and produces a different prompt on the smartphone user interface for each type. If the information type is a communication behavior feature mismatch, it tells the user currently operating the phone that abnormal data communication behavior is occurring and asks whether to block the communication or let it through. If the information type is a restriction rule set in this system, the communication is blocked automatically and the user is notified;
C5. The communication blocking module blocks the communication currently in progress according to the choice of the user of this monitoring system. The CPU submits the related data information and each module's result data to the data statistics module, which saves the related data information in the database.
In step A, the communication operations comprise: making calls, sending short messages, and accessing the network.
In step B, the raw encoded data captured from the radio interface layer comprises at least one of the following. Active request commands: SIM PIN, IO, IMSI/IMEI, call state, network state query, network settings, short message, PDP connection, power and reset, supplementary services, and vendor-defined and supported commands. Passive request commands: network state change, new short message notification, new USSD notification, and signal strength and time change. Here, SIM PIN is the personal identification number (PIN, Personal Identification Number) of the subscriber identity module (SIM, Subscriber Identity Module); IO is input/output; IMSI/IMEI is the International Mobile Subscriber Identity (IMSI) / International Mobile Equipment Identity (IMEI); a PDP connection is a Packet Data Protocol (PDP) connection; and the new USSD notification concerns Unstructured Supplementary Service Data (USSD).
The call state comprises dialing, answering or mute.
The network settings are at least one of barring, forwarding and selection.
In step C, the different data command types comprise active request commands such as subscriber identity module PIN, input/output, International Mobile Subscriber Identity, International Mobile Equipment Identity, call state and actions, network state query, network settings, short message, PDP (Packet Data Protocol) connection, power and reset, supplementary services, and vendor-defined and supported commands; and passive request commands such as network state change, new short message notification, new USSD notification, and signal strength and time change.
In step C, the internal core modules comprise the intelligent analysis module, the user prompt module, the communication blocking module and the data statistics module. The data information and each module's result data comprise the decoded raw data of the radio interface layer and the related statistics.
In step C1, the decoded raw data means that the encoded command has been restored to the original command, identical to the active or passive command.
In step C2, a communication behavior feature mismatch means that the user layer shows no communication while the interface layer does, or the interface layer shows no communication while the application layer does. A restriction rule comprises at least one of the following: restricted program, restricted count, restriction method, restricted time, system default restriction or user-defined restriction.
In step C5, each module's result data comprises the interception result record and related information.
Another object of the present invention is to provide a malicious behavior detection system based on the smartphone radio interface layer, comprising a user application layer monitoring module, a radio interface layer monitoring module, a data decode module and a CPU. The user application layer monitoring module collects, in real time, information on the communication operations the user performs through interactive applications and submits that information to the CPU;
The radio interface layer monitoring module monitors the data communication interface layer between the smartphone operating system and the radio hardware, captures in real time the raw encoded data of the commands and content exchanged between the smartphone operating system and the phone's radio hardware, and submits the raw encoded data to the data decode module;
The data decode module restores and decodes the raw encoded data of the commands and content obtained by the radio interface layer monitoring module, recovering the corresponding operating system application layer commands and related data, and submits the decoded data to the CPU.
The CPU comprises an intelligent analysis module, a user prompt module, a communication blocking module and a data statistics module. The intelligent analysis module compares and analyses the decoded raw data from the data decode module against the data from the user application layer monitoring module, and calls the user prompt module according to the analysis result;
The user prompt module is connected to the intelligent analysis module. It generates different prompts in the user application layer of the smartphone operating system according to the different information, and controls the currently detected communication behavior according to the user's choice or this system's restriction rules. When the user or this system chooses to block the current communication, it calls the communication blocking module;
The communication blocking module is connected to the user prompt module. According to the choice of the user or this system, it blocks the data connection of the application currently communicating and stops the data operation in progress;
The data statistics module is connected to the intelligent analysis module and to the other modules in the CPU. It gathers the information and result data from the other modules in the CPU and saves the collected information to the database.
Here, the information and result data of the other modules in the CPU are the same as the related data information and each module's result data described above.
The different information or different prompts comprise: notification of blocking, notification of an operation, and the user's choice to allow or block.
The commands and content of the phone's radio hardware refer to short message, call or network operations.
The data information and result data comprise the total call time, the total number of short messages sent, network connection traffic, the number of connections blocked, and user-defined restriction rules.
The present invention monitors data at the radio interface layer of the smartphone operating system. When the operating system exchanges data with the underlying radio hardware (baseband), its data commands are monitored, decoded and analysed, so that it is known accurately from the bottom layer (baseband) whether the phone application layer (Phone Application) in Fig. 1 is dialing, in a voice call, in data communication, in short message communication and so on, together with the details of its data communication with the underlying radio hardware. This remedies the system defect that the smartphone operating system framework cannot learn the phone's current data communication state from the underlying radio hardware. The acquired application and radio hardware communication state data is behavior-matched against the relevant applications of the operating system user layer, to distinguish which applications exhibit legitimate data communication behavior and which exhibit illegitimate data communication behavior. Strong protection can thus be provided in time against various malware behaviors, improving the overall security of smartphone users.
Description of drawings
The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the malicious behavior detection system based on the radio interface layer of the present invention;
Fig. 2 is a structure diagram of the malicious behavior detection system based on the radio interface layer of the present invention;
Fig. 3 is a flow chart of the malicious behavior detection method based on the radio interface layer of the present invention.
Reference numerals:
201. user application layer monitoring module
202. radio interface layer monitoring module
203. data decode module
204. CPU
2041. intelligent analysis module
2042. user prompt module
2043. communication blocking module
2044. data statistics module
Embodiment
The invention provides a detection method and system based on communication behavior at the smartphone radio interface layer, so that malicious behavior can be judged quickly and accurately and smartphone users are protected. The main steps of the detection method are: monitor user application layer communication and smartphone radio interface layer communication at the same time; use the two kinds of data to distinguish normal user communication from abnormal communication; prompt the user to choose whether to block or allow the connection currently in progress, or handle it according to system rules; and then save the result to the database.
Fig. 1 is the flow chart of the malicious behavior detection system based on the radio interface layer, described in detail as follows. In a conventional smartphone operating system, the phone application layer provides several commonly used application data communication interface types. Through these, the phone application layer calls the operating system layer: the data communication interface corresponding to the phone application layer passes the communication request from the phone application layer to the operating system layer.
In this embodiment of the invention, the phone application layer in the smartphone operating system handles, in a unified way, the routine communication-related use by user applications, including making calls, sending short messages, communication services and data transfer. The phone application layer submits these requests in order to the radio interface layer (RIL, Radio Interface Layer) of the operating system layer. The radio interface layer encapsulates the upper-layer command request in the prescribed format and submits it to the radio daemon (Radio Daemon). The daemon sends the command (that is, the upper-layer command after format encapsulation) to the vendor radio interface layer (Vendor RIL). On receiving a request, the vendor radio interface layer generates the corresponding AT command and calls the baseband (BaseBand) directly. The present invention monitors the data calls between the radio interface layer RIL and the baseband and obtains the call commands and parameters directly from the bottom layer, thereby learning whether the upper-layer operating system has data communication behavior. Once a communication request is observed at the bottom layer, it is compared, according to the command, with the communication operations of the smartphone operating system application layer (which, depending on the command, may mean the operating system layer or the user application layer). This distinguishes which communication operations were produced by a person and which were produced by malware. If the current connection is detected to have been produced by malware, the user is prompted that the connection needs to be cut, or the monitoring system automatically cuts the malicious connection in progress.
Below, taking short message sending on the Android smartphone operating system as an example, the description shows in detail how the detection system of the present invention obtains communication data from the bottom layer and performs behavior judgment.
As shown in Fig. 1, when the user application layer needs to send a short message, it calls the short message sending method in the application framework of the operating system layer. That method calls the radio daemon in the user-space libraries of the operating system layer. The radio daemon passes the call parameters from the upper layer (user application layer or application framework) to the vendor RIL interface, which is responsible for communicating with the baseband. By monitoring the methods and call parameters when the daemon in the operating system layer passes data to the vendor RIL, it is possible to know whether the operating system layer is sending a short message; by restoring the captured data, the short-message-related communication content can be learned, such as the message content and the recipient number. In Android, the system's built-in short message sender uses the sending method in the application framework, and third-party applications use the same method. The difference is that each time the built-in sender sends a message, the message just sent, including the number and other information, is recorded in the operating system's built-in short message database, whereas a third-party application cannot enter the record of a sent message into that database. After the monitoring layer obtains the information on a sent short message, it compares it with the records in the system short message database. If a matching record exists, the message was sent by the user; otherwise it was sent by a program. In this way, the communicating application can be judged accurately, user operations can be distinguished from application operations, and the purpose of behavior detection is achieved.
Fig. 2 is the structure diagram of the malicious behavior detection system based on the radio interface layer. For ease of explanation, only the parts relevant to this embodiment are shown. The detection system can be integrated into a mobile terminal, such as a mobile phone, a personal digital assistant (PDA, Personal Digital Assistant) or a tablet computer, to detect malicious behavior.
User application layer monitoring module 201 monitors the normal communication behavior features of the smartphone operating system user, which include making calls, sending short messages, receiving short messages, data transfer and so on. For example, when the user sends a short message with the operating system's built-in sender, a specific outbox event is produced; once this event is observed, the message-related content can be read, including the message content and the recipient. User application layer monitoring module 201 promptly passes the observed user communication content to CPU 204.
Radio interface layer monitoring module 202 monitors, at the smartphone operating system's radio interface layer, the raw radio-related data communication between the operating system and the communication device. For example, when an application sends the short message content abc to telephone number 10086, the radio interface layer RIL is called to communicate with the underlying radio hardware. For historical reasons, most underlying communication devices use the AT command set. The commands are:
AT>AT+CMGS=13
AT>00010005810180f600000341f118
AT<+CMGS:0
After capturing the command request, radio interface layer monitoring module 202 sends it to data decode module 203.
Data decode module 203 decodes the received data according to the command set it belongs to, restoring the encoding to communication content with the corresponding algorithm. For example, on receiving the command AT+CMGS=13, it determines that the current command sends a short message in ASCII format, and decodes the accompanying data 00010005810180f600000341f118 using protocol data unit (PDU, Protocol Data Unit) coding. After decoding with the PDU algorithm, the data is restored to the sent content abc and the recipient telephone number 10086, and the decoded information is sent to CPU 204.
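The decoding step described above, as an added Python example that is not part of the patent: it parses the quoted AT exchange and decodes the SMS-SUBMIT PDU field by field. It assumes that "AT>" marks lines sent to the baseband and "AT<" the reply; the function names and the event dictionary are hypothetical.

```python
"""Decode the AT+CMGS capture quoted above (added example, PDU-mode SMS-SUBMIT)."""

# Capture as quoted on the page. Assumption: "AT>" marks OS-to-baseband
# lines and "AT<" marks the baseband's reply.
CAPTURE = """\
AT>AT+CMGS=13
AT>00010005810180f600000341f118
AT<+CMGS:0
"""

# GSM 03.38 default 7-bit alphabet (basic table, no extension escapes).
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def unpack_septets(data: bytes, count: int) -> str:
    """Unpack `count` 7-bit characters that were packed LSB-first into octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(count))


def decode_address(octets: bytes, digits: int) -> str:
    """Swap the nibbles of each octet (semi-octet BCD) and drop the F padding."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in octets)[:digits]


def decode_sms_submit(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    pos = 1 + raw[0]                      # skip SMSC info (length 0 = SIM default)
    tpdu_len = len(raw) - pos             # the length announced by AT+CMGS=<n>
    first = raw[pos]
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT TPDU")
    if first & 0x40:
        raise ValueError("user data header present; not handled here")
    pos += 2                              # first octet + message reference
    digits, toa = raw[pos], raw[pos + 1]
    pos += 2
    n_octets = (digits + 1) // 2
    dest = decode_address(raw[pos:pos + n_octets], digits)
    if toa & 0x70 == 0x10:                # type-of-number = international
        dest = "+" + dest
    pos += n_octets
    dcs = raw[pos + 1]                    # raw[pos] is the protocol identifier
    pos += 2
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[(first >> 3) & 0x03]   # validity period
    udl, user_data = raw[pos], raw[pos + 1:]
    alphabet = (dcs >> 2) & 0x03          # assumes the general data coding group
    if alphabet == 0:
        text = unpack_septets(user_data, udl)
    elif alphabet == 2:
        text = user_data[:udl].decode("utf-16-be")
    else:
        raise ValueError("8-bit data message, no text to show")
    return {"kind": "sms", "dest": dest, "text": text, "tpdu_len": tpdu_len}


def decode_capture(capture: str) -> list:
    """Pair each AT+CMGS=<n> request with the PDU line that follows it."""
    events, expected = [], None
    for line in capture.splitlines():
        direction, payload = line[:3], line[3:].strip()
        if direction != "AT>":
            continue                      # replies carry no outgoing content
        if payload.upper().startswith("AT+CMGS="):
            expected = int(payload.split("=", 1)[1])
        elif expected is not None:
            event = decode_sms_submit(payload)
            if event["tpdu_len"] != expected:
                raise ValueError("PDU length does not match AT+CMGS")
            events.append(event)
            expected = None
    return events


if __name__ == "__main__":
    for ev in decode_capture(CAPTURE):
        print(ev)
```

For the bytes quoted above, the recipient decodes to 10086 and the three packed septets 41 f1 18 unpack to the text Abc (the first septet is 0x41). The 13 in AT+CMGS=13 is the TPDU length in octets, excluding the one-octet SMSC field.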
As shown in Fig. 2, in this embodiment of the invention the CPU comprises the following modules. Intelligent analysis module 2041 analyses and compares data of the same type gathered by user application layer monitoring module 201 and radio interface layer monitoring module 202. When the data gathered by the two modules are consistent, intelligent analysis module 2041 concludes that the current data communication was produced by the user's active operation and is normal communication behavior. If the data gathered by user application layer monitoring module 201 and radio interface layer monitoring module 202 are inconsistent, or the current communication behavior and content fall within this system's restrictions, intelligent analysis module 2041 sends the related information to user prompt module 2042 and calls it.
User prompt module 2042 displays a different prompt dialog on the smartphone user interface for each information type. If the information type is a mismatch, it tells the current user that abnormal data communication behavior is occurring and asks whether to block the communication or let it through; if the user chooses to block, user prompt module 2042 calls communication blocking module 2043. If the communication behavior falls within this system's restrictions, user prompt module 2042 calls communication blocking module 2043 automatically and notifies the user that the connection has been blocked.
Communication blocking module 2043 blocks the data communication currently in progress according to the choice of this system or the user. If the current data communication behavior is a call, it hangs up the call; if it is a network connection, it drops the connection; if it is sending a short message, it stops the message from being sent.
Data statistics module 2044 stores the data information and result data of each module in this system's database. The data information and result data comprise the total call time, the total number of short messages sent, network connection traffic, the number of connections blocked, user-defined restriction rules and so on.
Fig. 3 is a flow chart of the malicious behavior detection system based on the radio interface layer according to the present invention. The detection flow is described in detail below with reference to Fig. 3.
1. The user application layer monitoring module and the radio interface layer monitoring module begin monitoring the communication behavior of the smartphone;
2. The monitoring system checks whether the monitored interface has captured data: if data has been captured, it is decoded; if not, the system continues to wait for a capture;
3. The decoded data is submitted to the CPU, which performs behavior correlation analysis on it to determine whether the current connection results from a user operation, is malicious behavior, or falls under a restriction rule of this system;
4. If the result shows that the communication was not produced by a human operation, or that it falls under a restriction rule of this system, the user currently operating the phone is prompted; otherwise this detection ends;
5. Depending on the notification type, the system decides whether a prompt window is needed; if so, a prompt window is produced in the current user's system; otherwise the communication is blocked directly;
The user prompt module checks the information type and produces a different prompt in the smartphone user interface for each type. If the information type is a communication behavior mismatch, it tells the user currently operating the phone that abnormal data communication behavior is occurring and asks whether to block the communication or let it pass. If the information type is a restriction rule set in this system, the communication is blocked automatically and the user is notified. A communication behavior mismatch means that the user layer shows no communication while the interface layer does, or that the interface layer shows no communication while the application layer does. The restriction rules that can be set include: restricted program, restricted count, restriction method, restricted time period, system default restrictions, user-defined restrictions, and so on.
6. The operation result and module information are stored in the malicious behavior monitoring system database, and this detection ends.
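The decode-and-compare flow described above, as an added Python example that is not part of the patent text: it decodes the AT+CMGS=13 PDU quoted in the description and classifies radio-interface-layer events against application-layer events. The `Event` record, the 5-second matching window, the numeric SMS limit and the number 5550100 are assumptions for illustration. The decoder handles only the 7-bit default alphabet without a user data header, and it returns the sample text with an upper-case first letter (Abc).

```python
from dataclasses import dataclass

# Command and PDU quoted in the description; everything else below is constructed.
SAMPLE_AT = "AT+CMGS=13"
SAMPLE_PDU = "00010005810180f600000341f118"

def decode_semi_octets(data: bytes, digits: int) -> str:
    """Address digits are BCD with swapped nibbles; 0xF pads an odd digit count."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)[:digits]

def unpack_septets(data: bytes, count: int) -> str:
    """Unpack 7-bit characters packed LSB-first. Assumption: letters and digits only,
    where the GSM default alphabet coincides with ASCII."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))

def decode_sms_submit(at_line: str, pdu_hex: str) -> dict:
    """Decode an SMS-SUBMIT PDU captured after AT+CMGS=<length>."""
    if not at_line.startswith("AT+CMGS="):
        raise ValueError("not an SMS send command")
    raw = bytes.fromhex(pdu_hex)
    tpdu = raw[1 + raw[0]:]                      # skip SMSC length octet and SMSC address
    if len(tpdu) != int(at_line.split("=", 1)[1]):
        raise ValueError("AT+CMGS length does not match the PDU")
    first = tpdu[0]
    if first & 0x03 != 0x01 or first & 0x40:
        raise ValueError("only SMS-SUBMIT without a user data header is handled")
    digits = tpdu[2]                             # tpdu[1] is the message reference
    pos = 4                                      # tpdu[3] is the type of address
    target = decode_semi_octets(tpdu[pos:pos + (digits + 1) // 2], digits)
    pos += (digits + 1) // 2
    dcs = tpdu[pos + 1]                          # tpdu[pos] is the protocol identifier
    pos += 2
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[(first >> 3) & 0x03]   # validity period, if present
    if dcs != 0x00:
        raise ValueError("only the 7-bit default alphabet is handled")
    return {"kind": "sms", "target": target,
            "text": unpack_septets(tpdu[pos + 1:], tpdu[pos])}

@dataclass(frozen=True)
class Event:
    layer: str    # "app" = user application layer monitor, "ril" = radio interface layer monitor
    kind: str     # "sms", "call" or "data"
    target: str
    ts: float     # capture time in seconds

def classify(ril_events, app_events, sms_limit=None, window=5.0):
    """Pair each RIL event with an app-layer event of the same type and target.
    Verdicts: user_initiated, mismatch (prompt the user), rule_limited (block automatically)."""
    pending = list(app_events)
    verdicts, sms_sent = [], 0
    for r in sorted(ril_events, key=lambda e: e.ts):
        match = next((a for a in pending
                      if (a.kind, a.target) == (r.kind, r.target)
                      and abs(a.ts - r.ts) <= window), None)
        if match is not None:
            pending.remove(match)
        sms_sent += r.kind == "sms"
        if sms_limit is not None and r.kind == "sms" and sms_sent > sms_limit:
            verdicts.append((r, "rule_limited"))      # "restricted count" rule exceeded
        elif match is not None:
            verdicts.append((r, "user_initiated"))    # both layers agree
        else:
            verdicts.append((r, "mismatch"))          # radio traffic with no user action
    # App-layer operations that never reached the radio interface are mismatches too.
    verdicts += [(a, "mismatch") for a in pending]
    return verdicts

def demo(sms_limit=None):
    """Constructed scenario: one user-sent SMS, one silent SMS, one call seen only at app layer."""
    msg = decode_sms_submit(SAMPLE_AT, SAMPLE_PDU)
    app = [Event("app", "sms", "10086", 100.0), Event("app", "call", "5550100", 130.0)]
    ril = [Event("ril", msg["kind"], msg["target"], 100.4),
           Event("ril", msg["kind"], msg["target"], 160.0)]
    return [(e.layer, e.kind, v) for e, v in classify(ril, app, sms_limit)]

if __name__ == "__main__":
    print(decode_sms_submit(SAMPLE_AT, SAMPLE_PDU))
    for row in demo():
        print(row)
```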
By monitoring data at the radio interface layer of the smartphone operating system, the system observes the data instructions exchanged whenever the operating system and the underlying radio hardware communicate, and decodes and analyzes them. It thereby learns accurately, from the bottom layer, whether the operating system's application layer is dialing, in voice communication, in data communication or in short message communication, together with the details of the data communication with the radio hardware. This remedies the defect that the smartphone operating system architecture cannot know the phone's current data communication state globally from the bottom layer. The related application and the underlying radio hardware communication state data obtained in this way are then matched against the related application at the smartphone operating system's user layer (the "related application", the "underlying radio hardware communication state data" and the "related application of the smartphone operating system user layer" are all three matched simultaneously) to distinguish which applications' data communication behavior is legitimate and which is illegitimate. The system can therefore provide strong and timely protection against various kinds of malware behavior and improve the overall security of smartphone users.
It should be noted that a person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be carried out by a program instructing the relevant hardware. The program can be stored in a storage medium readable and writable by a computer or mobile phone, such as ROM/RAM, a magnetic disk or an optical disc. The above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, a person of ordinary skill in the art should understand that the technical solution may be modified or replaced with equivalents without departing from its spirit and scope, and all such modifications shall be covered by the claims of the present invention.

Claims (10)

1. A malicious behavior detection method based on the smartphone radio interface layer, characterized in that it comprises the following steps:
A. The user application layer monitoring module of the smartphone operating system monitors in real time, collects information on the communication operations that the user performs through interactive applications, and submits that information to the CPU;
B. The radio interface layer monitoring module monitors in real time the data communication interface layer between the smartphone operating system and the radio hardware device; when the smartphone operating system communicates with the radio hardware device, the radio interface layer monitoring module captures the raw data encoding exchanged between the operating system and the radio interface layer; when the radio interface layer monitoring module captures a raw data encoding, the method proceeds to step C; otherwise it continues to loop, waiting to capture the raw data encoding when communication occurs;
C. According to the data instruction type, the data decoding module decodes the raw data encoding captured by the radio interface layer monitoring module and submits the decoded raw data encoding to the CPU; after the CPU completes the data flow processing of its internal core modules, the related data information and the result data of each module are submitted to the data statistics module, which stores them in the database.
2. The malicious behavior detection method according to claim 1, characterized in that step C further comprises the following steps:
C1. The CPU submits the raw data encoding decoded by the data decoding module and the operation information collected by the user application layer monitoring module to the intelligent analysis module;
C2. The intelligent analysis module compares the communication behavior features from the radio bottom layer with the communication behavior features of the same type from the operating system layer; if the communication behavior features of the operating system layer match those of the radio bottom layer, the method proceeds to step C3; if the communication behavior features do not match, or they fall under a restriction rule that has been set, the related information is submitted to the user prompt module and the method proceeds to step C4;
C3. The related communication information is submitted to the data statistics module, which stores it in the database;
C4. The user prompt module checks the information type and produces a different prompt in the smartphone user interface for each type: if the information type is a communication behavior feature mismatch, it tells the user currently operating the phone that abnormal data communication behavior is occurring and asks whether to block the communication or let it pass; if the information type is a restriction rule set in this system, the communication is blocked automatically and the user is notified;
C5. The communication blocking module blocks the communication in progress according to the choice of the user of the monitoring system; the CPU submits the related data information and the result data of each module to the data statistics module, which stores the related data information in the database.
3. The malicious behavior detection method according to claim 1, characterized in that, in step A, the communication operations comprise: making a call, sending a short message, and accessing the network; in step B, the raw data encoding captured from the radio interface layer comprises at least one of the following: active request instructions for SIM PIN, IO, IMSI/IMEI, call state, network state query, network settings, short message, PDP connection, power and reset, supplementary services, and vendor definition and support; and passive request instructions for network state change, new short message notification, new USSD notification, and signal strength and time change; the call state comprises dial, answer or mute; the network settings are at least one of barring, forwarding and selection.
4. The malicious behavior detection method according to claim 1, characterized in that, in step C, the different data instruction types comprise: active request instructions such as subscriber identity module PIN, input/output, international mobile subscriber identity, international mobile equipment identity, call state and actions, network state query, network settings, short message, PDP (packet data protocol) connection, power and reset, supplementary services, and vendor definition and support; and passive request instructions such as network state change, new short message notification, new USSD notification, and signal strength and time change; the internal core modules comprise the intelligent analysis module, the user prompt module, the communication blocking module and the data statistics module; the data information and the result data of each module comprise: the decoded raw data encoding of the radio interface layer and the related statistics.
5. The malicious behavior detection method according to claim 2, characterized in that, in step C1, the decoded raw data encoding refers to the encoded instructions restored to original instructions identical to the active and passive instructions; in step C2, a communication behavior feature mismatch means that the user layer shows no communication while the interface layer does, or that the interface layer shows no communication while the application layer does; the restriction rules that are set comprise at least one of the following: restricted program, restricted count, restriction method, restricted time period, system default restriction or user-defined restriction; in step C5, the result data of each module comprises the interception result record and related information.
6. A malicious behavior detection system based on the smartphone radio interface layer, characterized in that it comprises a user application layer monitoring module, a radio interface layer monitoring module, a data decoding module and a CPU; the user application layer monitoring module collects in real time information on the communication operations that the user performs through interactive applications, and submits that information to the CPU;
The radio interface layer monitoring module monitors the data communication interface layer between the smartphone operating system and the radio hardware device, captures in real time the raw data encoding of the instruction information and content exchanged between the smartphone operating system and the phone's radio hardware device, and submits the raw data encoding to the data decoding module;
The data decoding module restores and decodes the raw data encoding of the instruction information and content, obtained by the radio interface layer monitoring module, exchanged between the smartphone operating system and the phone's radio device, recovering the corresponding operating system application layer instructions and related data; the data decoding module submits the decoded raw data encoding to the CPU.
7. The malicious behavior detection system according to claim 6, characterized in that the CPU comprises an intelligent analysis module, a user prompt module, a communication blocking module and a data statistics module, wherein the intelligent analysis module is used to intelligently compare and analyze the decoded raw encoding from the data decoding module and the data from the user application layer monitoring module, and to call the user prompt module according to the analysis result;
The user prompt module is connected to the intelligent analysis module and is used to generate different prompt modes at the user application layer of the smartphone operating system according to the different information, and to carry out control operations on the currently detected communication behavior according to the user's choice or the restriction rules of this system; when the user or this system chooses to block the current communication, it calls the communication blocking module;
The communication blocking module is connected to the user prompt module and is used, according to the choice of the user or of this system, to block the data connection of the application currently performing data communication and stop the data operation in progress;
The data statistics module is connected to the intelligent analysis module and to the other modules in the CPU, and is used to gather the information and result data from the other modules of the CPU and save the collected information to the database.
8. The malicious behavior detection system according to claim 7, characterized in that the different prompt modes comprise a prompt that communication is blocked, a prompt that an operation is taking place, and a user choice to allow or block.
9. The malicious behavior detection system according to claim 6, characterized in that the instruction information and content of the phone's radio hardware device comprise short message, telephone or network operations.
10. The malicious behavior detection system according to any one of claims 7 to 9, characterized in that the data information and result data comprise the total call time, the total number of short messages sent, the network connection traffic, the number of connections blocked, and the user-defined restriction rules.
CN2011101331366A 2011-05-20 2011-05-20 Malicious behavior detection method and system based on smartphone radio interface layer Active CN102209326B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2011101331366A CN102209326B (en) 2011-05-20 2011-05-20 Malicious behavior detection method and system based on smartphone radio interface layer
PCT/CN2012/071773 WO2012159474A1 (en) 2011-05-20 2012-02-29 Malicious behavior detection method and system based on smartphone radio interface layer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011101331366A CN102209326B (en) 2011-05-20 2011-05-20 Malicious behavior detection method and system based on smartphone radio interface layer

Publications (2)

Publication Number Publication Date
CN102209326A (en) 2011-10-05
CN102209326B (en) 2013-09-11

Family

ID=44697948

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011101331366A Active CN102209326B (en) 2011-05-20 2011-05-20 Malicious behavior detection method and system based on smartphone radio interface layer

Country Status (2)

Country Link
CN (1) CN102209326B (en)
WO (1) WO2012159474A1 (en)

Also Published As

Publication number Publication date
CN102209326B (en) 2013-09-11
WO2012159474A1 (en) 2012-11-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant