CN103500307A - Mobile internet malignant application software detection method based on behavior model - Google Patents


Publication number
CN103500307A
Authority
CN
China
Prior art keywords
application software
section
software
malicious
model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310444710.9A
Other languages
Chinese (zh)
Inventor
李祺
郭燕慧
徐国爱
李承泽
董航
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201310444710.9A
Publication of CN103500307A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Virology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention provides a method for detecting malicious mobile internet application software based on a behavior model. The operation steps of the method are: (1) the mobile internet application software to be detected is analyzed with a Hidden Markov Model to obtain the similarity of the current software to each basic software operation type, and a similarity vector is formed; (2) the similarity vector is post-processed to obtain a type detection vector; (3) in an off-line training mode, a non-malicious behavior model is built with a neural-network-based method, and the trained model is then used in an on-line test mode to judge whether the current application software is malicious application software.

Description

A mobile Internet malicious application software detection method based on a behavior model
Technical field
The present invention relates to a method for detecting malicious mobile Internet application software, and more precisely to a method for detecting malicious mobile Internet application software based on a behavior model. It belongs to the field of information security technology concerned with analyzing the maliciousness of application software in the mobile Internet environment.
Background art
With the arrival of the mobile Internet era, mobile intelligent terminals have become more and more powerful and more and more widespread. In addition, 3G and even 4G mobile networks are being promoted worldwide, and these high-speed mobile networks provide the environment for smartphone applications. Users have begun to consume applications such as music, electronic products, films, maps and games on mobile intelligent terminals, and also use the terminals to communicate, for example through social networks such as Facebook, Twitter and microblogs. However, a large number of terminal programs and applications also means a large number of security risks, and attacks of all kinds against terminal devices appeared after 2004. The security threats and risks that mobile intelligent terminals currently face fall into three main areas: first, vulnerabilities in the system or software itself; second, malware (viruses, Trojans, etc.); third, the appearance of illegal content or services. The specific potential hazards include personal privacy leakage, personal identity theft, service applications with security vulnerabilities, information theft, mobile phone viruses, location tracking and application security.
Research on mobile intelligent terminal security is a relatively new direction, and as the number of mobile device users keeps growing it will become a focus of the network security field. There is currently little research in this area at home or abroad; it mainly comprises research on policies and regulations and technical research. Technical research is divided into two parts. One part seeks security solutions at the hardware level, on the view that a pure software solution cannot cope with the various threats from complex mobile networks; both at home and abroad, solutions are now expected from the hardware side, and the emergence of trusted computing offers a new approach to terminal security. On the software side, network security vendors such as Symantec, Kaspersky and Trend Micro have all begun to work on security solutions for intelligent mobile terminals, and domestic vendors such as Rising have also started research on related products, but the technology is still immature.
Mobile intelligent terminals have run into the same security problems as traditional computers: viruses, malicious programs, Trojans and the like have begun to appear on terminals and have caused much harm to terminal users, for example devices running slowly or even crashing, and unexplained increases in charges. Moreover, as handheld terminal devices become the center of people's information, the information stored on them is growing in both volume and importance; if a device is lost or used by someone else, the consequences are hard to imagine. Terminal security therefore cannot be ignored, and because threats now come from many directions, software solutions involve numerous technologies.
In the field of intelligent mobile terminal security, the key technologies involved in software solutions include confidentiality of critical data, file access control, intelligent anti-theft, detection of malicious programs, and software update and optimization. The main existing solutions at home and abroad for the security of handheld intelligent terminal devices are products such as Symantec Mobile Security for Symbian, Kaspersky mobile phone edition 7.0, F-Secure Mobile Security, Trend Micro's mobile security product, G-Data (Germany), Avira, Panda, McAfee Mobile Security, Qihoo, and Rising Antivirus mobile phone edition.
The internationally known anti-virus testing organization AV-Comparatives released its manual malware detection test report for antivirus software in September. The test systems and environment were last updated on August 12. In this test, G-Data of Germany took first place with a high rate of 99.7%, Avira and Panda ranked second and third respectively, and F-Secure followed closely, slightly behind, in fourth place with 99.3%. Although the domestic Qihoo product entered the second tier, it uses the Avira ("little red umbrella") engine, the BD engine and its own engine, so its number of missed detections is essentially close to Avira's, while its number of false positives is far higher than Avira's and its scanning speed is also much slower than Avira's.
Among these products, the foreign ones are technically relatively mature, but their functionality is incomplete and the efficiency of their implementations needs improvement. According to the product descriptions, all of these products can detect malicious programs such as viruses and Trojans, and can also protect files, e-mail messages and so on. However, the principle they use to find and remove malicious programs is virus signature detection, that is, determining that a program is malicious by checking attributes of files. This is the approach used for antivirus on computers. Its shortcomings are that it cannot detect unknown viruses and that it requires the virus database to be updated, which is a huge challenge for terminal devices with slower processors and limited resources, so further research is needed. Domestic products are still at the free-download trial stage, and many key technologies are not yet mature.
In summary, mobile Internet application software plays an increasingly important role in people's lives, yet methods for detecting malicious mobile Internet application software are not mature enough. How to detect malicious mobile Internet application software comprehensively and effectively has therefore become a new topic of concern to those working in the field.
Summary of the invention
In view of this, the purpose of the present invention is to provide a method for detecting malicious mobile Internet application software based on a behavior model. With this method, only non-malicious software behavior needs to be modeled. The model is doubly nested: the bottom layer is a hidden Markov model and the upper layer is a neural network model. Because non-malicious behavior is easier to define than malicious behavior in the mobile Internet environment, analyzing malicious application software with this method is more comprehensive and effective.
To achieve the above purpose, the invention provides a method for detecting malicious mobile Internet application software based on a behavior model, characterized in that the method comprises the following operation steps:
(1) analyze the mobile Internet application software to be detected using a hidden Markov model (HMM), obtain the similarity of the current program to each behavior type, and form a similarity vector;
(2) post-process the similarity vector to obtain the type detection vector;
(3) first, in an off-line training mode, build an overall model of non-malicious behavior using a neural-network-based method; then, using the trained model, judge by on-line testing whether the current application software is malicious application software.
Step (1) further comprises the following operations:
(11) run the mobile Internet application software to be analyzed and monitor its behavior; segment the record according to a set duration, dividing the behavior data of the application software into a sequence of behavior segments;
(12) extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network occupation time, segment 2G/3G network occupation time, segment camera open count, segment location information acquisition, and segment device information acquisition;
(13) model and detect basic software operations using hidden Markov models: during training, use the Baum-Welch algorithm to adjust the parameters of each hidden Markov model; once the model for each type has been obtained, use the Viterbi algorithm to compute the similarity between the application software under test and each model, that is, the maximum likelihood value, and form the maximum likelihood value vector from these values.
Step (12) further comprises the following:
(121) segment average CPU occupancy is the application software's average per-second occupancy of the CPU during the monitoring period;
(122) segment average memory occupancy is the application software's average per-second occupancy of memory during the monitoring period;
(123) segment privacy access count is the total number of times the application software accesses the user's address book, pictures and short messages during the monitoring period;
(124) segment network occupation time is the time for which the application software accesses the wifi network during the monitoring period;
(125) segment camera open count is the number of times the application software opens the phone camera during the monitoring period;
(126) segment location information acquisition indicates whether the application software obtained the user's location information during the monitoring period: the feature is 1 if so and 0 if not;
(127) segment device information acquisition indicates whether the application software obtained the device information IMEI number, baseband version and kernel version during the monitoring period: the feature is 1 if so and 0 if not.
Step (13) further comprises the following:
(131) suppose that N basic software operation types are to be modeled in total, and that the similarity of the behavior of the application under test to the i-th type, that is, the maximum likelihood value, is $c_i$; the maximum likelihood value vector of the application under test is then $c = [c_1, c_2, \ldots, c_N]$.
Step (2) further comprises the following:
(21) if the similarity between the behavior of the application under test and the i-th basic operation type is less than or equal to 1/N, the match between the application and that operation type is considered low, and to simplify the subsequent analysis the similarity is set to 0. That is:
$$d_i = \begin{cases} c_i & \text{if } c_i > \frac{1}{N} \\ 0 & \text{if } c_i \le \frac{1}{N} \end{cases}$$
where $d_i$ is called the corrected maximum likelihood value;
(22) from the corrected maximum likelihood values, form the type detection vector:
type detection vector $d = [d_1, d_2, \ldots, d_N]$
Step (3) further comprises the following:
(31) build the non-malicious behavior model for application software; the model is expressed as:
$$y = \sum_{i=1}^{N} w_i - \theta$$
where $y$ is the output of the neural network, $w_i$ is the weight relating non-malicious behavior to each basic software operation, and $\theta$ is the anomaly threshold;
(32) collect a large number of non-malicious application software samples and, by off-line training of the neural network on non-malicious behavior, obtain the weights relating non-malicious behavior to each basic software operation type and the threshold for malicious behavior;
(33) by on-line testing, feed the type detection vector of the current application software into the neural network: if the output of the neural network is greater than 0, the current application software is not malicious application software; if the output is less than 0, the current application software is malicious application software.
The present invention is a method for detecting malicious mobile Internet application software based on a behavior model. Its main technical innovation is that, by building a model of non-malicious behavior, it makes up for the problem of earlier approaches that build models of malicious behavior and therefore cannot detect malicious behavior that is absent from the database. This is described in detail below.
First, most prior-art research chooses to model the behavior of malicious application software. For example, behaviors such as stealing the user's communication records or stealing the user's private files may be regarded as malicious and modeled, and the application under test is then checked against these categories. But if a malicious behavior appears that was not defined in advance, such as leaking the user's geographic location, the existing technical solutions cannot make a correct judgment. The present invention instead models non-malicious behavior. The definition and statistics of non-malicious behavior are more accurate and comprehensive than those of malicious behavior and can be obtained entirely from everyday experience; for example, the normal behavior of mobile Internet application software usually includes only online chat, file download, games, video viewing and the like. Non-malicious behavior is also more convenient to define than malicious behavior. For this reason, the invention proposes modeling non-malicious behavior, which allows malicious mobile Internet application software to be detected more comprehensively and effectively.
In addition, when building a non-malicious model, much existing technology collects non-malicious behavior and models it directly. Because the data of non-malicious application software is also diverse, this approach usually requires a very large training sample database, and the model easily fails to converge during training. The invention therefore proposes to divide non-malicious behavior further into basic software operation classes; for example, the non-malicious behavior model is composed of basic software operation classes such as web browsing, watching video, downloading and navigation. These basic software operation types are trained separately, and the upper-layer neural network model explores how these models are combined in software behavior. In this way a relatively comprehensive and reliable model can be trained without collecting too many samples, making the method faster, more accurate and more practical, so that it can meet the demands posed by the development of malicious mobile Internet application software.
Brief description of the drawings
Fig. 1 is a flow chart of the operation steps of the behavior-model-based detection of malicious mobile Internet application software according to the invention.
Fig. 2 is a flow chart of the similarity vector formation process in step (1) of the method.
Fig. 3 is a flow chart of the training of the non-malicious behavior model in the method.
Fig. 4 is a flow chart of step (3) of the method, which judges whether the application software under test is malicious application software.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and the test results of an embodiment.
The present invention is a method for detecting malicious mobile Internet application software based on a behavior model. The method first runs the application software to be detected and extracts characteristic parameters over a period of its execution, then compares these parameters against the hidden Markov models of several basic software operation types to obtain a similarity vector. The similarity vector is then given simple post-processing. Finally, the result is analyzed with the non-malicious behavior model to judge whether the application software under test is malicious application software. When detecting malicious application software, the invention overcomes two weaknesses of the prior art: incomplete definitions of malicious behavior and excessively large training data sets.
Referring to Fig. 1, the operation steps of the method of analyzing malicious application software according to a behavior model, together with an embodiment of the invention and its simulation, are as follows:
Step 1: analyze the mobile Internet application software to be detected using a hidden Markov model, obtain the similarity of the current program to each behavior type, and form a similarity vector;
Referring to Fig. 2, step 1 comprises the following specific operations:
(11) run the mobile Internet application software to be analyzed, monitor its behavior and record its behavioral features over a fairly long period; segment the record according to a set duration, dividing the behavior data of the application software into a sequence of behavior segments. In the validation, the total monitoring time for each application was about 1-2 hours, and each segment lasted 300 s.
(12) extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network occupation time, segment 2G/3G network occupation time, segment camera open count, segment location information acquisition, and segment device information acquisition. Here, segment average CPU occupancy is the application software's average per-second occupancy of the CPU during the monitoring period; segment average memory occupancy is the application software's average per-second occupancy of memory during the monitoring period; segment privacy access count is the total number of times the application software accesses the user's address book, pictures and short messages during the monitoring period; segment network occupation time is the time for which the application software accesses the wifi network during the monitoring period; segment camera open count is the number of times the application software opens the phone camera during the monitoring period; segment location information acquisition indicates whether the application software obtained the user's location information during the monitoring period (1 if so, 0 if not); segment device information acquisition indicates whether the application software obtained the device information IMEI number, baseband version and kernel version during the monitoring period (1 if so, 0 if not).
(13) model and detect basic software operations using hidden Markov models: during training, use the Baum-Welch algorithm to adjust the parameters of each hidden Markov model; once the model for each type has been obtained, use the Viterbi algorithm to compute the similarity between the application software under test and each model, that is, the maximum likelihood value, and form the maximum likelihood value vector from these values.
Hidden Markov models (HMMs) describe well how parameters change over time and are widely used in systems that analyze time-varying behavior. The method of the invention likewise uses hidden Markov models to model and detect basic software operations: during training, the Baum-Welch algorithm adjusts the parameters of each hidden Markov model; once the model for each type has been obtained, the Viterbi algorithm computes the similarity between the application software under test and each model, that is, the maximum likelihood value; the maximum likelihood values are then assembled into the likelihood value vector.
The maximum likelihood values are assembled into the likelihood value vector as follows:
(131) suppose that N basic software operation types are to be modeled in total, and that the similarity of the behavior of the application under test to the i-th type, that is, the maximum likelihood value, is $c_i$; the maximum likelihood value vector of the application under test is then $c = [c_1, c_2, \ldots, c_N]$.
Step 2: post-process the maximum likelihood value vector, filtering out noise, to form the type detection vector;
Specifically:
(21) if the similarity between the behavior of the application under test and the i-th basic operation type is less than or equal to 1/N, the match between the application and that operation type is considered low, and to simplify the subsequent analysis the similarity is set to 0. That is:
$$d_i = \begin{cases} c_i & \text{if } c_i > \frac{1}{N} \\ 0 & \text{if } c_i \le \frac{1}{N} \end{cases}$$
where $d_i$ is called the corrected maximum likelihood value;
(22) from the corrected maximum likelihood values, form the type detection vector:
type detection vector $d = [d_1, d_2, \ldots, d_N]$
After the type detection vector has been obtained, the invention uses a neural network to model non-malicious behavior and judges by on-line testing whether the application under test is malicious application software. This is the key step of the invention: step 3.
Step 3: first, in an off-line training mode, build the behavior model of non-malicious application software using a neural-network-based method; then, using the trained model, judge by on-line testing whether the application software under test is malicious application software.
Referring to Fig. 3, the off-line training part of step 3 is as follows:
(31) build the non-malicious behavior model for application software; the model is expressed as:
$$y = \sum_{i=1}^{N} w_i - \theta$$
where $y$ is the output of the neural network, $w_i$ is the weight relating non-malicious behavior to each basic software operation, and $\theta$ is the anomaly threshold.
(32) collect a large number of non-malicious application software samples and, by off-line training of the neural network on non-malicious behavior, obtain the weights relating non-malicious behavior to each basic software operation type and the threshold for malicious behavior;
As shown in Fig. 4, the on-line testing part of step 3 mainly consists of:
(33) by on-line testing, feed the type detection vector of the current application software into the neural network: if the output of the neural network is greater than 0, the current application software is not malicious application software; if the output is less than 0, the current application software is malicious application software.
In short, the tests of the simulated embodiment of the invention were successful and the purpose of the invention was achieved.
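An added sketch of steps 1 to 3 as described above (not code from the patent). It assumes that each behavior segment has already been quantized to one of three symbols, that the three HMMs and the weights and threshold are constructed stand-ins for trained values, that similarity is the per-segment geometric mean of the Viterbi path probability, and that the network output weights each d_i by w_i; none of these details are fixed by the page.

```python
import math

# One observation symbol per fixed-length behaviour segment (the page uses
# 300 s segments). Collapsing the eight per-segment features into three
# symbols is an assumption made to keep the example small.
IDLE, NETWORK, PRIVACY = 0, 1, 2

# Constructed stand-ins for the per-type HMMs that Baum-Welch training would
# produce: (start probabilities, transition matrix, emission matrix), two
# hidden states each. Type names follow benign activities the page lists.
HMMS = {
    "browse": ([0.6, 0.4],
               [[0.6, 0.4], [0.7, 0.3]],
               [[0.80, 0.15, 0.05], [0.20, 0.75, 0.05]]),
    "video": ([0.1, 0.9],
              [[0.5, 0.5], [0.05, 0.95]],
              [[0.85, 0.10, 0.05], [0.03, 0.95, 0.02]]),
    "chat": ([0.7, 0.3],
             [[0.7, 0.3], [0.5, 0.5]],
             [[0.85, 0.10, 0.05], [0.10, 0.60, 0.30]]),
}
TYPES = list(HMMS)          # fixed order of the N basic operation types
WEIGHTS = [0.9, 1.0, 0.8]   # constructed w_i; the page obtains them by off-line training
THETA = 0.2                 # constructed anomaly threshold


def viterbi_log_prob(hmm, obs):
    """Log probability of the single best hidden-state path for obs."""
    start, trans, emit = hmm
    states = range(len(start))
    score = [math.log(start[s]) + math.log(emit[s][obs[0]]) for s in states]
    for o in obs[1:]:
        score = [max(score[p] + math.log(trans[p][s]) for p in states)
                 + math.log(emit[s][o]) for s in states]
    return max(score)


def similarity_vector(obs):
    """Step 1: c_i per type, scaled to (0, 1] by the sequence length (assumption)."""
    if not obs:
        raise ValueError("need at least one behaviour segment")
    return [math.exp(viterbi_log_prob(HMMS[t], obs) / len(obs)) for t in TYPES]


def type_detection_vector(c):
    """Step 2: d_i = c_i if c_i > 1/N, otherwise 0."""
    n = len(c)
    return [ci if ci > 1.0 / n else 0.0 for ci in c]


def network_output(d, weights=WEIGHTS, theta=THETA):
    """Step 3: y = sum(w_i * d_i) - theta; using d_i as the input is an assumption."""
    return sum(w * di for w, di in zip(weights, d)) - theta


def classify(obs):
    c = similarity_vector(obs)
    d = type_detection_vector(c)
    y = network_output(d)
    # The page defines y > 0 (not malicious) and y < 0 (malicious); y == 0 is
    # left unspecified there and is reported as not malicious here.
    return {"c": c, "d": d, "y": y, "malicious": y < 0}


# Constructed traces, twelve segments each.
VIDEO_TRACE = [NETWORK] * 12
CHAT_TRACE = [IDLE, IDLE, NETWORK, PRIVACY, IDLE, IDLE,
              IDLE, NETWORK, NETWORK, IDLE, IDLE, IDLE]
PRIVACY_HEAVY_TRACE = [PRIVACY, PRIVACY, NETWORK, PRIVACY, PRIVACY, PRIVACY,
                       NETWORK, PRIVACY, PRIVACY, PRIVACY, PRIVACY, NETWORK]

if __name__ == "__main__":
    for name, trace in [("video", VIDEO_TRACE), ("chat", CHAT_TRACE),
                        ("privacy-heavy", PRIVACY_HEAVY_TRACE)]:
        r = classify(trace)
        print(name, [round(x, 3) for x in r["d"]], round(r["y"], 3),
              "malicious" if r["malicious"] else "not malicious")
```

A trace that no benign basic-operation HMM explains well has every d_i zeroed by the 1/N rule, so the output falls to −θ and the application is flagged without any malicious behavior having been defined in advance.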

Claims (7)

1. A method for detecting malicious mobile Internet application software based on a behavior model, characterized in that the method comprises the following operation steps:
(1) analyze the mobile Internet application software to be detected using a hidden Markov model, obtain the similarity of the current program to each basic software operation type, and form a similarity vector;
(2) post-process the similarity vector to obtain the type detection vector;
(3) first, in an off-line training mode, build the behavior model of non-malicious applications using a neural-network-based method; then, using the trained model, judge by on-line testing whether the current application software is malicious application software.
2. method according to claim 1 is characterized in that:
Described step (1) further comprises following content of operation:
(11) move the mobile Internet application software of required analysis, its behavior is monitored, according to the duration of setting, carry out staging treating, the behavioral data of mobile Internet application software is divided into to a behavior section sequence;
(12) feature of each behavior section in extraction behavior section sequence: the average occupancy of section CPU, the average occupancy of section internal memory, section privacy access times, section wifi network holding time, section 2G/3G network holding time, section camera opening times, fragment position acquisition of information, section apparatus information acquiring.
(13) utilize Hidden Markov Model (HMM) to operate and carry out modeling and detection basic software: first in training process, to adopt the Baum-Welch algorithm to adjust the parameters in Hidden Markov Model (HMM), after obtaining each corresponding model, calculate and detect again the application software of current detection and the similarity degree of each model with the Viterbi algorithm, be the maximum likelihood value, form maximum likelihood value vector on the basis of maximum likelihood value.
3. method according to claim 2 is characterized in that:
Described step (12) further comprises following content of operation:
(121) a section CPU average occupancy refer to application software in storage and monitoring time segment average p.s. the occupancy to CPU;
(122) a section internal memory average occupancy refer to application software in storage and monitoring time segment average p.s. the occupancy to internal memory;
(123) section privacy access times refer to the total degree of application software calling party address list, picture and note in storage and monitoring time segment;
(124) a section network holding time refers to that application software accesses the time of wifi network in storage and monitoring time segment;
(125) a section camera opening times refers to that application software opens the number of times of mobile phone cam in storage and monitoring time segment;
(126) the fragment position acquisition of information has indicated application software whether to obtain customer position information in storage and monitoring time segment, if having, this is characterized as 1, if do not have, this is characterized as 0;
(127) the section apparatus information acquiring has indicated application software whether to obtain IMEI number, baseband version, these facility informations of kernel version in storage and monitoring time segment, if having, this is characterized as 1, if do not have, this is characterized as 0.
4. The method according to claim 2, characterized in that:
Said step (13) further comprises the following operations:
(131) suppose that N basic software operation types need to be modeled in total, and that the degree of similarity between the behavior of the application currently under detection and the i-th type, i.e. the maximum likelihood value, is $c_i$; the maximum likelihood value vector of the application currently under detection is then $c = [c_1, c_2, \ldots, c_N]$.
5. The method according to claim 1, characterized in that:
Said step (2) further comprises the following operations:
(21) if the degree of similarity between the behavior of the application currently under detection and the i-th basic operation type is less than or equal to 1/N, the matching degree between that application and this operation type is considered low and, to simplify subsequent analysis, its similarity is corrected to 0. That is:
$$d_i = \begin{cases} c_i & \text{if } c_i > \frac{1}{N} \\ 0 & \text{if } c_i \le \frac{1}{N} \end{cases}$$
where $d_i$ is called the corrected value of the maximum likelihood value;
(22) on the basis of the corrected maximum likelihood values, form the type detection vector:
Type detection vector $d = [d_1, d_2, \ldots, d_N]$
6. The method according to claim 2, characterized in that: the set duration range in said step (11) is a short duration of 200 s to 500 s.
7. The method according to claim 1, characterized in that:
Said step (3) further comprises the following operations:
(31) establish a non-malicious behavior model for application software; the model is expressed as:
$$y = \sum_{i=1}^{N} w_i - \theta$$
where $y$ denotes the output of the neural network, $w_i$ denotes the weight values relating non-malicious behavior to the various basic software operations, and $\theta$ denotes the anomaly threshold.
(32) collect a large number of non-malicious application software samples and, by off-line training, train a neural network on non-malicious behavior to obtain the weight values relating non-malicious behavior to each basic software operation type and the threshold value of malicious behavior;
(33) by on-line testing, input the type detection vector of the current application software into the neural network for calculation: if the output of the neural network is greater than 0, the current application software is not malicious application software; if the output of the neural network is less than 0, the current application software is malicious application software.
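The scoring chain of steps (13), (21), (22) and (33), carried through on constructed data as an added example (not code from the patent). Assumptions: the two-symbol quantisation of a behavior section, the three hand-written HMMs standing in for Baum-Welch-trained models, the scaling of the Viterbi scores so they sum to 1 (which is what makes the 1/N cut-off meaningful), the weights and threshold, and the reading of the model as a weighted sum over $d_i$; all probabilities must be strictly positive.

```python
import math

def viterbi_log_prob(obs, start, trans, emit):
    """Log-probability of the best hidden-state path for obs under one discrete HMM."""
    states = range(len(start))
    v = [math.log(start[s] * emit[s][obs[0]]) for s in states]
    for o in obs[1:]:
        v = [max(v[p] + math.log(trans[p][s]) for p in states) + math.log(emit[s][o])
             for s in states]
    return max(v)

def likelihood_vector(obs, models):
    """c: one Viterbi score per basic-operation model, scaled to sum to 1 (assumption)."""
    logs = [viterbi_log_prob(obs, *m) for m in models]
    top = max(logs)                      # subtract the max before exp() to avoid underflow
    raw = [math.exp(x - top) for x in logs]
    return [r / sum(raw) for r in raw]

def type_detection_vector(c):
    """Steps (21)/(22): d_i = c_i if c_i > 1/N, else 0."""
    return [ci if ci > 1.0 / len(c) else 0.0 for ci in c]

def verdict(d, weights, theta):
    """Step (33): y > 0 is not malicious, y < 0 malicious; y == 0 is left open by the claim."""
    y = sum(w * di for w, di in zip(weights, d)) - theta   # weighting d_i is an assumption
    return "not malicious" if y > 0 else "malicious" if y < 0 else "undetermined"

# Constructed models (start, transition, emission); symbols: 0 = quiet, 1 = privacy access.
UNIFORM = [[0.5, 0.5], [0.5, 0.5]]
MODELS = [
    ([0.5, 0.5], [[0.1, 0.9], [0.9, 0.1]], [[0.8, 0.2], [0.2, 0.8]]),  # type 1: alternating
    ([0.5, 0.5], UNIFORM, [[0.9, 0.1], [0.7, 0.3]]),                   # type 2: mostly quiet
    ([0.5, 0.5], UNIFORM, [[0.1, 0.9], [0.3, 0.7]]),                   # type 3: mostly access
]
W, THETA = [0.8, 0.7, 0.1], 0.4          # constructed stand-ins for trained w_i and theta

if __name__ == "__main__":
    for name, obs in [("app A", [0, 1, 0, 1]), ("app B", [1, 1, 1, 1])]:
        d = type_detection_vector(likelihood_vector(obs, MODELS))
        print(name, [round(x, 3) for x in d], verdict(d, W, THETA))
```

With these constructed values, app A matches only type 1 and scores above the threshold, while app B matches only the low-weight type 3 and falls below it.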

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310444710.9A CN103500307A (en) 2013-09-26 2013-09-26 Mobile internet malignant application software detection method based on behavior model

Publications (1)

Publication Number Publication Date
CN103500307A true CN103500307A (en) 2014-01-08

Family

ID=49865515

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310444710.9A Pending CN103500307A (en) 2013-09-26 2013-09-26 Mobile internet malignant application software detection method based on behavior model

Country Status (1)

Country Link
CN (1) CN103500307A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN2651841Y (en) * 2003-10-31 2004-10-27 港湾网络有限公司 Protector of CPU external bus
GB2466120A (en) * 2008-12-11 2010-06-16 Scansafe Ltd Detecting malware by comparing files with models of normal files
CN102163427A (en) * 2010-12-20 2011-08-24 北京邮电大学 Method for detecting audio exceptional event based on environmental model

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SHABTAI A, KANONOV U, ELOVICI Y: ""Andromaly": a behavioral malware detection framework for android devices", 《JOURNAL OF INTELLIGENT INFORMATION SYSTEMS》 *
王蕊, 冯登国, 杨铁, 苏璞睿: "Semantics-based method for extracting and detecting behavioral features of malicious code", 《软件学报》 (Journal of Software) *

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778372B (en) * 2014-01-13 2016-10-19 福建师范大学 A kind of spectral method identifying computer software behavior
CN103778372A (en) * 2014-01-13 2014-05-07 陈黎飞 Spectral method for identifying computer software action
CN104038929A (en) * 2014-05-09 2014-09-10 宇龙计算机通信科技(深圳)有限公司 Network access anomaly identification method and network access anomaly identification device
CN104239196A (en) * 2014-09-17 2014-12-24 北京金山安全软件有限公司 Method and device for detecting abnormal operation of application program and mobile terminal
CN105787365A (en) * 2014-12-24 2016-07-20 Tcl集团股份有限公司 Malicious application detection method and device
CN104866763A (en) * 2015-05-28 2015-08-26 天津大学 Permission-based Android malicious software hybrid detection method
CN104866763B (en) * 2015-05-28 2019-02-26 天津大学 Android malware mixing detection method based on permission
CN105160248B (en) * 2015-07-02 2018-04-24 哈尔滨工程大学 A kind of Xen virtual machine malicious process identifying systems and method based on correlation beta pruning neutral net
CN105160248A (en) * 2015-07-02 2015-12-16 哈尔滨工程大学 Correlation pruning neural network based identification system and method for malicious process of Xen virtual machine
CN105446741A (en) * 2015-12-10 2016-03-30 北京邮电大学 API (Application Program Interface) comparison based mobile application identification method
CN105446741B (en) * 2015-12-10 2018-09-28 北京邮电大学 A kind of mobile applications discrimination method compared based on API
CN106878314B (en) * 2017-02-28 2019-12-10 南开大学 Network malicious behavior detection method based on credibility
CN106878314A (en) * 2017-02-28 2017-06-20 南开大学 Network malicious act detection method based on confidence level
CN107392024A (en) * 2017-08-08 2017-11-24 微梦创科网络科技(中国)有限公司 A kind of recognition methods of rogue program and device
CN107707553B (en) * 2017-10-18 2020-02-07 北京启明星辰信息安全技术有限公司 Weak password scanning method and device and computer storage medium
CN107707553A (en) * 2017-10-18 2018-02-16 北京启明星辰信息安全技术有限公司 Weak passwurd scan method, device and computer-readable storage medium
CN108566307A (en) * 2018-05-01 2018-09-21 北京广成同泰科技有限公司 A kind of network security protection strength assessment method and system of quantification
CN108566307B (en) * 2018-05-01 2021-07-30 北京广成同泰科技有限公司 Quantitative network security protection intensity evaluation method and system
CN108900432A (en) * 2018-07-05 2018-11-27 中山大学 A kind of perception of content method based on network Flow Behavior
CN108900432B (en) * 2018-07-05 2021-10-08 中山大学 Content perception method based on network flow behavior
CN109308411A (en) * 2018-08-20 2019-02-05 中国电力科学研究院有限公司 The method and system of layered weighting software action defect based on artificial intelligence decision tree
CN109919180A (en) * 2019-01-23 2019-06-21 平安科技(深圳)有限公司 Electronic device, the processing method of user operation records data and storage medium
CN109919180B (en) * 2019-01-23 2023-12-22 平安科技(深圳)有限公司 Electronic device, processing method of user operation record data and storage medium
CN111651761A (en) * 2019-03-04 2020-09-11 腾讯科技(深圳)有限公司 Black production electronic equipment detection method and device, server and storage medium
CN110674497A (en) * 2019-09-27 2020-01-10 厦门安胜网络科技有限公司 Malicious program similarity calculation method and device

Similar Documents

Publication Publication Date Title
CN103500307A (en) Mobile internet malignant application software detection method based on behavior model
CN103617393A (en) Method for mobile internet malicious application software detection based on support vector machines
KR101767454B1 (en) Method and apparatus of fraud detection for analyzing behavior pattern
US9973517B2 (en) Computing device to detect malware
CN104598824B (en) A kind of malware detection methods and device thereof
Liu et al. A novel approach for detecting browser-based silent miner
US20180124080A1 (en) Methods and Systems for Anomaly Detection Using Functional Specifications Derived from Server Input/Output (I/O) Behavior
WO2017071148A1 (en) Cloud computing platform-based intelligent defense system
CN109787943A (en) A kind of method and apparatus of resisting abnegation service aggression
CN107659570A (en) Webshell detection methods and system based on machine learning and static and dynamic analysis
KR20180006380A (en) Methods and systems for behavior-specific actuation for real-time whitelisting
Li et al. Opcode sequence analysis of Android malware by a convolutional neural network
Li et al. An Android malware detection method based on AndroidManifest file
CN103401845B (en) A kind of detection method of website safety, device
Yang et al. Power consumption based android malware detection
CN106599688A (en) Application category-based Android malicious software detection method
CN103136476A (en) Mobile intelligent terminal malicious software analysis system
CN116010947A (en) Android malicious software detection method based on heterogeneous network
Maryam et al. cHybriDroid: A Machine Learning‐Based Hybrid Technique for Securing the Edge Computing
CN116980162A (en) Cloud audit data detection method, device, equipment, medium and program product
CN104978523A (en) Malicious sample capture method and system based on network hot word recognition
Amamra et al. Enhancing malware detection for Android systems using a system call filtering and abstraction process
Burgess et al. Manic: Multi-step assessment for crypto-miners
CN105653941A (en) Heuristic detection method and system for phishing website
Yuan et al. Research of intrusion detection system on android

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140108