CN103886253A - Data leakage detection method, device and system - Google Patents

Publication number
CN103886253A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410116905.5A
Other languages
Chinese (zh)
Other versions
CN103886253B (en)
Inventor
徐辉
周扬帆
吕荣聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Research Institute of CUHK
Original Assignee
Shenzhen Research Institute of CUHK
Current legal status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/72 Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality

Abstract

The invention provides a method, device and system for detecting data leakage. When a data leak is detected while an application is running, the leakage feature and operation result of the application are obtained, stored, and sent to a mobile terminal. The mobile terminal obtains from a server the data corresponding to the identifier and version number of the application; when the leakage feature and operation result of the application have been obtained, the terminal obtains the runtime features of the application, compares the leakage feature with the runtime features, and, if they are identical, displays the operation result to the user. Taint tracking is thereby realized on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of the data leakage detection technique is improved and the computation overhead is reduced while accuracy is preserved.

Description

A method, device and system for detecting data leakage
Technical field
The present invention relates to the field of communications, and in particular to a method, device and system for detecting data leakage.
Background
Because most application software is not open source, some static analysis techniques cannot be applied. The main existing dynamic analysis technique recompiles the Android operating system so that tainted data can be tracked; if such data is sent over the network, the user is alerted to where the data went. The drawbacks of this method are poor usability, since the operating system must be recompiled and ordinary users cannot do that, and a relatively large computation overhead. Another approach monitors sensitive behavior by repackaging the application; its drawbacks are that repackaging may introduce new risks and that some software cannot be repackaged successfully.
In the prior art, monitoring and interception of user-sensitive behavior on Android phones generally monitors Android inter-process communication by means of injection. For example, the Android system implements a permission management mechanism that is mainly used to manage the permissions of applications, and its permission checking relies mainly on the permission check function in the libbinder.so dynamic library. When an application requests access to a sensitive resource defined by this permission management mechanism, the permission check function is called and verifies whether the application holds the corresponding permission. Most techniques for monitoring and intercepting user-sensitive behavior therefore rely on injecting into this dynamic library to achieve monitoring and interception. The drawback of this method is low accuracy: it can only monitor individual data-access events and cannot effectively determine whether an access will lead to a data leak or whether the data will be sent over the network, so the false-positive rate is relatively high.
Detection based on taint tracking consumes considerable phone resources, has a large overhead, and is difficult to run on a user's phone.
Summary of the invention
Embodiments of the present invention provide a method for detecting data leakage, intended to solve the problem of how to implement data leakage detection on a mobile terminal.
A method for detecting data leakage, the method comprising:
detecting whether there is a data leak while an application is running;
when a data leak is detected while the application is running, obtaining the leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak;
storing the leakage feature and operation result of the application, and sending the leakage feature and operation result of the application to a mobile terminal.
When no data leak is detected while the application is running, the method further comprises: storing the identifier and version number of the application in a first list;
storing the leakage feature and operation result of the application comprises:
storing the identifier, version number, leakage feature and operation result of the application in a second list.
Sending the leakage feature and operation result of the application to the mobile terminal comprises:
according to the identifier and version number of the application sent by the mobile terminal, sending to the mobile terminal the data in the first list and the second list that corresponds to the identifier and version number of the application, where the data is the identifier and version number of the application in the first list, and the identifier, version number, leakage feature and operation result of the application in the second list.
A method for detecting data leakage, the method comprising:
sending the identifier and version number of the application to a server, and obtaining from the server the data corresponding to the identifier and version number of the application, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak;
when the leakage feature and operation result of the application have been obtained, obtaining the runtime features of the application;
comparing the leakage feature of the application with the runtime features of the application and, if they are identical, displaying the operation result to the user.
A server, the server comprising:
a detecting unit, configured to detect whether there is a data leak while an application is running;
an acquiring unit, configured to obtain, when a data leak is detected while the application is running, the leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak;
a storage unit, configured to store the runtime features and operation result of the application;
a sending unit, configured to send the leakage feature and operation result of the application to a mobile terminal.
When a data leak is detected while the application is running, the storage unit is further configured to store the identifier and version number of the application in a first list;
the storage unit is configured to:
when a data leak is detected while the application is running, store the identifier, version number, leakage feature and operation result of the application in a second list.
The sending unit is specifically configured to:
according to the identifier and version number of the application sent by the mobile terminal, send to the mobile terminal the data in the first list and the second list that corresponds to the identifier and version number of the application, where the data is the identifier and version number of the application in the first list, and the identifier, version number, leakage feature and operation result of the application in the second list.
A mobile terminal, the mobile terminal comprising:
a sending unit, configured to send the identifier and version number of the application to a server and to obtain from the server the data corresponding to the identifier and version number of the application, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak;
an acquiring unit, configured to obtain the runtime features of the application when the leakage feature and operation result of the application have been obtained;
a comparison and display unit, configured to compare the leakage feature of the application with the runtime features of the application and, if they are identical, to display the operation result to the user.
A system for detecting data leakage, the system comprising a server and a mobile terminal;
the server is configured to detect whether there is a data leak while an application is running; when a data leak is detected while the application is running, to obtain the leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak; and to store the leakage feature and operation result of the application and send them to the mobile terminal;
the mobile terminal is configured to send the identifier and version number of the application to the server and to obtain from the server the data corresponding to the identifier and version number of the application, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak; when the leakage feature and operation result of the application have been obtained, to obtain the runtime features of the application; and to compare the leakage feature of the application with the runtime features of the application and, if they are identical, to display the operation result to the user.
When no data leak is detected while the application is running, the method further comprises: storing the identifier and version number of the application in a first list;
storing the leakage feature and operation result of the application comprises:
storing the identifier, version number, leakage feature and operation result of the application in a second list;
sending the leakage feature and operation result of the application to the mobile terminal comprises:
according to the identifier and version number of the application sent by the mobile terminal, sending to the mobile terminal the data in the first list and the second list that corresponds to the identifier and version number of the application, where the data is the identifier and version number of the application in the first list, and the identifier, version number, leakage feature and operation result of the application in the second list.
An embodiment of the present invention provides a method for detecting data leakage. The method detects whether there is a data leak while an application is running; when a data leak is detected while the application is running, the leakage feature and operation result of the application are obtained, the operation result comprising at least the content of the data leak and the destination address of the data leak; the leakage feature and operation result of the application are stored and sent to the mobile terminal. The mobile terminal sends the identifier and version number of the application to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak. When the leakage feature and operation result of the application have been obtained, the runtime features of the application are obtained and compared with the leakage feature; if they are identical, the operation result is displayed to the user. Taint-tracking detection is thereby realized on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of the data leakage detection technique is improved and the computation overhead is reduced while accuracy is preserved.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a structural diagram of a data leakage system provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of another data leakage system provided by an embodiment of the present invention;
Fig. 3 is a flowchart of a method for detecting data leakage provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a method for detecting data leakage provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of a server provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of a mobile terminal provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, Fig. 1 is a structural diagram of a data leakage system provided by an embodiment of the present invention. As shown in Fig. 1, the data leakage system comprises:
a server 101 and a mobile terminal 102;
the server 101 is configured to detect whether there is a data leak while an application is running; when a data leak is detected while the application is running, to obtain the leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak; and to store the leakage feature and operation result of the application and send them to the mobile terminal;
the mobile terminal 102 is configured to send the identifier and version number of the application to the server 101 and to obtain from the server the data corresponding to the identifier and version number of the application, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak; when the leakage feature and operation result of the application have been obtained, to obtain the runtime features of the application; and to compare the leakage feature of the application with the runtime features of the application and, if they are identical, to display the operation result to the user.
The server 101 comprises a detecting unit 1011, an acquiring unit 1012, a storage unit 1013 and a sending unit 1014;
the detecting unit 1011 is configured to detect whether there is a data leak while an application is running;
the acquiring unit 1012 is configured to obtain, when a data leak is detected while the application is running, the leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak;
the storage unit 1013 is configured to store the runtime features and operation result of the application;
the sending unit 1014 is configured to send the leakage feature and operation result of the application to the mobile terminal.
The mobile terminal 102 comprises a sending unit 1021, an acquiring unit 1022 and a comparison and display unit 1023;
the sending unit 1021 is configured to send the identifier and version number of the application to the server and to obtain from the server the data corresponding to the identifier and version number of the application, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak;
the acquiring unit 1022 is configured to obtain the runtime features of the application when the leakage feature and operation result of the application have been obtained;
the comparison and display unit 1023 is configured to compare the leakage feature of the application with the runtime features of the application and, if they are identical, to display the operation result to the user.
Specifically, a detecting unit 1011, an acquiring unit 1012, a storage unit 1013 and a sending unit 1014 are added to the Android system. The detecting unit 1011 uses the taint method to detect whether data leakage behavior is currently occurring. The acquiring unit 1012 obtains the current runtime features of the Android system and the application: it injects into the service process of the Android system and the process of the application by means of ptrace and obtains the call data of key standard functions such as ioctl, connect and read. When the detecting unit 1011 detects a data leak, the behavioral features related to that leak are extracted. For example, if the detecting unit 1011 detects that the address book is being leaked, the data features of the address book access can be obtained from the ioctl call data captured by the acquiring unit 1012. The mobile terminal obtains the current runtime features of the system and the application through the acquiring unit 1022, which injects into the system_server process of the Android system and the process of the application by means of ptrace and obtains the call data of key standard functions such as ioctl, connect and read. A sending unit 1021, an acquiring unit 1022 and a comparison and display unit 1023 are added to the mobile terminal; the comparison and display unit 1023 analyzes whether the runtime features of the application obtained by the acquiring unit 1022 are identical to the leakage feature of the application, and if a matching feature is found, the leaked content is displayed to the user.
An embodiment of the present invention provides a system for detecting data leakage. The system detects whether there is a data leak while an application is running; when a data leak is detected while the application is running, the leakage feature and operation result of the application are obtained, the operation result comprising at least the content of the data leak and the destination address of the data leak; the leakage feature and operation result of the application are stored and sent to the mobile terminal. The mobile terminal sends the identifier and version number of the application to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak. When the leakage feature and operation result of the application have been obtained, the runtime features of the application are obtained and compared with the leakage feature; if they are identical, the operation result is displayed to the user. Taint-tracking detection is thereby realized on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of the data leakage detection technique is improved and the computation overhead is reduced while accuracy is preserved.
Referring to Fig. 2, Fig. 2 is a structural diagram of another data leakage system provided by an embodiment of the present invention. As shown in Fig. 2, modules such as a TaintDroid module and an injection module are added to the Android system. The TaintDroid module uses the taint method to detect whether data leakage behavior is currently occurring. The injection module obtains the current runtime features of the Android system and the application: it injects into the service process of the Android system and the process of the application by means of ptrace and obtains the call data of key standard functions such as ioctl, connect and read. When the TaintDroid module detects a data leak, the behavioral features related to that leak are extracted. For example, if the TaintDroid module detects that the address book is being leaked, the data features of the address book access can be obtained from the ioctl call data captured by the injection module. The mobile terminal obtains the current runtime features of the system and the application through an injection module, which injects into the system_server process of the Android system and the process of the application by means of ptrace and obtains the call data of key standard functions such as ioctl, connect and read. An injection module, an analysis engine module, a feature synchronization module, a response module and so on are added to the mobile terminal. The analysis engine module analyzes the real-time data produced by the injection module and compares it one by one with the entries of the leakage feature database; if a matching feature is found, the response module is triggered. The leakage feature database is obtained from the server through the feature synchronization module. The feature synchronization module requests from the server the leakage feature data corresponding to the applications currently installed on the phone and, after downloading it, saves it to the local leakage feature database. The response module notifies the user when data leakage behavior is found and displays the leaked content and the destination address of the leak to the user.
An embodiment of the present invention provides a system for detecting data leakage. The system detects whether there is a data leak while an application is running; when a data leak is detected while the application is running, the leakage feature and operation result of the application are obtained, the operation result comprising at least the content of the data leak and the destination address of the data leak; the leakage feature and operation result of the application are stored and sent to the mobile terminal. The mobile terminal sends the identifier and version number of the application to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising either the identifier and version number of the application, or the identifier, version number, leakage feature and operation result of the application, the operation result comprising at least the content of the data leak and the destination address of the data leak. When the leakage feature and operation result of the application have been obtained, the runtime features of the application are obtained and compared with the leakage feature; if they are identical, the operation result is displayed to the user. Taint-tracking detection is thereby realized on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of the data leakage detection technique is improved and the computation overhead is reduced while accuracy is preserved.
Referring to Fig. 3, Fig. 3 is a flowchart of a method for detecting data leakage provided by an embodiment of the present invention. As shown in Fig. 2, the method comprises:
Step 301: the server detects whether there is a data leak while an application is running;
Specifically, a detecting unit 1011, an acquiring unit 1012, a storage unit 1013 and a sending unit 1014 are added to the Android system. The detecting unit 1011 uses the taint method to detect whether data leakage behavior is currently occurring. The acquiring unit 1012 obtains the current runtime features of the Android system and the application: it injects into the service process of the Android system and the process of the application by means of ptrace and obtains the call data of key standard functions such as ioctl, connect and read.
Step 302: when a data leak is detected while the application is running, the leakage feature and operation result of the application are obtained, the operation result comprising at least the content of the data leak and the destination address of the data leak;
Specifically, when the detecting unit 1011 detects a data leak, the behavioral features related to that leak are extracted. For example, if the detecting unit 1011 detects that the address book is being leaked, the data features of the address book access can be obtained from the ioctl call data captured by the acquiring unit 1012.
Step 303: the leakage feature and operation result of the application are stored, and the leakage feature and operation result of the application are sent to the mobile terminal.
Optionally, when no data leak is detected while the application is running, the method further comprises: storing the identifier and version number of the application in a first list;
storing the leakage feature and operation result of the application comprises:
storing the identifier, version number, leakage feature and operation result of the application in a second list.
Specifically, Table 1 shows the format of the first list and Table 2 shows the format of the second list. The identifier of the application is the package name of the application, and the leaked content refers to the content leaked by the application and the destination address of the leak. For example, what the application currently leaks is SMS content, and the destination address to which the SMS content is leaked is the remote server address 100.10.10.12.
[Table 1 (image not reproduced)]
[Table 2 (image not reproduced)]
Optionally, sending the application's leakage features and operation result to the mobile terminal comprises:
according to the application identifier and version number sent by the mobile terminal, sending to the mobile terminal the data in the first list and the second list that corresponds to that identifier and version number; in the first list the data is the application's identifier and version number, and in the second list the data is the application's identifier, version number, leakage features and operation result.
The mobile terminal obtains the current run-time features of the system and the application through the acquiring unit 1022: it injects into the system_server process of the Android system and into the application's process using ptrace, and obtains the call data of key standard functions such as ioctl, connect and read. A sending unit 1021, an acquiring unit 1022 and a comparison and display unit 1023 are added to the mobile terminal. The comparison and display unit 1023 analyses whether the application's run-time features obtained by the acquiring unit 1022 are identical to the application's leakage features and, if a matching feature is found, displays the leaked content to the user.
This embodiment of the present invention provides a method for detecting data leaks. The method detects whether a data leak occurs while an application is running; when a data leak is detected while the application is running, it obtains the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak; it stores the application's leakage features and operation result and sends them to the mobile terminal. The mobile terminal sends the application's identifier and version number to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak. Once the application's leakage features and operation result have been obtained, the application's run-time features are obtained; the application's leakage features are compared with its run-time features and, if they are identical, the operation result is displayed to the user, thereby realizing taint-tracking detection on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of data-leak detection is improved and the computational overhead is reduced while accuracy is preserved.
Referring to Fig. 4, Fig. 4 is a flowchart of a method for detecting data leaks provided by an embodiment of the present invention. As shown in Fig. 4, the method comprises the following steps:
Step 401: the mobile terminal sends the application's identifier and version number to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
Step 402: once the application's leakage features and operation result have been obtained, obtain the application's run-time features;
Step 403: compare the application's leakage features with its run-time features and, if they are identical, display the operation result to the user.
Specifically, the mobile terminal obtains the current run-time features of the system and the application through the acquiring unit 1022: it injects into the system_server process of the Android system and into the application's process using ptrace, and obtains the call data of key standard functions such as ioctl, connect and read. A sending unit 1021, an acquiring unit 1022 and a comparison and display unit 1023 are added to the mobile terminal. The comparison and display unit 1023 analyses whether the application's run-time features obtained by the acquiring unit 1022 are identical to the application's leakage features and, if a matching feature is found, displays the leaked content to the user.
This embodiment of the present invention provides a method for detecting data leaks. The method detects whether a data leak occurs while an application is running; when a data leak is detected while the application is running, it obtains the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak; it stores the application's leakage features and operation result and sends them to the mobile terminal. The mobile terminal sends the application's identifier and version number to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak. Once the application's leakage features and operation result have been obtained, the application's run-time features are obtained; the application's leakage features are compared with its run-time features and, if they are identical, the operation result is displayed to the user, thereby realizing taint-tracking detection on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of data-leak detection is improved and the computational overhead is reduced while accuracy is preserved.
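The server lookup by identifier and version number and the terminal-side comparison described above, expressed in Python. This is an added example, not code from the patent: the feature format (an ordered tuple of hooked-call records), in-order matching as the meaning of "identical", the `not-analysed` answer for a build found in neither list, and all class, function and package names are assumptions.

```python
from dataclasses import dataclass

# Assumed feature format (the patent's Table 1 and Table 2 are not reproduced
# on the page): an ordered tuple of (function, detail) records for hooked
# calls such as ioctl, connect and read.


@dataclass(frozen=True)
class LeakRecord:
    leak_feature: tuple   # ordered (function, detail) call records
    content: str          # operation result: what was leaked
    destination: str      # operation result: where it was sent


class LeakServer:
    """Server side: taint-tracking results keyed by (package name, version)."""

    def __init__(self):
        self.first_list = set()   # analysed builds with no leak observed
        self.second_list = {}     # analysed builds with leaks -> [LeakRecord]

    def store(self, package, version, leaks=()):
        key = (package, version)
        if leaks:
            # A build found leaking must not stay in the clean list.
            self.first_list.discard(key)
            self.second_list.setdefault(key, []).extend(leaks)
        elif key not in self.second_list:
            self.first_list.add(key)

    def lookup(self, package, version):
        """Answer a terminal query; None means this build was never analysed."""
        key = (package, version)
        if key in self.second_list:
            return {"package": package, "version": version,
                    "leaks": list(self.second_list[key])}
        if key in self.first_list:
            return {"package": package, "version": version, "leaks": []}
        return None


def feature_in_trace(feature, trace):
    """True if every call of the feature occurs in the trace, in the same order."""
    remaining = iter(trace)
    return all(call in remaining for call in feature)


def check_app(server, package, version, trace):
    """Terminal side: query by identifier and version, then compare features."""
    answer = server.lookup(package, version)
    if answer is None:
        return "not-analysed", []      # assumed handling; the patent is silent
    if not answer["leaks"]:
        return "no-known-leak", []
    alerts = [f"{r.content} -> {r.destination}" for r in answer["leaks"]
              if feature_in_trace(r.leak_feature, trace)]
    return ("leak-detected" if alerts else "no-match"), alerts


# Constructed sample data: package names and call details are invented; the
# destination address is the one used in the patent's own example.
SMS_LEAK = LeakRecord(
    leak_feature=(("ioctl", "binder:sms-provider"), ("connect", "100.10.10.12")),
    content="SMS content",
    destination="100.10.10.12",
)
LEAKING_TRACE = [
    ("read", "/data/app.cfg"),
    ("ioctl", "binder:sms-provider"),
    ("read", "socket"),
    ("connect", "100.10.10.12"),
]
# Same calls in the opposite order: the connection precedes the SMS access.
REORDERED_TRACE = [("connect", "100.10.10.12"), ("ioctl", "binder:sms-provider")]


def demo_server():
    server = LeakServer()
    server.store("com.example.notes", "2.0")                  # first list
    server.store("com.example.smsbackup", "1.2", [SMS_LEAK])  # second list
    return server


if __name__ == "__main__":
    srv = demo_server()
    for pkg, ver, trace in [
        ("com.example.smsbackup", "1.2", LEAKING_TRACE),
        ("com.example.smsbackup", "1.2", REORDERED_TRACE),
        ("com.example.notes", "2.0", LEAKING_TRACE),
        ("com.example.smsbackup", "1.3", LEAKING_TRACE),
    ]:
        print(pkg, ver, check_app(srv, pkg, ver, trace))
```

Because both lists are keyed by version number, an updated build of a known-leaking application returns no signature until the server has analysed that version.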
Referring to Fig. 5, Fig. 5 is a structural diagram of a server provided by an embodiment of the present invention. As shown in Fig. 5, the device comprises the following units:
Detecting unit 501, configured to detect whether a data leak occurs while an application is running;
Specifically, a detecting unit 1011, an acquiring unit 1012, a storage unit 1013 and a sending unit 1014 are added to the Android system. The detecting unit 1011 uses a taint-based method to detect whether data-leak behaviour is currently occurring. The acquiring unit 1012 obtains the current run-time features of the Android system and the application: it injects into the service process of the Android system and into the application's process using ptrace, and obtains the call data of key standard functions such as ioctl, connect and read.
Acquiring unit 502, configured to obtain, when a data leak is detected while the application is running, the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
Specifically, when the detecting unit 1011 detects a data leak, the behavioural features associated with that leak are extracted. For example, if the detecting unit 1011 detects that the address book has been leaked, the data features of the address-book access can be obtained from the ioctl function-call data collected by the acquiring unit 1012.
Storage unit 503, configured to store the application's run-time features and operation result;
Optionally, when a data leak is detected while the application is running, the storage unit is further configured to: store the application's identifier and version number in a first list;
The storage unit 503 is configured to:
when a data leak is detected while the application is running, store the application's identifier, version number, leakage features and operation result in a second list.
Sending unit 504, configured to send the application's leakage features and operation result to the mobile terminal.
Optionally, the sending unit 504 is specifically configured to:
according to the application identifier and version number sent by the mobile terminal, send to the mobile terminal the data in the first list and the second list that corresponds to that identifier and version number; in the first list the data is the application's identifier and version number, and in the second list the data is the application's identifier, version number, leakage features and operation result.
The mobile terminal obtains the current run-time features of the system and the application through the acquiring unit 1022: it injects into the system_server process of the Android system and into the application's process using ptrace, and obtains the call data of key standard functions such as ioctl, connect and read. A sending unit 1021, an acquiring unit 1022 and a comparison and display unit 1023 are added to the mobile terminal. The comparison and display unit 1023 analyses whether the application's run-time features obtained by the acquiring unit 1022 are identical to the application's leakage features and, if a matching feature is found, displays the leaked content to the user.
This embodiment of the present invention provides a server. The server detects whether a data leak occurs while an application is running; when a data leak is detected while the application is running, it obtains the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak; it stores the application's leakage features and operation result and sends them to the mobile terminal. The mobile terminal sends the application's identifier and version number to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak. Once the application's leakage features and operation result have been obtained, the application's run-time features are obtained; the application's leakage features are compared with its run-time features and, if they are identical, the operation result is displayed to the user, thereby realizing taint-tracking detection on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of data-leak detection is improved and the computational overhead is reduced while accuracy is preserved.
Referring to Fig. 6, Fig. 6 is a structural diagram of a mobile terminal provided by an embodiment of the present invention. As shown in Fig. 6, the device comprises the following units:
Sending unit 601, configured to send the application's identifier and version number to the server and to obtain from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
Acquiring unit 602, configured to obtain the application's run-time features once the application's leakage features and operation result have been obtained;
Comparison and display unit 603, configured to compare the application's leakage features with its run-time features and, if they are identical, display the operation result to the user.
Specifically, the mobile terminal obtains the current run-time features of the system and the application through the acquiring unit 1022: it injects into the system_server process of the Android system and into the application's process using ptrace, and obtains the call data of key standard functions such as ioctl, connect and read. A sending unit 1021, an acquiring unit 1022 and a comparison and display unit 1023 are added to the mobile terminal. The comparison and display unit 1023 analyses whether the application's run-time features obtained by the acquiring unit 1022 are identical to the application's leakage features and, if a matching feature is found, displays the leaked content to the user.
This embodiment of the present invention provides a mobile terminal. The mobile terminal detects whether a data leak occurs while an application is running; when a data leak is detected while the application is running, it obtains the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak; it stores the application's leakage features and operation result and sends them to the mobile terminal. The mobile terminal sends the application's identifier and version number to the server and obtains from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak. Once the application's leakage features and operation result have been obtained, the application's run-time features are obtained; the application's leakage features are compared with its run-time features and, if they are identical, the operation result is displayed to the user, thereby realizing taint-tracking detection on the mobile terminal. Because the taint-tracking detection itself runs on the server, the usability of data-leak detection is improved and the computational overhead is reduced while accuracy is preserved.
The above is merely a preferred embodiment of the present invention, but the scope of protection of the invention is not limited to it. Any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (10)

1. A method for detecting data leaks, characterized in that the method comprises:
detecting whether a data leak occurs while an application is running;
when a data leak is detected while the application is running, obtaining the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
storing the application's leakage features and operation result, and sending the application's leakage features and operation result to a mobile terminal.
2. The method according to claim 1, characterized in that, when no data leak is detected while the application is running, the method further comprises: storing the application's identifier and version number in a first list;
storing the application's leakage features and operation result comprises:
storing the application's identifier, version number, leakage features and operation result in a second list.
3. The method according to claim 2, characterized in that sending the application's leakage features and operation result to the mobile terminal comprises:
according to the application identifier and version number sent by the mobile terminal, sending to the mobile terminal the data in the first list and the second list that corresponds to that identifier and version number; in the first list the data is the application's identifier and version number, and in the second list the data is the application's identifier, version number, leakage features and operation result.
4. A method for detecting data leaks, characterized in that the method comprises:
sending the application's identifier and version number to a server, and obtaining from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
once the application's leakage features and operation result have been obtained, obtaining the application's run-time features;
comparing the application's leakage features with its run-time features and, if they are identical, displaying the operation result to the user.
5. A server, characterized in that the server comprises:
a detecting unit, configured to detect whether a data leak occurs while an application is running;
an acquiring unit, configured to obtain, when a data leak is detected while the application is running, the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
a storage unit, configured to store the application's run-time features and operation result;
a sending unit, configured to send the application's leakage features and operation result to a mobile terminal.
6. The server according to claim 5, characterized in that,
when a data leak is detected while the application is running, the storage unit is further configured to: store the application's identifier and version number in a first list;
the storage unit is configured to:
when a data leak is detected while the application is running, store the application's identifier, version number, leakage features and operation result in a second list.
7. The server according to claim 6, characterized in that the sending unit is specifically configured to:
according to the application identifier and version number sent by the mobile terminal, send to the mobile terminal the data in the first list and the second list that corresponds to that identifier and version number; in the first list the data is the application's identifier and version number, and in the second list the data is the application's identifier, version number, leakage features and operation result.
8. A mobile terminal, characterized in that the mobile terminal comprises:
a sending unit, configured to send the application's identifier and version number to a server and to obtain from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak;
an acquiring unit, configured to obtain the application's run-time features once the application's leakage features and operation result have been obtained;
a comparison and display unit, configured to compare the application's leakage features with its run-time features and, if they are identical, display the operation result to the user.
9. A system for detecting data leaks, characterized in that the system comprises a server and a mobile terminal;
the server is configured to detect whether a data leak occurs while an application is running; when a data leak is detected while the application is running, to obtain the application's leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak; and to store the application's leakage features and operation result and send them to the mobile terminal;
the mobile terminal is configured to send the application's identifier and version number to the server and to obtain from the server the data corresponding to that identifier and version number, the data comprising the application's identifier and version number, or the application's identifier, version number, leakage features and operation result, the operation result comprising at least the leaked content and the destination address of the data leak; once the application's leakage features and operation result have been obtained, to obtain the application's run-time features; and to compare the application's leakage features with its run-time features and, if they are identical, display the operation result to the user.
10. The system according to claim 9, characterized in that, when no data leak is detected while the application is running, the method further comprises: storing the application's identifier and version number in a first list;
storing the application's leakage features and operation result comprises:
storing the application's identifier, version number, leakage features and operation result in a second list;
sending the application's leakage features and operation result to the mobile terminal comprises:
according to the application identifier and version number sent by the mobile terminal, sending to the mobile terminal the data in the first list and the second list that corresponds to that identifier and version number; in the first list the data is the application's identifier and version number, and in the second list the data is the application's identifier, version number, leakage features and operation result.
CN201410116905.5A 2014-03-26 2014-03-26 A kind of method, equipment and system for detecting data leak Expired - Fee Related CN103886253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410116905.5A CN103886253B (en) 2014-03-26 2014-03-26 A kind of method, equipment and system for detecting data leak

Publications (2)

Publication Number Publication Date
CN103886253A true CN103886253A (en) 2014-06-25
CN103886253B CN103886253B (en) 2018-01-19

Family

ID=50955139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410116905.5A Expired - Fee Related CN103886253B (en) 2014-03-26 2014-03-26 A kind of method, equipment and system for detecting data leak

Country Status (1)

Country Link
CN (1) CN103886253B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111090835A (en) * 2019-12-06 2020-05-01 支付宝(杭州)信息技术有限公司 Method and device for constructing file derivative graph

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1036910A (en) * 1988-04-23 1989-11-08 赵俊 A kind of production method of flocculant
CN101183414A (en) * 2007-12-07 2008-05-21 白杰 Program detection method, device and program analyzing method
CN101686239A (en) * 2009-05-26 2010-03-31 中山大学 Trojan discovery system
CN103595731A (en) * 2013-11-29 2014-02-19 北京网秦天下科技有限公司 System and method for protecting account security

Also Published As

Publication number Publication date
CN103886253B (en) 2018-01-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180119

Termination date: 20200326
