CN104182688A - Android malicious code detection device and method based on dynamic activation and behavior monitoring - Google Patents

Info

Publication number: CN104182688A
Application number: CN201410424250.8A
Authority: CN (China)
Prior art keywords: monitoring, application, behavior, unit, file
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 徐国爱, 张淼
Current assignee: BEIJING SOFTSEC TECHNOLOGY Co Ltd
Original assignee: BEIJING SOFTSEC TECHNOLOGY Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

Disclosed is an Android malicious code detection device and method based on dynamic activation and behavior monitoring. The device controls a mobile phone terminal to automatically install and start the application to be detected and to automatically activate the application's behavior; at the same time, throughout the application's run, it monitors in real time the terminal's file access, SMS sending, network connections and traffic, system resource usage and hardware resource access, detects the malicious behavior of malicious code, generates a detection report for the user, and so dynamically detects the behavior of the application under test. The device comprises an application behavior dynamic activation module, an application behavior real-time monitoring module and a detection result analysis module. Its innovative advantages are that software interaction techniques operate every control and interface of the application, so that all of the application's behaviors are dynamically activated; that monitoring and detection of the application's full functionality is automatic while the monitored routines still perform their own functions; and that detection is therefore comprehensive and complete.

Description

Android malicious code detection device and method based on dynamic activation and behavior monitoring
Technical field
The present invention relates to a technique for detecting malicious behavior of Android applications, and specifically to an Android malicious code detection device and method based on dynamic activation and behavior monitoring. It belongs to the field of application security within information security.
Background technology
Detection and analysis techniques for Android malicious applications have been studied for many years both in China and abroad. Common detection tools include DroidRanger, TaintDroid and AppInspector, which are briefly introduced below:
DroidRanger summarizes the behavioral characteristics of ten known Android malware families and two heuristic rules, and uses them to detect unknown applications. The method can quickly detect known malicious behavior, but for newly emerging applications it mostly relies on manual analysis, so its detection results lag behind.
TaintDroid is a system-level dynamic real-time analysis tool. It uses dynamic data-flow analysis to monitor the application's background data flows in order to discover malicious behavior the application may contain.
AppInspector uses dynamic analysis: it automatically generates inputs, logs the program as it runs, and analyzes the recorded log to decide whether the application contains malicious behavior. The tool depends on specific trigger conditions, and for applications whose malicious behavior has comparatively complex triggering logic it is clearly inadequate.
At present there are mainly two methods for detecting malicious behavior in Android applications:
(A) Detection in the manner of virus scanning: the grammar, structure, procedures and interfaces of the source program, or of the program after disassembly, are analyzed; the control flow and data flow of key functions and key variables are traced; and the sensitive and malicious behavior found in the program under examination is matched against behavior rules derived from the analysis of malicious applications. Besides finding known malicious applications, the method can find suspicious malicious samples through a series of characteristic malicious behaviors, and for deep analysis it further relies on object-based intelligent identification techniques that are still under research.
Virus-scanning style detection performs static detection of the malicious behavior an Android application may contain, extracts features, and then matches those features against the application's malicious-behavior rules. The approach depends heavily on a malicious-behavior rule base: only malicious behavior that has already been discovered and added to the rule base can be detected, while novel malicious behavior not yet in the rule base cannot be screened by feature matching and can only be analyzed manually on the basis of existing experience and knowledge, so detection results lag behind.
(B) Dynamic monitoring: the execution of the application is monitored dynamically and in real time, the interaction between the application and its external environment is examined, and dynamic data-flow analysis is then applied to the application's background data flows to discover malicious behavior the application may contain.
Dynamic monitoring observes the application's execution in real time and examines its interaction with the external environment. Ordinarily, however, the application is driven by a given script into which the program's execution steps have been written, whereas most malicious behavior is hidden and its execution depends on specific trigger conditions. How to trigger malicious behavior with comparatively complex logic is a clear shortcoming of this method as well.
The security of Android applications is attracting more and more attention. The security threats an Android application may pose (including silently connecting to the network in the background, automatically sending and receiving SMS messages, and accessing the user's private files) are numerous and seriously harm users' interests. Practitioners in the industry are therefore very concerned with how to resolve these security threats to Android applications and treat them as a focus of research and development.
Summary of the invention
In view of this, the object of the invention is to provide an Android malicious code detection device and detection method based on dynamic activation and behavior monitoring. The invention is an automated detection tool: by controlling a mobile phone terminal it automatically installs and starts the application to be detected and automatically activates the application's behavior, while monitoring the terminal in real time; throughout the application's run it monitors the terminal from several aspects, namely file access, SMS sending, network connection and traffic, system resource occupation and hardware resource access, so as to detect and discover the malicious behavior carried out by malicious code.
To achieve the above object, the invention provides an Android malicious code detection device based on dynamic activation and behavior monitoring, characterized in that: the detection device controls the mobile phone terminal to automatically install and start the application to be detected and automatically activates the application's behavior; at the same time, throughout the application's run, it monitors in real time the terminal's file access, SMS sending, network connection and traffic, system resource occupation and hardware resource access, detects the malicious behavior carried out by malicious code, generates a detection report for the user, and so completes dynamic detection of the behavior of the application under test. The device has three component modules, an application behavior dynamic activation module, an application behavior real-time monitoring module and a detection result analysis module, as follows:
The application behavior dynamic activation module is responsible for automatically completing the installation, start-up, running and even uninstallation of the Android application to be detected; during the run it automatically activates the application's operational behavior so that this behavior can be monitored in the background, and it then sends the application's execution results to the detection result analysis module. It has three components: an installation and start-up unit, an automatic operation unit and a screenshot analysis unit.
The application behavior real-time monitoring module is responsible, on the basis of an analysis of common intrusion procedures and of the working principles of the Android operating system, for screening from the various system calls those system call functions that may produce malicious behavior, rewriting them, and pushing them to the mobile phone terminal after monitoring functionality has been added, so that the terminal is monitored in real time while the application's behavior is being dynamically activated. Throughout the application's automatic run it separately monitors whether terminal files are accessed, network connections and their traffic, SMS sending, system resource occupation and hardware resource access, and detects whether malicious code produces malicious behavior; it then delivers the monitoring results for the application's behavior to the detection result analysis module. It has six components: a file monitoring unit, a network monitoring unit, an SMS sending monitoring unit, a system resource occupation monitoring unit, a hardware resource access monitoring unit and a kernel-user interface unit.
The detection result analysis module is responsible for receiving the screenshots submitted by the application behavior dynamic activation module together with the text recognized from them, and the various monitoring record files submitted by the application behavior real-time monitoring module, and then analyzing them and generating the detection report. It has a text and record analysis unit and a report generation unit.
To achieve the above object, the invention also provides a detection method that uses the above Android malicious code detection device based on dynamic activation and behavior monitoring, characterized in that: while the Android application runs automatically, all of its controls and interfaces are operated automatically so as to dynamically activate the application's various behaviors, background monitoring of these behaviors is started at the same time, and the interface text extracted during the run is matched against the analysis of the background-behavior monitoring records to generate a security detection report of the application for the user to consult. The method comprises the following operation steps:
Step 1, pre-processing: find, determine and rewrite the system call routines that may carry malicious behavior, add monitoring functionality to them, and push the rewritten routines to the mobile phone terminal;
Step 2, install and start: after the mobile phone terminal has been connected to the computer by a data cable, the Android malicious code detection device is started and run; the installation and start-up unit of the application behavior dynamic activation module automatically pushes the Android application to be detected to the terminal, then installs and starts it;
Step 3, dynamic activation: the automatic operation unit of the application behavior dynamic activation module repeatedly obtains the attributes of all controls in the current interface, parses out their coordinate values and generates a corresponding script for each control; a script execution tool then runs these scripts, simulating a human clicking the controls of the application's interface, which completes the dynamic activation of the application's behavior, and the resulting screenshots are submitted together with their text to the detection result analysis module;
Step 4, background monitoring: the monitoring units of the application behavior dynamic activation module, pushed to the mobile phone terminal in advance, are switched on; they collect information on whether terminal files are accessed, on network connections and traffic, SMS sending and receiving, system resource occupation and hardware resource access, monitor the dynamically activated application behavior, generate the corresponding monitoring records and submit them to the detection result analysis module;
Step 5, text and record analysis: the text and record analysis unit of the detection result analysis module parses the screenshots and text provided by step 3 and the behavior monitoring log files provided by step 4, then submits the analysis results to the report generation unit;
Step 6, report generation: the analysis results provided by step 5 are collated and integrated into the final detection report.
The innovative technical features and advantages of the invention are:
(1) During detection of the application, the control data stream is obtained through communication with the mobile phone terminal and parsed, the absolute coordinates of the controls are obtained automatically, and a Python script is generated.
(2) Executing the script uses software interaction techniques to operate every control and interface of the application, dynamically activating all of the application's behavior; detection thus covers the application's full functionality, guaranteeing comprehensive and complete detection.
(3) The Android system kernel is recompiled; then, on the basis of an in-depth analysis of common intrusion procedures and of the operating system's working principles, the system call functions that may produce malicious behavior are screened and rewritten so that they gain monitoring functionality while still performing their own function, and hooking is used to intercept and record these system calls, which enables the detection device to monitor the application's various behaviors.
In short, the detection device of the invention can automatically install and start an application, automatically activate its behavior, monitor those behaviors in real time, record possible malicious behavior and generate a monitoring report, thereby completing dynamic detection of the behavior of the application under test.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the Android malicious code detection device based on dynamic activation and behavior monitoring of the invention.
Fig. 2 is a flow chart of the operation steps of the detection method of the Android malicious code detection device of the invention.
Fig. 3 is a schematic diagram of the kernel-user communication process in the Android malicious code detection device of the invention.
Embodiment
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings.
The invention is an Android malicious code detection device based on dynamic activation and behavior monitoring. The device controls the mobile phone terminal to automatically install and start the application to be detected and automatically activates its behavior; at the same time, throughout the application's run, it monitors in real time the terminal's file access, SMS sending, network connections and traffic, system resource occupation and hardware resource access, detects the malicious behavior carried out by malicious code, generates a detection report for the user, and so completes dynamic detection of the behavior of the application under test.
Referring to Fig. 1, the three component modules of the Android malicious code detection device of the invention, the application behavior dynamic activation module, the application behavior real-time monitoring module and the detection result analysis module, are introduced below:
(1) The application behavior dynamic activation module is responsible for automatically completing the installation, start-up and running of the Android application to be detected, and its uninstallation; during the run it automatically activates the application's operational behavior so that this behavior can be monitored in the background, then sends the application's execution results to the detection result analysis module. It has three components, an installation and start-up unit, an automatic operation unit and a screenshot analysis unit, whose functions are as follows:
The installation and start-up unit connects the mobile phone terminal to the computer by data cable, ensures that the two can exchange information normally, and then installs and starts the application.
The automatic operation unit communicates with the mobile phone terminal over a socket, obtains and parses the control data stream, extracts the coordinate data from it, uses the coordinate data to compute the absolute coordinates of each control, automatically generates touch, input, screenshot and back scripts and executes them, simulating a human clicking on the application, and so dynamically activates the application's behavior.
The screenshot analysis unit continuously captures screenshots of the current interface while the application runs, parses each captured image with the configured image recognition method to obtain its text content, and submits both to the text and record analysis unit of the detection result analysis module.
(2) The application behavior real-time monitoring module is responsible, on the basis of an in-depth analysis of common intrusion procedures and of the working principles of the Android operating system, for screening from the various system calls those system call functions that may produce malicious behavior, rewriting them, and pushing them to the mobile phone terminal after monitoring functionality has been added, so that the terminal is monitored in real time while the application's behavior is being dynamically activated. Throughout the application's automatic run it separately monitors whether terminal files are accessed, network connections and their traffic, SMS sending, system resource occupation and hardware resource access, and detects whether malicious code produces malicious behavior; it then delivers the monitoring results for the application's behavior to the detection result analysis module. It has six components: a file monitoring unit, a network monitoring unit, an SMS sending monitoring unit, a system resource occupation monitoring unit, a hardware resource access monitoring unit and a kernel-user interface unit. The functions of these six components are as follows:
The file monitoring unit captures the files that the user has specified for monitoring in a configuration file and monitors them: every read or write of a monitored file by any malicious application during the test is stored and recorded, then passed to the kernel-user interface unit.
The network monitoring unit monitors the application's control over the network channel, monitors the terminal's network traffic in real time, screens for behavior that uses the network to send or receive malicious data, monitors and records the loss of data traffic not caused by user behavior, and passes this information to the kernel-user interface unit.
The SMS sending monitoring unit monitors the application's control over the SMS channel, screens for behavior that sends or receives malicious SMS messages, monitors and records covert background SMS sending, and passes this information to the kernel-user interface unit.
The system resource occupation monitoring unit monitors the application's occupation of system software and hardware resources, including the application's use of the CPU, memory and flash storage at each sampling time during observation, screens for and records malicious behavior that damages the system's running environment, and passes this information to the kernel-user interface unit.
The hardware resource access monitoring unit: because an application's use of the terminal's hardware functions is performed entirely through the hardware driver programs in the kernel, this unit monitors calls to the terminal's various hardware drivers, monitors and records the corresponding application operations, and passes this information to the kernel-user interface unit.
The kernel-user interface unit delivers the monitoring information sent by each monitoring unit to a user-space program, saves it as the corresponding monitoring report, and submits it to the detection result analysis module.
(3) The detection result analysis module is responsible for receiving the screenshots submitted by the application behavior dynamic activation module together with the text recognized from them, and the various monitoring record files submitted by the application behavior real-time monitoring module, and then analyzing them and generating the detection report. It has two components, a text and record analysis unit and a report generation unit, whose functions are as follows:
The text and record analysis unit matches the screenshots and text from the application behavior dynamic activation module against the contents of a sensitive-word database, detects and records whether the application's text contains sensitive information, and submits the result to the report generation unit; at the same time it parses the various monitoring record files from the application behavior real-time monitoring module and submits the analysis results to the report generation unit.
The report generation unit collates and integrates the analysis results of the text and record analysis unit into the final detection report for the user to consult.
The detection method of the Android malicious code detection device based on dynamic activation and behavior monitoring of the invention is as follows: while the Android application runs automatically, all of its controls and interfaces are operated automatically so as to dynamically activate the application's various behaviors, background monitoring of these behaviors is started at the same time, and the interface text extracted during the run is matched against the analysis of the background-behavior monitoring records to generate a security detection report of the application for the user to consult.
Referring to Fig. 2, the concrete operation steps of the Android application malicious behavior detection device based on dynamic activation and behavior analysis of the invention are introduced below:
Step 1, pre-processing: find, determine and rewrite the system call routines that may carry malicious behavior, add monitoring functionality to them, and push the rewritten routines to the mobile phone terminal. This step 1 comprises the following operations:
(11) Because the original kernel does not support dynamic loading of user programs into the system kernel, the Linux kernel source of the corresponding version is obtained from the official Android website and recompiled so that the kernel supports dynamic loading and unloading of user programs.
(12) On the basis of an analysis of common intrusion procedures and of the working principles of the Android operating system, the following system call functions that may produce malicious behavior are screened out: sys_open, sys_close, sys_mkdir, sys_write, sys_rename and sys_rmdir. These system call functions are then rewritten to produce new system call routines that gain monitoring functionality while still performing their own function.
(13) The rewritten system call routines are pushed to the terminal's operating system so that each monitors its corresponding system call; as soon as a call is observed it is intercepted and recorded, for use in generating the monitoring record file.
Referring to Fig. 3, the concrete operation of step (13) is introduced: after the system call routines with added monitoring functionality have been pushed to the mobile phone terminal, monitoring is switched on. When the kernel monitoring program finds that the application calls one of the system call routines with added monitoring functionality, it automatically records the call, then passes the information to the user-space program over a Netlink socket, a mechanism for bidirectional data transfer between the kernel and user applications, where it is saved as the corresponding monitoring report.
Step 2, install and start: after the mobile phone terminal has been connected to the computer by a data cable, the Android malicious code detection device of the invention is started and run; the installation and start-up unit of the application behavior dynamic activation module automatically pushes the Android application to be detected to the terminal, then installs and starts it.
Step 3, dynamic activation: the automatic operation unit of the application behavior dynamic activation module repeatedly obtains the attributes of all controls in the current interface, parses out their coordinate values and generates a corresponding script for each control. A script execution tool then runs these scripts, simulating a human clicking the controls of the application's interface, which completes the dynamic activation of the application's behavior, and the resulting screenshots are submitted together with their text to the detection result analysis module. This step 3 comprises the following operations:
(31) Obtain the absolute coordinates of the controls: the automatic operation unit of the application behavior dynamic activation module communicates with the mobile phone terminal over a socket, obtains and parses the control data stream, and extracts from it the attribute information giving each control's coordinates. Because an application's controls are all regular shapes, the control's absolute coordinates (X2, Y2) are computed with two formulas from its horizontal and vertical coordinates X1 and Y1 and its height and width, for use in generating the script.
(32) Generate and execute the scripts: according to the absolute coordinates of the controls and the configured script editing standard, the automatic operation unit generates scripts comprising touch, input, screenshot and back operations and executes them, simulating a human clicking the controls of the application's interface, which completes the dynamic activation of the application's behavior.
(33) Screenshot and image recognition: while the application runs, the automatic operation unit continuously captures screenshots of the current interface and submits them to the screenshot analysis unit; the screenshot analysis unit parses each screenshot with the configured image recognition method to obtain its text content, then submits the text together with the screenshot to the text and record analysis unit of the detection result analysis module.
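The activation loop of operations (31) to (33) can be made concrete with the following added example, which is not code from the patent or from the assignee: it parses a constructed control data stream into control records, computes each control's absolute coordinates, and generates a touch/input/screenshot/back script. The record format, the monkeyrunner script target (the patent says only that a Python script is generated) and the choice of the control's centre as the tap point are assumptions, since the patent's two coordinate formulas are not reproduced in this text.

```python
"""Dynamic activation (step 3, operations (31)-(33)): parse control
attributes, compute each control's absolute coordinates and generate a
touch/input/screenshot/back script.

Added example, not code from the patent. The control record format and the
monkeyrunner script target are assumptions; the patent only states that a
Python script is generated from the control data stream."""
import re
from dataclasses import dataclass

# Constructed control records, one control per line, ';'-separated
# key=value pairs. The real format of the socket data stream is not given.
CONTROL_STREAM = """\
type=TextView;text=Welcome;x=0;y=100;width=720;height=60;clickable=0
type=EditText;text=;x=40;y=600;width=640;height=96;clickable=1
type=Button;text=Login;x=40;y=900;width=200;height=80;clickable=1
type=Button;text=Register;x=480;y=900;width=200;height=80;clickable=1
"""

_FIELD = re.compile(r"^(\w+)=(.*)$")


@dataclass(frozen=True)
class Control:
    kind: str
    text: str
    x1: int        # horizontal coordinate of the control's top-left corner
    y1: int        # vertical coordinate of the control's top-left corner
    width: int
    height: int
    clickable: bool

    def absolute_center(self):
        # Assumption: a regular rectangular control is tapped at its centre.
        # The patent derives (X2, Y2) from X1, Y1, width and height with two
        # formulas that this text does not reproduce.
        return self.x1 + self.width // 2, self.y1 + self.height // 2


def parse_control_stream(stream):
    """Turn the control records into Control objects; a record missing a
    required attribute is skipped instead of aborting the whole run."""
    controls = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        fields = {}
        for item in line.split(";"):
            m = _FIELD.match(item)
            if m:
                fields[m.group(1)] = m.group(2)
        try:
            controls.append(Control(
                kind=fields["type"],
                text=fields.get("text", ""),
                x1=int(fields["x"]), y1=int(fields["y"]),
                width=int(fields["width"]), height=int(fields["height"]),
                clickable=fields.get("clickable", "0") == "1",
            ))
        except (KeyError, ValueError):
            continue
    return controls


def generate_activation_script(controls, shot_prefix="shot", input_text="test"):
    """Emit a monkeyrunner-style script. For every clickable control: tap
    its centre (and type into it if it is an input field), wait, take a
    screenshot for the screenshot analysis unit, then press BACK so the
    next control is reached from the same starting interface. Returns the
    script text and the list of tapped (X2, Y2) points."""
    lines = [
        "from com.android.monkeyrunner import MonkeyRunner, MonkeyDevice",
        "device = MonkeyRunner.waitForConnection()",
    ]
    tapped = []
    for n, c in enumerate(controls):
        if not c.clickable:
            continue  # static widgets such as labels activate nothing
        x2, y2 = c.absolute_center()
        tapped.append((x2, y2))
        shot = f"{shot_prefix}_{n}.png"
        lines.append(f"device.touch({x2}, {y2}, MonkeyDevice.DOWN_AND_UP)  # {c.kind} {c.text!r}")
        if c.kind == "EditText":
            lines.append(f"device.type({input_text!r})")
        lines.append("MonkeyRunner.sleep(1)")
        lines.append(f"device.takeSnapshot().writeToFile({shot!r}, 'png')")
        lines.append("device.press('KEYCODE_BACK', MonkeyDevice.DOWN_AND_UP)")
    return "\n".join(lines) + "\n", tapped


if __name__ == "__main__":
    script, points = generate_activation_script(parse_control_stream(CONTROL_STREAM))
    print(script)
```

Pressing BACK after every control keeps the traversal anchored to the interface whose controls were enumerated; a fuller activation loop would re-read the control stream after each tap, because a tap can open a new interface whose controls also need to be reached.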
Step 4, background monitoring: the monitoring units of the application behavior dynamic activation module, pushed to the mobile phone terminal in advance, are switched on; they collect information on whether terminal files are accessed, on network connections and traffic, SMS sending and receiving, system resource occupation and hardware resource access, monitor the dynamically activated behavior, generate the corresponding monitoring records and submit them to the detection result analysis module.
In step 4, each monitoring unit of the application behavior real-time monitoring module carries out one or more of the following operations (the order of the operations below is arbitrary):
(41) File monitoring: the file monitoring unit captures the private files that the user has written into the configuration file for monitoring and monitors them. Because the system's file monitoring checks whether the private files configured by the user are accessed, every read or write of a monitored file by any malicious application is recorded in the file monitoring log file on the mobile phone terminal. A file monitoring record therefore comprises: the malicious application's process tag, the malicious operation type and the monitoring time.
(42) Network monitoring: the network monitoring unit monitors the application's control over the network channel and its network traffic in real time, screens for behavior that uses the network to send or receive malicious data, and also monitors and records data traffic loss not caused by user behavior. Network monitoring uses broadcast interception, traffic file monitoring or interception of system API calls to monitor malicious background networking and traffic consumption by the application, and records it in the network monitoring behavior log file; the record comprises: the malicious application's process tag, the networking mode, the traffic consumed and packet information.
(43) SMS sending monitoring: the SMS sending monitoring unit monitors the application's control over the SMS channel and screens for behavior that sends or receives malicious SMS messages; it also monitors covert SMS sending by intercepting calls to the system SMS API, and records all of this in the SMS monitoring behavior log file. The record comprises: the malicious application's process tag, the SMS destination address, the message content and the sending time.
(44) System resource occupation monitoring: the system resource occupation monitoring unit monitors and records the application's occupation of the system's software and hardware resources. The record comprises the application's usage of hardware such as the CPU, memory and flash storage at each sampling time during observation, and is written to the system resource occupation monitoring behavior log file.
(45) Hardware resource access monitoring: because an application realizes its concrete functions by calling the terminal's hardware, and those calls are made through the hardware driver programs in the kernel, the hardware resource access monitoring unit monitors calls to the various hardware drivers in the terminal to obtain information on hardware resource access behavior. The record comprises the hardware access records for the SD card, Bluetooth, camera and microphone, and is written to the hardware resource access monitoring log file.
Step 5, text and record analysis: the sectional drawing that the text in Analysis of test results processing module and record analysis unit provide respectively step 3 and 4 and text and behavior monitoring log file are resolved, then analysis result is submitted to report generation unit;
Step 6, generates report: the analysis result that step 5 is provided gathers integration, generates final examining report.
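As an added example that is not the patent's own code, the following Python script shows how the text and record analysis unit of steps 5 and 6 could parse the five kinds of monitoring record produced in step 4 and the screenshot text recognised in step 3 into a per-application detection report. The key=value record layout, the package name, the network peer, the timestamps and the sensitive-word list are all constructed assumptions; the patent specifies only which fields each monitoring unit records.

```python
"""Added example (not code from the patent): parse the five kinds of monitoring
log produced in Step 4, match screenshot text against a sensitive-word list
(Step 5) and aggregate everything into a per-application report (Step 6)."""
import re
from collections import defaultdict

# key=value record layout is an assumption; the patent lists only which fields
# each monitoring unit records, not the on-disk format of the log files.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample logs, one line per event, for a hypothetical package name.
SAMPLE_LOGS = {
    "file": (
        'proc=com.example.demo action=read target=/sdcard/contacts.db time=2014-08-26T10:00:01\n'
        'proc=com.example.demo action=write target=/data/private/notes.txt time=2014-08-26T10:00:03\n'
    ),
    "net": (
        'proc=com.example.demo mode=tcp bytes=52480 peer=203.0.113.7:8080 time=2014-08-26T10:00:05\n'
        'proc=com.example.demo mode=tcp bytes=1200 peer=203.0.113.7:8080 time=2014-08-26T10:00:30\n'
    ),
    "sms": 'proc=com.example.demo dest=10690000 body="REG 8823" time=2014-08-26T10:00:07\n',
    "res": (
        'proc=com.example.demo cpu=12 mem=48 flash=3 time=2014-08-26T10:00:10\n'
        'proc=com.example.demo cpu=37 mem=61 flash=3 time=2014-08-26T10:00:20\n'
    ),
    "hw": 'proc=com.example.demo device=microphone time=2014-08-26T10:00:12\n',
}
# Constructed text as the screenshot analysis unit would return it after recognition.
SAMPLE_OCR = "Welcome! Please enter your password and the verification code sent to you."
SENSITIVE_WORDS = ["password", "verification code", "bank card", "IMEI"]


def parse_records(log_text):
    """Turn key=value lines into dicts; quoted values (SMS bodies) keep their spaces."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            records.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return records


def find_sensitive(ocr_text, words):
    """Case-insensitive match of recognised screen text against the word list."""
    lowered = ocr_text.lower()
    return [w for w in words if w.lower() in lowered]


def build_report(logs, ocr_text, words):
    """Aggregate the five log kinds and the OCR hits into one report entry per process."""
    per_proc = defaultdict(lambda: {"file_ops": [], "net_bytes": 0, "net_peers": set(),
                                    "sms": [], "hw_devices": set(), "peak_cpu": 0, "peak_mem": 0})
    for r in parse_records(logs.get("file", "")):
        per_proc[r["proc"]]["file_ops"].append((r["action"], r["target"], r["time"]))
    for r in parse_records(logs.get("net", "")):
        p = per_proc[r["proc"]]
        p["net_bytes"] += int(r["bytes"])
        p["net_peers"].add(r["peer"])
    for r in parse_records(logs.get("sms", "")):
        per_proc[r["proc"]]["sms"].append((r["dest"], r["body"], r["time"]))
    for r in parse_records(logs.get("res", "")):
        p = per_proc[r["proc"]]
        p["peak_cpu"] = max(p["peak_cpu"], int(r["cpu"]))
        p["peak_mem"] = max(p["peak_mem"], int(r["mem"]))
    for r in parse_records(logs.get("hw", "")):
        per_proc[r["proc"]]["hw_devices"].add(r["device"])

    sensitive_hits = find_sensitive(ocr_text, words)
    report = {}
    for proc, p in per_proc.items():
        findings = []
        if p["file_ops"]:
            findings.append("%d read/write operation(s) on monitored files" % len(p["file_ops"]))
        if p["sms"]:
            findings.append("%d SMS send(s) captured by the SMS monitor" % len(p["sms"]))
        if p["net_bytes"]:
            findings.append("%d bytes of background traffic to %d peer(s)"
                            % (p["net_bytes"], len(p["net_peers"])))
        if p["hw_devices"]:
            findings.append("hardware accessed: " + ", ".join(sorted(p["hw_devices"])))
        if sensitive_hits:
            findings.append("sensitive words on screen: " + ", ".join(sensitive_hits))
        report[proc] = {
            "file_ops": p["file_ops"], "net_bytes": p["net_bytes"],
            "net_peers": sorted(p["net_peers"]), "sms_count": len(p["sms"]),
            "hw_devices": sorted(p["hw_devices"]), "peak_cpu": p["peak_cpu"],
            "peak_mem": p["peak_mem"], "sensitive_hits": sensitive_hits,
            "findings": findings, "suspicious": bool(findings),
        }
    return report


def format_report(report):
    """Render the report as plain text, one block per process."""
    lines = []
    for proc, r in sorted(report.items()):
        lines.append("Application %s: %s" % (proc, "SUSPICIOUS" if r["suspicious"] else "no findings"))
        lines.extend("  - " + f for f in r["findings"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOGS, SAMPLE_OCR, SENSITIVE_WORDS)))
```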
The present invention has carried out the test of Multi simulation running embodiment, and the result of test is successfully, has realized goal of the invention.

Claims (9)

1. An Android malicious code detection device based on dynamic activation and behaviour monitoring, characterised in that: the detection device controls the mobile terminal to automatically install and start the application to be detected and automatically activates the application's behaviour; at the same time, throughout the application's operation, it monitors in real time the mobile terminal's information on file access, SMS sending, network connections and their traffic, system resource occupation and hardware resource access, detects the malicious acts performed by malicious code, generates a detection report for the user, and thereby completes the dynamic detection of the detected application's behaviour; the device comprises three modules, an application behaviour dynamic activation module, an application behaviour real-time monitoring module and a test result analysis processing module, wherein:
the application behaviour dynamic activation module is responsible for automatically completing the installation, start-up, operation and even uninstallation of the Android application to be detected; during operation it automatically activates the application's operating behaviour so that the behaviour can be monitored in the background, and then sends the application's execution results to the test result analysis processing module; it comprises three components: an installation and start unit, an automatic operation unit and a screenshot analysis unit;
the application behaviour real-time monitoring module is responsible for screening, based on analysis of common intrusion operating processes and of the working principle of the Android operating system, the system call functions that may produce malicious behaviour from among the various system calls, rewriting them, adding a monitoring function and pushing them to the mobile terminal, so that the mobile terminal is monitored in real time while the application's behaviour is dynamically activated; throughout the automatic operation of the application it also monitors whether the mobile terminal's files are accessed, its network connections and their traffic, SMS sending, system resource occupation and hardware resource access, to detect whether the malicious code produces malicious behaviour; it then delivers the monitoring results of the application's behaviour to the test result analysis processing module; it comprises the following six components: a file monitoring unit, a networking monitoring unit, an SMS sending monitoring unit, a system resource occupation monitoring unit, a hardware resource access monitoring unit and a kernel-user interface unit;
the test result analysis processing module is responsible for receiving the screenshots submitted by the application behaviour dynamic activation module and the text recognised from them, and the various monitoring record files submitted by the application behaviour real-time monitoring module, then analysing them and generating the detection report; it comprises a text and record analysis unit and a report generation unit.
2. The device according to claim 1, characterised in that the functions of the components of the application behaviour dynamic activation module are as follows:
the installation and start unit is used to connect the mobile terminal to the computer with a data cable and, after ensuring that the two can exchange information normally, install and start the application;
the automatic operation unit is used to communicate with the mobile terminal over a socket, obtain and parse the control flow information, parse the coordinate data from it, use this coordinate data to calculate the absolute coordinates of the controls, automatically generate touch, input, screenshot and back scripts and execute them, simulating human clicks on the application so as to dynamically activate the application's behaviour;
the screenshot analysis unit is used to continually take screenshots of the current interface while the application runs, parse the captured pictures with a preset picture recognition method, obtain their text content and submit it together with the screenshots to the text and record analysis unit in the test result analysis processing module.
3. The device according to claim 1, characterised in that the functions of the components of the application behaviour real-time monitoring module are as follows:
the file monitoring unit is used to read the files that the user has specified for monitoring in the configuration file and then monitor these files: every read or write operation on a monitored file by any malicious application during the test is stored and recorded, then passed to the kernel-user interface unit;
the networking monitoring unit is used to monitor how the application under test controls the network channel, monitor the mobile terminal's network traffic in real time, screen for behaviour that uses the network to send or receive malicious data, and monitor and record the loss of data traffic not caused by user behaviour, then pass this information to the kernel-user interface unit;
the SMS sending monitoring unit is used to monitor how the application under test controls the SMS channel, screen for the sending or receiving of malicious SMS, and monitor and record covert background SMS sending, then pass this information to the kernel-user interface unit;
the system resource occupation monitoring unit is used to monitor the application under test's occupation of system software and hardware resources, including the application's use of the CPU, memory and flash at each sampling time during the observation, screen for and record malicious acts that damage the system's operating environment, then pass this information to the kernel-user interface unit;
the hardware resource access monitoring unit, because the application's use of the mobile terminal's hardware functions is carried out entirely through the hardware drivers in the kernel, is used to monitor calls to the various hardware drivers of the mobile terminal and thereby monitor and record the corresponding application operating behaviour, then pass this information to the kernel-user interface unit;
the kernel-user interface unit is used to deliver the monitoring information sent by each of the monitoring units to a user-mode program, save it as the corresponding monitoring report, and submit it to the test result analysis processing module.
4. The device according to claim 1, characterised in that the functions of the components of the test result analysis processing module are as follows:
the text and record analysis unit is used to match the screenshots and text from the application behaviour dynamic activation module against the contents of a sensitive word database, detect whether sensitive information is present in the application's text and record it, then submit the result to the report generation unit; it also parses the various monitoring record files from the application behaviour real-time monitoring module and submits the analysis results to the report generation unit;
the report generation unit is used to aggregate and integrate the analysis results of the text and record analysis unit and generate the final detection report for the user to consult.
5. A detection method using the Android malicious code detection device based on dynamic activation and behaviour monitoring according to claim 1, characterised in that: during the automatic operation of the Android application, all of the application's controls and interfaces are used to operate it automatically, dynamically activating the application's various behaviours while background monitoring of these behaviours is started at the same time; the interface text extracted during operation is matched against the analysis of the background behaviour monitoring records, and a security detection report of the application is generated for the user to consult; the method comprises the following operating steps:
Step 1, pre-processing: search for, determine and rewrite the system call programs that may have malicious behaviour, add a monitoring function and push these system call programs to the mobile terminal;
Step 2, installation and start: after connecting the mobile terminal to the computer with a data cable, start and run the Android malicious code detection device; the installation and start unit of the application behaviour dynamic activation module automatically pushes the Android application to be detected to the mobile terminal, then installs and starts it;
Step 3, dynamic activation: the automatic operation unit of the application behaviour dynamic activation module cyclically obtains all control attributes of the current interface, parses their coordinate values and generates a corresponding script for each control; the script execution means then executes these scripts, simulating human clicks on the controls of the application interface, which completes the dynamic activation of the application's behaviour, and the generated screenshots are submitted together with their text to the test result analysis processing module;
Step 4, background monitoring: the application behaviour dynamic activation module opens each monitoring unit that was pushed to the mobile terminal in advance; these units collect information on whether terminal files are accessed, on network connections and traffic, on SMS sending and receiving, on system resource occupation and on hardware resource access, monitor the dynamically activated application behaviour, generate the corresponding monitoring records and submit them to the test result analysis processing module;
Step 5, text and record analysis: the text and record analysis unit in the test result analysis processing module parses the screenshots and text provided by step 3 and the behaviour monitoring log files provided by step 4, then submits the analysis results to the report generation unit;
Step 6, report generation: the analysis results provided by step 5 are aggregated and integrated to generate the final detection report.
6. The method according to claim 5, characterised in that step 1 comprises the following operations:
(11) because the original kernel does not support dynamic loading of user programs into the system kernel, the Linux kernel source code of the corresponding version is obtained from the Android official website and recompiled so that the kernel file supports dynamic loading and unloading of user programs;
(12) based on analysis of common intrusion operation processes and of the working principle of the Android operating system, the following system call functions that may produce malicious behaviour are screened out: sys_open, sys_close, sys_mkdir, sys_write, sys_rename and sys_rmdir; these system call functions are then rewritten to generate new system call programs that add a monitoring function on top of their original function;
(13) the rewritten system call programs are pushed to the terminal operating system so that each monitors its corresponding system call behaviour; as soon as a call is found it is hijacked and recorded immediately, for generation of the monitoring record file.
7. The method according to claim 6, characterised in that step (13) comprises the following operations: after the system call programs with the added monitoring function are pushed to the mobile terminal, monitoring is started; when the kernel monitoring program finds that an application calls a system call program with the added monitoring function, it automatically records the call behaviour, then passes the information to the user-mode program through a Netlink socket, a mechanism for bidirectional data transfer between the kernel and user applications, where it is saved as the corresponding monitoring report.
8. The method according to claim 5, characterised in that step 3 comprises the following operations:
(31) obtain the absolute coordinates of the controls: the automatic operation unit in the application behaviour dynamic activation module communicates with the terminal over a socket, obtains and parses the control flow information, and extracts from it the attribute information of the control coordinate values; then, from the control's horizontal and vertical coordinates X1 and Y1 and its height and width, it uses the following two formulas to calculate the absolute coordinates (X2, Y2) of the control, for use in script generation;
(32) generate and execute scripts: according to the absolute coordinates of the controls and a preset script-writing standard, the automatic operation unit generates touch, input, screenshot and back scripts and executes them, simulating a human clicking the controls of the application interface, which completes the dynamic activation of the application's behaviour;
(33) screenshot and picture recognition: while the application runs, the automatic operation unit continually takes screenshots of the current interface and submits them to the screenshot analysis unit; the screenshot analysis unit parses each screenshot with a preset picture recognition method, obtains the text content of the screenshot, and submits the text together with the screenshot to the text and record analysis unit in the test result analysis processing module.
9. The method according to claim 5, characterised in that in step 4 each monitoring unit in the application behaviour real-time monitoring module performs one or more of the following operations, the order of which is arbitrary:
(41) file monitoring: the file monitoring unit reads the privacy files that the user has listed for monitoring in the configuration file and monitors them; because the system monitors files by checking whether the privacy files the user specified in the configuration file are accessed, any read or write operation by any application on a monitored file is recorded in the file monitoring log file on the mobile terminal; the file monitoring record therefore contains: the malicious application's process tag, the malicious action mode and the monitoring time;
(42) networking monitoring: the networking monitoring unit monitors how the application under test controls the network channel and monitors its network traffic in real time, screening for behaviour that uses the network to send or receive malicious data, and also monitoring and recording data traffic loss not caused by user behaviour; the networking monitoring operation comprises: using broadcast interception, traffic file monitoring or system API call interception to monitor the application's malicious background networking and traffic-consuming behaviour, and recording it in the networking monitoring behaviour log file; the record contains: the malicious application's process tag, the networking mode, the traffic consumed and packet information;
(43) SMS sending monitoring: the SMS sending monitoring unit monitors how the application under test controls the SMS channel, screening for the sending or receiving of malicious SMS; it also monitors covert SMS sending by capturing system SMS API calls, and records all of this information in the SMS monitoring behaviour log file; the record contains: the malicious application's process tag, the SMS destination address, the SMS content and the sending time;
(44) system resource occupation monitoring: the system resource occupation monitoring unit monitors and records the application's occupation of the system's software and hardware resources; the record contains: the application's use of the CPU, memory and flash at each sampling time during the observation, recorded in the system resource occupation monitoring behaviour log file;
(45) hardware resource access monitoring: because the application implements its functions by calling the mobile terminal's hardware, and calls to that hardware go through the hardware drivers in the kernel, the hardware resource access monitoring unit monitors calls to the various hardware drivers in the mobile terminal to obtain information about hardware resource access behaviour; the record contains: the access records of the SD card, Bluetooth, camera and microphone, recorded in the hardware resource access monitoring log file.
Priority Applications (1)

Application Number: CN201410424250.8A
Priority Date: 2014-08-26
Filing Date: 2014-08-26
Title: Android malicious code detection device and method based on dynamic activation and behavior monitoring
Status: Pending

Publications (1)

Publication Number: CN104182688A (en)
Publication Date: 2014-12-03

Family ID: 51963720

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462979A (en) * 2014-12-26 2015-03-25 深圳数字电视国家工程实验室股份有限公司 Automatic dynamic detection method and device of application program
CN104462973A (en) * 2014-12-18 2015-03-25 上海斐讯数据通信技术有限公司 System and method for detecting dynamic malicious behaviors of application program in mobile terminal
CN104850793A (en) * 2015-05-28 2015-08-19 成都中科创达软件有限公司 Android system intelligent control and management method
CN104866761A (en) * 2015-06-01 2015-08-26 成都中科创达软件有限公司 High-security Android intelligent terminal
CN105187390A (en) * 2015-08-10 2015-12-23 济南大学 Active mobile terminal malicious software network traffic data set acquisition method and system
CN105760760A (en) * 2015-01-05 2016-07-13 润钜股份有限公司 Intelligent device and method for dynamically detecting application program and computer program product
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system
CN105828408A (en) * 2015-01-08 2016-08-03 中兴通讯股份有限公司 Method and device for controlling internet surfing time
CN105956468A (en) * 2016-04-22 2016-09-21 中国科学院信息工程研究所 Method and system for detecting Android malicious application based on file access dynamic monitoring
CN105975856A (en) * 2015-09-25 2016-09-28 武汉安天信息技术有限责任公司 Method and system for dynamic virus detection of mobile terminal
CN106326001A (en) * 2015-07-06 2017-01-11 联想(北京)有限公司 Information processing method and electronic device
CN106407098A (en) * 2015-07-27 2017-02-15 腾讯科技(深圳)有限公司 Application program state monitoring method and device
CN106547699A (en) * 2016-11-30 2017-03-29 安徽金曦网络科技股份有限公司 Code detection system
CN106709352A (en) * 2015-11-12 2017-05-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system
CN107332811A (en) * 2016-04-29 2017-11-07 阿里巴巴集团控股有限公司 The methods, devices and systems of intrusion detection
CN107967426A (en) * 2017-11-27 2018-04-27 华中科技大学 A kind of detection method, defence method and the system of linux kernel Data attack
CN108734007A (en) * 2017-04-13 2018-11-02 中国移动通信集团上海有限公司 A kind of processing method and processing device of monitoring application program
CN108920954A (en) * 2018-06-28 2018-11-30 中国科学院软件研究所 A kind of malicious code automatic detection platform and method
CN109033835A (en) * 2018-07-23 2018-12-18 成都立鑫新技术科技有限公司 A kind of method of isomery detection malicious code of mobile terminal with double engines
CN109522189A (en) * 2017-09-19 2019-03-26 北京国双科技有限公司 A kind of data monitoring method, apparatus and system
CN109583192A (en) * 2018-12-08 2019-04-05 公安部第三研究所 A kind of fixed safety system of mobile terminal application and method based on emulation
CN109614797A (en) * 2018-12-14 2019-04-12 北京车和家信息技术有限公司 Software checking and killing method, device and equipment are extorted in the screen locking of vehicle-mounted information and entertainment system
CN110889113A (en) * 2019-10-30 2020-03-17 泰康保险集团股份有限公司 Log analysis method, server, electronic device and storage medium
CN111708698A (en) * 2020-06-16 2020-09-25 中国银行股份有限公司 Application program simulation filing method and related device
CN112131110A (en) * 2020-09-21 2020-12-25 安徽捷兴信源信息技术有限公司 Multisource heterogeneous data probe method and device of smart phone system
CN112565274A (en) * 2020-12-11 2021-03-26 国家计算机网络与信息安全管理中心江苏分中心 Method and system for intelligently identifying malicious APP
CN113672902A (en) * 2021-08-31 2021-11-19 挂号网(杭州)科技有限公司 Application program detection method, device, equipment and storage medium
CN113923111A (en) * 2020-06-22 2022-01-11 中兴通讯股份有限公司 Method, device, equipment and storage medium for automatically collecting application internet surfing messages
CN114996708A (en) * 2022-08-08 2022-09-02 中国信息通信研究院 Method and device for studying and judging fraud-related mobile phone application, electronic equipment and storage medium
CN116545642A (en) * 2023-01-07 2023-08-04 杭州融至兴科技有限公司 Terminal monitoring management system for specific environment
CN116628684A (en) * 2023-07-19 2023-08-22 杭州海康威视数字技术股份有限公司 Mobile application security risk monitoring and early warning method, system and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110088042A (en) * 2010-01-28 2011-08-03 주식회사 안철수연구소 Apparatus and method for automatically discriminating malicious code
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
CN103559446A (en) * 2013-11-13 2014-02-05 厦门市美亚柏科信息股份有限公司 Dynamic virus detection method and device for equipment based on Android system
CN103685251A (en) * 2013-12-04 2014-03-26 电子科技大学 Android malicious software detecting platform oriented to mobile internet

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110088042A (en) * 2010-01-28 2011-08-03 주식회사 안철수연구소 Apparatus and method for automatically discriminating malicious code
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
CN103559446A (en) * 2013-11-13 2014-02-05 厦门市美亚柏科信息股份有限公司 Dynamic virus detection method and device for equipment based on Android system
CN103685251A (en) * 2013-12-04 2014-03-26 电子科技大学 Android malicious software detecting platform oriented to mobile internet

Cited By (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462973B (en) * 2014-12-18 2017-11-14 上海斐讯数据通信技术有限公司 The dynamic malicious act detecting system and method for application program in mobile terminal
CN104462973A (en) * 2014-12-18 2015-03-25 上海斐讯数据通信技术有限公司 System and method for detecting dynamic malicious behaviors of application program in mobile terminal
CN104462979B (en) * 2014-12-26 2017-11-07 深圳数字电视国家工程实验室股份有限公司 The automation dynamic testing method and device of a kind of application program
CN104462979A (en) * 2014-12-26 2015-03-25 深圳数字电视国家工程实验室股份有限公司 Automatic dynamic detection method and device of application program
CN105760760A (en) * 2015-01-05 2016-07-13 润钜股份有限公司 Intelligent device and method for dynamically detecting application program and computer program product
CN105828408A (en) * 2015-01-08 2016-08-03 中兴通讯股份有限公司 Method and device for controlling internet surfing time
CN104850793A (en) * 2015-05-28 2015-08-19 成都中科创达软件有限公司 Android system intelligent control and management method
CN104850793B (en) * 2015-05-28 2017-09-29 成都中科创达软件有限公司 A kind of Android system intelligent control management method
CN104866761A (en) * 2015-06-01 2015-08-26 成都中科创达软件有限公司 High-security Android intelligent terminal
CN104866761B (en) * 2015-06-01 2017-10-31 成都中科创达软件有限公司 A kind of high security Android intelligent terminal
CN106326001B (en) * 2015-07-06 2023-07-21 联想(北京)有限公司 Information processing method and electronic equipment
CN106326001A (en) * 2015-07-06 2017-01-11 联想(北京)有限公司 Information processing method and electronic device
CN106407098A (en) * 2015-07-27 2017-02-15 腾讯科技(深圳)有限公司 Application program state monitoring method and device
CN105187390B (en) * 2015-08-10 2018-10-19 济南大学 Active mobile terminal Malware network flow data collection acquisition methods and system
CN105187390A (en) * 2015-08-10 2015-12-23 济南大学 Active mobile terminal malicious software network traffic data set acquisition method and system
CN105975856B (en) * 2015-09-25 2019-03-08 武汉安天信息技术有限责任公司 A kind of mobile terminal virus dynamic testing method and system
CN105975856A (en) * 2015-09-25 2016-09-28 武汉安天信息技术有限责任公司 Method and system for dynamic virus detection of mobile terminal
CN106709352A (en) * 2015-11-12 2017-05-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system
CN106709352B (en) * 2015-11-12 2019-09-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system
CN105809035B (en) * 2016-03-07 2018-11-09 南京邮电大学 The malware detection method and system of real-time behavior is applied based on Android
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system
CN105956468A (en) * 2016-04-22 2016-09-21 中国科学院信息工程研究所 Method and system for detecting Android malicious application based on file access dynamic monitoring
CN105956468B (en) * 2016-04-22 2018-12-28 中国科学院信息工程研究所 A kind of Android malicious application detection method and system based on file access dynamic monitoring
CN107332811A (en) * 2016-04-29 2017-11-07 阿里巴巴集团控股有限公司 The methods, devices and systems of intrusion detection
CN106547699A (en) * 2016-11-30 2017-03-29 安徽金曦网络科技股份有限公司 Code detection system
CN108734007A (en) * 2017-04-13 2018-11-02 中国移动通信集团上海有限公司 Processing method and device for monitoring an application program
CN109522189B (en) * 2017-09-19 2022-06-21 北京国双科技有限公司 Data monitoring method, device and system
CN109522189A (en) * 2017-09-19 2019-03-26 北京国双科技有限公司 Data monitoring method, apparatus and system
CN107967426A (en) * 2017-11-27 2018-04-27 华中科技大学 Detection method, defence method and system for Linux kernel data attacks
CN108920954A (en) * 2018-06-28 2018-11-30 中国科学院软件研究所 Malicious code automatic detection platform and method
CN109033835A (en) * 2018-07-23 2018-12-18 成都立鑫新技术科技有限公司 Method for detecting mobile terminal malicious code with heterogeneous dual engines
CN109583192A (en) * 2018-12-08 2019-04-05 公安部第三研究所 Mobile terminal application security fixing system and method based on emulation
CN109614797A (en) * 2018-12-14 2019-04-12 北京车和家信息技术有限公司 Screen-locking ransomware checking and killing method, device and equipment for vehicle-mounted infotainment systems
CN110889113A (en) * 2019-10-30 2020-03-17 泰康保险集团股份有限公司 Log analysis method, server, electronic device and storage medium
CN111708698A (en) * 2020-06-16 2020-09-25 中国银行股份有限公司 Application program simulation filing method and related device
CN111708698B (en) * 2020-06-16 2023-09-26 中国银行股份有限公司 Application program simulation recording method and related device
CN113923111A (en) * 2020-06-22 2022-01-11 中兴通讯股份有限公司 Method, device, equipment and storage medium for automatically collecting application internet access messages
CN112131110A (en) * 2020-09-21 2020-12-25 安徽捷兴信源信息技术有限公司 Multi-source heterogeneous data probe method and device for a smartphone system
CN112565274A (en) * 2020-12-11 2021-03-26 国家计算机网络与信息安全管理中心江苏分中心 Method and system for intelligently identifying malicious APPs
CN113672902A (en) * 2021-08-31 2021-11-19 挂号网(杭州)科技有限公司 Application program detection method, device, equipment and storage medium
CN114996708A (en) * 2022-08-08 2022-09-02 中国信息通信研究院 Method and device for studying and judging fraud-related mobile phone applications, electronic equipment and storage medium
CN116545642A (en) * 2023-01-07 2023-08-04 杭州融至兴科技有限公司 Terminal monitoring management system for specific environments
CN116545642B (en) * 2023-01-07 2024-05-14 杭州融至兴科技有限公司 Terminal monitoring management system for specific environments
CN116628684A (en) * 2023-07-19 2023-08-22 杭州海康威视数字技术股份有限公司 Mobile application security risk monitoring and early warning method, system and device, and electronic equipment
CN116628684B (en) * 2023-07-19 2023-10-13 杭州海康威视数字技术股份有限公司 Mobile application security risk monitoring and early warning method, system and device, and electronic equipment

Similar Documents

Publication Publication Date Title
CN104182688A (en) Android malicious code detection device and method based on dynamic activation and behavior monitoring
KR101666176B1 (en) Apparatus and method for of monitoring application based on android platform
US10581879B1 (en) Enhanced malware detection for generated objects
KR100938672B1 (en) The method and apparatus for detecting dll inserted by malicious code
CN112685737A (en) APP detection method, device, equipment and storage medium
CN110765464B (en) Vulnerability detection method, device, equipment and computer storage medium
US20170103200A1 (en) Log Information Generation Apparatus And Recording Medium, And Log Information Extraction Apparatus And Recording Medium
CN102254113A (en) Method and system for detecting and intercepting malicious code of mobile terminal
Choudhary et al. Haamd: Hybrid analysis for android malware detection
CN103746992B (en) Reverse-based intrusion detection system and method
WO2017071148A1 (en) Cloud computing platform-based intelligent defense system
US12039034B2 (en) Undetectable sandbox for malware
CN112084497A (en) Method and device for detecting malicious program of embedded Linux system
CN103268448B (en) Method and system for dynamically detecting the security of mobile applications
US20160371492A1 (en) Method and system for searching and killing macro virus
CN109144834B (en) User behavior data acquisition method and device, android system and terminal equipment
KR102180098B1 (en) A malware detecting system performing monitoring of malware and controlling a device of user
CN112688966A (en) Webshell detection method, device, medium and equipment
CN104486292A (en) Enterprise-resource safety-access control method, device and system
KR20160090566A (en) Apparatus and method for detecting APK malware filter using valid market data
CN112182569A (en) File identification method, device, equipment and storage medium
CN109818972A (en) Industrial control system information security management method, device and electronic equipment
KR102156340B1 (en) Method and apparatus for blocking web page attack
JP6258189B2 (en) Specific apparatus, specific method, and specific program
US11930019B2 (en) Methods and systems for fast-paced dynamic malware analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141203