CN104239797B - Active defense method and device - Google Patents


Info

Publication number
CN104239797B
Authority
CN
China
Prior art keywords
application
intended application
event behavior
behavior
monitoring
Prior art date
Legal status
Active
Application number
CN201410539274.8A
Other languages
Chinese (zh)
Other versions
CN104239797A (en)
Inventor
李常坤
刘星
石浩然
杨威
孙年忠
王玺
张海
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410539274.8A
Publication of CN104239797A
Application granted
Publication of CN104239797B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention provides an active defense method and device. The method comprises the following steps: in response to an instruction to run a target application, running a corresponding shell application; using the shell application to load a monitoring unit and then the target application in turn, and monitoring and capturing the event behavior of the target application through the monitoring unit; after a particular event behavior is captured, obtaining an event behavior treatment strategy and processing that particular event behavior according to the treatment strategy. The active defense scheme proposed by the invention makes very small changes to the existing system, does not affect system compatibility, and is simple and efficient to implement.

Description

Active defense method and device
Technical field
The present invention relates to the field of computer security, and specifically to an active defense method and, correspondingly, to an active defense device.
Background technology
Unix-like operating systems, with Android as the typical representative, are widely used in all kinds of mobile communication terminals. Android has a comparatively strict user permission management mechanism, and under default conditions the user's privileges are relatively low. To break through the permission restrictions, the system privilege must be raised to the highest level, that is, ROOT authorization must be performed. After obtaining the highest privilege, the user can intercept the malicious behavior of third-party applications and modify settings that consume system resources. Therefore, in most cases, the security software on the market needs to work on an Android mobile terminal that has already been ROOT-authorized in order to achieve its best effect. However, ordinary users do not possess the required expertise and may not ROOT their terminals; and even if they do, while higher privileges are opened up for the security software, malicious programs are also given an opportunity. Even more contradictory is that under non-ROOT conditions some malicious programs can still work, while traditional security defense software loses its absolute advantage. Therefore, solving the security defense needs of Android, Ubuntu and similar systems under non-ROOT conditions has always been a direction the industry strives for.
Active defense technology is a preferred solution to this need. Active defense is a real-time protection technology based on autonomous analysis and judgement of program event behavior: instead of using a virus's signature as the basis for judging a virus, it starts from the most original definition of a virus and directly uses the program's behavior as the basis for judgement. Active defense uses software to automatically carry out the process by which an anti-virus engineer analyses and judges a virus, solving the drawback that conventional security software cannot defend against unknown malware, and technically realizes active defense against trojans and viruses.
Reference is made to the patent application CN104023122A, published on 3 September 2014, which claims a security defense method and device. The basic idea of that scheme is to replace the corresponding application program on the current terminal by downloading, in advance, a customized application program to be implanted, and to start that application program preferentially after the system reboots, thereby realizing active defense. That approach mainly aims to solve how to build a security defense mechanism; the application program to be implanted is generated by decompiling the application program on the current terminal, modifying its code and repackaging it, that is, it employs a repackaging (secondary packaging) technique. Those skilled in the art will understand that this behavior monitoring approach, which relies on fully repackaging the application program, has shortcomings in the following respects:
First, the installation failure rate is high. In fact, more and more application programs are equipped with immunity against repackaging. If an application program is already set up to prevent repackaging, then forcibly injecting monitoring code into the target application may cause the target application to fail to install, or to crash abnormally after installation, so the success rate of constructing the active defense environment is relatively low.
Second, the monitoring is inherently incomplete. The hook functions form part of the application program, and a malicious program can use techniques such as Java reflection or JNI native calls to escape this defense mechanism.
In addition, the granularity of monitoring is not high. For a repackaged application program, the monitored object is often confined to the application program itself, and it is difficult to reach fine-grained behavior, that is, to finely monitor concrete behaviors such as SMS operations, contact access or deletion, URL access, generation of derivative (generated) files, installation operations and subprocess intrusion.
In summary, the analysis shows that research on active defense technology in the industry still has considerable room for improvement.
Summary of the invention
The primary object of the invention is to realize highly efficient active security defense under ROOT-free conditions, and to this end to provide an active defense method.
Another object of the invention, complementing the primary object, is to provide an active defense device.
To achieve the above objects, the invention provides the following technical scheme:
The active defense method provided by the invention comprises the following steps:
in response to an instruction to run a target application, running a corresponding shell application;
using the shell application to load a monitoring unit and then the target application in turn, and monitoring and capturing the event behavior of the target application through the monitoring unit;
after a particular event behavior is captured, obtaining an event behavior treatment strategy and processing the particular event behavior according to the treatment strategy.
In addition, the method includes the following preliminary step: providing a shortcut in the graphical user interface for obtaining the instruction to run the target application, the icon of the shortcut being derived by modifying the target application's default icon.
Specifically, the monitoring unit calls hook plug-ins which, at run time, hook the particular events triggered directly or indirectly by the target application process, so as to monitor the target application.
Specifically, the monitoring unit obtains the hook plug-in corresponding to a particular event behavior from a remote plug-in interface.
Specifically, the monitoring unit monitors the event behavior triggered by the target application process; when the monitoring unit detects that the target application process has triggered an event behavior that releases a subprocess, it loads the monitoring unit for that subprocess so as to continue monitoring the event behavior triggered by the subprocess.
Specifically, the monitoring unit realizes hooking by injecting inline hooks into the subprocesses of the target application.
Preferably, the event behavior monitored by the monitoring module includes any one or more of the following behavior types: obtaining operator information, APN operations, notification-bar advertisement operations, obtaining the handset identification code, creating shortcuts, phone dialling operations, SMS insertion or deletion, contact insertion or deletion, URL access, subprocess intrusion, application loading, command operations, derivative generation, and activating the device manager.
Further, when the monitoring module detects that the target application has triggered an event behavior that generates a derivative, it obtains a treatment rule for that derivative through a remote rule-base interface and processes the derivative accordingly.
Further, the method includes the step of registering a preset interactive module as a system service; the shell application communicates with the interactive module through its built-in interactive interface, and the interactive module realizes human-machine interaction by means of user interface pop-ups.
Specifically, the shell application dynamically loads the target application by means of Java reflection calls.
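The load order described above, monitoring unit first and the unmodified target second, is the whole point of the shell application: the hooks must exist before any target code runs. The following is an added illustration of that pattern in Java, written for this page; it is not the patent's code. It assumes a hypothetical monitor entry class exposing a static `install(Context)` method, a hypothetical target entry class with a public no-arg constructor, and a hypothetical no-arg entry method on it. Real Android components (activities, services) have to be instantiated by the framework, so on a device this stands in for the loader-chaining and reflection steps only.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.lang.reflect.Method;

/**
 * Shell-application loader (added example, not the patent's code).
 * Order matters: the monitoring unit is loaded and installed first, so its hooks are in
 * place before a single instruction of the unmodified target application executes.
 */
public final class ShellLauncher {

    private ShellLauncher() {}

    /**
     * @param ctx          the shell application's own Context
     * @param monitorDex   dex/apk containing the monitoring unit (location is an assumption)
     * @param targetApk    the target application's original, unmodified installation package
     * @param monitorClass hypothetical monitor entry class exposing static install(Context)
     * @param targetEntry  hypothetical target entry class with a public no-arg constructor
     * @param targetMethod hypothetical public no-arg entry method on that class
     */
    public static Object launch(Context ctx, File monitorDex, File targetApk,
                                String monitorClass, String targetEntry,
                                String targetMethod) throws Exception {
        // The optimized-dex directory must be app-private: a world-writable location would
        // let another app substitute code for either the monitor or the target.
        File optDir = ctx.getDir("dex_opt", Context.MODE_PRIVATE);
        ClassLoader parent = ctx.getClassLoader();

        // Step 1: load the monitoring unit and let it install its hook plug-ins.
        DexClassLoader monitorLoader = new DexClassLoader(
                monitorDex.getAbsolutePath(), optDir.getAbsolutePath(), null, parent);
        Class<?> monitor = monitorLoader.loadClass(monitorClass);
        monitor.getMethod("install", Context.class).invoke(null, ctx);

        // Step 2: load the target from its original apk, so its code and configuration stay
        // untouched. Its loader's parent is the monitor's loader, so class resolution from
        // the target passes through the monitor rather than around it.
        DexClassLoader targetLoader = new DexClassLoader(
                targetApk.getAbsolutePath(), optDir.getAbsolutePath(), null, monitorLoader);
        Class<?> entry = targetLoader.loadClass(targetEntry);
        Object instance = entry.getDeclaredConstructor().newInstance();

        // Step 3: hand control to the target via reflection; from here on every event it
        // triggers passes the hooks installed in step 1.
        Method run = entry.getMethod(targetMethod);
        run.invoke(instance);
        return instance;
    }
}
```

A defender reading this should check two things in any real implementation: that `optDir` and the saved apk are never placed on external or shared storage, and that the monitor is installed before, not after, the target class loader is created, since a target class with a static initializer runs code at load time.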
Further, after an event behavior is captured, the treatment strategy for that event behavior is obtained in at least one of the following ways:
popping up an alert in the user interface and receiving a user instruction, so as to obtain the treatment strategy;
retrieving the corresponding treatment strategy from a local policy database;
sending a request to the cloud through a remote policy interface and obtaining the treatment strategy returned as feedback.
In addition, the method further comprises the step of downloading a cloud policy database and updating the local policy database, the local policy database being used to provide the treatment strategies for the particular event behaviors corresponding to specific target applications.
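The three strategy sources and the update step above combine naturally into one resolver. The following plain-Java example is added here for illustration and is not the patent's code. The order in which the sources are consulted (local database, then cloud, then pop-up) and the action names are assumptions of this example; the remote interface and the pop-up are represented by caller-supplied functions so the code runs offline with constructed data.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

/**
 * Treatment-strategy resolution for a captured event behavior (added example, not the
 * patent's code). Sources, in the order this example tries them: local policy database,
 * remote policy interface, user pop-up. The order is an assumption of this example.
 */
public final class PolicyResolver {

    public enum Action { ALLOW, BLOCK, ASK_USER }

    private final Map<String, Action> localPolicyDb = new HashMap<>();
    private final Function<String, Optional<Action>> remotePolicy; // stands in for the cloud interface
    private final Function<String, Action> userPrompt;             // stands in for the UI pop-up

    public PolicyResolver(Function<String, Optional<Action>> remotePolicy,
                          Function<String, Action> userPrompt) {
        this.remotePolicy = remotePolicy;
        this.userPrompt = userPrompt;
    }

    /** Policies are keyed per target application and per behavior type. */
    public static String key(String packageName, String behavior) {
        return packageName + "|" + behavior;
    }

    public Action resolve(String packageName, String behavior) {
        String k = key(packageName, behavior);

        // 1. Local policy database: cheapest, and it works without a network.
        Action local = localPolicyDb.get(k);
        if (local != null && local != Action.ASK_USER) {
            return local;
        }
        // 2. Remote policy interface: may be unreachable, hence Optional.
        Optional<Action> remote = remotePolicy.apply(k);
        if (remote.isPresent() && remote.get() != Action.ASK_USER) {
            localPolicyDb.put(k, remote.get()); // cache so the next occurrence needs no network
            return remote.get();
        }
        // 3. Pop-up: the user decides; the decision is remembered locally. A user answer of
        //    ASK_USER is stored too, which means "ask me every time" for this behavior.
        Action chosen = userPrompt.apply(k);
        localPolicyDb.put(k, chosen);
        return chosen;
    }

    /** The update step: merge a downloaded cloud policy database into the local one. */
    public void updateFromCloud(Map<String, Action> cloudDb) {
        localPolicyDb.putAll(cloudDb);
    }

    /** Read-only view of what the local database currently holds for a key. */
    public Action cached(String packageName, String behavior) {
        return localPolicyDb.get(key(packageName, behavior));
    }

    /** Offline demonstration with constructed data (package name and behaviors are made up). */
    public static void main(String[] args) {
        Map<String, Action> cloud = new HashMap<>();
        cloud.put(key("com.example.target", "SMS_INSERT"), Action.BLOCK);

        PolicyResolver r = new PolicyResolver(
                k -> Optional.ofNullable(cloud.get(k)), // stub remote lookup
                k -> Action.ALLOW);                      // stub user who always allows

        // First call: local DB empty, answered by the cloud stub and cached.
        System.out.println(r.resolve("com.example.target", "SMS_INSERT"));
        System.out.println(r.cached("com.example.target", "SMS_INSERT"));
        // Unknown behavior: neither source knows it, so the pop-up stub decides.
        System.out.println(r.resolve("com.example.target", "URL_ACCESS"));

        // Later download of the cloud database overrides the remembered user choice.
        Map<String, Action> downloaded = new HashMap<>();
        downloaded.put(key("com.example.target", "URL_ACCESS"), Action.BLOCK);
        r.updateFromCloud(downloaded);
        System.out.println(r.resolve("com.example.target", "URL_ACCESS"));
    }
}
```

The one design decision worth noting is that `updateFromCloud` overwrites entries the user set by hand; an implementation that wants user choices to win would keep them in a separate map consulted before the downloaded one.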
The active defense device provided by the invention includes:
a starting module, for running the corresponding shell application in response to an instruction to run a target application;
a security module, which uses the shell application to load a monitoring unit and then the target application in turn, and monitors and captures the event behavior of the target application through the monitoring unit;
a processing module, for obtaining an event behavior treatment strategy after a particular event behavior is captured, and processing the particular event behavior according to the treatment strategy.
Further, the device also includes:
a shortcut, placed in the graphical user interface, for obtaining the instruction to run the target application, the icon of the shortcut being derived by modifying the target application's default icon.
Specifically, the monitoring unit calls hook plug-ins for hooking, at run time, the particular events triggered directly or indirectly by the target application process, so as to monitor the target application.
Specifically, the monitoring unit obtains the hook plug-in corresponding to a particular event behavior from a remote plug-in interface.
Further, the monitoring unit monitors the event behavior triggered by the target application process; when the monitoring unit detects that the target application process has triggered an event behavior that releases a subprocess, it loads the monitoring unit for that subprocess so as to continue monitoring the event behavior triggered by the subprocess.
Specifically, the monitoring unit realizes hooking by injecting inline hooks into the subprocesses of the target application.
Preferably, the event behavior monitored by the monitoring module includes any one or more of the following behavior types: obtaining operator information, APN operations, notification-bar advertisement operations, obtaining the handset identification code, creating shortcuts, phone dialling operations, SMS insertion or deletion, contact insertion or deletion, URL access, subprocess intrusion, application loading, command operations, derivative generation, and activating the device manager.
Further, when the monitoring module detects that the target application has triggered an event behavior that generates a derivative, it obtains a treatment rule for that derivative through a remote rule-base interface and processes the derivative accordingly.
In addition, the device includes an interactive module registered as a system service; the shell application communicates with the interactive module through its built-in interactive interface, and the interactive module realizes human-machine interaction by means of user interface pop-ups.
Further, the security module includes a configuration module for dynamically loading the target application by means of Java reflection calls.
In addition, the treatment strategy for an event behavior is provided by one of the following strategy generating devices:
one for popping up an alert in the user interface and receiving a user instruction, so as to obtain the treatment strategy;
one for retrieving the corresponding treatment strategy from a local policy database;
one for sending a request to the cloud through a remote policy interface and obtaining the treatment strategy returned as feedback.
Further, the device also includes:
an update module, for downloading the cloud policy database and updating the local policy database, the local policy database being used to retrieve the treatment strategies for the particular event behaviors corresponding to specific target applications.
Compared with the prior art, the invention has at least the following advantages:
1. Dynamic active defense is truly realized. The invention proposes, with the target application as the basic unit, a solution for constructing its active defense environment: after a target application is found to have been installed by real-time monitoring, or after the user identifies and selects the target program for which an active defense mechanism is to be established, a shell application disguised as the target application is constructed from the target application; the shell application then loads the monitoring unit and the real target application, so that a defense mechanism is dynamically established for the target application in time, and subsequently active defense is realized by running this shell application. This process requires no ROOT authorization of the system, does not depend on network connectivity, and is independent of signature-based virus databases, so active defense of the target application program is truly realized.
2. The established active defense mechanism is safe and effective. As stated above, the invention constructs the shell application on the basis of the target application's installation package, and the installation package of the target application itself is securely preserved. Thus, on the one hand, because the code and configuration of the target application to be run are not modified, the target application can satisfy its own self-check requirements, and the shell application is regarded as the target application and exists legitimately; on the other hand, even a malicious target application that attempts to evade detection using Java reflection mechanisms can hardly escape the observation of the monitoring unit; furthermore, the monitoring unit can monitor the event behavior of the real target program, comprehensively monitoring all event behaviors of the target application in the manner of an observer and responding to the various particular event behaviors in time, breaking through the limitations of the JVM, so that calls to Java functions, JNI functions and system functions can all be monitored, which is clearly more comprehensive.
3. Fine-grained monitoring of the target application is realized. Because the monitoring unit can monitor all event behaviors of the target application and can monitor all kinds of function calls without obstruction, the invention, specific to an application, can not only monitor the concrete operating behaviors of conventional applications, such as phone, SMS and contacts, but can also monitor high-level event behaviors such as derivative generation (installation packages), privilege escalation commands and application loading; its monitoring is therefore more comprehensive, specific and effective.
From the above analysis it can be seen that the scheme proposed by the invention makes very small changes to the existing system, does not affect system compatibility, and is simple and efficient to implement.
Additional aspects and advantages of the invention will be set forth in part in the following description, and will in part become apparent from the description or be learned by practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of an exemplary embodiment of the ROOT-free active defense configuration method of the invention;
Fig. 2 is a schematic diagram of the process of configuring the original installation package into a shell application in the ROOT-free active defense configuration method of the invention;
Fig. 3 is a structural diagram of a ROOT-free active defense configuration device of the invention;
Fig. 4 is a schematic diagram of an exemplary embodiment of the active defense method of the invention;
Fig. 5 is a schematic diagram of monitoring the event behavior of the target application by running the shell application in the active defense method of the invention;
Fig. 6 is a schematic diagram of processing a captured event in the active defense method of the invention;
Fig. 7 is a structural diagram of an active defense device of the invention;
Fig. 8 is one of the user interfaces of a program example implemented according to the invention, showing the pop-up interaction after an undefended application is found;
Fig. 9 is one of the user interfaces of a program example implemented according to the invention, showing the list of scanned application programs and providing the user with a selection area for determining target applications;
Fig. 10 is one of the user interfaces of a program example implemented according to the invention, showing the default treatment strategies for all event behaviors of a single application and providing the user with options for modifying the treatment strategies;
Fig. 11 is one of the user interfaces of a program example implemented according to the invention, showing the human-machine interaction after an event behavior is intercepted, specifically interception of the event behavior of sending an SMS;
Fig. 12 is one of the user interfaces of a program example implemented according to the invention, showing the human-machine interaction after an event behavior is intercepted, specifically interception of the event behavior of inserting an SMS.
Detailed description
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural forms. It should be further understood that the wording "comprising" used in the specification of the invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may also be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The wording "and/or" as used herein includes all or any combination of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, that is, devices having only a receiver without transmitting capability, and devices with receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices with a single-line display or a multi-line display, or without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices having and/or including a radio frequency receiver. "Terminal" and "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or adapted and/or configured to operate locally and/or, in distributed form, at any other location on the earth and/or in space. "Terminal" and "terminal device" as used herein may also be communication terminals, Internet access terminals or music/video playback terminals, for example PDAs, MIDs (Mobile Internet Devices) and/or mobile phones, or smart televisions, set-top boxes and other devices with music/video playback functions.
Those skilled in the art will understand that "remote network device" as used herein includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here, a cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: one super virtual computer composed of a group of loosely coupled computers. In embodiments of the invention, communication between the remote network device, the terminal device and the WNS server can be realized by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Those skilled in the art will understand that "application", "application program", "application software" and similarly worded concepts referred to in the invention denote the same concept well known to those skilled in the art, namely computer software suitable for electronic execution that is organically constructed from a series of computer instructions and related data resources. Unless otherwise specified, this designation is not limited by the kind or level of the programming language, nor by the operating system or platform on which it runs. Naturally, this concept is not limited to any particular form of terminal either. Similarly, there is a correspondence between "target application" and "installation package" as referred to in the invention: the installation package is the file form in which the target application exists.
The ROOT-free active defense configuration method of the invention is mainly used to build a security defense environment for application programs on the operating system, so as to realize active defense without affecting the normal operation of the application programs. To this end, the invention provides an exemplary embodiment to illustrate the basic implementation of the method. Correspondingly, an application program to which the above ROOT-free active defense configuration method has been applied is run using the mechanism of that configuration method, and the invention therefore also includes an active defense method corresponding to the former. For ease of description, the following takes the Unix-like Android operating system and its application programs as an example to describe in detail the implementation of the above two methods and their related devices.
The environment to which the methods of the invention apply includes a mobile terminal capable of communicating with a remote server or cloud; the mobile terminal is provided with the Android operating system, and the system is in a state without ROOT authorization. It should be pointed out that even if the operating system is in a state after ROOT authorization, the various methods of the invention are still applicable to it. That is to say, the implementation of the various methods of the invention is not restricted by whether the operating system has opened up the highest privilege.
Referring to the schematic diagram of Fig. 1, which discloses an exemplary embodiment of the ROOT-free active defense configuration method, the method includes the following major steps:
S11: determine the target application and save its installation package to an assigned directory.
The target application is the target application program for which an active defense environment is to be constructed; specifically, for an Android system in a non-ROOT-authorized environment, and in consideration of the permission restrictions, this generally applies to third-party applications.
The assigned directory referred to in the invention is a custom default directory which the invention provides, for reasons of file organization and management efficiency, for the applications that need an active defense environment constructed. The installation packages of all target applications for which the invention establishes an active defense environment can be moved or copied into the assigned directory, and may further be encrypted or hidden to ensure their security. It should be pointed out that the assigned directory here can also be a directory that already exists in the system, and it can be a single directory or multiple directories. In general, for the purposes of the invention, it is the directory for storing the installation packages of the target applications for which the invention constructs an active defense environment.
The determination and handling of the target application is very flexible; several implementation modes for determining the target application and for the subsequent handling are presented below:
Mode one:
For the application program for having completed to install, the present invention can be controlled to these automatically or by user instruction Application program is installed to be scanned, the mount message of these application programs is obtained, should using these application programs as candidate target With list display in the user interface (refer to Fig. 9), each in the corresponding indicating area of graphic user interface for list Candidate target application provides corresponding selecting switch, these on off states is set by user, so as to obtain user couple The determination of objectives application.Specifically, user can open the selection in the indicating area corresponding to certain intended application Close, never selected state switches to selected state, " monitoring ", " clicking on monitoring " the two condition switch example, this feelings in such as Fig. 9 Under condition, you can be considered as user and complete to the determination of intended application operation.
As is well known, in the Android system the installation of a third-party application involves the following directories: data/app, the installation directory for third-party applications, into which the apk file is first copied during installation; data/dalvik-cache, under which the code file (.dex file) unpacked from the apk is installed; and data/data, for establishing and storing the data required by the application. From this it follows that the apk file of a third-party application is its installation package, and that the installation package can be found in data/app. Therefore, for an installed target application, the corresponding apk file can be copied from data/app into the designated directory, and the target application then uninstalled.
Mode two:
Referring to Fig. 8, for an application that is about to be installed or is being installed, the invention registers itself as the default installer and thereby obtains the installation broadcast message of that application. Then, taking this newly installed application as the target application, the characteristic information of its installation package, its signature or the like is sent through the remote rule base interface to the cloud server, and the cloud server makes a security judgement on it. In one embodiment, the cloud server sets three security levels for applications, black, grey and white, representing different degrees of danger, and sets a corresponding handling rule for each. For example, a black application is forbidden to install, a grey application is left to the user's own choice, and a white application may be installed directly. Of course, this can be further simplified to two levels, grey and white, or to black and white. This cloud-server control technique is familiar to those skilled in the art and will be further disclosed in the subsequent summary. In any case, the invention obtains through the local remote rule base interface the cloud server's feedback on the handling rule for these applications, and performs the corresponding subsequent handling according to the feedback result. Specifically, when a black application identifier is returned for the current target application, the installation of the target application can be stopped immediately; when a white or grey application identifier is returned, the installation can be allowed. For the sake of interactivity, after the remote judgement is completed, the invention pops up the judgement result on the user interface as a reminder, together with the corresponding handling advice, and asks the user whether to construct an active defense environment for the current newly installed application; once the user confirms that active defense is to be applied to the current newly installed target application, that target application is determined.
Likewise, after the user determines the target application, the invention stores the installation package of the target application in the designated directory. In addition, in view of the subsequent construction of an active defense environment for the determined target application, the invention may immediately stop the installation of the target application; this stopping of the installation may occur either before or after the user determines the target application.
Other flexible modes:
The two typical modes for determining the target application given above can be varied by those skilled in the art. For example, an application already installed under mode one may also be sent to the cloud through the remote rule base interface for a security-level judgement as in mode two, and after the result is returned, the installed application is handled with reference to the handling of mode two. As another example, if the current application is a black application but the user still wishes to install it, the user may still be allowed to keep the installed application, or to let the corresponding newly installed application continue installing, on the premise that an active defense environment is established.
From the two typical modes for determining the target application and their variations disclosed above, those skilled in the art are able to grasp the various approaches involved in determining the target application in the first step of the active defense configuration method of the invention, as well as the various implementations of obtaining the installation package of the determined target application and storing it in the designated directory.
S12, configuring the installation package of the shell application using the installation package of the target application.
After the target application that needs an active defense environment has been determined, the shell application is created. Referring to Fig. 2, the creation of the shell application comprises the following specific steps:
S121, parsing the target application installation package and generating a shell application image.
As is well known, the target application installation package is a compressed file; decompressing it yields the files inside. Preferably, the target application installation package is decompressed into a temporary directory. After decompression, each file in the target application installation package can be parsed. Alternatively, the target application installation package may be parsed directly in memory. In any case, those skilled in the art can parse the target application in a known manner to obtain the relevant parameters and resources for configuring the shell application, and generate the shell application image accordingly. The image may be a disk image or a memory image; its function is to appear as an intermediate state in the process of constructing the shell application, so its specific form of existence does not affect the realisation of the invention, and those skilled in the art can apply it flexibly in combination with common knowledge; this is not repeated below.
S122, modifying or replacing the code file in the image to inject the stub program.
As is known, the configuration files of an apk installation package include the code file Classes.dex. In the invention, by modification or replacement, a new Classes.dex is constructed for the shell application image, and the new file contains the stub program nStub provided by the invention. The stub program, by loading the monitoring unit 14 implemented with HOOK techniques, enables the monitoring unit 14 at run time to monitor and capture the event behaviours of the process created by the target application 15.
S123, modifying the configuration parameters of the configuration file in the image so as to load the target application 15 in the designated directory.
Likewise, the configuration files of the installation package include the configuration file AndroidManifest.xml. This file is modified, correspondingly modifying the configuration information about the target application 15 in the shell application image, so that it is adapted to load the target application 15 in the designated directory. In addition, using the Java reflection calling mechanism, the invention replaces by reflection the configuration information that LoadApk and ActivityThread involve at run time with the ClassLoader and resources of the installation package of the target application 15 in the designated directory, so that the shell application loads the target application 15 at run time.
In addition, the icon, as a resource available for human identification, is also modified in the invention as one of the configuration files. To make the icon easier to recognise, the invention takes the original icon of the target application 15 as a draft, adds a badge to it, and saves the result under the old file name in place of the original icon; in this way, after the shell application is installed, the user can recognise from the badge that it is the defense application. A given target application 15 may include several icon resources; only the home-screen icon used by the target application 15 may be modified, or several or all of the icons it includes may be modified in the same way.
S124, completing the packaging of the shell application.
This sub-step is a conventional step known to those skilled in the art. After the above modifications are completed, the shell application image is packaged and signed, and the packaging of the shell application is complete. For signing, with reference to known means, the handset identification code IMEI may be used, or a random code may be used for signing.
Through the above four sub-steps, the corresponding shell application installation package can be constructed on the basis of the installation package of the target application 15. It will be appreciated that the shell application is a lightweight application of small size; its function is mainly embodied in the monitoring unit 14 and in loading that unit before the target application 15. At run time, the stub program first loads the monitoring unit 14, which after loading begins hooking all or a specified part of the event behaviours of the subsequently loaded target application 15, which effectively hands control of the event behaviours of the target application 15 to the monitoring unit 14.
It should be pointed out that the monitoring unit 14 obtains, from a background sandbox HOOK framework, the hook plug-ins corresponding to specific event behaviours, and uses these hook plug-ins to monitor the specific event behaviours of the target application 15. The background sandbox HOOK framework is managed centrally in the cloud and distributed to each terminal. The cloud mainly constructs a Java hook plug-in library and a Native hook plug-in library. The monitoring unit 14 can send a request to the background sandbox HOOK framework through a remote plug-in interface to obtain the HOOK function for a particular event behaviour, that is, the hook plug-in, and thereby establish the monitoring, capture and handling of that event behaviour.
Since the loading of the monitoring unit 14 and of the target application 15 is driven by the shell application process, and the monitoring unit 14 is loaded before the target application 15, the monitoring unit 14 can in theory establish monitoring of all event behaviours of the target application 15. Several typical event behaviours and examples of their capture are summarised below:
(1) Terminal and network-related operations:
Obtaining operator information: the target application 15 can, for example, obtain the IMSI of the mobile terminal through the getSimOperatorName() function, from which the operator's name can be determined, and can then send subscription instructions to the operator to achieve illegal ends such as fee deduction. The monitoring platform can capture this event behaviour by hooking the messages related to it.
Switching APN operation: likewise, the target application 15 realises APN switching control through the APN-related functions, which the monitoring unit 14 can also monitor by calling the corresponding hook plug-in.
Similar operations, including obtaining the handset identification code IMEI, are handled in the same way as above.
(2) Notification advertisement operation: notification advertisements are the means most easily exploited by rogue programs. The monitoring unit 14 calls the corresponding hook plug-in to monitor the event messages generated by the notify functions, and can thereby monitor them.
(3) Communication operations:
For a phone dialling operation, the event behaviour of dialling can be monitored through the startActivity() function; with the corresponding hook plug-in, event behaviour monitoring of the dialling operation can be established.
Short message operations correspond to functions such as sendTextMessage(); likewise, event behaviour monitoring of this class of function can be established through hook plug-ins.
Contact operations generally correspond to the query() and insert() functions; by hooking this class of function with hook plug-ins, the monitoring unit 14 can monitor and capture such event behaviours.
(4) Command operations:
Operations such as su privilege escalation or command execution all require the execve() function; by monitoring the return messages of this function, the monitoring unit 14 can monitor such event behaviours.
(5) Interface and access operations:
The event behaviour of creating a shortcut, for example, corresponds to the sendBroadcast() function. Similarly, the operation of hiding the program icon can also be mapped to a specific function and monitored.
HTTP network access operations correspond to functions such as sendto() and write().
(6) Process operations:
Application loading operations, for example, refer to the current target application 15 loading a related application; by hook-monitoring functions such as DexClassLoader and loadLibrary(), such event behaviours can be captured.
Installing an attached package, as another example, corresponds to the startActivity() function.
(7) Other risky operations:
For example, subprocess injection, derived-file operations, activating the device administrator and the like, each of which corresponds to its own specific function.
Here, a subprocess refers to a subprocess established by the target application 15. When the target application 15 creates a subprocess, the monitoring unit 14 receives the corresponding message and identifies its event behaviour as creating a subprocess. The monitoring unit 14 then further implants a monitoring unit 14 into that subprocess by way of inline hooking, so that it can subsequently continue to monitor the event behaviours of the subprocess. Thus, whether for the target application's own process or for the subprocesses it creates, the event behaviours they trigger directly or indirectly can all be monitored by the monitoring unit 14 of the invention, making the active defense more thorough.
The derived file refers to a file created by the target application 15 itself or downloaded remotely, generally a sensitive derived file such as an installation package. This event can be captured by hooking the fclose() function. It should be pointed out that after the monitoring unit 14 captures this event behaviour, it can further send a request to the cloud through the remote rule base interface in the manner previously described; the cloud judges the security level of the derived file using its black, white and grey security-level behaviour rules, and after obtaining the cloud's judgement result through the remote rule base interface, the invention further pops up a query asking the user whether to establish active defense for the sensitive derived file, thereby further consolidating the effect of the active defense.
The event behaviours listed above are merely examples and must not be construed as limiting the event behaviours monitored by the invention. From the above description and classification of event behaviours, it can be understood that the monitoring unit 14 of the invention can monitor event behaviours originating from the target application 15, or triggered directly or indirectly by the target application 15.
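The event classes (1) to (7) above, together with the two follow-up actions the text describes (re-implanting the monitor into a created subprocess, and sending a sensitive derived file to the cloud rule base for a black/grey/white verdict as in mode two), as an added Python model that is not code from the patent. The event records, argument names, the intent constants used to tell one startActivity() behaviour from another, and the rule-base callback are constructed assumptions for illustration.

```python
"""Model of the monitoring unit 14 dispatching hook plug-in callbacks into the
seven event-behaviour classes described above. Added example, not the patent's
code: event records, argument names and the rule-base callback are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class HookEvent:
    pid: int                            # process in which the hooked call fired
    func: str                           # hooked function name reported by the plug-in
    args: Dict[str, object] = field(default_factory=dict)  # constructed argument view

@dataclass
class Capture:
    category: str                       # terminal / notification / communication / ...
    behaviour: str                      # concrete event behaviour recognised
    pid: int

# Stand-in for the remote rule base interface: file hash -> "black" / "grey" / "white".
RuleBase = Callable[[str], str]

APK_MIME = "application/vnd.android.package-archive"
ADD_DEVICE_ADMIN = "android.app.action.ADD_DEVICE_ADMIN"
INSTALL_SHORTCUT = "com.android.launcher.action.INSTALL_SHORTCUT"
CALL_ACTIONS = ("android.intent.action.CALL", "android.intent.action.DIAL")

class MonitoringUnit:
    def __init__(self, rule_base: RuleBase, root_pid: int):
        self.rule_base = rule_base
        self.monitored: Set[int] = {root_pid}   # the shell process hooks the target first
        self.captures: List[Capture] = []
        self.user_queries: List[str] = []       # pop-up questions handed to the system service

    def classify(self, ev: HookEvent) -> Optional[Capture]:
        f, a = ev.func, ev.args
        cat = beh = None
        if f in ("getSimOperatorName", "getDeviceId"):
            cat, beh = "terminal", "read operator/IMEI identity"
        elif f == "notify":
            cat, beh = "notification", "post notification"
        elif f == "sendTextMessage":
            cat, beh = "communication", "send SMS"
        elif f in ("query", "insert") and "contacts" in str(a.get("uri", "")):
            cat, beh = "communication", "contacts " + f
        elif f == "startActivity":          # one hook, several behaviours: split on the intent
            action, mime = a.get("action"), a.get("type")
            if action in CALL_ACTIONS:
                cat, beh = "communication", "dial phone"
            elif action == "android.intent.action.VIEW" and mime == APK_MIME:
                cat, beh = "process", "install attached package"
            elif action == ADD_DEVICE_ADMIN:
                cat, beh = "other", "activate device administrator"
        elif f == "execve":
            argv = [str(x) for x in a.get("argv", [])]
            is_su = bool(argv) and argv[0].rsplit("/", 1)[-1] == "su"
            cat, beh = "command", "su privilege escalation" if is_su else "execute command"
        elif f == "sendBroadcast" and a.get("action") == INSTALL_SHORTCUT:
            cat, beh = "interface", "create shortcut"
        elif f in ("sendto", "write") and a.get("fd_kind") == "socket":
            cat, beh = "interface", "network access"   # plain file writes are not captured
        elif f in ("DexClassLoader", "loadLibrary"):
            cat, beh = "process", "load code"
        elif f in ("fork", "clone"):
            cat, beh = "other", "create subprocess"
        elif f == "fclose" and str(a.get("path", "")).endswith(".apk"):
            cat, beh = "other", "sensitive derived file"
        return None if cat is None else Capture(cat, beh, ev.pid)

    def handle(self, ev: HookEvent) -> Optional[Capture]:
        if ev.pid not in self.monitored:
            return None                     # no hook plug-in lives in that process
        cap = self.classify(ev)
        if cap is None:
            return None
        self.captures.append(cap)
        if cap.behaviour == "create subprocess":
            # re-implant the monitor into the child (inline hook) so it stays observable
            self.monitored.add(int(ev.args["child_pid"]))
        elif cap.behaviour == "sensitive derived file":
            verdict = self.rule_base(str(ev.args.get("sha256", "")))
            self.user_queries.append(
                f"derived file {ev.args['path']} judged {verdict}: set up active defense for it?")
        return cap

def run_demo() -> MonitoringUnit:
    """Replay a constructed event sequence through the unit and return it."""
    rules: RuleBase = lambda h: "black" if h == "ffff0000" else "grey"  # constructed verdicts
    mu = MonitoringUnit(rules, root_pid=100)
    events = [
        HookEvent(100, "getSimOperatorName"),
        HookEvent(100, "fork", {"child_pid": 101}),
        HookEvent(101, "execve", {"argv": ["/system/xbin/su", "-c", "id"]}),
        HookEvent(101, "fclose", {"path": "/sdcard/Download/update.apk", "sha256": "ffff0000"}),
        HookEvent(100, "startActivity", {"action": "android.intent.action.VIEW", "type": APK_MIME}),
        HookEvent(100, "write", {"fd_kind": "file"}),         # ordinary file write: ignored
        HookEvent(200, "sendTextMessage", {"dest": "10086"}),  # foreign process: not hooked
    ]
    for ev in events:
        mu.handle(ev)
    return mu
```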
The file name of the shell application installation package of the invention is identical to the file name of the installation package of the target application 15; the shell application therefore constitutes a disguised counterpart of the target application 15. The shell application is small and its construction is fast, and its construction and running are relatively transparent to the user, so that constructing the active defense environment has essentially no effect on the installation and running efficiency of the target application 15.
In addition, to facilitate user interaction, the invention also equips the shell application with an interactive interface. Through this interface the shell application can send messages to a pre-registered system service, which pops up a query on the user interface asking for the user's instruction; after obtaining the user instruction, the system service returns it to the process of this shell application, and the shell application then performs the series of subsequent handling described above according to the user instruction. This subsequent handling is disclosed in detail in the part concerning the active defense method.
S13, installing the shell application.
After the construction of the shell application is completed, the invention installs the shell application; the target application 15 is then provided with the active defense environment described above. When the user runs the target application 15, what actually runs is the shell application with the identical file name, and once the shell application runs, active defense for the target application 15 is realised.
Because the environment in which the method of the invention applies is one without ROOT authorisation, in which some permissions are restricted, if the installed target application 15 has not yet been uninstalled, an interface for uninstalling the target application 15 is first popped up to guide the user to uninstall it; then an interface for installing the shell application is popped up to guide the user to install the shell application. Of course, if the system has ROOT authorisation, the method of the invention can directly uninstall the old application and then install the shell application.
It should further be emphasised that the sub-step of uninstalling the target application 15 mentioned earlier can, as described in this step, be deferred to later handling as needed; the point in time at which it is uninstalled does not affect the realisation of the method of the invention.
The above merely illustrates the active defense configuration method of the invention; further, a corresponding active defense configuration device can be built using this active defense configuration method.
Referring to Fig. 3, the root-free active defense configuration device of the invention corresponds strictly to the configuration method above and comprises a determining device 11, a constructing device 12 and an installing device 13, which are described specifically as follows:
The determining device 11 is used to determine the target application 15 and to store the installation package of the target application 15 in the designated directory.
The target application 15 is the program that needs an active defense environment constructed for it, specifically on an Android system in an environment without ROOT authorisation; because of the permission limits, this generally applies to third-party applications.
The designated directory referred to in the invention is a custom default directory that the invention provides, out of consideration for file organisation and management efficiency, for the target applications that need an active defense environment constructed for them. The installation packages of all target applications 15 for which the invention establishes an active defense environment can be moved or copied into the designated directory, and may further be encrypted or hidden to ensure their security. It should be pointed out that the designated directory here may also be a directory that already exists in the system, and it may be a single directory or several directories. In general, it is a directory built by the invention for storing the installation packages of the target applications 15 for which the invention constructs an active defense environment.
The construction of the determining device 11 is very flexible; several implementations of the determining device 11 are given below:
Mode one:
For application programs whose installation has already been completed, the invention, automatically or under user instruction, scans these installed applications and obtains their installation information, and a selecting unit displays them as a list of candidate target applications 15 in the user interface as shown in Fig. 9. In the indicating area of the graphical user interface corresponding to each candidate target application 15 in the list, a selection switch is provided; the user sets the states of these switches, and the user's determination of a particular target application 15 is obtained from them. Specifically, the user switches the selection switch in the indicating area corresponding to a certain target application 15 from the unselected state to the selected state; in this case the user can be regarded as having completed the determination operation for that target application 15.
As is well known, in the Android system the installation of a third-party application involves the following directories: data/app, the installation directory for third-party applications, into which the apk file is first copied during installation; data/dalvik-cache, under which the code file (.dex file) unpacked from the apk is installed; and data/data, for establishing and storing the data required by the application. From this it follows that the apk file of a third-party application is its installation package, and that the installation package can be found in data/app. Therefore, for an installed target application 15, the invention further constructs a processing unit for the determining device 11, which copies the corresponding apk file from data/app into the designated directory and then uninstalls the target application 15.
Mode two:
Referring to Fig. 8, for an application that is about to be installed or is being installed, the invention registers itself as the default installer, and a selecting unit obtains the installation broadcast message of that application. Then, taking this newly installed application as the target application 15, the characteristic information of its installation package, its signature or the like is sent through the remote rule base interface to the cloud server, and the cloud server makes a security judgement on it. In one embodiment, the cloud server sets three security levels for applications, black, grey and white, representing different degrees of danger, and sets a corresponding handling rule for each. For example, a black application is forbidden to install, a grey application is left to the user's own choice, and a white application may be installed directly. Of course, this can be further simplified to two levels, grey and white, or to black and white. This cloud-server control technique is familiar to those skilled in the art and is not repeated here. In any case, the invention obtains through the local remote rule base interface the cloud server's feedback on the handling rule for these applications, and performs the corresponding subsequent handling according to the feedback result. Specifically, when a black application identifier is returned for the current target application 15, the installation of the target application 15 can be stopped immediately; when a white or grey application identifier is returned, the installation can be allowed. For the sake of interactivity, after the remote judgement is completed, the invention pops up the judgement result on the user interface as a reminder, together with the corresponding handling advice, and asks the user whether to construct an active defense environment for the current newly installed application; once the user confirms that active defense is to be applied to the current newly installed target application 15, that target application 15 is determined.
Likewise, after the user determines the target application 15, the invention stores the installation package of the target application 15 in the designated directory. In addition, in view of the subsequent construction of an active defense environment for the determined target application 15, the invention may immediately stop the installation of the target application 15 through a processing unit; this stopping of the installation may occur either before or after the user determines the target application 15.
Other flexible modes:
The two typical modes for determining the target application 15 given above can be varied by those skilled in the art. For example, an application already installed under mode one may also be sent to the cloud through the remote rule base interface for a security-level judgement as in mode two, and after the result is returned, the installed application is handled with reference to the handling of mode two. As another example, if the current application is a black application but the user still wishes to install it, the user may still be allowed to keep the installed application, or to let the corresponding newly installed application continue installing, on the premise that an active defense environment is established.
From the two typical arrangements of the determining device 11 and their variations disclosed above, those skilled in the art are able to grasp the various approaches involved in determining the target application 15 in the determining device 11 of the active defense configuration device of the invention, as well as the various implementations of obtaining the installation package of the determined target application 15 and storing it in the designated directory.
The constructing device 12 configures the installation package of the shell application using the installation package of the target application 15.
After the target application 15 that needs an active defense environment has been determined, the shell application is created. The constructing device 12 includes a parsing unit, a code unit, a configuration unit and a packaging unit; the functions of these units are disclosed in detail below:
The parsing unit is used to parse the installation package of the target application 15 and generate the shell application image.
As is well known, the installation package of the target application 15 is a compressed file; decompressing it yields the files inside. Preferably, the installation package of the target application 15 is decompressed into a temporary directory. After decompression, each file in the target application installation package can be parsed. Alternatively, the target application installation package may be parsed directly in memory. In any case, those skilled in the art can parse the target application in a known manner to obtain the relevant parameters and resources for configuring the shell application, and generate the shell application image accordingly.
The code unit is used to modify or replace the code file in the image in order to inject the stub program.
As is known, the configuration files of an apk installation package include the code file Classes.dex. In the invention, by modification or replacement, a new Classes.dex is constructed, and the new file contains the stub program nStub provided by the invention. The stub program, by loading the monitoring unit 14 implemented with HOOK techniques, enables the monitoring unit 14 at run time to monitor and capture the event behaviours of the process created by the target application 15.
The configuration unit is used to modify the configuration parameters of the configuration file in the image so as to load the target application 15 in the designated directory.
Likewise, the configuration files of the installation package include the configuration file AndroidManifest.xml. This file is modified, correspondingly modifying the configuration information about the target application 15 in the shell application image, so that it is adapted to load the target application 15 in the designated directory. In addition, using the Java reflection calling mechanism, the invention replaces by reflection the configuration information that LoadApk and ActivityThread involve at run time with the ClassLoader and resources of the installation package of the target application 15 in the designated directory, so that the shell application loads the target application 15 at run time.
In addition, the icon, as a resource available for human identification, is also modified in the invention as one of the configuration files. To make the icon easier to recognise, the invention takes the original icon of the target application 15 as a draft, adds a badge to it, and saves the result under the old file name in place of the original icon; in this way, after the shell application is installed, the user can recognise from the badge that it is the defense application. A given target application 15 may include several icon resources; only the home-screen icon used by the target application 15 may be modified, or several or all of the icons it includes may be modified in the same way.
The packaging unit is used to complete the packaging of the shell application.
The function of the packaging unit will be understood by those skilled in the art. After the above modifications are completed, the shell application image is packaged and signed, and the packaging of the shell application is complete. For signing, with reference to known means, the handset identification code IMEI may be used, or a random code may be used for signing.
By executing the constructing device 12, the corresponding shell application installation package can be constructed on the basis of the installation package of the target application 15. It will be appreciated that the shell application is a lightweight application of small size; its function is mainly embodied in the monitoring unit 14 and in loading that unit before the target application 15. At run time, the stub program first loads the monitoring unit 14, which after loading begins hooking all or a specified part of the event behaviours of the subsequently loaded target application 15, which effectively hands control of the event behaviours of the target application 15 to the monitoring unit 14.
It should be pointed out that the monitoring unit 14 obtains, from a background sandbox HOOK framework, the hook plug-ins corresponding to specific event behaviours, and uses these hook plug-ins to monitor the specific event behaviours of the target application 15. The background sandbox HOOK framework is managed centrally in the cloud and distributed to each terminal. The cloud mainly constructs a Java hook plug-in library and a Native hook plug-in library. The monitoring unit 14 can send a request to the background sandbox HOOK framework through a remote plug-in interface to obtain the HOOK function for a particular event behaviour, that is, the hook plug-in, and thereby establish the monitoring, capture and handling of that event behaviour.
Due to the loading of monitoring unit 14 and intended application 15, it is shell application process and is driven, and monitoring unit 14 Loaded prior to intended application 15, thus, monitoring unit 14 can be set up to intended application 15 all event behaviors in theory Monitoring.
Event behavior in Initiative Defense configuration device for the present invention handled by monitoring unit 14, due to above-mentioned master Dynamic defence collocation method has tight correspondence, therefore does not repeat.
Similarly, the filename complete of the installation kit of the filename of shell application installation package of the invention and intended application 15 Cause, thus, it will be seen that shell application constitutes the camouflage applications of intended application 15.Shell application small volume, its construction process More rapid, construction and running are relatively transparent for a user, have substantially no effect on when carrying out Initiative Defense environment construction The installation and operation efficiency of intended application 15.
Additionally, for the ease of realizing user mutual, the present invention is also equipped with an interactive interface for shell application, by the interaction Interface, can send message to the system service of pre-registration, by system service to user interface pop-up inquiry user instruction, be System service obtaining the process of this shell application of return to after user instruction, shell application according to user instruction can do it is foregoing alleged by Serial subsequent treatment, this subsequent processing section will subsequently be related to the active defense method part to carry out detailed announcement.
The installation apparatus 13 is used to install the shell application.
After the shell application is complete, installation apparatus 13 is executed to install the shell application directly. After installation, intended application 15 is provided with the active-defence environment described above: when the user runs intended application 15, the shell application with the identical file name is run instead, and once the shell application is running, active defence of intended application 15 is realised.
Because the method of the present invention operates in an environment without ROOT authorisation, where system authority is partly limited, if intended application 15 has not been uninstalled, an interface for uninstalling intended application 15 is popped up first to guide the user to uninstall it; then an interface for installing the shell application is popped up to guide the user to install the shell application. Of course, if the system has obtained ROOT authorisation, the method of the present invention can directly uninstall the old application and then install the shell application.
It should further be emphasised that the sub-step of uninstalling intended application 15 referred to above may, as described in this step, be performed as needed in subsequent treatment; the time at which it is uninstalled does not affect the realisation of the method of the present invention.
The present invention constructs an active-defence environment for an application program in the foregoing method and apparatus. On this basis, from the perspective of program execution, it further provides an active-defence method and an active-defence device.
Referring to Fig. 4, the active-defence method of the present invention is a concrete application of the active-defence environment built by the foregoing active-defence configuration method; it is based on an intended application 15 for which the active-defence environment has been configured and provides security protection to that intended application 15. With reference to Fig. 7, the method comprises the following steps:
S31: respond to an instruction to run intended application 35 by running the corresponding shell application.
As explained in the foregoing configuration method, once the shell application is installed, its file name is identical to that of the original intended application 35, so it disguises itself as intended application 35. When the user runs intended application 35, the shortcut pointed to by the desktop icon in fact runs the shell application disguised in advance, so the user's tap on the user interface constitutes the instruction to run the shell application. It should be pointed out that the instruction to run intended application 35 is not limited to being triggered by the user; it also includes the loading instructions mentioned earlier that are executed by an application program, by a timed task, or by other well-known means in the form of a function call. The shell application is a light application that can be quickly loaded into memory and run, and its start-up process is transparent to the user.
The icon of the shell application is derived from the default icon of intended application 35, usually by adding a stamp graphic to that default icon; visually, this may also serve as a warning.
Once an instruction to run intended application 35 is produced, the present invention responds by immediately loading the shell application into the JAVA virtual machine and running it.
S32: the loading procedure of the shell application.
As described in the foregoing configuration method, the code file Classes.dex of the shell application of the present invention is configured with a stub module nstub, through which the monitoring module can be loaded; the configuration parameters in its configuration file Androidmanifest.xml have been modified, following the Java reflection call principle, so that it is adapted to load the intended application 35 stored in the specified directory. In addition, adaptive modifications have been made to the runtime configuration parameters of intended application 35 to ensure that intended application 35 can run normally.
Therefore, referring to Fig. 5, after the shell application runs, as disclosed in step S321, the stub module first calls and loads monitoring unit 34. Monitoring unit 34 obtains the hook plug-ins corresponding to specific event behaviours from a background sandbox HOOK framework and uses them to hook and monitor the particular event behaviours of intended application 35. The background sandbox HOOK framework is managed centrally in the cloud and distributed to each terminal; the cloud mainly provides a Java hook plug-in library and a Native hook plug-in library. When monitoring unit 34 needs to hook a specific event behaviour, it sends a request to the background sandbox HOOK framework through a remote plug-in interface and obtains the HOOK function for that particular event behaviour, i.e. the hook plug-in, by which it establishes the monitoring, capture and treatment of the particular event behaviour.
Then, as disclosed in step S322, the running shell application further loads the intended application 35 located in the specified directory. As stated earlier, intended application 35 is called by the known Java reflection call mechanism: within the process of the shell application, the configuration information involved in LoadApk and ActivityThread at run time is replaced by reflection with the ClassLoader and resources of the installation package of intended application 35 in the specified directory, thereby loading intended application 35.
As step S323 shows, by the time intended application 35 is loaded, monitoring unit 34 has already established monitoring using the hook plug-ins, so all event behaviours of intended application 35 fall within the monitoring range of monitoring unit 34. The installation package of intended application 35 is complete and unmodified; therefore, once loaded by the shell application, intended application 35 can run completely legally and normally, realising all the functions it could originally realise.
Because the loading of monitoring unit 34 and of intended application 35 is driven by the shell application process, both being part of that process, and monitoring unit 34 is loaded before intended application 35, the running monitoring unit 34 establishes monitoring over all event behaviours of intended application 35. The event message of any event behaviour produced while intended application 35 runs can be captured by monitoring unit 34 and treated accordingly.
S33: the treatment process after an event behaviour is captured.
With reference to Fig. 6, step S331 shows that a particular event behaviour produced by intended application 35 is captured by monitoring unit 34: essentially, when the particular event behaviour is triggered, the event message it produces is captured by the corresponding hook plug-in (hook function) in monitoring unit 34. Capturing the event message reveals the intention of the event, after which the subsequent treatment can be carried out.
Step S332 shows that, to treat the particular event behaviour, an event-behaviour treatment strategy must be obtained. In this sub-step, a human-computer interaction function can further be realised through a system service. To achieve the interaction, the present invention registers an interactive module in advance as a system service; the shell application can communicate with the interactive module through its interactive interface, so that the shell application obtains the user's instruction or a preset instruction.
The ways of obtaining the event-behaviour strategy are varied and flexible. Several strategies, which the present invention uses individually or in any combination, are listed below:
(1) After monitoring unit 34 captures the particular event behaviour, it sends a request to the interactive module through the built-in interactive interface of the shell application, and the interactive module pops up a prompt on the user interface asking the user for the treatment strategy, as illustrated in Figs. 11 and 12. The pop-up interface can directly inform the user of the content of the event behaviour and its risk, and the user selects the corresponding option as the treatment strategy. After the user selects and confirms an option, the interactive module obtains the treatment strategy for the particular event behaviour and feeds it back to monitoring unit 34, which then carries out the next step of treatment on the corresponding event behaviour of intended application 35 according to the user's instruction.
(2) When an event behaviour acknowledged as relatively low-risk occurs, such as a read-only operation on contacts, or when the user has configured the present invention to retrieve on its own the treatment strategy to be taken for a particular event behaviour, the present invention retrieves the treatment strategy for the particular event behaviour from a local policy database. For example, as shown in Fig. 10, the default treatment strategies for all event behaviours of a given application can be presented in the form of a list. That is, the local policy database establishes the association between particular event behaviours and their corresponding treatment strategies, and stores the record data of these correspondences for the present invention to retrieve. After obtaining the corresponding treatment strategy from the local policy database, the present invention can carry out the next step of treatment on the corresponding event behaviour.
(3) If the user has configured the present invention with the option of obtaining treatment strategies remotely; or if, by default, the strategy may be obtained remotely when the local policy database has no specific strategy for the particular event behaviour; or if an interaction was carried out as in case (1) but no response from the user to the pop-up was obtained within the specified time limit; then the shell application can send a request, through its built-in remote policy interface, to the pre-configured cloud to obtain the treatment strategy corresponding to the particular event behaviour, for use in subsequent treatment.
It should be pointed out that the three ways of obtaining a treatment strategy described above can be used in combination. For example, once the interactive module receives the features of the event message sent by monitoring unit 34, it can, according to default settings, first search the local policy database as in way (2) to obtain the system-recommended treatment strategy (if none can be obtained from the local policy database, it can even be obtained from the cloud policy database as in way (3)). Then, as in way (1), the pop-up interface presents the system-recommended treatment strategy as the default option. If the user does not confirm the default option within the specified time limit, subsequent instructions are executed according to the system-recommended treatment strategy; if the user changes it to a new option, the treatment strategy set by the user is returned to monitoring unit 34. It can be seen that the interaction process can be realised flexibly and freely.
The local policy database may be a copy of the cloud policy database; therefore, the present invention provides an update step for downloading the cloud policy database in order to update the local policy database.
Generally, the strategy for a particular event behaviour can be set to one of three common options, "refuse", "run" and "ask", whose specific meanings are:
Refuse: for the particular event behaviour, a fake message indicating that the event behaviour has been completed is sent to intended application 35, so as to prevent the event behaviour from actually occurring;
Run: no change is made to the particular event behaviour; the corresponding event message is forwarded directly to the system message mechanism, allowing intended application 35 to continue its event behaviour;
Ask: either independently or in conjunction with one of the two foregoing options, the state of the particular event behaviour is marked as unknown, and the user is asked again by pop-up the next time the behaviour recurs.
In practical application, the "ask" option can be omitted; it is only necessary to decide whether to refuse or allow the current event behaviour.
The event behaviours are varied and specifically include the following major types:
(1) Terminal and networking-related operations:
Obtaining operator information: intended application 35 can, for example, obtain the IMSI of the mobile terminal through the getSimOperatorName() function, from which the name of the operator can be determined, and can then send a subscription instruction to the operator to achieve illegal purposes such as fee deduction. By hooking the related messages, the monitoring platform can capture this event behaviour.
APN switching operations: similarly, intended application 35 performs APN switching control through APN-related functions, which monitoring unit 34 can likewise monitor by calling the corresponding hook plug-in.
Similar operations, including obtaining the handset identification code IME, are handled in the same way as above.
(2) Notification advertisement operations: notification advertisements are the means most easily exploited by rogue programs. Monitoring unit 34 monitors the event messages produced by notify functions by calling the corresponding hook plug-in, so these can also be monitored.
(3) Communication operations:
For phone dialling operations, the event behaviour of dialling a phone number can be monitored through the StartActivity() function; using the corresponding hook plug-in, event-behaviour monitoring of phone dialling operations can be established.
Short message operations correspond to functions such as SendTextMessage(); similarly, event-behaviour monitoring of such functions can be established with a hook plug-in.
Contact operations generally correspond to the Query() and Insert() functions; by hooking such functions with hook plug-ins, monitoring unit 34 can capture such event behaviours.
(4) Command operations:
Operations such as SU privilege escalation or command execution both require the Execve() function; by monitoring the return messages of this function, monitoring unit 34 can monitor such event behaviours.
(5) Interface and access operations:
The event behaviour of creating a shortcut, for example, corresponds to the SentBroacast() function. Similarly, the operation of hiding a program icon can be monitored through its corresponding specific function.
HTTP network access operations correspond to functions such as Sentto() and Write().
(6) Process operations:
Application loading operations, for example, refer to the current intended application 35 loading a related application; by hooking and monitoring functions such as dexclassloader() and loadlibrary(), such event behaviours can be captured.
Installing a sub-package, as another example, corresponds to the StartActivity() function.
(7) Other risky operations:
For example, sub-process intrusion operations, derivative-file operations, device-manager activation operations and the like, which correspond respectively to.
Here, a sub-process refers to a sub-process created by intended application 35. When intended application 35 creates a sub-process, monitoring unit 34 receives the corresponding message and judges it to be the event behaviour of creating a sub-process. Monitoring unit 34 then further implants monitoring unit 34 into the sub-process by way of inline hooking, so that the event behaviours of the sub-process can continue to be monitored subsequently. Thus, whether for the process of intended application 35 itself or for the sub-processes it creates, the event behaviours they trigger directly or indirectly can be monitored by monitoring unit 34 of the present invention, making active defence more effective.
A derivative file refers to a file created by intended application 35 itself or downloaded remotely, generally a sensitive derivative such as an installation package. This event can be captured by hooking the fclose() function. It should be pointed out that after monitoring unit 34 captures this event behaviour, it can further send a request to the cloud through the remote rule-base interface, as in the method described earlier; the cloud judges the security grade of the derivative file using its black, white and grey security-grade rules of conduct. After the present invention obtains the cloud's determination through the remote rule-base interface, it further pops up a prompt asking the user whether to establish active defence for the sensitive derivative file, thereby further consolidating the effect of active defence.
The above event behaviours are only examples and should not be interpreted as limiting the event behaviours monitored by the present invention.
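The three ways of obtaining a treatment strategy, their combined use, the refuse/run/ask options, and the hooked-function list above, as an added Python example that is not part of the patent or of the product it describes; the package name, the policy tables, the low-risk set and the prompt callback are constructed assumptions.

```python
"""Treatment-strategy resolution for hooked event behaviours.

Added example, not code from the patent or its product. It models the pop-up,
local-database and cloud ways of obtaining a strategy and the refuse/run/ask
outcomes. Package name, tables, low-risk set and prompt are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    REFUSE = "refuse"  # target gets a fake "finished" reply; nothing happens
    RUN = "run"        # event message is forwarded to the system unchanged
    ASK = "ask"        # state left unknown; the user is prompted again next time


# Hooked function -> event-behaviour category, following the page's list
# (identifiers spelled as the page spells them; the table is constructed).
HOOK_CATEGORY: Dict[str, str] = {
    "getSimOperatorName": "terminal: operator information",
    "notify": "notification advertisement",
    "StartActivity": "communication: dial phone / install sub-package",
    "SendTextMessage": "communication: short message",
    "Query": "communication: contacts (read)",
    "Execve": "command: su / command execution",
    "dexclassloader": "process: load application",
    "fclose": "other: derivative file",
}
# Behaviours the page calls relatively low-risk (read-only contact access):
# the local policy database is consulted directly, without a pop-up.
LOW_RISK = {"Query"}
RuleKey = Tuple[str, str]  # (package name, hooked function)


@dataclass
class EventMessage:
    """What a hook plug-in captures when the target triggers a behaviour."""
    package: str
    function: str

    @property
    def category(self) -> str:
        return HOOK_CATEGORY.get(self.function, "unmonitored")


@dataclass
class PolicyDb:
    """Policy table: the cloud database or the terminal's local copy of it."""
    rules: Dict[RuleKey, Decision] = field(default_factory=dict)

    def lookup(self, ev: EventMessage) -> Optional[Decision]:
        return self.rules.get((ev.package, ev.function))

    def update_from(self, cloud: "PolicyDb") -> None:
        """The update step: refresh the local copy from the cloud database."""
        self.rules.update(cloud.rules)


# The interactive module registered as a system service: returns the option
# the user chose, or None when no answer arrived within the time limit.
PromptFn = Callable[[EventMessage, Optional[Decision]], Optional[Decision]]


@dataclass
class PolicyResolver:
    local: PolicyDb
    cloud: PolicyDb
    prompt: PromptFn
    unknown: List[RuleKey] = field(default_factory=list)

    def resolve(self, ev: EventMessage) -> Decision:
        key = (ev.package, ev.function)
        recommended = self.local.lookup(ev)      # way (2): local database
        if recommended is None:
            recommended = self.cloud.lookup(ev)  # way (3): cloud fallback
        if ev.function in LOW_RISK and recommended is not None:
            return recommended                   # low risk: no pop-up
        chosen = self.prompt(ev, recommended)    # way (1): default option preset
        if chosen is None:                       # time limit expired
            chosen = recommended if recommended is not None else Decision.ASK
        if chosen is Decision.ASK:
            self.unknown.append(key)             # re-prompt on recurrence
        else:
            self.local.rules[key] = chosen       # remember the user's choice
        return chosen


@dataclass
class MonitoringUnit:
    """Applies the decision inside the hook plug-in."""
    resolver: PolicyResolver
    forwarded: List[EventMessage] = field(default_factory=list)

    def on_event(self, ev: EventMessage) -> dict:
        decision = self.resolver.resolve(ev)
        if decision is Decision.RUN:
            self.forwarded.append(ev)  # on to the system message mechanism
            return {"decision": "run", "delivered": True}
        if decision is Decision.REFUSE:
            # Fake completion: the app is told the operation finished, but
            # the message never reaches the system.
            return {"decision": "refuse", "delivered": False, "fake_result": "ok"}
        # ASK is modelled here as "hold this time, ask again next time".
        return {"decision": "ask", "delivered": False}
```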
Step S333 shows that, according to the treatment strategies and the explanation of event behaviours above, the active-defence method of the present invention can treat the various event behaviours accordingly. A summary of its treatment process has been given in scattered form above; several typical application examples are listed below:
(1) Application to fine-grained interception of intended application 35:
After some rogue programs are installed, they remain in a state of normal use for a considerable time, lulling the user's security awareness. However, after running for some time, intended application 35 attempts to insert a short message from the background to attract the user's attention, achieving advertising or fraud. Referring to Fig. 12, after an active-defence mechanism is established for intended application 35, the present invention, as described above, monitors the short message handling function through the corresponding hook plug-in in monitoring unit 34; once intended application 35 produces the event behaviour of a short message operation, this event behaviour is captured, whereupon monitoring unit 34 notifies, through its interactive interface, the interactive module running as a system service, which pops up a warning on the user interface. After the user selects the "refuse" treatment strategy, it is fed back to monitoring unit 34, and the hook plug-in there prevents the event behaviour from actually occurring, achieving the purpose of guarding against the risk.
(2) Application to intended application 35 releasing a malicious file:
Intended application 35 is a game which, by way of checking for updates, downloads and releases a malicious sub-package and calls a system function to install it. Once the present invention has established active defence for intended application 35, it can monitor the event behaviour produced by its file download and issue a warning through a pop-up from the interactive module. After the user instructs refusal, the corresponding hook plug-in in monitoring unit 34 can directly delete the file, or merely refuse the installation of the file.
In the present invention, such a malicious sub-package is regarded as a sensitive derivative file, and whether the derivative file is malicious is judged with reference to the method of remotely determining the security grade described in the foregoing defence configuration method. Specifically, when the generation of a derivative file is detected, the characteristic information of the corresponding file, such as its signature, is sent to the cloud through the remote rule-base interface and its security grade is obtained from the cloud: if it is a black or grey application, the pop-up advises the user to refuse installation; if it is a white application, it can be allowed to pass. In this way, security protection of sensitive derivative files is realised. If the cloud has no record of the derivative file, the method can be asked to upload the file; the cloud marks it as an unknown application and accordingly marks it as a grey application for future use.
(3) Application to sub-process intrusion:
The monitored intended application 35 creates a sub-process while running, and the sub-process further releases malicious event behaviours. When monitoring unit 34 detects that intended application 35 has created a sub-process, it obtains the entry point of the sub-process and implants monitoring unit 34 of the present invention into it: all HOOK plug-ins (hook plug-ins) are loaded into the sub-process by way of inline hooking and initialised so that the hooks take effect, establishing monitoring of the event behaviours of the sub-process. Thus, whether an event behaviour is triggered directly by the process of intended application 35 or indirectly by a sub-process created by that process, it can be successfully monitored by monitoring unit 34.
The three key steps S31, S32 and S33 above describe in detail the realisation of the active-defence method of the present invention and its application; it can be seen that the active-defence technique that works in this way is fully feasible.
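The grading of a sensitive derivative file described above (capture at fclose(), cloud black/white/grey verdict, unknown sample uploaded and marked grey), as an added Python example that is not the patent's or the product's code; the rule-base contents, file bytes and paths are constructed, and SHA-256 is assumed as the characteristic information sent to the cloud.

```python
"""Security grading of a sensitive derivative file.

Added example, not code from the patent or its product. A file the target app
created or downloaded is fingerprinted when the fclose() hook fires, the
fingerprint is sent to the cloud rule base, and the black/white/grey answer
decides the advice shown to the user. Rule base, hashes and paths are
constructed; SHA-256 as the characteristic information is an assumption.
"""
import hashlib
from enum import Enum
from typing import Dict, List, Optional


class Grade(Enum):
    BLACK = "black"
    WHITE = "white"
    GREY = "grey"


def fingerprint(content: bytes) -> str:
    """Characteristic information sent to the cloud (SHA-256 of the file)."""
    return hashlib.sha256(content).hexdigest()


class CloudRuleBase:
    """Stand-in for the remote rule base (constructed; no network involved)."""

    def __init__(self, known: Dict[str, Grade]) -> None:
        self.known = dict(known)
        self.uploaded: List[str] = []

    def judge(self, digest: str) -> Optional[Grade]:
        return self.known.get(digest)

    def upload(self, digest: str, content: bytes) -> Grade:
        # Unknown sample: record it and mark it grey until it is analysed.
        self.uploaded.append(digest)
        self.known[digest] = Grade.GREY
        return Grade.GREY


SENSITIVE_SUFFIXES = (".apk",)  # installation packages count as sensitive


def on_derivative_closed(path: str, content: bytes, cloud: CloudRuleBase) -> dict:
    """Called from the fclose() hook once the target has finished writing a file."""
    if not path.lower().endswith(SENSITIVE_SUFFIXES):
        return {"path": path, "sensitive": False, "advice": "ignore"}
    digest = fingerprint(content)
    grade = cloud.judge(digest)
    if grade is None:
        grade = cloud.upload(digest, content)
    # White passes; black and grey are shown to the user with "refuse"
    # recommended, together with the offer to put the file under active defence.
    advice = "allow" if grade is Grade.WHITE else "advise_refuse"
    return {"path": path, "sensitive": True, "grade": grade.value, "advice": advice}
```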
Further, adapt to above-mentioned active defense method, the present invention further provides a kind of Initiative Defense device, both also from So there is tight correspondence, the device is specifically disclosed below:
Initiative Defense device of the invention, including starting module 31, security module 32 and processing module 33, each module Concrete function and realize as follows:
Described starting module 31, the instruction for responding operational objective application 35 runs corresponding shell application.
Explanation refering to aforementioned arrangements method understands, after shell application is mounted, its filename and original intended application 35 filename is identical, the intended application that disguises oneself as 35, operation of the user to intended application 35, in fact, being referred to by desktop icons The shortcut drawn, is directed to run the shell application of advance camouflage, now, user's point selection operation on a user interface Just the operating instruction for running the shell application is constituted.It is pointed out that the instruction of operational objective application 35 be not limited to by User triggers, also including foregoing, by application program, timed task or by other well known approach with function call The loading instruction that mode is performed.Shell application is light application, can quickly be loaded onto operation in internal memory, and for a user, it is opened Dynamic process is transparent.
The icon of shell application is improved from the default icon of intended application 35, usually adds figure to stab with the default icon To realize this improvement, thus, from visual effect, may also function as certain effect of warning.
Once producing the instruction of operational objective application 35, the present invention responds, and shell application is loaded into immediately Run in JAVA virtual machine.
Described security module 32, its loading procedure for mainly realizing shell application, using shell application successively loading prison Control unit 34 and the intended application 35, are monitored by the event behavior of 34 pairs of intended applications 35 of the monitoring unit.
In shell application of the invention, its code file Classes.dex is configured with stubs nstub, by this mould Block can load monitoring module;Its configuration file Androidmanifest.xml calls principle with Java reflections, to therein Configuration parameter is modified, and is adapted to load the intended application 35 being stored in the assigned catalogue, additionally, should also to target The modification of adaptability is carried out with 35 runtime configuration parameter, has determined that intended application 35 can normally be run.
Therefore, after shell application operation, monitoring unit 34 is called by stubs first, after the monitoring unit 34 from The hook plug-in unit corresponding to specific event behavior is obtained in platform sandbox HOOK frameworks, is linked up with using the hook plug-in unit and is monitored mesh The particular event behavior of mark application 35.Described backstage sandbox HOOK frameworks, are managed concentratedly beyond the clouds, are carried out to each terminal Distribution.Wherein, high in the clouds is mainly configured with Java hook plugin libraries and Native hook plugin libraries.Monitoring unit 34 needs hook tool During body event behavior, request is sent to backstage sandbox HOOK frameworks by long-range card i/f, obtain and be directed to particular event behavior HOOK functions, i.e., described hook plug-in unit sets up to the monitoring of particular event behavior capture and processes whereby.
And then, the intended application 35 that operating shell application will be located in assigned catalogue described in further loading.It is such as preceding Described, intended application 35 is called, and is realized using known Java reflections call-by mechanism.Configuration is configured with security module 32 Module, configuration information is replaced with reflection during the operation that be related to for LoadApk and ActivityThread by the process of shell application by it The ClassLoader and resource of the installation kit of intended application 35 in assigned catalogue are changed into, so as to realize the loading to intended application 35. When intended application 35 is loaded, monitored unit 34 establishes monitoring using plug-in unit is linked up with, therefore, intended application 35 all Event behavior is within the monitoring range of monitoring unit 34.Be positioned at the installation kit of intended application 35 it is complete unmodified, Therefore, after intended application 35 is loaded by shell application, can completely legal, normally run, realize the script energy of intended application 35 The institute of realization is functional.
Due to the loading of monitoring unit 34 and intended application 35, it is shell application process and is driven, is all shell application A part for process, and monitoring unit 34 loads prior to intended application 35, thus, it is right that operating monitoring unit 34 is established The monitoring of intended application 35 all event behaviors.Any event behavior produced in the running of intended application 35, its event disappears Breath can monitored unit 34 capture and processed accordingly.
Described processing module 33, for performing the processing procedure after capturing events behavior.
The particular event behavior monitored unit 34 that intended application 35 is produced is captured, and substantially triggers particular event behavior When, corresponding hook plug-in unit (Hook Function) is captured in produced event message monitored unit 34.The event is captured to disappear Breath, you can know the intention of the event, can then carry out follow-up treatment.
Particular event behavior is processed, it is necessary to be obtained event behavior treatment strategy.In this sub-step, Ke Yijin One step realizes human-computer interaction function by system service.In order to realize man-machine interaction effect, the present invention interacts mould by one in advance Block is registered as system service, and shell application can be communicated by its interactive interface with the interactive module, so as to realize shell application Acquisition to user instruction or preset instructions.
As it was previously stated, the acquisition modes of event behavioral strategy are very versatile and flexible, by construct a strategy generating device come Perform, it is the strategy selected one or be used in any combination of the invention to be exemplified below several:
(1) After the monitoring unit 34 captures a particular event behavior, it sends a request to the interactive module through the built-in interactive interface of the shell application, and the interactive module pops up a window on the user interface asking the user for a treatment strategy. The pop-up can directly inform the user of the content of the event behavior and its risk, and the user selects the corresponding option as the treatment strategy. After the user selects an option and confirms it, the interactive module obtains the treatment strategy for the particular event behavior and feeds it back to the monitoring unit 34, which then performs the next step of processing on the corresponding event behavior of the target application 35 according to the treatment strategy produced by the user instruction.
(2) When an event behavior acknowledged to be of relatively low risk occurs, such as a read-only operation on the contacts, or when the user has configured the present invention to retrieve automatically the treatment strategy to be taken for a particular event behavior, the present invention uses a local policy database to retrieve the treatment strategy for that particular event behavior. That is, the local policy database establishes the association between particular event behaviors and their corresponding treatment strategies, and stores the records of the correspondence between various event behaviors and their treatment strategies for retrieval by the present invention. After obtaining the corresponding treatment strategy from the local policy database, the present invention can perform the next step of processing on the corresponding event behavior.
(3) If the user has configured the present invention with the option of obtaining the treatment strategy remotely, or, by default, when no specific strategy for the particular event behavior is found in the local policy database and it can be obtained remotely, or when an interaction according to mode (1) has been carried out but no response from the user to the pop-up is received within the prescribed time limit, the shell application can send a request through its built-in remote policy interface to the pre-arranged cloud, obtain the treatment strategy corresponding to the particular event behavior, and use it for subsequent processing.
It should be pointed out that the three ways of obtaining a treatment strategy described above can be combined and used together. For example, once the interactive module receives the features of the event message sent by the monitoring unit 34, it can, according to a default setting, first retrieve the local policy database according to mode (2) to obtain the system-recommended treatment strategy (and if none can be obtained from the local policy database, it can go further and obtain one from the cloud policy database according to mode (3)). Then, according to mode (1), the pop-up interface sets the system-recommended treatment strategy as the default option. If the user does not confirm the default option within the prescribed time limit, subsequent instructions are executed according to the system-recommended treatment strategy; if the user changes it to a new option, the treatment strategy set by the user is returned to the monitoring unit 34. It can be seen that the interaction process can be realized more flexibly and freely.
The local policy database can be a copy of the cloud policy database; therefore, the present invention provides an update step for downloading the cloud policy database in order to update the local policy database.
Generally, the strategy for a particular event behavior can be set to one of three common options, "Refuse", "Run" and "Ask", whose meanings are:
Refuse: for the particular event behavior, a false message stating that the event behavior has completed is sent to the target application 35, so that the event behavior is prevented from actually occurring;
Run: no change is made for the particular event behavior; the corresponding event message is forwarded directly to the system message mechanism, and the target application 35 is allowed to continue its event behavior;
Ask: either independently or in dependence on one of the two options above, the state of the particular event behavior is marked as unknown, so that when the behavior recurs the user must be asked again by pop-up.
In practical application, the "Ask" option can be ignored, and only whether to refuse or allow the current event behavior need be considered.
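The following is an added example, not code from the patent or the assignee, that models the strategy acquisition procedure of modes (1) to (3) above together with the Refuse / Run / Ask semantics: the local policy database and then the cloud supply a system-recommended strategy that becomes the pop-up's default, a pop-up left unanswered within the time limit falls back to that default, and Ask leaves the behavior unknown so that the user is prompted again. Class and function names, and the sample policies supplied by the caller, are assumptions.

```python
"""Resolving the treatment strategy for a captured event behavior.

Added example (not the patent's own code). It models the three acquisition
modes, how they combine, and the Refuse / Run / Ask options. Names and the
sample policies supplied by the caller are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class Strategy(Enum):
    REFUSE = "refuse"  # app receives a fake "completed" reply; nothing happens
    RUN = "run"        # event message is forwarded to the system unchanged
    ASK = "ask"        # state stays unknown; prompt again on the next occurrence


@dataclass(frozen=True)
class EventBehavior:
    kind: str               # behavior type, e.g. "sms_send", "contacts_query"
    hooked_function: str    # function the hook plug-in intercepted
    low_risk: bool = False  # e.g. read-only contact access, decided silently


# Interactive module pop-up: returns the user's choice, or None when no answer
# arrives within the prescribed time limit.
PromptFn = Callable[[EventBehavior, Strategy], Optional[Strategy]]


@dataclass
class PolicyResolver:
    local_db: Dict[str, Strategy]                      # behavior kind -> strategy
    cloud_lookup: Callable[[str], Optional[Strategy]]  # remote policy interface
    prompt_user: PromptFn
    remote_allowed: bool = True
    decisions: Dict[str, Strategy] = field(default_factory=dict)

    def recommend(self, ev: EventBehavior) -> Optional[Strategy]:
        """Mode (2), then mode (3): local database first, cloud as fallback."""
        strategy = self.local_db.get(ev.kind)
        if strategy is None and self.remote_allowed:
            strategy = self.cloud_lookup(ev.kind)
        return strategy

    def resolve(self, ev: EventBehavior) -> Strategy:
        """Return the strategy the hook plug-in must apply to this event."""
        # A confirmed Refuse/Run for this behavior kind is reused. Ask is never
        # stored, so the user is consulted again the next time it occurs.
        cached = self.decisions.get(ev.kind)
        if cached is not None:
            return cached
        recommended = self.recommend(ev)
        # Low-risk behaviors with a stored strategy are decided without a pop-up.
        if ev.low_risk and recommended in (Strategy.REFUSE, Strategy.RUN):
            return recommended
        # Mode (1): pop-up with the recommendation preselected as default option.
        default = recommended if recommended is not None else Strategy.ASK
        answer = self.prompt_user(ev, default)
        chosen = default if answer is None else answer  # timeout -> default
        if chosen is not Strategy.ASK:
            self.decisions[ev.kind] = chosen
        return chosen


def dispatch(ev: EventBehavior, strategy: Strategy) -> Dict[str, object]:
    """What the hook plug-in does with the intercepted call once decided."""
    if strategy is Strategy.ASK:
        raise ValueError("Ask is not an executable decision; resolve it first")
    if strategy is Strategy.REFUSE:
        # The app is told its call finished, but nothing reaches the system.
        return {"forwarded": False,
                "reply_to_app": f"{ev.hooked_function}: completed"}
    return {"forwarded": True, "reply_to_app": None}
```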
The event behaviors are varied and specifically include the following major types:
(1) Terminal and networking related operations:
Obtaining operator information: the target application 35 can, for example, obtain the IMSI of the mobile terminal through the getSimOperatorName() function, from which it can determine the name of the operator and further send subscription instructions to the operator to achieve illegal purposes such as fee deduction. The monitoring platform can capture this event behavior by hooking the related message.
Switching APN operations: similarly, the target application 35 performs APN switching control through the functions related to APN switching, which the monitoring unit 34 can also monitor by calling the corresponding hook plug-in.
Similar operations also include obtaining the handset identification code (IMEI), which is handled in the same way as above.
(2) Advertisement notification operations: advertisement notifications are the means most easily exploited by rogue programs. The monitoring unit 34 calls the corresponding hook plug-in to monitor the event messages produced by the notify functions, and can thus monitor these operations as well.
(3) Communication operations:
For phone dialing operations, the event behavior of dialing a phone number can be monitored through the StartActivity() function; with the corresponding hook plug-in, event behavior monitoring of dialing operations can be established.
SMS operations correspond to functions such as SendTextMessage(); similarly, event behavior monitoring of this class of functions can be established through a hook plug-in.
Contact operations generally correspond to the Query() and Insert() functions; by hooking this class of functions with a hook plug-in, the monitoring unit 34 can monitor and capture such event behaviors.
(4) Command operations:
SU privilege escalation operations and command execution operations both need to use the Execve() function; by monitoring the return message of this function, the monitoring unit 34 can monitor such event behaviors.
(5) Interface and access operations:
The event behavior of creating a shortcut corresponds to the SendBroadcast() function. Similarly, the operation of hiding the program icon also corresponds to a specific function and can be monitored.
HTTP network access operations correspond to functions such as Sendto() and Write().
(6) Program operations:
Application loading operations refer to the target application 35 loading a related application; by hook-monitoring functions such as DexClassLoader() and loadLibrary(), such event behaviors can be captured.
Installing a sub-package, as another example, corresponds to the StartActivity() function.
(7) Other risky operations:
For example, subprocess intrusion operations, derivative operations, device manager activation operations and the like, each corresponding to its own function.
Here, a subprocess means a subprocess created by the target application 35. When the target application 35 creates a subprocess, the monitoring unit 34 receives the corresponding message and judges it to be the event behavior of creating a subprocess. The monitoring unit 34 then further implants the monitoring unit 34 into the subprocess by way of inline hook, so that it can subsequently continue to monitor the event behaviors of the subprocess. Thus, whether they are triggered directly by the own process of the target application 35 or indirectly by a subprocess it creates, the event behaviors can all be monitored by the monitoring unit 34 of the present invention, making active defense more effective.
A derivative refers to a file created by the target application 35 itself or a remotely downloaded file, and typically means a sensitive derivative such as an installation package. This event can be captured by hooking the fclose() function. It should be pointed out that after the monitoring unit 34 captures this event behavior, it can further send a request to the cloud through the remote rule base interface in the manner described above, and the cloud determines the security level of the derivative using its black, white and grey security level behavior rules. After the present invention obtains the cloud's determination through the remote rule base interface, it further pops up a prompt asking the user whether to set up active defense for the sensitive derivative, thereby further consolidating the effect of active defense.
The event behaviors listed above are examples only and shall not be construed as limiting the event behaviors monitored by the present invention.
According to the above description of treatment strategies and event behaviors, the active defense method of the present invention can process various event behaviors accordingly. Several typical application examples are given below:
(1) Application to fine-grained interception of the target application 35:
Some rogue programs, once installed, remain in a state of normal use for a considerable time in order to numb the user's security awareness. After running for a period, however, the target application 35 attempts to insert an SMS message from the background to attract the user's attention and thereby achieve advertising or fraud. Once an active defense mechanism has been set up for the target application 35, the present invention, as described above, monitors the SMS processing functions through the corresponding hook plug-in in the monitoring unit 34; as soon as the target application 35 produces an SMS operation event behavior, this event behavior is captured, and the monitoring unit 34 then notifies, through its interactive interface, the interactive module running as a system service, which pops up a warning on the user interface. After the user clicks the "Refuse" treatment strategy, it is fed back to the monitoring unit 34, where the hook plug-in prevents the event behavior from actually occurring, thus averting the risk.
(2) Application to the release of a malicious file by the target application 35:
The target application 35 is a game which, under the guise of checking for updates, downloads and releases a malicious sub-package and calls a system function to install it. Once the present invention has established active defense for the target application 35, it can monitor the event behavior produced by the application downloading the file and issue a corresponding warning through the interactive module pop-up. After the user instructs refusal, the corresponding hook plug-in in the monitoring unit 34 can directly delete the file, or merely refuse the installation of the file.
In the present invention, such a malicious sub-package is regarded as a sensitive derivative, and whether the derivative is malicious is judged with reference to the remote determination of the security level described in the foregoing defense configuration method. Specifically, when the generation of a derivative is detected, the characteristic information of the corresponding file, or its signature and the like, is sent to the cloud through the remote rule base interface and its security level is obtained from the cloud. If it is a black or grey application, the pop-up advises the user to refuse the installation; if it is a white application, it can be allowed to pass. In this way, security defense against sensitive derivatives is realized. If the cloud cannot find a record of the derivative, it can ask this method to upload the file, mark it as an unknown application and, accordingly, label it as a grey application for future use.
(3) Application to subprocess intrusion:
The monitored target application 35 creates a subprocess while running, and the subprocess in turn releases malicious event behaviors. When the monitoring unit 34 detects that the target application 35 creates a subprocess, that is, when it obtains the entry point of the subprocess, it implants the monitoring unit 34 of the present invention into the subprocess: all HOOK plug-ins (hook plug-ins) are loaded into the subprocess by way of inline hook and initialized to implement the hooks, so as to establish monitoring of the event behaviors of the subprocess. It can thus be seen that whether an event behavior is directly triggered by the process of the target application 35, or indirectly triggered by a subprocess created by the process of the target application 35, it can be successfully monitored by the monitoring unit 34.
From the above analysis, the active defense device of the present invention, corresponding to the active defense method, is efficient and feasible.
To facilitate implementation by those skilled in the art, the following further discloses how the cloud server and the terminal device cooperate to determine the security level of an installation package:
As stated above, the characteristic information sent by the client to the cloud server through the remote rule base interface includes: the package name of the Android installation package, and/or the version number, and/or the digital signature, and/or features of the Android component receiver, and/or features of the Android component service, and/or features of the Android component activity, and/or instructions or strings in the executable file, and/or the MD5 values (signatures) of each file under the Android installation package directory.
The client implementing the method or device of the present invention uploads the specified characteristic information to the server (cloud), and the server searches its preset rule base for a feature record matching the specified single piece of characteristic information or combination thereof. The preset rule base of the server contains feature records and the security level corresponding to each feature record, and each feature record contains a single piece of characteristic information or a combination of characteristic information.
Thousands of feature records are preset in the server-side rule base. For example, the first feature record lists the package name of the Android installation package of a certain virus; the second lists the version number and the MD5 value of the digital signature of the Android installation package of a certain normal application; the third lists the package name and the receiver feature of the Android installation package of a certain normal application; the fourth lists the package name, version number and a specific string in the ELF file of the Android installation package of a certain trojan; and so on.
The security level marks, namely black, white (safe) and grey (unknown, suspicious), can further be expressed as:
Safe: the application is a normal application with no behavior that threatens the security of the user's handset;
Dangerous: the application carries a security risk; it may itself be malware, or it may be normal software issued by a legitimate company that nevertheless contains security vulnerabilities which endanger the user's privacy and the security of the handset;
Caution: the application is a normal application but has certain problems, for example it may cause a careless user to be charged, or it contains unfriendly advertisements that attract complaints; when such an application is found, the user can be prompted to use it with caution and informed of its possible behavior, but whether to remove the application is decided by the user alone;
Trojan: the application is a virus, trojan or other malware; for brevity these are referred to here collectively as trojans, which does not mean the application is only a trojan.
It should be understood that the cooperation between the cloud and the client can be further expanded, transformed, added to, reduced and improved by those skilled in the art according to the disclosed content. Therefore, the disclosure above shall not be construed as limiting the implementation of the method and device of the present invention.
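The following is an added example, not code from the patent or the assignee's cloud service, that models the feature-record rule base lookup described above together with the client-side handling of sensitive derivatives from application example (2): a record matches when all of its features are present in the uploaded characteristic information, the most specific match decides, an unmatched package is labelled grey and its upload requested, and black or grey leads to a refusal recommendation. Package names, hashes, marker strings and the tie-break rule are constructed assumptions.

```python
"""Cloud-side security level lookup over a preset feature-record rule base.

Added example (not the patent's own code). Every record lists one package
feature or a combination; a record matches when all of its features are
present in the uploaded information; the most specific match decides.
All names, hashes and strings here are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Feature = Tuple[str, str]  # (feature kind, value), e.g. ("pkg", "com.x.y")


@dataclass(frozen=True)
class FeatureRecord:
    features: FrozenSet[Feature]
    level: str  # "black", "white" or "grey"


@dataclass
class PackageInfo:
    """Characteristic information the client uploads for one installation package."""
    pkg: str
    version: Optional[str] = None
    signature_md5: Optional[str] = None
    receivers: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    activities: Set[str] = field(default_factory=set)
    exe_strings: Set[str] = field(default_factory=set)  # strings in ELF files
    file_md5s: Set[str] = field(default_factory=set)    # MD5 of each file in the APK

    def features(self) -> Set[Feature]:
        out: Set[Feature] = {("pkg", self.pkg)}
        if self.version:
            out.add(("version", self.version))
        if self.signature_md5:
            out.add(("sig_md5", self.signature_md5))
        for kind, values in (("receiver", self.receivers), ("service", self.services),
                             ("activity", self.activities), ("exe_string", self.exe_strings),
                             ("file_md5", self.file_md5s)):
            out.update((kind, v) for v in values)
        return out


class RuleBase:
    def __init__(self, records: List[FeatureRecord]):
        self.records = list(records)

    def lookup(self, info: PackageInfo) -> Tuple[str, Optional[FeatureRecord]]:
        """Return (level, matching record); ("grey", None) when nothing matches."""
        present = info.features()
        best: Optional[FeatureRecord] = None
        for rec in self.records:
            # Every feature of the record must be present; prefer the longest record
            # (assumed tie-break: a three-feature trojan record beats a two-feature one).
            if rec.features <= present and (best is None or len(rec.features) > len(best.features)):
                best = rec
        if best is None:
            return "grey", None  # unknown application, labelled grey
        return best.level, best


LEVEL_TO_ADVICE = {"black": "refuse", "grey": "refuse", "white": "allow"}


def judge_derivative(rules: RuleBase, info: PackageInfo) -> Dict[str, object]:
    """Client-side decision for a sensitive derivative, from the cloud's answer."""
    level, rec = rules.lookup(info)
    return {
        "level": level,
        "advice": LEVEL_TO_ADVICE[level],  # pop-up advises refusal for black/grey
        "request_upload": rec is None,      # cloud has no record: ask for the file
    }


def build_sample_rules() -> RuleBase:
    """Constructed records mirroring the four kinds of record described in the text."""
    return RuleBase([
        # (1) package name of a virus
        FeatureRecord(frozenset({("pkg", "com.example.virus")}), "black"),
        # (2) version number and signature MD5 of a normal application
        FeatureRecord(frozenset({("version", "2.1"),
                                 ("sig_md5", "a1b2c3d4e5f60718293a4b5c6d7e8f90")}), "white"),
        # (3) package name and receiver feature of a normal application
        FeatureRecord(frozenset({("pkg", "com.example.notes"),
                                 ("receiver", "com.example.notes.BootReceiver")}), "white"),
        # (4) package name, version and a string in the ELF file of a trojan
        FeatureRecord(frozenset({("pkg", "com.example.notes"), ("version", "2.1"),
                                 ("exe_string", "CONSTRUCTED_TROJAN_MARKER")}), "black"),
    ])
```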
Testing shows that, compared with the prior art, the present invention has a broader range of application and a better application effect, as briefly described below:
Because the present invention turns the HOOK framework into a service platform and configures the monitoring unit 34 for the terminal in the form of hook plug-ins, loading the monitoring unit only needs to depend on the corresponding configuration file, which is efficient to manage and easy to implement. For technical personnel, some simple function calls only require writing a configuration file to configure a hook plug-in, and HOOK reentrancy and concurrency performance are high.
The shell application is used to load the monitoring unit 34 and then the target application 35, and the monitoring unit 34 then establishes monitoring of the event behaviors of the target application 35, so that both Java functions and Native functions can be hooked.
The present invention applies not only to Dalvik mode but also to ART mode; functionally the two are identical, so users need not write different code to adapt to different modes, which simplifies development (small-scale tests were run on Android versions 4.4.2, 4.4.3 and 4.4.4).
Actual measurements provide the following data demonstrating the superiority of the examples of the present invention:
(1) A development example of the present invention underwent in-depth stability testing on 16 mobile phones against 107 mainstream applications (such as QQ, WeChat, Weibo, Mobile Guard, payment apps, various group-buying apps and video player software) and ran normally.
(2) A development example of the present invention was tested on Android operating system versions from 2.3 to 4.4.3. The models covered included Nexus 4/5 and Nexus 7, Samsung, Xiaomi, Huawei, Lenovo, Sony, HTC and some counterfeit phones, with good performance obtained.
(3) A development example of the present invention supports hardened applications, for example those hardened with 360 Hardening, NetQin Hardening, Tencent Hardening, Bangbang, Ijiami encryption, APKProtect and the like; tests on the hardened applications offered by the above vendors show that the example of the present invention runs normally in every case.
(4) Test results for a development example of the present invention show that the success rate of generating shell packages on the mobile terminal is 99.7% (base 100W, i.e. 1,000,000).
In summary, the active defense technology provided by the present invention is safer and more efficient.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (16)

1. An active defense method, characterized in that it comprises the following steps:
responding to an instruction to run a target application by running the corresponding shell application;
using the shell application to load a monitoring unit and then the target application, the monitoring unit calling hook plug-ins, obtained from a remote plug-in interface, that correspond to particular event behaviors, hooking at run time the event behaviors triggered by the target application process and, when the monitoring unit detects the event behavior of the target application process releasing a subprocess, injecting the monitoring unit into the subprocess of the target application in the form of an inline hook, so as to monitor and capture the event behaviors of the target application and of the subprocesses it creates;
after a particular event behavior is captured, obtaining an event behavior treatment strategy and processing the particular event behavior according to the treatment strategy.
2. The active defense method according to claim 1, characterized in that it comprises the following preceding step: providing a shortcut in the graphical user interface for obtaining the instruction to run the target application, the icon of the shortcut being obtained by modifying the default icon of the target application.
3. The active defense method according to claim 1, characterized in that the event behaviors monitored by the monitoring module include any one or more of the following behavior types: obtaining operator information, APN operations, advertisement notification operations, obtaining the handset identification code, creating a shortcut, phone dialing operations, SMS insertion or deletion operations, contact insertion or deletion operations, URL access operations, subprocess intrusion operations, application loading operations, command operations, derivative operations, and device manager activation operations.
4. The active defense method according to claim 1, characterized in that when the monitoring module detects that the target application triggers an event behavior producing a derivative, a treatment rule for the derivative is obtained through the remote rule base interface and the derivative is processed accordingly.
5. The active defense method according to claim 1, characterized in that the method comprises the step of registering a preset interactive module as a system service, the shell application communicating with the interactive module through its built-in interactive interface, and the interactive module realizing human-computer interaction by popping up a window on the user interface.
6. The active defense method according to claim 1, characterized in that the shell application dynamically loads the target application by means of Java reflection calls.
7. The active defense method according to claim 1, characterized in that after an event behavior is captured, the treatment strategy for the event behavior is obtained in at least one of the following ways:
popping up a warning on the user interface and receiving a user instruction to obtain the treatment strategy;
retrieving the corresponding treatment strategy from a local policy database;
sending a request to the cloud through a remote policy interface and obtaining the treatment strategy fed back in response.
8. The active defense method according to any one of claims 1 to 7, characterized in that it further comprises the step of downloading the cloud policy database and updating the local policy database, the local policy database being used to provide the treatment strategies corresponding to the particular event behaviors of a specific target application.
9. An active defense device, characterized in that it comprises:
a starting module, for responding to an instruction to run a target application by running the corresponding shell application;
a security module, which uses the shell application to load a monitoring unit and then the target application, the monitoring unit calling hook plug-ins, obtained from a remote plug-in interface, that correspond to particular event behaviors, hooking at run time the event behaviors triggered by the target application process and, when the monitoring unit detects the event behavior of the target application process releasing a subprocess, injecting the monitoring unit into the subprocess of the target application in the form of an inline hook, so as to monitor and capture the event behaviors of the target application and of the subprocesses it creates;
a processing module, for obtaining an event behavior treatment strategy after a particular event behavior is captured and processing the particular event behavior according to the treatment strategy.
10. The active defense device according to claim 9, characterized in that it comprises:
a shortcut placed in the graphical user interface for obtaining the instruction to run the target application, the icon of the shortcut being obtained by modifying the default icon of the target application.
11. The active defense device according to claim 9, characterized in that the event behaviors monitored by the monitoring module include any one or more of the following behavior types: obtaining operator information, APN operations, advertisement notification operations, obtaining the handset identification code, creating a shortcut, phone dialing operations, SMS insertion or deletion operations, contact insertion or deletion operations, URL access operations, subprocess intrusion operations, application loading operations, command operations, derivative operations, and device manager activation operations.
12. The active defense device according to claim 9, characterized in that when the monitoring module detects that the target application triggers an event behavior producing a derivative, a treatment rule for the derivative is obtained through the remote rule base interface and the derivative is processed accordingly.
13. The active defense device according to claim 9, characterized in that the device comprises an interactive module registered as a system service, the shell application communicating with the interactive module through its built-in interactive interface, and the interactive module realizing human-computer interaction by popping up a window on the user interface.
14. The active defense device according to claim 9, characterized in that the security module comprises a configuration module for dynamically loading the target application by means of Java reflection calls.
15. The active defense device according to claim 9, characterized in that the treatment strategy for an event behavior is provided by one of the following strategy generating devices:
one for popping up a warning on the user interface and receiving a user instruction to obtain the treatment strategy;
one for retrieving the corresponding treatment strategy from a local policy database;
one for sending a request to the cloud through a remote policy interface and obtaining the treatment strategy fed back in response.
16. The active defense device according to any one of claims 9 to 15, characterized in that it further comprises:
an update module, for downloading the cloud policy database and updating the local policy database, the local policy database being used to retrieve the treatment strategies corresponding to the particular event behaviors of a specific target application.
CN201410539274.8A 2014-10-13 2014-10-13 Active defense method and device Active CN104239797B (en)

Publications (2)

Publication Number Publication Date
CN104239797A CN104239797A (en) 2014-12-24
CN104239797B true CN104239797B (en) 2017-07-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220728

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.