Summary of the invention
To address the deficiencies of the prior art, the invention discloses a proxy server with the ability to detect the behavior of mobile terminal malware. This novel proxy server applies three layers of detection to the mobile applications a user downloads: static detection and dynamic detection are performed before the application is downloaded to the mobile terminal device, and traffic behavior analysis is performed after the application has been installed. This fully ensures the security and reliability of the software installed on the user's mobile terminal, while also detecting in a timely manner any malware network behavior that may exist.
To achieve the above object, the specific scheme of the present invention is as follows:
A proxy server with the ability to detect the behavior of mobile terminal malware, comprising:
A static detection module, which schedules the static detection interface to perform static detection on the downloaded mobile application. If the application is detected as malicious, its MD5 value is recorded, written into the memory space of the detection record buffer area and labeled as a malicious application; if it is detected as a normal application, the original file is passed to the dynamic detection module for the next stage of detection;
A dynamic detection module, which calls the API interface provided by a third-party dynamic detection service to perform a second round of detection on the mobile applications that the static detection module found to be normal. If dynamic detection finds the application malicious, its MD5 value is recorded, written into the memory space of the detection record buffer area and labeled as a malicious application; if it is detected as normal, the installation file is returned to the user and, at the same time, the MD5 value of the application is recorded in the memory space of the detection record buffer area and labeled as a normal application;
A traffic behavior analysis module, which inspects the traffic generated by installed applications. A mobile application that has passed both rounds of detection, static and dynamic, is downloaded and installed on the mobile terminal; once installed it generates network traffic, and the traffic behavior analysis module processes the traffic of the applications the user has installed and uses the flow detection service model to determine whether this traffic behavior is produced by malware.
Preferably, the proxy server with the ability to detect the behavior of mobile terminal malware also comprises a match query module, which identifies that the file is an application installation file, calculates the MD5 value of the installation file, and matches it against the MD5 value records in the detection record buffer area. If the MD5 value of the application is found in the buffer area and is labeled as a normal application, the user may download it normally; if it is found in the buffer area and is labeled as a malicious application, the download is stopped and the proxy server pushes a message to the user stating that the application has been detected as malicious; if there is no record of the application's MD5 value in the buffer area, the application is detected by the static detection module, the dynamic detection module and the traffic behavior analysis module in turn.
Preferably, the proxy server with the ability to detect the behavior of mobile terminal malware also comprises a data update module, which updates the detection record buffer area data backed up in the hard disk space of the proxy server. The update is implemented on the basis of the proxy server's cache replacement algorithm, and the data in the detection record buffer area are kept in the hard disk space of the proxy server at the same time. Before each cache update or replacement, the module checks whether the hard disk space already holds all the data of the detection record buffer area and whether the data are consistent: if some data in the detection record buffer area are absent from the hard disk space, they are written to the hard disk space; if all the data of the detection record buffer area are already present in the hard disk space, nothing is written.
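The detection record buffer area, its match query and its hard-disk backup described in the two paragraphs above, as an added Python example that is not the patent's own code: MD5 values map to the class labels "0" (normal) and "1" (malicious), the buffer is bounded and evicted with a least-recently-used policy standing in for the proxy server's cache replacement algorithm, and before each eviction only the records missing from, or inconsistent with, the JSON backup file are written. The class and function names, the LRU policy, the JSON file format and the sample file contents are assumptions made here.

```python
import hashlib
import json
import os
import tempfile
from collections import OrderedDict

MALICIOUS = "1"  # class label for a malicious application (the page's identifier)
NORMAL = "0"     # class label for a normal application


def md5_of_file(path):
    """MD5 of an installation file, read in chunks; this is the record key the page uses."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class DetectionRecordCache:
    """Detection record buffer area (in memory) with a JSON backup on disk.

    Hypothetical structure, not the patent's code: records live in an LRU-ordered dict
    capped at `capacity`; before the replacement policy evicts anything, the buffer is
    reconciled against the backup so that every record it ever held is on disk.
    """

    def __init__(self, backup_path, capacity=1000):
        self.backup_path = backup_path
        self.capacity = capacity
        self.records = OrderedDict()
        self.disk_writes = 0  # number of backup file writes (stays 0 when nothing was missing)

    def _load_backup(self):
        if not os.path.exists(self.backup_path):
            return {}
        with open(self.backup_path) as f:
            return json.load(f)

    def sync_to_disk(self):
        """Write only the records that are missing from, or differ in, the disk copy.

        Returns how many records were written; 0 means the backup was already complete
        and consistent, so the file was left untouched.
        """
        on_disk = self._load_backup()
        missing = {k: v for k, v in self.records.items() if on_disk.get(k) != v}
        if not missing:
            return 0
        on_disk.update(missing)
        tmp = self.backup_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(on_disk, f)
        os.replace(tmp, self.backup_path)  # atomic rename: a crash never leaves a torn backup
        self.disk_writes += 1
        return len(missing)

    def record(self, md5, label):
        """Write an MD5 value and its class label; back up before any eviction."""
        if label not in (NORMAL, MALICIOUS):
            raise ValueError("label must be '0' (normal) or '1' (malicious)")
        if md5 in self.records:
            self.records.move_to_end(md5)
        self.records[md5] = label
        if len(self.records) > self.capacity:
            self.sync_to_disk()               # consistency check and write happen here
            self.records.popitem(last=False)  # then the least recently used entry is replaced

    def query(self, md5):
        """Match query against the buffer: '0', '1', or None when no record exists."""
        label = self.records.get(md5)
        if label is not None:
            self.records.move_to_end(md5)  # a hit counts as a use for the LRU policy
        return label


def run_demo():
    """Exercise the buffer with constructed records and return observations for checking."""
    workdir = tempfile.mkdtemp()
    cache = DetectionRecordCache(os.path.join(workdir, "records.json"), capacity=2)
    sample = os.path.join(workdir, "sample.apk")
    with open(sample, "wb") as f:
        f.write(b"hello")  # constructed stand-in for an installation file
    a, b, c = "a" * 32, "b" * 32, "c" * 32  # placeholder MD5 values
    cache.record(a, NORMAL)
    cache.record(b, MALICIOUS)
    hit = cache.query(a)                # also makes b the least recently used entry
    first_sync = cache.sync_to_disk()   # two records missing on disk: both written
    second_sync = cache.sync_to_disk()  # backup already complete: nothing written
    cache.record(c, NORMAL)             # capacity exceeded: back up c, then evict b
    with open(cache.backup_path) as f:
        on_disk = json.load(f)
    return {
        "sample_md5": md5_of_file(sample),
        "hit": hit,
        "first_sync": first_sync,
        "second_sync": second_sync,
        "evicted_query": cache.query(b),
        "survivor_query": cache.query(a),
        "on_disk": on_disk,
        "disk_writes": cache.disk_writes,
    }
```

The record key stays MD5 because that is what the page specifies; note that MD5 is not collision-resistant, so two different installation files can share a key, and a design written today would key the records by SHA-256 instead.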
Further, the mobile terminal establishes a connection with the proxy server through a connection module; once connected, the mobile terminal can monitor push messages from the proxy server and can also record the MD5 value information of the applications the user installs. MD5 (Message Digest Algorithm 5) is a hash function widely used in the field of computer security to provide integrity protection for messages.
Further, a detection method for the proxy server with the ability to detect the behavior of mobile terminal malware comprises the following steps:
The mobile terminal establishes a connection with the proxy server; the proxy server resolves the domain name of the user's request and forwards the request, then downloads the mobile application from the network to the proxy server;
The static detection unit calls the third-party static detection service interface to perform static detection on the downloaded mobile application: the MD5 value of the file is written to the detection record buffer area; if the static detection result is a malicious application, an identification label is appended after the MD5 value, the original file is deleted, and the message push unit sends the user a notification that the application has been detected as malicious; if the static detection result is a normal application, the dynamic detection module continues with dynamic detection of the application;
The dynamic detection unit calls the third-party dynamic detection service interface to perform dynamic detection on the application: if the dynamic detection result is a malicious application, the MD5 value of the application is written to the detection record buffer area with the corresponding identification label, the original file is deleted, and at the same time a malicious application notification is sent to the user's terminal through the message push unit; if the result is a normal application, the MD5 value of the application is written to the detection record buffer area with the corresponding identification label, and at the same time the original installation file is returned for the user to download;
The mobile terminal successfully downloads the application that has passed static and dynamic detection, and when the application is installed the mobile terminal records the MD5 value of the installed application;
The mobile terminal accesses the network through the proxy server, and the traffic behavior analysis module becomes responsible for detecting malware using the application's traffic characteristics; the mobile terminal App uploads the installation record and the MD5 value recorded for the application to the flow detection module, and the traffic behavior analysis module performs detection with the traffic behavior analysis unit. If the detection result is a malicious application, the record with the same MD5 value is searched for in the detection record buffer area and, if present, its class label is changed to the malicious label; at the same time the message push unit sends a malicious application notification to the user terminal, and the application management unit severs the connection between this user terminal and the external network. If the application is detected as normal, it can be used normally.
Further, in the above detection method of the proxy server with the ability to detect the behavior of mobile terminal malware, after the mobile terminal establishes a connection with the proxy server the user interaction module receives the connection request of the user's mobile terminal; the user interaction unit verifies the user's identity information and completes the user's registration; the user sends an application download request to the proxy server, which starts the application management module to control the download of the application.
Further, the application management unit checks the downloaded mobile application to verify whether it conforms to the standard mobile application file format.
Further, the static detection and dynamic detection flow comprises:
The proxy server resolves the domain name of the user's request, forwards the user's request to download the mobile application, and begins downloading the mobile application from the network to the local proxy server;
The application management unit filters the downloaded content, retaining only the original installation file of the mobile application, and calculates the MD5 value of this file;
The static detection interface calls the third-party static detection engine to perform static detection on the mobile application;
If static detection finds a malicious application, the user interaction module is responsible for notifying the user, by push message, that a malicious application has been detected;
The message push unit is responsible for pushing the malicious application detection result to the user's mobile terminal;
The MD5 value of the malicious application is written to the detection record buffer area and correspondingly labeled with the malicious application identifier "1";
If static detection finds a normal application, the third-party dynamic detection service is called and the interface it provides is used to perform dynamic detection on the application;
If dynamic detection finds the application malicious, the user notification module is responsible for notifying the user by push message that a malicious application has been detected, and the push message unit pushes the malicious application detection result to the user terminal;
The MD5 value of the malicious application is written to the detection record buffer area and correspondingly labeled with the malicious application identifier "1";
If the dynamic detection result is a normal application, the MD5 value of the application is written to the detection record buffer area and correspondingly labeled with the normal application identifier "0".
Further, the flow detection process comprises:
The user installs the downloaded mobile application;
While the user installs the downloaded mobile application, the mobile terminal records the MD5 value of the installed mobile application;
The user runs the downloaded mobile application and accesses the network through the novel proxy server, and the MD5 value of the application is uploaded to the traffic behavior analysis module;
The traffic behavior analysis unit accesses the flow analysis network behavior model service and performs detection using the application's network traffic;
If the detection result is a malicious application, the MD5 value matching this application is searched for in the detection record buffer area; if present, the class label corresponding to the application is revised from "0" to "1", that is, from normal application to malicious application;
The message push unit pushes the malicious application detection result to the user terminal;
The connection between the user terminal and the external network is interrupted;
If the application is detected as normal, the user can use it normally.
Further, in operation the traffic behavior analysis module extracts from the network flow data the features that effectively characterize the network behavior of mobile terminal malware;
The extracted features that effectively characterize the network behavior of mobile terminal malware are classified according to their feature types;
Each class of features is matched with the detection model adapted to it, so that every feature type has a unique detection model corresponding to it;
The detection model corresponding to each feature type is selected and outputs its corresponding detection result.
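The flow detection process and the feature-type-to-model matching described above, as an added Python example that is not the patent's own code. Since the page says the proxy works on HTTP traffic, the input is a constructed list of proxied HTTP requests, tagged with the MD5 the terminal's App uploaded for each installed application (placeholder values). Features are extracted per application, grouped into three assumed feature types (timing, destination, content), each type is run through its own detection model, and a malicious verdict relabels the detection record from "0" to "1", pushes a message and cuts the terminal off. The three threshold rules are constructed stand-ins for the page's trained flow detection service models; the feature names, the request fields and the documentation-range address 203.0.113.7 are assumptions made here.

```python
import ipaddress
import statistics
from collections import defaultdict

MALICIOUS, NORMAL = "1", "0"

# Constructed sample of HTTP requests seen by the proxy from one terminal. "app" is the
# MD5 the terminal's App uploaded for the installed application (placeholder values),
# "ts" is seconds since the first request. The IP host is from the documentation range.
SAMPLE_REQUESTS = [
    {"app": "a" * 32, "ts": 0.0, "host": "news.example.org", "method": "GET", "body": b""},
    {"app": "a" * 32, "ts": 1.3, "host": "cdn.example.org", "method": "GET", "body": b""},
    {"app": "a" * 32, "ts": 7.9, "host": "cdn.example.org", "method": "GET", "body": b""},
    {"app": "b" * 32, "ts": 0.0, "host": "203.0.113.7", "method": "POST", "body": b"imei=123456789012345&v=1"},
    {"app": "b" * 32, "ts": 30.1, "host": "203.0.113.7", "method": "POST", "body": b"imei=123456789012345&v=1"},
    {"app": "b" * 32, "ts": 60.0, "host": "203.0.113.7", "method": "POST", "body": b"imei=123456789012345&v=1"},
    {"app": "b" * 32, "ts": 90.2, "host": "203.0.113.7", "method": "POST", "body": b"imei=123456789012345&v=1"},
]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_features(requests):
    """Steps 1 and 2: extract features from one app's flows and group them by feature type."""
    ts = sorted(r["ts"] for r in requests)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    gap_cv = None
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # coefficient of variation
    n = len(requests)
    return {
        "timing": {"count": n, "gap_cv": gap_cv},
        "destination": {
            "distinct_hosts": len({r["host"] for r in requests}),
            "ip_literal_share": sum(_is_ip_literal(r["host"]) for r in requests) / n,
        },
        "content": {
            "post_share": sum(r["method"] == "POST" for r in requests) / n,
            "identifier_posts": sum(b"imei=" in r["body"].lower() for r in requests),
        },
    }


# Step 3: one detection model per feature type. These threshold rules are constructed
# stand-ins for the page's trained flow detection service models.
def timing_model(f):
    # periodic beaconing: at least 3 requests with a near-constant interval
    return f["count"] >= 3 and f["gap_cv"] is not None and f["gap_cv"] < 0.1


def destination_model(f):
    # most connections go to bare IP addresses rather than domain names
    return f["ip_literal_share"] > 0.5


def content_model(f):
    # repeated POST requests carrying a device identifier
    return f["post_share"] > 0.5 and f["identifier_posts"] >= 2


MODELS = {"timing": timing_model, "destination": destination_model, "content": content_model}


def analyse_app(requests):
    """Step 4: run each type's model; return per-model results and the overall verdict."""
    feats = extract_features(requests)
    per_model = {name: model(feats[name]) for name, model in MODELS.items()}
    return per_model, any(per_model.values())


def run_traffic_analysis(requests, detection_records):
    """Flow detection for every installed app seen in the traffic, then the page's response:
    revise the record's label from '0' to '1', push a message and cut the terminal off.
    `detection_records` is a plain {md5: label} dict standing in for the detection record buffer area."""
    by_app = defaultdict(list)
    for r in requests:
        by_app[r["app"]].append(r)
    actions = {}
    for app, reqs in by_app.items():
        per_model, malicious = analyse_app(reqs)
        relabelled = False
        if malicious and detection_records.get(app) == NORMAL:
            detection_records[app] = MALICIOUS
            relabelled = True
        actions[app] = {"models": per_model, "malicious": malicious, "relabelled": relabelled,
                        "push_message": malicious, "disconnect_terminal": malicious}
    return actions
```

Because each feature type has its own model, a practitioner can see which type fired: in the sample, the beaconing application trips all three, while the news reader trips none.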
Further, the process by which a user requests to download a mobile application specifically comprises:
The user uses the mobile terminal to send the proxy server a request to download a mobile application;
The proxy server receives the user's request, resolves the domain name of the request and forwards the request;
The proxy server downloads the application the user requested from the network to the local proxy server;
The MD5 value of the downloaded application is calculated, and the detection record buffer area is queried to check whether a record of this MD5 value exists;
If the corresponding MD5 value exists and is labeled as a normal application, the application is returned to the user for download.
Further, during the user's application download, the handling process by which a match query is made against the detection record buffer area data in the proxy server comprises:
The detection record buffer area is queried for an MD5 value identical to that of the application;
If the MD5 value does not exist, the static detection and dynamic detection flow is started for the application;
If the MD5 value exists, the corresponding class label is checked to see whether it is malicious, that is, whether it is "1";
If the class label is "0", the application is normal and is returned for the user to download;
If the class label is "1", the application is malicious and the message push unit pushes the malicious detection result to the user.
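The download request handling described above, together with the static and dynamic detection flow it falls through to, as one added Python example that is not the patent's own code: the application management unit's file format check, the MD5 match query, then static detection followed by dynamic detection, with the label "1" written and the original file deleted on a malicious result, the label "0" written and the file returned on a normal result, and a push message recorded in every malicious case. The two detector functions are constructed stand-ins for the page's third-party services (VirusTotal and TaintDroid) that simply look for a marker string; the zip magic check, the file names and contents, and the dictionary keys are assumptions made here.

```python
import hashlib
from typing import Dict, List

MALICIOUS, NORMAL = "1", "0"
ZIP_MAGIC = b"PK\x03\x04"  # .apk and .ipa installation files are zip containers

# Constructed stand-ins for the third-party services the page calls (VirusTotal for static
# detection, TaintDroid for dynamic detection): each flags a file containing a marker string.
STATIC_MARKER = b"CONSTRUCTED-STATIC-MALWARE-MARKER"
DYNAMIC_MARKER = b"CONSTRUCTED-DYNAMIC-MALWARE-MARKER"


def static_detector_stub(data: bytes) -> bool:
    return STATIC_MARKER in data


def dynamic_detector_stub(data: bytes) -> bool:
    return DYNAMIC_MARKER in data


def is_install_file(name: str, data: bytes) -> bool:
    """Application management unit check: expected suffix and the zip container magic."""
    return name.lower().endswith((".apk", ".ipa")) and data.startswith(ZIP_MAGIC)


def handle_download(name, data, records, static_detector, dynamic_detector, pushed):
    """One download request through match query -> static detection -> dynamic detection.

    `records` is the {md5: label} detection record buffer area; `pushed` collects the
    messages the message push unit would send. Returns a dict describing the outcome.
    """
    if not is_install_file(name, data):
        return {"stage": "format", "md5": None, "label": None, "return_file": False, "delete_original": False}
    md5 = hashlib.md5(data).hexdigest()
    outcome = {"stage": "cache", "md5": md5, "label": records.get(md5), "return_file": False, "delete_original": False}

    if outcome["label"] == NORMAL:       # record hit, normal: no re-detection, return the file
        outcome["return_file"] = True
        return outcome
    if outcome["label"] == MALICIOUS:    # record hit, malicious: stop the download, push a message
        pushed.append((md5, "application detected as malicious (cached record)"))
        return outcome

    outcome["stage"] = "static"
    if static_detector(data):
        records[md5] = MALICIOUS
        outcome.update(label=MALICIOUS, delete_original=True)
        pushed.append((md5, "application detected as malicious (static detection)"))
        return outcome

    outcome["stage"] = "dynamic"
    if dynamic_detector(data):
        records[md5] = MALICIOUS
        outcome.update(label=MALICIOUS, delete_original=True)
        pushed.append((md5, "application detected as malicious (dynamic detection)"))
        return outcome

    records[md5] = NORMAL                # passed both rounds: label "0", return the file
    outcome.update(label=NORMAL, return_file=True)
    return outcome


def run_demo():
    """Six constructed download requests against one shared detection record buffer area."""
    records: Dict[str, str] = {}
    pushed: List[tuple] = []
    clean = ZIP_MAGIC + b"clean-app-contents"
    static_bad = ZIP_MAGIC + STATIC_MARKER
    dynamic_bad = ZIP_MAGIC + DYNAMIC_MARKER
    args = (records, static_detector_stub, dynamic_detector_stub, pushed)
    results = {
        "clean_first": handle_download("reader.apk", clean, *args),
        "clean_again": handle_download("reader.apk", clean, *args),  # served from the record
        "static_bad": handle_download("game.apk", static_bad, *args),
        "static_bad_again": handle_download("game.apk", static_bad, *args),
        "dynamic_bad": handle_download("tool.ipa", dynamic_bad, *args),
        "not_an_app": handle_download("readme.txt", b"just text", *args),
    }
    return results, records, pushed
```

The second request for each file stops at the "cache" stage, which is the speed-up the page attributes to the detection record buffer area: neither third-party service is called again.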
Beneficial effects of the present invention:
As a kind of information terminal, a proxy server has the opportunity to analyze and resolve resources such as files before they are downloaded to the end user, and the present invention designs a novel proxy server with triple detection capability. The first and second layers of detection basically guarantee that the mobile applications the user installs are safe, and the third layer, flow detection, effectively identifies malware at the moment it produces malicious behavior. This novel proxy server employs the existing mobile terminal malware detection methods (the static feature detection method and the dynamic behavior detection method) together with the traffic-based malicious network behavior detection method designed by the present invention, and combines them with the caching technology of the proxy server to establish a detection record buffer area. This greatly improves the user's download speed while ensuring that downloaded applications are safe, and detects possible malware network behavior in a timely manner.
Embodiment:
The present invention is described in detail below in conjunction with the accompanying drawings:
To enable mobile terminal malware to be effectively recognized before it is downloaded to the mobile terminal, or, even once mobile terminal malware has been installed, to be discovered in a timely manner through traffic behavior analysis, the proxy server is treated as a kind of information terminal that has the opportunity to analyze and resolve resources such as files before they are downloaded to the end user. On the basis of the basic functions of a traditional proxy server, with a DNS service function added, the present invention designs a novel proxy server with the ability to detect mobile terminal malware. This novel proxy server applies three layers of detection to the mobile applications a user downloads: static detection and dynamic detection are performed before the application is downloaded to the mobile terminal device, and traffic behavior analysis is performed after the application has been installed. This fully ensures the security and reliability of the software installed on the user's mobile terminal, while also detecting in a timely manner any malware network behavior that may exist.
The specific working process of the novel proxy server with the ability to detect mobile terminal malware is:
1) First, user A installs on the mobile terminal the App used to connect with the proxy server. This App not only has the function of configuring the mobile terminal to establish a network connection with the proxy server, but also the function of monitoring push messages from the proxy server, and can also record the MD5 value information of the applications the user installs.
2) The proxy server saves the installation file of the downloaded application. First step: a DNS service is added to the proxy server; an operator's proxy server, for example, has this DNS service function. In this way all traffic generated by the user's mobile terminal passes through the proxy server, and this design ensures that the user's traffic can be comprehensively inspected on the proxy server. Second step: user A configures the proxy server in the App. Third step: after the mobile terminal of user A connects to the network, it sends the proxy server a connection request to download a mobile application; the DNS service function added to the proxy server resolves the domain name of the request, and the request is forwarded. Fourth step: the application is downloaded from the Internet to the proxy server. Fifth step: the proxy server inspects the downloaded content and saves the installation file of the downloaded application; for the Android system, files with the suffix .apk are retained, for the iOS system, files with the suffix .ipa are retained, and other systems retain their corresponding application installation files.
3) The static detection module schedules the static detection interface and is responsible for performing static detection on the downloaded mobile application. The static detection module reads the downloaded application and performs static detection on it by calling the API interface provided by the third-party static detection model. If the application is detected as malicious, its MD5 value is recorded, written into the memory space of the detection record buffer area and labeled as a malicious application; at the same time the original file is deleted and a notification that a malicious application has been detected is sent by push to the terminal of user A. If the application is detected as normal, the original file is passed to the dynamic detection module for the next stage of detection.
4) The dynamic detection module then reads in the applications that static detection found to be normal. It calls the API interface provided by the third-party dynamic detection service to perform a second round of detection on the mobile applications that the static detection module found normal. If dynamic detection finds the application malicious, its MD5 value is recorded, written into the memory space of the detection record buffer area and labeled as a malicious application; at the same time the original file is deleted and a notification that a malicious application has been detected is sent by push to the terminal of user A. If the application is detected as normal, the installation file is returned to user A and, at the same time, the MD5 value of the application is recorded in the memory space of the detection record buffer area and labeled as a normal application.
5) The traffic behavior analysis module inspects the traffic generated by the installed application. Having passed the two rounds of static detection and dynamic detection, the mobile application can be downloaded and installed by user A on the mobile terminal. Once installed, the application generates network traffic, and the traffic behavior analysis module can now process the traffic of the applications the user has installed and use the flow detection service model to determine whether this traffic behavior is produced by malware. If malicious traffic is detected, the malicious application module responds immediately: the malicious application processing unit immediately blocks this terminal's access to the external network and sends the user a push message that a malicious application has been found. If no malicious application is detected from the traffic characteristics, no action is taken.
6) User B requests to download an application through the proxy server. User B installs on the mobile terminal the App used to connect with the proxy server, establishes the connection with the proxy server, and sends an application download request to the proxy server; the proxy server forwards the request and downloads the application from the network onto the proxy server.
7) The proxy server performs a match query on the MD5 value of the application installation file. The proxy server identifies that the file is an application installation file, calculates the MD5 value of the installation file, and matches it against the MD5 value records in the detection record buffer area. If the MD5 value of the application is found in the buffer area and is labeled as a normal application, user B can download it normally; if it is found in the buffer area and is labeled as a malicious application, the download is stopped and the proxy server pushes a message to user B stating that the application has been detected as malicious; if there is no record of the application's MD5 value in the buffer area, the above processes 3) to 5) are executed again.
8) Updating the detection record buffer area data backed up in the hard disk space of the proxy server. The update is implemented on the basis of the proxy server's cache replacement algorithm, and the data in the detection record buffer area are kept in the hard disk space of the proxy server at the same time. Before each cache update or replacement, a check is made whether the hard disk space already holds all the data of the detection record buffer area and whether the data are consistent: if some data in the detection record buffer area are absent from the hard disk space, they are written to the hard disk space; if all the data of the detection record buffer area are already present in the hard disk space, nothing is written. This ensures that every detection record can be found in the hard disk space, realizing the backup of the detection record buffer area data.
The App installed on the mobile terminal for connecting with the proxy server has the function of configuring the mobile terminal to establish a network connection with the proxy server, the function of monitoring push messages from the proxy server, and the function of recording the MD5 value of a downloaded application and uploading it to the proxy server. It is implemented as follows: (1) configuring the mobile terminal to establish a network connection with the proxy server is mainly based on an HTTP proxy; by setting information such as the IP address and port of the proxy server, the connection with the proxy server is established; (2) for the Android system, XMPP can be used to implement message push between the proxy server side and the Android phone side; Google's AndroidPn project is a message push implementation for Android phones that uses XMPP; (3) to record the MD5 value of a downloaded application and upload it to the proxy server on the Android system: first, since communication between processes is mainly done through Intents, the setDataAndType() method of the Intent class can be used to set the path of the installation file and its file type (for an apk file, for example, the file type is set to "application/vnd.android.package-archive"); then the startActivity() method is used to open this file, which installs the application on the mobile terminal. While the application is being installed, the MD5 value of its installation file is calculated and kept in this App, and the calculated MD5 value is then uploaded to the proxy server.
Because the novel proxy server mainly uses an HTTP proxy, the traffic behavior analysis module mainly performs malicious behavior detection based on HTTP traffic characteristics.
In order to better describe the present invention, the following gives a specific process for implementing the present invention:
A novel proxy server with the ability to discover mobile terminal malware comprises:
1. A logic management module, mainly responsible for the logic control of the entire detection function; it is the logic control center of the detection function. It mainly comprises 5 control modules:
1) User interaction module: the user terminal installs and configures the App for connecting to the proxy server, which completes the authentication between the proxy server and the user; the proxy server also has the function of sending push messages to the user terminal.
2) Application management module: mainly responsible for the management and control of applications.
3) Static detection module: mainly responsible for static detection control of applications.
4) Dynamic detection module: mainly responsible for dynamic detection control of applications.
5) Traffic behavior analysis module: mainly responsible for flow detection control of applications.
2. Implementation unit modules: for the above 5 different logic control modules, corresponding implementation units are designed. They mainly comprise:
1) User interaction unit: through the App installed on the user terminal, implements authentication and communication between the user and the proxy server.
2) Message push unit: mainly responsible for implementing the function by which the proxy server pushes messages to the user terminal.
3) Application management unit: mainly responsible for extracting the applications the user downloads and ensuring that all applications submitted for detection are mobile terminal applications; this unit also has the functions of calculating the MD5 value of a mobile application and removing malicious applications, and has the authority to write MD5 values and application type labels to the detection record buffer area.
4) Static detection interface: responsible for calling the third-party static detection service interface to implement static detection of applications.
5) Dynamic detection interface: responsible for calling the third-party dynamic detection service interface to implement dynamic detection of applications.
6) Traffic behavior analysis interface: responsible for accessing the flow detection service model to implement detection of applications using their traffic.
7) Detection record buffer area: stores the MD5 values of all applications that have been detected and their corresponding class labels. If the MD5 value of the application a user requests to download is already present in the buffer area, the three rounds of detection need not be repeated; the application's type label is taken directly from the detection record, which greatly improves detection speed.
3. The basic function modules of a traditional proxy server, which comprise:
1) User basic verification function module. By verifying users, it prevents unregistered users from accessing the Internet through the proxy server, and it records statistics on users' access times, access locations and traffic volumes. The user interaction unit of the implementation units is built on this function module and implements the re-authentication between the user and the proxy server: only users registered in advance pass this authentication and may then connect to and use the proxy server.
2) Buffering function module. Every proxy server provides a large hard disk buffer area: when external information passes through, it is also saved in the buffer area, so that when other users access the same information it is taken directly from the buffer area and passed to the user, improving access speed. The detection record buffer area of the implementation units makes use of this buffering function of the traditional proxy server and adds, on this basis, the function of permanently storing detection records.
3) Firewall function module. When all users of the internal network access the outside world through the proxy server, they are mapped to a single IP address, so the outside world cannot directly access the internal network; IP address filtering can also be configured to restrict the internal network's access rights to the outside. The present invention also uses this firewall function module to ensure the security of the internal network.
4) Added DNS service function. After the DNS service function is added, the DNS traffic generated by application software on the user's mobile terminal also passes through the proxy server, and this design ensures that the user's traffic can be comprehensively inspected on the proxy server.
Fig. 1 is the structural diagram of the novel proxy server designed by the present invention. As shown in Fig. 1, the method comprises:
Step 100: the user installs on the mobile terminal the App with the proxy server configuration function, completes the IP and port settings of the proxy server, and establishes the connection with the proxy server; the proxy protocol used is HTTP proxy.
Step 101: the user interaction module receives the connection request of the user's mobile terminal.
Step 102: the user interaction unit verifies the user's identity information and completes the user's registration.
Step 103: the user sends an application download request to the proxy server, which starts the application management module to control the download of the application.
Step 104: the proxy server, with its added DNS service function, resolves the domain name of the user's request and forwards the request, then downloads the mobile application from the network to the proxy server.
Step 105: the application management unit checks the downloaded mobile application to verify whether it conforms to the standard mobile application file format: an .apk file for the Android system, an .ipa file for the iOS system. The MD5 value of the file is calculated at the same time.
Step 106: the static detection module controls static detection of the downloaded mobile application.
Step 107: the static detection unit calls the third-party static detection service interface to perform static detection on the downloaded mobile application.
Step 108: the MD5 value of the file is written to the detection record buffer area; if the static detection result is a malicious application, the identification label "1" is appended after the MD5 value and the original file is deleted.
Step 109: if static detection finds the application malicious, the message push unit sends the user a notification message that the application has been detected as malicious.
Step 110: the user receives, on the mobile terminal, the malicious application notification message sent by the proxy server.
Step 111: if the static detection result is a normal application, the dynamic detection module continues to control dynamic detection of the application.
Step 112: the dynamic detection unit calls the third-party dynamic detection service interface to perform dynamic detection on the application. If the dynamic detection result is a malicious application, the MD5 value of the application is written to the detection record buffer area with the corresponding identification label "1", the original file is deleted and, at the same time, a malicious application notification message is sent to the user's terminal through the message push unit, prompting the user not to download it. If the result is a normal application, the MD5 value of the application is written to the detection record buffer area with the corresponding identification label "0" and, at the same time, the original installation file is returned for the user to download.
Step 113: the user successfully downloads the application that has passed static and dynamic detection, and when it is installed the application installation writing function of the mobile terminal App records the MD5 value of the installed application.
Step 114: the user accesses the network through the proxy server, the traffic behavior analysis module becomes responsible for detecting malware using the application's traffic characteristics, and the mobile terminal App uploads the installation record and the MD5 value recorded for the application to the flow detection module.
Step 115: the traffic behavior analysis module performs detection with the traffic behavior analysis unit. If the detection result is a malicious application, the record with the same MD5 value is searched for in the detection record buffer area and, if present, its class label is changed to the malicious label "1"; the message push unit sends a malicious application notification to the user terminal, and at the same time the application management unit severs the connection between this user terminal and the external network. If the application is detected as normal, the user can use it normally.
Fig. 2 is the flow chart of static detection and dynamic detection on the novel proxy server. As shown in Fig. 2, the method comprises:
Step 121, the proxy server parses the user's requested domain name, forwards the user's request to download the mobile application, and begins downloading the mobile application from the network to the local proxy server.
Step 122, the application management unit filters the downloaded content, retaining only the original installation file of the mobile application, and calculates the MD5 value of this file.
Step 123, the static detection interface calls the third-party static detection engine VirusTotal to perform static detection on the mobile application.
Step 124, if static detection finds a malicious application, the user interaction module is responsible for notifying the user by push message that a malicious application has been detected.
Step 125, the message push unit pushes the malicious-application detection result to the user's mobile terminal.
Step 126, the MD5 value of the malicious application is written to the detection record buffer and labelled with the malicious application identifier "1".
Step 127, if static detection finds a normal application, the third-party dynamic detection service TaintDroid is called, and dynamic detection is performed on the application through the interface that this service provides.
Step 128, if dynamic detection finds the application to be malicious, the user notification module is responsible for notifying the user by push message that a malicious application has been detected, and the push message unit pushes the detection result to the user terminal.
Step 129, the MD5 value of the malicious application is written to the detection record buffer and labelled with the malicious application identifier "1".
Step 130, if the dynamic detection result is a normal application, the MD5 value of the application is written to the detection record buffer and labelled with the normal application identifier "0".
After static detection and dynamic detection, the application software downloaded by the user can be considered essentially safe. At the same time, every detection leaves a detection record, so when the same application software is downloaded again, whether it is malicious can be judged simply by looking up its class identifier in the detection records, which speeds up the user's download.
Fig. 3 is the flow chart of traffic detection. As shown in Fig. 3, the method comprises:
Step 141, the user installs the downloaded mobile application.
Step 142, while the user installs the downloaded mobile application, the installation-recording function of the mobile terminal App records the MD5 value of the installed mobile application.
Step 143, the user runs the downloaded mobile application and accesses the network through the novel proxy server, and the MD5 value of this application is uploaded to the traffic behavior analysis module.
Step 144, the traffic behavior analysis unit accesses the traffic behavior analysis model service and performs detection using the network traffic of the application.
Step 145, if the detection result is a malicious application, the MD5 value matching this application is looked up in the detection record buffer; if it exists, the class label corresponding to this application is revised from "0" to "1", that is, from normal application to malicious application.
Step 146, the message push unit pushes the malicious-application detection result to the user terminal.
Step 147, the connection between the user terminal and the external network is interrupted.
Step 148, if the application is detected as normal, the user can continue to use it normally.
Traffic detection protects the user while the application software is connected to the network; once application software that has passed static detection and dynamic detection has been installed on the mobile terminal by the user, traffic detection provides the user's last line of defence. The traffic behavior analysis module on the proxy server accesses the traffic behavior analysis service to detect the network traffic generated by the application software on the user's mobile terminal; if malicious traffic is found, the connection between the mobile terminal and the external network is stopped immediately, and the class identifier of this application in the detection record buffer is modified at the same time.
Fig. 4 is the flow chart of a user requesting to download a mobile application. As shown in Fig. 4, the method comprises:
Step 151, the user uses the mobile terminal to send a request to the network to download a mobile application.
Step 152, the proxy server receives the user's request, parses the requested domain name and forwards the request.
Step 153, the proxy server downloads the application requested by the user from the network to the local proxy server.
Step 154, the MD5 value of the downloaded application is calculated, and the detection record buffer is queried to check whether a record of this MD5 value exists.
Step 155, if a record with the corresponding MD5 value exists and is labelled as a normal application, the application is returned to the user for download.
Fig. 5 is the flow chart of the matching query against the detection record buffer data on the proxy server while the user downloads an application; it is the refinement of step 154 above. As shown in Fig. 5, the method comprises:
Step 161, query the detection record buffer for an MD5 value identical to that of this application.
Step 162, if this MD5 value does not exist, start the static detection and dynamic detection flow for this application.
Step 163, if this MD5 value exists, check whether the corresponding class label is malicious, that is, whether it is "1".
Step 164, if the class label is "0", the application is normal and is returned to the user for download.
Step 165, if the class label is "1", the application is malicious and the message push unit pushes the malicious detection result message to the user.
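As an added example (not the patent's own code), the following Python sketch models the detection record buffer and the decision flow of Figs. 2 to 5: the MD5 lookup, the fall-through to static and then dynamic detection for an unseen file, the "0"/"1" class labels, and the label change plus disconnect after a traffic verdict. The detector stand-ins and sample bytes are constructed; the real flow would call VirusTotal, TaintDroid and the traffic analysis service.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MALICIOUS = "1"  # class label the text assigns to malicious applications
NORMAL = "0"     # class label the text assigns to normal applications

# A detector takes the installation file and returns True when it is malicious.
# These stand in for the static (VirusTotal) and dynamic (TaintDroid) service calls.
Detector = Callable[[bytes], bool]


@dataclass
class DetectionProxy:
    static_detect: Detector
    dynamic_detect: Detector
    # Detection record buffer: MD5 hex digest -> class label "0" or "1".
    records: Dict[str, str] = field(default_factory=dict)
    pushed: List[Tuple[str, str, str]] = field(default_factory=list)  # (terminal, md5, text)
    disconnected: List[str] = field(default_factory=list)

    @staticmethod
    def md5(install_file: bytes) -> str:
        return hashlib.md5(install_file).hexdigest()

    def handle_download(self, terminal: str, install_file: bytes) -> Optional[bytes]:
        """Fig. 5 refinement of step 154: look the MD5 up first; only an unseen file
        goes through static and then dynamic detection. Returns the installation file
        when it may be handed to the user, or None when a push message replaces it."""
        digest = self.md5(install_file)
        label = self.records.get(digest)
        if label is None:                                   # step 162: no record yet
            # step 123 / step 127: dynamic detection only runs when static passes
            malicious = self.static_detect(install_file) or self.dynamic_detect(install_file)
            label = MALICIOUS if malicious else NORMAL
            self.records[digest] = label                    # steps 126 / 129 / 130
        if label == MALICIOUS:                              # step 165 / step 112
            self.pushed.append((terminal, digest, "malicious application detected"))
            return None
        return install_file                                 # step 164: label "0"

    def handle_traffic_verdict(self, terminal: str, digest: str, malicious: bool) -> str:
        """Step 115 / Fig. 3: the terminal App uploaded the MD5 of an installed
        application and the traffic behavior analysis returned a verdict."""
        if malicious:
            if digest in self.records:
                self.records[digest] = MALICIOUS            # step 145: "0" -> "1"
            self.pushed.append((terminal, digest, "malicious traffic detected"))
            self.disconnected.append(terminal)              # step 147
        return MALICIOUS if malicious else self.records.get(digest, NORMAL)


# Constructed stand-in detectors with call counters, so the cache effect is visible.
CALLS = {"static": 0, "dynamic": 0}


def demo_static(install_file: bytes) -> bool:
    CALLS["static"] += 1
    return install_file.startswith(b"STATIC-BAD")


def demo_dynamic(install_file: bytes) -> bool:
    CALLS["dynamic"] += 1
    return b"taint-leak" in install_file
```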
The workflow of the traffic behavior analysis module is as follows:
extract from the network traffic data the features that effectively characterize the network behavior of mobile malware;
classify the extracted features that effectively characterize mobile malware network behavior according to their feature types;
select for each class of features the detection model suited to it, each type of feature having its own unique corresponding detection model;
feed each type of feature into its corresponding detection model and output the corresponding detection result.
When the features are classified, they are divided into rule-type features, graph-type features, numeric-type features and nominal-type features.
When selecting the detection model suited to each class of features: for rule-type features, a rule-based detection model is selected; for graph-type features, a graph-similarity matching model is selected; for numeric-type and nominal-type features, a machine learning model is used to process data of these types.
The data in the detection models mainly come from a mobile malware network traffic data set production method and system. This system mainly comprises a traffic generation device, a traffic collection device and a firewall proxy protection device: the traffic generation device produces network traffic both from software on real mobile terminals and from mobile applications installed on a mobile terminal emulator; the traffic collection device is based mainly on traffic mirroring and stores the mirrored traffic on a data storage server; the firewall proxy protection device protects against the attacks from the external network that installing malware brings. The traffic data stored on the data storage server is fed into the detection model server, where the traffic data is preprocessed and features are extracted, thereby realizing the method of detecting malware from mobile terminal network traffic designed by the present invention.
The method by which the data set of the detection model is obtained and the graph-type network behavior reconstruction graph is built comprises:
1) Decompilation of mobile malware. For the original files of a large set of Android malware, an automated script controls the decompilation tool APKTool, yielding the decompiled files of all malware samples. Each decompiled malware sample also contains an Android system configuration file, AndroidManifest.xml.
2) Extraction of the parameters required for automatic installation and execution of mobile malware. For each Android malware sample, if decompilation succeeded, the package name and main activity name of the malware can be extracted from its AndroidManifest.xml file as the parameters required by the automatic installation and execution program. For malware whose decompilation failed, step 1) is repeated with a newly selected decompilation tool until decompilation succeeds.
3) Automatic installation of mobile malware. Android application software can be installed through the ADB debugging command provided by the Android platform, which takes the package name as a parameter. For large-scale mobile malware, the package names of all malware samples obtained in step 2) are written to a text file, one package name per line. ADB is invoked with one line of the text file at a time, completing the automated installation of one malware sample; by calling ADB recursively over every line of the text file, all malware samples are installed in turn.
4) Activation and execution of mobile malware. Different Android malware depends on different activation modes; the currently known activation modes mainly comprise restart of the mobile terminal operating system, sending and receiving SMS, making phone calls, system events, battery level state, network state change and USB connection. The number of malware samples each activation mode can activate varies; according to statistics, more than 80% of Android malware is activated by a restart of the phone operating system. The present invention designs an activation priority mechanism ordered by the number of malware samples each activation mode can activate, namely: restart of the mobile terminal operating system > system event > battery level state > sending and receiving SMS > network state change > USB connection > making phone calls. If restarting the terminal operating system produces valid traffic, the malware is deemed activated and running; otherwise the next-ranked activation mode, "system event", is used to activate the malware, and so on, until activated-behavior traffic can be collected. If no valid traffic is collected after all activation modes have been used, traffic collection for that malware sample has failed.
5) Acquisition of mobile malware network traffic. A mirror port is deployed at the router node that connects the mobile terminals to the network, and all uplink and downlink mobile terminal network traffic is mirrored through it onto the data storage server.
6) Establishing the mobile malware blacklist. The data storage server holds all the network interaction traffic generated by the mobile malware. By parsing the DNS information in the traffic data, the target domain names of all the malware's DNS requests are obtained; these target domain names are then checked one by one for malicious domains on VirusTotal, and each malicious target domain name is added to the blacklist.
7) Separation of mobile malware malicious behavior traffic. Based on the blacklist established in 6), network data flows are built according to the five-tuple of a flow (that is, identical source IP address, destination IP address, source port number, destination port number and protocol number), and the HOST field (a domain name string) is extracted from the HTTP packets in each flow. If this field is present in the blacklist established in 6), the data flow is regarded as malware network behavior traffic and is extracted and saved; otherwise the data flow is ignored. All collected data flows are processed in turn according to this principle, thereby isolating the malicious interaction traffic generated between the mobile malware and its remote control server, or between malicious servers.
8) Establishing the mobile malware network behavior interaction timing diagram. After the malicious network data flows are isolated in 7), the corresponding DNS packets and HTTP packets are extracted. First, each malicious network data flow is read in turn, the HTTP packets in the flow are extracted, and the transmission time of each HTTP packet and its HOST field (which records the domain name of the server the HTTP packet is sent to) are recorded. Then, according to the domain name in the HOST field of the HTTP packet, the DNS protocol packets with the same domain name are extracted from the original network traffic packets, and the transmission time of each packet, the CNAME content of the DNS reply packet and the resolved IP address are recorded. Finally, according to the packet transmission times, the network interaction timing diagram from the source IP address through DNS to the HTTP packets sent to the target server is built.
9) Reconstruction of mobile malware network behavior. The network behavior reconstruction graph is built on the basis of the network interaction timing diagram established in 8). First, the source IP address, the destination server domain name and the HTTP packets are defined as nodes of the graph, and the contents of the DNS reply packets are defined as attribute nodes of the destination server domain name node. Second, the destination server domain name node is connected to each of its attribute nodes with a solid line, representing the CNAME information related to the destination server and the IP addresses it resolves to. Third, each HTTP packet node is connected to the destination server domain name node with a dotted line, representing the correspondence of sending that HTTP packet to that destination server. Then, the source IP address node is connected to the destination server domain name node with a solid line, representing the requests sent from the source IP address to the destination server, with the number of requests to that destination server domain name as the weight of this solid line. Finally, the source IP address node is connected to the HTTP packet node with a solid line, representing the HTTP packets sent from the source IP address to the destination server, with the number of HTTP packets sent to that destination server as the weight of this solid line. The normal network behavior reconstruction graph and the network behavior reconstruction graph of the user's mobile terminal application software are built in the same way as the malicious network behavior reconstruction graph.
In the detection model, when detecting with rule-type features, the steps adopted are:
1-1) based on the collected network traffic data set, extract the domain names of all requests;
1-2) submit the extracted requested domain names to a third-party domain name detection service for domain name detection, and establish a malicious URL list;
1-3) add the malicious URLs on the malicious URL list to the rule matching model as rules;
1-4) after the user terminal accesses the network, collect the network traffic of the user's mobile terminal, extract the requested domain names from the collected network traffic, and match them against the rules in the rule matching model library; if a maliciously requested domain name is found to exist, the rule matching model outputs a detection result that malware has been found.
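The five-tuple flow building and HOST-field separation of step 7) above, together with the rule-type detection of steps 1-1) to 1-4), as an added Python example that is not part of the patent. The packet records, addresses (RFC 5737 test ranges) and the blacklist are constructed; the blacklist stands in for the third-party domain verdicts of step 1-2) and step 6).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Five-tuple of a flow: source IP, destination IP, source port, destination port, protocol.
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    """Constructed, already-decoded packet record; real input would be mirrored traffic."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    dns_query: str = ""   # queried domain name, set on DNS request packets
    http_host: str = ""   # HOST header value, set on HTTP request packets


def build_flows(packets: List[Packet]) -> Dict[FiveTuple, List[Packet]]:
    """Step 7): packets sharing one five-tuple form one network data flow."""
    flows: Dict[FiveTuple, List[Packet]] = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.sport, p.dport, p.proto)].append(p)
    return dict(flows)


def requested_domains(packets: List[Packet]) -> Set[str]:
    """Step 1-1): every domain name the terminal requested over DNS."""
    return {p.dns_query for p in packets if p.dns_query}


def rule_match(domains: Set[str], malicious_rules: Set[str]) -> Set[str]:
    """Steps 1-3)/1-4): the malicious domain list is the rule set; a non-empty
    result means the rule matching model reports malware."""
    return domains & malicious_rules


def separate_malicious_flows(flows: Dict[FiveTuple, List[Packet]],
                             blacklist: Set[str]) -> Dict[FiveTuple, List[Packet]]:
    """Step 7): keep a flow when the HOST field of any HTTP packet in it is blacklisted."""
    return {key: pkts for key, pkts in flows.items()
            if any(p.http_host in blacklist for p in pkts if p.http_host)}


# Constructed blacklist standing in for the step 1-2) / step 6) third-party verdicts.
BLACKLIST = {"control.example"}

# Constructed capture: two DNS lookups, a two-packet HTTP flow to the blacklisted
# host and a single-packet HTTP flow to a benign host.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.53", 40001, 53, "udp", dns_query="control.example"),
    Packet("10.0.0.5", "192.0.2.53", 40002, 53, "udp", dns_query="cdn.example"),
    Packet("10.0.0.5", "198.51.100.7", 50001, 80, "tcp", http_host="control.example"),
    Packet("10.0.0.5", "198.51.100.7", 50001, 80, "tcp"),   # continuation of the same flow
    Packet("10.0.0.5", "203.0.113.10", 50002, 80, "tcp", http_host="cdn.example"),
]
```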
When detecting with graph-type features, the steps adopted are:
2-1) from the collected network traffic data set, extract the malicious network behavior data flows by their five-tuple features; the five-tuple feature means identical source IP, destination IP, source port, destination port and protocol type;
2-2) based on the malicious network behavior data flows, build the malicious network behavior reconstruction graph;
2-3) based on the normal network behavior data flows, build the normal network behavior reconstruction graph;
2-4) obtain the network traffic generated by the user's mobile terminal application software, build the network behavior reconstruction graph of that application software, and calculate its similarity with the malicious network behavior reconstruction graph and with the normal network behavior reconstruction graph respectively; if the similarity with the former is greater than the similarity with the latter, the application software is judged to be malware.
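The reconstruction graph of steps 8) and 9) and the comparison of step 2-4), as an added Python example that is not the patent's code. The text fixes the nodes, line types and edge weights but not the similarity measure or how an HTTP packet node is labelled, so this example assumes weighted Jaccard over the edge sets and labels each HTTP packet node by its request line; the traffic records use constructed RFC 2606/5737 names and addresses.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# A reconstruction graph is stored as a weighted edge set: (edge kind, node A, node B) -> weight.
Edge = Tuple[str, str, str]
Graph = Dict[Edge, int]


def build_behavior_graph(src_ip: str, http_packets: List[dict], dns_replies: List[dict]) -> Graph:
    """Steps 8)-9): source IP, destination server domain and HTTP packets are nodes;
    CNAME records and resolved IPs from DNS replies are attribute nodes of the domain."""
    g: Graph = defaultdict(int)
    for reply in dns_replies:
        for attr in reply["cnames"] + reply["addresses"]:
            g[("dom-attr", reply["domain"], attr)] = 1          # solid line, unweighted
    for pkt in http_packets:
        dom, req = pkt["host"], pkt["request"]
        g[("http-dom", req, dom)] = 1                            # dotted line: packet -> server
        g[("src-dom", src_ip, dom)] += 1                         # solid, weight = request count
        g[("src-http", src_ip, req)] += 1                        # solid, weight = packets sent
    return dict(g)


def weighted_jaccard(a: Graph, b: Graph) -> float:
    """Assumed similarity measure: sum of per-edge minima over sum of per-edge maxima."""
    edges = set(a) | set(b)
    if not edges:
        return 0.0
    shared = sum(min(a.get(e, 0), b.get(e, 0)) for e in edges)
    total = sum(max(a.get(e, 0), b.get(e, 0)) for e in edges)
    return shared / total


def classify(candidate: Graph, malicious: Graph, normal: Graph) -> Tuple[str, float, float]:
    """Step 2-4): closer to the malicious reference graph than to the normal one means malware."""
    s_mal, s_norm = weighted_jaccard(candidate, malicious), weighted_jaccard(candidate, normal)
    return ("malware" if s_mal > s_norm else "normal"), s_mal, s_norm


# Constructed traffic records; the same source IP is used for all three graphs so the
# src-* edges are comparable across them.
SRC = "10.0.0.5"
MAL_HTTP = [{"host": "control.example", "request": "GET /gate.php"}] * 3 + \
           [{"host": "control.example", "request": "POST /upload"}]
MAL_DNS = [{"domain": "control.example", "cnames": [], "addresses": ["198.51.100.7"]}]
NORM_HTTP = [{"host": "cdn.example", "request": "GET /index.html"}] * 2 + \
            [{"host": "api.example", "request": "GET /v1/news"}]
NORM_DNS = [{"domain": "cdn.example", "cnames": ["edge.cdn.example"], "addresses": ["203.0.113.10"]},
            {"domain": "api.example", "cnames": [], "addresses": ["203.0.113.20"]}]
# Traffic of the application under test: repeated requests to the control host plus one benign request.
APP_HTTP = [{"host": "control.example", "request": "GET /gate.php"}] * 2 + \
           [{"host": "cdn.example", "request": "GET /index.html"}]
APP_DNS = MAL_DNS + NORM_DNS[:1]


def demo() -> Tuple[str, float, float]:
    mal = build_behavior_graph(SRC, MAL_HTTP, MAL_DNS)
    norm = build_behavior_graph(SRC, NORM_HTTP, NORM_DNS)
    app = build_behavior_graph(SRC, APP_HTTP, APP_DNS)
    return classify(app, mal, norm)
```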
Further, for numeric-type and nominal-type features, a detection model is established based on unsupervised learning and supervised learning in machine learning, where unsupervised learning is based mainly on clustering algorithms and supervised learning is based mainly on classification algorithms; specifically:
3-1) from the collected network traffic data set, extract numeric-type and nominal-type features and establish the original feature set;
3-2) on the original feature set, remove the class label (the class label distinguishes whether the application software is malicious; for example, the label can be set to "1" for malware and to "0" for normal software) and use a clustering algorithm to gather software samples with similar features into one class, making it easier to find unknown malware;
3-3) for the newly found unknown malware, extract features again and add them to the original feature set to form a new feature set;
3-4) on the new feature set with class labels added, use a classification algorithm to establish a classification detection model, which helps to improve accuracy.
In an embodiment, the original feature set is clustered with the K-means method, an unsupervised machine learning algorithm; the specific method is:
4-1) input the number K of clusters wanted;
4-2) randomly initialize K cluster centers on the original feature set;
4-3) calculate the distance between each sample and the K cluster centers, and assign each sample to the class of the nearest center;
4-4) after assignment, calculate the center of each new class;
4-5) check whether the centers of the new classes have converged, the convergence condition being set as the number of iterations;
4-6) if the number of iterations reaches the set number, output the clustering result;
4-7) if the number of iterations has not reached the set number, return to step 4-3) until the set number of iterations is reached.
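Steps 4-1) to 4-7) carried through on unlabelled numeric-type features, as an added Python example that is not part of the patent. The text does not name a distance metric, so squared Euclidean distance is assumed; the per-application feature tuples are constructed.

```python
import random
from typing import List, Sequence, Tuple

Point = Tuple[float, ...]


def _dist2(a: Point, b: Point) -> float:
    """Squared Euclidean distance (assumed; the text does not fix a metric)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def _mean(points: Sequence[Point]) -> Point:
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


def kmeans(samples: Sequence[Point], k: int, iterations: int, seed: int = 0) -> Tuple[List[int], List[Point]]:
    """Steps 4-1) to 4-7): K is given, K centers are drawn at random from the feature set,
    each sample joins the nearest center, centers are recomputed, and the loop stops after
    the configured number of iterations. Returns (cluster index per sample, final centers)."""
    if not 0 < k <= len(samples):
        raise ValueError("k must be between 1 and the number of samples")
    centers = list(random.Random(seed).sample(list(samples), k))       # 4-1), 4-2)
    labels = [0] * len(samples)
    for _ in range(iterations):                                          # 4-5), 4-6), 4-7)
        for i, s in enumerate(samples):                                  # 4-3)
            labels[i] = min(range(k), key=lambda c: _dist2(s, centers[c]))
        for c in range(k):                                               # 4-4)
            members = [s for s, lab in zip(samples, labels) if lab == c]
            if members:   # a cluster that lost all members keeps its previous center
                centers[c] = _mean(members)
    return labels, centers


# Constructed numeric-type features per application, one tuple per sample:
# (uplink volume in KB, DNS requests, distinct servers contacted). No class label is
# present, as step 3-2) requires; the two groups are deliberately well separated.
SAMPLE_FEATURES: List[Point] = [
    (12.0, 3, 2), (15.0, 4, 2), (10.0, 2, 3),
    (480.0, 41, 19), (510.0, 38, 22), (455.0, 45, 20),
]


def cluster_sample(iterations: int = 10, seed: int = 0) -> Tuple[List[int], List[Point]]:
    return kmeans(SAMPLE_FEATURES, k=2, iterations=iterations, seed=seed)
```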
In an embodiment, an SVM model, a supervised machine learning algorithm, is established; the specific steps are:
5-1) on the basis of the newly found unknown malware samples, add class labels to form the new feature set;
5-2) from the new feature set, choose part of the data as the training set and the rest as the test set;
5-3) encode the parameters of the SVM model;
5-4) initialization: complete the preprocessing of the data and the initialization of the model parameters;
5-5) train the SVM model on the network traffic feature set extracted from the training set;
5-6) evaluate the classification performance of the model with the test set;
5-7) assess whether the classification performance meets the termination condition;
5-8) if the termination condition is reached, obtain the parameters of the SVM model;
5-9) obtain the SVM model from the parameters obtained;
5-10) if the termination condition is not reached, return to step 5-5) and continue training the model until the termination condition is met.
Further, when detecting with numeric-type and nominal-type features, the steps adopted are:
3-1) from the collected network traffic generated by the user's mobile terminal application software, extract numeric-type and nominal-type features;
3-2) perform preprocessing such as normalization on the extracted numeric-type and nominal-type features;
3-3) input the processed numeric-type and nominal-type features into the trained machine learning model, namely the SVM model obtained above;
3-4) use the SVM model to perform detection according to the input features.
Although the specific embodiments of the present invention have been described above with reference to the accompanying drawings, they do not limit the protection scope of the present invention. Those of ordinary skill in the art should understand that, on the basis of the technical scheme of the present invention, the various modifications or variations that a person skilled in the art can make without creative effort still fall within the protection scope of the present invention.