CN105205356A - APP application re-packaging detection method - Google Patents


Info

Publication number: CN105205356A (application CN201510595733.9A; granted as CN105205356B)
Authority: CN (China)
Prior art keywords: installation package, web page, files, file, consistency
Legal status: Granted; currently Active (Google's status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN105205356B
Inventors: 肖喜, 张少峰, 李清, 胡光武, 江勇, 夏树涛
Current assignee: Shenzhen Graduate School Tsinghua University
Original assignee: Shenzhen Graduate School Tsinghua University
Application filed by Shenzhen Graduate School Tsinghua University
Priority to CN201510595733.9A
Publication of CN105205356A
Application granted
Publication of CN105205356B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/128 Restricting unauthorised execution of programs involving web programs, i.e. using technology especially used in internet, generally interacting with a web browser, e.g. hypertext markup language [HTML], applets, java
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links

Abstract

The invention discloses a method for detecting repackaging of an APP application, used to detect whether the installation package generated by packaging the APP has been repackaged. The method comprises the following steps: judging whether each file in the installation package is internally consistent and/or whether the different files in the installation package are consistent with one another; if so, judging that the installation package has not been repackaged; otherwise, judging that it has been repackaged. With this method the original APP need not be obtained separately and no comparison between a third-party APP and the original APP is needed, so the method has better practicability and flexibility.

Description

Method for detecting repackaging of an APP application
Technical field
The present invention relates to a method for detecting whether an APP application has been repackaged.
Background
With the development of the mobile Internet, more and more people carry out traditional Internet activities on their phones, such as watching video, paying, shopping and logging in to social networking sites. Smartphones occupy an increasingly important position in daily life and greatly enrich and facilitate it. At the same time, malicious mobile software of every kind keeps appearing. Repackaged APPs are an important source of mobile malware: they undermine the healthy development of the Android ecosystem, cause developers to lose revenue, facilitate the spread of malware and endanger the security and privacy of ordinary users. Compared with the original APP, a repackaged APP keeps the original largely unchanged but adds or removes some functions, for example replacing some images in the APP, altering the address in a URL so that the APP loads a phishing site, or adding extra modules that steal user information.
A Hybrid APP lies between a Web APP and a Native APP: it is developed with both HTML and Java, combines the advantages of Web APPs and Native APPs, and is highly cross-platform. At the same time a Hybrid APP differs considerably from Native APPs and Web APPs. A Hybrid APP is divided into a Native layer, implemented mainly in Java, and a Web layer, implemented mainly in HTML5, whereas a Native APP is implemented mainly in Java code. Existing repackaging detection methods for Native APPs mainly compare a suspicious APK with the original APK and decide from the similarity of the compared content whether repackaging has taken place: if the similarity is high but the APK signatures differ, the APK is repackaged. Compared with a Native APP, a Hybrid APP is easier to decompile. Since a Native APP is mainly implemented in Java code, repackaging it requires decompiling it to Java code before modifying it. A Hybrid APP, by contrast, is mainly implemented in HTML5: simply decompressing the APK file exposes the main Web code, and an attacker can easily understand HTML and JavaScript code and therefore easily modify and repackage it. A Hybrid APP is thus easier to repackage than a Native APP.
The scheme described in patent CN201210204247 discloses a method for detecting repackaged applications in an Android market. The method computes the lengths of the strings used in the dex file of each Android application and takes them as a signature that distinguishes applications; the similarity between two Android applications is obtained by computing the edit distance between their signatures, and this similarity is compared with a given threshold to decide whether one application is a repackaging of the other. That method can serve as an effective supplementary means of detecting Android malware, but it is aimed mainly at Native APPs, does not solve the repackaging problem of Hybrid APPs well, and cannot decide whether an APP is repackaged when the original APP cannot be found.
The scheme described in patent CN201410261034 discloses a method for detecting, excising and recovering from the malicious code of repackaged Android malware. A feature database of fuzzy hash values of the malicious entry classes of known malicious programs is built and matched against the entry classes of the disassembled program under test; the complete malicious code fragments and the added resource files are then excised in turn; finally the code fragments that modified the original program during repackaging are located and their original function is recovered. That method targets the "malicious code implanted by repackaging" propagation characteristic of the increasingly serious rogue programs on the Android platform and detects and excises the malicious code implanted in otherwise normal programs. It is aimed at detecting malicious code rather than at the repackaging detection problem itself, and detecting repackaging by way of malicious code has considerable limitations: if the repackaging merely replaced some images or other resources in the original APP, it will not be detected. The method is also aimed mainly at Native APPs; because the program structure of Hybrid APPs differs from that of Native APPs, it is not applicable to Hybrid APPs.
The scheme described in patent CN201310438647 discloses an API-based method for detecting repackaged Android applications. The application files are first processed to obtain smali code files; for each file the usage of Android APIs is extracted from the smali code and frequency statistics are computed; files are then clustered by mutual comparison, and files with high similarity that recur across many iterations are treated as third-party libraries; after removing the interference of third-party libraries, program files with high similarity are clustered in units of application files; finally, combined with the author signature information, it is decided whether a repackaging relationship exists between applications. With that technical scheme, repackaged applications can be detected automatically at the scale of a large application market, with high efficiency and accuracy. However, the method is aimed mainly at Native APPs, does not consider the differences between Hybrid APPs and Native APPs and is therefore not applicable to Hybrid APPs; moreover, when the original APP cannot be found, it cannot decide whether an APP is repackaged.
The scheme described in patent US2014082729A discloses computing, by risk analysis, the risk that an APP has been repackaged. The risk analysis decides whether an APP is repackaged by computing whether it contains malicious code, using blacklist matching. Its repackaging detection has considerable limitations: if the repackaging merely replaced some resource files in the original APP, it will be difficult to detect. The method is also aimed mainly at Native APPs and is not applicable to Hybrid APPs.
Summary of the invention
The object of the invention is to propose a method for detecting repackaging of an APP application, so as to solve the technical problem that existing repackaging detection methods are not well suited to Hybrid APP applications.
To this end, the invention proposes a method for detecting repackaging of an APP application, used to detect whether the installation package generated by packaging the APP has been repackaged. The method comprises the following steps: judging whether each file contained in the installation package is internally consistent and/or whether the different files contained in the installation package are consistent with one another; if consistency holds, judging that the installation package has not been repackaged; if consistency does not hold, judging that it has been repackaged.
Preferably, judging whether each file contained in the installation package is internally consistent and/or whether the different files contained in it are consistent with one another is performed in one or more of the following ways:
Way one: judging whether the local files accessed by the installation package are consistent with the files contained in it;
Way two: judging whether the link addresses of the network files accessed by the installation package are consistent with the main domain corresponding to the APP;
Way three: judging whether the contents of the web page files in the installation package are consistent;
Way four: judging whether the application categories of the different types of files in the installation package are consistent.
Preferably, when way one is adopted, the method comprises the following steps:
S31: obtain all the decompressed files contained in the installation package and their file names;
S32: obtain the names of all local files accessed by the installation package;
S33: process each local file name as follows: judge the file-name similarity between the local file name and each decompressed file name; if the similarity between the local file name and every decompressed file name is below a first threshold, the installation package has been repackaged; if the similarity between the local file name and some decompressed file name is not below the first threshold, the installation package has not been repackaged.
Preferably, when way two is adopted, the method comprises the following steps:
S41: obtain all the decompressed files contained in the installation package;
S42: obtain the link addresses of all network files accessed by the installation package;
S43: process each link address as follows: judge the domain-name similarity between the link address and each subdomain in a whitelist; if the similarity between the link address and every subdomain is below a second threshold, the installation package has been repackaged; if the similarity between the link address and some subdomain is not below the second threshold, the installation package has not been repackaged. The whitelist contains the subdomains corresponding to the APP.
Preferably, when way three is adopted, the method comprises the following steps:
S51: obtain the content feature value of each web page file in the installation package; denote the content feature value of the i-th web page file by H(i);
S52: obtain the content difference D(s) between all web page files in the installation package:
$D(s) = \sum_{i=1}^{n_h} \sum_{j=i+1}^{n_h} d(H(i), H(j))$
where n_h is the number of web page files in the installation package, H(j) is the content feature value of the j-th web page file, d(H(i), H(j)) is the content difference between the i-th and the j-th web page file, 1 ≤ i < j ≤ n_h, and i, j are positive integers;
S53: obtain the content consistency f_html between all web page files in the installation package:
$f_{html} = 1 - \frac{2D(s)}{n_h(n_h+1)}$
Judge whether f_html is not below a third threshold; if so, the installation package has not been repackaged; if not, it has been repackaged.
Preferably, in step S51 the keywords of the i-th web page file are used as its content feature value H(i);
in step S52 the number of keywords that differ between the i-th and the j-th web page file is used as the content difference d(H(i), H(j)).
Preferably, when way four is adopted, the method comprises the following steps:
S71: obtain the application categories corresponding to the web page files, the xml files and the JavaScript files in the installation package, respectively;
S72: obtain the application-category consistency P_HJ between the web page files and the JavaScript files;
S73: obtain the application-category consistency Q_XJ between the xml files and the JavaScript files;
S74: obtain the application-category consistency F among the web page files, the xml files and the JavaScript files:
$F = w_1 \cdot P_{HJ} + w_2 \cdot Q_{XJ}$
where w_1 and w_2 are positive numbers. Judge whether F is not below a fourth threshold; if so, the installation package has not been repackaged; if not, it has been repackaged.
Preferably, in step S71:
the application categories corresponding to the JavaScript files are given by the sets J(j), where n_j is the number of APIs in the JavaScript files and J(j) is the application category corresponding to the j-th API;
the application categories corresponding to the web page files are given by the sets H(h), where n_h is the number of web page files and H(h) is the application category corresponding to the keyword of the h-th web page file;
the application category corresponding to the xml files is X, the application category corresponding to the keyword of all the xml files.
In step S72, the application-category consistency P_HJ between the web page files and the JavaScript files is
$P_{HJ} = \min_{1 \le h \le n_h,\; 1 \le j \le n_j} \{\, p(h,j) \mid p(h,j) \ne 0 \,\}$
where p(h, j) is the application-category consistency between the h-th web page file and the j-th API:
$p(h,j) = \frac{|J(j) \cap H(h)|}{|J(j) \cup H(h)|}$
If the h-th web page file does not call the j-th API, p(h, j) is 0. Here |J(j) ∩ H(h)| is the number of elements in the intersection of J(j) and H(h), and |J(j) ∪ H(h)| is the number of elements in their union.
In step S73, the application-category consistency Q_XJ between the xml files and the JavaScript files is
$Q_{XJ} = \min\{q(1), q(2), \dots, q(n_a)\}$
where q(j) is the application-category consistency between all the xml files and the j-th API, n_a is the number of APIs in the JavaScript files, and
$q(j) = \frac{|J(j) \cap X|}{|J(j) \cup X|}$
where |J(j) ∩ X| is the number of elements in the intersection of X and J(j).
Preferably, 0 < w_2 < w_1 < 1 and w_1 + w_2 = 1.
Preferably, the APP is a Hybrid APP.
The method proposed by the invention relies on the "consistency principle" of APPs: in order to realise the same main function, a normal APP has certain connections, in content or in function, both within each of its files and between its different files, that is, its files are consistent. The method does not need to compare the APK with the original APK to judge whether it has been repackaged, and can effectively improve the detection rate of application repackaging.
Brief description of the drawings
Fig. 1 is flowchart one of the APP application repackaging detection method of a specific embodiment of the invention;
Fig. 2 is flowchart two of the APP application repackaging detection method of a specific embodiment of the invention.
Embodiments
The invention is described in further detail below with reference to the drawings and embodiments. It should be emphasised that the following description is merely exemplary and is not intended to limit the scope or application of the invention.
With reference to the drawings, non-limiting and non-exclusive embodiments are described, in which identical reference numerals denote identical components unless stated otherwise.
The invention proposes a method for detecting repackaging of an APP application, used to detect whether the installation package generated by packaging the APP has been repackaged. To ensure that the repackaged installation package still resembles the original APK in interface and function, an attacker usually modifies the installation package in the following ways:
1) modifying the parameter of loadUrl() in the Java code to change the web page the APP loads, for instance making the APP load a phishing site in order to steal the user's sensitive information;
2) modifying the link URLs in the HTML web page files, changing the resources loaded from the URLs;
3) modifying the HTML web page files, for instance adding HTML web page files to the APP;
4) modifying the JavaScript code, changing the functions it implements.
Against these potential attacks, the method proposed by the invention judges whether each file contained in the installation package is internally consistent and/or whether the different files contained in it are consistent with one another; if so, the installation package is judged not to have been repackaged, and if not, it is judged to have been repackaged. Consistency here means that the files contained in an installation package that has not been repackaged should share a consistent theme and realise consistent functions. See Fig. 1, flowchart one of the APP application repackaging detection method of a specific embodiment of the invention. The proposed method does not need to obtain the original APP separately, nor to compare a third-party APP with the original APP, and so has better practicability and flexibility.
For convenience, the description uses an APK installation package; other installation packages such as IPA are processed similarly. In one embodiment of the invention, the method may be carried out in one or more of the following ways:
Detection way one:
Judge whether the local files accessed by the APK are consistent with the files contained in the APK; if so, the APK has not been repackaged; if not, it has been repackaged. In one embodiment this comprises the following steps:
S1: decompress the APK and obtain all the decompressed files and their file names;
S2: obtain the names of all local files accessed by the APK by extracting the parameters of loadUrl() from the decompressed files;
S3: process each local file name in turn as follows: judge the file-name similarity between this local file name and each decompressed file name, which can be computed by string matching; if the similarity between this local file name and every decompressed file name is below a preset first threshold (for example 0.5), the parameter consistency of loadUrl() in the APK is considered broken and the APK has been repackaged; if the similarity between this local file name and some decompressed file name is not below the preset first threshold, the parameter consistency of loadUrl() is considered intact and the APK has not been repackaged.
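Detection way one as runnable Python, added here as an illustration; it is not code from the patent. The loadUrl() arguments and the zip entry names are constructed sample data (recovering the arguments from the decompiled Java is outside the example), the similarity is difflib's ratio computed on the file's base name, and the 0.5 threshold is the example value the text gives.

```python
import io
import posixpath
import zipfile
from difflib import SequenceMatcher
from urllib.parse import urlparse

FIRST_THRESHOLD = 0.5  # the example value the text gives for the first threshold

# Constructed loadUrl() arguments as an analyst might recover them from the
# decompiled Java; the third one is the kind of change an attacker makes.
SAMPLE_LOADURL_ARGS = [
    "file:///android_asset/www/index.html",
    "https://news.baidu.com/",              # a network URL: left to way two
    "file:///sdcard/Download/phish.htm",    # local file the APK does not ship
]


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with typical Hybrid APP entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("AndroidManifest.xml", "classes.dex",
                     "assets/www/index.html", "assets/www/js/app.js"):
            zf.writestr(name, b"")
    return buf.getvalue()


def list_entries(apk_bytes: bytes) -> list:
    """S1: decompress the APK and collect its file names."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def local_targets(loadurl_args) -> list:
    """S2: keep only the loadUrl() parameters that name a local file."""
    return [u for u in loadurl_args if urlparse(u).scheme == "file"]


def filename_similarity(a: str, b: str) -> float:
    """String-matching similarity in [0, 1] (difflib ratio; an assumed choice)."""
    return SequenceMatcher(None, a, b).ratio()


def check_parameter_consistency(loadurl_args, entries, threshold=FIRST_THRESHOLD):
    """S3: for every local file name take its best similarity against all entry
    names. Any local file below the threshold breaks loadUrl() parameter
    consistency, so the APK is judged repackaged. Returns (repackaged, scores)."""
    scores = {}
    for url in local_targets(loadurl_args):
        # Compared on the base name only: the zip path carries an "assets/"
        # prefix that the file:// URL does not (simplifying assumption).
        name = posixpath.basename(urlparse(url).path)
        scores[url] = max(filename_similarity(name, e) for e in entries)
    repackaged = any(s < threshold for s in scores.values())
    return repackaged, scores


if __name__ == "__main__":
    entries = list_entries(build_sample_apk())
    verdict, scores = check_parameter_consistency(SAMPLE_LOADURL_ARGS, entries)
    for url, s in scores.items():
        print(f"{s:.2f}  {url}")
    print("repackaged" if verdict else "not repackaged")
```

With the sample data, index.html scores about 0.65 against assets/www/index.html and passes, while phish.htm scores about 0.33 against its closest entry and fails, so the APK is flagged. Because difflib's ratio rewards shared fragments such as ".html", a phishing page named to resemble a shipped page can score above 0.5; the threshold therefore needs tuning against the real file set rather than being taken as fixed.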
Detection way two:
Judge whether the link addresses of the network files accessed by the APK are consistent with the main domain corresponding to the APP; if so, the APK has not been repackaged; if not, it has been repackaged. In one embodiment this comprises the following steps:
S1: decompress the APK file and obtain all the decompressed files;
S2: obtain from the decompressed files the link addresses of all network files accessed by the APK;
S3: process each link address in turn as follows: judge the domain-name similarity between this link address and each subdomain in the whitelist, which can be computed with the KMP string matching algorithm; if the similarity between this link address and every subdomain is below a preset second threshold (for example 0.5), the link consistency of the APK is considered broken and the APK has been repackaged; if the similarity between this link address and some subdomain is not below the preset second threshold, the link consistency is considered intact and the APK has not been repackaged. The whitelist lists the subdomains related to the APP. For example, for the Baidu News APP the whitelist contains the subdomain www.news.baidu.com, which belongs to its main domain www.baidu.com.
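Detection way two as runnable Python, added here as an illustration and not taken from the patent. The KMP search is implemented as the text suggests; the similarity score (share of the host name covered by the whitelisted name, counted only when the KMP hit ends the host at a label boundary), the whitelist entries beyond the text's Baidu News example, the sample links and the 0.5 threshold are assumptions of this example.

```python
from urllib.parse import urlparse

SECOND_THRESHOLD = 0.5  # the example value the text gives for the second threshold

# Whitelist from the text's Baidu News example, plus the main domain itself.
WHITELIST = ["www.news.baidu.com", "www.baidu.com"]

# Constructed link addresses as extracted from the decompressed files.
SAMPLE_LINKS = [
    "https://www.news.baidu.com/headline",
    "https://www.baidu.com/s?wd=news",
    "https://www.baidu.com.evil.example/login",   # whitelisted name as a prefix
    "https://evil.example/?r=www.baidu.com",      # whitelisted name in the query
    "file:///android_asset/www/index.html",       # local file: handled by way one
]


def kmp_find(pattern: str, text: str) -> int:
    """Knuth-Morris-Pratt: index of the first occurrence of pattern in text, or -1."""
    if not pattern:
        return 0
    fail = [0] * len(pattern)          # failure function: longest proper border
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    k = 0
    for i, ch in enumerate(text):
        while k and ch != pattern[k]:
            k = fail[k - 1]
        if ch == pattern[k]:
            k += 1
        if k == len(pattern):
            return i - k + 1
    return -1


def domain_similarity(host: str, allowed: str) -> float:
    """Assumed score: the share of the host covered by the whitelisted name.
    A KMP hit only counts when it ends the host and starts at a label boundary,
    so "www.baidu.com.evil.example" and "notbaidu.com" both score 0."""
    host, allowed = host.lower(), allowed.lower()
    pos = kmp_find(allowed, host)
    while pos != -1:
        anchored = pos + len(allowed) == len(host) and (pos == 0 or host[pos - 1] == ".")
        if anchored:
            return len(allowed) / len(host)
        nxt = kmp_find(allowed, host[pos + 1:])   # try a later occurrence
        pos = -1 if nxt == -1 else pos + 1 + nxt
    return 0.0


def check_link_consistency(links, whitelist=WHITELIST, threshold=SECOND_THRESHOLD):
    """S3: score every network link against each whitelisted subdomain and keep
    the best; a link below the threshold breaks link consistency.
    Returns (repackaged, scores)."""
    scores = {}
    for url in links:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                      # only network file links are judged here
        scores[url] = max(domain_similarity(parts.hostname, w) for w in whitelist)
    repackaged = any(s < threshold for s in scores.values())
    return repackaged, scores


if __name__ == "__main__":
    verdict, scores = check_link_consistency(SAMPLE_LINKS)
    for url, s in scores.items():
        print(f"{s:.2f}  {url}")
    print("repackaged" if verdict else "not repackaged")
```

Matching the parsed host name rather than the raw URL is what defeats the two attacker links in the sample: a bare substring search over the whole link would find www.baidu.com in both. With a length-ratio score, a legitimate but deeply nested subdomain of a whitelisted name can also fall below 0.5; a deployment that wants to accept every anchored match would return 1.0 from domain_similarity instead.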
Detection way three:
Judge whether the contents of the web page files in the APK are consistent; if so, the APK has not been repackaged; if not, it has been repackaged. In one embodiment this comprises the following steps:
S1: obtain the content feature value of each web page file in the APK; denote the content feature value of the i-th web page file by H(i). In one embodiment the keywords of the i-th web page file are used as its content feature value H(i). For the i-th HTML web page file, to avoid extracting junk, the tag content of the file is removed first and the text content extracted, and the five words that occur most often in the text are selected as the content feature value of the file, written
H(i) = {C(i)_1, C(i)_2, C(i)_3, C(i)_4, C(i)_5},
where C(i)_p is the word ranked p-th by number of occurrences in the i-th HTML web page file, 1 ≤ p ≤ 5.
Suppose the APK contains n_h HTML web page files in total, n_h a positive integer; the set of content feature values of the APK is then written S = {H(1), H(2), …, H(n_h)}.
S2: obtain the content difference D(s) between all web page files in the APK:
$D(s) = \sum_{i=1}^{n_h} \sum_{j=i+1}^{n_h} d(H(i), H(j))$
where H(j) is the content feature value of the j-th web page file and d(H(i), H(j)) is the content difference between the i-th and the j-th web page file, for instance the number of content feature values that differ between them, 1 ≤ i < j ≤ n_h, with i, j positive integers.
S3: obtain the content consistency f_html between all web page files in the APK:
$f_{html} = 1 - \frac{2D(s)}{n_h(n_h+1)}$
Judge whether f_html is not below a preset third threshold; if so, the web page consistency of the APK is considered intact and the APK has not been repackaged; if not, the web page consistency is considered broken and the APK has been repackaged.
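Detection way three as runnable Python, added here as an illustration and not part of the patent. The keyword extraction (regular expressions instead of an HTML parser), the reading of d(H(i), H(j)) as the number of keywords of the i-th file that the j-th lacks, the sample pages and the 0.6 threshold are assumptions of this example; D(s) and f_html follow the formulas in the text.

```python
import re
from collections import Counter
from itertools import combinations

THIRD_THRESHOLD = 0.6   # assumed value; the text only names "a preset third threshold"
TOP_K = 5               # the five most frequent words, as in the text

_BLOCKS = re.compile(r"<(script|style)\b.*?</\1\s*>", re.I | re.S)
_TAGS = re.compile(r"<[^>]+>")
_WORDS = re.compile(r"[a-z]{2,}")

# Constructed HTML files: three news-themed pages as a Hybrid news APP might
# ship, and a login page of the kind an attacker adds when repackaging.
NEWS_PAGES = [
    "<h1>News</h1><p>news headline news weather sport video</p>"
    "<script>var x='ads';</script>",
    "<h1>Weather</h1><p>weather news sport video headline</p>",
    "<h1>Video</h1><p>video news sport weather headline</p><style>p{}</style>",
]
PHISH_PAGE = "<h1>Login</h1><form>password username bank account login</form>"


def extract_keywords(html: str, k: int = TOP_K) -> frozenset:
    """S1: drop script/style blocks and tags, then keep the k most frequent
    words as the content feature value H(i)."""
    text = _TAGS.sub(" ", _BLOCKS.sub(" ", html)).lower()
    return frozenset(w for w, _ in Counter(_WORDS.findall(text)).most_common(k))


def content_difference(features) -> int:
    """S2: D(s) = sum over i < j of d(H(i), H(j)), with d taken as the number of
    keywords of the i-th file that the j-th file lacks (assumed reading)."""
    return sum(len(a - b) for a, b in combinations(features, 2))


def content_consistency(features) -> float:
    """S3: f_html = 1 - 2 D(s) / [n_h (n_h + 1)], exactly as the text defines it."""
    n = len(features)
    return 1.0 - 2.0 * content_difference(features) / (n * (n + 1))


def check_page_consistency(htmls, threshold=THIRD_THRESHOLD):
    """Way three end to end: returns (repackaged, f_html)."""
    f = content_consistency([extract_keywords(h) for h in htmls])
    return f < threshold, f


if __name__ == "__main__":
    print("clean:    ", check_page_consistency(NEWS_PAGES))
    print("tampered: ", check_page_consistency(NEWS_PAGES + [PHISH_PAGE]))
```

The three news pages share all five keywords, so D(s) = 0 and f_html = 1. Adding the login page puts three pairs with five differing keywords into the sum, D(s) = 15, and f_html = 1 - 30/20 = -0.5. Since d can reach 5 per pair while the normaliser is n_h(n_h + 1) rather than 5 times the number of pairs, f_html is not confined to [0, 1]; the threshold is a cut-off on this scale, not a percentage.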
Detection way four:
Judge whether the APK categories of the different types of files in the APK are consistent; if so, the APK has not been repackaged; if not, it has been repackaged. An APK usually contains files of different types such as web page files (HTML and htm files), xml files and JavaScript files. In one embodiment this comprises the following steps:
S1: obtain the APK category corresponding to the web page files, the xml files and the JavaScript files in the APK, respectively. In an embodiment of the invention the APK categories are: map, navigation, communication, friend-making, shopping, weather, news, video, education, study, financing, game.
(1) JavaScript files:
Process each API in the JavaScript files in turn: obtain the APK category corresponding to the API by looking it up in the API call table of each APK category; for instance, if the j-th API appears in the API call table of map-class APKs, the APK category corresponding to that API is "map". Since one API may correspond to several APK categories, the APK categories corresponding to the j-th API are represented by a set J(j); for example J(j) = {A, B, C, D} means that the APK categories corresponding to the j-th API are A, B, C and D, ordered by likelihood.
The API call table of each APK category can be obtained as follows:
Sa: analyse a large number of APKs, extract the APIs called by all the APKs in each category, and obtain the public APIs of each category;
Sb: delete from the public APIs of each category those that also belong to other APK categories; the remaining APIs are considered the feature APIs of that category, and all the feature APIs of a category form its API call table. For example, let A, B and C be three APK categories, where A has five APKs {A.1, A.2, A.3, A.4, A.5}, B has five APKs {B.1, B.2, B.3, B.4, B.5} and C has five APKs {C.1, C.2, C.3, C.4, C.5}. If all of {A.1, A.2, A.3, A.4, A.5} call the API a.1, then a.1 is a public API of category A; if a.1 is a public API of A but not a public API of B or C, then a.1 is a feature API of A. The other feature APIs of category A are found in the same way and together form the API call table of category A.
(2) web page files:
Process each HTML web page file in turn: extract a keyword from the file with HtmlParser; look the keyword up in the HTML keyword table to obtain the APK category corresponding to the file; the APK categories corresponding to the h-th HTML web page file are represented by a set H(h).
The HTML keyword table can be obtained as follows:
Sa: analyse a large number of HTML web page files, extract the HTML web page keywords corresponding to all the APKs in each category, and obtain the public keywords of each category;
Sb: delete from the public keywords of each category those that also belong to other categories; the remaining keywords are considered the feature keywords of that category, and all the feature keywords of a category form its HTML keyword table.
(3) xml files:
Process all the xml files: extract text content from all the xml files with regular expressions, and extract a keyword from the text with TextRank; look the keyword up in the xml keyword table to obtain the APK category corresponding to all the xml files, represented by X. The xml keyword table is obtained in the same way as the HTML keyword table and is not described again here.
S2: obtain the APK-type consistency P_HJ between the HTML web page files and the JavaScript files:
$P_{HJ} = \min_{1 \le h \le n_h,\; 1 \le j \le n_j} \{\, p(h,j) \mid p(h,j) \ne 0 \,\}$
where n_h is the number of HTML web page files, n_j is the number of APIs in the JavaScript files, p(h, j) is the APK-type consistency between the h-th HTML web page file and the j-th API, h and j are positive integers, and
$p(h,j) = \frac{|J(j) \cap H(h)|}{|J(j) \cup H(h)|}$
If the h-th HTML web page file does not call the j-th API, p(h, j) is 0. |J(j) ∩ H(h)| is the number of elements in the intersection of J(j) and H(h), and |J(j) ∪ H(h)| the number of elements in their union. The larger p(h, j), the greater the APK-type consistency between the h-th HTML web page file and the j-th API.
S3: obtain the APK-type consistency Q_XJ between the xml files and the JavaScript files:
$Q_{XJ} = \min\{q(1), q(2), \dots, q(n_a)\}$
where n_a is the number of APIs in the JavaScript files (the same count as n_j), q(j) is the APK-type consistency between all the xml files and the j-th API, and
$q(j) = \frac{|J(j) \cap X|}{|J(j) \cup X|}$
where |J(j) ∩ X| is the number of elements in the intersection of X and J(j). The larger q(j), the greater the consistency between all the xml files and the j-th API.
S4: obtain the APK-type consistency F among the HTML web page files, the xml files and the JavaScript files.
In a Hybrid APP the xml files only handle layout, whereas the HTML web page files carry substantive meaning and function, so the HTML web page files contribute more to a Hybrid APP than the xml files do. In an embodiment of the invention, taking into account the different influence of these two file types on the global consistency, the xml files are given weight w (0 < w < 1/2) and the HTML web page files weight (1 - w), and F is computed as
$F = w \cdot Q_{XJ} + (1 - w) \cdot P_{HJ}$
The larger F, the greater the global consistency of the APK. Judge whether F is not below a preset fourth threshold; if so, the global consistency of the APK is considered intact and the APK has not been repackaged; if not, the global consistency is considered broken and the APK has been repackaged.
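Detection way four as runnable Python, added here as an illustration and not part of the patent: the feature-API table construction of steps Sa and Sb, then P_HJ, Q_XJ and F as defined above. The training APK profiles, the category assignments J, H and X of the APK under test, the weight w = 0.3 and the 0.4 threshold are constructed assumptions; in practice J comes from looking each API up in the table, and H and X from the keyword tables.

```python
from functools import reduce

FOURTH_THRESHOLD = 0.4   # assumed value; the text only names "a preset fourth threshold"
W_XML = 0.3              # w, the xml weight; HTML gets 1 - w (0 < w < 1/2 as required)

# Constructed API call profiles of labelled training APKs, by APK category.
TRAINING_APKS = {
    "map":        [{"getLocation", "drawRoute", "log"},
                   {"getLocation", "drawRoute", "zoom", "log"}],
    "navigation": [{"drawRoute", "turnByTurn", "log"}, {"drawRoute", "turnByTurn"}],
    "news":       [{"fetchFeed", "log"}, {"fetchFeed", "share", "log"}],
}


def feature_api_table(apks_by_class):
    """Sa/Sb: the public APIs of a category are those every one of its APKs
    calls; its feature APIs are the public APIs not public in any other category."""
    public = {c: reduce(lambda a, b: a & b, map(frozenset, calls))
              for c, calls in apks_by_class.items()}
    return {c: public[c] - frozenset().union(*(public[o] for o in public if o != c))
            for c in public}


def jaccard(a, b) -> float:
    """|a ∩ b| / |a ∪ b|, the measure behind both p(h, j) and q(j)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def p_hj(J, H, calls) -> float:
    """S2: P_HJ = min of the non-zero p(h, j); p(h, j) is 0 when page h does not
    call API j. J: api -> category set, H: page -> category set,
    calls: page -> APIs it calls. Returns 0.0 if no p(h, j) is non-zero."""
    values = [jaccard(J[j], H[h]) for h in H for j in J if j in calls.get(h, ())]
    nonzero = [v for v in values if v != 0]
    return min(nonzero) if nonzero else 0.0


def q_xj(J, X) -> float:
    """S3: Q_XJ = min over all APIs of q(j) = |J(j) ∩ X| / |J(j) ∪ X|."""
    return min(jaccard(J[j], X) for j in J)


def global_consistency(J, H, calls, X, w=W_XML):
    """S4: F = w * Q_XJ + (1 - w) * P_HJ. Returns (F, P_HJ, Q_XJ)."""
    P, Q = p_hj(J, H, calls), q_xj(J, X)
    return w * Q + (1 - w) * P, P, Q


def is_repackaged(J, H, calls, X, threshold=FOURTH_THRESHOLD) -> bool:
    return global_consistency(J, H, calls, X)[0] < threshold


# Constructed S1 output for a map APK: J from the API table, H from the HTML
# keyword table, X from the xml keyword table.
J_CLEAN = {"getLocation": {"map", "navigation"}, "drawRoute": {"map", "navigation"}}
H_CLEAN = {"index.html": {"map"}, "route.html": {"map", "navigation"}}
CALLS_CLEAN = {"index.html": {"getLocation"}, "route.html": {"drawRoute"}}
X_MAP = {"map"}

# The same APK after an attacker added a page and an API that do not belong.
J_TAMPERED = {**J_CLEAN, "sendSms": {"communication", "friend-making"}}
H_TAMPERED = {**H_CLEAN, "bonus.html": {"financing", "communication"}}
CALLS_TAMPERED = {**CALLS_CLEAN, "bonus.html": {"sendSms"}}


if __name__ == "__main__":
    print("feature APIs:", feature_api_table(TRAINING_APKS))
    print("clean:   ", global_consistency(J_CLEAN, H_CLEAN, CALLS_CLEAN, X_MAP))
    print("tampered:", global_consistency(J_TAMPERED, H_TAMPERED, CALLS_TAMPERED, X_MAP))
```

On the training profiles, log is public in every category and drawRoute in two, so both are removed and each category keeps one feature API. For the clean APK P_HJ = Q_XJ = 0.5 and F = 0.5; the added page drives P_HJ down to 1/3 and q(sendSms) to 0, so F = 0.7/3 and the APK is flagged. Note that p(h, j) = 0 stands both for "page h does not call API j" and for "their categories are disjoint", and the min in P_HJ drops zeros; a page whose categories share nothing with the API it calls therefore does not lower P_HJ, which is why the tampered page in the sample shares one category with its API.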
See Fig. 2, flowchart two of the APP application repackaging detection method of a specific embodiment of the invention. The method proposed by the invention takes into account the differences between Hybrid APPs and Native APPs and uses the parameter consistency, link consistency, HTML file consistency and global consistency of a Hybrid APP for detection; it can detect repackaging of Hybrid APPs automatically at the scale of a large application market, with high efficiency and accuracy.
Those skilled in the art will recognise that numerous adaptations of the above description are possible, so the embodiments serve only to describe one or more particular implementations.
Although what are regarded as example embodiments of the invention have been described and illustrated, it will be apparent to those skilled in the art that various changes and substitutions can be made without departing from the spirit of the invention. Moreover, many modifications can be made to adapt a particular situation to the teachings of the invention without departing from the central concept described here. Therefore the invention is not limited to the specific embodiments disclosed here but may include all embodiments and their equivalents falling within the scope of the invention.

Claims (10)

1. An APP application re-packaging detection method for detecting whether an installation package generated by packaging an APP has been re-packaged, characterized in that it comprises the following step: judging whether each file contained in the installation package is internally consistent and/or whether the different files it contains are consistent with one another; if they are consistent, judging that the installation package has not been re-packaged; if they are not consistent, judging that the installation package has been re-packaged.
2. The APP application re-packaging detection method of claim 1, characterized in that judging whether each file contained in the installation package is internally consistent and/or whether the different files it contains are consistent with one another can be carried out in one or more of the following modes:
Mode one: judging whether the local files accessed by the installation package are consistent with the files contained in the installation package;
Mode two: judging whether the network file link addresses accessed by the installation package are consistent with the main domain name corresponding to the APP;
Mode three: judging whether the contents of the web page files in the installation package are consistent;
Mode four: judging whether the application categories of the different types of files in the installation package are consistent.
3. The APP application re-packaging detection method of claim 2, characterized in that, when mode one is adopted, the APP re-packaging detection method comprises the following steps:
S31, obtaining all decompressed files contained in the installation package and their decompressed file names;
S32, obtaining all local file names accessed by the installation package;
S33, processing each local file name as follows: judging the file name similarity between the local file name and each decompressed file name; if the file name similarity between the local file name and every decompressed file name is less than a first threshold, the installation package has been re-packaged; if the file name similarity between the local file name and some decompressed file name is not less than the first threshold, the installation package has not been re-packaged.
4. The APP application re-packaging detection method of claim 2, characterized in that, when mode two is adopted, the APP re-packaging detection method comprises the following steps:
S41, obtaining all decompressed files contained in the installation package;
S42, obtaining all network file link addresses accessed by the installation package;
S43, processing each link address as follows: judging the domain name similarity between the link address and each subdomain name in a white list; if the domain name similarity between the link address and every subdomain name is less than a second threshold, the installation package has been re-packaged; if the domain name similarity between the link address and some subdomain name is not less than the second threshold, the installation package has not been re-packaged; wherein the white list comprises the subdomain names corresponding to the APP.
5. The APP application re-packaging detection method of claim 2, characterized in that, when mode three is adopted, the APP re-packaging detection method comprises the following steps:
S51, obtaining the content characteristic value of each web page file in the installation package, the content characteristic value of the i-th web page file being denoted H(i);
S52, obtaining the content difference D(s) between all web page files in the installation package:
D(s) = \sum_{i=1}^{n_h} \sum_{j=i+1}^{n_h} d(H(i), H(j))
where n_h is the number of web page files in the installation package, H(j) is the content characteristic value of the j-th web page file, d(H(i), H(j)) is the content difference between the i-th web page file and the j-th web page file, 1 ≤ i < j ≤ n_h, and i, j are positive integers;
S53, obtaining the content consistency f_html between all web page files in the installation package:
f_{html} = 1 - 2D(s) / [n_h (n_h + 1)]
judging whether f_html is not less than a third threshold; if so, the installation package has not been re-packaged; if not, the installation package has been re-packaged.
6. The APP application re-packaging detection method of claim 5, characterized in that, in step S51, the keywords of the i-th web page file are used as the content characteristic value H(i) of the i-th web page file;
in step S52, the number of keywords that differ between the i-th web page file and the j-th web page file is used as the content difference d(H(i), H(j)).
7. The APP application re-packaging detection method of claim 2, characterized in that, when mode four is adopted, the APP re-packaging detection method comprises the following steps:
S71, obtaining the application categories corresponding to the web page files, the xml files and the JavaScript file in the installation package, respectively;
S72, obtaining the application-category consistency P_HJ between the web page files and the JavaScript file;
S73, obtaining the application-category consistency Q_XJ between the xml files and the JavaScript file;
S74, obtaining the application-category consistency F among the web page files, the xml files and the JavaScript file:
F = w_1 \cdot P_{HJ} + w_2 \cdot Q_{XJ}
where w_1 and w_2 are positive numbers; judging whether F is not less than a fourth threshold; if so, the installation package has not been re-packaged; if not, the installation package has been re-packaged.
8. The APP application re-packaging detection method of claim 7, characterized in that, in step S71,
the application categories corresponding to the JavaScript file are {J(j)}, j = 1, …, n_j, where n_j is the number of APIs in the JavaScript file and J(j) is the application category corresponding to the j-th API in the JavaScript file;
the application categories corresponding to the web page files are {H(h)}, h = 1, …, n_h, where n_h is the number of web page files and H(h) is the application category corresponding to the keywords of the h-th web page file;
the application category corresponding to the xml files is X, where X is the application category corresponding to the keywords in all xml files.
In step S72, the application-category consistency P_HJ between the web page files and the JavaScript file is:
P_{HJ} = \min_{1 \le h \le n_h,\ 1 \le j \le n_j} \{ p(h, j) \mid p(h, j) \ne 0 \};
where p(h, j) denotes the application-category consistency between the h-th web page file and the j-th API, with the formula:
p(h, j) = |J(j) \cap H(h)| / |J(j) \cup H(h)|,
if the h-th web page file does not call the j-th API, p(h, j) is 0; where |J(j) ∩ H(h)| is the number of elements in the intersection of J(j) and H(h), and |J(j) ∪ H(h)| is the number of elements in their union;
In step S73, the application-category consistency Q_XJ between the xml files and the JavaScript file is:
Q_{XJ} = \min\{q(1), q(2), \dots, q(n_a)\};
where q(j) denotes the application-category consistency between all xml files and the j-th API, n_a denotes the number of APIs in the JavaScript file, and the formula is:
q(j) = |J(j) \cap X| / |J(j) \cup X|,
where |J(j) ∩ X| is the number of elements in the intersection of X and J(j).
9. The APP application re-packaging detection method of claim 7, characterized in that 0 < w_2 < w_1 < 1 and w_1 + w_2 = 1.
10. The APP application re-packaging detection method of any one of claims 1 to 9, characterized in that the APP is a Hybrid APP.
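Added example for modes one and two (claims 3 and 4 above), written for this page and not taken from the patent: the locally accessed file names are checked against the unpacked file listing, and the hosts of the accessed network links are checked against a white list of sub-domains of the APP's main domain. The unpacked listing, the access lists, the white list, the thresholds of 0.9, the comparison of base names, and the use of difflib's ratio as the similarity metric are all constructed assumptions; the claims specify neither the metric nor the threshold values.

```python
# Added example, not code from the patent: modes one and two of the
# re-packaging check (claims 3 and 4). All inputs below are constructed.
from difflib import SequenceMatcher
from urllib.parse import urlparse
import posixpath

# Constructed: file names unpacked from the installation package (S31/S41).
UNPACKED = [
    "assets/www/index.html",
    "assets/www/js/app.js",
    "assets/www/js/cordova.js",
    "assets/www/css/style.css",
    "res/xml/config.xml",
]

# Constructed: local files the package's web code accesses (S32).
LOCAL_CLEAN = ["file:///android_asset/www/js/app.js",
               "file:///android_asset/www/css/style.css"]
LOCAL_INJECTED = LOCAL_CLEAN + ["file:///android_asset/www/js/inject_ads.js"]

# Constructed: network links the package accesses (S42) and the white list
# of sub-domains belonging to the APP's main domain (claim 4).
WHITELIST = ["example.com", "api.example.com", "cdn.example.com"]
LINKS_CLEAN = ["https://api.example.com/v1/balance",
               "https://cdn.example.com/app.css"]
LINKS_INJECTED = LINKS_CLEAN + ["https://ads.tracker-example.net/beacon"]


def similarity(a, b):
    """Assumed similarity metric: difflib ratio in [0, 1]."""
    return SequenceMatcher(None, a, b).ratio()


def local_file_check(unpacked, accessed, first_threshold=0.9):
    """Mode one (S31-S33). An accessed local file is acceptable when its
    name is at least first_threshold similar to some unpacked file name;
    one accessed file that matches nothing marks the package re-packaged.
    Returns (repackaged, list of accessed files matching no unpacked name)."""
    names = [posixpath.basename(p) for p in unpacked]  # assumption: base names
    unmatched = []
    for path in accessed:
        base = posixpath.basename(urlparse(path).path)
        best = max((similarity(base, n) for n in names), default=0.0)
        if best < first_threshold:
            unmatched.append(path)
    return bool(unmatched), unmatched


def network_link_check(links, whitelist, second_threshold=0.9):
    """Mode two (S41-S43): each link's host must be at least
    second_threshold similar to some white-listed sub-domain.
    Returns (repackaged, list of links matching no white-list entry)."""
    unmatched = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        best = max((similarity(host, d) for d in whitelist), default=0.0)
        if best < second_threshold:
            unmatched.append(url)
    return bool(unmatched), unmatched


if __name__ == "__main__":
    print(local_file_check(UNPACKED, LOCAL_INJECTED))
    print(network_link_check(LINKS_INJECTED, WHITELIST))
```

Character similarity is what the claim calls for; a stricter defensive variant of mode two is an exact match on the registered domain suffix, because a look-alike host can score well on character similarity while belonging to someone else entirely.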
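Added example for mode three (claims 5 and 6 above), written for this page and not taken from the patent: H(i) is the keyword set of a page, d(H(i), H(j)) is the number of keywords that differ (the size of the symmetric difference, per claim 6), and D(s) and f_html follow the formulas of claim 5. The pages are constructed; reading a page's keyword set from its `<meta name="keywords">` tag and the third threshold of 0.3 are assumptions.

```python
# Added example, not code from the patent: mode three (claims 5 and 6),
# HTML content consistency. Pages and threshold are constructed.
from html.parser import HTMLParser
from itertools import combinations


class _MetaKeywords(HTMLParser):
    """Collect the comma-separated values of <meta name="keywords" content="...">."""

    def __init__(self):
        super().__init__()
        self.keywords = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == "keywords":
            for kw in (a.get("content") or "").split(","):
                kw = kw.strip().lower()
                if kw:
                    self.keywords.add(kw)


def content_feature(html):
    """S51: content characteristic value H(i) of one web page file
    (assumption: the page's meta keywords)."""
    parser = _MetaKeywords()
    parser.feed(html)
    return frozenset(parser.keywords)


def content_difference(h_i, h_j):
    """Claim 6: number of keywords present in one page but not the other."""
    return len(h_i ^ h_j)


def html_consistency(pages):
    """S52/S53: returns (D(s), f_html) for a dict {file name: html text}."""
    feats = [content_feature(text) for text in pages.values()]
    n_h = len(feats)
    d_s = sum(content_difference(a, b) for a, b in combinations(feats, 2))
    f_html = 1 - 2 * d_s / (n_h * (n_h + 1))
    return d_s, f_html


def is_repackaged_by_html(pages, third_threshold=0.3):
    """Re-packaged when f_html falls below the third threshold."""
    _, f_html = html_consistency(pages)
    return f_html < third_threshold


def _page(title, keywords):
    # Constructed minimal page carrying a keywords meta tag.
    return (f'<html><head><title>{title}</title>'
            f'<meta name="keywords" content="{keywords}"></head>'
            f'<body><h1>{title}</h1></body></html>')


# Constructed: three pages of a banking Hybrid APP, then one injected page
# whose keywords share nothing with the rest.
PAGES_CLEAN = {
    "login.html": _page("Login", "bank, account, secure"),
    "accounts.html": _page("Accounts", "bank, account, secure, balance"),
    "transfer.html": _page("Transfer", "bank, account, secure, transfer"),
}
PAGES_INJECTED = {**PAGES_CLEAN,
                  "promo.html": _page("Prize", "lottery, prize, free, download")}

if __name__ == "__main__":
    print(html_consistency(PAGES_CLEAN), is_repackaged_by_html(PAGES_CLEAN))
    print(html_consistency(PAGES_INJECTED), is_repackaged_by_html(PAGES_INJECTED))
```

With raw keyword counts, D(s) grows with the vocabulary size, so f_html is not bounded below by zero (the injected set above drives it negative); the third threshold therefore has to be calibrated against the keyword extractor actually used.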
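Added example for mode four, covering steps S2 to S4 of the description above and claims 7 to 9, written for this page and not taken from the patent: p(h, j) and q(j) are the Jaccard ratios the page defines, P_HJ is the minimum non-zero p(h, j), Q_XJ is the minimum q(j), and F = w · Q_XJ + (1 − w) · P_HJ with 0 < w < 1/2 as in the description. The API and page category sets, the call relation, the xml category set X, the weight w = 0.3, the fourth threshold of 0.5, and returning 0 for P_HJ when no non-zero value exists are constructed assumptions.

```python
# Added example, not code from the patent: mode four (description S2-S4,
# claims 7-9), application-category consistency. Inputs are constructed.


def jaccard(a, b):
    """|a ∩ b| / |a ∪ b|; 0 when both sets are empty (assumption)."""
    a, b = set(a), set(b)
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def p_hj(api_cats, page_cats, calls):
    """P_HJ over pages h and APIs j. p(h, j) is 0 when h does not call j,
    and the minimum is taken over the non-zero values only. Returns 0.0
    when no non-zero value exists (assumption; the page does not say)."""
    values = [jaccard(page_cats[h], api_cats[j])
              for h, apis in calls.items() for j in apis]
    nonzero = [v for v in values if v != 0]
    return min(nonzero) if nonzero else 0.0


def q_xj(api_cats, xml_cats):
    """Q_XJ = min over j of q(j) = |J(j) ∩ X| / |J(j) ∪ X|."""
    return min(jaccard(cats, xml_cats) for cats in api_cats.values())


def global_consistency(api_cats, page_cats, xml_cats, calls, w=0.3):
    """F = w * Q_XJ + (1 - w) * P_HJ. Returns (F, P_HJ, Q_XJ)."""
    if not 0 < w < 0.5:
        raise ValueError("the xml weight w must satisfy 0 < w < 1/2")
    p = p_hj(api_cats, page_cats, calls)
    q = q_xj(api_cats, xml_cats)
    return w * q + (1 - w) * p, p, q


def is_repackaged_by_category(api_cats, page_cats, xml_cats, calls,
                              w=0.3, fourth_threshold=0.5):
    """Re-packaged when F falls below the fourth threshold."""
    f, _, _ = global_consistency(api_cats, page_cats, xml_cats, calls, w)
    return f < fourth_threshold


# Constructed: a banking Hybrid APP. J(j): categories of each JavaScript
# API; H(h): categories of each HTML page's keywords; X: categories of the
# xml (layout) files; CALLS: which page calls which API.
API_CATS = {
    "getBalance": {"finance"},
    "transfer": {"finance", "payment"},
    "scanQR": {"finance", "payment", "tool"},
}
PAGE_CATS = {
    "accounts.html": {"finance"},
    "transfer.html": {"finance", "payment"},
}
XML_CATS = {"finance", "payment"}
CALLS = {"accounts.html": {"getBalance"}, "transfer.html": {"transfer", "scanQR"}}

# Constructed re-packaged variant: an injected advertising page and API.
API_CATS_INJ = {**API_CATS, "showAd": {"advert"}}
PAGE_CATS_INJ = {**PAGE_CATS, "promo.html": {"game", "advert"}}
CALLS_INJ = {**CALLS, "promo.html": {"showAd"}}

if __name__ == "__main__":
    print(global_consistency(API_CATS, PAGE_CATS, XML_CATS, CALLS))
    print(global_consistency(API_CATS_INJ, PAGE_CATS_INJ, XML_CATS, CALLS_INJ))
```

Because P_HJ is the minimum over non-zero values only, a page that calls an API whose categories are disjoint from its own yields p(h, j) = 0 and drops out of the minimum, so such a call can never lower P_HJ on its own; Q_XJ has no such exclusion, which is why the injected API above is caught through the xml side of F.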
CN201510595733.9A 2015-09-17 2015-09-17 APP application re-packaging detection method Active CN105205356B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510595733.9A CN105205356B (en) 2015-09-17 2015-09-17 APP application re-packaging detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510595733.9A CN105205356B (en) 2015-09-17 2015-09-17 APP application re-packaging detection method

Publications (2)

Publication Number Publication Date
CN105205356A true CN105205356A (en) 2015-12-30
CN105205356B CN105205356B (en) 2017-12-29

Family

ID=54953032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510595733.9A Active CN105205356B (en) 2015-09-17 2015-09-17 APP application re-packaging detection method

Country Status (1)

Country Link
CN (1) CN105205356B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105897923A (en) * 2016-05-31 2016-08-24 中国科学院信息工程研究所 APP installation package network flow identification method
CN106951780A (en) * 2017-02-08 2017-07-14 中国科学院信息工程研究所 Static detection method and device for re-packaged malicious applications
CN108280647A (en) * 2018-02-12 2018-07-13 北京金山安全软件有限公司 Private key protection method and device for digital wallet, electronic equipment and storage medium
CN108958826A (en) * 2017-05-22 2018-12-07 北京京东尚科信息技术有限公司 The method and apparatus of dynamic configuration application installation package
CN109800575A (en) * 2018-12-06 2019-05-24 成都网安科技发展有限公司 A kind of safety detection method of Android application program
CN109858249A (en) * 2019-02-18 2019-06-07 暨南大学 Rapid intelligent comparison and security detection method for mobile malware big data
TWI675310B (en) * 2016-10-11 2019-10-21 香港商阿里巴巴集團服務有限公司 Method and device for preventing repackaging

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719821A (en) * 2008-10-09 2010-06-02 爱思开电讯投资(中国)有限公司 System for managing application program of intelligent card and method thereof
US20140059690A1 (en) * 2012-02-16 2014-02-27 Nec Laboratories America, Inc. Method for Scalable Analysis of Android Applications for Security Vulnerability
CN104392181A (en) * 2014-11-18 2015-03-04 北京奇虎科技有限公司 SO file protection method and device and android installation package reinforcement method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张思琪: "Android malware detection based on improved Bayesian classification" (基于改进贝叶斯分类的Android恶意软件检测), 《综合电子信息技术》 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105897923A (en) * 2016-05-31 2016-08-24 中国科学院信息工程研究所 APP installation package network flow identification method
CN105897923B (en) * 2016-05-31 2019-04-30 中国科学院信息工程研究所 APP installation package network flow identification method
US10685117B2 (en) 2016-10-11 2020-06-16 Alibaba Group Holding Limited Method and apparatus for anti-repackaging
TWI675310B (en) * 2016-10-11 2019-10-21 香港商阿里巴巴集團服務有限公司 Method and device for preventing repackaging
CN106951780B (en) * 2017-02-08 2019-09-10 中国科学院信息工程研究所 Static detection method and device for re-packaged malicious applications
CN106951780A (en) * 2017-02-08 2017-07-14 中国科学院信息工程研究所 Static detection method and device for re-packaged malicious applications
CN108958826A (en) * 2017-05-22 2018-12-07 北京京东尚科信息技术有限公司 The method and apparatus of dynamic configuration application installation package
CN108958826B (en) * 2017-05-22 2022-06-07 北京京东尚科信息技术有限公司 Method and device for dynamically configuring application installation package
CN108280647A (en) * 2018-02-12 2018-07-13 北京金山安全软件有限公司 Private key protection method and device for digital wallet, electronic equipment and storage medium
CN109800575A (en) * 2018-12-06 2019-05-24 成都网安科技发展有限公司 A kind of safety detection method of Android application program
CN109800575B (en) * 2018-12-06 2023-06-20 成都网安科技发展有限公司 Security detection method for Android application program
CN109858249A (en) * 2019-02-18 2019-06-07 暨南大学 Rapid intelligent comparison and security detection method for mobile malware big data
CN109858249B (en) * 2019-02-18 2020-08-07 暨南大学 Rapid intelligent comparison and safety detection method for mobile malicious software big data

Also Published As

Publication number Publication date
CN105205356B (en) 2017-12-29

Similar Documents

Publication Publication Date Title
CN105205356A (en) APP application re-packaging detection method
Skolka et al. Anything to hide? studying minified and obfuscated code in the web
US11126723B2 (en) Systems and methods for remote detection of software through browser webinjects
Wang et al. A deep learning approach for detecting malicious JavaScript code
US10620945B2 (en) API specification generation
Liu et al. A novel approach for detecting browser-based silent miner
Stock et al. From facepalm to brain bender: Exploring client-side cross-site scripting
Zhang et al. SaaS: A situational awareness and analysis system for massive android malware detection
CN104735074A (en) Malicious URL detection method and implement system thereof
CN104123493A (en) Method and device for detecting safety performance of application program
CN105760379B (en) Method and device for detecting webshell page based on intra-domain page association relation
CN107437026B (en) Malicious webpage advertisement detection method based on advertisement network topology
CN105959324A (en) Regular matching-based network attack detection method and apparatus
CN107463844B (en) WEB Trojan horse detection method and system
CN104021346A (en) Method for detecting Android malicious software based on program flow chart
Yang et al. Detection of malicious behavior in android apps through API calls and permission uses analysis
CN103279710A (en) Method and system for detecting malicious codes of Internet information system
Shahriar et al. Injecting comments to detect JavaScript code injection attacks
Nguyen et al. Detecting repackaged android applications using perceptual hashing
Gupta et al. An infrastructure-based framework for the alleviation of JavaScript worms from OSN in mobile cloud platforms
Bird et al. Actions speak louder than words: Semi-supervised learning for browser fingerprinting detection
Malviya et al. Development of web browser prototype with embedded classification capability for mitigating Cross-Site Scripting attacks
CN110135153A (en) The credible detection method and device of software
CN102799524A (en) Defect detection method of browser extension
CN108171057B (en) Android platform malicious software detection method based on feature matching

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 518055 Guangdong city of Shenzhen province Nanshan District Xili of Tsinghua

Applicant after: Graduate School at Shenzhen, Tsinghua University

Address before: 518000 Guangdong city in Shenzhen Province, Nanshan District City Xili Shenzhen Tsinghua Campus of Tsinghua University

Applicant before: Graduate School at Shenzhen, Tsinghua University

COR Change of bibliographic data
GR01 Patent grant