CN105488412A - Malicious code detection method and system based on android terminal log - Google Patents


Info

Publication number: CN105488412A
Authority: CN (China)
Prior art keywords: log, malicious code, malicious, object instance
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201510343505.2A
Other languages: Chinese (zh)
Inventors: 袁海涛, 耿进, 马志远
Current assignee: Harbin Antiy Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Harbin Antiy Technology Co Ltd
Priority date: 2015-06-19 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2015-06-19
Publication date: 2016-04-13
Application filed by Harbin Antiy Technology Co Ltd; priority to CN201510343505.2A; published as CN105488412A; current legal status pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention provides a malicious code detection method and system based on Android terminal logs. The method comprises the following steps: a main process starts a log-acquisition process; the log-acquisition process obtains, through a runtime interface function, an object instance of the Android system's own log process; the log-acquisition function of that object instance is called to obtain all generated log records; the log records are preprocessed; the preprocessed log records are matched against a malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists. The invention correspondingly provides the system. By using the additional information produced while a program runs as the inspection point, the invention addresses the problem of the excessive reverse-engineering cost of static analysis and the high cost of dynamic detection.

Description

Malicious code detection method and system based on Android terminal logs
Technical field
The present invention relates to the field of mobile terminal security, and in particular to a malicious code detection method and system based on Android terminal logs.
Background
Virus detection for the Android operating system is generally carried out with dynamic detection techniques and static detection techniques. Dynamic detection has strict real-time requirements: it generally has to detect malicious behaviour before that behaviour causes harm, and because it must execute the program in order to capture the trace of the application code's actions, it consumes a large amount of hardware resources and executes slowly. Static detection must first decompile the software with reverse-engineering techniques to obtain the code, and then examine the code's control flow and logic; because static detection is based on known malicious programs, its ability to resist unknown malicious programs is relatively weak.
Summary of the invention
The present invention proposes a malicious code detection method and system based on Android terminal logs. By examining the Android system log it avoids the shortcomings above, further improves detection capability and saves system resources.
A malicious code detection method based on Android terminal logs comprises:
the main process starts a log-acquisition process;
the log-acquisition process obtains, through a runtime interface function, an object instance of the log process that the Android system itself provides;
the log-acquisition function of that log-process object instance is called to obtain all generated log records;
the log records are preprocessed;
the preprocessed log records are matched against a malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists.
In the method, preprocessing the log records comprises: regular-expression filtering or hash computation.
In the method, the way the preprocessed log records are matched against the malicious-code library comprises: string matching or hash similarity matching.
A malicious code detection system based on Android terminal logs comprises:
a main module, used by the main process to start the log-acquisition process;
a log-acquisition module, used by the log-acquisition process to obtain, through a runtime interface function, an object instance of the log process that the Android system itself provides, and to call the log-acquisition function of that object instance to obtain all generated log records;
a log detection module, used to preprocess the log records and to match the preprocessed log records against the malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists.
In the system, preprocessing the log records comprises: regular-expression filtering or hash computation.
In the system, the way the preprocessed log records are matched against the malicious-code library comprises: string matching or hash similarity matching.
The advantage of the present invention is that an object instance of the log process carried by the Android operating system is obtained through a runtime interface function, the log is obtained through the log-acquisition function of that object instance, the log is matched against a virus library to locate the malicious application, and a warning strategy is started.
The invention provides a malicious code detection method and system based on Android terminal logs, comprising: the main process starts a log-acquisition process; the log-acquisition process obtains, through a runtime interface function, an object instance of the log process that the Android system itself provides; the log-acquisition function of that object instance is called to obtain all generated log records; the log records are preprocessed; the preprocessed log records are matched against a malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists. The invention correspondingly provides a system. By using the additional information produced while a program runs as the inspection point, the invention solves the problem of the high reverse-engineering cost of static analysis and the high cost of dynamic detection.
Brief description of the drawings
In order to explain the technical solution of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the malicious code detection method based on Android terminal logs of the present invention;
Fig. 2 is a structural diagram of an embodiment of the malicious code detection system based on Android terminal logs of the present invention.
Embodiments
In order to help those skilled in the art better understand the technical solution in the embodiments of the present invention, and to make the above purpose, features and advantages of the present invention more apparent, the technical solution of the present invention is described in further detail below with reference to the drawings.
The present invention proposes a malicious code detection method and system based on Android terminal logs; by examining the Android system log it further improves detection capability and saves system resources.
A malicious code detection method based on Android terminal logs, as shown in Fig. 1, comprises:
S101: the main process starts a log-acquisition process;
S102: the log-acquisition process obtains, through the runtime interface function Runtime, an object instance of the log process logcat that the Android system itself provides; the logcat process is a system process used to obtain, in real time, the log information produced by the operating system and by applications;
S103: the log-acquisition function of that log-process object instance is called to obtain all generated log records;
S104: the log records are preprocessed;
S105: the preprocessed log records are matched against a malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists.
In the method, preprocessing the log records comprises: regular-expression filtering or hash computation.
In the method, the way the preprocessed log records are matched against the malicious-code library comprises: string matching or hash similarity matching.
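As an added illustration (not code from the patent or from its assignee), the following Python prototype walks the S103 to S105 pipeline over a constructed logcat excerpt: regular-expression filtering and hash computation as the preprocessing step, then string matching and hash-similarity matching against a small signature library. On a device, step S102 would obtain the logcat process through the Runtime interface (in Java, Runtime.getRuntime().exec("logcat -d")); here a constructed dump stands in for that output. The signature entries, the reading of "hash similarity" as a Jaccard score over hashed character shingles, and the 0.6 threshold are all assumptions of this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed logcat excerpt in "threadtime" layout, standing in for the output that
# step S103 reads from the Runtime-obtained logcat process. Not real device output.
SAMPLE_LOGCAT = """\
06-19 10:01:02.123  1234  1234 I ActivityManager: Start proc com.example.weather for activity
06-19 10:01:02.456  2345  2345 D SmsManager: sendTextMessage dest=1066xxxx body=ORDER
06-19 10:01:03.001  2345  2360 W System.err: java.io.FileNotFoundException: /data/local/tmp/x
06-19 10:01:03.500  2345  2345 I DexLoader: loading payload from /sdcard/.cache/upd.jar
06-19 10:01:04.000  3456  3456 V Chatty: uid=1000 system_server expire 3 lines
"""

# Threadtime line layout: date time pid tid level tag: message
LOG_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+):\s?(?P<msg>.*)$"
)


@dataclass(frozen=True)
class LogRecord:
    pid: int
    tag: str
    msg: str


def preprocess(raw: str) -> list[LogRecord]:
    """Step S104, regex branch: keep only well-formed lines, drop logcat's own chatter."""
    records = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if not m or m["tag"].strip() == "Chatty":  # "Chatty" lines are rate-limit notices
            continue
        records.append(LogRecord(int(m["pid"]), m["tag"].strip(), m["msg"].strip()))
    return records


def normalize(msg: str) -> str:
    """Mask digit runs so hashes stay stable across pids, ports and counters."""
    return re.sub(r"\d+", "#", msg).lower()


def shingle_hashes(msg: str, k: int = 4) -> frozenset[str]:
    """Step S104, hash branch: SHA-256 of every k-character shingle of the normalized message.
    Hashed shingles compared by Jaccard score is this example's reading of 'hash similarity'."""
    s = normalize(msg)
    if len(s) < k:
        s = s.ljust(k, "_")
    return frozenset(
        hashlib.sha256(s[i:i + k].encode()).hexdigest()[:16] for i in range(len(s) - k + 1)
    )


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


# Constructed "malicious code library" (hypothetical entries, not a real signature set):
# exact substrings for string matching, hashed shingle sets for hash-similarity matching.
STRING_SIGNATURES = {
    "sendTextMessage dest=1066": "premium-SMS sender",
}
HASH_SIGNATURES = {
    "dynamic payload loader": shingle_hashes("loading payload from /sdcard/.cache/update.jar"),
}


def match(records: list[LogRecord], threshold: float = 0.6) -> list[tuple[int, str, str, str]]:
    """Step S105: string matching first, then hash-similarity matching.
    Returns (pid, tag, signature label, matching method) for every hit."""
    hits = []
    for r in records:
        for needle, label in STRING_SIGNATURES.items():
            if needle in r.msg:
                hits.append((r.pid, r.tag, label, "string"))
        sh = shingle_hashes(r.msg)
        for label, sig in HASH_SIGNATURES.items():
            if jaccard(sh, sig) >= threshold:
                hits.append((r.pid, r.tag, label, "hash"))
    return hits


def detect(raw: str) -> dict:
    """Whole pipeline; the dict is what the log-acquisition process feeds back to the main process."""
    hits = match(preprocess(raw))
    return {"malicious": bool(hits), "hits": hits, "pids": sorted({h[0] for h in hits})}


if __name__ == "__main__":
    print(detect(SAMPLE_LOGCAT))
```

The hash branch is what lets the library entry for `update.jar` still flag the `upd.jar` variant in the sample, which an exact string signature would miss; the price is that the threshold has to be tuned against benign lines, so the pid list returned to the main process is the useful output for a warning strategy rather than the raw hit count.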
A malicious code detection system based on Android terminal logs, as shown in Fig. 2, comprises:
a main module 201, used by the main process to start the log-acquisition process;
a log-acquisition module 202, used by the log-acquisition process to obtain, through a runtime interface function, an object instance of the log process that the Android system itself provides, and to call the log-acquisition function of that object instance to obtain all generated log records;
a log detection module 203, used to preprocess the log records and to match the preprocessed log records against the malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists.
In the system, preprocessing the log records comprises: regular-expression filtering or hash computation.
In the system, the way the preprocessed log records are matched against the malicious-code library comprises: string matching or hash similarity matching.
The advantage of the present invention is that an object instance of the log process carried by the Android operating system is obtained through a runtime interface function, the log is obtained through the log-acquisition function of that object instance, the log is matched against a virus library to locate the malicious application, and a warning strategy is started.
The invention provides a malicious code detection method and system based on Android terminal logs, comprising: the main process starts a log-acquisition process; the log-acquisition process obtains, through a runtime interface function, an object instance of the log process that the Android system itself provides; the log-acquisition function of that object instance is called to obtain all generated log records; the log records are preprocessed; the preprocessed log records are matched against a malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists. The invention correspondingly provides a system. By using the additional information produced while a program runs as the inspection point, the invention solves the problem of the high reverse-engineering cost of static analysis and the high cost of dynamic detection.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and identical or similar parts can be found by referring between embodiments. In particular, the system embodiment is described fairly briefly because it is substantially similar to the method embodiment; for the relevant details see the corresponding part of the method embodiment.
Although the present invention has been described through embodiments, those of ordinary skill in the art know that the present invention has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover those variations and changes that do not depart from the spirit of the present invention.

Claims (6)

1. A malicious code detection method based on Android terminal logs, characterized in that it comprises:
the main process starts a log-acquisition process;
the log-acquisition process obtains, through a runtime interface function, an object instance of the log process that the Android system itself provides;
the log-acquisition function of that log-process object instance is called to obtain all generated log records;
the log records are preprocessed;
the preprocessed log records are matched against a malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists.
2. The method of claim 1, characterized in that preprocessing the log records comprises: regular-expression filtering or hash computation.
3. The method of claim 2, characterized in that the way the preprocessed log records are matched against the malicious-code library comprises: string matching or hash similarity matching.
4. A malicious code detection system based on Android terminal logs, characterized in that it comprises:
a main module, used by the main process to start the log-acquisition process;
a log-acquisition module, used by the log-acquisition process to obtain, through a runtime interface function, an object instance of the log process that the Android system itself provides, and to call the log-acquisition function of that object instance to obtain all generated log records;
a log detection module, used to preprocess the log records and to match the preprocessed log records against the malicious-code library; if the match succeeds, malicious behaviour exists and the result is fed back to the main process; otherwise no malicious behaviour exists.
5. The system of claim 4, characterized in that preprocessing the log records comprises: regular-expression filtering or hash computation.
6. The system of claim 5, characterized in that the way the preprocessed log records are matched against the malicious-code library comprises: string matching or hash similarity matching.

Priority Applications (1)

Application Number: CN201510343505.2A; Priority Date: 2015-06-19; Filing Date: 2015-06-19; Title: Malicious code detection method and system based on android terminal log; Status: Pending; Publication: CN105488412A (en)

Publications (1)

Publication Number: CN105488412A; Publication Date: 2016-04-13

Family

ID=55675386

Country Status (1)

CN (1): CN105488412A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105933186A (en) * 2016-06-30 2016-09-07 北京奇虎科技有限公司 Security detection method, device and system
CN113687973A (en) * 2021-08-30 2021-11-23 浪潮卓数大数据产业发展有限公司 Method, device and medium for controlling dynamic output of logs

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102479084A (en) * 2010-11-26 2012-05-30 腾讯科技(深圳)有限公司 Method and device for acquiring log by Android terminal
CN104021346A (en) * 2014-06-06 2014-09-03 东南大学 Method for detecting Android malicious software based on program flow chart
CN104598824A (en) * 2015-01-28 2015-05-06 国家计算机网络与信息安全管理中心 Method and device for detecting malicious programs

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160413