CN105760761A - Software behavior analyzing method and device - Google Patents


Info

Publication number
CN105760761A
Authority
CN
China
Prior art keywords
software
calling sequence
function calling
behavior
malicious act
Legal status
Pending
Application number
CN201610080493.3A
Other languages
Chinese (zh)
Inventor
王文治
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention provides a software behavior analysis method. The method comprises the following steps: the structure of a software file is analyzed statically; based on the structural analysis result of the software file, polling is used to capture the function call sequences corresponding to preset sensitive behaviors while the software application runs; the function call sequences corresponding to the preset sensitive behaviors are compared with the function call sequences corresponding to preset malicious behaviors to identify the malicious behavior of the software, where a malicious behavior comprises a combination of at least two specific sensitive behaviors; the security level of the malicious behavior is determined according to a preset security level list, and a security level warning is issued according to that level. Correspondingly, the invention provides a software behavior analysis device. The device can identify the malicious behavior of software efficiently and comprehensively, and classifies its security level accurately and finely.

Description

Software behavior analysis method and apparatus
Technical field
The present invention relates to the field of communication technology, and in particular to a software behavior analysis method and a software behavior analysis apparatus.
Background
In recent years, with the rapid development of mobile Internet technology and the popularization of smartphones, the mobile Internet and smartphones have brought great convenience to people's lives. Besides the traditional call and SMS functions of non-smart phones, smartphones also offer features such as Internet access and payment (SP billing and NFC). Because they are networked, smartphones are inevitably exposed to attack by malware.
Because Android OS holds more than half of the mobile operating system market, it is especially "favored" by malware developers. Since mobile security vendors captured the world's first Android virus in June 2010, tens of thousands of malware programs have been detected and removed. The security problems facing the Android system are therefore increasingly severe, and smartphones running Android face more serious security problems than traditional non-smart phones.
The malicious behavior of software typically manifests as connecting to the network, obtaining the system contact list, deleting SMS messages, and obtaining information such as geographic location. With the development of the mobile Internet the number of software categories keeps growing, and some software developers implant malicious code into software files to profit illegally. The malicious behavior of such software therefore needs to be analyzed quickly and efficiently.
In the prior art, the usual approach is to analyze the binary file, or to analyze signatures in the source code, in order to locate the malicious code region, then to perform static analysis on that region to find the software's malicious behavior and assign it a malice grade (danger level). However, this method is inefficient and its coverage is low.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the above drawbacks of the prior art, to provide a software behavior analysis method and a software behavior analysis apparatus that can identify the malicious behavior of software efficiently and comprehensively, and classify its security level accurately and finely.
The technical solution adopted by the present invention to solve this technical problem is as follows:
The present invention provides a software behavior analysis method comprising the following steps:
statically analyzing the structure of the software file;
based on the structural analysis result of the software file, capturing, by polling, the function call sequences corresponding to preset sensitive behaviors during the running of the software application;
comparing the function call sequences corresponding to the preset sensitive behaviors with the function call sequences corresponding to preset malicious behaviors to identify the malicious behavior of the software, where a malicious behavior comprises a combination of at least two specific sensitive behaviors; determining the security level of the software's malicious behavior according to a preset security level list; and issuing a security level warning according to that security level.
The present invention also provides a software behavior analysis apparatus comprising:
a static analysis module for statically analyzing the structure of the software file;
a dynamic analysis module for capturing, by polling and based on the structural analysis result of the software file, the function call sequences corresponding to preset sensitive behaviors during the running of the software application;
a behavior analysis module for comparing the function call sequences corresponding to the preset sensitive behaviors with the function call sequences corresponding to preset malicious behaviors to identify the malicious behavior of the software, where a malicious behavior comprises a combination of at least two specific sensitive behaviors, for determining the security level of the software's malicious behavior according to a preset security level list, and for issuing a security level warning according to that security level.
Beneficial effects:
By performing static analysis and dynamic analysis on the software file, the present invention obtains the function call sequences corresponding to preset sensitive behaviors during the running of the software application and then compares them with the function call sequences corresponding to preset malicious behaviors, thereby identifying the malicious behavior of the software. Compared with the prior-art approach of analyzing the binary file or analyzing signatures in the source code, the present invention can identify the malicious behavior of software quickly, efficiently and comprehensively, and can improve the accuracy of software behavior analysis.
In addition, the present invention classifies the security level (malice grade) of the software's malicious behavior through a security level warning mechanism, where a malicious behavior is not a single sensitive behavior but a combination of at least two specific sensitive behaviors, so the security level of the malicious behavior can be classified more accurately and finely.
Brief description of the drawings
Fig. 1 is a schematic flowchart of a software behavior analysis method provided by Embodiment 1 of the present invention;
Fig. 2 is a schematic flowchart of another software behavior analysis method provided by Embodiment 1 of the present invention;
Fig. 3 is a schematic structural diagram of a software behavior analysis apparatus provided by Embodiment 2 of the present invention;
Fig. 4 is a schematic structural diagram of the static analysis module provided by Embodiment 2 of the present invention;
Fig. 5 is a schematic structural diagram of the dynamic analysis module provided by Embodiment 2 of the present invention;
Fig. 6 is a schematic structural diagram of the behavior analysis module provided by Embodiment 2 of the present invention; and
Fig. 7 is a schematic structural diagram of another software behavior analysis apparatus provided by Embodiment 2 of the present invention.
Reference numerals in the figures: 100 static analysis module; 101 software file format analysis submodule; 102 function call sequence analysis submodule; 103 logic analysis submodule; 104 verification submodule; 200 dynamic analysis module; 201 dynamic library loading submodule; 202 capture submodule; 203 instruction trigger engine; 300 behavior analysis module; 301 database loading submodule; 302 malicious behavior analysis submodule; 303 security level warning submodule; 400 log generation module.
Detailed description of the invention
To enable those skilled in the art to better understand the technical solution of the present invention, the present invention is described in further detail below with reference to the drawings and embodiments.
Embodiment 1:
Fig. 1 is a schematic flowchart of a software behavior analysis method provided by Embodiment 1 of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step 101. Statically analyze the structure of the software file.
This step performs static analysis on the software file, that is, on the software's installation file: the installation file is decompressed, the sub-elements of its core file (the executable file) are analyzed, and the call relations between functions and the application logic and content of the software application are derived. The structure of the software file is thereby learned, and so is the sequence of system API functions it calls.
This step specifically includes:
Step 1011. Statically analyze the format of the software file.
For example, the Android system file format is APK. By inspecting the first few bytes of the file in hexadecimal it can be seen that an APK is in fact a ZIP package, so the DEX file can be extracted with a ZIP decompression tool. The DEX file is the executable program of the Android virtual machine and contains Dalvik bytecode that can be interpreted and executed by the Dalvik virtual machine (DVM). An APK may contain a META-INF directory (including the manifest.mf, cert.rsa and cert.sf files), a res directory (containing the pictures, music, text and other resources used by the developer, together with their configuration files), AndroidManifest.xml (the structure file), classes.dex (the code section that runs on the virtual machine), resources.arsc (the resource file), and so on.
Only once the format of the software file is known can the location of its source code files be learned; the software code can then be partitioned and analyzed to obtain the function call relations, which in turn makes static analysis of the software behavior possible. Analyzing the format of the software file is therefore the prerequisite for analyzing software behavior.
Step 1012. Based on the format analysis result of the software file, statically analyze the source code of the software file to obtain the sub-elements of the software application and the call relations between the sub-elements.
Macroscopically, a software file is composed of files such as the executable file, configuration files and resource files. Microscopically, the executable file is composed of sub-elements such as functions, objects and strings, and there are call relations between functions (obtained by analyzing the code). Only after the call relations between functions are analyzed can the software behavior be further analyzed statically.
Therefore, the sub-elements of the software application include functions, objects and strings, and the call relations between sub-elements include the call relations between functions.
Step 1013. Statically analyze the application logic and content of the software application.
Here, application logic refers to the execution order and call relations of the corresponding files in the application program, for example the execution order and call relations of the different JAVA files or EXE files in an application. Since different files call one another through interfaces, content refers to the call relation table and the interface call logic of the corresponding files in the application program.
In addition, if the software was downloaded from a website whose safety is unknown, whether the software is safe can be checked by verifying the legitimacy of its MD5 value.
MD5 (Message-Digest Algorithm 5) is used to ensure the integrity and consistency of transmitted information; it is an irreversible cryptographic algorithm and one of the most widely used hash algorithms in computing. A typical application of MD5 is to produce a message digest from a message in order to detect tampering. Specifically, MD5 treats the whole file as one large text message and, through its irreversible string mapping algorithm, produces a unique MD5 digest. MD5 can thus produce a unique "digital fingerprint" for any file, regardless of its size, format or number, and if anyone makes any change to the file, its MD5 value (its "digital fingerprint") changes. In other words, a piece of software corresponds to a unique MD5 value.
If the MD5 value obtained by MD5-checking the downloaded software is identical to the MD5 value provided by the software supplier, the downloaded software has not been tampered with and is safe; otherwise it is unsafe.
Therefore, step 101 also includes:
Step 1010. Verify the legitimacy of the software's MD5 value.
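The following added example (not the patent's code) implements the format analysis of step 1011 and the MD5 legitimacy check of step 1010 in Python: it identifies the ZIP package from its leading bytes, inventories the APK members named above, checks the DEX header magic, and compares the file's MD5 with the supplier-published value. The APK bytes and the supplier's MD5 are constructed inside the block; the member names assumed are the standard ones listed in step 1011.

```python
"""Static-analysis helpers for step 101 (added example, not the patent's code).

Assumptions (not from the patent): the APK is handled as an in-memory byte
string, the supplier's MD5 arrives as a hex string, and the expected members
are the standard APK entries named in step 1011.
"""
import hashlib
import hmac
import io
import zipfile

# Magic bytes: a ZIP archive (hence an APK) starts with "PK\x03\x04";
# a DEX file starts with "dex\n", a 3-digit version and a NUL byte.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"

# Members an APK is expected to carry (step 1011).
EXPECTED_MEMBERS = (
    "META-INF/MANIFEST.MF",
    "META-INF/CERT.SF",
    "META-INF/CERT.RSA",
    "AndroidManifest.xml",
    "classes.dex",
    "resources.arsc",
)


def is_zip_package(data: bytes) -> bool:
    """Step 1011: identify the format from the leading bytes of the file."""
    return data[: len(ZIP_MAGIC)] == ZIP_MAGIC


def inspect_apk(data: bytes) -> dict:
    """Return the format-analysis result: which expected members are present
    or missing, whether classes.dex carries the DEX magic, and the res/ tree."""
    if not is_zip_package(data):
        raise ValueError("not a ZIP/APK package")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        dex_ok = False
        if "classes.dex" in names:
            head = zf.read("classes.dex")[:8]
            dex_ok = head.startswith(DEX_MAGIC) and head.endswith(b"\x00")
    return {
        "present": sorted(n for n in EXPECTED_MEMBERS if n in names),
        "missing": sorted(n for n in EXPECTED_MEMBERS if n not in names),
        "dex_magic_ok": dex_ok,
        "resources": sorted(n for n in names if n.startswith("res/")),
    }


def file_md5(data: bytes) -> str:
    """Hex MD5 of the whole file, the 'digital fingerprint' of step 1010."""
    return hashlib.md5(data).hexdigest()


def md5_is_legitimate(data: bytes, supplier_md5_hex: str) -> bool:
    """Step 1010: compare the file's MD5 with the supplier-published value.
    hmac.compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(file_md5(data), supplier_md5_hex.strip().lower())


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed stand-in for an APK: a ZIP with the members of step 1011
    and a classes.dex that carries only a DEX header magic (no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # constructed stub
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("res/drawable/icon.png", b"\x89PNG")
        if tamper:  # an extra member changes the fingerprint
            zf.writestr("classes2.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    published = file_md5(apk)  # what the supplier would publish
    print(inspect_apk(apk))
    print("legitimate:", md5_is_legitimate(apk, published))
    print("tampered copy legitimate:",
          md5_is_legitimate(build_sample_apk(tamper=True), published))
```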
Step 102. Based on the structural analysis result of the software file, capture by polling the function call sequences corresponding to preset sensitive behaviors during the running of the software application.
This step is mainly based on the structural analysis result of the software file (specifically the call relations between functions) and on the application logic and content of the software application; using custom scripts and data, it captures the function call sequences corresponding to preset sensitive behaviors while the software application runs, thereby identifying the software's sensitive behaviors.
Here, a sensitive behavior is one that poses a possible or potential threat to the user. Sensitive behaviors can be set by those skilled in the art according to practical experience, for example: connecting to the network, sending SMS/MMS messages, blocking SMS/MMS messages, obtaining the phone number, obtaining the location, monitoring the phone state, and so on.
This step specifically includes:
Step 1021. Use automated script technology (for example, scripts together with the ADB tool) to install, open and close the software application.
Step 1022. Load a custom dynamic library that includes the function call sequences corresponding to the preset sensitive behaviors.
Step 1023. Traverse the execution logic of the software application in the process pool (because some behaviors need to be triggered by, or called from, other functions in order to occur), and capture the function call sequences that match the custom dynamic library while the software application runs, thereby capturing the function call sequences corresponding to the preset sensitive behaviors.
Here, execution logic refers to the execution conditions and content of a file or function. For example, files A and B jointly implement a certain function, but some behavior between A and B can only be triggered by a user action: when the user clicks in the software to view the system contact list (file A), file B is triggered and automatically uploads the phone-book data to a background server. Or, functions A and B can implement a certain function, and function B can implement another function, but a certain interface must be called to associate functions A and B. This is execution logic.
Step 103. Compare the function call sequences corresponding to the preset sensitive behaviors with the function call sequences corresponding to preset malicious behaviors to identify the malicious behavior of the software, where a malicious behavior comprises a combination of at least two specific sensitive behaviors; determine the security level of the software's malicious behavior according to the preset security level list; and issue a security level warning according to that security level.
This step specifically includes:
Step 1031. Load a custom database that includes the function call sequences corresponding to the preset malicious behaviors.
Step 1032. Compare the captured function call sequences that match the custom dynamic library with the function call sequences that match the custom database; in other words, compare the captured function call sequences corresponding to the preset sensitive behaviors with the function call sequences corresponding to the preset malicious behaviors, thereby identifying the malicious behavior of the software.
Here, a malicious behavior is one that poses a definite threat to the user. Malicious behaviors can be set by those skilled in the art from the execution logic of the software application obtained during the dynamic analysis of the software, combined with practical experience; specifically, a malicious behavior list can be derived by massive, comprehensive and accurate analysis of a large number of known samples collected by crawlers. In the present invention, a malicious behavior is defined as a combination of at least two specific sensitive behaviors. "At least two specific sensitive behaviors" means that when these sensitive behaviors occur at the same time they pose a definite threat to the user and lead to the adverse consequence of damaging the user's interests. Since there are many kinds of preset sensitive behaviors, not every combination of two or more of them yields a malicious behavior. For example, suppose the captured sensitive behaviors include A, B, C and D: A and B occurring together pose a threat to the user, and C and D occurring together also pose a threat, but A and C, A and D, B and C, or B and D occurring together pose no threat. A and B, and C and D, are therefore the "specific" sensitive behaviors: the combination of A and B constitutes one malicious behavior and the combination of C and D constitutes another.
Step 1033. Pre-establish a security level list that includes the mapping between software malicious behaviors and security levels; the security level of the software's malicious behavior can then be determined from the preset security level list, and a security level warning is issued according to that level.
Table 1 is an example of a security level list.
Table 1
Note that among the multiple behaviors corresponding to security level 1 in Table 1, a combination of at least two of those behaviors constitutes a malicious behavior.
Fig. 2 is a schematic flowchart of another software behavior analysis method provided by Embodiment 1 of the present invention. Compared with the method of Fig. 1, the method of Fig. 2 further comprises the following step:
Step 204. Generate a software behavior analysis report in XML format, and record the system running log and the loading log.
The software behavior analysis report includes the identified malicious behaviors of the software and their security levels.
As shown in Figs. 1 and 2, steps 201 to 203 are identical to steps 101 to 103 respectively and are not repeated here.
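The following added Python example (not the patent's code) carries steps 1022 to 1033 and step 204 through on constructed data: a sensitive-behavior "dynamic library" keyed by call sequence, a malicious-behavior database whose entries are combinations of at least two specific sensitive behaviors, a security level list, a polled call trace, and the XML report. Every function name, behavior name and level in it is a constructed stand-in, not a value from the patent.

```python
"""Dynamic capture, behavior analysis and XML report for steps 102, 103 and
204 (added example, not the patent's code). All data below is constructed."""
from typing import Dict, FrozenSet, List, Sequence, Tuple
import xml.etree.ElementTree as ET

# Step 1022: custom "dynamic library": each preset sensitive behavior is
# described by the function call sequence that realizes it (constructed).
SENSITIVE_LIBRARY: Dict[str, Tuple[str, ...]] = {
    "read_contacts": ("ContentResolver.query", "Cursor.getString"),
    "network":       ("URL.openConnection", "OutputStream.write"),
    "get_phone_num": ("TelephonyManager.getLine1Number",),
    "send_sms":      ("SmsManager.sendTextMessage",),
    "block_sms":     ("BroadcastReceiver.abortBroadcast",),
    "get_location":  ("LocationManager.getLastKnownLocation",),
}

# Step 1031: custom database: a malicious behavior is a combination of at
# least two *specific* sensitive behaviors (the A+B / C+D rule of step 1032).
MALICIOUS_DB: Dict[str, FrozenSet[str]] = {
    "contact_exfiltration": frozenset({"read_contacts", "network"}),
    "premium_sms_fraud":    frozenset({"send_sms", "block_sms"}),
    "location_tracking":    frozenset({"get_location", "network"}),
}

# Step 1033: preset security level list (1 = most severe), constructed.
SECURITY_LEVELS: Dict[str, int] = {
    "premium_sms_fraud": 1,
    "contact_exfiltration": 2,
    "location_tracking": 3,
}


def _contains_in_order(trace: Sequence[str], seq: Sequence[str]) -> bool:
    """True if seq occurs in trace in order; unrelated calls may interleave."""
    it = iter(trace)
    return all(any(call == wanted for call in it) for wanted in seq)


def capture_sensitive(trace: Sequence[str]) -> List[str]:
    """Step 1023: match the polled call trace against the dynamic library."""
    return sorted(name for name, seq in SENSITIVE_LIBRARY.items()
                  if _contains_in_order(trace, seq))


def identify_malicious(sensitive: Sequence[str]) -> List[str]:
    """Step 1032: flag a malicious behavior only when every one of its
    specific sensitive behaviors was captured; one of them alone is not enough."""
    found = set(sensitive)
    return sorted(name for name, parts in MALICIOUS_DB.items() if parts <= found)


def security_level(malicious: Sequence[str]) -> int:
    """Step 1033: the warning level is the most severe hit (lowest number);
    0 means no malicious behavior was identified."""
    levels = [SECURITY_LEVELS[m] for m in malicious if m in SECURITY_LEVELS]
    return min(levels) if levels else 0


def analyze(trace: Sequence[str]) -> dict:
    """Run the behavior analysis module over one captured trace."""
    sensitive = capture_sensitive(trace)
    malicious = identify_malicious(sensitive)
    return {"sensitive": sensitive, "malicious": malicious,
            "level": security_level(malicious)}


def xml_report(result: dict) -> str:
    """Step 204: software behavior analysis report in XML format."""
    root = ET.Element("report", level=str(result["level"]))
    for m in result["malicious"]:
        ET.SubElement(root, "malicious", name=m, level=str(SECURITY_LEVELS[m]))
    for s in result["sensitive"]:
        ET.SubElement(root, "sensitive", name=s)
    return ET.tostring(root, encoding="unicode")


# Constructed call trace as the capture submodule might poll it: contacts
# are read and then uploaded (A+B), and an SMS is sent, but no SMS is blocked,
# so send_sms on its own must NOT raise the premium_sms_fraud behavior.
SAMPLE_TRACE = [
    "Activity.onCreate", "ContentResolver.query", "Cursor.getString",
    "SmsManager.sendTextMessage", "URL.openConnection",
    "OutputStream.write", "Activity.onPause",
]

if __name__ == "__main__":
    print(xml_report(analyze(SAMPLE_TRACE)))
```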
In this embodiment, static analysis and dynamic analysis are performed on the software file to obtain the function call sequences corresponding to preset sensitive behaviors during the running of the software application, which are then compared with the function call sequences corresponding to preset malicious behaviors to identify the malicious behavior of the software. Compared with the prior art, the malicious behavior of software can be identified quickly, efficiently and comprehensively, and the accuracy of software behavior analysis is improved. In addition, this embodiment classifies the security level (malice grade) of the software's malicious behavior through the security level warning mechanism, where a malicious behavior is not a single sensitive behavior but a combination of at least two specific sensitive behaviors, so the security level of the malicious behavior can be classified more accurately and finely.
Embodiment 2:
The structural representation of a kind of software action analytical equipment that Fig. 3 provides for the embodiment of the present invention 2.As it is shown on figure 3, described device includes: static analysis module 100, dynamic analysis module 200 and behavior analysis module 300.
Static analysis module 100 is for the structure of static analysis software document.Mainly software document is carried out static analysis, in fact analyze the installation file of software exactly, by decompressing, file is installed, analyze the daughter element of its core document (executable file), draw the call relation between function, the application logic of software application and content, thus learning the structure of software document, also just know the api function sequence of calling system.
As shown in Figure 4, static analysis module 100 specifically includes: software document format analysis submodule 101, function calling sequence analyze submodule 102 and logical analysis submodule 103.
Software document format analysis submodule 101 is for the form of static analysis software document.
Only get the form of software document, just can learn the position of its source code file, by software code partition is analyzed obtaining function calling relationship, and then be capable of the static analysis to software action, therefore, the form analyzing software document is the premise analyzing software action.
Function calling sequence is analyzed submodule 102, for the format analysis result based on software document, the source code of software document is carried out static analysis, draws the daughter element of software application and the call relation between daughter element.
Wherein, the daughter element of described software application includes function, object and character string, and the call relation between described daughter element includes the call relation between function.Only analyze the call relation between function and function, further software action could be carried out static analysis.
Logical analysis submodule 103 is used for application logic and the content of static analysis software application.
Wherein, application logic refers to execution sequence and the call relation of corresponding document in application program, in a such as application program different JAVA files or the execution sequence of EXE file and call relation.Owing to having interface mutually to call between different files, therefore content refers to call relation table and the interface interchange logic of corresponding document in application program.
If additionally, software is to download from the website that safety is unknown, it is possible to by verifying that the mode of its MD5 value legitimacy verifies this software whether safety.Specifically, if the MD5 value software downloaded being carried out MD5 verification and obtaining is identical with the MD5 value that this software supplier provides, then illustrates that the software downloaded is not tampered with, be safe, be otherwise unsafe.
Therefore, static analysis module 100 may also include that
Checking submodule 104, for verifying the legitimacy of software MD5 value.
Dynamic analysis module 200 catches, for adopting the mode of poll based on the results of structural analysis of software document, the function calling sequence that software application is corresponding with presetting sensitive behavior in running.
Dynamic analysis module 200 is mainly based upon the results of structural analysis (specifically the call relation between function) of software document, and the application logic of software application and content, by self-defining script and data, the running of software application is caught the function calling sequence corresponding with default sensitive behavior, thus identifying the sensitive behavior of software.
Wherein, sensitive behavior refers to for a user, has possible or potential threat behavior.Sensitive behavior can be set according to practical experience by those skilled in the art, for instance, network, send note/multimedia message, shielding note/multimedia message, acquisition cell-phone number, obtain position, monitoring mobile phone state etc..
As it is shown in figure 5, dynamically analysis module 200 specifically includes: dynamic base loads submodule 201, catches submodule 202 and instruction triggers engine 203.
Dynamic base loads submodule 201 and is used for loading self-defined dynamic base, including the function calling sequence corresponding with default sensitive behavior.
Catch submodule 202 for traveling through the execution logic (because other functions of behavior needs having trigger or call and produce) of software application in process pool, and catch software application in running, meet the function calling sequence of self-defined dynamic base, thus catch the function calling sequence corresponding with default sensitive behavior.
Wherein, perform logic and refer to execution condition and the content of file or function.Such as, for file A and B, file A and B realizes a certain function jointly, but some behavior needing user between file A and B could trigger, such as user is clicked by software and checks system communication record A file, so B file will be triggered, then automatically uploading system phonebook data to background server;Or, some function is capable of for function A and function B, function A, function B is capable of another function, however it is necessary that calling certain interface could associate function A and B, here it is perform logic.
Instruction triggers engine 203 is used for using automatized script technology (such as, can pass through script and ADB instrument realizes) to complete the installation of software application, open and close operation.
Behavior analysis module 300 is for contrasting the function calling sequence corresponding with default sensitive behavior and the function calling sequence corresponding with default malicious act, identify the malicious act of software, described malicious act includes the combination of at least two certain sensitive behavior, determine the safe class of software malicious act according to default safe class list, and issue safe class early warning according to described safe class.
As shown in Figure 6, behavior analysis module 300 specifically includes: data base loads submodule 301, malicious act analyzes submodule 302 and safe class early warning submodule 303.
Data base loads submodule 301 for loading self-defining data storehouse, including the function calling sequence corresponding with default malicious act.
Malicious act analyzes submodule 302 for the function calling sequence meeting self-defined dynamic base captured and the function calling sequence meeting self-defining data storehouse being contrasted, in other words, the function calling sequence corresponding with default sensitive behavior captured and the function calling sequence corresponding with default malicious act are contrasted, thus identifying the malicious act of software.
Wherein, malicious act refers to for a user, has the behavior of certain menace.Malicious act can by those skilled in the art's execution logic according to the software application carrying out obtaining in dynamic analysis process to software and set in conjunction with practical experience, specifically, those skilled in the art known a large amount of reptile samples can be carried out magnanimity, comprehensively, analyze accurately and draw malicious act list.In the present invention, malicious act is set as the combination of at least two certain sensitive behavior.Here, " at least two certain sensitive behavior " refers to can bring certain threat to user when this at least two sensitivity behavior occurs simultaneously, and then causes the adverse consequences damaging user benefit.
Safe class early warning submodule 303 is used for pre-establishing safe class list, mapping relations including software malicious act Yu safe class, can determine that the safe class of software malicious act according to default safe class list, then issue safe class early warning according to described safe class.
Fig. 7 is a structural schematic diagram of another software behavior analysis device provided by Embodiment 2 of the present invention. Compared with the software behavior analysis device shown in Fig. 3, the device shown in Fig. 7 further includes:
A log generation module 400, used to generate a software behavior analysis report in XML format and to record the system running log and the loading log.
Here, the software behavior analysis report includes the identified software malicious behaviors and their safe classes.
In the present embodiment, the static analysis module 100, the dynamic analysis module 200, the behavior analysis module and the (optional) log generation module 400 together constitute a software behavior analysis device. By performing static analysis and dynamic analysis on the software file, the device obtains the function call sequences corresponding to the preset sensitive behaviors during the running of the software application, and then compares them with the function call sequences corresponding to the preset malicious behaviors, thereby identifying the malicious behaviors of the software. Compared with the prior art, it can identify the malicious behaviors of software quickly, efficiently and comprehensively, and can improve the accuracy of software behavior analysis. In addition, the present embodiment also divides software malicious behaviors into safe classes (malice grades) through the safe class early warning module; since a software malicious behavior is not a single sensitive behavior but a combination of at least two specific sensitive behaviors, the safe classes of software malicious behaviors can be divided more accurately and finely.
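The behavior analysis stage described above (compare captured sequences with the malicious-behavior database, require at least two sensitive behaviors per malicious behavior, look up the safe class, write an XML report) can be illustrated with the following constructed example. It is added here and is not the applicant's code: the call trace, the "custom dynamic library", the "custom database" and the safe class list are hypothetical stand-ins, and the matching rule (a library sequence matches when its calls appear in order in the captured trace, possibly interleaved with other calls) is an assumption the patent does not spell out.

```python
"""Behavior analysis stage (compare -> identify -> grade -> XML report), constructed example.

The captured trace, the library, the database and the safe class list below are all
hypothetical stand-ins for the patent's custom dynamic library, custom database and
preset safe class list; they are not the applicant's data or code.
"""
import xml.etree.ElementTree as ET

# Hypothetical custom dynamic library: sensitive behavior -> ordered function call sequence.
SENSITIVE_LIBRARY = {
    "read_contacts": ["openContentProvider", "queryContacts"],
    "read_location": ["getLastKnownLocation"],
    "send_sms": ["getSmsManager", "sendTextMessage"],
    "net_upload": ["openConnection", "getOutputStream", "write"],
}

# Hypothetical custom database: malicious behavior -> combination of at least two
# sensitive behaviors (the patent's definition of a malicious behavior).
MALICIOUS_DB = {
    "contact_leak": {"read_contacts", "net_upload"},
    "location_leak": {"read_location", "net_upload"},
    "premium_sms": {"send_sms", "read_contacts"},
}

# Hypothetical preset safe class list: malicious behavior -> safe class (3 = most severe).
SAFE_CLASS_LIST = {"contact_leak": 3, "location_leak": 2, "premium_sms": 3}
CLASS_LABEL = {0: "none", 1: "low", 2: "medium", 3: "high"}


def contains_sequence(trace, seq):
    """True if seq appears in trace in order (its calls may be interleaved with others).

    Assumption: library sequences are matched as ordered subsequences of the captured
    trace, not as contiguous runs.
    """
    if not seq:
        return False
    pos = 0
    for call in trace:
        if call == seq[pos]:
            pos += 1
            if pos == len(seq):
                return True
    return False


def match_sensitive(trace, library=SENSITIVE_LIBRARY):
    """Sensitive behaviors whose call sequence was captured in the trace."""
    return {name for name, seq in library.items() if contains_sequence(trace, seq)}


def identify_malicious(sensitive_found, db=MALICIOUS_DB):
    """Report a malicious behavior only when all of its (>= 2) sensitive behaviors occurred."""
    return sorted(name for name, parts in db.items()
                  if len(parts) >= 2 and parts <= sensitive_found)


def overall_class(malicious, class_list=SAFE_CLASS_LIST):
    """Safe class of the sample: the most severe class among the identified behaviors."""
    return max((class_list[m] for m in malicious), default=0)


def analyse(trace):
    """Run the three behavior-analysis steps over one captured trace."""
    sensitive = match_sensitive(trace)
    malicious = identify_malicious(sensitive)
    return {"sensitive": sorted(sensitive), "malicious": malicious,
            "safe_class": overall_class(malicious)}


def xml_report(app_name, result):
    """XML analysis report listing identified malicious behaviors and their safe classes."""
    root = ET.Element("report", app=app_name,
                      safe_class=CLASS_LABEL[result["safe_class"]])
    for name in result["malicious"]:
        node = ET.SubElement(root, "malicious_behavior", name=name,
                             safe_class=CLASS_LABEL[SAFE_CLASS_LIST[name]])
        for part in sorted(MALICIOUS_DB[name]):
            ET.SubElement(node, "sensitive_behavior", name=part)
    return ET.tostring(root, encoding="unicode")


# Constructed call trace, standing in for what the capture submodule would record.
SAMPLE_TRACE = ["onCreate", "openContentProvider", "queryContacts", "openConnection",
                "getOutputStream", "write", "getLastKnownLocation", "onPause"]

if __name__ == "__main__":
    res = analyse(SAMPLE_TRACE)
    print(res)
    print(xml_report("sample.apk", res))
```

On the constructed trace, `read_contacts`, `net_upload` and `read_location` are matched, so both `contact_leak` and `location_leak` fire and the sample receives the higher of their two classes; a trace containing only the location call matches one sensitive behavior and therefore no malicious behavior, which is exactly the point of requiring a combination of at least two. Whether the constituent sensitive behaviors must also occur in a particular order relative to each other is left open by the text, so this example deliberately ignores their mutual order.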
It can be understood that the related features and effects of the above method and device can be referred to each other, so the related content is not repeated in Embodiment 2. Moreover, the numbering of the above embodiments (i.e. Embodiment 1 and Embodiment 2) only serves to distinguish the embodiments and does not indicate their relative merits.
In addition, those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are merely exemplary embodiments adopted to illustrate the principle of the present invention, and the invention is not limited thereto. Those skilled in the art can make various modifications and improvements without departing from the spirit and substance of the present invention, and these modifications and improvements are also considered to fall within the protection scope of the present invention.

Claims (10)

1. A software behavior analysis method, characterised in that it comprises the following steps:
statically analyzing the structure of a software file;
based on the structural analysis result of the software file, capturing, by polling, the function call sequences corresponding to preset sensitive behaviors during the running of the software application;
comparing the function call sequences corresponding to the preset sensitive behaviors with the function call sequences corresponding to preset malicious behaviors to identify the malicious behaviors of the software, wherein a malicious behavior comprises a combination of at least two specific sensitive behaviors; determining the safe class of the software malicious behavior according to a preset safe class list; and issuing a safe class early warning according to said safe class.
2. The method according to claim 1, characterised in that statically analyzing the structure of the software file specifically comprises:
statically analyzing the format of the software file;
based on the format analysis result of the software file, statically analyzing the source code of the software file to obtain the sub-elements of the software application and the call relations between the sub-elements;
statically analyzing the application logic and content of the software application.
3. The method according to claim 2, characterised in that the sub-elements of the software application include functions, objects and character strings, and the call relations between the sub-elements include the call relations between functions.
4. The method according to claim 1, characterised in that the step of capturing, by polling, the function call sequences corresponding to preset sensitive behaviors during the running of the software application specifically comprises:
loading a custom dynamic library containing the function call sequences corresponding to the preset sensitive behaviors;
traversing the execution logic of the software application in a process pool, and capturing the function call sequences that match the custom dynamic library during the running of the software application.
5. The method according to claim 4, characterised in that it further comprises: using automated script technology to complete the installation, opening and closing operations of the software application.
6. A software behavior analysis device, characterised in that the device comprises:
a static analysis module, for statically analyzing the structure of a software file;
a dynamic analysis module, for capturing, by polling and based on the structural analysis result of the software file, the function call sequences corresponding to preset sensitive behaviors during the running of the software application;
a behavior analysis module, for comparing the function call sequences corresponding to the preset sensitive behaviors with the function call sequences corresponding to preset malicious behaviors to identify the malicious behaviors of the software, wherein a malicious behavior comprises a combination of at least two specific sensitive behaviors, determining the safe class of the software malicious behavior according to a preset safe class list, and issuing a safe class early warning according to said safe class.
7. The device according to claim 6, characterised in that the static analysis module specifically comprises:
a software file format analysis submodule, for statically analyzing the format of the software file;
a function call sequence analysis submodule, for statically analyzing the source code of the software file based on the format analysis result of the software file, to obtain the sub-elements of the software application and the call relations between the sub-elements;
a logic analysis submodule, for statically analyzing the application logic and content of the software application.
8. The device according to claim 7, characterised in that the sub-elements of the software application obtained by the function call sequence analysis submodule include functions, objects and character strings, and the call relations between the sub-elements obtained by that analysis include the call relations between functions.
9. The device according to claim 6, characterised in that the dynamic analysis module specifically comprises:
a dynamic library loading submodule, for loading a custom dynamic library containing the function call sequences corresponding to the preset sensitive behaviors;
a capture submodule, for traversing the execution logic of the software application in a process pool and capturing the function call sequences that match the custom dynamic library during the running of the software application.
10. The device according to claim 9, characterised in that the dynamic analysis module further comprises:
an instruction trigger engine, for using automated script technology to complete the installation, opening and closing operations of the software application.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610080493.3A CN105760761A (en) 2016-02-04 2016-02-04 Software behavior analyzing method and device


Publications (1)

Publication Number Publication Date
CN105760761A true CN105760761A (en) 2016-07-13

Family

ID=56330620

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107577946A (en) * 2017-10-17 2018-01-12 江苏通付盾信息安全技术有限公司 Analysis method, device, system and the PC equipment of iOS application programs
CN109214178A (en) * 2017-06-30 2019-01-15 中国电信股份有限公司 APP application malicious act detection method and device
CN109472143A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 It is a kind of to the method and system extorting software and being automatically analyzed
CN109558730A (en) * 2018-12-29 2019-04-02 360企业安全技术(珠海)有限公司 A kind of safety protecting method and device of browser
CN109800569A (en) * 2018-12-29 2019-05-24 360企业安全技术(珠海)有限公司 Program identification method and device
CN117155612A (en) * 2023-08-09 2023-12-01 华能信息技术有限公司 Malicious behavior analysis method for network file content

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183414A (en) * 2007-12-07 2008-05-21 白杰 Program detection method, device and program analyzing method
CN103377341A (en) * 2012-04-28 2013-10-30 北京网秦天下科技有限公司 Method and system for security detection
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and static analysis device for Android application program
CN103839005A (en) * 2013-11-22 2014-06-04 北京智谷睿拓技术服务有限公司 Malware detection method and malware detection system of mobile operating system
CN104636661A (en) * 2013-11-06 2015-05-20 中国银联股份有限公司 Method and system for analyzing Android application program
CN105160251A (en) * 2015-07-06 2015-12-16 国家计算机网络与信息安全管理中心 Analysis method and device of APK (Android Packet) application software behavior

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160713