CN105893848A - Precaution method for Android malicious application program based on code behavior similarity matching - Google Patents
Publication number: CN105893848A (application CN201610273206.0A)
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications: G06F21/563 (static detection by source code analysis); G06F21/566 (dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities)
Abstract
The invention discloses a precaution method for Android malicious application programs based on code behavior similarity matching. The method comprises the following steps: establishing an application information knowledge base; detecting repackaged malicious programs by having a difference verification module compare the characteristics of the same-named program in the application information knowledge base; performing high-coverage analysis of the application code with a static analysis module and extracting the permissions related to privacy information and the API call information; simulating the program's execution in a sandbox with a dynamic analysis module, detecting system calls and the LKM parameters involved in those calls, and tracking and recording the application's concrete behavior; constructing multi-dimensional feature vectors from the log information with a clustering judgment module, performing similarity matching against the feature vector of each malicious application family, and judging the attribution of the application. The method adopts a light-client, heavy-server system design: the client is responsible for lightweight information extraction and the server for the heavy data analysis, so the method adapts well to the reality that intelligent terminals are short of resources such as battery, computation and storage.
Description
Technical field
The present invention relates to the field of computer malware detection or handling, and specifically to an Android malicious application prevention method based on code behavior similarity matching.
Background technology
Android is an open-source operating system based on Linux and developed by Google, used mainly for mobile devices. An Android application program is a set of command sequences written in a computer language and developed to run on the Android system in order to accomplish one or more specific tasks; it is the tool through which an intelligent terminal interacts with the user and fulfils the user's requests. Android application programs belong to the application layer of the Android system's general framework. Besides the basic applications built into the system (desktop, mail, phone, SMS and so on), what users most commonly use and interact with are third-party applications written in the Java language and native code, which add new functions to the device and extend and optimize it. Because it is powerful and convenient to open up, the Android mobile operating system became the smartphone operating system with the largest global share within a few years.
With the rapid development of mobile Internet technology, intelligent terminals store the most important user information, and the Android system, which holds the overwhelming majority of market share, has naturally become the preferred target of malicious attacks. Most malicious attacks are carried out through Android malicious application programs, in two main situations. In one, the Android application program is itself written by a malicious developer in order to carry out malicious acts, i.e. it is a virus program. In the other, the Android application program has defects in its design that an attacker can exploit in order to carry out malicious acts against the Android terminal.
The threat to the information security of Android terminals is real and urgent. According to the latest investigation report published by the German network security firm G DATA, the number of Android malware samples in 2015 reached 2,333,777, meaning that a new Android malware sample appeared almost every 11 seconds; this figure is a 50% increase over 2014. In the fourth quarter of 2015 alone, the number of newly emerging Android malware samples reached 758,133, a 32% increase year-on-year over the fourth quarter of 2014. These malware samples can steal user information, automatically carry out SMS and phone behavior, undermine system security and cause users to lose economic assets. The many third-party application stores of the Android ecosystem mean that users do not need a unified official application source, but this has also accelerated the spread of malware.
Traditional Android malicious application precaution strategies detect malicious applications mainly through static analysis technology or dynamic analysis technology. Static analysis typically uses reverse-engineering techniques to decompile the application program, obtain Java source code or a bytecode intermediate form, analyze the logic of the code, find the permissions and API calls related to privacy information and malicious operations, and from these judge the nature of the application program. Static analysis can grasp all the method-call paths of the code, but it easily produces a large number of false-positive reports, and reverse engineering has difficulty obtaining the required analysis results when faced with obfuscated programs. Dynamic analysis technology generally does not inspect source code; instead it executes the application program in a controlled simulator environment (sandbox). By monitoring and recording each relevant operation during execution (such as sending SMS, reading data from storage, connecting to a remote server and so on), an analysis report is generated automatically. Dynamic analysis can get around problems such as code obfuscation and encryption that static methods run into, but its code analysis coverage is low, the triggering of some events is often random, and some malicious programs can prevent themselves from running under a simulator. As the above analysis shows, relying on a static method or a dynamic method alone has significant limitations.
Domestic granted patent CN103136471B concerns the detection of malicious Android application programs. Its principle is to divide the behavior in the application program into several categories, such as going online, SMS, accessing multimedia and so on, then to randomly trigger the buttons present on the active component through a hardware simulator, identify the button corresponding to the current operation, establish the association between each button and program behavior, and obtain the operation behavior the program will carry out after the button is triggered. Next, the API sequence at the bottom of the hardware simulator is captured and compared with the operations the program is about to perform, in order to judge the program's nature. This method is simple and efficient, but has significant limitations. A large number of service components in Android application programs have no interactive interface and few or no buttons, yet they can equally perform various malicious operations, so this scheme causes a large number of missed detections. Even when detecting programs that do have button interaction, the random trigger sequence of the simulator is inherently uncertain, so the detection accuracy and the scope of application are further restricted.
The patent with application number CN201510328402.9, entitled "Automated detection method for API misuse class vulnerabilities in Android application software", was filed by Fuzhou University in 2015. It proposes an automated detection method for API misuse class vulnerabilities in Android application software, detects the API misuse vulnerabilities present, and in essence identifies malicious programs that exhibit API misuse. The method detects API misuse vulnerabilities by combining dynamic and static analysis: the static analysis models the Android application software according to its features and constructs a whole-process control flow graph, then performs API misuse reachability analysis by combining program structure traversal with constant propagation analysis to screen out candidate suspicious vulnerabilities; the dynamic analysis then uses different modules designed for different types of vulnerability to trigger the candidate suspicious vulnerabilities obtained by the static analysis, records the behavior of those candidates, and finally gives a vulnerability security evaluation of the application. However, the static analysis in this method only analyzes API calls and cannot fully judge the purpose of those calls, so it easily produces a large number of false-positive reports, and it is also infeasible for the large number of code-obfuscated programs encountered in practice. The dynamic analysis in the method is used only to check the suspicious points found by the static analysis, so its code analysis coverage is low, the triggering of some events is often random, and detection accuracy and practicality are reduced.
The meanings of the abbreviations used in this specification are as follows:
API: Application Programming Interface. A set of predefined functions whose purpose is to give application programs and developers the ability to access a group of routines based on certain software or hardware without having to access the source code or understand the details of the internal working mechanism.
IPC: Inter-Process Communication. The transfer of information between two processes that have a communication dependency.
LKM: Loadable Kernel Module. A kernel module that the Linux kernel can dynamically load at run time in order to extend its functionality.
URL: Uniform Resource Locator. A concise representation of the location and access method of a resource obtainable from the Internet; it is the address of a standard resource on the Internet.
ARM: Advanced RISC Machines, a processor. The ARM processor is the first RISC microprocessor designed by Acorn Computers Ltd. for the low-budget market.
ISA: Instruction Set Architecture, the instruction set architecture of a microprocessor. It is the set of all instructions the processor can execute.
LR: Link Register. A register with a specific purpose in ARM processors.
Summary of the invention
In view of the problems faced by Android system safety precaution and malicious application detection described above, the present invention provides an Android malicious application prevention method based on code behavior similarity matching, which combines static analysis technology with coverage at the code level and dynamic analysis technology that precisely detects application behavior into one Android malicious application prevention method.
An Android malicious application prevention method based on code behavior similarity matching comprises the following steps:
1) constructing an application information knowledge base from the data submitted by the intelligent terminals of numerous users, as collected by the analysis tool server;
2) when a request from a user to detect an application program on the user's intelligent terminal is received, having the difference verification module compare the program's features with those of the same-named program in the application information knowledge base and quickly detect repackaged malicious programs;
3) having the static analysis module use static analysis technology to perform high-coverage analysis of the application code and extract the permissions related to privacy information and the API call information;
4) having the dynamic analysis module use dynamic analysis technology to simulate the program's execution in a sandbox, detect system calls and the LKM parameters involved in those calls, and track and record the application's concrete behavior;
5) having the clustering judgment module use the log information generated by the dynamic and static analysis to build multi-dimensional feature vectors, perform similarity matching against the feature vector of each malicious application family, and judge the nature of the application.
When the difference verification module verifies the application program's installation file information, if what the user uploads is the URL address of the application program's installation file, a web crawler tool is started to download the apk file; if what the user uploads is an apk file, the difference verification module makes its judgment using the application program's unique package name, signature, permissions and version number.
In the static analysis module, the program is decompiled. If decompilation succeeds, the source code or bytecode intermediate form is obtained, the permissions related to privacy information and the API call information are extracted, data-flow analysis is performed and an analysis log is obtained; if decompilation fails, the process goes directly to the dynamic analysis module.
In the dynamic analysis module, application behavior analysis is carried out and an analysis log is generated: the program is run in simulation on an Android simulator, the program's system call information is traced, and the records generate log information.
In the clustering judgment module, the log information of the static and dynamic analysis processes is collected, multi-attribute feature vectors are generated, and a clustering method is used to perform a similarity matching check on the feature vectors to obtain an analysis result and make the malware judgment with reference to the malicious application feature vector knowledge base: if the similarity between the feature vector and the reference vector of a malware family is within the threshold, the application is judged to be malware of that family, and the reference vector must be corrected by weighted feedback of the feature vector.
The above log information includes API call information, system call logs and LKM parameters.
Preferably, the above clustering method is K-means.
Beneficial effect:
1. The invention provides an Android malicious application prevention method based on code behavior similarity matching that has the advantages of traditional static analysis and dynamic analysis technology while complementing their respective deficiencies. It both ensures high coverage of the code analysis and achieves accurate detection of application behavior, and so improves detection results.
2. The Android malicious application prevention method of the present invention uses a light-client, heavy-server architecture. The client is responsible for lightweight information extraction, and the server end is responsible for the heavy data analysis. This suits the reality that the battery, computing and storage resources of intelligent terminals are constrained.
3. Before the detailed analysis, malicious programs generated by repackaging are handled first, filtering out the samples that are the most numerous but easiest to detect; this relieves the pressure of application analysis demand and allows the allocation of analysis resources to be optimized centrally.
4. Using a clustering method, feature vectors are generated and checked by similarity matching, and the results can be fed back to the malicious program knowledge base, continuously correcting the information on the malicious application sample families, so the method works in real time.
Brief description of the drawings
Fig. 1 is the principle architecture diagram of the present invention.
Fig. 2 is the system module schematic diagram of the present invention.
Fig. 3 is the flow chart of the present invention.
Detailed description of the invention
The specific implementation of the present invention is described in detail below with reference to the drawings. It should be noted that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
The architecture diagram of the present invention is shown in Fig. 1. The architecture is broadly divided into two parts: the analysis tool client carried on the intelligent terminal and the analysis tool server. A light-client, heavy-server architecture is used here. The client is essentially an Android application program responsible for lightweight information extraction, and the server end is responsible for the heavy data analysis. The server end consists of a knowledge database, Android virtual machines and analysis software. This architecture suits the reality that the battery, computing and storage resources of intelligent terminals are constrained.
The strategy module design of the present invention is shown in Fig. 2 and is divided into four modules: the difference verification module, the static analysis module, the dynamic analysis module and the clustering judgment module. First, the application information knowledge base is constructed by collecting the data submitted by the intelligent terminals of numerous users. When a user requests detection of an application program on the user's mobile phone, its features are compared with those of the same-named program in the knowledge base to quickly detect repackaged malicious programs, which reduces the pressure of application analysis demand. Repackaging a normal program after adding malicious code to it is the usual trick of a large number of current malicious applications. Static analysis technology is then used to perform high-coverage analysis of the application code and extract the permissions related to privacy information and the API call information. Dynamic analysis technology is used to simulate the program's execution in a sandbox, detect system calls and the LKM parameters involved in those calls, and track and record the application's concrete behavior. Finally, the log information generated by the static and dynamic analysis is used to build multi-dimensional feature vectors, which are matched for similarity against the feature vector of each malicious application family to judge the nature of the application.
The flow chart of the present invention is shown in Fig. 3 and comprises the following steps:
1) Based on the data submitted by the intelligent terminals of numerous users, as collected by the analysis tool server, an application information knowledge base is constructed.
2) When a request from a user to detect an application program on the user's intelligent terminal is received, the difference verification module compares the program's features with those of the same-named program in the application information knowledge base and quickly detects repackaged malicious programs. When the difference verification module verifies the application program's installation file information, if what the user uploads is the URL address of the installation file, a web crawler tool is started to download the apk file; if what the user uploads is an apk file, the difference verification module makes its judgment using the application program's unique package name, signature, permissions and version number.
3) The static analysis module uses static analysis technology to perform high-coverage analysis of the application code and extracts the permissions related to privacy information and the API call information. The static analysis module decompiles the program; if decompilation succeeds, it obtains the source code or bytecode intermediate form, extracts the permissions related to privacy information and the API call information, performs data-flow analysis and obtains an analysis log; if decompilation fails, the process goes directly to the dynamic analysis module.
4) The dynamic analysis module uses dynamic analysis technology to simulate the program's execution in a sandbox, detects system calls and the LKM parameters involved in those calls, and tracks and records the application's concrete behavior. The dynamic analysis module carries out application behavior analysis and generates an analysis log: it runs the program in simulation on an Android simulator, traces the program's system call information, and the records generate log information.
5) The clustering judgment module uses the log information generated by the dynamic and static analysis to build multi-dimensional feature vectors, performs similarity matching against the feature vector of each malicious application family, and judges the nature of the application. The clustering judgment module collects the log information of the static and dynamic analysis processes (including API call information, system call logs and LKM parameters), generates multi-attribute feature vectors, and uses a clustering method such as K-means to perform a similarity matching check on the feature vectors, obtaining the analysis result and making the malware judgment with reference to the malicious application feature vector knowledge base: if the similarity between the feature vector and the reference vector of a malware family is within the threshold, the application is judged to be malware of that family, and the reference vector must be corrected by weighted feedback of the feature vector.
When a user requests detection of an application program on the user's mobile phone, if what the user uploads is the URL address of the application program's installation file, a web crawler tool is started to download the apk file. The difference verification module parses the apk file, obtains the unique package name, signature, permissions and version number, and generates a feature vector that uniquely identifies this program. Next it compares against the application information knowledge base, checking whether the application program with the same package name has similar signature, permission declarations and version number information. If the gap from the reference vector is found to be too large, the program is judged to be a malicious program generated by repackaging; the result is fed back to the client and none of the subsequent analyses are performed. If the gap between the feature vector and the reference vector is small, the reference vector is corrected by weighted feedback of the feature vector and the program enters the static analysis module.
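The difference verification step above, as an added Python example that is not part of the patent or of any implementation of it: it scores an uploaded APK's package name, signing certificate, permissions and version against the knowledge-base record for the same package name, rejects copies whose gap exceeds a threshold as repackaged, and folds consistent copies back into the reference by weighted feedback. The package name, key fingerprints, dimension weights and threshold are all constructed assumptions.

```python
"""Difference verification step: compare the identity features of an uploaded APK
(package name, signing certificate, permissions, version) with the knowledge-base
record for the same package name, flag repackaged copies, and fold consistent
copies back into the reference by weighted feedback. All records are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass
class ApkIdentity:
    """Identity features the client extracts from one APK (constructed values)."""
    package: str
    signer_sha256: str          # fingerprint of the signing certificate
    version_code: int
    permissions: FrozenSet[str]


@dataclass
class ReferenceRecord:
    """Knowledge-base entry for one package name, aggregated over trusted submissions."""
    package: str
    signer_sha256: str
    version_codes: Set[int]
    permission_weight: Dict[str, float]   # permission -> share of copies declaring it
    samples: int


# Dimension weights (assumed): a foreign signing key is the strongest repackaging
# indicator, since a third party cannot re-sign the modified APK with the original key.
W_SIGNER, W_PERMS, W_VERSION = 0.6, 0.3, 0.1
REPACKAGE_THRESHOLD = 0.5   # difference score above which the copy is judged repackaged


def difference_score(app: ApkIdentity, ref: ReferenceRecord) -> float:
    """0.0 = identical to the trusted reference, 1.0 = different in every dimension."""
    signer_gap = 0.0 if app.signer_sha256 == ref.signer_sha256 else 1.0
    # Weighted Jaccard distance between the declared permission set and the
    # reference's permission frequencies: a permission every trusted copy declares
    # but this copy lacks (or vice versa) costs its full weight.
    inter = union = 0.0
    for perm in set(app.permissions) | set(ref.permission_weight):
        declared = 1.0 if perm in app.permissions else 0.0
        expected = ref.permission_weight.get(perm, 0.0)
        inter += min(declared, expected)
        union += max(declared, expected)
    perm_gap = 1.0 - inter / union if union else 0.0
    version_gap = 0.0 if app.version_code in ref.version_codes else 1.0
    return W_SIGNER * signer_gap + W_PERMS * perm_gap + W_VERSION * version_gap


def feed_back(app: ApkIdentity, ref: ReferenceRecord) -> None:
    """Weighted feedback: update the reference as a running mean over all consistent
    copies, so a permission seen once among many submissions gets a small weight."""
    n = ref.samples
    for perm in set(app.permissions) | set(ref.permission_weight):
        seen = 1.0 if perm in app.permissions else 0.0
        ref.permission_weight[perm] = (ref.permission_weight.get(perm, 0.0) * n + seen) / (n + 1)
    ref.version_codes.add(app.version_code)
    ref.samples = n + 1


def verify(app: ApkIdentity, knowledge_base: Dict[str, ReferenceRecord]) -> Tuple[str, float]:
    """Return (verdict, score). 'repackaged' short-circuits the pipeline; 'consistent'
    corrects the reference and lets the sample continue to static analysis."""
    ref = knowledge_base.get(app.package)
    if ref is None:
        return "unknown", 1.0        # no same-named program: nothing to diff against
    score = difference_score(app, ref)
    if score > REPACKAGE_THRESHOLD:
        return "repackaged", score
    feed_back(app, ref)
    return "consistent", score


def sample_knowledge_base() -> Dict[str, ReferenceRecord]:
    """Constructed knowledge base with one trusted package (hypothetical names)."""
    return {"com.example.notes": ReferenceRecord(
        package="com.example.notes",
        signer_sha256="sha256:ORIGINAL-DEVELOPER-KEY",      # placeholder fingerprint
        version_codes={41, 42},
        permission_weight={"android.permission.INTERNET": 1.0,
                           "android.permission.READ_EXTERNAL_STORAGE": 1.0},
        samples=4)}


# Constructed uploads: a copy re-signed by someone else that adds SMS and contact
# permissions, and a legitimate update by the original developer that adds CAMERA.
REPACKAGED_COPY = ApkIdentity(
    "com.example.notes", "sha256:FOREIGN-KEY", 42,
    frozenset({"android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}))
LEGITIMATE_UPDATE = ApkIdentity(
    "com.example.notes", "sha256:ORIGINAL-DEVELOPER-KEY", 43,
    frozenset({"android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.CAMERA"}))

if __name__ == "__main__":
    kb = sample_knowledge_base()
    print(verify(REPACKAGED_COPY, kb))
    print(verify(LEGITIMATE_UPDATE, kb))
    print(kb["com.example.notes"].permission_weight, kb["com.example.notes"].samples)
```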
The static analysis module first decompiles the program to obtain source code or a bytecode intermediate form. If decompilation fails, the program goes directly to the dynamic analysis module. Using existing technology, a batch system chains tools such as APKTool, Dex2jar and JAD into an Android application decompilation tool that performs the decompilation of Android application programs: it takes an Android application installation file (apk file) as input, performs a one-click decompilation, and generates the decompiled source code of the Android application program (including the Manifest.xml manifest file) in a specified directory. After decompilation has yielded the program's source code, the static analysis uses data-flow analysis to collect the variable information in the code, and thereby gains the ability to describe how variables are assigned, referenced and passed within the program. It also extracts the permissions related to privacy information and the API call information, and generates a control flow graph to represent the Android source code. As the basis of functional dependency analysis, control flow analysis and data-flow analysis reflect well the calls and execution flow between statements and modules. Data-flow analysis is performed and the static analysis log is obtained.
The dynamic analysis module installs the application installation file on an Android simulator and runs the program in simulation, using the Linux strace tool to trace the behavior of the running program. To avoid the shortcoming of traditional Android dynamic analysis technology, which uses Java-style program analysis techniques that only analyze API calls and do not understand the underlying behavior, thereby increasing the false-alarm rate, the analysis here focuses on detecting the application program's system calls. The ARM ISA provides the swi instruction for system calls, and the return address of the system call swi is stored in the LR register. When the swi instruction is intercepted by the terminal, it can be checked whether system call information is present.
The clustering judgment module collects the log information of the preceding analysis processes, including API call information, system call logs, LKM parameters and so on, generates multi-attribute feature vectors, and uses the K-means clustering method to perform a similarity matching check on the feature vectors to obtain the analysis result and make the malware judgment. The malicious application feature vector knowledge base takes part in the comparison: if the similarity between the feature vector and the reference vector of a malware family is within the threshold, the application is judged to be malware of that family, and the reference vector must be corrected by weighted feedback of the feature vector.
The technical means disclosed in the present invention are not limited to those disclosed in the above embodiments; they also include technical solutions made up of any combination of the above technical features.
Claims (7)
1. An Android malicious application prevention method based on code behavior similarity matching, characterized in that it comprises the following steps:
1) constructing an application information knowledge base from the data submitted by the intelligent terminals of numerous users, as collected by the analysis tool server;
2) when a request from a user to detect an application program on the user's intelligent terminal is received, having the difference verification module compare the program's features with those of the same-named program in the application information knowledge base and quickly detect repackaged malicious programs;
3) having the static analysis module use static analysis technology to perform high-coverage analysis of the application code and extract the permissions related to privacy information and the API call information;
4) having the dynamic analysis module use dynamic analysis technology to simulate the program's execution in a sandbox, detect system calls and the LKM parameters involved in those calls, and track and record the application's concrete behavior;
5) having the clustering judgment module use the log information generated by the dynamic and static analysis to build multi-dimensional feature vectors, perform similarity matching against the feature vector of each malicious application family, and judge the nature of the application.
2. The Android malicious application prevention method based on code behavior similarity matching according to claim 1, characterized in that when the difference verification module verifies the application program's installation file information, if what the user uploads is the URL address of the application program's installation file, a web crawler tool is started to download the apk file; if what the user uploads is an apk file, the difference verification module makes its judgment using the application program's unique package name, signature, permissions and version number.
3. The Android malicious application prevention method based on code behavior similarity matching according to claim 1, characterized in that the static analysis module decompiles the program; if decompilation succeeds, it obtains the source code or bytecode intermediate form, extracts the permissions related to privacy information and the API call information, performs data-flow analysis and obtains an analysis log; if decompilation fails, the process goes directly to the dynamic analysis module.
4. The Android malicious application prevention method based on code behavior similarity matching according to claim 1, characterized in that the dynamic analysis module carries out application behavior analysis and generates an analysis log: it runs the program in simulation on an Android simulator, traces the program's system call information, and the records generate log information.
5. The Android malicious application prevention method based on code behavior similarity matching according to claim 1, characterized in that the clustering judgment module collects the log information of the static and dynamic analysis processes, generates multi-attribute feature vectors, and uses a clustering method to perform a similarity matching check on the feature vectors, obtaining the analysis result and making the malware judgment with reference to the malicious application feature vector knowledge base: if the similarity between the feature vector and the reference vector of a malware family is within the threshold, the application is judged to be malware of that family, and the reference vector must be corrected by weighted feedback of the feature vector.
6. The Android malicious application prevention method based on code behavior similarity matching according to claim 5, characterized in that the log information includes API call information, system call logs and LKM parameters.
7. The Android malicious application prevention method based on code behavior similarity matching according to claim 5, characterized in that the clustering method is K-means.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610273206.0A CN105893848A (en) | 2016-04-27 | 2016-04-27 | Precaution method for Android malicious application program based on code behavior similarity matching |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105893848A true CN105893848A (en) | 2016-08-24 |
Family
ID=56701871
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610273206.0A Pending CN105893848A (en) | 2016-04-27 | 2016-04-27 | Precaution method for Android malicious application program based on code behavior similarity matching |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105893848A (en) |
Cited By (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106529293A (en) * | 2016-11-09 | 2017-03-22 | 东巽科技(北京)有限公司 | Sample classification determination method for malware detection |
CN106713335A (en) * | 2016-12-30 | 2017-05-24 | 山石网科通信技术有限公司 | Malicious software identification method and device |
CN106709332A (en) * | 2016-12-13 | 2017-05-24 | 江苏通付盾科技有限公司 | Application detection method and device |
CN107169351A (en) * | 2017-05-11 | 2017-09-15 | 北京理工大学 | With reference to the Android unknown malware detection methods of dynamic behaviour feature |
CN107798242A (en) * | 2017-11-13 | 2018-03-13 | 南京大学 | A kind of malice Android application automatic checkout system of quiet dynamic bind |
CN107798243A (en) * | 2017-11-25 | 2018-03-13 | 国网河南省电力公司电力科学研究院 | The detection method and device of terminal applies |
CN107844408A (en) * | 2016-09-18 | 2018-03-27 | 中国矿业大学 | A kind of similar execution route generation method based on hierarchical clustering |
CN107871080A (en) * | 2017-12-04 | 2018-04-03 | 杭州安恒信息技术有限公司 | The hybrid Android malicious code detecting methods of big data and device |
CN108241802A (en) * | 2016-12-27 | 2018-07-03 | 卓望数码技术(深圳)有限公司 | A kind of Android platform privacy for polymerizeing multidimensional steals class application automatic identifying method |
CN108509796A (en) * | 2017-02-24 | 2018-09-07 | 中国移动通信集团公司 | A kind of detection method and server of risk |
CN108509798A (en) * | 2018-03-31 | 2018-09-07 | 河南牧业经济学院 | A kind of computer software analysis system |
CN108932429A (en) * | 2017-05-27 | 2018-12-04 | 腾讯科技(深圳)有限公司 | Analysis method, terminal and the storage medium of application program |
CN108958826A (en) * | 2017-05-22 | 2018-12-07 | 北京京东尚科信息技术有限公司 | The method and apparatus of dynamic configuration application installation package |
CN109117164A (en) * | 2018-06-22 | 2019-01-01 | 北京大学 | Micro services update method and system based on key element difference analysis |
CN109284610A (en) * | 2018-09-11 | 2019-01-29 | 腾讯科技(深圳)有限公司 | A kind of Research of Malicious Executables Detection Method, device and detection service device |
CN109508545A (en) * | 2018-11-09 | 2019-03-22 | 北京大学 | A kind of Android Malware classification method based on rarefaction representation and Model Fusion |
CN109542456A (en) * | 2017-08-15 | 2019-03-29 | 中兴通讯股份有限公司 | A kind of preparation method, device and terminal using similarity |
CN109791588A (en) * | 2017-06-27 | 2019-05-21 | 赛门铁克公司 | Alleviate malicious action associated with graphical user-interface element |
CN109815739A (en) * | 2019-02-13 | 2019-05-28 | 闻泰通讯股份有限公司 | Application control method, apparatus, terminal and medium |
CN109858249A (en) * | 2019-02-18 | 2019-06-07 | 暨南大学 | The quick, intelligent comparison of mobile Malware big data and safety detection method |
CN110298171A (en) * | 2019-06-17 | 2019-10-01 | 暨南大学 | The intelligent measurement and safety protecting method of mobile Internet big data application |
CN110472415A (en) * | 2018-12-13 | 2019-11-19 | 成都亚信网络安全产业技术研究院有限公司 | A kind of determination method and device of rogue program |
CN110674497A (en) * | 2019-09-27 | 2020-01-10 | 厦门安胜网络科技有限公司 | Malicious program similarity calculation method and device |
CN110889115A (en) * | 2019-11-07 | 2020-03-17 | 国家计算机网络与信息安全管理中心 | Malicious push behavior detection method and device |
CN111046390A (en) * | 2019-07-12 | 2020-04-21 | 哈尔滨安天科技集团股份有限公司 | Cooperative defense patch protection method and device and storage equipment |
CN111241544A (en) * | 2020-01-08 | 2020-06-05 | 北京梆梆安全科技有限公司 | Malicious program identification method and device, electronic equipment and storage medium |
CN111460401A (en) * | 2020-05-20 | 2020-07-28 | 南京大学 | Automatic product tracking method combining software product process information and text similarity |
CN111597557A (en) * | 2020-06-30 | 2020-08-28 | 腾讯科技(深圳)有限公司 | Malicious application detection method, system, device, equipment and storage medium |
CN111770053A (en) * | 2020-05-28 | 2020-10-13 | 江苏大学 | Malicious program detection method based on improved clustering and self-similarity |
CN111783095A (en) * | 2020-07-28 | 2020-10-16 | 支付宝(杭州)信息技术有限公司 | Method and device for identifying malicious code of applet and electronic equipment |
CN111935118A (en) * | 2020-07-31 | 2020-11-13 | 山东理工职业学院 | Permission identification gateway and cloud comparison system based on browsing access |
WO2020232685A1 (en) * | 2019-05-22 | 2020-11-26 | 深圳市欢太科技有限公司 | Malicious quickapp detection method and terminal |
CN112733145A (en) * | 2021-04-06 | 2021-04-30 | 北京邮电大学 | Android application detection and analysis method, electronic equipment and storage medium |
CN113158186A (en) * | 2021-03-19 | 2021-07-23 | 南京邮电大学 | Android malicious software static detection method |
CN113343219A (en) * | 2021-05-31 | 2021-09-03 | 烟台中科网络技术研究所 | Automatic and efficient high-risk mobile application program detection method |
CN113656801A (en) * | 2021-08-19 | 2021-11-16 | 建信金融科技有限责任公司 | Classification method for Android malicious application family, server and terminal |
CN113987485A (en) * | 2021-09-28 | 2022-01-28 | 奇安信科技集团股份有限公司 | Application program sample detection method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102930210A (en) * | 2012-10-14 | 2013-02-13 | 江苏金陵科技集团公司 | System and method for automatically analyzing, detecting and classifying malicious program behavior |
CN103685251A (en) * | 2013-12-04 | 2014-03-26 | 电子科技大学 | Android malicious software detecting platform oriented to mobile internet |
CN105205396A (en) * | 2015-10-15 | 2015-12-30 | 上海交通大学 | Detecting system for Android malicious code based on deep learning and method thereof |
CN105389508A (en) * | 2015-11-10 | 2016-03-09 | 工业和信息化部电信研究院 | Detection method and apparatus for re-packaged Android application |
Events
- 2016-04-27: CN application CN201610273206.0A filed, patent CN105893848A/en, status active Pending
Cited By (55)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107844408B (en) * | 2016-09-18 | 2021-02-12 | 中国矿业大学 | Similar execution path generation method based on hierarchical clustering |
CN107844408A (en) * | 2016-09-18 | 2018-03-27 | 中国矿业大学 | A kind of similar execution route generation method based on hierarchical clustering |
CN106529293A (en) * | 2016-11-09 | 2017-03-22 | 东巽科技(北京)有限公司 | Sample classification determination method for malware detection |
CN106529293B (en) * | 2016-11-09 | 2019-11-05 | 东巽科技(北京)有限公司 | A kind of sample class determination method for malware detection |
CN106709332A (en) * | 2016-12-13 | 2017-05-24 | 江苏通付盾科技有限公司 | Application detection method and device |
CN108241802A (en) * | 2016-12-27 | 2018-07-03 | 卓望数码技术(深圳)有限公司 | A kind of Android platform privacy for polymerizeing multidimensional steals class application automatic identifying method |
CN106713335A (en) * | 2016-12-30 | 2017-05-24 | 山石网科通信技术有限公司 | Malicious software identification method and device |
CN108509796A (en) * | 2017-02-24 | 2018-09-07 | 中国移动通信集团公司 | A kind of detection method and server of risk |
CN108509796B (en) * | 2017-02-24 | 2022-02-11 | 中国移动通信集团公司 | Method for detecting risk and server |
CN107169351A (en) * | 2017-05-11 | 2017-09-15 | 北京理工大学 | With reference to the Android unknown malware detection methods of dynamic behaviour feature |
CN108958826A (en) * | 2017-05-22 | 2018-12-07 | 北京京东尚科信息技术有限公司 | The method and apparatus of dynamic configuration application installation package |
CN108932429B (en) * | 2017-05-27 | 2023-02-03 | 腾讯科技(深圳)有限公司 | Application program analysis method, terminal and storage medium |
CN108932429A (en) * | 2017-05-27 | 2018-12-04 | 腾讯科技(深圳)有限公司 | Analysis method, terminal and the storage medium of application program |
CN109791588B (en) * | 2017-06-27 | 2023-10-13 | 诺顿身份保护公司 | Mitigating malicious actions associated with graphical user interface elements |
CN109791588A (en) * | 2017-06-27 | 2019-05-21 | 赛门铁克公司 | Alleviate malicious action associated with graphical user-interface element |
CN109542456A (en) * | 2017-08-15 | 2019-03-29 | 中兴通讯股份有限公司 | A kind of preparation method, device and terminal using similarity |
CN107798242A (en) * | 2017-11-13 | 2018-03-13 | 南京大学 | A kind of malice Android application automatic checkout system of quiet dynamic bind |
CN107798243A (en) * | 2017-11-25 | 2018-03-13 | 国网河南省电力公司电力科学研究院 | The detection method and device of terminal applies |
CN107871080A (en) * | 2017-12-04 | 2018-04-03 | 杭州安恒信息技术有限公司 | The hybrid Android malicious code detecting methods of big data and device |
CN108509798A (en) * | 2018-03-31 | 2018-09-07 | 河南牧业经济学院 | A kind of computer software analysis system |
CN109117164A (en) * | 2018-06-22 | 2019-01-01 | 北京大学 | Micro services update method and system based on key element difference analysis |
CN109117164B (en) * | 2018-06-22 | 2020-08-25 | 北京大学 | Micro-service updating method and system based on difference analysis of key elements |
CN109284610B (en) * | 2018-09-11 | 2023-02-28 | 腾讯科技(深圳)有限公司 | Virus program detection method and device and detection server |
CN109284610A (en) * | 2018-09-11 | 2019-01-29 | 腾讯科技(深圳)有限公司 | A kind of Research of Malicious Executables Detection Method, device and detection service device |
CN109508545B (en) * | 2018-11-09 | 2021-06-04 | 北京大学 | Android Malware classification method based on sparse representation and model fusion |
CN109508545A (en) * | 2018-11-09 | 2019-03-22 | 北京大学 | A kind of Android Malware classification method based on rarefaction representation and Model Fusion |
CN110472415A (en) * | 2018-12-13 | 2019-11-19 | 成都亚信网络安全产业技术研究院有限公司 | A kind of determination method and device of rogue program |
CN110472415B (en) * | 2018-12-13 | 2021-08-10 | 成都亚信网络安全产业技术研究院有限公司 | Malicious program determination method and device |
CN109815739A (en) * | 2019-02-13 | 2019-05-28 | 闻泰通讯股份有限公司 | Application control method, apparatus, terminal and medium |
CN109815739B (en) * | 2019-02-13 | 2022-07-12 | 闻泰通讯股份有限公司 | Application control method, device, terminal and medium |
CN109858249A (en) * | 2019-02-18 | 2019-06-07 | 暨南大学 | The quick, intelligent comparison of mobile Malware big data and safety detection method |
CN109858249B (en) * | 2019-02-18 | 2020-08-07 | 暨南大学 | Rapid intelligent comparison and safety detection method for mobile malicious software big data |
WO2020232685A1 (en) * | 2019-05-22 | 2020-11-26 | 深圳市欢太科技有限公司 | Malicious quickapp detection method and terminal |
CN110298171A (en) * | 2019-06-17 | 2019-10-01 | 暨南大学 | The intelligent measurement and safety protecting method of mobile Internet big data application |
CN111046390B (en) * | 2019-07-12 | 2023-07-07 | 安天科技集团股份有限公司 | Collaborative defense patch protection method and device and storage equipment |
CN111046390A (en) * | 2019-07-12 | 2020-04-21 | 哈尔滨安天科技集团股份有限公司 | Cooperative defense patch protection method and device and storage equipment |
CN110674497B (en) * | 2019-09-27 | 2021-07-02 | 厦门安胜网络科技有限公司 | Malicious program similarity calculation method and device |
CN110674497A (en) * | 2019-09-27 | 2020-01-10 | 厦门安胜网络科技有限公司 | Malicious program similarity calculation method and device |
CN110889115A (en) * | 2019-11-07 | 2020-03-17 | 国家计算机网络与信息安全管理中心 | Malicious push behavior detection method and device |
CN111241544A (en) * | 2020-01-08 | 2020-06-05 | 北京梆梆安全科技有限公司 | Malicious program identification method and device, electronic equipment and storage medium |
CN111241544B (en) * | 2020-01-08 | 2023-05-02 | 北京梆梆安全科技有限公司 | Malicious program identification method and device, electronic equipment and storage medium |
CN111460401A (en) * | 2020-05-20 | 2020-07-28 | 南京大学 | Automatic product tracking method combining software product process information and text similarity |
CN111460401B (en) * | 2020-05-20 | 2023-08-22 | 南京大学 | Product automatic tracking method combining software product process information and text similarity |
CN111770053A (en) * | 2020-05-28 | 2020-10-13 | 江苏大学 | Malicious program detection method based on improved clustering and self-similarity |
CN111597557A (en) * | 2020-06-30 | 2020-08-28 | 腾讯科技(深圳)有限公司 | Malicious application detection method, system, device, equipment and storage medium |
CN111783095A (en) * | 2020-07-28 | 2020-10-16 | 支付宝(杭州)信息技术有限公司 | Method and device for identifying malicious code of applet and electronic equipment |
CN111935118A (en) * | 2020-07-31 | 2020-11-13 | 山东理工职业学院 | Permission identification gateway and cloud comparison system based on browsing access |
CN113158186A (en) * | 2021-03-19 | 2021-07-23 | 南京邮电大学 | Android malicious software static detection method |
CN112733145B (en) * | 2021-04-06 | 2021-06-08 | 北京邮电大学 | Android application detection and analysis method, electronic equipment and storage medium |
CN112733145A (en) * | 2021-04-06 | 2021-04-30 | 北京邮电大学 | Android application detection and analysis method, electronic equipment and storage medium |
CN113343219B (en) * | 2021-05-31 | 2023-03-07 | 烟台中科网络技术研究所 | Automatic and efficient high-risk mobile application program detection method |
CN113343219A (en) * | 2021-05-31 | 2021-09-03 | 烟台中科网络技术研究所 | Automatic and efficient high-risk mobile application program detection method |
CN113656801B (en) * | 2021-08-19 | 2023-06-09 | 建信金融科技有限责任公司 | Android malicious application family classification method, server and terminal |
CN113656801A (en) * | 2021-08-19 | 2021-11-16 | 建信金融科技有限责任公司 | Classification method for Android malicious application family, server and terminal |
CN113987485A (en) * | 2021-09-28 | 2022-01-28 | 奇安信科技集团股份有限公司 | Application program sample detection method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105893848A (en) | Precaution method for Android malicious application program based on code behavior similarity matching | |
Damshenas et al. | M0droid: An android behavioral-based malware detection model | |
Spreitzenbarth et al. | Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques | |
Potharaju et al. | Plagiarizing smartphone applications: attack strategies and defense techniques | |
CN102622536B (en) | Method for catching malicious codes | |
Canfora et al. | Acquiring and analyzing app metrics for effective mobile malware detection | |
CN108133139A (en) | A kind of Android malicious application detecting system compared based on more running environment behaviors | |
CN107659570A (en) | Webshell detection methods and system based on machine learning and static and dynamic analysis | |
CN107688743B (en) | Malicious program detection and analysis method and system | |
CN104834858A (en) | Method for statically detecting malicious code in android APP (Application) | |
CN105653956A (en) | Android malicious software sorting method based on dynamic behavior dependency graph | |
Sethi et al. | A novel malware analysis framework for malware detection and classification using machine learning approach | |
Rizzo et al. | Unveiling web fingerprinting in the wild via code mining and machine learning | |
CN106599688A (en) | Application category-based Android malicious software detection method | |
Qiu et al. | Data-driven android malware intelligence: a survey | |
Faruki et al. | Droidanalyst: Synergic app framework for static and dynamic app analysis | |
Suarez-Tangil et al. | Thwarting obfuscated malware via differential fault analysis | |
Li et al. | Large-scale third-party library detection in android markets | |
CN112688966A (en) | Webshell detection method, device, medium and equipment | |
CN109344614A (en) | A kind of Android malicious application online test method | |
Sun et al. | Research towards key issues of api security | |
Cui et al. | Towards unsupervised introspection of containerized application | |
Zhao et al. | Android malware detection based on sensitive permissions and apis | |
CN116932381A (en) | Automatic evaluation method for security risk of applet and related equipment | |
CN113407946A (en) | Intelligent protection method and system for IoT (IoT) equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20160824 |