CN105893848A - Precaution method for Android malicious application program based on code behavior similarity matching - Google Patents

Info

Publication number: CN105893848A
Application number: CN201610273206.0A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 孙知信, 邰淳亮, 洪汉舒, 宫婧, 陈梓洋
Assignee: Nanjing University of Posts and Telecommunications
Priority date / filing date: 2016-04-27
Publication date: 2016-08-24
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)

Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a prevention method for Android malicious applications based on code behavior similarity matching. The method comprises the following steps: establishing an application information knowledge base; detecting repackaged malicious programs in a difference verification module by comparing against the features of the program of the same name in the application information knowledge base; performing high-coverage analysis of the application code in a static analysis module and extracting the permissions and API call information related to privacy information; simulating program execution in a sandbox in a dynamic analysis module, detecting the system calls and the LKM parameters involved in those calls, and tracking and recording the concrete behavior of the application; and constructing a multi-dimensional feature vector from the log information in a clustering judgment module, performing similarity matching against the feature vector of each malicious application family and judging the attribution of the application. The method adopts a light-client, heavy-server system design: the client is responsible for lightweight information extraction and the server for heavy data analysis, so the method can effectively accommodate the reality that smart terminals are short of resources such as battery, computation and storage.

Description

Android malicious application prevention method based on code behavior similarity matching
Technical field
The present invention relates to the field of computer malware detection and handling, and specifically to an Android malicious application prevention method based on code behavior similarity matching.
Background art
Android is an open-source operating system based on Linux, developed by Google, and is mainly used in mobile devices. An Android application is a set of instruction sequences written in a computer language and developed to run on the Android system in order to complete one or more specific tasks; it is the tool through which a smart terminal interacts with the user and fulfils the user's requests. Android applications belong to the application layer of the overall Android system framework. Apart from the basic applications built into the system (desktop, mail, phone, SMS and so on), the applications users most often use and interact with are third-party applications written in Java and native code, which add to, extend and optimize the functions of the device. Because of its powerful features and its open and convenient nature, the Android mobile operating system became, within only a few years, the smartphone operating system with the largest global market share.
With the rapid development of mobile Internet technology, smart terminals store increasingly important user information, and the Android system, which holds the overwhelming majority of the market share, has naturally become the preferred target of malicious attacks. Most malicious attacks are carried out through Android malicious applications, and two situations mainly exist. In one, the Android application is itself a program developed by a malicious developer in order to carry out malicious behavior, i.e. a virus program. In the other, the Android application has defects in its design that an attacker can exploit to carry out malicious behavior on the Android terminal.
The threat to the information security of Android terminals is real and urgent. According to the latest investigation report published by the German network security firm G DATA, the number of Android malware samples in 2015 reached 2,333,777, meaning that a new Android malware sample appeared almost every 11 seconds, a 50% increase over 2014. In the fourth quarter of 2015 the number of newly emerging Android malware samples reached 758,133, a 32% increase over the fourth quarter of 2014. This malware can steal user information, automatically send SMS messages and make phone calls, undermine system security and cause economic loss to users. The many third-party application stores in the Android ecosystem mean that users do not depend on a single official application source, but this also accelerates the spread of malware.
Traditional Android malicious application prevention strategies mainly detect malicious applications with static analysis techniques or dynamic analysis techniques. Static analysis usually applies reverse-engineering techniques to decompile the application, obtains Java source code or a bytecode intermediate form, analyzes the logic of the code, looks for permissions and API calls that involve privacy information and malicious operations, and from these judges the attribute of the application. Static analysis can grasp all method-call paths in the code, but it easily produces a large number of false positives, and reverse-engineering techniques have difficulty obtaining the required analysis results when faced with obfuscated programs. Dynamic analysis does not examine the source code at all but executes the application in a controlled emulator environment (a sandbox). By monitoring and recording every relevant operation during execution (such as sending SMS, reading data from storage, connecting to a remote server and so on), an analysis report is generated automatically. Dynamic analysis can bypass the problems of code obfuscation and encryption that static methods encounter, but its code coverage is low, the triggering of some events is often random, and some malicious programs may refuse to run in an emulator.
From the above analysis, relying unilaterally on either a static method or a dynamic method has significant limitations. The domestic granted patent CN103136471B concerns the detection of malicious Android applications. Its principle is to divide the behaviors in the application into several categories, such as going online, SMS and accessing multimedia; the hardware emulator then randomly triggers the buttons present in the active component, identifies the button corresponding to the current operation, establishes the association between each button and program behavior, and obtains the operation the program will carry out after the button is triggered. Next, the API sequence at the bottom of the hardware emulator is obtained and compared with the operation the program is about to carry out, and the program attribute is judged. The method is simple and efficient but has significant limitations. Android applications contain a large number of service components that have no interactive interface and few buttons, yet can equally perform all kinds of malicious operations; this scheme therefore causes a large number of missed detections. Even for programs that do have button interaction, the random triggering sequence of the emulator is inherently nondeterministic, so the detection accuracy and the scope of applicability are substantially restricted.
The patent with application number CN201510328402.9, entitled "Automated detection method for API-misuse vulnerabilities in Android application software", was filed by Fuzhou University in 2015. It proposes an automated detection method for API-misuse vulnerabilities in Android application software, which detects the API-misuse vulnerabilities that exist and in essence identifies malicious programs in which API misuse exists. The method detects the API-misuse vulnerabilities by combining dynamic and static analysis: the static analysis builds a whole-program control flow graph modeled on the features of Android application software, performs API-misuse reachability analysis combined with program-structure traversal and constant-propagation analysis, and screens out candidate suspicious vulnerabilities; the dynamic analysis then designs different modules for different types of vulnerability, triggers the candidate suspicious vulnerabilities obtained by the static analysis, records their behavior and finally gives a vulnerability security evaluation of the application. However, the static analysis in this method only analyzes API calls and cannot fully judge the purpose of those calls, so it easily produces a large number of false positives, and it is largely infeasible against the many code-obfuscated programs found in practice. The dynamic analysis in this method is used only to verify the suspicious points found by static analysis; its code coverage is low, the triggering of some events is often random, and detection accuracy and practicality are reduced.
The abbreviations used in this specification have the following meanings:
API: Application Programming Interface. A set of predefined functions whose purpose is to give applications and developers the ability to access a group of routines based on some software or hardware without needing to access the source code or understand the details of the internal working mechanism.
IPC: Inter-Process Communication. Transmission of information between two processes that have a communication dependency.
LKM: Loadable Kernel Module. A kernel module that the Linux kernel can load dynamically at run time in order to extend its functionality.
URL: Uniform Resource Locator. A concise representation of the location of, and access method for, a resource available from the Internet; the address of a standard resource on the Internet.
ARM: Advanced RISC Machines, a processor. The ARM processor is the first RISC microprocessor designed by Acorn Computers Ltd for the low-budget market.
ISA: Instruction Set Architecture, the instruction set architecture of a microprocessor. The set of all instructions a processor can execute.
LR: Link Register. A register with a specific purpose in the ARM processor.
Summary of the invention
In view of the problems faced by Android system security precaution and malicious application detection described above, the present invention provides an Android malicious application prevention method based on code behavior similarity matching, which combines a static analysis technique that covers the code level with a dynamic analysis technique that precisely detects application behavior to form an Android malicious application prevention method.
An Android malicious application prevention method based on code behavior similarity matching comprises the following steps:
1) based on the data submitted by the smart terminals of a large number of users and collected by the analysis tool server, construct an application information knowledge base;
2) when a user request to detect an application on the user's smart terminal is received, the difference verification module compares against the features of the program of the same name in the application information knowledge base and quickly detects repackaged malicious programs;
3) the static analysis module uses static analysis techniques to perform high-coverage analysis of the application code and extracts privacy-related permissions and API call information;
4) the dynamic analysis module uses dynamic analysis techniques to simulate program execution in a sandbox, detects system calls and the LKM parameters involved in those calls, and tracks and records the concrete behavior of the application;
5) the clustering judgment module uses the log information generated by the dynamic and static analysis to build a multidimensional feature vector, performs similarity matching against the feature vector of each malicious application family, and judges the attribute of the application.
When the difference verification module verifies the information of the application's installation file: if the user uploaded the URL of the application's installation file, a web crawler tool is started to download the apk file; if the user uploaded an apk file, the difference verification module judges it by the application's unique package name, signature, permissions and version number.
In the static analysis module, the program is decompiled. If decompilation succeeds, the source code or bytecode intermediate form is obtained, privacy-related permissions and API call information are extracted, data-flow analysis is performed, and an analysis log is obtained; if decompilation fails, the process goes directly to the dynamic analysis module.
The dynamic analysis module performs application behavior analysis and generates an analysis log: the program is run in an Android emulator, the program's system call information is traced, and the record is used to generate the log information.
The clustering judgment module collects the log information from the static and dynamic analysis processes, generates a multi-attribute feature vector, uses a clustering method to perform a similarity match check on the feature vector, obtains the analysis result and makes a malware judgment with reference to the malicious application feature vector knowledge base: if the similarity between the feature vector and the reference vector of a malware family is within a threshold, the application is judged to belong to that malware family, and the feature vector is used to correct the reference vector by weighted feedback.
The log information described above includes API call information, system call logs and LKM parameters.
Preferably, the clustering method described above is K-means.
Beneficial effects:
1. The invention provides an Android malicious application prevention method based on code behavior similarity matching that combines the advantages of traditional static analysis and dynamic analysis techniques and compensates for their respective deficiencies. It both ensures high coverage of the code analysis and achieves accurate detection of application behavior, which improves detection results.
2. The Android malicious application prevention method of the present invention uses a light-client, heavy-server architecture. The client is responsible for lightweight information extraction and the server for heavy data analysis. This suits the reality that smart terminals are short of resources such as battery, computation and storage.
3. Before detailed analysis, malicious programs generated by repackaging are handled with priority, filtering out the samples that are numerous but easy to detect; this relieves the pressure of application analysis demand and allows the allocation of analysis resources to be optimized centrally.
4. A clustering method is used to generate feature vectors and perform a similarity match check; the result is fed back to the malicious program knowledge base, continuously correcting the information of malicious application sample families, so the method has real-time properties.
Brief description of the drawings
Fig. 1 is the principle architecture diagram of the present invention.
Fig. 2 is the system module schematic diagram of the present invention.
Fig. 3 is the flow chart of the present invention.
Detailed description of the invention
The specific embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.
The architecture of the present invention is shown in Fig. 1. The architecture is broadly divided into two parts: the analysis tool client carried on the smart terminal and the analysis tool server. A light-client, heavy-server architecture is used. The client is essentially an Android application responsible for lightweight information extraction, while the server is responsible for heavy data analysis. The server consists of the knowledge database, an Android virtual machine and the analysis software. This architecture suits the reality that smart terminals are short of resources such as battery, computation and storage.
The module design of the present invention is shown in Fig. 2 and is divided into four modules: the difference verification module, the static analysis module, the dynamic analysis module and the clustering judgment module. First, the data submitted by the smart terminals of a large number of users is collected to construct the application information knowledge base. When a user requests detection of an application on their phone, the features of the program of the same name in the knowledge base are compared in order to quickly detect repackaged malicious programs and reduce the pressure of application analysis demand; repackaging a normal program after adding malicious code is the usual trick of the vast majority of malicious applications. Static analysis techniques then perform high-coverage analysis of the application code and extract privacy-related permissions and API call information. Dynamic analysis techniques simulate program execution in a sandbox, detect system calls and the LKM parameters involved in those calls, and track and record the concrete behavior of the application. Finally, the log information generated by the static and dynamic analysis is used to build a multidimensional feature vector, which is similarity-matched against the feature vector of each malicious application family to judge the attribute of the application.
The flow chart of the present invention is shown in Fig. 3 and comprises the following steps:
1) Based on the data submitted by the smart terminals of a large number of users and collected by the analysis tool server, construct an application information knowledge base.
2) When a user request to detect an application on the user's smart terminal is received, the difference verification module compares against the features of the program of the same name in the application information knowledge base and quickly detects repackaged malicious programs. When the difference verification module verifies the information of the application's installation file: if the user uploaded the URL of the application's installation file, a web crawler tool is started to download the apk file; if the user uploaded an apk file, the difference verification module judges it by the application's unique package name, signature, permissions and version number.
3) The static analysis module uses static analysis techniques to perform high-coverage analysis of the application code and extracts privacy-related permissions and API call information. The static analysis module decompiles the program; if decompilation succeeds, the source code or bytecode intermediate form is obtained, privacy-related permissions and API call information are extracted, data-flow analysis is performed and an analysis log is obtained; if decompilation fails, the process goes directly to the dynamic analysis module.
4) The dynamic analysis module uses dynamic analysis techniques to simulate program execution in a sandbox, detects system calls and the LKM parameters involved in those calls, and tracks and records the concrete behavior of the application. The dynamic analysis module performs application behavior analysis and generates an analysis log: the program is run in an Android emulator, the program's system call information is traced, and the record is used to generate the log information.
5) The clustering judgment module uses the log information generated by the dynamic and static analysis to build a multidimensional feature vector, performs similarity matching against the feature vector of each malicious application family, and judges the attribute of the application. The clustering judgment module collects the log information from the static and dynamic analysis processes (including API call information, system call logs and LKM parameters), generates a multi-attribute feature vector, uses a clustering method such as K-means to perform a similarity match check on the feature vector, obtains the analysis result and makes a malware judgment with reference to the malicious application feature vector knowledge base: if the similarity between the feature vector and the reference vector of a malware family is within a threshold, the application is judged to belong to that malware family, and the feature vector is used to correct the reference vector by weighted feedback.
When a user requests detection of an application on their phone, if the user uploaded the URL of the application's installation file, a web crawler tool is started to download the apk file. The difference verification module parses the apk file, obtains the unique package name, signature, permissions and version number, and generates a feature vector that uniquely identifies the program. This vector is then compared against the application information knowledge base to check whether the application with the same package name has similar signature, permission declaration and version number information. If the gap from the reference vector is found to be too large, the application is judged to be a malicious program generated by repackaging, the result is fed back to the client immediately, and none of the subsequent analysis is performed. If the gap between the feature vector and the reference vector is small, the feature vector is used to correct the reference vector by weighted feedback, and the process enters the static analysis module.
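The difference verification step above in Python, as an added example that is not code from the patent: the knowledge base holds one constructed reference per package name, the gap score weights signing-certificate fingerprint, permission profile and version code, and a gap above an assumed threshold is reported as repackaging while a small gap corrects the reference by weighted feedback. The package name, fingerprints, attribute weights, threshold and feedback rate are all constructed assumptions.

```python
"""Difference verification (repackaging check); added example, not the patent's
code. The knowledge base is keyed by package name and stores the genuine app's
identity: signing-certificate fingerprint, permission profile, version code.
A submitted apk is scored against it: a large gap means a repackaged program
and ends the analysis, a small gap corrects the reference by weighted feedback."""
from dataclasses import dataclass

# Attribute weights, repackaging threshold and feedback rate are assumed values.
WEIGHTS = {"signature": 0.6, "permissions": 0.3, "version": 0.1}
REPACK_THRESHOLD = 0.5
FEEDBACK_RATE = 0.2


@dataclass
class AppIdentity:
    package: str
    signature: str          # hex SHA-256 of the signing certificate (constructed)
    permissions: frozenset  # declared uses-permission names
    version_code: int


class Reference:
    """Knowledge-base record for one package name."""

    def __init__(self, identity):
        self.signature = identity.signature
        self.version_code = identity.version_code
        # Per-permission weight in [0, 1]: how consistently known-good samples
        # of this package declare it.
        self.permission_weights = {p: 1.0 for p in identity.permissions}
        self.samples = 1


def permission_gap(ref, perms):
    """Weighted Jaccard distance between the reference profile and the sample's
    permissions; a permission the sample adds (e.g. SEND_SMS injected into a
    notes app) counts fully against it."""
    union = set(ref.permission_weights) | set(perms)
    if not union:
        return 0.0
    inter = sum(min(ref.permission_weights.get(p, 0.0), 1.0) for p in perms)
    total = sum(max(ref.permission_weights.get(p, 0.0), float(p in perms)) for p in union)
    return 1.0 - inter / total


def gap_score(ref, sample):
    """Weighted gap in [0, 1]: a foreign signing key dominates, then the
    permission profile, then a version code older than the one on record."""
    sig = 0.0 if sample.signature == ref.signature else 1.0
    ver = 1.0 if sample.version_code < ref.version_code else 0.0
    return (WEIGHTS["signature"] * sig
            + WEIGHTS["permissions"] * permission_gap(ref, sample.permissions)
            + WEIGHTS["version"] * ver)


def feedback(ref, sample):
    """Weighted feedback correction: exponential moving average of the
    permission profile towards the consistent sample; newest version kept."""
    for p in set(ref.permission_weights) | set(sample.permissions):
        old = ref.permission_weights.get(p, 0.0)
        ref.permission_weights[p] = (1 - FEEDBACK_RATE) * old + FEEDBACK_RATE * float(p in sample.permissions)
    ref.version_code = max(ref.version_code, sample.version_code)
    ref.samples += 1


def verify(kb, sample):
    """Return (verdict, gap): 'unknown' skips this stage, 'repackaged' is sent
    back to the client and ends analysis, 'consistent' updates the reference
    and hands the sample on to static analysis."""
    ref = kb.get(sample.package)
    if ref is None:
        return "unknown", 0.0
    gap = gap_score(ref, sample)
    if gap > REPACK_THRESHOLD:
        return "repackaged", gap
    feedback(ref, sample)
    return "consistent", gap


# Constructed knowledge base: one known-good notes app (placeholder package and hashes).
GENUINE = AppIdentity("com.example.notes", "ab" * 32,
                      frozenset({"android.permission.INTERNET", "android.permission.READ_CONTACTS"}), 10)
KB = {GENUINE.package: Reference(GENUINE)}
UPDATE = AppIdentity("com.example.notes", "ab" * 32, GENUINE.permissions, 11)  # legitimate update
REPACKED = AppIdentity("com.example.notes", "cd" * 32,                         # re-signed, SMS added
                       GENUINE.permissions | {"android.permission.SEND_SMS"}, 9)


def run_demo():
    """Verify the legitimate update first, then the repackaged copy."""
    return {"update": verify(KB, UPDATE), "repacked": verify(KB, REPACKED)}
```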
The static analysis module must first decompile the program to obtain the source code or bytecode intermediate form. If decompilation fails, the program goes directly to the dynamic analysis module. Using existing technology, a batch script chains tools such as APKTool, dex2jar and JAD to produce an Android application decompilation tool that decompiles the Android application: a one-step decompilation can be carried out from an input Android application installation file (apk file), generating the decompiled source code of the Android application in a specified directory (including the Manifest.xml manifest file). Once the decompilation technique has obtained the program's source code, the static analysis uses data-flow analysis techniques to collect the variable information in the code, and thereby gains the ability to describe the assignment, referencing and passing of variables within the program. Privacy-related permissions and API call information also have to be extracted, and a control flow graph is generated to represent the Android source code. As the basis of functional dependence analysis, control flow analysis and data-flow analysis reflect well the calling and execution flow between statements and modules. Data-flow analysis is performed and the static analysis log is obtained.
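The static analysis stage as an added example, not code from the patent or from the decompilers named above: it takes the kind of output such a decompiler produces, a manifest and Java source, both constructed here, reads the declared permissions from the manifest, locates privacy-related API calls in the source and cross-checks the two; a missing source stands in for a failed decompilation and returns None so the pipeline can fall through to dynamic analysis as the method specifies. The API-to-permission table is an illustrative subset of well-known pairs, and the package name is a placeholder.

```python
"""Static analysis of decompiled output: declared permissions from
AndroidManifest.xml, privacy-related API call sites from the Java source,
and the inconsistencies between them. Added example, not the patent's code."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Privacy-related Android APIs and the permission each requires (well-known
# pairs; a short illustrative subset, not a complete catalogue).
PRIVACY_APIS = {
    "getDeviceId": "android.permission.READ_PHONE_STATE",
    "getLine1Number": "android.permission.READ_PHONE_STATE",
    "getSubscriberId": "android.permission.READ_PHONE_STATE",
    "sendTextMessage": "android.permission.SEND_SMS",
    "getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "openConnection": "android.permission.INTERNET",
}
PRIVACY_PERMISSIONS = set(PRIVACY_APIS.values()) | {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}
# A call site is ".<method>(" on some receiver in the decompiled Java.
CALL_RE = re.compile(r"\.(" + "|".join(PRIVACY_APIS) + r")\s*\(")


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def api_calls(java_source):
    """Count privacy-related API call sites in decompiled Java, by method name."""
    counts = {}
    for m in CALL_RE.finditer(java_source):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def static_analysis(manifest_xml, java_source):
    """Return the static log, or None when decompilation yielded no source
    (the caller then falls through to dynamic analysis)."""
    if java_source is None:
        return None
    perms = declared_permissions(manifest_xml)
    calls = api_calls(java_source)
    used_perms = {PRIVACY_APIS[a] for a in calls}
    return {
        "permissions": perms,
        "api_calls": calls,
        # API reached in code without its permission declared: the call fails
        # at run time, so a dynamic run alone might never show this path.
        "api_without_permission": sorted(a for a in calls if PRIVACY_APIS[a] not in perms),
        # Privacy permission declared but no matching call in the decompiled
        # code: over-privilege, or use through reflection or native code.
        "unused_privacy_permissions": sorted((perms & PRIVACY_PERMISSIONS) - used_perms),
    }


# Constructed decompilation output (placeholder package; not a real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Notes"/>
</manifest>"""

JAVA = """
TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
String imei = tm.getDeviceId();
SmsManager.getDefault().sendTextMessage(DEST, null, imei, null, null);
Location loc = lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
HttpURLConnection c = (HttpURLConnection) new URL(REMOTE).openConnection();
"""

if __name__ == "__main__":
    print(static_analysis(MANIFEST, JAVA))
```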
The dynamic analysis module installs the application installation file on the Android emulator and runs the program, using the Linux strace tool to trace the behavior of the running program. Traditional Android dynamic analysis techniques adopt Java-style program analysis and therefore analyze only API calls without understanding the underlying behavior, which increases the false positive rate; to avoid this shortcoming, the analysis here focuses on detecting the application's system calls. The ARM ISA provides the swi instruction for system calls, and the return address of the swi system call is stored in the LR register. When the swi instruction is intercepted by the terminal, it is possible to check whether system call information is present.
The clustering judgment module collects the log information from the preceding analysis processes, including API call information, system call logs, LKM parameters and so on, generates a multi-attribute feature vector, uses the K-means clustering method to perform a similarity match check on the feature vector, obtains the analysis result and makes a malware judgment. The malicious application feature vector knowledge base takes part in the comparison: if the similarity between the feature vector and the reference vector of a malware family is within the threshold, the application is judged to belong to that malware family, and the feature vector is used to correct the reference vector by weighted feedback.
The technical means disclosed in the scheme of the present invention are not limited to the technical means disclosed in the embodiments above, but also include technical schemes composed of any combination of the technical features above.
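The feature-vector construction and clustering judgment as an added example, not the patent's code: constructed strace-style lines stand in for the dynamic log and a constructed API-call count for the static log; both are folded into one fixed-order vector that is matched to the nearest family reference vector (the K-means assignment step, with the family reference vectors as centroids) within an assumed threshold, and a match updates that centroid by weighted feedback (the K-means centroid update for one point). The vector layout, families, centroids, threshold and log contents are all constructed assumptions.

```python
"""Dynamic-log parsing, multi-attribute feature vector and clustering judgment.
Added example, not the patent's code; all data is constructed."""
import math
import re
from collections import Counter

# Fixed vector layout: system calls, then privacy-related API calls, then one
# flag for a loaded kernel module. The vocabulary is assumed for the example.
SYSCALL_DIMS = ["openat", "read", "write", "connect", "sendto", "ioctl", "execve", "init_module"]
API_DIMS = ["getDeviceId", "sendTextMessage", "getLastKnownLocation", "openConnection"]
DIMS = SYSCALL_DIMS + API_DIMS + ["lkm_loaded"]
MATCH_THRESHOLD = 0.35   # max Euclidean distance to a family centroid (assumed)

# strace line: optional pid, optional timestamp, name, "(" args ")", " = " result
STRACE_RE = re.compile(r"^(?:\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?([a-z_0-9]+)\((.*)\)\s*=\s*(\S+)")


def parse_strace(lines):
    """Return (Counter of syscall names, list of LKM parameter strings)."""
    counts, lkm_params = Counter(), []
    for line in lines:
        m = STRACE_RE.match(line.strip())
        if not m:
            continue          # unfinished/resumed, signal and exit lines are skipped
        name, args, _ = m.groups()
        counts[name] += 1
        if name in ("init_module", "finit_module"):
            lkm_params.append(args)   # parameters of the module-loading call
    return counts, lkm_params


def feature_vector(syscalls, api_calls, lkm_params):
    """Relative frequencies, so runs of different length stay comparable."""
    total_sys = sum(syscalls[s] for s in SYSCALL_DIMS) or 1
    total_api = sum(api_calls[a] for a in API_DIMS) or 1
    vec = [syscalls[s] / total_sys for s in SYSCALL_DIMS]
    vec += [api_calls[a] / total_api for a in API_DIMS]
    vec.append(1.0 if lkm_params else 0.0)
    return vec


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def judge(vec, families):
    """K-means assignment step: nearest family centroid, accepted only within
    the threshold. families: {name: {"centroid": [...], "n": sample_count}}."""
    name, dist = min(((f, distance(vec, d["centroid"])) for f, d in families.items()),
                     key=lambda t: t[1])
    return (name, dist) if dist <= MATCH_THRESHOLD else ("unknown", dist)


def feedback(families, name, vec):
    """Weighted feedback correction: the centroid becomes the running mean of all
    samples assigned to the family (K-means centroid update for one point)."""
    fam = families[name]
    n = fam["n"]
    fam["centroid"] = [(n * c + x) / (n + 1) for c, x in zip(fam["centroid"], vec)]
    fam["n"] = n + 1


# Constructed dynamic log of a sample that reads a config, talks to a server
# and sends data out; IP is from the documentation range.
SAMPLE_STRACE = """\
1234  openat(AT_FDCWD, "/data/data/com.example.notes/files/cfg", O_RDONLY) = 5
1234  read(5, "...", 4096) = 512
1234  ioctl(6, BINDER_WRITE_READ, 0xbeff0000) = 0
1234  connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1234  sendto(7, "...", 512, 0, NULL, 0) = 512
1234  sendto(7, "...", 128, 0, NULL, 0) = 128
1234  ioctl(6, BINDER_WRITE_READ, 0xbeff0000) = 0
1234  write(1, "ok", 2) = 2
""".splitlines()
SAMPLE_API_CALLS = Counter({"getDeviceId": 1, "sendTextMessage": 2, "openConnection": 1})

# Constructed family reference vectors (centroids) and their sample counts.
FAMILIES = {
    "InfoStealer": {"centroid": [0.1, 0.1, 0.1, 0.15, 0.3, 0.25, 0.0, 0.0, 0.3, 0.4, 0.0, 0.3, 0.0], "n": 20},
    "LkmRootkit": {"centroid": [0.2, 0.1, 0.1, 0.05, 0.0, 0.2, 0.15, 0.2, 0.0, 0.0, 0.0, 0.0, 1.0], "n": 5},
}


def run_demo():
    """Build the vector for the constructed sample, judge it, feed back on a match."""
    counts, lkm = parse_strace(SAMPLE_STRACE)
    vec = feature_vector(counts, SAMPLE_API_CALLS, lkm)
    family, dist = judge(vec, FAMILIES)
    if family != "unknown":
        feedback(FAMILIES, family, vec)
    return {"syscalls": counts, "vector": vec, "family": family, "distance": dist}
```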

Claims (7)

1. an Android malicious application prevention method based on code behavior similarity mode, it is characterised in that include Following steps:
1) data that the intelligent terminal of the numerous users collected based on analytical tool server submits to, construct application message knowledge Storehouse;
2) receive user when requiring to detect its intelligent terminal's application requests, difference authentication module by with application message knowledge base In the feature of program of the same name compare, quickly detect and repack rogue program;
3) static analysis module utilizes Static Analysis Technology application code to carry out height covering analyzing, extracts what privacy information was correlated with Authority and API Calls information;
4) dynamically analyzing module utilizes dynamic analysis technology simulation program in sandbox to run, and detecting system relates in calling and calling And LKM parameter, tracing record application concrete behavior;
5) cluster judgment module utilizes described dynamic and static analysis generation log information to build multidimensional characteristic vectors, should with malice Each race characteristic vector carry out similarity coupling, it is judged that the attribute of application.
Android malicious application prevention method based on code behavior similarity mode the most according to claim 1, It is characterized in that described difference authentication module checking application program install fileinfo time, if user upload be application program install File URL address, then start web crawlers instrument and download apk type file, if what user uploaded is apk type file, then Difference authentication module utilizes application program, and unique bag name, signature, authority and version number judges.
Android malicious application prevention method based on code behavior similarity mode the most according to claim 1, It is characterized in that described static analysis module carries out program decompiling, if decompiling success, obtain in source code or bytecode Between form, extract the relevant authority of privacy information and API Calls information, carry out data-flow analysis, obtain analyzing daily record;If it is anti- Compile unsuccessfully, be then directly entered and dynamically analyze module.
Android malicious application prevention method based on code behavior similarity mode the most according to claim 1, It is characterized in that described dynamic analysis module carries out application behavior analysis, generate and analyze daily record, in Android simulator Carrying out the dry run of program, the system call information of tracing program, record generates log information.
Android malicious application prevention method based on code behavior similarity mode the most according to claim 1, It is characterized in that described cluster judgment module collects the log information of described static and dynamic state process, generate multiattribute feature Vector, utilizes clustering method that characteristic vector is carried out similarity match check, it is thus achieved that analysis result, carries out Malware and sentences Fixed, with reference to malicious application characteristic vector knowledge base, the reference vector similarity if there is characteristic vector Yu its Malware race exists Within threshold value, then it is judged as this race's Malware, needs to utilize characteristic vector weighted feedback correction reference vector.
The Android malicious application prevention method based on code behavior similarity matching according to claim 5, characterized in that the log information includes API call information, system call logs and LKM parameters.
The Android malicious application prevention method based on code behavior similarity matching according to claim 5, characterized in that the clustering method is K-means.
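The cluster judgment pipeline the claims describe (collect static and dynamic log information, build a multi-attribute feature vector, match it against per-family reference vectors built with K-means, and correct the matched reference by weighted feedback) as an added worked example. This is illustrative code written for this page, not an implementation from the patent or its applicant. The log line formats, the attribute vocabulary, the training samples, the family names, the distance threshold and the feedback weight are all constructed assumptions; LKM parameters are not modelled, and "similarity within the threshold" is realised as Euclidean distance between unit-length vectors not exceeding the threshold.

```python
# Added example: analysis logs -> feature vector -> K-means references -> match + feedback.
# Every log line, attribute name, training sample and constant here is constructed.
import math
import re
from collections import Counter

# Constructed fixed vocabulary: permissions, sensitive API calls, system calls.
ATTRIBUTES = [
    "perm:READ_SMS", "perm:READ_CONTACTS", "perm:INTERNET", "perm:SEND_SMS",
    "api:SmsManager.sendTextMessage", "api:TelephonyManager.getDeviceId",
    "api:HttpURLConnection.connect", "api:ContentResolver.query",
    "sys:connect", "sys:sendto", "sys:open", "sys:read",
]

# Constructed analysis logs for one application under test.
STATIC_LOG = """\
PERMISSION android.permission.READ_SMS
PERMISSION android.permission.INTERNET
PERMISSION android.permission.SEND_SMS
API_CALL android.telephony.SmsManager.sendTextMessage
API_CALL android.telephony.TelephonyManager.getDeviceId
API_CALL java.net.HttpURLConnection.connect
"""
DYNAMIC_LOG = """\
[strace] connect(12, {sa_family=AF_INET, ...}, 16) = 0
[strace] sendto(12, "...", 312, 0, NULL, 0) = 312
[strace] sendto(12, "...", 64, 0, NULL, 0) = 64
[strace] open("/data/data/com.example/files/c", O_RDONLY) = 14
[strace] read(14, "...", 4096) = 4096
"""

# Constructed attribute counts of previously analysed samples, grouped by family.
TRAINING = {
    "SmsStealer": [
        {"perm:READ_SMS": 1, "perm:SEND_SMS": 1, "perm:INTERNET": 1,
         "api:SmsManager.sendTextMessage": 2, "sys:sendto": 3, "sys:connect": 1},
        {"perm:READ_SMS": 1, "perm:INTERNET": 1, "api:TelephonyManager.getDeviceId": 1,
         "api:SmsManager.sendTextMessage": 1, "sys:sendto": 2, "sys:connect": 1, "sys:read": 1},
    ],
    "ContactHarvester": [
        {"perm:READ_CONTACTS": 1, "perm:INTERNET": 1, "api:ContentResolver.query": 3,
         "api:HttpURLConnection.connect": 1, "sys:open": 2, "sys:read": 4, "sys:connect": 1},
        {"perm:READ_CONTACTS": 1, "perm:INTERNET": 1, "api:ContentResolver.query": 2,
         "sys:open": 3, "sys:read": 3, "sys:sendto": 1},
    ],
}

def normalize(counts):
    """Counts keyed by attribute name -> unit-length vector over ATTRIBUTES."""
    vec = [float(counts.get(name, 0)) for name in ATTRIBUTES]
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]

def feature_vector(static_log, dynamic_log):
    """Merge the static and dynamic logs into one multi-attribute feature vector."""
    counts = Counter()
    for line in static_log.splitlines():
        kind, _, name = line.partition(" ")
        if kind == "PERMISSION":      # keep the permission short name
            counts["perm:" + name.rsplit(".", 1)[-1]] += 1
        elif kind == "API_CALL":      # keep Class.method
            counts["api:" + ".".join(name.rsplit(".", 2)[-2:])] += 1
    for m in re.finditer(r"^\[strace\] (\w+)\(", dynamic_log, re.M):
        counts["sys:" + m.group(1)] += 1
    return normalize(counts)          # names outside the vocabulary are dropped

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, init, iters=20):
    """Plain K-means; k = len(init), and init also fixes the centroid order."""
    centroids = [list(c) for c in init]
    for _ in range(iters):
        clusters = [[] for _ in centroids]
        for p in points:
            nearest = min(range(len(centroids)), key=lambda i: distance(p, centroids[i]))
            clusters[nearest].append(p)
        new = [[sum(col) / len(c) for col in zip(*c)] if c else centroids[i]
               for i, c in enumerate(clusters)]
        if new == centroids:
            break
        centroids = new
    return centroids

def build_knowledge_base(training):
    """One reference vector per family: the K-means centroid seeded by that family."""
    families = list(training)
    points = [normalize(c) for fam in families for c in training[fam]]
    centroids = kmeans(points, [normalize(training[fam][0]) for fam in families])
    return dict(zip(families, centroids))

def judge(vec, knowledge_base, threshold=0.6, alpha=0.2):
    """Nearest family reference within `threshold` wins; on a hit the reference is
    pulled toward the sample with weight `alpha` (weighted feedback correction).
    Returns (family or None, distance)."""
    family, dist = min(((f, distance(vec, ref)) for f, ref in knowledge_base.items()),
                       key=lambda t: t[1])
    if dist > threshold:
        return None, dist
    ref = knowledge_base[family]
    knowledge_base[family] = normalize(
        {name: (1 - alpha) * ref[i] + alpha * vec[i] for i, name in enumerate(ATTRIBUTES)})
    return family, dist
```

With the constructed inputs, `judge(feature_vector(STATIC_LOG, DYNAMIC_LOG), build_knowledge_base(TRAINING))` assigns the sample to the SmsStealer family and moves that family's reference toward it, while a vector carrying only INTERNET and read activity falls outside the threshold for every family and is returned as unassigned. Unit-length vectors keep the count scale of a long emulator run from dominating the match, and the feedback weight bounds how far a single sample can drag a reference, which matters when the new sample was itself labelled by the classifier.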

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610273206.0A CN105893848A (en) 2016-04-27 2016-04-27 Precaution method for Android malicious application program based on code behavior similarity matching

Publications (1)

Publication Number Publication Date
CN105893848A true CN105893848A (en) 2016-08-24

Family

ID=56701871

Country Status (1)

Country Link
CN (1) CN105893848A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN103685251A (en) * 2013-12-04 2014-03-26 电子科技大学 Android malicious software detecting platform oriented to mobile internet
CN105205396A (en) * 2015-10-15 2015-12-30 上海交通大学 Detecting system for Android malicious code based on deep learning and method thereof
CN105389508A (en) * 2015-11-10 2016-03-09 工业和信息化部电信研究院 Detection method and apparatus for re-packaged Android application

Cited By (55)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107844408B (en) * 2016-09-18 2021-02-12 中国矿业大学 Similar execution path generation method based on hierarchical clustering
CN107844408A (en) * 2016-09-18 2018-03-27 中国矿业大学 A kind of similar execution route generation method based on hierarchical clustering
CN106529293A (en) * 2016-11-09 2017-03-22 东巽科技(北京)有限公司 Sample classification determination method for malware detection
CN106529293B (en) * 2016-11-09 2019-11-05 东巽科技(北京)有限公司 A kind of sample class determination method for malware detection
CN106709332A (en) * 2016-12-13 2017-05-24 江苏通付盾科技有限公司 Application detection method and device
CN108241802A (en) * 2016-12-27 2018-07-03 卓望数码技术(深圳)有限公司 A kind of Android platform privacy for polymerizeing multidimensional steals class application automatic identifying method
CN106713335A (en) * 2016-12-30 2017-05-24 山石网科通信技术有限公司 Malicious software identification method and device
CN108509796A (en) * 2017-02-24 2018-09-07 中国移动通信集团公司 A kind of detection method and server of risk
CN108509796B (en) * 2017-02-24 2022-02-11 中国移动通信集团公司 Method for detecting risk and server
CN107169351A (en) * 2017-05-11 2017-09-15 北京理工大学 With reference to the Android unknown malware detection methods of dynamic behaviour feature
CN108958826A (en) * 2017-05-22 2018-12-07 北京京东尚科信息技术有限公司 The method and apparatus of dynamic configuration application installation package
CN108932429B (en) * 2017-05-27 2023-02-03 腾讯科技(深圳)有限公司 Application program analysis method, terminal and storage medium
CN108932429A (en) * 2017-05-27 2018-12-04 腾讯科技(深圳)有限公司 Analysis method, terminal and the storage medium of application program
CN109791588B (en) * 2017-06-27 2023-10-13 诺顿身份保护公司 Mitigating malicious actions associated with graphical user interface elements
CN109791588A (en) * 2017-06-27 2019-05-21 赛门铁克公司 Alleviate malicious action associated with graphical user-interface element
CN109542456A (en) * 2017-08-15 2019-03-29 中兴通讯股份有限公司 A kind of preparation method, device and terminal using similarity
CN107798242A (en) * 2017-11-13 2018-03-13 南京大学 A kind of malice Android application automatic checkout system of quiet dynamic bind
CN107798243A (en) * 2017-11-25 2018-03-13 国网河南省电力公司电力科学研究院 The detection method and device of terminal applies
CN107871080A (en) * 2017-12-04 2018-04-03 杭州安恒信息技术有限公司 The hybrid Android malicious code detecting methods of big data and device
CN108509798A (en) * 2018-03-31 2018-09-07 河南牧业经济学院 A kind of computer software analysis system
CN109117164A (en) * 2018-06-22 2019-01-01 北京大学 Micro services update method and system based on key element difference analysis
CN109117164B (en) * 2018-06-22 2020-08-25 北京大学 Micro-service updating method and system based on difference analysis of key elements
CN109284610B (en) * 2018-09-11 2023-02-28 腾讯科技(深圳)有限公司 Virus program detection method and device and detection server
CN109284610A (en) * 2018-09-11 2019-01-29 腾讯科技(深圳)有限公司 A kind of Research of Malicious Executables Detection Method, device and detection service device
CN109508545B (en) * 2018-11-09 2021-06-04 北京大学 Android Malware classification method based on sparse representation and model fusion
CN109508545A (en) * 2018-11-09 2019-03-22 北京大学 A kind of Android Malware classification method based on rarefaction representation and Model Fusion
CN110472415A (en) * 2018-12-13 2019-11-19 成都亚信网络安全产业技术研究院有限公司 A kind of determination method and device of rogue program
CN110472415B (en) * 2018-12-13 2021-08-10 成都亚信网络安全产业技术研究院有限公司 Malicious program determination method and device
CN109815739A (en) * 2019-02-13 2019-05-28 闻泰通讯股份有限公司 Application control method, apparatus, terminal and medium
CN109815739B (en) * 2019-02-13 2022-07-12 闻泰通讯股份有限公司 Application control method, device, terminal and medium
CN109858249A (en) * 2019-02-18 2019-06-07 暨南大学 The quick, intelligent comparison of mobile Malware big data and safety detection method
CN109858249B (en) * 2019-02-18 2020-08-07 暨南大学 Rapid intelligent comparison and safety detection method for mobile malicious software big data
WO2020232685A1 (en) * 2019-05-22 2020-11-26 深圳市欢太科技有限公司 Malicious quickapp detection method and terminal
CN110298171A (en) * 2019-06-17 2019-10-01 暨南大学 The intelligent measurement and safety protecting method of mobile Internet big data application
CN111046390B (en) * 2019-07-12 2023-07-07 安天科技集团股份有限公司 Collaborative defense patch protection method and device and storage equipment
CN111046390A (en) * 2019-07-12 2020-04-21 哈尔滨安天科技集团股份有限公司 Cooperative defense patch protection method and device and storage equipment
CN110674497B (en) * 2019-09-27 2021-07-02 厦门安胜网络科技有限公司 Malicious program similarity calculation method and device
CN110674497A (en) * 2019-09-27 2020-01-10 厦门安胜网络科技有限公司 Malicious program similarity calculation method and device
CN110889115A (en) * 2019-11-07 2020-03-17 国家计算机网络与信息安全管理中心 Malicious push behavior detection method and device
CN111241544A (en) * 2020-01-08 2020-06-05 北京梆梆安全科技有限公司 Malicious program identification method and device, electronic equipment and storage medium
CN111241544B (en) * 2020-01-08 2023-05-02 北京梆梆安全科技有限公司 Malicious program identification method and device, electronic equipment and storage medium
CN111460401A (en) * 2020-05-20 2020-07-28 南京大学 Automatic product tracking method combining software product process information and text similarity
CN111460401B (en) * 2020-05-20 2023-08-22 南京大学 Product automatic tracking method combining software product process information and text similarity
CN111770053A (en) * 2020-05-28 2020-10-13 江苏大学 Malicious program detection method based on improved clustering and self-similarity
CN111597557A (en) * 2020-06-30 2020-08-28 腾讯科技(深圳)有限公司 Malicious application detection method, system, device, equipment and storage medium
CN111783095A (en) * 2020-07-28 2020-10-16 支付宝(杭州)信息技术有限公司 Method and device for identifying malicious code of applet and electronic equipment
CN111935118A (en) * 2020-07-31 2020-11-13 山东理工职业学院 Permission identification gateway and cloud comparison system based on browsing access
CN113158186A (en) * 2021-03-19 2021-07-23 南京邮电大学 Android malicious software static detection method
CN112733145B (en) * 2021-04-06 2021-06-08 北京邮电大学 Android application detection and analysis method, electronic equipment and storage medium
CN112733145A (en) * 2021-04-06 2021-04-30 北京邮电大学 Android application detection and analysis method, electronic equipment and storage medium
CN113343219B (en) * 2021-05-31 2023-03-07 烟台中科网络技术研究所 Automatic and efficient high-risk mobile application program detection method
CN113343219A (en) * 2021-05-31 2021-09-03 烟台中科网络技术研究所 Automatic and efficient high-risk mobile application program detection method
CN113656801B (en) * 2021-08-19 2023-06-09 建信金融科技有限责任公司 Android malicious application family classification method, server and terminal
CN113656801A (en) * 2021-08-19 2021-11-16 建信金融科技有限责任公司 Classification method for Android malicious application family, server and terminal
CN113987485A (en) * 2021-09-28 2022-01-28 奇安信科技集团股份有限公司 Application program sample detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160824