CN105897807A - Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics

Info

Publication number
CN105897807A
Authority
CN
China
Prior art keywords
detection
code
intelligent terminal
mobile intelligent
cloud
Prior art date
Application number
CN201510023257.3A
Other languages
Chinese (zh)
Inventor
傅涛
傅德胜
经正俊
Original Assignee
江苏博智软件科技有限公司
Priority date
2015-01-14
Filing date
2015-01-14
Publication date
2016-08-24
Application filed by 江苏博智软件科技有限公司
Priority to CN201510023257.3A
Publication of CN105897807A

Abstract

The invention discloses a mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics. The method comprises the steps of: combining static detection and dynamic detection for cloud detection of abnormal code on mobile intelligent terminals, and scanning and detecting third-party software when a user downloads and installs the client software for the corresponding platform; sending the acquired sample data to a remote cloud server, where the cloud server performs static detection on the acquired data by comparing it with the data in a malicious program database and returns the detection result directly to the client if matching data exists. Since the cloud server holds a huge feature database, it can respond to common malicious programs quickly. If no matching data exists, a dynamic behavior detection method is used to examine the program, and the behavior of unknown malicious code during execution is monitored. The method can detect malicious code, reduce the false alarm rate, reduce the occupation of system resources, and lighten the burden on the system.

Description

Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics

Technical field

The invention belongs to the field of abnormal code detection, and in particular relates to a mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics.

Background technology

Since malicious code first appeared it has gone through a series of evolutions and is now developing towards high concealment, compound forms and resistance to antivirus removal. Its attack motivation is no longer simply the destructive urge driven by a technical mindset; more and more attacks are targeted operations launched for political, military, intellectual-property and economic goals.

The main techniques involved in this method are:

Static detection: static detection is a simple and fast detection method. During static detection the malicious code does not need to execute; only the syntax, file structure and data flow of the code are analysed. Static detection started early and its databases are rich and large, so it can quickly detect known malicious code, and because the malicious code does not execute during detection it does not consume many system resources. For these reasons static detection is widely used by every major antivirus vendor. However, this technique is only effective against known malicious code with a unique form; it cannot detect in time unknown malicious code that is constantly being updated and changed, and so suffers considerable lag. In addition, practice has shown that malware writers can apply packing, polymorphism, metamorphism and similar techniques to evade static detection successfully, greatly reducing its detection efficiency.

Dynamic detection: the core process of dynamic detection is to run the application in a closed environment and monitor it, and from this to analyse the application's behavioral characteristics. Many parameters are collected for dynamic analysis, such as file permission changes, the running state of processes and threads, system calls and network access. Because dynamic detection requires the application to actually run, and needs a longer time to collect the application's dynamic data, it is more complex than static analysis.

Summary of the invention

To achieve these goals, the invention is realised by the following scheme:

The user downloads the corresponding client application according to the system platform of the mobile intelligent terminal.

The client uses a third-party application to perform detection: for common abnormal code a definite result can be obtained, and that result is shown directly to the handset user.

Programs for which no detection result is obtained are subjected to sample collection, and the collected results are sent to the cloud server.

The cloud server, according to the sample data received, first applies the static detection method to the sample data.

During static detection, the corresponding program feature code is obtained from the sample data supplied by the client; the feature code here is an analysis of the basic information of the program, obtained through syntax feature analysis.

The feature code of the suspect program is matched using the database search engine. If the match succeeds, the suspect code is judged to be malicious and a malice report is submitted to the user; if the match fails, the suspect code is provisionally judged to be non-malicious and dynamic behavior detection is carried out.

Dynamic behavior detection is applied to the application: the behavior of unknown malicious code during execution is monitored and recorded, and the monitoring data is sent to the cloud server.

The cloud server judges from this behavior whether the program is malicious; if it is judged to be a malicious program, its feature code is stored in the feature-code database, and the result is fed back to the user.
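The cloud-side part of the scheme above (static feature-code match first, dynamic behavior judgement only on a miss, and enrichment of the feature-code database so the next static pass hits), written out as an added Python example that is not part of the patent. The feature fields, the behavior classes, the "two or more distinct behavior classes" threshold and all sample data are assumptions constructed for the example; the patent specifies none of them.

```python
import hashlib
from dataclasses import dataclass, field

# Behavior classes the dynamic judgement looks at; the names and the
# "two or more distinct classes" threshold are assumptions for this example.
MALICIOUS_BEHAVIORS = {"file_permission_change", "privileged_syscall", "network_exfil"}

# Constructed sample data as the client would upload it: basic program
# information from syntax-feature analysis (the fields are assumptions).
SAMPLE_SUSPECT = {"package": "com.example.suspect", "permissions": "INTERNET,SEND_SMS",
                  "imports": "TelephonyManager,DexClassLoader"}
SAMPLE_BENIGN = {"package": "com.example.notes", "permissions": "INTERNET",
                 "imports": "SharedPreferences"}
# Constructed runtime monitoring records sent back to the cloud server.
SUSPECT_EVENTS = [{"type": "file_permission_change", "path": "/data/local/tmp/x"},
                  {"type": "network_exfil", "dest": "203.0.113.5:443"}]
BENIGN_EVENTS = [{"type": "network_exfil", "dest": "203.0.113.9:443"}]


@dataclass
class CloudServer:
    feature_db: set = field(default_factory=set)   # feature-code database

    def feature_code(self, sample):
        """Static feature code: digest over the canonicalised basic program info."""
        canon = "|".join(f"{k}={sample[k]}" for k in sorted(sample))
        return hashlib.sha256(canon.encode()).hexdigest()

    def static_detect(self, code):
        """Match the suspect program's feature code against the database."""
        return code in self.feature_db

    def dynamic_judge(self, events):
        """Judge maliciousness from the distinct monitored behavior classes."""
        seen = {e["type"] for e in events} & MALICIOUS_BEHAVIORS
        return len(seen) >= 2

    def detect(self, sample, events):
        """Static pass first; dynamic pass only when the static match fails."""
        code = self.feature_code(sample)
        if self.static_detect(code):
            return "malicious", "static"
        if self.dynamic_judge(events):
            self.feature_db.add(code)      # enrich the DB so the next static pass hits
            return "malicious", "dynamic"
        return "benign", "dynamic"


if __name__ == "__main__":
    srv = CloudServer()
    print(srv.detect(SAMPLE_SUSPECT, SUSPECT_EVENTS))  # first sighting: dynamic verdict
    print(srv.detect(SAMPLE_SUSPECT, []))              # now in the DB: static verdict
    print(srv.detect(SAMPLE_BENIGN, BENIGN_EVENTS))    # one behavior class only: benign
```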

The invention has the following advantages:

Lightweight detection of abnormal code is performed on the client and the detection result is fed back directly to the user, so common abnormal code can be detected quickly.

In the cloud, the sample data undergoes static detection, that is, match detection according to the feature code of the sample data; because the cloud server holds a huge feature database, it can react quickly to common malicious programs.

Programs not detected by static detection are monitored with dynamic behavior detection, and the feature codes of abnormal code showing malicious behavior are stored in the database, further enriching the database and improving the efficiency of the next static detection.

Description of the drawings

Fig. 1 is a schematic flow chart of the method of the invention.

Detailed description of the invention

The user downloads the corresponding client application according to the system platform of the mobile intelligent terminal;

The client uses a third-party application to perform detection: for common abnormal code a definite result can be obtained, and that result is shown directly to the handset user;

Programs for which no detection result is obtained are subjected to sample collection, and the collected results are sent to the cloud server;

The cloud server, according to the sample data received, first applies the static detection method to the sample data;

During static detection, the corresponding program feature code is obtained from the sample data supplied by the client; the feature code here is an analysis of the basic information of the program, obtained through syntax feature analysis;

The feature code of the suspect program is matched using the database search engine. If the match succeeds, the suspect code is judged to be malicious and a malice report is submitted to the user; if the match fails, the suspect code is provisionally judged to be non-malicious and dynamic behavior detection is carried out;

Dynamic behavior detection is applied to the application: the behavior of unknown malicious code during execution is monitored and recorded, and the monitoring data is sent to the cloud server;

The cloud server judges from this behavior whether the program is malicious; if it is judged to be a malicious program, its feature code is stored in the feature-code database, and the result is fed back to the user.

Claims (5)

1. A mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics, characterised in that it comprises the following steps:
(1) the user downloads the corresponding client application according to the system platform of the mobile intelligent terminal;
(2) the client uses a third-party application to perform detection: for common abnormal code a definite result can be obtained, and that result is shown directly to the handset user;
(3) programs for which no detection result is obtained are subjected to sample collection, and the collected results are sent to the cloud server;
(4) the cloud server, according to the sample data received, first applies the static detection method to the sample data;
(5) during static detection, the corresponding program feature code is obtained from the sample data supplied by the client; the feature code here is an analysis of the basic information of the program, obtained through syntax feature analysis;
(6) the feature code of the suspect program is matched using the database search engine; if the match succeeds, the suspect code is judged to be malicious and a malice report is submitted to the user; if the match fails, the suspect code is provisionally judged to be non-malicious and dynamic behavior detection is carried out;
(7) dynamic behavior detection is applied to the application: the behavior of unknown malicious code during execution is monitored and recorded, and the monitoring data is sent to the cloud server;
(8) the cloud server judges from this behavior whether the program is malicious; if it is judged to be a malicious program, its feature code is stored in the feature-code database, and the result is fed back to the user.
2. The mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics according to claim 1, characterised in that: after the client downloads the application program, lightweight detection is carried out first and the detection result is fed back directly to the user, so that common abnormal code can be detected quickly.
3. The mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics according to claim 1, characterised in that: after the lightweight detection, sample data is collected from the abnormal code that was not detected and is then sent to the cloud for further detection.
4. The mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics according to claim 1, characterised in that: static detection is performed on the sample data, that is, match detection according to the feature code of the sample data; because the cloud server holds a huge feature database, it can react quickly to common malicious programs.
5. The mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics according to claim 1, characterised in that: programs not detected by static detection are monitored with dynamic behavior detection, and the feature codes of abnormal code with malicious behavior are stored in the database.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510023257.3A CN105897807A (en) 2015-01-14 2015-01-14 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics

Publications (1)

Publication Number Publication Date
CN105897807A true CN105897807A (en) 2016-08-24

Family

ID=56999468

Country Status (1)

Country Link
CN (1) CN105897807A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106383768A (en) * 2016-09-14 2017-02-08 江苏北弓智能科技有限公司 Mobile device operation behavior-based supervision analysis system and method
CN106384047A (en) * 2016-08-26 2017-02-08 青岛天龙安全科技有限公司 APP detection unknown pattern collection and judging method
CN106708732A (en) * 2016-12-12 2017-05-24 中国航空工业集团公司西安航空计算技术研究所 Software running detection method based on feature codes
CN106971106A (en) * 2017-03-30 2017-07-21 维沃移动通信有限公司 A kind of method, mobile terminal and server for recognizing unauthorized applications
CN107169351A (en) * 2017-05-11 2017-09-15 北京理工大学 With reference to the Android unknown malware detection methods of dynamic behaviour feature
CN107402764A (en) * 2017-07-28 2017-11-28 南京南瑞继保电气有限公司 A kind of graphical page program functional character code calculates method for refreshing
CN108090348A (en) * 2017-12-14 2018-05-29 四川长虹电器股份有限公司 Android malware detection method based on sandbox

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090077544A1 (en) * 2007-09-14 2009-03-19 International Business Machines Corporation Method, system and program product for optimizing emulation of a suspected malware
CN103281301A (en) * 2013-04-28 2013-09-04 上海海事大学 System and method for judging cloud safety malicious program
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103942491A (en) * 2013-12-25 2014-07-23 国家计算机网络与信息安全管理中心 Internet malicious code disposal method
CN104200155A (en) * 2014-08-12 2014-12-10 中国科学院信息工程研究所 Monitoring device and method for protecting user privacy based on iPhone operating system (iOS)

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20160824)