CN105956474B - Android platform software unusual checking system - Google Patents
- Publication number: CN105956474B
- Authority: CN (China)
- Prior art keywords: hook, software, module, data, software action
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses an Android platform software abnormal behavior detection system, belonging to the technical field of intelligent mobile terminals. The system comprises an Android mobile terminal and a software action monitor database that are connected to each other. The Android mobile terminal comprises a kernel Hook module, a data analysis module and a Hook log module. The kernel Hook module comprises the System_server process, the libbind.so library and the ioctl function, which interact in sequence to extract kernel Hook information. The data analysis module comprises a monitoring resource process, a status monitoring process, a data analysis engine and a data processing process, and determines and records abnormal software behavior. The invention is advanced, accurate and comprehensive: it combines the advantages of dynamic detection and static detection and, by hooking sensitive API interface functions, effectively detects the abnormal behavior of app software and effectively collects statistics on the software's operating-system behavior characteristics.
Description
Technical field
The invention belongs to the technical field of intelligent mobile terminals, and in particular relates to an Android platform software abnormal behavior detection system.
Background technique
In recent years, as smartphone production costs have fallen and the mobile Internet has developed rapidly, many PC functions have gradually migrated to mobile phones. Smartphones have become more powerful, supporting functions such as mobile office, electronic payment and in-vehicle navigation, and the quantity of intelligent mobile terminal software far exceeds the quantity of application software on traditional PCs. Compared with the PC, the intelligent terminal is closer to the user and has gradually become an indispensable part of people's work and life. Android and iOS hold an important share of the mobile intelligent terminal operating system market.
Compared with application software on iOS, Android application software currently holds an absolute advantage in both quantity and number of users. Because the Android camp has adopted an open strategy, as its popularity grows it has also become an important target of hackers and malware attacks, and Android platform security problems cannot be ignored.
Software detection is the most important means of Android platform security protection. Current intelligent terminal software detection techniques can be broadly divided into static detection and dynamic detection:
Static detection does not run the target software. Instead, static features of the program, such as code fragments, API functions and semantic logic, are extracted by means such as decompilation and then examined. This method is fast and has a low false alarm rate, but its effectiveness depends on how comprehensive the malware signature library is. When malware is numerous and has many variants, the signature library expands rapidly, occupying more storage space and increasing the complexity of retrieval. Static detection is also easily affected by factors such as program packing, cannot cope with malware processed with obfuscation and polymorphic techniques, and cannot detect unknown malware.
Dynamic detection first installs the software under test on the terminal and runs it, then exercises each function of the software and observes how the software uses system resources. The checks may include whether the software connects to the network without authorization, whether it acquires sensitive information such as contacts, whether it requests to send short message content without prompting, and whether it requests to upload or download files without prompting. Running the software in this way checks whether it exhibits abnormal behaviors such as stealing secrets, fee deduction or propagating illegal content. However, dynamic monitoring requires a monitoring program to run continuously on the mobile terminal, which rapidly exhausts resources such as battery power and affects the user experience to a certain extent. It also causes users some concern about privacy leakage.
Summary of the invention
The purpose of the invention is to overcome the shortcomings and deficiencies of the prior art by proposing an Android platform software abnormal behavior detection system that provides a security guarantee for the software runtime environment on the Android platform.
The technical solution that achieves the purpose of the invention is:
Combining the characteristics of static detection and dynamic detection, the system uses data analysis, behavior monitoring and Hook log information together to identify abnormal software behavior effectively, supports effective querying and determination of abnormal behavior, and provides a security guarantee for Android intelligent terminals.
Specifically, the Android platform software abnormal behavior detection system (the system for short) is as follows.
The system comprises an Android mobile terminal and a software action monitor database that are connected to each other;
The Android mobile terminal comprises a kernel Hook module, a data analysis module and a Hook log module;
The kernel Hook module comprises the System_server process, the libbind.so library and the ioctl function, which interact in sequence to extract kernel Hook information;
The data analysis module comprises a monitoring resource process, a status monitoring process, a data analysis engine and a data processing process; the monitoring resource process and the status monitoring process each interact with the data analysis engine, and the data analysis engine interacts with the data processing process to determine and record abnormal software behavior;
The ioctl function interacts with the data analysis module to complete data transmission;
The data analysis engine interacts with the Hook log module and the monitor database respectively, completing the query of software behavior features and the writing of logs;
The data processing process interacts with the Hook log module and the software action monitor database respectively: it determines the software behavior features, writes the software behavior to the Hook log module, and writes the determined software behavior to the software action monitor database.
The present invention has following advantages and good effect:
1. Advanced: the invention is a combined method built on detection by hooking sensitive APIs, which improves the efficiency of software anomaly detection.
2. Accuracy: more and more malicious apps no longer stay at the application layer and have begun to perform malicious operations at the application framework layer and even the kernel layer; these emerging malicious programs place new demands on virus analysis systems; hooking sensitive API function interfaces makes it possible to detect the malicious operations of app software.
3. Comprehensive: the invention combines the advantages of dynamic detection and static detection; by hooking sensitive API interface functions it effectively detects the abnormal behavior of app software and processes that abnormal behavior; by examining the Hook log or the user behavior feature database, the user can effectively collect statistics on the software's operating-system behavior characteristics.
Brief description of the drawings
Fig. 1 is the structural block diagram of the system;
Fig. 2 is a schematic diagram of the Android Binder communication mechanism.
Wherein:
100 - Android mobile terminal,
110 - kernel Hook module,
111 - System_server process,
112 - libbind.so library,
113 - ioctl function;
120 - data analysis module,
121 - monitoring resource process,
122 - status monitoring process,
123 - data analysis engine,
124 - data processing process;
130 - Hook log module.
200 - software action monitor database.
Explanation of English terms
1, Hook technology: Hook Technique, in fact a program segment that handles messages and is loaded into the system through a call.
2, Android: a free and open-source operating system based on Linux, mainly used in mobile devices such as smartphones and tablet computers, led and developed by Google and the Open Handset Alliance.
3, iOS: the mobile operating system developed by Apple Inc.; its software architecture is separated from the hardware.
Specific embodiment
The system is described in detail below with reference to the drawings and embodiments:
1, overall
As shown in Fig. 1, the system comprises an Android mobile terminal 100 and a software action monitor database 200 that are connected to each other;
The Android mobile terminal 100 comprises a kernel Hook module 110, a data analysis module 120 and a Hook log module 130;
The kernel Hook module 110 comprises the System_server process 111, the libbind.so library 112 and the ioctl function 113, which interact in sequence to extract kernel Hook information;
The data analysis module 120 comprises a monitoring resource process 121, a status monitoring process 122, a data analysis engine 123 and a data processing process 124; the monitoring resource process 121 and the status monitoring process 122 each interact with the data analysis engine 123, and the data analysis engine 123 interacts with the data processing process 124 to determine and record abnormal software behavior;
The ioctl function 113 interacts with the data analysis module 120 to complete data transmission;
The data analysis engine 123 interacts with the Hook log module 130 and the monitor database 200 respectively, completing the query of software behavior features and the writing of logs;
The data processing process 124 interacts with the Hook log module 130 and the software action monitor database 200 respectively: it determines the software behavior features, writes the software behavior to the Hook log module 130, and writes the determined software behavior to the software action monitor database 200.
2, functional block
1) Android mobile terminal 100
(1) kernel Hook module 110
The workflow of the kernel Hook module 110:
1. Using the ptrace system function, a Shellcode program is injected into the System_server process 111; ptrace provides a way for a parent process to control the execution of a child process, and is mainly used to implement breakpoint debugging;
2. Using the ptrace system function, the code in the Shellcode is executed:
Shellcode is in fact a piece of code (it may also be padding data) that exploits a particular vulnerability of a system and can obtain higher privileges; Shellcode is often sent as data to the attacked system;
3. The Shellcode code runs inside the System_server process 111, and its function is to call the Hook shared library;
4. The Hook shared library hijacks the ioctl function 113 called in the libbind.so library 112 within the System_server process 111, redirects the output of the hijacked data to the data analysis module 120 for data parsing, and writes the processing result to the Hook log module 130 and the software action monitor database 200.
The working mechanism of the kernel Hook module 110:
Recent mobile phone malware no longer stays at the application layer and has begun to perform malicious operations at the application framework layer and even the kernel layer, which makes the work of detection software more difficult. The kernel Hook module 110 monitors system processes by hooking the API interfaces of kernel-layer driver functions. Using the ptrace system function, the Shellcode program is injected into the System_server process 111 and the code in the Shellcode is executed; the Shellcode code runs inside the System_server process 111, and its function is to call the Hook shared library. The Hook shared library redirects the output of the hijacked data to the data analysis module 120 for data parsing, and the processing result is written to the Hook log module 130 and the software action monitor database 200.
(2) data analysis module 120
The workflow of the data analysis module 120:
1. Receive the data sent by the kernel Hook module 110;
2. The data analysis module 120 classifies and parses the data received in step 1. System resource: reading IMEI or IMSI, sending short messages, making phone calls, reading GPS information, connecting to the camera service and connecting to the recording service. System state: reading and writing system database information;
3. The data analysis engine 123 compares the data parsed in step 2 with the permissions of the app in the software action monitor database 200; after the data has been processed, the app name, operation time, type, number and content are written to the Hook log module 130 and the software action monitor database 200;
4. A behavior feature database is formed from the operation process. While the app software is operating, the data processing process 124 processes and collects statistics on the software behavior and compares it with the data in the software action monitor database 200; if there is an obvious abnormality within the statistical period, an exception report is generated and written to the Hook log module 130;
5. A behavior feature database is formed from the operation process. While the app software is operating, the data processing process 124 processes and collects statistics on the software behavior and compares it with the data in the software action monitor database 200; if there is no obvious abnormality within the statistical period, a log report is generated and written to the Hook log module 130.
The working mechanism of the data analysis module 120:
The main role of the data analysis module 120 is to parse the operating-system Hook data it receives for the software. The data analysis module 120 then classifies and parses the data into system resource and system state. System resource includes reading IMEI or IMSI, sending short messages, making phone calls, reading GPS information, connecting to the camera service and connecting to the recording service; system state includes reading and writing system database information. The data analysis engine 123 compares the data with the permissions of the app in the behavior monitoring database 200; after the data has been processed, it is parsed by app name, operation time, type, number and content, and the processing result is written to the Hook log module 130 and the behavior monitoring database 200. A behavior feature database is formed from the operation: while the app software is operating, the data processing process 124 processes and collects statistics on the software behavior and compares it with the data in the software action monitor database 200; if there is an obvious abnormality within the statistical period, an exception report is generated and written to the Hook log 130. Likewise, while the app software is operating, the data processing process 124 processes and collects statistics on the software behavior and compares it with the data of the data analysis module 120; if there is no obvious abnormality within the statistical period, a log report is generated and written to the Hook log 130.
(3) Hook log module 130
The workflow of the Hook log module 130:
Mainly, after the data processing process 124 has finished determining the software behavior, the local log is written according to the statistical conclusion: if the software behavior is abnormal, the exception information is generated as an exception report and written to the Hook log module 130; if the software behavior is normal, the software behavior is generated as a log report and written to the Hook log module 130.
The working mechanism of the Hook log module 130:
The Hook log module 130 and the behavior monitoring database 200 are the system's behavior recording modules. After data processing is complete, they mainly write the app name, operation time, type, number and content to the database, and count the number of times and the traffic with which users use a given protocol in a given period, for the purposes of security statistics and determination. For the result of the determination, if the software behavior is abnormal, the exception information is generated as an exception report and written to the Hook log module 130; if the software behavior is normal, the software behavior is generated as a log report and written to the Hook log module 130.
2) software action monitor database 200
The workflow of the software action monitor database 200:
The software action monitor database 200 is a database module that mainly stores data: the app name, operation time, type, number and content are written to the database, and the number of times and the traffic with which users use a given protocol in a given period are counted, for the purposes of security statistics and determination.
The working mechanism of the software action monitor database 200:
The database defines abnormal software behavior. When the Android mobile terminal analyzes software behavior features in combination with the Hook log module 130, the database provides real-time queries and supports real-time write-back of the processing results of the data analysis module 120.
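The data analysis workflow and the record fields of the Hook log and monitor database described above, sketched as an added example that is not code from the patent. The operation identifiers, the 60-second statistics window, the per-window ceiling used as the test for "obvious" abnormality and the reading of the "number" field as a running call count are assumptions; the sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Step 2 classification: six system-resource operations, one system-state one.
# The operation identifiers are names chosen for this example.
SYSTEM_RESOURCE = {"read_imei_imsi", "send_sms", "make_call",
                   "read_gps", "connect_camera", "connect_recording"}
SYSTEM_STATE = {"rw_system_db"}


@dataclass(frozen=True)
class HookEvent:
    """One record received from the kernel Hook module (step 1)."""
    app: str
    time: int        # operation time, seconds since capture start
    op: str
    content: str


@dataclass
class MonitorDatabase:
    """Stand-in for the software action monitor database 200."""
    permissions: dict        # app -> set of operations the app may perform
    max_per_window: dict     # op -> assumed ceiling per statistics window
    rows: list = field(default_factory=list)


def classify(op):
    if op in SYSTEM_RESOURCE:
        return "system_resource"
    if op in SYSTEM_STATE:
        return "system_state"
    return "unclassified"


def analyse(events, db, window=60):
    """Return (hook_log, reports) for a batch of hooked events."""
    hook_log, reports = [], []
    counts = Counter()                       # (app, window slot, op) -> calls
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.app, ev.time // window, ev.op)
        counts[key] += 1
        # Step 3: compare with the app's permissions, then record the row in
        # both the Hook log and the monitor database.
        row = {"app": ev.app, "time": ev.time, "type": classify(ev.op),
               "op": ev.op, "number": counts[key], "content": ev.content,
               "permitted": ev.op in db.permissions.get(ev.app, set())}
        db.rows.append(row)
        hook_log.append(("record", row))
    # Steps 4 and 5: per app and window, an exception report if anything is
    # abnormal, otherwise an ordinary log report.
    for app, slot in sorted({(a, s) for a, s, _ in counts}):
        reasons = []
        for (a, s, op), n in sorted(counts.items()):
            if (a, s) != (app, slot):
                continue
            ceiling = db.max_per_window.get(op)
            if op not in db.permissions.get(app, set()):
                reasons.append(f"{op}: not permitted for this app")
            elif ceiling is not None and n > ceiling:
                reasons.append(f"{op}: {n} calls in one window (ceiling {ceiling})")
        kind = "exception_report" if reasons else "log_report"
        report = {"kind": kind, "app": app, "window": slot, "reasons": reasons}
        reports.append(report)
        hook_log.append((kind, report))
    return hook_log, reports


def demo():
    """Constructed sample events for three hypothetical apps."""
    db = MonitorDatabase(
        permissions={"com.example.notes": {"rw_system_db"},
                     "com.example.flashlight": {"connect_camera"},
                     "com.example.maps": {"read_gps"}},
        max_per_window={"read_gps": 5})
    events = [HookEvent("com.example.notes", 3, "rw_system_db", "query"),
              HookEvent("com.example.flashlight", 5, "connect_camera", "open")]
    events += [HookEvent("com.example.flashlight", 10 + i, "send_sms", "constructed")
               for i in range(3)]
    events += [HookEvent("com.example.maps", i, "read_gps", "fix") for i in range(7)]
    events.append(HookEvent("com.example.maps", 70, "read_gps", "fix"))
    hook_log, reports = analyse(events, db)
    return hook_log, reports, db


if __name__ == "__main__":
    for kind, item in demo()[0]:
        if kind != "record":
            print(kind, item["app"], item["window"], item["reasons"])
```

A permission mismatch is reported regardless of call volume, so a single unpermitted operation is enough to turn a window's log report into an exception report.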
3, working principle
1) system principle
The purpose of the system is to obtain software operating information from the Android system and identify the abnormal behavior of app software.
The kernel Hook module 110 of the Android mobile terminal 100, having obtained permission, injects the Shellcode code into the System_server process 111 and, by hooking the ioctl function 113 imported in the dynamic link library libbind.so 112, sends Android system operating information to the data analysis module 120; the data analysis module 120 monitors application behavior, including: reading IMEI or IMSI, sending short messages, making phone calls, reading or writing the system database, reading GPS information, connecting to the camera service and connecting to the recording service; the system operating information is analyzed and processed by the monitoring resource process 121 and the status monitoring process 122 and sent to the data analysis engine 123 and the data processing process 124, which, in combination with the software action monitor database 200, process the system status information and write it to the Hook log module 130.
2) Android binder communication mechanism principle:
As shown in Fig. 2, Android Binder is an inter-process communication mechanism. Every remote service object in the system exists in the form of a Binder, and these Binders have a manager, the ServiceManager; to hook these services, one naturally starts from the ServiceManager. The Binder mechanism of the Android system consists of four system components: Client, Server, Service Manager and the Binder driver. Client, Server and Service Manager run in user space, and the Binder driver runs in kernel space. Binder is the adhesive that bonds these four components together: the core component is the Binder driver, the Service Manager provides auxiliary management functions, and Client and Server carry out Client-Server communication on the infrastructure provided by the Binder driver and the Service Manager. This mechanism of hooking system services is called Binder Hook, because in essence these service providers are Binder objects that exist in each process of the system.
(1) Client, Server and Service Manager are implemented in user space, and the Binder driver is implemented in kernel space;
(2) The Binder driver and the Service Manager are already implemented in the Android platform; developers only need to implement their own Client and Server in user space;
(3) The Binder driver provides a device file for interaction with user space; Client, Server and Service Manager communicate with the Binder driver through the ioctl file operation function;
(4) Inter-process communication between Client and Server is implemented indirectly through the Binder driver;
(5) The Service Manager is a daemon process that manages Servers and gives Clients the ability to query Server interfaces.
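What a hook on the ioctl function has to parse when Client and Server talk to the Binder driver, as an added example that is not code from the patent: it decodes the argument of a BINDER_WRITE_READ ioctl and the command stream in its write buffer. The struct layouts are the 64-bit ones from the kernel UAPI header linux/android/binder.h (an assumption about the target ABI), and the sample buffer is constructed.

```python
import struct

_IOC_WRITE, _IOC_READ = 1, 2


def _ioc(direction, type_char, nr, size):
    """Encode an ioctl number: dir (2 bits) | size (14) | type (8) | nr (8)."""
    return (direction << 30) | (size << 16) | (ord(type_char) << 8) | nr


# 64-bit layouts (assumed ABI), little-endian; the fields are naturally aligned.
BWR = struct.Struct("<6Q")           # struct binder_write_read
TXN = struct.Struct("<QQIIiIQQQQ")   # struct binder_transaction_data

BINDER_WRITE_READ = _ioc(_IOC_READ | _IOC_WRITE, "b", 1, BWR.size)
BC_TRANSACTION = _ioc(_IOC_WRITE, "c", 0, TXN.size)
BC_REPLY = _ioc(_IOC_WRITE, "c", 1, TXN.size)
BC_FREE_BUFFER = _ioc(_IOC_WRITE, "c", 3, 8)
TF_ONE_WAY = 0x01
NAMES = {BC_TRANSACTION: "BC_TRANSACTION", BC_REPLY: "BC_REPLY"}


def decode_bwr(arg):
    """Decode the struct passed as the third argument of BINDER_WRITE_READ."""
    fields = ("write_size", "write_consumed", "write_buffer",
              "read_size", "read_consumed", "read_buffer")
    return dict(zip(fields, BWR.unpack(arg)))


def decode_commands(write_buf):
    """Walk the BC_* command stream copied from write_buffer.

    Each command is a 32-bit word followed by a payload whose length is the
    size field encoded in the command word itself, so unknown commands can be
    skipped safely. The transaction payload (data.ptr.buffer) lives in the
    caller's address space and is not dereferenced here.
    """
    out, off = [], 0
    while off < len(write_buf):
        if len(write_buf) - off < 4:
            raise ValueError("truncated command word")
        (cmd,) = struct.unpack_from("<I", write_buf, off)
        off += 4
        size = (cmd >> 16) & 0x3FFF
        if len(write_buf) - off < size:
            raise ValueError("truncated payload for command 0x%08x" % cmd)
        if cmd in NAMES:
            (target, _cookie, code, flags, _pid, _euid,
             data_size, _offsets_size, _buf, _offs) = TXN.unpack_from(write_buf, off)
            out.append({"cmd": NAMES[cmd],
                        "handle": target & 0xFFFFFFFF,   # low half of the union
                        "code": code,
                        "one_way": bool(flags & TF_ONE_WAY),
                        "data_size": data_size})
        else:
            out.append({"cmd": hex(cmd), "payload_size": size})
        off += size
    return out


def sample_write_buffer():
    """Constructed stream: one BC_FREE_BUFFER, then a one-way BC_TRANSACTION."""
    buf = struct.pack("<IQ", BC_FREE_BUFFER, 0x70001000)
    buf += struct.pack("<I", BC_TRANSACTION)
    buf += TXN.pack(7, 0, 1, TF_ONE_WAY, 0, 0, 128, 0, 0x70002000, 0)
    return buf


if __name__ == "__main__":
    for entry in decode_commands(sample_write_buffer()):
        print(entry)
```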
Claims (1)
1. An Android platform software abnormal behavior detection system, comprising an Android mobile terminal (100) and a software action monitor database (200) that are connected to each other;
The Android mobile terminal (100) comprises a kernel Hook module (110), a data analysis module (120) and a Hook log module (130);
The kernel Hook module (110) comprises the System_server process (111), the libbind.so library (112) and the ioctl function (113), which interact in sequence to extract kernel Hook information;
The data analysis module (120) comprises a monitoring resource process (121), a status monitoring process (122), a data analysis engine (123) and a data processing process (124); the monitoring resource process (121) and the status monitoring process (122) each interact with the data analysis engine (123), and the data analysis engine (123) interacts with the data processing process (124) to determine and record abnormal software behavior;
The ioctl function (113) interacts with the data analysis module (120) to complete data transmission;
The data analysis engine (123) interacts with the Hook log module (130) and the monitor database (200) respectively, completing the query of software behavior features and the writing of logs;
The data processing process (124) interacts with the Hook log module (130) and the software action monitor database (200) respectively: it determines the software behavior features, writes the software behavior to the Hook log module (130), and writes the determined software behavior to the software action monitor database (200);
The workflow of the kernel Hook module (110) is:
A, using the ptrace system function, a Shellcode program is injected into the System_server process (111); ptrace provides a way for a parent process to control the execution of a child process, and is mainly used to implement breakpoint debugging;
B, using the ptrace system function, the code in the Shellcode is executed:
Shellcode is in fact a piece of code that exploits a particular vulnerability of a system and can obtain higher privileges; Shellcode is often sent as data to the attacked system;
C, the Shellcode code runs inside the System_server process (111), and its function is to call the Hook shared library;
D, the Hook shared library hijacks the ioctl function (113) called in the libbind.so library (112) within the System_server process (111), redirects the output of the hijacked data to the data analysis module (120) for data parsing, and writes the processing result to the Hook log module (130) and the software action monitor database (200);
The workflow of the Hook log module (130) is:
Mainly, after the data processing process (124) has finished determining the software behavior, the local log is written according to the statistical conclusion: if the software behavior is abnormal, the exception information is generated as an exception report and written to the Hook log module (130); if the software behavior is normal, the software behavior is generated as a log report and written to the Hook log module (130);
The workflow of the software action monitor database (200) is:
The software action monitor database (200) is a database module that mainly stores data: the app name, operation time, type, number and content are written to the database, and the number of times and the traffic with which users use a given protocol in a given period are counted, for the purposes of security statistics and determination;
characterized in that:
The workflow of the data analysis module (120) is:
1. Receive the data sent by the kernel Hook module (110);
2. The data analysis module (120) classifies and parses the data received in step 1. System resource: reading IMEI or IMSI, sending short messages, making phone calls, reading GPS information, connecting to the camera service and connecting to the recording service. System state: reading and writing system database information;
3. The data analysis engine (123) compares the data parsed in step 2 with the permissions of the app in the software action monitor database (200); after the data has been processed, the app name, operation time, type, number and content are written to the Hook log module (130) and the software action monitor database (200);
4. A behavior feature database is formed from the operation process. While the app software is operating, the data processing process (124) processes and collects statistics on the software behavior and compares it with the data in the software action monitor database (200); if there is an obvious abnormality within the statistical period, an exception report is generated and written to the Hook log module (130);
5. A behavior feature database is formed from the operation process. While the app software is operating, the data processing process (124) processes and collects statistics on the software behavior and compares it with the data in the software action monitor database (200); if there is no obvious abnormality within the statistical period, a log report is generated and written to the Hook log module (130).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610323750.1A CN105956474B (en) | 2016-05-17 | 2016-05-17 | Android platform software unusual checking system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610323750.1A CN105956474B (en) | 2016-05-17 | 2016-05-17 | Android platform software unusual checking system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105956474A CN105956474A (en) | 2016-09-21 |
CN105956474B true CN105956474B (en) | 2018-12-25 |
Family
ID=56911666
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610323750.1A Active CN105956474B (en) | 2016-05-17 | 2016-05-17 | Android platform software unusual checking system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105956474B (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107967155B (en) * | 2016-10-18 | 2022-01-07 | 腾讯科技(深圳)有限公司 | Method, device, server and medium for realizing program operation based on Hook shared library |
CN106709357A (en) * | 2016-12-14 | 2017-05-24 | 武汉虹旭信息技术有限责任公司 | Kernel internal storage monitoring based vulnerability prevention system for Android platform |
CN106844182B (en) * | 2017-02-07 | 2021-07-09 | 网易(杭州)网络有限公司 | Method, system and mobile terminal for recording user behavior |
CN108804278A (en) * | 2017-05-04 | 2018-11-13 | 苏州睿途网络科技有限公司 | A kind of software monitors system and its business model |
CN107239698A (en) * | 2017-05-27 | 2017-10-10 | 北京洋浦伟业科技发展有限公司 | A kind of anti-debug method and apparatus based on signal transacting mechanism |
CN109508245A (en) * | 2017-09-15 | 2019-03-22 | 西安中兴新软件有限责任公司 | A kind of method and terminal for realizing anomaly analysis |
CN107635011B (en) * | 2017-10-17 | 2021-01-15 | 四川智魔王智能科技股份有限公司 | System and method for realizing transparent proxy of network in application by Android platform |
CN108256320B (en) * | 2017-12-27 | 2020-04-28 | 北京梆梆安全科技有限公司 | Dynamic detection method, device, equipment and storage medium for differential domain |
CN108959923B (en) * | 2018-05-31 | 2022-05-17 | 深圳壹账通智能科技有限公司 | Comprehensive security sensing method and device, computer equipment and storage medium |
CN109740345A (en) * | 2018-12-26 | 2019-05-10 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of monitoring process |
CN110046502B (en) * | 2019-04-08 | 2020-12-04 | 中国科学院软件研究所 | Configurable function API monitoring method based on virtualized efficient HASH |
CN110457140B (en) * | 2019-07-02 | 2022-11-11 | 福建新大陆通信科技股份有限公司 | Fastener mechanism-based client server quick calling method and system |
CN110334523B (en) * | 2019-07-18 | 2021-06-01 | 北京智游网安科技有限公司 | Vulnerability detection method and device, intelligent terminal and storage medium |
CN112965892B (en) * | 2019-12-12 | 2024-06-21 | 大唐移动通信设备有限公司 | Abnormal information acquisition method and device of software system, electronic equipment and medium |
CN111209007B (en) * | 2020-01-17 | 2023-03-31 | 山东浪潮科学研究院有限公司 | Software implementation method for monitoring controllable equipment based on mobile environment |
CN115563614B (en) * | 2022-10-27 | 2023-08-04 | 艾德领客(上海)数字技术有限公司 | Software abnormal behavior file tracing method applied to artificial intelligence |
CN117201072B (en) * | 2023-07-31 | 2024-06-14 | 北京天融信网络安全技术有限公司 | User password acquisition method, device, equipment and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103136472A (en) * | 2011-11-29 | 2013-06-05 | 腾讯科技(深圳)有限公司 | Method and mobile device of stopping application program to steal privacy |
CN103136471A (en) * | 2011-11-25 | 2013-06-05 | 中国科学院软件研究所 | Method and system for testing malicious Android application programs |
CN103198255A (en) * | 2013-04-03 | 2013-07-10 | 武汉大学 | Method and system for monitoring and intercepting sensitive behaviour of Android software |
CN104217164A (en) * | 2014-09-11 | 2014-12-17 | 工业和信息化部电子第五研究所 | Method and device for detecting malicious software of intelligent mobile terminal |
CN104751052A (en) * | 2013-12-30 | 2015-07-01 | 南京理工大学常熟研究院有限公司 | Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm |
CN104766012A (en) * | 2015-04-09 | 2015-07-08 | 广东电网有限责任公司信息中心 | Method and system for dynamic detection of data safety based on dynamic taint tracking |
CN105427096A (en) * | 2015-12-25 | 2016-03-23 | 北京奇虎科技有限公司 | Payment security sandbox realization method and system and application program monitoring method and system |
CN106156628A (en) * | 2015-04-16 | 2016-11-23 | 阿里巴巴集团控股有限公司 | A kind of user behavior analysis method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8930940B2 (en) * | 2011-08-19 | 2015-01-06 | Yongyong Xu | Online software execution platform |
- 2016-05-17: CN application CN201610323750.1A, patent CN105956474B, status Active
Non-Patent Citations (1)
Title |
---|
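Design and Implementation of a Security Monitoring System for Android Application Behavior; 阙斌生; China Master's Theses Full-text Database, Information Science and Technology (Monthly); 20150415 (No. 4); full text * |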
Also Published As
Publication number | Publication date |
---|---|
CN105956474A (en) | 2016-09-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105956474B (en) | Android platform software unusual checking system | |
US11924230B2 (en) | Individual device response options from the monitoring of multiple devices | |
US9753796B2 (en) | Distributed monitoring, evaluation, and response for multiple devices | |
Di Cerbo et al. | Detection of malicious applications on android os | |
Pan et al. | Dark hazard: Large-scale discovery of unknown hidden sensitive operations in Android apps | |
CN112685737A (en) | APP detection method, device, equipment and storage medium | |
US9781143B1 (en) | Systems and methods for detecting near field communication risks | |
CN113489713B (en) | Network attack detection method, device, equipment and storage medium | |
CN105531712A (en) | Data flow based behavioral analysis on mobile devices | |
CN104484599A (en) | Behavior processing method and device based on application program | |
CN105874463A (en) | Method and apparatus for malware detection | |
CN103268448B (en) | The method and system of the security of detection of dynamic Mobile solution | |
CN111835756B (en) | APP privacy compliance detection method and device, computer equipment and storage medium | |
KR20110128632A (en) | Method and device for detecting malicious action of application program for smartphone | |
CN113177205B (en) | Malicious application detection system and method | |
Wang et al. | Leakdoctor: Toward automatically diagnosing privacy leaks in mobile applications | |
Bhatia et al. | Tipped Off by Your Memory Allocator: Device-Wide User Activity Sequencing from Android Memory Images. | |
Saad et al. | Android spyware disease and medication | |
Liccardi et al. | Improving mobile app selection through transparency and better permission analysis | |
CN113486335B (en) | JNI malicious attack detection method and device based on RASP zero rule | |
CN117272308A (en) | Software security test method, device, equipment, storage medium and program product | |
CN115398431A (en) | User information violation acquisition detection method and related equipment | |
CN115828256A (en) | Unauthorized and unauthorized logic vulnerability detection method | |
Almotairy et al. | B-droid: a static taint analysis framework for android applications | |
CN113132346A (en) | Detection method and system for mobile application information stealing and returning master control address |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||