CN106384047A - APP detection unknown pattern collection and judging method - Google Patents

Info

Publication number: CN106384047A
Authority: CN (China)
Prior art keywords: rules, regulations, analysis system, clue, malice
Application number: CN201610737830.1A
Other languages: Chinese (zh)
Other versions: CN106384047B (en)
Inventor: 王明贤
Original Assignee: 青岛天龙安全科技有限公司; 王明贤
Priority date / Filing date: 2016-08-26
Publication date: 2017-02-08
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention relates to an APP detection unknown behaviour collection and judgment method. During security detection of an APP program, a dual-channel test is conducted for an unknown detection result, and the results of the two channels are compared so that a correct, convergent result can be deduced.

Description

APP detection unknown behaviour collection and judgment method

Technical field

The present invention relates to a method for judging the rules of a security detection project for applications on intelligent mobile devices and for converging the interpretations that it collects.

Background technology

Most detection of malicious content in mobile APPs, and the related security detection, faces a practical problem: the so-called "security" issues and "malicious behaviour" of the "real world" far exceed what commonly used tools are able to test. In other words, a single, simply designed inspection tool cannot detect risks and harms of the same degree as those of the "real world", which is to say that accuracy is in fact a challenge that still has to be improved.

With the previously existing technology, a tool for detecting APP security at most approaches some of the quantity of real-world malicious behaviour, or only a part of it; no test tool covers 100% of the risks, so that with the technology available today the reliability of a tool's test capability can only be estimated as well as possible but cannot be confirmed.

Content of the invention

In view of the problems of the prior art, the inventor recognises that an improved arrangement is needed, and therefore provides an APP detection unknown behaviour collection and judgment method that is operated as a program on computer equipment: a detection interpretation for mobile application programs that cross-compares the multiple clues produced by the interpretation and yields a detection correction method whose judgements converge in credibility.

The present invention establishes a dual-channel test model: the same APP is submitted to two groups of different inspection engines so as to obtain two groups of output results, and the two groups of results are then cross-compared to find the clues that can be confirmed as reliable, in order to judge whether the APP has malicious behaviour, security problems and the like. Confirmed clues are found by cross-comparison; anomalous clues are likewise found by cross-comparison and analysed to confirm whether they have reference value. Through the system construction of the present invention, a mechanism for revising the accuracy of interpretation is produced and a computation pattern that continuously converges in accuracy is formed. The model of the present invention runs as an automated process and in a continuously scheduled operating mode.

Brief description

Fig. 1 is a block diagram of the flow of the method of the present invention.

Fig. 2 is a schematic diagram of the operational definitions of the present invention.

Fig. 3 is a detailed schematic diagram of block 6 of Fig. 1 of the present invention.

Specific embodiment

1. Referring to block 1 of Fig. 1, an APK application for the Android operating system or an IPA application for the iOS operating system (collectively referred to as an APP or application) is placed, by transmission or copying, into the working area to be tested or into a specific storage area of a server, where it waits for the subsequent test and analysis work. The source of the APK or IPA referred to in this module may be downloading, copying, self-storage or carrying in by a trusted source, and is not limited to the aforesaid source modes.

2. Referring to blocks 2 and 3 of Fig. 1, the APK or IPA (APP or application) assigned from step 1 is received and analysed. The analysis is carried out in the following manner:

(A). Detection rule (RULE) A is defined, representing a series of detections of the original program's statement header (Header) and test patterns (Testing Code), or of file disassembly, or of the APP's execution behaviour and results when it is executed in a simulated environment; whether performed by disassembly, by calling testing code (Testing Code) or by simulated execution, all of these are regarded as disassembly and judgment;

(B). According to the disassembled file content, the rules are searched for matching parts, and a match test (MatchQuery) determines the malicious behaviour;

(C). According to the execution results and the content of the log (log) generated during execution, the rules are searched for matching parts, and a match test (MatchQuery) determines the malicious behaviour;

(D). Analysis system A is triggered (trigger) to execute as a Service or as an execution tool (Executive tool), and its rule development must be isolated from analysis system B, with its test rules derived from its own methods, so that under organic growth it produces test rules that do not deliberately imitate the other system. Analysis system B is likewise triggered (trigger) to execute as a Service or as an execution tool (Executive tool), and its rule development must be isolated from analysis system A, with its test rules derived from its own methods, so that under organic growth it produces test rules that do not deliberately imitate the other system. That is, the analysis methods, rules and conditions of analysis systems A and B each develop as independent analysis systems, which serves as one of the important comparison bases for the subsequent screening and filtering of malicious clues.

Referring to Fig. 2, and in coordination with the accumulated technology of known standards or known security discrimination in blocks 1 and 2 of Fig. 1, the test rules (rules) are formulated and established, as in block 3 of Fig. 2.

The inventory of malicious behaviours and key control codes is defined according to the test rules, as in block 5 of Fig. 2. The disassembly and interpretation methods (detection content) are established according to the test rules, as in block 4 of Fig. 2. Detection and interpretation are carried out according to the defined malicious-behaviour inventory and the disassembly and interpretation methods, and it is confirmed whether an entry of the malicious inventory is matched, as in blocks 6 and 7 of Fig. 2. Security clue rule sets A and B receive the disassembly and analysis results of analysis systems A and B of blocks 2 and 3 of Fig. 1 and analyse them into security clue rule sets; each set may be in file format or database format, and carries the interpretation of the corresponding malicious inventory entry that a single security clue clearly matches. The security clue rule set produced by static analysis is also called the malicious pattern (MalPattern) comparison; this malicious pattern is further saved as an index needed for digital forensics, but is not yet issued for use as security evidence.

3. The clues of the analysis results of blocks 4 and 5 of Fig. 1, produced by step (2), are received (see Fig. 3), and the following judgment work is carried out:

(A). If the (dynamic) malicious behaviours in security clue rule sets A and B, produced by analysis systems A and B, match and their source positions in the original inspected program intersect, that is, analysis system A and analysis system B both detect the same security problem at the same position although with different rules, so that it falls in area a, it is regarded as a "quick-screening-rule dynamic malicious interpretation of high credibility";

(B). If the (static) key control codes in security clue rule sets A and B, produced by analysis systems A and B, match and their source positions in the original inspected program intersect, that is, analysis system A and analysis system B both detect the same security problem at the same position although with different rules, so that it falls in area b, it is regarded as a "quick-screening-rule static malicious interpretation of high credibility";

(C). If both the (static) key control codes and the (dynamic) malicious behaviours in security clue rule sets A and B, produced by analysis systems A and B, match and their source positions in the original inspected program intersect, that is, analysis system A and analysis system B both detect the same security problem at the same position although with different rules, so that it falls in area e, it is regarded as a "mobile application security detection reliable result" of mutually corroborating common security clues;

(D). By the same reasoning, when either the malicious behaviours or the key control codes in security clue rule sets A and B do not match (clues in areas d and c), this is regarded as a missed detection or as the consequence of a poorly defined rule or poorly designed test method; such clues are stored separately and independently in file or database format, marked with the original test rule, the position of the matching rule in this program, the program name, the file model and so on, sufficient information (including but not limited to the aforesaid) for subsequent comparison and interpretation;

(E). By the same reasoning, when both the malicious behaviours and the key control codes in security clue rule sets A and B do not match (clues in area f), so that they are regarded as not detected and as not matching the rule definitions, but are geometrically close, as in blocks 9, 10 and 11 of Fig. 1, such clues are stored separately and independently in file or database format, marked with the original test rule, the position of the matching rule in this program, the program name, the file model and so on; they are then compared manually and re-tested to confirm the clue, and after confirmation the rule and test method are incorporated, as in blocks 12 and 13 of Fig. 1.
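As an added illustration (not code from the patent or its assignee), the following Python sketches the cross-comparison of step 3: findings from two independently developed analysis systems are matched on evidence and source position and sorted into the patent's areas a, b, e (corroborated), c/d (one-sided hits kept for follow-up) and f (close but unmatched, for manual comparison and re-test). The Finding layout, the `near` line threshold and the sample findings are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One match produced by analysis system A or B (assumed record layout)."""
    rule_id: str   # rule from that system's own set; the two sets evolve independently
    kind: str      # "dynamic" = malicious behaviour, "static" = key control code
    item: str      # behaviour name or control-code identifier that matched
    location: str  # source position, e.g. class.method in the decompiled APP
    line: int


def _index(findings):
    """Key findings by evidence (kind, item, location, line) -> set of rule ids."""
    idx = defaultdict(set)
    for f in findings:
        idx[(f.kind, f.item, f.location, f.line)].add(f.rule_id)
    return idx


def _record(app, key, rules, system):
    kind, item, location, line = key
    return {"app": app, "system": system, "rules": sorted(rules), "kind": kind,
            "item": item, "location": location, "line": line}


def cross_compare(app, findings_a, findings_b, near=5):
    """Sort A/B findings into the patent's areas: a = same dynamic behaviour at
    the same position in both systems, b = same key control code, e = both at
    one position (reliable result), cd = only one system hit (missed detection
    or badly defined rule, kept for review), f = same evidence within `near`
    lines but no exact match (manual compare and repeat test)."""
    idx_a, idx_b = _index(findings_a), _index(findings_b)
    matched = set(idx_a) & set(idx_b)
    zones = {"a": [], "b": [], "e": [], "cd": [], "f": []}
    by_pos = defaultdict(list)
    for key in matched:
        by_pos[(key[2], key[3])].append(key)
    for (location, line), keys in by_pos.items():
        kinds = {k[0] for k in keys}
        zone = "e" if len(kinds) == 2 else ("a" if "dynamic" in kinds else "b")
        zones[zone].append({"app": app, "location": location, "line": line,
                            "items": sorted(k[1] for k in keys),
                            "rules": sorted(r for k in keys for r in idx_a[k] | idx_b[k])})
    only_a, only_b = set(idx_a) - matched, set(idx_b) - matched
    paired = set()
    for ka in sorted(only_a):
        near_b = [kb for kb in only_b if kb[:3] == ka[:3] and abs(kb[3] - ka[3]) <= near]
        rec = _record(app, ka, idx_a[ka], "A")
        if near_b:  # area f: same evidence a few lines apart, needs a human look
            rec["near_b"] = [(kb[3], sorted(idx_b[kb])) for kb in near_b]
            paired.update(near_b)
            zones["f"].append(rec)
        else:       # areas c/d: the other system saw nothing comparable
            zones["cd"].append(rec)
    for kb in sorted(only_b - paired):
        zones["cd"].append(_record(app, kb, idx_b[kb], "B"))
    return zones


def demo():
    """Constructed sample findings for one APP (not real detections)."""
    a = [Finding("A-dyn-07", "dynamic", "sms_send", "com.x.Pay.run", 120),
         Finding("A-sta-03", "static", "SmsManager.sendTextMessage", "com.x.Pay.run", 120),
         Finding("A-dyn-11", "dynamic", "read_contacts", "com.x.Sync.pull", 44),
         Finding("A-sta-09", "static", "Runtime.exec", "com.x.Util.sh", 300)]
    b = [Finding("B-r-41", "dynamic", "sms_send", "com.x.Pay.run", 120),
         Finding("B-r-58", "static", "SmsManager.sendTextMessage", "com.x.Pay.run", 120),
         Finding("B-r-62", "dynamic", "read_contacts", "com.x.Sync.pull", 47),
         Finding("B-r-77", "static", "DexClassLoader", "com.x.Load.go", 12)]
    return cross_compare("sample.apk", a, b)
```

Only area e records would be released as detection results; the c/d and f records keep the rule ids and positions so that a rule author can tell a missed detection from a badly written rule.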

Claims (2)

1. An APP detection unknown behaviour collection and judgment method, characterised in that it is operated as a program on computer equipment with a dual-channel test model: the same APP is submitted to two groups of different inspection engines so as to obtain two groups of output results, and the two groups of results are then cross-compared to find the clues that can be confirmed as reliable.
2. The APP detection unknown behaviour collection and judgment method as claimed in claim 1, characterised in that it comprises the following steps:
(1). The APP is placed, by transmission or copying, into the working area to be tested or into a specific storage area of a server;
(2). Whether the malicious behaviours match is analysed via the rules defined in analysis system A and the rules defined in analysis system B;
(3). The clues of the analysis results from step (2) are received and the following judgment work is carried out:
(A). If the dynamic malicious behaviours in security clue rule sets A and B, produced by analysis systems A and B, match and their source positions in the original inspected program intersect, that is, analysis system A and analysis system B both detect the same security problem at the same position although with different rules, so that it falls in area a, it is regarded as a quick-screening-rule dynamic malicious interpretation of high credibility;
(B). If the static key control codes in security clue rule sets A and B, produced by analysis systems A and B, match and their source positions in the original inspected program intersect, that is, analysis system A and analysis system B both detect the same security problem at the same position although with different rules, so that it falls in area b, it is regarded as a quick-screening-rule static malicious interpretation of high credibility;
(C). If both the static key control codes and the dynamic malicious behaviours in security clue rule sets A and B, produced by analysis systems A and B, match and their source positions in the original inspected program intersect, that is, analysis system A and analysis system B both detect the same security problem at the same position although with different rules, so that it falls in area e, it is regarded as a mobile application security detection reliable result of mutually corroborating common security clues;
(D). By the same reasoning, when either the malicious behaviours or the key control codes in security clue rule sets A and B do not match (clues in areas d and c), this is regarded as a missed detection or as the consequence of a poorly defined rule or poorly designed test method; such clues are stored separately and independently in file or database format, marked with the original test rule, the position of the matching rule in this program, the program name, the file model and so on, sufficient information (including but not limited to the aforesaid) for subsequent comparison and interpretation;
(E). By the same reasoning, when both the malicious behaviours and the key control codes in security clue rule sets A and B do not match (clues in area f), so that they are regarded as not detected and as not matching the rule definitions, but are geometrically close, such clues are stored separately and independently in file or database format, marked with the original test rule, the position of the matching rule in this program, the program name, the file model and so on; they are then compared manually and re-tested to confirm the clue, and after confirmation the rule and test method are incorporated.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610737830.1A CN106384047B (en) 2016-08-26 2016-08-26 APP detects unknown behavior acquisition and judgment method

Publications (2)

Publication Number Publication Date
CN106384047A true CN106384047A (en) 2017-02-08
CN106384047B CN106384047B (en) 2019-11-15

Family

ID=57917294

Country Status (1)

Country Link
CN (1) CN106384047B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080148406A1 (en) * 2003-07-29 2008-06-19 International Business Machines Corporation Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram
TW201035795A (en) * 2009-03-16 2010-10-01 Chunghwa Telecom Co Ltd System and method for detecting web malicious programs and behaviors
CN101894230A (en) * 2010-07-14 2010-11-24 国网电力科学研究院 Static and dynamic analysis technology-based host system security evaluation method
US20120331303A1 (en) * 2011-06-23 2012-12-27 Andersson Jonathan E Method and system for preventing execution of malware
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
JP2013092981A (en) * 2011-10-27 2013-05-16 Kddi Corp Software detection rule generation device, software detection rule generation method and software detection rule generation program
CN103327492A (en) * 2013-06-04 2013-09-25 王天时 Android cellphone intrusion detecting method and detecting system thereof
CN105550095A (en) * 2015-12-22 2016-05-04 中国科学院信息工程研究所 Virtualization based active and passive combination detection system and method for host behavior
CN105897807A (en) * 2015-01-14 2016-08-24 江苏博智软件科技有限公司 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20191021

Address after: 604, block a, Pangu maker space, No. 100, Huohuo Road, high tech Zone, Qingdao, Shandong Province

Applicant after: Qingdao Tianlong Safety Technology Co., Ltd.

Address before: 266199 Room 308, Eastern End of Incubation Building, 17 Zhengfo Road, Licang District, Qingdao City, Shandong Province

Applicant before: Qingdao Tianlong Safety Technology Co., Ltd.

Applicant before: Wang Ming Xian

GR01 Patent grant