CN106570394B - Method for detecting malicious program - Google Patents
- Publication number: CN106570394B (application CN201610989174.4A)
- Authority
- CN
- China
- Prior art keywords
- program
- tested
- installation package
- file
- programs
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Abstract
The invention provides a method for detecting malicious programs, comprising the following steps: extracting the unencrypted executable files from the subject installation package under test by a static method and adding them to a first set; extracting, by a dynamic method, all executable files released after the subject installation package runs and adding them to the first set; rearranging the files in the first set to obtain a second set; installing and executing the subject installation package and the executable files of the second set in an Android sandbox, performing deep detection on the subject installation package, and recording a monitoring log; and analysing the monitoring log to build an association graph, a timing flow graph and a private-data flow graph of the several programs under test in the subject installation package during their execution. The method quickly and accurately detects all programs released after an advanced malicious program runs, including the main program and its plug-in functional programs, performs parallel deep detection on several programs, raises the coverage and completeness of malicious-program detection, and lowers the misjudgement rate.
Description
Technical Field
The invention relates to the field of software detection, in particular to a method for detecting malicious programs.
Background
Smartphones are developing rapidly, and malicious programs for the Android platform are increasing daily. The 2016 report on the development of China's mobile Internet and its security states that the number of active smartphones in China reached 1.13 billion, of which 78.9% run Android. According to statistics from the relevant security centres, 3.396 million new Android malware samples were added in the first quarter of 2016 alone. As detection techniques keep improving, malicious programs have become more advanced: they use plug-in architectures, cooperate across multiple programs, are encrypted or packed with a shell, hide well, are highly destructive, are hard to detect and cannot be uninstalled.
At present there are two main methods for detecting malicious programs: static detection and dynamic detection. Static detection performs static analysis on the APK installation package, including analysis of the configuration file and decompilation of the code, and uses the API functions corresponding to the permissions an application requests as the features of a malicious program. Dynamic detection installs and runs the program in a sandbox and checks whether specific APIs are called during execution to decide whether malicious behaviour is present. The code coverage achieved by dynamic detection is very low, because malicious behaviour fires only when its trigger conditions are met and those conditions are very hard to reproduce; in addition, plug-in programs, particularly those implemented as native ELF code, are well hidden and very hard to find.
In summary, the existing malicious-program detection techniques share the following problems when facing advanced malicious programs: low program coverage, incomplete detection and difficult detection. An important reason is that several programs cooperate to trigger the malicious behaviour and the trigger conditions are hard to simulate. A malicious program is not necessarily a single program: it may be several programs, a main program that also releases other programs to cooperate with it. How to quickly and accurately obtain the other programs released by a malicious main program, and how to perform parallel deep detection on several programs, are as yet unstudied.
Disclosure of Invention
Therefore, the invention provides a method for detecting malicious programs that quickly and accurately detects all programs released after an advanced malicious program runs, including the main program and its plug-in functional programs, and performs parallel deep detection on several programs, thereby improving the coverage and completeness of malicious-program detection and reducing the misjudgement rate.
The specific scheme of the invention is as follows:
a method of detecting malicious programs, comprising the steps of:
S1, extracting the unencrypted executable files in the subject installation package under test by a static method, and adding them to a first set;
S2, extracting all executable files released after the subject installation package runs by a dynamic method, and adding them to the first set;
S3, rearranging the files in the first set to obtain a second set;
S4, installing and executing the subject installation package and the executable files of the second set in an Android sandbox, performing deep detection on the subject installation package, and recording a monitoring log;
and S5, analysing the monitoring log and building an association graph, a timing flow graph and a private-data flow graph of the programs under test in the subject installation package during their execution, in order to analyse the malicious behaviour of the subject installation package.
Further, step S2 specifically comprises:
S21, generating a first hash list of the files in the system directories of the Android sandbox;
S22, installing and executing the subject installation package;
S23, generating a second hash list of the files in the same system directories;
S24, comparing the first and second hash lists to obtain the file differences, and marking the attribute of each differing file according to rules;
and S25, adding the marked files to the first set; the marked files are all executable files released after the installation package ran.
Further, the rules for marking the attributes of a differing file in step S24 are:
if the difference is a newly added installation package file, a new plug-in program is suspected to have been released;
if the difference is a newly added system executable file, a new plug-in program is suspected to have been released;
if the difference is that a system executable file was renamed and the original replaced by a new file, a program disguised as a system program is suspected;
and if the difference is that the subject installation package uninstalled itself, the subject is suspected to be a carrier (dropper) for the released programs.
Further, the deep detection of the subject installation package in step S4 comprises: obtaining the process information of the program's run-time space, marking the program's run-time behaviours and recording the corresponding timestamps. The run-time behaviours include, but are not limited to, program communication behaviours, private-data read behaviours, private-data save behaviours and private-data outgoing behaviours; the communication behaviours include, but are not limited to, use of the HTTP/HTTPS, Socket, UDP or SMTP protocols or Android's internal Intent messaging; and the private data include, but are not limited to, the address book, SMS messages, call records, mail, browsing history, App data, pictures, audio and video.
Further, the specific method for building the association graph of the several programs under test in the subject installation package during their execution in step S5 comprises:
S51, obtaining the PID and the corresponding program name of each program under test, and combining them with the attributes marked in step S24 to build a third hash list;
S52, building a fourth hash list from the PIDs in the log and their corresponding behaviours;
S53, selecting the PIDs that appear in both the third hash list of step S51 and the fourth hash list of step S52, which screens the set of suspicious programs out of all running programs; labelling those programs and attaching the behaviours of each program forms the association graph between the programs.
Further, the specific method for building the program timing flow chart of the several programs under test in the subject installation package during their execution in step S5 is: the time sequence of the behaviours is recorded with time as the main axis.
The beneficial effects of the invention are:
1. Other suspicious programs that a program releases or spawns are detected quickly and accurately by combining the static and dynamic extraction methods.
2. Building on 1, several programs are deep-detected in parallel, whereas the common detection methods only support detecting one program at a time and therefore easily miss behaviour.
3. The malicious behaviour of the programs under test is analysed more intuitively through the association graph, the timing flow graph and the private-data flow graph between the programs.
Drawings
FIG. 1 is a flow chart of detecting the files released by the subject program according to the invention;
FIG. 2 is a flow chart of the deep detection according to the invention;
FIG. 3 is a diagram of the detected associations between multiple programs according to the invention;
FIG. 4 is a timing diagram of the abnormal behaviour during multi-program execution according to the invention;
FIG. 5 is a data flow diagram of the private data (SMS messages) detected by the invention.
Detailed Description
To further illustrate the various embodiments, the invention provides the accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the embodiments. Those skilled in the art will appreciate still other possible embodiments and advantages of the present invention with reference to these figures. The invention will now be further described with reference to the accompanying drawings and detailed description.
The advanced malicious program exposed to the user is usually an APK shell acting as the main program; other subsidiary programs are released after it runs. These are generally functional plug-ins that may disguise themselves as system programs or install themselves into a system directory so as to steal the user's private data with elevated privileges. The released programs do not trigger their malicious behaviour immediately after starting; they trigger it only under specific conditions, and the malicious behaviour is triggered by the cooperation of several programs, so it cannot be detected by running a single program. The invention can quickly and accurately extract the set of released programs dynamically and perform parallel deep detection on the several programs, which provides an effective and reliable basis for classifying malicious programs and greatly reduces the misjudgement rate. The specific steps are as follows:
Call the extracted set of programs C.
Firstly, extract the resource directories of the subject APK by static analysis, such as the unencrypted executable programs in the assets and raw directories, including APK, DEX and ELF files, and put them into set C;
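The static extraction of the first step, as an added example that is not code from the patent: it opens the subject APK as a zip archive, walks the assets/ and res/raw/ directories and identifies nested APK, DEX and ELF files by their magic bytes rather than by file extension, since a dropper routinely stores its payload under an innocuous name. The sample APK, its entry names and contents are constructed for the example; an encrypted payload has no recognisable header and is deliberately left for the dynamic extraction of the second step.

```python
"""Step 1: static extraction of unencrypted executables from the subject APK's
assets/ and res/raw/ directories. Added example, not the patent's code."""
import hashlib
import io
import zipfile

# Magic bytes of the three file types the page names.
MAGICS = {
    b"PK\x03\x04": "APK",   # a nested APK is itself a zip archive
    b"dex\n": "DEX",        # DEX header starts "dex\n035\0" (version varies)
    b"\x7fELF": "ELF",
}
RESOURCE_DIRS = ("assets/", "res/raw/")


def kind_of(data):
    """Classify by content, not extension: droppers routinely rename payloads."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def extract_static(apk_bytes):
    """Entries for set C found statically: [(path_in_apk, kind, sha256)]."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith(RESOURCE_DIRS):
                continue
            data = z.read(info.filename)
            kind = kind_of(data)
            # Encrypted or packed payloads have no recognisable header; they are
            # only recoverable after the subject runs (step 2, dynamic extraction).
            if kind:
                found.append((info.filename, kind, hashlib.sha256(data).hexdigest()))
    return found


def build_sample_apk():
    """Constructed APK-shaped zip (not a real app): a nested APK, a DEX hidden
    under a .bin name, a native ELF, an encrypted blob and a plain text file."""
    dex = b"dex\n035\x00" + b"\x00" * 32
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", dex)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)                       # main code, not a resource
        z.writestr("assets/plugin.apk", inner.getvalue())    # nested APK
        z.writestr("assets/data.bin", dex)                   # DEX disguised as .bin
        z.writestr("res/raw/libhelper", b"\x7fELF\x02\x01\x01" + b"\x00" * 32)
        z.writestr("assets/payload.enc", bytes(range(256)))  # no header: left to step 2
        z.writestr("assets/readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind, digest in extract_static(build_sample_apk()):
        print(kind, path, digest[:16])
```

Hashing each extracted file here gives the same identity used by the hash lists of the second step, so a file found statically and a file dropped at run time can be recognised as the same payload.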
Secondly, extract all executable programs released after the subject APK runs by the sandbox dynamic extraction method, including APK, DEX and ELF files, and put them into set C; the flow is shown in fig. 1, and the specific steps are as follows:
1. In the Android sandbox system, hash every executable file in the system executable paths /system/bin and /system/xbin and every installed APK file in the system APK install paths /system/frame, /system/app and /data/app, and store the result in list A.
2. Install the subject main program.
3. Start the subject main program.
4. Hash again every executable file under /system/bin and /system/xbin and every installed APK file under /system/frame, /system/app and /data/app, and store the result in list B.
5. Compare hash list A with hash list B, extract the files that differ, and mark their attributes according to the following rules:
a. A new APK installation file was added: suspected release of a new plug-in, P1
b. A new system executable file was added: suspected release of a new plug-in, P2
c. A system executable file was renamed and the original replaced by a new file: suspected program disguised as a system program, P3
d. The subject main program uninstalled itself: suspected program carrier
6. Put the files marked P1, P2 and P3 in step 5 into set C.
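Steps 1 to 6 of the dynamic extraction above, together with steps S21 to S25 and the S24 rules of the Summary, as one added example that is not the patent's code. The sandbox is a constructed directory tree under a temporary directory (file names, package name and contents are made up), the start of the subject program is simulated by a function that plants one change of each kind a to d, and the page's /system/frame is assumed to mean /system/framework. Rule c is recognised by the original file's hash reappearing at a new path, which is how a rename-and-replace shows up in a hash-list diff.

```python
"""Dynamic extraction: hash lists A and B of the sandbox's system directories,
their diff, and rule-based marking of the released files.
Added example, not the patent's code; the sandbox is a constructed directory tree."""
import hashlib
import os
import shutil
import tempfile

# Directories the page lists, relative to the sandbox root. The page writes
# "/system/frame"; this example assumes it means /system/framework.
EXEC_DIRS = ("system/bin", "system/xbin")
APK_DIRS = ("system/framework", "system/app", "data/app")
WATCHED = EXEC_DIRS + APK_DIRS
MAIN_APK = "data/app/com.example.subject-1/base.apk"   # constructed subject package


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def in_dirs(rel, dirs):
    return any(rel.startswith(d + os.sep) for d in dirs)


def snapshot(root):
    """Hash list (A or B): relative path -> sha256 of every file under the watched dirs."""
    table = {}
    for d in WATCHED:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for n in names:
                full = os.path.join(dirpath, n)
                table[os.path.relpath(full, root)] = sha256_file(full)
    return table


def classify(before, after, main_apk):
    """Diff two hash lists and apply rules a-d. Returns (marks, set C)."""
    marks, set_c = [], set()
    added = {p: h for p, h in after.items() if p not in before}
    removed = [p for p in before if p not in after]
    changed = [p for p in before if p in after and before[p] != after[p]]

    if main_apk in removed:                                  # rule d: self-uninstall
        marks.append((main_apk, "carrier"))

    old_hash_at = {h: p for p, h in added.items()}           # new paths by content hash
    for p in changed:                                        # rule c: rename + replace
        if in_dirs(p, EXEC_DIRS) and before[p] in old_hash_at:
            marks.append((p, "P3"))
            set_c.add(p)
            added.pop(old_hash_at[before[p]])                # the renamed original is not a drop

    for p in sorted(added):                                  # rules a and b: new files
        if in_dirs(p, APK_DIRS) and p.endswith(".apk"):
            marks.append((p, "P1"))
            set_c.add(p)
        elif in_dirs(p, EXEC_DIRS):
            marks.append((p, "P2"))
            set_c.add(p)
    return marks, sorted(set_c)


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def build_fixture(root):
    """Constructed clean sandbox image: a handful of stand-in files, not a real ROM."""
    write(root, "system/bin/ls", b"\x7fELF original ls")
    write(root, "system/bin/sh", b"\x7fELF sh")
    write(root, "system/xbin/su", b"\x7fELF su")
    write(root, "system/framework/framework-res.apk", b"PK framework")
    write(root, "system/app/Settings.apk", b"PK settings")
    write(root, MAIN_APK, b"PK subject main apk")


def simulate_run(root):
    """Stand-in for step 3 (starting the subject): plants one change of each kind."""
    write(root, "data/app/com.evil.plugin-1/base.apk", b"PK dropped plug-in")   # a
    write(root, "system/xbin/.daemon", b"\x7fELF dropped native payload")       # b
    os.rename(os.path.join(root, "system/bin/ls"), os.path.join(root, "system/bin/ls.real"))
    write(root, "system/bin/ls", b"\x7fELF trojanised ls")                       # c
    os.remove(os.path.join(root, MAIN_APK))                                      # d


def run_demo():
    root = tempfile.mkdtemp(prefix="sandbox-")
    try:
        build_fixture(root)
        list_a = snapshot(root)                      # step 1
        simulate_run(root)                           # steps 2-3
        list_b = snapshot(root)                      # step 4
        return classify(list_a, list_b, MAIN_APK)    # steps 5-6
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, tag in run_demo()[0]:
        print(tag, path)
```

Note that rule c as written on the page only covers rename-and-replace; a system executable overwritten in place (same path, changed hash, original gone) would show up in `changed` without a matching entry in `added`, and a practitioner would want to mark that case too.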
Thirdly, rearrange set C to obtain a new set of executable programs D;
Fourthly, prepare a self-built Android sandbox that simulates the data environment of a real phone, install and run the subject APK and the programs in set D, perform deep detection and record the monitoring log;
Fifthly, analyse the monitoring log and build the association graph, the timing flow chart and the private-data flow chart of the programs under test during their execution.
The deep detection method uses the sandbox framework and low-level hooking to obtain the process information of the program's run-time space and to mark, each with its timestamp, the program's communication behaviours and its private-data read, save and outgoing behaviours. The communication behaviours include the use of the HTTP/HTTPS, Socket, UDP or SMTP protocols or Android's internal Intent messaging. The private data include user data such as the address book, SMS messages, call records, mail, browsing history, App data, pictures, audio and video. The flow chart is shown in fig. 2.
The program association graph is built as follows:
1. Obtain the process information of the running programs, i.e. the PID and the corresponding program name of each program under test, and build a hash table HA from them together with the attributes marked in point 5 of the second step;
2. Build a hash table HB from all logs, keyed by PID and holding the corresponding behaviours (communication behaviours, or private-data read and outgoing behaviours);
3. Select the PIDs that appear in both HA of step 1 and HB of step 2, i.e. screen the set of suspicious programs out of all running programs; label those programs and attach the behaviours of each program to form the association graph between the programs, as shown in fig. 3.
The program timing flow chart is built as follows: the time sequence of the behaviours, each carrying its program label, is recorded with time as the main axis, as shown in fig. 4.
The private-data flow graph is built as follows: the reading, saving and outgoing transmission of the private data are each marked, as shown in fig. 5.
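The three constructions above (the HA and HB tables with the association graph, the timing flow chart and the private-data flow graph), and the equivalent steps S51 to S53 of the Summary, as one added example that is not the patent's code, run over a constructed monitoring log. The log line format, the process names, the PIDs and the file-to-package mapping are assumptions made for the example; the marks are the P1/P2/P3 attributes from point 5 of the second step. The process com.android.settings appears in HB but not in HA, so the intersection drops it, which is the screening the third point describes.

```python
"""Step-5 analysis of the monitoring log: HA/HB tables, association graph,
timing flow chart and private-data flow. Added example, not the patent's code."""
from collections import defaultdict

# Constructed monitoring log, one event per line (assumed format):
#   <timestamp> <pid> <process name> <behaviour> [arguments...]
# Private-data behaviours (READ/SAVE/SEND) name the data item first.
MONITOR_LOG = """
1001 4201 com.example.subject INSTALL data/app/com.evil.plugin-1/base.apk
1002 4202 com.evil.plugin READ sms
1003 4202 com.evil.plugin SAVE sms /data/data/com.evil.plugin/cache/s.db
1004 4202 com.evil.plugin INTENT com.example.subject
1005 4201 com.example.subject SEND sms smtp://mail.example.invalid
1006 4203 com.android.settings READ contacts
"""

MAIN = "com.example.subject"                                  # subject program (constructed)
MARKED = {"data/app/com.evil.plugin-1/base.apk": "P1"}        # marks from step 5 (constructed)
PACKAGE_OF = {"data/app/com.evil.plugin-1/base.apk": "com.evil.plugin"}  # file -> process name

COMM = {"HTTP", "SOCKET", "UDP", "SMTP", "INTENT", "INSTALL"}   # communication behaviours
PRIVATE = {"READ", "SAVE", "SEND"}                               # private-data behaviours


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, pid, name, kind, *args = line.split()
        events.append({"ts": int(ts), "pid": int(pid), "name": name, "kind": kind, "args": args})
    return sorted(events, key=lambda e: e["ts"])


def build_ha(events, main, marked, package_of):
    """HA: pid -> (name, attribute) for the programs under test (main + released set)."""
    attr = {main: "MAIN"}
    attr.update({package_of[path]: tag for path, tag in marked.items()})
    return {e["pid"]: (e["name"], attr[e["name"]]) for e in events if e["name"] in attr}


def build_hb(events):
    """HB: pid -> behaviours logged for that process, in time order."""
    hb = defaultdict(list)
    for e in events:
        if e["kind"] in COMM | PRIVATE:
            hb[e["pid"]].append(e)
    return dict(hb)


def association_graph(ha, hb, package_of):
    """Keep PIDs present in both HA and HB, label them, and link them by the
    communication they performed (file released, Intent target)."""
    label = {pid: f"{attr}:{name}" for pid, (name, attr) in ha.items() if pid in hb}
    by_name = {ha[pid][0]: lbl for pid, lbl in label.items()}
    nodes = {label[pid]: [" ".join([e["kind"], *e["args"]]) for e in hb[pid]] for pid in label}
    edges = []
    for pid, lbl in label.items():
        for e in hb[pid]:
            if e["kind"] == "INSTALL" and package_of.get(e["args"][0]) in by_name:
                edges.append((lbl, "releases", by_name[package_of[e["args"][0]]]))
            elif e["kind"] == "INTENT" and e["args"][0] in by_name:
                edges.append((lbl, "intent", by_name[e["args"][0]]))
    return label, nodes, edges


def timeline(events, label):
    """Time-ordered behaviours of the suspicious programs, each tagged with its label."""
    return [(e["ts"], label[e["pid"]], e["kind"], " ".join(e["args"]))
            for e in events if e["pid"] in label and e["kind"] in COMM | PRIVATE]


def private_data_flow(events, label):
    """Per data item: the read -> save -> send chain, with the program at each hop."""
    flow = defaultdict(list)
    for e in events:
        if e["kind"] in PRIVATE and e["pid"] in label:
            flow[e["args"][0]].append((e["kind"].lower(), label[e["pid"]]))
    return dict(flow)


def analyse(log_text=MONITOR_LOG, main=MAIN, marked=MARKED, package_of=PACKAGE_OF):
    events = parse_log(log_text)
    ha, hb = build_ha(events, main, marked, package_of), build_hb(events)
    label, nodes, edges = association_graph(ha, hb, package_of)
    return {"label": label, "nodes": nodes, "edges": edges,
            "timeline": timeline(events, label), "flow": private_data_flow(events, label)}


if __name__ == "__main__":
    r = analyse()
    for edge in r["edges"]:
        print(" -> ".join(edge))
    for item, hops in r["flow"].items():
        print(item, hops)
```

The SMS flow in the constructed log shows why the multi-program view matters: the plug-in reads and stores the messages and the main program sends them out, so neither process alone exhibits a complete read-to-exfiltration chain.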
Building the graphs through deep detection in this way describes the various abnormal behaviours of the malicious program more vividly and can effectively solve the misjudgement and missed-judgement problems of some common detection systems.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (5)
1. A method of detecting malicious programs, comprising the steps of:
S1, extracting the unencrypted executable files in the subject installation package under test by a static method, and adding them to a first set, wherein the executable files comprise APK, DEX and ELF files;
S2, extracting all executable files released after the subject installation package runs by a dynamic method, and adding them to the first set;
S3, rearranging the files in the first set to obtain a second set;
S4, installing and executing the subject installation package and the executable files of the second set in an Android sandbox, performing deep detection on the subject installation package, and recording a monitoring log;
S5, analysing the monitoring log and building an association graph, a timing flow graph and a private-data flow graph of the several programs under test in the subject installation package during their execution, in order to analyse the malicious behaviour of the subject installation package;
wherein the association graph is built by:
S51, obtaining the PID and the corresponding program name of each program under test, and combining them with the marked attributes to build a third hash list;
S52, building a fourth hash list from the PIDs in the log and their corresponding behaviours;
S53, selecting the PIDs that appear in both the third hash list of step S51 and the fourth hash list of step S52, which screens the set of suspicious programs out of all running programs, labelling those programs, and attaching the behaviours of each program to form the association graph between the programs.
2. The method for detecting malicious programs according to claim 1, wherein step S2 specifically comprises:
S21, generating a first hash list of the files in the system directories of the Android sandbox;
S22, installing and executing the subject installation package;
S23, generating a second hash list of the files in the same system directories;
S24, comparing the first and second hash lists to obtain the file differences, and marking the attribute of each differing file according to rules;
and S25, adding the marked files to the first set, the marked files being all executable files released after the installation package ran.
3. The method for detecting malicious programs according to claim 2, wherein the rules for marking the attributes of a differing file in step S24 are:
if the difference is a newly added installation package file, a new plug-in program is suspected to have been released;
if the difference is a newly added system executable file, a new plug-in program is suspected to have been released;
if the difference is that a system executable file was renamed and the original replaced by a new file, a program disguised as a system program is suspected;
and if the difference is that the subject installation package uninstalled itself, the subject is suspected to be a program carrier.
4. The method for detecting malicious programs according to claim 1, wherein the deep detection of the subject installation package in step S4 comprises: obtaining the process information of the program's run-time space, marking the program's run-time behaviours and recording the corresponding timestamps, wherein the run-time behaviours include, but are not limited to, program communication behaviours, private-data read behaviours, private-data save behaviours and private-data outgoing behaviours; the communication behaviours include, but are not limited to, use of the HTTP/HTTPS, Socket, UDP or SMTP protocols or Android's internal Intent messaging; and the private data include, but are not limited to, the address book, SMS messages, call records, mail, browsing history, App data, pictures, audio and video.
5. The method for detecting malicious programs according to claim 1, wherein the program timing flow chart of the several programs under test in the subject installation package during their execution, built in step S5, is built as follows: the time sequence of the behaviours is recorded with time as the main axis.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610989174.4A CN106570394B (en) | 2016-11-10 | 2016-11-10 | Method for detecting malicious program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610989174.4A CN106570394B (en) | 2016-11-10 | 2016-11-10 | Method for detecting malicious program |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106570394A CN106570394A (en) | 2017-04-19 |
CN106570394B true CN106570394B (en) | 2021-04-16 |
Family
ID=58541069
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610989174.4A Active CN106570394B (en) | 2016-11-10 | 2016-11-10 | Method for detecting malicious program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106570394B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107395650B (en) * | 2017-09-07 | 2020-06-09 | 杭州安恒信息技术股份有限公司 | Method and device for identifying Trojan back connection based on sandbox detection file |
CN107967426B (en) * | 2017-11-27 | 2020-07-03 | 华中科技大学 | Detection method, defense method and system for Linux kernel data attack |
CN108123937B (en) * | 2017-12-13 | 2020-09-29 | 广州泰尔智信科技有限公司 | Multithreading monitoring method and system for monitoring mobile terminal application |
CN109101815B (en) * | 2018-07-27 | 2023-04-07 | 平安科技(深圳)有限公司 | Malicious software detection method and related equipment |
CN113064601A (en) * | 2019-12-30 | 2021-07-02 | Oppo广东移动通信有限公司 | Method, device, terminal and storage medium for determining dynamic loading file |
CN112948824B (en) * | 2021-03-31 | 2022-04-26 | 支付宝(杭州)信息技术有限公司 | Program communication method, device and equipment based on privacy protection |
CN113778877A (en) * | 2021-09-10 | 2021-12-10 | 中金金融认证中心有限公司 | Method for detecting application program installation package and related product |
CN114928476A (en) * | 2022-04-27 | 2022-08-19 | 北京天融信网络安全技术有限公司 | Target file security detection method and detection device |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9245125B2 (en) * | 2014-02-27 | 2016-01-26 | Nec Laboratories America, Inc. | Duleak: a scalable app engine for high-impact privacy leaks |
CN104598824B (en) * | 2015-01-28 | 2016-04-06 | 国家计算机网络与信息安全管理中心 | A kind of malware detection methods and device thereof |
CN105205397B (en) * | 2015-10-13 | 2018-10-16 | 北京奇安信科技有限公司 | Rogue program sample sorting technique and device |
CN106055479B (en) * | 2016-06-01 | 2019-03-01 | 中国科学院信息工程研究所 | A kind of Android application software testing method based on compulsory execution |
- 2016-11-10 CN CN201610989174.4A patent/CN106570394B/en Active
Non-Patent Citations (2)
Title |
---|
Android Malware Detection Based on Static Analysis of Characteristic Tree; Qi Li et al.; 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery; 2015-10-29; full text * |
Dynamic detection method for Android private-data leakage based on permission analysis (基于权限分析的Android隐私数据泄露动态检测方法); Gao Yue (高岳) et al.; Netinfo Security (信息网络安全); 2014-02-28; vol. 2014, no. 02; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN106570394A (en) | 2017-04-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106570394B (en) | Method for detecting malicious program | |
JP6228966B2 (en) | Computing device that detects malware | |
US9953162B2 (en) | Rapid malware inspection of mobile applications | |
Cahyani et al. | Forensic data acquisition from cloud‐of‐things devices: windows Smartphones as a case study | |
US10198574B1 (en) | System and method for analysis of a memory dump associated with a potentially malicious content suspect | |
Spreitzenbarth et al. | Mobile-sandbox: having a deeper look into android applications | |
Barmpatsalou et al. | A critical review of 7 years of Mobile Device Forensics | |
Sato et al. | Detecting android malware by analyzing manifest files | |
JP6188956B2 (en) | Malware detection inspection method and apparatus | |
US9300682B2 (en) | Composite analysis of executable content across enterprise network | |
US9158915B1 (en) | Systems and methods for analyzing zero-day attacks | |
US20130122861A1 (en) | System and method for verifying apps for smart phone | |
KR20150044490A (en) | A detecting device for android malignant application and a detecting method therefor | |
WO2017012241A1 (en) | File inspection method, device, apparatus and non-volatile computer storage medium | |
Luoshi et al. | A3: automatic analysis of android malware | |
CN109783316B (en) | Method and device for identifying tampering behavior of system security log, storage medium and computer equipment | |
CN110826058A (en) | Malware detection based on user interaction | |
CN109815702B (en) | Software behavior safety detection method, device and equipment | |
CN107729748B (en) | A method of description file running track figure in sandbox | |
WO2021243555A1 (en) | Quick application test method and apparatus, device, and storage medium | |
KR101345740B1 (en) | A malware detection system based on correlation analysis using live response techniques | |
KR101270497B1 (en) | System for collecting and analyzing mobile malware automatically | |
Verma et al. | Preserving dates and timestamps for incident handling in android smartphones | |
WO2016180211A1 (en) | Method and apparatus for processing faked application | |
JP5941745B2 (en) | Application analysis apparatus, application analysis system, and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |