CN106778247B - Method and device for dynamically analyzing application program - Google Patents


Info

Publication number: CN106778247B
Authority: CN (China)
Prior art keywords: installation package; package file; analysis; behavior data; behavior
Legal status: Active
Application number: CN201611160804.3A
Other languages: Chinese (zh)
Other versions: CN106778247A (en)
Inventors: 汪德嘉, 华保健, 樊淇梁, 宋超
Current Assignee: JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.; JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
Original Assignee: Jiangsu Tongfudun Information Security Technology Co ltd; Jiangsu Pay Egis Technology Co ltd
Application filed by Jiangsu Tongfudun Information Security Technology Co ltd and Jiangsu Pay Egis Technology Co ltd
Priority to CN201611160804.3A
Publication of CN106778247A
Application granted
Publication of CN106778247B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a method and a device for dynamically analyzing an application program. The method comprises the following steps: acquiring an installation package file of an application program to be analyzed; putting the installation package file into a sandbox for operation, and collecting behavior data generated in the operation process of the installation package file; the behavior data is analyzed to obtain an analysis result, so that the operation behavior of the application program can be comprehensively monitored and analyzed, and a user can determine whether to adjust the application program according to the analysis result.

Description

Method and device for dynamically analyzing application program
Technical Field
The invention relates to the technical field of internet, in particular to a method and a device for dynamically analyzing an application program.
Background
With the great popularity of application programs, a wide variety of applications appear in the application market, and to protect the interests of users it is necessary to detect whether the behavior of these applications complies with the rules. However, in the face of such a massive number of applications, how to detect the behavior of an application program efficiently and accurately and reach a reasonable judgment is an urgent problem.
Domestic security vendors have developed products for these applications, but each such product addresses only one specific aspect, such as detecting malicious applications or detecting whether an application program has been hardened (packed). The prior art offers no dynamic detection scheme for analyzing the behavior of an application program, so no method for dynamically analyzing application behavior is available.
Disclosure of Invention
In view of the above, the present invention is proposed in order to provide a method of application dynamic analysis and a corresponding apparatus of application dynamic analysis that overcome or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a method for dynamic analysis of an application, the method comprising:
acquiring an installation package file of an application program to be analyzed;
putting the installation package file into a sandbox for operation, and collecting behavior data generated in the operation process of the installation package file;
and analyzing the behavior data to obtain an analysis result.
According to another aspect of the present invention, there is provided an apparatus for dynamic analysis of an application, the apparatus comprising:
the acquisition module is used for acquiring an installation package file of the application program to be analyzed;
the behavior data collection module is used for putting the installation package file into a sandbox for operation and collecting behavior data generated in the operation process of the installation package file;
and the analysis module is used for analyzing the behavior data to obtain an analysis result.
According to the scheme provided by the invention, after the installation package file of the application program to be analyzed is obtained, the installation package file is put into the sandbox to operate, the behavior data generated in the operation process of the installation package file is collected, the behavior data is analyzed, and the analysis result is obtained, so that the operation behavior of the application program can be comprehensively monitored and analyzed, and a user can determine whether to adjust the application program according to the analysis result.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a flow diagram of a method for application dynamic analysis, in accordance with one embodiment of the present invention;
FIG. 2 illustrates a flow diagram of a method of application dynamic analysis according to another embodiment of the invention;
FIG. 3 is a schematic diagram of an apparatus for dynamic analysis of an application according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for dynamic analysis of an application according to another embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a flow diagram of a method of application dynamic analysis, according to one embodiment of the invention. As shown in fig. 1, the method comprises the steps of:
step S100, obtaining an installation package file of the application program to be analyzed.
In the embodiment of the present invention, the installation package file of the application to be analyzed may be an installation package file uploaded by a client, or an installation package file downloaded from a website or from a local application. For example, after a developer has developed a new application and before it is released to the market, the developer may upload its installation package file through the file-upload entry provided by the client so that dynamic behavior analysis is performed on it; likewise, after downloading the installation package file of an application from an application store or the like, an ordinary user may upload it through the same file-upload entry for dynamic behavior analysis.
Step S101, putting the installation package file into a sandbox for operation, and collecting behavior data generated in the operation process of the installation package file.
After the installation package file is obtained, the installation package file can be put into a sandbox, the installation package file is operated in the sandbox, and behavior data generated in the operation process of the installation package file is collected to be used as an analysis object of subsequent analysis. Here, running the installation package file in the sandbox can avoid affecting the real system.
Step S102, analyzing the behavior data to obtain an analysis result.
After the behavior data generated while the installation package file runs has been collected, it is analyzed. Analyzing the behavior data specifically comprises performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavior data. Sensitive behavior analysis may be used to determine whether the installation package file operates on sensitive data, for example by reading it; malicious behavior analysis may be used to determine whether behaviors such as fraud occur while the installation package file runs; permission analysis determines which permissions are involved at run time, such as modification, deletion and the like. Of course, the analysis is not limited to the above, and those skilled in the art can perform other behavior analysis according to actual needs.
According to the method provided by the embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, the installation package file is put into the sandbox to operate, the behavior data generated in the operation process of the installation package file is collected, the behavior data is analyzed, and the analysis result is obtained, so that the operation behavior of the application program can be comprehensively monitored and analyzed, and a user can determine whether to adjust the application program according to the analysis result.
FIG. 2 is a flow diagram illustrating a method for dynamic analysis of an application according to another embodiment of the invention. As shown in fig. 2, the method comprises the steps of:
step S200, obtaining an installation package file of the application program to be analyzed.
In the embodiment of the present invention, the installation package file of the application to be analyzed may be an installation package file uploaded by a client, or an installation package file downloaded from a website or from a local application. For example, after a developer has developed a new application and before it is released to the market, the developer may upload its installation package file through the file-upload entry provided by the client so that dynamic behavior analysis is performed on it; likewise, after downloading the installation package file of an application from an application store or the like, an ordinary user may upload it through the same file-upload entry for dynamic behavior analysis. The application here may be a mobile application or a non-mobile application.
Step S201, determining whether the installation package file has been packed (shelled); if so, executing step S202; if not, going to step S203.
After an application program is developed, its installation package file may be packed, mainly to resist reverse engineering and code injection attacks. However, because a packed installation package file makes program behavior analysis much more difficult, it is also necessary, after the installation package file is acquired, to determine whether it has been packed.
Generally, the hardening scheme adopted by a hardening vendor is fixed, and an installation package file hardened by that vendor carries the vendor's identifier. Therefore, whether the installation package file has been packed can be determined by performing script parsing on the installation package file and checking whether it contains a hardening vendor identifier and a hardening scheme.
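The check described for step S201, parsing the installation package and looking for a hardening vendor's marker, as an added example that is not part of the patent. It treats the package as a zip archive (the APK layout) and uses a constructed signature table; the vendor names, entry paths and magic bytes are placeholders, not the real markers of any product.

```python
"""Step S201 as code: parse an installation package (zip/APK) and decide
whether it carries the marker of a known hardening vendor.

The signature table below is CONSTRUCTED for this example; it does not
describe any real hardening product."""
import fnmatch
import io
import zipfile
from typing import Optional

# Constructed: vendor -> hardening scheme, entry-name globs, and magic bytes
# expected inside a matched entry. Requiring the magic bytes as well as the
# path reduces false positives from an app that merely reuses a file name.
PACKER_SIGNATURES = {
    "ExampleShieldCo": {
        "scheme": "dex-encryption-stub",
        "paths": ["lib/*/libexampleshield.so", "assets/exampleshield.dat"],
        "magic": b"EXSHIELD",
    },
    "DemoArmorLtd": {
        "scheme": "native-loader-shell",
        "paths": ["assets/demoarmor/*", "lib/*/libdemoarmor_loader.so"],
        "magic": b"DARMOR",
    },
}


def detect_packer(apk_bytes: bytes) -> Optional[dict]:
    """Return {"vendor", "scheme", "evidence"} when a known hardening marker
    is found, or None when the package looks unpacked (go to step S203)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for vendor, sig in PACKER_SIGNATURES.items():
            hits = [n for n in names
                    if any(fnmatch.fnmatch(n, glob) for glob in sig["paths"])]
            for entry in hits:
                if sig["magic"] in zf.read(entry):
                    return {"vendor": vendor, "scheme": sig["scheme"],
                            "evidence": entry}
    return None


def build_sample_apk(packed: bool, with_magic: bool = True) -> bytes:
    """Construct a minimal APK-like zip in memory (sample data, not a real app).
    packed=True adds the constructed ExampleShieldCo marker files; with_magic
    controls whether the marker library actually carries the magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        if packed:
            body = b"\x7fELF" + (b"EXSHIELD" if with_magic else b"") + b"\x00" * 8
            zf.writestr("lib/armeabi-v7a/libexampleshield.so", body)
            zf.writestr("assets/exampleshield.dat", b"\x01\x02")
    return buf.getvalue()


if __name__ == "__main__":
    print("packed sample  ->", detect_packer(build_sample_apk(True)))
    print("plain sample   ->", detect_packer(build_sample_apk(False)))
    print("path-only hit  ->", detect_packer(build_sample_apk(True, with_magic=False)))
```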
Step S202, unpacking the installation package file.
After the installation package file is determined to have been packed, it can be unpacked to facilitate the subsequent analysis; the specific unpacking method is not described in detail here.
Step S203, performing instrumentation on the installation package file.
After the installation package file has been unpacked, or after it has been determined not to be packed, the installation package file can be instrumented: a section of code, a probe node or the like is inserted into the code of the installation package file so that the corresponding behavior data can be obtained when the installation package file runs. It should be noted that this step is optional, and in some embodiments the installation package file is not instrumented.
Step S204, putting the installation package file into a sandbox for operation, and collecting, by means of taint analysis and/or hook technology, the behavior data generated while an application simulator with a lightweight kernel runs the installation package file.
The application simulator is arranged in the sandbox and is used to run the installation package file. Its kernel has been made lightweight, which improves the running speed of the simulator and the accuracy of the behavior data obtained.
In addition, the embodiment of the invention can trigger the application simulator with the lightweight kernel to run the installation package file automatically by means of a code coverage technique, without manually operating the simulator and entering the corresponding inputs, so that the running of the installation package file is fully automated. While the installation package file runs, the behavior data generated by the application simulator with the lightweight kernel can be collected using taint analysis and/or hook technology. Taint analysis defines, for the installation package file, a starting point (source) and an ending point (sink) that together form a taint propagation sequence, and tracks that sequence to determine whether the data handled by the installation package file becomes tainted. Hook technology monitors specified behaviors of the installation package file at run time and collects the behavior data generated while it runs.
The behavior data includes one or more of the following: running logs, running screenshots and transmitted data. For example, a running log may be generated during a file read operation or a file write operation.
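The taint-analysis step of S204, as an added example that is not part of the patent: a source (starting point) and a sink (ending point) are defined, and taint is tracked through the intermediate operations to decide whether data from the source reaches the sink. The event stream, the operation names and the value ids are constructed to stand in for records produced by hooks in the sandbox.

```python
"""Taint tracking over a constructed stream of hook events (step S204).

Each event is something a hook would record: the operation, the ids of the
values it consumed, the id of the value it produced, and, for sinks, the
destination. Sources start a taint sequence, propagators carry it forward,
and a flow is reported when a tainted value reaches a sink."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed classification of operations (starting points, propagation, ending points).
SOURCES = {"read_contacts": "contacts", "get_device_id": "device_id", "read_sms": "sms"}
PROPAGATORS = {"concat", "base64_encode", "json_dump", "encrypt"}
SINKS = {"socket_send", "http_post", "file_write"}


@dataclass
class Event:
    op: str
    inputs: List[str]          # ids of the values consumed
    output: str = ""           # id of the value produced (empty for sinks)
    target: str = ""           # destination of a sink (host, path, ...)


@dataclass
class TaintResult:
    flows: List[dict] = field(default_factory=list)        # source -> sink sequences found
    labels: Dict[str, Set[str]] = field(default_factory=dict)  # value id -> taint labels


def analyze_taint(events: List[Event]) -> TaintResult:
    """Walk the event stream in order and propagate taint labels by value id."""
    res = TaintResult()
    for ev in events:
        # Labels carried by the inputs of this event (empty set if none are tainted).
        merged = set().union(*(res.labels.get(i, set()) for i in ev.inputs))
        if ev.op in SOURCES:
            res.labels[ev.output] = {SOURCES[ev.op]}     # starting point of a sequence
        elif ev.op in PROPAGATORS and merged:
            res.labels[ev.output] = merged               # taint survives the transformation
        elif ev.op in SINKS and merged:
            res.flows.append({"sink": ev.op, "target": ev.target,
                              "sources": sorted(merged)})  # ending point reached
    return res


# Constructed sample: contacts and device id are concatenated, encoded and posted;
# an unrelated value v5 is written to a cache file and must not be reported.
SAMPLE_EVENTS = [
    Event("read_contacts", [], "v1"),
    Event("get_device_id", [], "v2"),
    Event("concat", ["v1", "v2"], "v3"),
    Event("base64_encode", ["v3"], "v4"),
    Event("file_write", ["v5"], target="/data/cache.tmp"),
    Event("http_post", ["v4"], target="203.0.113.10"),   # documentation-range address
]


if __name__ == "__main__":
    result = analyze_taint(SAMPLE_EVENTS)
    for flow in result.flows:
        print(f"{'+'.join(flow['sources'])} -> {flow['sink']} ({flow['target']})")
```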
Step S205, inputting the behavior data into a preset behavior data model, and analyzing the behavior data to obtain an analysis result.
After the behavior data generated while the installation package file runs has been collected, it can be input into a preset behavior data model and analyzed; specifically, the collected behavior data is compared with the behavior features in the behavior data model to obtain the corresponding analysis result. The behavior data analysis specifically comprises performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavior data. Sensitive behavior analysis may be used to determine whether the installation package file operates on sensitive data, for example by reading it; malicious behavior analysis may be used to determine whether behaviors such as fraud occur while the installation package file runs; permission analysis determines which permissions are involved at run time, such as modification, deletion and the like. Of course, the analysis is not limited to the above, and those skilled in the art can perform other behavior analysis according to actual needs.
The behavior data model is obtained by training on the behavior features in an application feature library, where a behavior feature is behavior data whose behavior type has already been determined, that is, behavior data known to be malicious or non-malicious, sensitive or non-sensitive, and the like.
The behavior data model of the invention is trained in either a batch learning mode or an incremental learning mode. In the batch learning mode, at every preset time period the behavior data collected during the preceding period is trained on, so that a behavior data model is obtained for each preset time period; the preset period may be one hour or one day, can be set by a person skilled in the art according to the needs of the practical application, and is not specifically limited here. In the incremental learning mode, behavior data is collected and trained on as it arrives, and the training result is fed through an interface into the behavior data model of the current preset time period, so that a new behavior data model is likewise obtained in each preset time period. With the incremental learning mode, the collected behavior data can be learned into the behavior data model in real time, which reduces the workload of machine learning training and allows the behavior data model to be obtained quickly.
In an optional implementation of the present invention, the behavior data may also be analyzed by pattern matching to obtain the analysis result. Corresponding patterns, such as a malicious pattern and a sensitive pattern, are preset together with a matching rule for each pattern; after the behavior data is obtained, it is analyzed with the matching rule of each pattern to obtain the analysis result.
After the analysis result is obtained, it can be displayed to the user so that the user can process the installation package file of the application program accordingly; in addition, the analysis result may be stored in the application feature library as a source of training data for the behavior data model or for pattern matching.
According to the method provided by the embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, whether the installation package file has been packed is determined; if so, it is unpacked to facilitate the subsequent collection of behavior data. The installation package file is instrumented so that behavior data can be collected in a targeted manner, it is put into the sandbox to run, the behavior data it generates while running is collected, and the collected behavior data is input into a preset behavior data model for analysis to obtain the analysis result. In this way the running behavior of the application program can be comprehensively monitored and analyzed, and a user can decide whether to adjust the application program according to the analysis result.
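The pattern-matching variant of step S205 applied to running logs, as an added example that is not part of the patent: a matching rule is preset for each pattern (sensitive, malicious) and for permission analysis, and the collected log lines are run through them to produce the analysis result. The log format, the hook names and the rules are constructed for this example.

```python
"""Pattern matching over collected running logs (step S205, optional variant).

The log lines and the rules are CONSTRUCTED for this example; the hook names
resemble Android framework APIs but the record format is invented."""
import re
from typing import Dict, List

# Preset patterns: each pattern is a list of (matching rule, description).
PATTERN_RULES = {
    "sensitive": [
        (re.compile(r"hook=ContentResolver\.query uri=content://contacts"), "reads contacts"),
        (re.compile(r"hook=ContentResolver\.query uri=content://sms"), "reads SMS"),
        (re.compile(r"hook=TelephonyManager\.getDeviceId"), "reads device identifier"),
    ],
    "malicious": [
        (re.compile(r"hook=SmsManager\.sendTextMessage dest=\+?\d+ body="), "sends SMS programmatically"),
        (re.compile(r"hook=File\.delete path=/sdcard/"), "deletes user files on external storage"),
    ],
}

# Permission analysis: which run-time permission each observed hook implies
# (the patent's examples are modification and deletion; the rest are added here).
PERMISSION_RULES = [
    (re.compile(r"hook=File\.write "), "modify"),
    (re.compile(r"hook=File\.delete "), "delete"),
    (re.compile(r"hook=ContentResolver\.query uri=content://contacts"), "read_contacts"),
    (re.compile(r"hook=SmsManager\.sendTextMessage"), "send_sms"),
    (re.compile(r"hook=HttpURLConnection\.connect"), "network"),
]


def analyze_behavior(log_lines: List[str]) -> Dict[str, object]:
    """Run every preset rule over every log line and build the analysis result.
    The verdict is "malicious" if any malicious rule fired, otherwise
    "sensitive" if any sensitive rule fired, otherwise "clean"."""
    result: Dict[str, object] = {"sensitive": [], "malicious": [],
                                 "permissions": set(), "verdict": "clean"}
    for line in log_lines:
        for category, rules in PATTERN_RULES.items():
            for rule, description in rules:
                if rule.search(line):
                    result[category].append(description)
        for rule, permission in PERMISSION_RULES:
            if rule.search(line):
                result["permissions"].add(permission)
    if result["malicious"]:
        result["verdict"] = "malicious"
    elif result["sensitive"]:
        result["verdict"] = "sensitive"
    result["permissions"] = sorted(result["permissions"])
    return result


# Constructed running log, one hook record per line.
SAMPLE_LOG = [
    "2016-12-15 10:02:01 hook=ContentResolver.query uri=content://contacts/people pid=1234",
    "2016-12-15 10:02:02 hook=SmsManager.sendTextMessage dest=+10000 body=SUBSCRIBE",
    "2016-12-15 10:02:03 hook=File.delete path=/sdcard/DCIM/photo1.jpg",
    "2016-12-15 10:02:04 hook=HttpURLConnection.connect host=example.com",
    "2016-12-15 10:02:05 hook=File.write path=/data/data/com.example.app/cache/log.txt",
]


if __name__ == "__main__":
    for key, value in analyze_behavior(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```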
Fig. 3 is a schematic structural diagram of an apparatus for dynamic analysis of an application according to an embodiment of the present invention. As shown in fig. 3, the apparatus includes: an acquisition module 310, a behavior data collection module 320, and an analysis module 330.
The obtaining module 310 is configured to obtain an installation package file of an application program to be analyzed.
In the embodiment of the present invention, the installation package file of the application to be analyzed may be an installation package file uploaded by a client, or an installation package file downloaded from a website or from a local application. For example, after a developer has developed a new application and before it is released to the market, the developer may upload its installation package file through the file-upload entry provided by the client so that dynamic behavior analysis is performed on it; likewise, after downloading the installation package file of an application from an application store or the like, an ordinary user may upload it through the same file-upload entry for dynamic behavior analysis.
The behavior data collection module 320 is configured to put the installation package file into a sandbox for operation and to collect the behavior data generated while the installation package file runs.
After the installation package file is obtained, the installation package file can be put into a sandbox, the installation package file is operated in the sandbox, and behavior data generated in the operation process of the installation package file is collected to be used as an analysis object of subsequent analysis. Here, running the installation package file in the sandbox can avoid affecting the real system.
The analysis module 330 is configured to analyze the behavior data to obtain an analysis result.
According to the device provided by the embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, the installation package file is put into the sandbox to operate, the behavior data generated in the operation process of the installation package file is collected, the behavior data is analyzed, and the analysis result is obtained, so that the operation behavior of the application program can be comprehensively monitored and analyzed, and a user can determine whether to adjust the application program according to the analysis result.
Fig. 4 is a schematic structural diagram of an apparatus for dynamic analysis of an application according to another embodiment of the present invention. As shown in fig. 4, the apparatus includes: an acquisition module 410, a behavior data collection module 420, and an analysis module 430.
The obtaining module 410 is configured to obtain an installation package file of an application to be analyzed. The application program is a mobile application program or a non-mobile application program.
The behavior data collection module 420 is configured to put the installation package file into a sandbox for operation and to collect, by means of taint analysis and/or hook technology, the behavior data generated while an application simulator with a lightweight kernel runs the installation package file.
The behavior data includes one or more of the following: running logs, running screenshots and transmitted data.
Specifically, the behavior data collection module 420 comprises a triggering unit 421, configured to trigger the application simulator with the lightweight kernel to run the installation package file automatically by means of a code coverage technique, and a behavior data collection unit 422, configured to collect, by means of taint analysis and/or hook technology, the behavior data generated while the installation package file runs.
The analysis module 430 is configured to analyze the behavior data to obtain an analysis result.
The analysis module 430 is specifically configured to perform sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavior data.
In addition, the analysis module 430 is further configured to input the behavior data into a preset behavior data model and analyze it to obtain the analysis result, where the behavior data model is obtained by training on the behavior features in the application feature library.
Alternatively, the analysis module 430 is further configured to analyze the behavior data by pattern matching to obtain the analysis result.
Furthermore, the apparatus further comprises an unpacking module 440, configured to determine whether the installation package file has been packed (shelled) and, when it has, to unpack it.
Specifically, the unpacking module 440 is further configured to perform script parsing on the installation package file and determine whether it contains a hardening vendor identifier and a hardening scheme.
After an application program is developed, its installation package file may be packed, mainly to resist reverse engineering and code injection attacks. However, because a packed installation package file makes program behavior analysis much more difficult, it is also necessary, after the installation package file is acquired, to determine whether it has been packed.
Generally, the hardening scheme adopted by a hardening vendor is fixed, and an installation package file hardened by that vendor carries the vendor's identifier. Therefore, whether the installation package file has been packed can be determined by performing script parsing on the installation package file and checking whether it contains a hardening vendor identifier and a hardening scheme.
The apparatus further comprises an instrumentation module 450, configured to instrument the installation package file.
After the installation package file has been unpacked, or after it has been determined not to be packed, the installation package file can be instrumented: a section of code, a probe node or the like is inserted into the code of the installation package file so that the corresponding behavior data can be obtained when the installation package file runs.
According to the apparatus provided by the embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, whether the installation package file has been packed is determined; if so, it is unpacked to facilitate the subsequent collection of behavior data. The installation package file is instrumented so that behavior data can be collected in a targeted manner, it is put into the sandbox to run, the behavior data generated while it runs is collected, and the behavior data is input into the behavior data model for analysis to obtain the analysis result. In this way the running behavior of the application program can be comprehensively monitored and analyzed, and a user can decide whether to adjust the application program according to the analysis result.
Thus, it should be appreciated by those skilled in the art that while a number of exemplary embodiments of the invention have been illustrated and described in detail herein, many other variations or modifications consistent with the principles of the invention may be directly determined or derived from the disclosure of the invention without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should be understood and interpreted to cover all such other variations or modifications.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method or computer program product. In addition, the present invention is not intended to be limited to any particular programming language, it being understood that various programming languages may be used to implement the present invention as described herein, and any specific languages are provided for disclosure of enablement and best mode of the present invention.
It should be noted that although several modules of the apparatus for dynamic analysis of an application are described in detail in the above description, such division is merely exemplary and not mandatory. Those skilled in the art will appreciate that, in practice, the modules in the embodiments may be adaptively changed, that a plurality of modules in the embodiments may be combined into one module, or that one module may be divided into a plurality of modules.
Moreover, while operations for carrying out the invention are illustrated in the drawings in a particular order, this does not require or imply that all of the illustrated operations must be performed in that particular order to achieve desirable results. Some steps may be omitted, multiple steps may be combined into one step for execution, or one step may be divided into multiple steps for execution.
In summary, with the method and device for dynamically analyzing an application program of the present invention, after the installation package file of the application program to be analyzed is obtained, the installation package file is placed into a sandbox to run, the behavior data generated while it runs is collected, and the behavior data is analyzed to obtain an analysis result, so that the run-time behavior of the application program can be comprehensively monitored and analyzed, and a user can decide, based on the analysis result, whether to adjust the application program.
The method of the invention and its specific implementation have been described in detail, and corresponding examples have been given. Of course, the present invention may have other embodiments besides those above, and all technical solutions formed by equivalent substitutions or equivalent transformations fall within the protection scope of the present invention.
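The analysis stage described above (pattern matching over collected behavior data, with sensitive behavior, malicious behavior and permission analysis) can be illustrated with the following added Python example, which is not the patent's code. It parses constructed run-log lines, applies a source-then-network-sink sequence rule and a short-code SMS rule, and compares the permissions implied by the observed API calls with a constructed declared-permission set. The log line format, the API-to-permission table, the rule window and the short-code heuristic are assumptions made for the example.

```python
"""Rule-based analysis of collected behavior data.

Added example; not the patent's code. Log lines, permission table and rule
thresholds are constructed assumptions.
"""
import re

# Constructed run-log sample (format assumed: "<ts> api=<name> args=[...]")
SAMPLE_LOG = """\
00:00:01.120 api=android.telephony.TelephonyManager.getDeviceId args=[]
00:00:01.300 api=android.provider.ContactsContract.query args=[content://com.android.contacts/contacts]
00:00:02.010 api=java.net.HttpURLConnection.connect args=[http://203.0.113.7/collect]
00:00:02.015 api=java.io.OutputStream.write args=[bytes=412]
00:00:05.400 api=android.telephony.SmsManager.sendTextMessage args=[dest=10690001, body=YD]
00:00:07.000 api=android.hardware.Camera.open args=[0]
"""

# Constructed manifest permissions for the sample app
DECLARED_PERMISSIONS = {"INTERNET", "READ_CONTACTS", "READ_PHONE_STATE",
                        "CAMERA", "ACCESS_FINE_LOCATION"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) api=(?P<api>\S+) args=\[(?P<args>.*)\]$")

# Assumed mapping from observed API to the permission it implies
API_PERMISSION = {
    "android.telephony.TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "android.provider.ContactsContract.query": "READ_CONTACTS",
    "java.net.HttpURLConnection.connect": "INTERNET",
    "android.telephony.SmsManager.sendTextMessage": "SEND_SMS",
    "android.hardware.Camera.open": "CAMERA",
}
SENSITIVE_APIS = {
    "android.telephony.TelephonyManager.getDeviceId",
    "android.provider.ContactsContract.query",
    "android.telephony.SmsManager.sendTextMessage",
    "android.hardware.Camera.open",
}
SOURCES = {"android.telephony.TelephonyManager.getDeviceId",
           "android.provider.ContactsContract.query"}
NETWORK_SINKS = {"java.net.HttpURLConnection.connect"}
SHORT_CODE_RE = re.compile(r"dest=(\d{4,8})(?:,|$)")  # assumed short-code heuristic


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_log(text):
    """Turn run-log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"t": _seconds(m["ts"]), "api": m["api"], "args": m["args"]})
    return events


def sensitive_calls(events):
    """Sensitive behavior analysis: every call to a sensitive API."""
    return [e["api"] for e in events if e["api"] in SENSITIVE_APIS]


def match_patterns(events, window=10.0):
    """Malicious behavior analysis: sequence and argument patterns."""
    findings = []
    for i, src in enumerate(events):
        if src["api"] not in SOURCES:
            continue
        for sink in events[i + 1:]:
            if sink["api"] in NETWORK_SINKS and sink["t"] - src["t"] <= window:
                findings.append({"rule": "exfiltration",
                                 "source": src["api"], "sink": sink["args"]})
                break
    for e in events:
        if e["api"].endswith("SmsManager.sendTextMessage"):
            m = SHORT_CODE_RE.search(e["args"])
            if m:
                findings.append({"rule": "premium_sms", "dest": m.group(1)})
    return findings


def permission_analysis(events, declared):
    """Permission analysis: compare permissions implied by calls with the manifest."""
    used = {API_PERMISSION[e["api"]] for e in events if e["api"] in API_PERMISSION}
    return {"used_undeclared": sorted(used - declared),
            "declared_unused": sorted(declared - used)}


def analyze(log_text, declared):
    events = parse_log(log_text)
    sensitive = sensitive_calls(events)
    findings = match_patterns(events)
    verdict = "malicious" if findings else ("sensitive" if sensitive else "benign")
    return {"sensitive": sensitive, "findings": findings,
            "permissions": permission_analysis(events, declared),
            "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG, DECLARED_PERMISSIONS), indent=2))
```

On the sample, both sources are followed by a network connect within the window, the SMS goes to a short code, and SEND_SMS is used without being declared, so the verdict is "malicious"; the thresholds and tables would be tuned against a real feature library rather than fixed as here.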

Claims (16)

1. A method for dynamic analysis of an application, the method comprising:
acquiring an installation package file of an application program to be analyzed;
placing the installation package file into a sandbox to run, and collecting behavior data generated while the installation package file runs, wherein the behavior data comprises one or more of the following: a run log, a run-time screenshot, and transmitted data;
analyzing the behavior data to obtain an analysis result;
wherein analyzing the behavior data to obtain an analysis result further comprises:
inputting the behavior data into a preset behavior data model and performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavior data to obtain an analysis result, wherein the behavior data model is obtained by training on behavior features from an application feature library.
2. The method of claim 1, wherein collecting the behavior data generated while the installation package file runs further comprises:
collecting, by means of taint analysis and/or hooking, the behavior data generated while an application emulator with a lightweight-processed kernel runs the installation package file.
3. The method of claim 2, wherein the running of the installation package file by the application emulator with the lightweight-processed kernel specifically comprises: triggering the application emulator with the lightweight-processed kernel to run the installation package file automatically by means of a code coverage technique.
4. The method of any of claims 1-3, wherein, before placing the installation package file into the sandbox to run, the method further comprises:
determining whether the installation package file has been packed (shelled); and
if so, unpacking the installation package file.
5. The method of claim 4, wherein determining whether the installation package file has been packed further comprises:
performing script analysis on the installation package file and determining whether the installation package file contains a hardening vendor identifier and a hardening scheme.
6. The method of claim 4, wherein, after the installation package file has been unpacked, the method further comprises:
instrumenting the installation package file.
7. The method of any of claims 1-3, wherein analyzing the behavior data to obtain an analysis result further comprises:
analyzing the behavior data by pattern matching to obtain an analysis result.
8. The method of any of claims 1-3, wherein the application is a mobile application or a non-mobile application.
9. An apparatus for dynamic analysis of an application, the apparatus comprising:
an acquisition module for acquiring an installation package file of the application program to be analyzed;
a behavior data collection module for placing the installation package file into a sandbox to run and collecting behavior data generated while the installation package file runs, wherein the behavior data comprises one or more of the following: a run log, a run-time screenshot, and transmitted data;
an analysis module for analyzing the behavior data to obtain an analysis result;
wherein the analysis module is further configured to input the behavior data into a preset behavior data model and perform sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavior data to obtain an analysis result, wherein the behavior data model is obtained by training on behavior features from an application feature library.
10. The apparatus of claim 9, wherein the behavior data collection module is further configured to collect, by means of taint analysis and/or hooking, the behavior data generated while an application emulator with a lightweight-processed kernel runs the installation package file.
11. The apparatus of claim 10, wherein the behavior data collection module comprises: a triggering unit for triggering the application emulator with the lightweight-processed kernel to run the installation package file automatically by means of a code coverage technique;
and a behavior data collection unit for collecting, by means of taint analysis and/or hooking, the behavior data generated while the installation package file runs.
12. The apparatus of any of claims 9-11, further comprising an unpacking module for determining whether the installation package file has been packed (shelled) and, where it is determined to have been packed, unpacking the installation package file.
13. The apparatus of claim 12, wherein the unpacking module is further configured to perform script analysis on the installation package file and determine whether the installation package file contains a hardening vendor identifier and a hardening scheme.
14. The apparatus of claim 12, further comprising an instrumentation module for instrumenting the installation package file.
15. The apparatus of any of claims 9-11, wherein the analysis module is further configured to analyze the behavior data by pattern matching to obtain an analysis result.
16. The apparatus of any of claims 9-11, wherein the application is a mobile application or a non-mobile application.
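An added example of the packing check in claims 5 and 13 (not the patent's implementation): the script below opens an APK as a zip archive and looks for file names that commonly betray a hardening vendor's runtime stub, which is the cheapest form of the "hardening vendor identifier" check. The marker table is illustrative and assumed (drawn from commonly documented stub file names; vendors rename these over time, so a production list needs maintaining), and the sample APKs are constructed in memory.

```python
"""Detect a commercial packer (hardening shell) from APK archive entries.

Added example; not the patent's code. The marker table is an assumption and
the sample APKs are constructed in memory.
"""
import io
import posixpath
import zipfile

# Illustrative, assumed markers: substrings of entry basenames associated with
# a hardening vendor's native stub or data files.
PACKER_MARKERS = {
    "Qihoo 360 Jiagu": ["libjiagu.so", "libjiagu_art.so", "libjiagu_x86.so"],
    "Bangcle": ["libsecexe.so", "libsecmain.so", "bangcleplugin"],
    "ijiami": ["ijiami.dat", "libexec.so", "libexecmain.so"],
    "Tencent Legu": ["libshella", "libshellx", "mix.dex"],
    "Alibaba": ["libmobisec.so", "libmobisecx.so"],
    "Baidu": ["libbaiduprotect.so"],
}


def detect_packer(apk_bytes):
    """Return packed flag, matched vendors and the entries that matched."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    evidence = []
    for vendor, markers in PACKER_MARKERS.items():
        for name in names:
            base = posixpath.basename(name)
            if any(marker in base for marker in markers):
                evidence.append((vendor, name))
    vendors = sorted({vendor for vendor, _ in evidence})
    return {"packed": bool(evidence), "vendors": vendors, "evidence": evidence}


def build_sample_apk(packed):
    """Construct a minimal in-memory APK-like zip for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        if packed:
            # A packed app ships a tiny stub dex plus the vendor's loader library.
            zf.writestr("assets/libjiagu.so", b"\x7fELF" + b"\0" * 32)
            zf.writestr("lib/armeabi-v7a/libjiagu.so", b"\x7fELF" + b"\0" * 32)
        else:
            zf.writestr("lib/armeabi-v7a/libnative-lib.so", b"\x7fELF" + b"\0" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(detect_packer(build_sample_apk(flag)))
```

A name match only says which vendor's stub is present; the unpacking that follows in claim 4 is vendor-specific (typically dumping the real dex from process memory after the stub has loaded it) and is not shown here. Absence of a match is not proof that the package is unpacked, since custom shells leave no well-known file names.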
CN201611160804.3A 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program Active CN106778247B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611160804.3A CN106778247B (en) 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611160804.3A CN106778247B (en) 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program

Publications (2)

Publication Number Publication Date
CN106778247A CN106778247A (en) 2017-05-31
CN106778247B true CN106778247B (en) 2020-09-08

Family

ID=58887552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611160804.3A Active CN106778247B (en) 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program

Country Status (1)

Country Link
CN (1) CN106778247B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009424A (en) * 2017-11-22 2018-05-08 北京奇虎科技有限公司 Virus behavior detection method, apparatus and system
CN108021806B (en) * 2017-11-24 2021-10-22 北京奇虎科技有限公司 Malicious installation package identification method and device
CN108920943A (en) * 2018-05-08 2018-11-30 国家计算机网络与信息安全管理中心 The method and device of installation binding behavior is detected for application software
CN109145588B (en) * 2018-07-27 2023-05-05 平安科技(深圳)有限公司 Data processing method and device
CN109492355B (en) * 2018-11-07 2021-09-07 中国科学院信息工程研究所 Software anti-analysis method and system based on deep learning
CN109740351A (en) * 2018-12-28 2019-05-10 广东电网有限责任公司 A kind of leak detection method, device and the equipment of embedded firmware
CN111079146A (en) * 2019-12-10 2020-04-28 苏州浪潮智能科技有限公司 Malicious software processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105160251A (en) * 2015-07-06 2015-12-16 国家计算机网络与信息安全管理中心 Analysis method and device of APK (Android Packet) application software behavior
CN105959372A (en) * 2016-05-06 2016-09-21 华南理工大学 Internet user data analysis method based on mobile application
CN106022130A (en) * 2016-05-20 2016-10-12 中国科学院信息工程研究所 Shelling method and device for reinforced application program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm


Also Published As

Publication number Publication date
CN106778247A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN106778247B (en) Method and device for dynamically analyzing application program
Keliris et al. ICSREF: A framework for automated reverse engineering of industrial control systems binaries
CN105069355B (en) The static detection method and device of webshell deformations
CN102622536B (en) Method for catching malicious codes
CN107657177B (en) Vulnerability detection method and device
Sabhadiya et al. Android malware detection using deep learning
CN111639337B (en) Unknown malicious code detection method and system for massive Windows software
CN104834859A (en) Method for dynamically detecting malicious behavior in Android App (Application)
CN103761481A (en) Method and device for automatically processing malicious code sample
US12039034B2 (en) Undetectable sandbox for malware
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
CN102043915A (en) Method and device for detecting malicious code contained in non-executable file
CN103810222A (en) Sample file processing method and device
CN111783094A (en) Data analysis method and device, server and readable storage medium
CN112688966A (en) Webshell detection method, device, medium and equipment
CN112347487A (en) Debugging analysis method for stack overflow vulnerability of MIPS instruction set program
CN108572892B (en) PowerPC multi-core processor-based offline test method and device
CN104134019A (en) Script virus detection method and device
CN115391230A (en) Test script generation method, test script penetration method, test script generation device, test penetration device, test equipment and test medium
CN104657259A (en) Android application testing method and device
KR101557455B1 (en) Application Code Analysis Apparatus and Method For Code Analysis Using The Same
CN111291377A (en) Application vulnerability detection method and system
CN116522345A (en) Vulnerability discovery method, device, equipment and readable storage medium
Liu et al. Automated binary analysis: A survey
CN114579457A (en) Novel power system firmware operation simulation platform and simulation method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200728

Address after: 215028 No. 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province

Applicant after: JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.

Applicant after: JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.

Address before: Suzhou City, Jiangsu province 215021 East Road, Suzhou Industrial Park, No. 88 building 2.5 Industrial Park building C2 4F

Applicant before: JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.

GR01 Patent grant