Method and device for building an application abnormal-behaviour identification model, and identification method and device
Technical field
The present invention relates to the technical field of application security, and in particular to a method and device for building an application abnormal-behaviour identification model, and to an identification method and device.
Background art
In recent years, with the continuing development of the mobile Internet, power enterprises have brought business development and the application of new technology into close contact under the "Internet+" environment, and have proposed mobile power services, mobile operations and mobile office work as development directions. These provide enterprise staff and power customers with more open and intelligent services, strengthen the contact between enterprise staff, partners and power customers, and realise the real-time circulation and sharing of power business information, greatly improving operating efficiency. However, under the information-security protection schemes of the existing conventional Internet, the enterprise mobile applications that support this business on the one hand carry the security vulnerabilities of Android itself, and on the other hand mostly run on personal mobile devices whose runtime security state is unknown; once a mobile application is attacked, enterprise business data are easily obtained and company secrets are leaked. It is therefore necessary to build a monitoring scheme for the misuse of power-enterprise mobile applications, one that monitors, analyses, judges and filters the negligent or malicious usage behaviour that may occur while a mobile application is running, so that harm is prevented before it actually occurs and the operational security of the mobile application is ensured.
At present, detection techniques at home and abroad for analysing the dynamic behaviour of a mobile application at run time are mostly based on sandbox technology, hook technology and taint analysis at the mobile-application framework layer: monitoring indicators such as the application's CPU usage, network traffic, number of processes and API call sequence are collected, and an intelligent algorithm (such as a support vector machine, a neural network or a Bayesian classifier) analyses the dynamic behaviour of the program to decide whether it is malicious behaviour or malware. However, most existing dynamic-behaviour detection platforms for mobile applications (such as the open-source MobSF and DroidBox) install the mobile application on an emulator, start it there and record its run-time information in order to analyse malware or abnormal behaviour. Such a detection scheme cannot effectively cover the real-device environment and the many factors that trigger abnormal behaviour when the application is used in practice, and malware can evade detection by recognising the emulator or by delaying the time of attack. It is therefore necessary to study techniques that detect malicious behaviour while the enterprise application is in normal use.
Summary of the invention
The technical problem to be solved by the present invention is therefore that the existing method of starting an application on an emulator and recording its run-time information to analyse malware or abnormal behaviour cannot effectively cover the real-device environment and the many factors that trigger abnormal behaviour when the application is used in practice, and that malware can evade detection by recognising the emulator or by delaying the attack.
Accordingly, embodiments of the invention provide the following technical solutions:
A method for building an application abnormal-behaviour identification model, comprising the following steps:
obtaining, respectively, first API-call log samples of a plurality of normal application samples and second API-call log samples of a plurality of malicious application samples;
building the abnormal-behaviour identification model from the first API-call log samples and the second API-call log samples.
Optionally, the step of obtaining, respectively, the first API-call log samples of the plurality of normal application samples and the second API-call log samples of the plurality of malicious application samples includes:
converting the Java-layer API interface call function into a native-layer API interface call function;
modifying the attribute of the native-layer API interface call function so that the call is redirected to the Native_HOOK function;
calling back, from the Native_HOOK function, the log-monitoring function injected in the Java layer, so as to record the API interface calls in real time.
Optionally, the step of building the abnormal-behaviour identification model from the first and second API-call log samples includes a step of pre-processing the first and second API-call log samples respectively, which comprises:
numerically encoding the feature-vector elements in the first and second API-call log samples respectively;
applying a linear transformation to each numerically encoded feature-vector element so that its value lies between 0 and 1.
Optionally, the step of building the abnormal-behaviour identification model from the first and second API-call log samples includes:
constructing a membership function;
setting the weight parameter of the support vector machine (SVM) training function to the membership function, so as to obtain a fuzzy support vector machine (FSVM);
training the fuzzy support vector machine (FSVM) with the first and second API-call log samples to obtain the abnormal-behaviour identification model.
Optionally, the membership function is:
where $s_i^+$ is the membership degree of an abnormal-behaviour-class sample and $s_i^-$ is the membership degree of a normal-behaviour-class sample; $m^+$ and $m^-$ are the class-imbalance factors, that is, the uniform weights given to the abnormal-behaviour-class samples and the normal-behaviour-class samples respectively; and the remaining terms denote the abnormal-behaviour-class sample set, the normal-behaviour-class sample set, and the denoising fuzzy factor.
Optionally, the discriminant function of the abnormal-behaviour identification model is:
where $x$ is the sample to be detected, $x_i$ is a support vector, $n$ is the number of support vectors, $\alpha_i$ is a Lagrange multiplier, $K(x_i, x)$ is the kernel function, $\rho$ is the hyperplane intercept, and $f(x)$ is the classification result.
An abnormal-behaviour identification method for an application, comprising the following steps:
obtaining the API-call log while the application is running;
classifying the API-call log with the application abnormal-behaviour identification model built by any one of the above methods, so as to identify abnormal behaviour.
Optionally, the step of obtaining the API-call log while the application is running includes a step of obtaining the API interfaces to be monitored, which comprises:
decompiling the installation package (APK) of the application to obtain its permission list;
obtaining the sensitive API interfaces of the application from its permission list.
A device for building an application abnormal-behaviour identification model, comprising:
a log-sample acquisition unit for obtaining, respectively, first API-call log samples of a plurality of normal application samples and second API-call log samples of a plurality of malicious application samples;
a model-building unit for building the abnormal-behaviour identification model from the first API-call log samples and the second API-call log samples.
Optionally, the log-sample acquisition unit includes:
a conversion sub-unit for converting the Java-layer API interface call function into a native-layer API interface call function;
an attribute-modification sub-unit for modifying the attribute of the native-layer API interface call function so that the call is redirected to the Native_HOOK function;
a log-recording sub-unit for calling back, from the Native_HOOK function, the log-monitoring function injected in the Java layer, so as to record the API interface calls in real time.
Optionally, the model-building unit includes:
a numerical-encoding sub-unit for numerically encoding the feature-vector elements in the first and second API-call log samples respectively;
a normalisation sub-unit for applying a linear transformation to each numerically encoded feature-vector element so that its value lies between 0 and 1.
Optionally, the model-building unit includes:
a construction sub-unit for constructing a membership function;
a parameter-setting sub-unit for setting the weight parameter of the support vector machine (SVM) training function to the membership function, so as to obtain a fuzzy support vector machine (FSVM);
a training sub-unit for training the fuzzy support vector machine (FSVM) with the first and second API-call log samples to obtain the abnormal-behaviour identification model.
An abnormal-behaviour identification device for an application, comprising:
a log acquisition unit for obtaining the API-call log while the application is running;
a classification and identification unit for classifying the API-call log with the application abnormal-behaviour identification model built by any one of the above methods, so as to identify abnormal behaviour.
The technical solutions of the present invention have the following advantages:
1. The model-building method and device and the identification method and device provided by the embodiments of the present invention can identify in real time, from the API interface call log collected while the application actually runs on a real device, whether the behaviour of the application is abnormal, so that behaviour during actual use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behavioural data and therefore cannot effectively cover the real-device environment and the many factors that trigger abnormal behaviour when the application is used in practice. Because API interface calls touch on user privacy, the model built by this method is mainly suited to Android mobile applications with a low requirement for protecting user privacy, for example mobile applications for power enterprises.
2. The model-building method and device and the identification method and device provided by the embodiments of the present invention hook the native layer of the running application through the reflection mechanism. No system root privilege is needed, and the interception and monitoring of the application's sensitive API calls is achieved without affecting the normal operation of the mobile application.
Brief description of the drawings
In order to describe the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the accompanying drawings needed in the description of the specific embodiments or of the prior art are briefly introduced below. It is apparent that the drawings described below are some embodiments of the present invention, and that a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a method for building an application abnormal-behaviour identification model in Embodiment 1 of the present invention;
Fig. 2 is a flow chart of a method for injecting the API-call log monitoring function call in Embodiment 1 of the present invention;
Fig. 3 is a schematic diagram of the process of injecting the API-call log monitoring function call in Embodiment 1 of the present invention;
Fig. 4 is a flow chart of a method for obtaining the application abnormal-behaviour identification classifier in Embodiment 1 of the present invention;
Fig. 5 is a flow chart of an abnormal-behaviour identification method for an application in Embodiment 3 of the present invention;
Fig. 6 is a schematic diagram of the overall flow of building the application abnormal-behaviour identification classifier and identifying abnormal behaviour in Embodiment 3 of the present invention;
Fig. 7 is a block diagram of a device for building an application abnormal-behaviour identification model in Embodiment 4 of the present invention;
Fig. 8 is a block diagram of an abnormal-behaviour identification device for an application in Embodiment 5 of the present invention.
Detailed description of the embodiments
The technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In addition, the technical features involved in the different embodiments of the invention described below may be combined with one another as long as they do not conflict.
Embodiment 1
As shown in Fig. 1, this embodiment provides a method for building an application abnormal-behaviour identification model, comprising the following steps:
S11: obtaining, respectively, first API (Application Programming Interface) call log samples of a plurality of normal application samples and second API-call log samples of a plurality of malicious application samples. The normal application samples and malicious application samples may be applications other than the application to be detected. The API interfaces covered by the first and second API-call log samples are the same as the API interfaces covered by the API-call log used in actual detection.
S12: building the abnormal-behaviour identification model from the first API-call log samples and the second API-call log samples.
The model-building method provided by this embodiment pre-establishes the identification model from the call logs of specific API interfaces of sample applications. The identification model built by this method can identify in real time, from the API interface call log collected while the application actually runs on a real device, whether the behaviour of the application is abnormal, so that behaviour during actual use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behavioural data and therefore cannot effectively cover the real-device environment and the many factors that trigger abnormal behaviour when the application is used in practice. Because API interface calls touch on user privacy, the model built by this method is mainly suited to Android mobile applications with a low requirement for protecting user privacy, for example mobile applications for power enterprises.
As an optional implementation, as shown in Figs. 2 and 3, the above step S11, namely obtaining, respectively, the first API-call log samples of the plurality of normal application samples and the second API-call log samples of the plurality of malicious application samples, includes:
S111: converting the Java-layer API interface call function into a native-layer API interface call function (Native_API); specifically, the function is marked as native through the SET_METHOD_FLAG method.
S112: modifying the attribute of the native-layer API interface call function so that the call is redirected to the Native_HOOK function. The data structure of a native function contains a nativeFunc attribute that points to the entry of that native function, so modifying nativeFunc controls the function's flow. Pointing the nativeFunc attribute of the native-layer API interface call function at a self-implemented native function Native_Hook() therefore turns a call of the original Java function into a call of Native_Hook().
S113: calling back, from the Native_HOOK function, the log-monitoring function injected in the Java layer, so as to record the API interface calls in real time. Recording the API interface calls of the normal application samples yields the first API-call log samples, and recording the API interface calls of the malicious application samples yields the second API-call log samples.
The model-building method provided by this embodiment hooks the native layer of the running application through the reflection mechanism. No system root privilege is needed, and the interception and monitoring of the application's sensitive API calls is achieved without affecting the normal operation of the mobile application.
In this embodiment, the above step S11, namely obtaining, respectively, the first API-call log samples of the plurality of normal application samples and the second API-call log samples of the plurality of malicious application samples, further includes:
after the log-monitoring function has been injected by hooking into each normal application sample and each malicious application sample, running them in batch on an Android emulator and collecting the API function call logs of the normal and malicious application samples at run time. The Android emulator may be created on a PC.
In this embodiment, because the original first and second API-call log samples record the API function calls as character strings, they cannot be used directly as input for training and identification with an SVM (Support Vector Machine) and must first be pre-processed. The above step S12 therefore also includes a step of pre-processing the first and second API-call log samples respectively, which specifically comprises:
First, the feature-vector elements in the first and second API-call log samples are numerically encoded. The API function call strings recorded in the original first and second API-call log samples form a 7-dimensional feature vector whose elements are fixed; mapping each element of the feature vector one-to-one to a numerical value gives the numerically encoded feature vector, written as $X=\{x_1, x_2, \cdots, x_i\},\ i\in[1,7],\ i\in\mathbb{Z}$, where $x_i$ is the numerically encoded feature-vector element.
Then, a linear transformation is applied to each numerically encoded feature-vector element so that its value lies between 0 and 1. Mapping the feature-vector elements onto the interval [0, 1] reduces the influence of differing scales. The transfer function is:
where $x_{\max}$ is the maximum and $x_{\min}$ the minimum of the training sample data.
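The two pre-processing steps above, numerical encoding of the call log into the fixed 7-element vector and min-max scaling into [0, 1], as an added example (not the patent's code). The log-line format, the order of the seven behaviours and the API-to-behaviour table are assumptions of this example; the sample logs are constructed, not captured from any real application. The scaling uses the extremes of the training data only and handles the two cases the text leaves open: a constant feature (division by zero) and a run-time value outside the training range.

```python
"""Pre-processing of hooked API-call logs into FSVM input vectors.

Added example, not the patent's own code: it turns a per-application
API-call log (one hooked call per line) into the 7-dimensional numeric
feature vector the text describes and then min-max scales each element
into [0, 1] using the extremes of the TRAINING data only.
"""
from collections import Counter

# Fixed order of the feature-vector elements, one per sensitive behaviour
# named in Table 1. The ordering itself is an assumption of this example.
SENSITIVE_BEHAVIOURS = (
    "send_sms", "read_sms", "open_wifi", "open_mobile_net",
    "get_location", "make_call", "connect_network",
)

# Illustrative subset of a permission/API-to-behaviour mapping such as the
# one derived from PScout; the real table is far larger. Hypothetical.
API_TO_BEHAVIOUR = {
    "android.telephony.SmsManager.sendTextMessage": "send_sms",
    "android.content.ContentResolver.query": "read_sms",
    "android.net.wifi.WifiManager.setWifiEnabled": "open_wifi",
    "android.net.ConnectivityManager.setMobileDataEnabled": "open_mobile_net",
    "android.location.LocationManager.getLastKnownLocation": "get_location",
    "android.telecom.TelecomManager.placeCall": "make_call",
    "java.net.HttpURLConnection.connect": "connect_network",
}


def encode(log_text):
    """Numerical encoding: count hooked calls per sensitive behaviour.

    Each log line is assumed to look like '<time> <package> <api>' (a
    constructed format for this example). Calls to APIs outside the
    sensitive list are ignored, and malformed lines are skipped rather
    than raising, since a hostile app can write anything into a log.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        behaviour = API_TO_BEHAVIOUR.get(parts[2])
        if behaviour is not None:
            counts[behaviour] += 1
    return [counts[b] for b in SENSITIVE_BEHAVIOURS]


def fit_minmax(training_vectors):
    """Per-element minimum and maximum over the training samples."""
    cols = list(zip(*training_vectors))
    return [min(c) for c in cols], [max(c) for c in cols]


def normalise(vector, mins, maxs, clip=True):
    """Linear map x -> (x - x_min) / (x_max - x_min) into [0, 1].

    A constant training column (x_max == x_min) would divide by zero; it
    carries no information, so it is mapped to 0.0. Run-time samples may
    exceed the training range, so values are clipped unless clip=False.
    """
    out = []
    for x, lo, hi in zip(vector, mins, maxs):
        if hi == lo:
            out.append(0.0)
            continue
        v = (x - lo) / (hi - lo)
        if clip:
            v = min(1.0, max(0.0, v))
        out.append(v)
    return out


# Constructed sample logs (not captured from any real application).
NORMAL_LOG = """\
10:00:01.120 com.example.power java.net.HttpURLConnection.connect
10:00:01.300 com.example.power android.location.LocationManager.getLastKnownLocation
10:00:02.010 com.example.power java.net.HttpURLConnection.connect
10:00:02.500 com.example.power android.os.SystemClock.uptimeMillis
"""
MALICIOUS_LOG = """\
10:05:00.001 com.example.evil android.content.ContentResolver.query
10:05:00.002 com.example.evil android.content.ContentResolver.query
10:05:00.100 com.example.evil android.telephony.SmsManager.sendTextMessage
10:05:00.150 com.example.evil android.telephony.SmsManager.sendTextMessage
10:05:00.200 com.example.evil android.telephony.SmsManager.sendTextMessage
10:05:01.000 com.example.evil java.net.HttpURLConnection.connect
garbage line
"""


def preprocess_training_set(logs):
    """Encode every training log and scale it; return the vectors plus the
    (mins, maxs) that must be reused, unchanged, at detection time."""
    raw = [encode(t) for t in logs]
    mins, maxs = fit_minmax(raw)
    return [normalise(v, mins, maxs) for v in raw], (mins, maxs)


if __name__ == "__main__":
    vectors, (mins, maxs) = preprocess_training_set([NORMAL_LOG, MALICIOUS_LOG])
    for name, v in zip(("normal", "malicious"), vectors):
        print(name, [round(x, 2) for x in v])
```

The `(mins, maxs)` pair is part of the model: if detection-time samples are scaled with their own extremes instead of the training ones, a single burst of SMS calls would be normalised to the same value as one call, and the classifier would see nothing unusual.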
For some applications, such as power-enterprise applications, malicious behaviour is hard to collect: the samples are few and unbalanced against the normal-behaviour samples. The fuzzy support vector machine (FSVM), which suits class-imbalanced samples, is therefore chosen as the intelligent detection algorithm. Specifically, as shown in Fig. 4, the above step S12, namely building the abnormal-behaviour identification model from the first and second API-call log samples, includes:
S121: constructing the membership function. The design of the membership function is the key to realising FSVM training and detection. Suppose a training sample set of $l$ samples $(x_i, y_i)$, $x_i\in\mathbb{R}^n$, $y_i\in\{-1,+1\}$, $i=1,2,\ldots,l$; the membership function is:
where $s_i^+$ is the membership degree of an abnormal-behaviour-class (also called positive-class) sample and $s_i^-$ is the membership degree of a normal-behaviour-class (also called negative-class) sample; $m^+$ and $m^-$ are the class-imbalance factors, the uniform weights given to the abnormal-behaviour-class and normal-behaviour-class samples respectively, whose values are determined by the sizes and the dispersion of the positive and negative classes and which reflect the sample imbalance between the classes, their purpose being to reduce the shift of the SVM separating surface caused by sample imbalance; the remaining terms denote the abnormal-behaviour-class sample set, the normal-behaviour-class sample set, and the denoising fuzzy factor, which expresses the importance of sample $x_i$ within its own class and whose purpose is to suppress the noise and interference that isolated samples cause to SVM classification. This membership function thus accounts both for the interference of noise and isolated points and for the influence of inter-class sample imbalance on the separating surface.
S122: the FSVM training and detection algorithm may be developed with the LIBSVM toolkit; the weight parameter of the support vector machine (SVM) training function is set to the membership function, which yields the fuzzy support vector machine (FSVM). The FSVM uses the radial basis kernel function $\exp(-g\|u-v\|^2)$; the kernel parameter $g$ and the FSVM penalty coefficient $v$ are optimised by grid search.
S123: training the fuzzy support vector machine (FSVM) with the first and second API-call log samples to obtain the optimal classifier, which serves as the application abnormal-behaviour identification model. Specifically, the collected first and second API-call log samples are used as FSVM input, the label of normal-behaviour samples is set to 1 and the label of abnormal-behaviour samples is set to -1. The discriminant function of the optimal classifier is:
where $x$ is the sample to be detected, $x_i$ is a support vector, $n$ is the number of support vectors, $\alpha_i$ is a Lagrange multiplier, $K(x_i, x)$ is the kernel function, $\rho$ is the hyperplane intercept, and $f(x)$ is the classification result.
In the model-building method provided by this embodiment, the abnormal-behaviour samples of some applications are hard to obtain and are unbalanced against the normal-behaviour samples, so the imbalance classification algorithm FSVM is introduced to build an identification model that realises intelligent detection of abnormal behaviour.
Embodiment 2
This embodiment provides a method for building an application abnormal-behaviour identification model, comprising the following steps:
Step 1: obtaining a plurality of normal application samples and a plurality of malicious application samples respectively.
Step 2: repackaging each normal application sample and each malicious application sample with the injected native hook functions for the sensitive API interfaces and the log-monitoring function.
Step 3: running the normal and malicious application samples injected with the log-monitoring function in batch on an Android emulator, and collecting the first API-call log samples of the normal application samples and the second API-call log samples of the malicious application samples respectively.
Step 4: constructing the membership function and selecting the kernel function.
Step 5: with the first API-call log samples of the normal application samples and the second API-call log samples of the malicious application samples as FSVM input, setting the label of normal-behaviour samples to 1 and the label of abnormal-behaviour samples to -1, and training to obtain the optimal FSVM classifier, which is the application abnormal-behaviour identification model.
Embodiment 3
This embodiment provides an abnormal-behaviour identification method for an application, as shown in Figs. 5 and 6, which is applicable to power-enterprise mobile applications and comprises the following steps:
S31: obtaining the API-call log while the application is running; this API-call log is the sensitive-API call log of the application actually running on a real device. The application may be a power-enterprise mobile application.
S32: classifying the API-call log with the application abnormal-behaviour identification model built by the method of Embodiment 1 or 2 above, so as to identify abnormal behaviour.
The abnormal-behaviour identification method provided by this embodiment can identify in real time, from the API interface call log collected while the application actually runs on a real device, whether the behaviour of the application is abnormal, so that behaviour during actual use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behavioural data and therefore cannot effectively cover the real-device environment and the many factors that trigger abnormal behaviour when the application is used in practice. Because API interface calls touch on user privacy, the model built by this method is mainly suited to Android mobile applications with a low requirement for protecting user privacy, for example mobile applications for power enterprises.
In this embodiment the call logs of all API interfaces of the application are not needed; the call logs of the more sensitive API interfaces suffice to judge whether the application shows abnormal behaviour. The above step S31, obtaining the API-call log while the application is running, therefore includes a step of extracting the sensitive API interfaces, specifically as follows:
First, the installation package (APK) of the application is decompiled to obtain its permission list. Specifically, the apktool tool decompiles the APK to recover the application's AndroidManifest.xml file, and traversing this file yields the permission list of the application.
Then, the sensitive API interfaces of the application are obtained from its permission list, specifically by querying the permission-API mapping table of the open-source tool PScout to obtain the application's list of sensitive API calls. The correspondence between permissions, sensitive API interfaces and sensitive behaviours is shown in Table 1 below.
Table 1: permission - sensitive API interface - sensitive behaviour
As can be seen from the table, the sensitive behaviours corresponding to the sensitive API interfaces that can be used to judge whether the application's behaviour is abnormal include sending SMS messages, reading SMS messages, turning on WiFi, turning on the mobile network, obtaining geographic location, making phone calls and connecting to the network.
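The two sub-steps of S31 above (permission list from the manifest, then sensitive APIs from the permission list), as an added example that is not the patent's code. The apktool step is not reproduced; the manifest below is constructed as apktool would recover it, and the permission-to-API table is a small illustrative stand-in for the PScout mapping, whose real tables run to tens of thousands of rows. Both are assumptions of this example.

```python
"""Deriving the sensitive-API watch list from an application's permissions.

Added example, not the patent's code. The manifest is constructed and the
permission-to-API rows are an illustrative PScout-style subset.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative PScout-style rows: permission -> [(API, sensitive behaviour)].
PERMISSION_API_MAP = {
    "android.permission.SEND_SMS": [
        ("android.telephony.SmsManager.sendTextMessage", "send SMS")],
    "android.permission.READ_SMS": [
        ("android.content.ContentResolver.query", "read SMS")],
    "android.permission.CHANGE_WIFI_STATE": [
        ("android.net.wifi.WifiManager.setWifiEnabled", "open WiFi")],
    "android.permission.CHANGE_NETWORK_STATE": [
        ("android.net.ConnectivityManager.setMobileDataEnabled", "open mobile network")],
    "android.permission.ACCESS_FINE_LOCATION": [
        ("android.location.LocationManager.getLastKnownLocation", "get location")],
    "android.permission.CALL_PHONE": [
        ("android.telecom.TelecomManager.placeCall", "make call")],
    "android.permission.INTERNET": [
        ("java.net.HttpURLConnection.connect", "connect network")],
}

# Constructed manifest, as apktool would recover it from an APK.
MANIFEST_XML = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.power">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
    <application android:label="PowerApp"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Permission names from <uses-permission> and <uses-permission-sdk-23>,
    in document order, duplicates dropped."""
    root = ET.fromstring(manifest_xml)
    seen, out = set(), []
    for el in root.iter():
        if el.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = el.get("{%s}name" % ANDROID_NS)
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def sensitive_apis(permissions, mapping=PERMISSION_API_MAP):
    """Map the permission list to the (API, behaviour) pairs to hook.

    Permissions absent from the mapping are returned separately rather
    than ignored, so a stale table (a new OS permission, a renamed API)
    shows up as a gap in coverage instead of silently shrinking the
    watch list.
    """
    hooks, unmapped = [], []
    for perm in permissions:
        rows = mapping.get(perm)
        if rows is None:
            unmapped.append(perm)
        else:
            hooks.extend(rows)
    return hooks, unmapped


if __name__ == "__main__":
    perms = declared_permissions(MANIFEST_XML)
    hooks, unmapped = sensitive_apis(perms)
    for api, behaviour in hooks:
        print("hook", api, "#", behaviour)
    print("no mapping for:", unmapped)
```

The manifest is written by the application's author, so the list it yields is a lower bound on what to hook: APIs that need no permission (most of java.net, for instance, only needs INTERNET) are reachable whether or not the manifest says so, and the mapping must be refreshed for each Android release that PScout covers.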
Specifically, the above step S32, identifying the abnormal behaviour of the application from the API-call log, proceeds as follows:
First, the obtained sensitive-API call log is pre-processed, including the two steps of numerical encoding and normalisation; the specific processing is as in Embodiment 1 above.
Then, the pre-processed sensitive-API call log is classified with the application abnormal-behaviour identification model to judge whether the behaviour of the application is abnormal. The application abnormal-behaviour identification model, namely the FSVM classifier, has the discriminant function:
where $x$ is the sample to be detected, $x_i$ is a support vector, $n$ is the number of support vectors, $\alpha_i$ is a Lagrange multiplier, $K(x_i, x)$ is the kernel function, $\rho$ is the hyperplane intercept, and $f(x)$ is the classification result. According to the label settings of the training stage, if $f(x)=1$ the corresponding application behaviour is normal, and if $f(x)=-1$ the corresponding application behaviour is abnormal; that is, when $f(x)=-1$ a real-time alert or prompt is issued.
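The membership function and FSVM training of steps S121 to S123 in Embodiment 1, together with the classification rule of step S32 above, as one added example that is not the patent's code. The page's own membership formula is not reproduced in this text, so the one used here is an assumption in the style of Lin and Wang's FSVM: $s_i = m_c\,(1 - d_i/(r_c+\delta))$, where $m_c$ is the inverse class frequency (the imbalance factor) and the second factor down-weights samples far from their class centre (the denoising factor). LIBSVM is not used; the FSVM dual is solved by dual coordinate ascent with the bias folded into the kernel as $K+1$, which yields the same decision shape as the page, $f(x)=\operatorname{sign}(\sum_i \alpha_i y_i K(x_i,x)+\rho)$. The training vectors are constructed and already scaled into [0, 1].

```python
"""Fuzzy SVM training and classification for API-call feature vectors.

Added example, not the patent's own code. Membership function: assumed
form s_i = m_c * (1 - d_i / (r_c + delta)). Trainer: dual coordinate
ascent on the L1-SVM dual with per-sample box bounds s_i * C and the
bias folded into the kernel (K + 1).
"""
import math

NORMAL, ABNORMAL = 1, -1     # label convention of the training step (S123)


def rbf(u, v, g):
    """Radial basis kernel exp(-g * ||u - v||^2) in LIBSVM's parametrisation."""
    return math.exp(-g * sum((a - b) ** 2 for a, b in zip(u, v)))


def membership(X, y, delta=0.5):
    """Fuzzy weight s_i > 0 for every sample (assumed form, see docstring).

    delta=0.5 is an arbitrary smoothing constant for features already
    scaled into [0, 1]; it keeps the furthest sample of a class from
    receiving a zero weight.
    """
    n, dim = len(X), len(X[0])
    classes = sorted(set(y))
    s = [0.0] * n
    for c in classes:
        idx = [i for i in range(n) if y[i] == c]
        m_c = n / (len(classes) * len(idx))          # imbalance factor
        centre = [sum(X[i][k] for i in idx) / len(idx) for k in range(dim)]
        dist = {i: math.dist(X[i], centre) for i in idx}
        r_c = max(dist.values())                     # class radius
        for i in idx:
            s[i] = m_c * (1.0 - dist[i] / (r_c + delta))   # denoising factor
    return s


def train_fsvm(X, y, C=10.0, g=1.0, passes=200):
    """Maximise  sum_i a_i - 1/2 sum_ij a_i a_j y_i y_j (K_ij + 1)
    subject to 0 <= a_i <= s_i * C, one coordinate at a time.

    The per-sample box bound s_i * C is what makes this a fuzzy SVM: a
    noisy or isolated sample, or one from the over-represented class, is
    allowed less influence on the separating surface.
    """
    n = len(X)
    s = membership(X, y)
    Kp = [[rbf(X[i], X[j], g) + 1.0 for j in range(n)] for i in range(n)]
    alpha = [0.0] * n
    for _ in range(passes):
        for i in range(n):
            grad = 1.0 - y[i] * sum(alpha[j] * y[j] * Kp[i][j] for j in range(n))
            alpha[i] = min(s[i] * C, max(0.0, alpha[i] + grad / Kp[i][i]))
    sv = [i for i in range(n) if alpha[i] > 1e-9]
    return {
        "X": [X[i] for i in sv], "y": [y[i] for i in sv],
        "alpha": [alpha[i] for i in sv],
        "rho": sum(alpha[i] * y[i] for i in sv),   # bias recovered from the K+1 trick
        "g": g, "s": s,
    }


def decision(model, x):
    """sum_i alpha_i y_i K(x_i, x) + rho for a sample to be detected."""
    return sum(a * yi * rbf(xi, x, model["g"])
               for a, yi, xi in zip(model["alpha"], model["y"], model["X"])) + model["rho"]


def classify(model, x):
    """f(x) = 1 means normal, -1 means abnormal (raise the alert).
    A score of exactly 0 is treated as abnormal so the check fails closed."""
    return NORMAL if decision(model, x) > 0 else ABNORMAL


# Constructed, already normalised 7-element vectors in the order
# (send SMS, read SMS, open WiFi, open mobile net, location, call, network).
TRAIN_X = [
    [0.0, 0.0, 0.2, 0.1, 0.3, 0.0, 0.9],
    [0.0, 0.0, 0.1, 0.2, 0.2, 0.0, 1.0],
    [0.0, 0.0, 0.0, 0.1, 0.4, 0.0, 0.8],
    [0.0, 0.0, 0.3, 0.0, 0.1, 0.0, 0.7],
    [0.0, 0.0, 0.1, 0.1, 0.2, 0.0, 0.95],
    [0.0, 0.0, 0.0, 0.0, 0.3, 0.0, 0.85],
    [0.9, 0.8, 0.0, 0.0, 0.7, 0.6, 0.2],
    [1.0, 0.9, 0.1, 0.0, 0.8, 0.5, 0.3],
]
TRAIN_Y = [NORMAL] * 6 + [ABNORMAL] * 2     # 6:2 imbalance, as the text expects


if __name__ == "__main__":
    model = train_fsvm(TRAIN_X, TRAIN_Y)
    for x, yi in zip(TRAIN_X, TRAIN_Y):
        print(yi, classify(model, x), round(decision(model, x), 3))
```

With the inverse-frequency factor the two abnormal samples receive a larger box bound than any of the six normal ones, which is the intended effect of $m^+$ and $m^-$: the minority class is not allowed to be pushed aside by the majority when the separating surface is placed. The kernel parameter and penalty are fixed here; the text tunes them by grid search, which would wrap `train_fsvm` in a loop over candidate `(C, g)` pairs scored on held-out logs.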
The above step S32, identifying the abnormal behaviour of the application from the API-call log, may be executed by a server. When the specific steps of S32 are executed by a server, the sensitive-API call log obtained in step S31 must be uploaded to the server.
Embodiment 4
As shown in Fig. 7, this embodiment provides a device for building an application abnormal-behaviour identification model, comprising:
a log-sample acquisition unit U41 for obtaining, respectively, first API-call log samples of a plurality of normal application samples and second API-call log samples of a plurality of malicious application samples;
a model-building unit U42 for building the abnormal-behaviour identification model from the first API-call log samples and the second API-call log samples.
The model-building device provided by this embodiment pre-establishes the identification model from the call logs of specific API interfaces of sample applications. The identification model built by this device can identify in real time, from the API interface call log collected while the application actually runs on a real device, whether the behaviour of the application is abnormal, so that behaviour during actual use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behavioural data and therefore cannot effectively cover the real-device environment and the many factors that trigger abnormal behaviour when the application is used in practice. Because API interface calls touch on user privacy, the model built by this device is mainly suited to Android mobile applications with a low requirement for protecting user privacy, for example mobile applications for power enterprises.
As a preferred embodiment, the log sample acquisition unit U41 includes:
a conversion subunit, for converting the Java-layer API call function into a native-layer API call function;
an attribute modification subunit, for modifying the attributes of the native-layer API call function so that the call is redirected to the Native_HOOK function;
a log recording subunit, for calling back, from the Native_HOOK function, the log monitoring function injected in the Java layer, so as to record the API calls in real time.
The device provided by this embodiment uses the reflection mechanism to hook the native layer while the application runs. No system root privileges are required, and the sensitive API calls of the application can be intercepted and monitored without affecting the normal operation of the mobile application.
As an optional embodiment, the model establishing unit U42 includes:
a quantization subunit, for quantizing the feature vector elements in the first API call log samples and in the second API call log samples;
a normalization subunit, for linearly transforming each quantized feature vector element so that the value of every feature vector element lies between 0 and 1.
As another optional embodiment, the model establishing unit U42 includes:
a construction subunit, for constructing a membership function;
a parameter setting subunit, for setting the weight parameter of the support vector machine (SVM) training function to the membership function, obtaining a fuzzy support vector machine (FSVM);
a training subunit, for training the fuzzy support vector machine (FSVM) with the first API call log samples and the second API call log samples to obtain the optimal classifier.
In the device provided by this embodiment, because abnormal behaviour samples are difficult to obtain for some applications and are imbalanced relative to the normal behaviour samples, the imbalanced classification algorithm FSVM is introduced to establish an identification model that performs intelligent detection of abnormal behaviour.
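The following is an added example, not code from the patent, that walks the two optional forms of U42 end to end: API call logs are quantized into count vectors, linearly normalized into [0, 1], given class-balanced membership degrees, and used to train a linear FSVM whose hinge penalty is weighted per sample by its membership. The log format, the list of sensitive APIs, the log samples, and the membership function (minority class 1, majority class n_minority / n_class) are all constructed here; the page names none of them. The FSVM is trained by batch subgradient descent rather than a QP solver so that the block runs without third-party libraries.

```python
"""Quantization, 0-1 normalization and a fuzzy SVM over API call log samples
(added example; the sensitive API list, logs and membership function are
constructed assumptions, not taken from the patent)."""
from collections import Counter

# Sensitive APIs that make up the feature vector (constructed list).
SENSITIVE_APIS = ["getDeviceId", "getLastKnownLocation", "sendTextMessage",
                  "queryContacts", "openConnection"]


def _log(*apis):
    """Constructed log lines of the form '<seq> <api>', one API call per line."""
    return ["%03d %s" % (i, api) for i, api in enumerate(apis)]


# Constructed first (normal) and second (malicious) API call log samples;
# 6 normal vs 2 malicious reproduces the sample imbalance the page describes.
NORMAL_LOGS = [
    _log("getLastKnownLocation", *["openConnection"] * 5),
    _log(*["openConnection"] * 8),
    _log("getDeviceId", "getLastKnownLocation", *["openConnection"] * 4),
    _log(*["openConnection"] * 3),
    _log("getLastKnownLocation", *["openConnection"] * 6),
    _log("getDeviceId", *["openConnection"] * 7),
]
MALICIOUS_LOGS = [
    _log("getDeviceId", "getLastKnownLocation", *["sendTextMessage"] * 6,
         *["queryContacts"] * 3, *["openConnection"] * 9),
    _log("getDeviceId", *["sendTextMessage"] * 4, *["queryContacts"] * 5,
         *["openConnection"] * 2),
]


def quantize(log_lines):
    """Quantization: count how often each sensitive API appears in one log."""
    counts = Counter(line.split()[1] for line in log_lines)
    return [float(counts.get(api, 0)) for api in SENSITIVE_APIS]


def fit_minmax(vectors):
    """Per-feature minimum and maximum over the training samples."""
    return [min(c) for c in zip(*vectors)], [max(c) for c in zip(*vectors)]


def normalize(vec, lo, hi):
    """Linear transform of each element into [0, 1]; a constant feature maps
    to 0 and values outside the training range are clipped."""
    return [0.0 if b == a else min(1.0, max(0.0, (x - a) / (b - a)))
            for x, a, b in zip(vec, lo, hi)]


def membership(labels):
    """Membership function (assumption): minority class gets degree 1, the
    majority class gets n_minority / n_class, so it weighs less in training."""
    n = Counter(labels)
    n_min = min(n.values())
    return [n_min / n[y] for y in labels]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_fsvm(X, y, s, C=10.0, eta=0.01, epochs=2000):
    """Linear FSVM: minimise 0.5*||w||^2 + C*sum_i s_i*max(0, 1 - y_i*(w.x_i + b))
    by batch subgradient descent; s_i is the membership degree of sample i."""
    d = len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = list(w), 0.0                  # gradient of the regulariser
        for xi, yi, si in zip(X, y, s):
            if yi * (dot(w, xi) + b) < 1.0:    # margin violator contributes
                gw = [g - C * si * yi * xj for g, xj in zip(gw, xi)]
                gb -= C * si * yi
        w = [wj - eta * g for wj, g in zip(w, gw)]
        b -= eta * gb
    return w, b


def build_model(normal_logs=NORMAL_LOGS, malicious_logs=MALICIOUS_LOGS):
    """Quantize, fit the 0-1 transform on the training set, train the FSVM."""
    raw = [quantize(log) for log in normal_logs + malicious_logs]
    y = [-1] * len(normal_logs) + [1] * len(malicious_logs)   # +1 = abnormal
    lo, hi = fit_minmax(raw)
    X = [normalize(v, lo, hi) for v in raw]
    w, b = train_fsvm(X, y, membership(y))
    return {"lo": lo, "hi": hi, "w": w, "b": b}


def classify(model, log_lines):
    """Apply the trained model to a new API call log."""
    x = normalize(quantize(log_lines), model["lo"], model["hi"])
    return "abnormal" if dot(model["w"], x) + model["b"] >= 0 else "normal"


def training_accuracy(model):
    hits = sum(classify(model, log) == "normal" for log in NORMAL_LOGS)
    hits += sum(classify(model, log) == "abnormal" for log in MALICIOUS_LOGS)
    return hits / (len(NORMAL_LOGS) + len(MALICIOUS_LOGS))


if __name__ == "__main__":
    m = build_model()
    print(training_accuracy(m))
    print(classify(m, _log(*["sendTextMessage"] * 5, "queryContacts", "queryContacts")))
```

The min/max used for normalization is fitted on the training samples only and reused unchanged at detection time; refitting it on each new device log would shift the decision boundary. Clipping keeps a new log whose counts exceed the training range inside [0, 1], which is the range the classifier was trained on.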
Embodiment 5
As shown in FIG. 8, this embodiment provides an application abnormal behaviour identification device, including:
a log acquisition unit U51, for acquiring the API call log while the application runs;
a classification and identification unit U52, for classifying the API call log with the application abnormal behaviour identification model established by the method of Embodiment 1 or 2, so as to identify abnormal behaviour.
The application abnormal behaviour identification device provided by this embodiment can determine in real time, from the API call log collected while the application actually runs on the physical device, whether the application's behaviour is abnormal, so that behaviour during actual use is detected in real time. This solves the problem of existing application anomaly detection methods, which can only run the application under test on a customized emulator to collect behavioural data and therefore cannot effectively cover the factors that trigger abnormal behaviour in the real device environment and during actual operation of the application. Furthermore, because API calls involve the user's privacy, the model established by this device is mainly suitable for Android-based mobile applications with low requirements for protecting user privacy, for example mobile applications for electric power enterprises.
As an optional embodiment, the log acquisition unit U51 includes:
a permission usage list acquisition subunit, for decompiling the installation package of the application to obtain the application's permission usage list;
a sensitive API acquisition subunit, for obtaining the sensitive APIs of the application from its permission usage list.
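As an added example, not part of the patent, the following shows the two U51 subunits on a decompiled manifest: the permission usage list is read from the `<uses-permission>` entries of an AndroidManifest.xml (the text form a decompiler such as apktool produces), and the permissions are mapped to the sensitive APIs they guard. The manifest and the permission-to-API table are constructed here; the page does not publish its own mapping, and the table below is only a small subset of the Android permissions and methods one would actually cover.

```python
"""Permission usage list -> sensitive API list from a decompiled manifest
(added example; the manifest text and the permission-to-API table are
constructed assumptions, not the patent's own data)."""
import xml.etree.ElementTree as ET

# Android attributes live in this namespace, so android:name is read as
# "{http://schemas.android.com/apk/res/android}name" by ElementTree.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest, as a decompiler would emit it for a sample application.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.powerapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="com.example.powerapp.permission.C2D_MESSAGE"/>
    <application android:label="PowerApp"/>
</manifest>
"""

# Permission -> framework methods guarded by it (constructed subset).
PERMISSION_TO_APIS = {
    "android.permission.READ_PHONE_STATE": [
        "android.telephony.TelephonyManager.getDeviceId",
        "android.telephony.TelephonyManager.getSubscriberId"],
    "android.permission.SEND_SMS": [
        "android.telephony.SmsManager.sendTextMessage",
        "android.telephony.SmsManager.sendMultipartTextMessage"],
    "android.permission.ACCESS_FINE_LOCATION": [
        "android.location.LocationManager.getLastKnownLocation",
        "android.location.LocationManager.requestLocationUpdates"],
    "android.permission.READ_CONTACTS": [
        "android.content.ContentResolver.query"],
    "android.permission.INTERNET": [
        "java.net.URL.openConnection"],
}


def permission_list(manifest_xml):
    """Permission usage list: every <uses-permission android:name=...> entry."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))


def sensitive_apis(permissions, table=PERMISSION_TO_APIS):
    """Sensitive API list to hook: the union of the APIs guarded by the declared
    permissions. Permissions absent from the table (for instance app-defined
    ones) are returned separately so they can be reviewed rather than dropped."""
    apis, unknown = set(), []
    for perm in permissions:
        if perm in table:
            apis.update(table[perm])
        else:
            unknown.append(perm)
    return sorted(apis), unknown


if __name__ == "__main__":
    perms = permission_list(MANIFEST_XML)
    hooked, unmapped = sensitive_apis(perms)
    print(perms)
    print(hooked)
    print(unmapped)
```

Only APIs that the application can actually reach through its declared permissions end up on the hook list, which keeps the run-time log, and the privacy exposure the page notes, limited to the calls that matter for this application. The unmapped entries are worth a manual look: a permission the table does not know may still guard a sensitive call.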
Obviously, the above embodiments are merely examples given for clear illustration and do not limit the embodiments. Those of ordinary skill in the art can make various other changes or modifications on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments here. Obvious changes or modifications derived therefrom still fall within the protection scope of the invention.