CN107045607A - Using abnormal behaviour identification model method for building up and device, recognition methods and device - Google Patents


Info

Publication number: CN107045607A
Application number: CN201611147119.7A
Authority: CN (China)
Prior art keywords: daily record (log), sample, api calls, application, api
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李勇, 张涛, 马媛媛, 陈牧, 戴造建, 石聪聪, 邵志鹏, 陈璐, 李尼格, 席泽生
Current assignee: State Grid Corp of China SGCC; Global Energy Interconnection Research Institute; Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; Global Energy Interconnection Research Institute; Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, Global Energy Interconnection Research Institute, Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Priority to CN201611147119.7A
Publication of CN107045607A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

A method and device for building an application abnormal-behaviour recognition model, and a recognition method and device, relating to the field of application security. The method for building the abnormal-behaviour recognition model comprises: obtaining, respectively, first API-call log samples of multiple normal application samples and second API-call log samples of multiple malicious application samples; and building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples. An application abnormal-behaviour recognition model can be built by this method; from the API interface call log collected in real time while the application actually runs on a physical device, the model can recognise whether the application's behaviour is abnormal, so that the application's behaviour in real use is detected in real time. The method is suitable for mobile applications for electric power enterprises.

Description

Method and device for building an application abnormal-behaviour recognition model, and recognition method and device
Technical field
The present invention relates to the field of application security, and in particular to a method and device for building an application abnormal-behaviour recognition model, and to a recognition method and device.
Background technology
In recent years, with the continuing development of the mobile Internet, electric power enterprises have closely followed the business development and new-technology demands of the "Internet+" environment and have proposed making power services, operations and office work mobile. This provides enterprise staff and power customers with more open and intelligent services, strengthens contact between enterprise staff, partners and power customers, and realises real-time flow and sharing of power business information, greatly improving operating efficiency. However, under the information-security protection schemes of the existing conventional Internet, the enterprise mobile applications that support this business on the one hand carry the security vulnerabilities of Android itself, and on the other hand mostly run on personal mobile devices whose run-time environment security is unknown; once a mobile application is attacked, enterprise business data is easily obtained and company secrets leak.
Therefore, it is necessary to build a monitoring scheme for the misoperation behaviour of electric power enterprise mobile applications, so that negligent user actions or malicious usage behaviour that may occur while a mobile application runs are monitored, analysed, judged and filtered, and are prevented before real harm occurs, ensuring the safe operation of the mobile application.
At present, detection techniques at home and abroad for analysing the dynamic behaviour of mobile applications at run time are mostly based on sandbox technology, Hook technology and taint analysis at the mobile application framework layer. They obtain monitoring indicators such as the application's CPU usage, network data traffic, number of processes and API call sequence, and then analyse the program's dynamic behaviour with intelligent algorithms (such as support vector machines, neural networks and Bayesian classification) to decide whether the behaviour or software is malicious. However, most existing mobile application dynamic behaviour detection platforms (such as the open-source MobSF and DroidBox) install the mobile application on an emulator, start the application through the emulator and record its run-time information to analyse malware or abnormal behaviour. Such detection schemes cannot effectively cover the physical-device environment of real use or the various factors that trigger abnormal behaviour when the application runs, and malware can evade the system's detection by emulator-recognition techniques or by delaying the attack. Therefore, it is necessary to study techniques for detecting malicious behaviour while an enterprise application is in normal use.
The content of the invention
Therefore, the technical problem to be solved by the present invention is that the existing method of starting the application through an emulator and recording its run-time information to analyse malware or abnormal behaviour cannot effectively cover the physical-device environment of real use or the various factors that trigger abnormal behaviour when the application runs, so that malware can evade the system's detection by recognising the emulator or delaying the attack.
To this end, the embodiments of the invention provide the following technical scheme:
A method for building an application abnormal-behaviour recognition model, comprising the following steps:
Obtaining, respectively, first API-call log samples of multiple normal application samples and second API-call log samples of multiple malicious application samples;
Building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples.
Optionally, the step of obtaining, respectively, the first API-call log samples of multiple normal application samples and the second API-call log samples of multiple malicious application samples includes:
Converting the Java-layer API interface call function into a native-layer API interface call function;
Modifying the attribute of the native-layer API interface call function so that it instead calls the Native_HOOK function;
Calling back, through the Native_HOOK function, the log-monitoring function injected in the Java layer, to record API interface calls in real time.
Optionally, the step of building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples includes pre-processing the first API-call log samples and the second API-call log samples respectively, which comprises:
Quantizing the feature-vector elements in the first API-call log samples and the second API-call log samples respectively;
Applying a linear transformation to each quantized feature-vector element so that the value of each feature-vector element lies between 0 and 1.
Optionally, the step of building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples includes:
Constructing a membership function;
Setting the weight parameter of the training function of the support vector machine (SVM) to the membership function to obtain a fuzzy support vector machine (FSVM);
Training the fuzzy support vector machine (FSVM) with the first API-call log samples and the second API-call log samples to obtain the abnormal-behaviour recognition model.
Optionally, the membership function is:
where s⁺ᵢ represents the degree of membership of an abnormal-behaviour-class sample and s⁻ᵢ the degree of membership of a normal-behaviour-class sample; m⁺ and m⁻ are the imbalance factors, representing the unified weights obtained for the abnormal-behaviour class and the normal-behaviour class respectively; the remaining symbols denote the abnormal-behaviour-class samples, the normal-behaviour-class samples and the denoising fuzzy factor respectively.
Optionally, the discriminant function of the abnormal-behaviour recognition model is:
where x is the sample to be detected, xᵢ the support vectors, n the number of support vectors, αᵢ the Lagrange multipliers, K(xᵢ, x) the kernel function, ρ the hyperplane intercept and f(x) the classification result.
A method for recognising abnormal behaviour of an application, comprising the following steps:
Obtaining the API-call log while the application runs;
Classifying the API-call log with an application abnormal-behaviour recognition model built by any of the above methods, to recognise abnormal behaviour.
Optionally, the step of obtaining the API-call log while the application runs includes a step of obtaining the API interfaces to be monitored, comprising:
Decompiling the application's installation package file to obtain the application's permission-usage list;
Obtaining the application's sensitive API interfaces from the application's permission-usage list.
A device for building an application abnormal-behaviour recognition model, including:
a log-sample acquisition unit, for obtaining, respectively, first API-call log samples of multiple normal application samples and second API-call log samples of multiple malicious application samples;
a model-building unit, for building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples.
Optionally, the log-sample acquisition unit includes:
a conversion subunit, for converting the Java-layer API interface call function into a native-layer API interface call function;
an attribute-modification subunit, for modifying the attribute of the native-layer API interface call function so that it instead calls the Native_HOOK function;
a log-recording subunit, for calling back, through the Native_HOOK function, the log-monitoring function injected in the Java layer, to record API interface calls in real time.
Optionally, the model-building unit includes:
a quantizing subunit, for quantizing the feature-vector elements in the first API-call log samples and the second API-call log samples respectively;
a normalising subunit, for applying a linear transformation to each quantized feature-vector element so that the value of each feature-vector element lies between 0 and 1.
Optionally, the model-building unit includes:
a construction subunit, for constructing the membership function;
a parameter-setting subunit, for setting the weight parameter of the training function of the support vector machine (SVM) to the membership function to obtain a fuzzy support vector machine (FSVM);
a training subunit, for training the fuzzy support vector machine (FSVM) with the first API-call log samples and the second API-call log samples to obtain the abnormal-behaviour recognition model.
A device for recognising abnormal behaviour of an application, including:
a log acquisition unit, for obtaining the API-call log while the application runs;
a classification and recognition unit, for classifying the API-call log with an application abnormal-behaviour recognition model built by any of the above methods, to recognise abnormal behaviour.
The technical scheme of the present invention has the following advantages:
1. The method and device for building an application abnormal-behaviour recognition model and the recognition method and device provided by the embodiments of the invention can recognise in real time, from the API interface call log collected while the application actually runs on a physical device, whether the application's behaviour is abnormal, so that the application's behaviour in real use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behaviour data and cannot effectively cover the physical-device environment of real use or the various factors that trigger abnormal behaviour when the application runs. In addition, since API interface calls involve user privacy, the model built by this method is mainly suited to Android-based mobile applications with a low requirement for protecting user privacy, for example mobile applications for electric power enterprises.
2. The method and device for building an application abnormal-behaviour recognition model and the recognition method and device provided by the embodiments of the invention hook the native layer at run time through the reflection mechanism, so that interception and monitoring of the application's sensitive API calls are realised without obtaining system root privileges and without affecting the normal operation of the mobile application.
Brief description of the drawings
In order to explain the specific embodiments of the invention or the technical schemes of the prior art more clearly, the drawings required in describing the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of a method for building an application abnormal-behaviour recognition model in Embodiment 1 of the invention;
Fig. 2 is a flow chart of a method for injecting the API-call log-monitoring function call in Embodiment 1 of the invention;
Fig. 3 is a schematic diagram of the API-call log-monitoring function call injection process in Embodiment 1 of the invention;
Fig. 4 is a flow chart of a method for obtaining an application abnormal-behaviour recognition classifier in Embodiment 1 of the invention;
Fig. 5 is a flow chart of a method for recognising abnormal behaviour of an application in Embodiment 3 of the invention;
Fig. 6 is an overall flow diagram of building an application abnormal-behaviour recognition classifier and recognising abnormal behaviour in Embodiment 3 of the invention;
Fig. 7 is a schematic block diagram of a device for building an application abnormal-behaviour recognition model in Embodiment 4 of the invention;
Fig. 8 is a schematic block diagram of a device for recognising abnormal behaviour of an application in Embodiment 5 of the invention.
Embodiment
The technical scheme of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative work fall within the scope of protection of the invention.
In addition, the technical features involved in the different embodiments described below can be combined with each other as long as they do not conflict.
Embodiment 1
As shown in Fig. 1, this embodiment provides a method for building an application abnormal-behaviour recognition model, comprising the following steps:
S11: Obtaining, respectively, first API (Application Programming Interface) call log samples of multiple normal application samples and second API-call log samples of multiple malicious application samples. The normal application samples and malicious application samples may be applications other than the application to be detected. The API interfaces corresponding to the first and second API-call log samples are consistent with the API interfaces corresponding to the API-call log used in actual detection.
S12: Building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples.
The method for building an application abnormal-behaviour recognition model provided by this embodiment pre-builds the recognition model from the call logs of specific API interfaces of sample applications. The model built by this method can recognise in real time, from the API interface call log collected while the application actually runs on a physical device, whether the application's behaviour is abnormal, so that the application's behaviour in real use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behaviour data and cannot effectively cover the physical-device environment of real use or the various factors that trigger abnormal behaviour when the application runs. In addition, since API interface calls involve user privacy, the model built by this method is mainly suited to Android-based mobile applications with a low requirement for protecting user privacy, for example mobile applications for electric power enterprises.
As an optional embodiment, as shown in Figs. 2 and 3, step S11, i.e. obtaining, respectively, the first API-call log samples of multiple normal application samples and the second API-call log samples of multiple malicious application samples, includes:
S111: Converting the Java-layer API interface call function into a native-layer API interface call function (Native_API); specifically, the function is set to native by the SET_METHOD_FLAG method.
S112: Modifying the attribute of the native-layer API interface call function so that it instead calls the Native_HOOK function. Because the data structure of a native function body contains a nativeFunc attribute that points to the entry of the native function, modifying the nativeFunc attribute controls the function's flow. Therefore, by changing the nativeFunc attribute of the native-layer API interface call function to point to the self-implemented native function Native_Hook(), calls to the original Java function are redirected to calls of the native function Native_Hook().
S113: Calling back, through the Native_HOOK function, the log-monitoring function injected in the Java layer, to record API interface calls in real time. Recording the API interface calls of the normal application samples gives the first API-call log samples, and recording the API interface calls of the malicious application samples gives the second API-call log samples.
The method for building an application abnormal-behaviour recognition model provided by this embodiment hooks the native layer at run time through the reflection mechanism, so that interception and monitoring of the application's sensitive API calls are realised without obtaining system root privileges and without affecting the normal operation of the mobile application.
In this embodiment, step S11, i.e. obtaining, respectively, the first API-call log samples of multiple normal application samples and the second API-call log samples of multiple malicious application samples, further includes:
After injecting the log-monitoring function into the normal application samples and the malicious application samples respectively by hooking, running them in batch on an Android emulator and collecting the API function call logs of the normal application samples and the malicious application samples at run time. The Android emulator may be created on a PC.
In this embodiment, because the original first API-call log samples and original second API-call log samples record character strings of the various API function calls, they cannot be used directly as input data for SVM (support vector machine) training and recognition and must be pre-processed. Step S12 therefore also includes pre-processing the first API-call log samples and the second API-call log samples respectively, specifically:
First, the feature-vector elements in the first API-call log samples and the second API-call log samples are quantized respectively. The API function call strings recorded in the original first and second API-call log samples form a 7-dimensional feature vector whose elements are fixed; each element of the feature vector is mapped one-to-one to a numerical value, giving the quantized feature vector X = {x₁, x₂, ···, xᵢ}, i ∈ [1, 7], i ∈ Z, where xᵢ is the quantized feature-vector element.
Then, a linear transformation is applied to each quantized feature-vector element so that the value of each feature-vector element lies between 0 and 1. Mapping the feature-vector elements to the interval [0, 1] reduces the influence of dimension. The transfer function is:
where x_max is the maximum of the training sample data and x_min the minimum of the training sample data.
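The two pre-processing steps above, quantizing and then scaling to [0, 1], as an added example that is not the patent's code: the hook log format (`Native_Hook: <api>`), the seven-entry API vocabulary, the rule that each feature element is the number of calls to one API, and the min-max form of the transfer function are all assumptions made here. The bounds x_min and x_max are fitted once on the training samples and reused at detection time, and a constant dimension (x_max equal to x_min) is mapped to 0 rather than dividing by zero.

```python
"""Quantize API-call log strings into a fixed 7-dimensional feature vector and
min-max normalise it to [0, 1] (added example, not the patent's own code)."""

# Constructed vocabulary: seven sensitive API interfaces, one per behaviour named
# in the patent's Table 1.  The order fixes the position of each element x_1..x_7.
API_VOCAB = [
    "android.telephony.SmsManager.sendTextMessage",          # send SMS
    "android.content.ContentResolver.query",                 # read SMS (assumed: SMS provider query)
    "android.net.wifi.WifiManager.setWifiEnabled",           # open WiFi
    "android.net.ConnectivityManager.setMobileDataEnabled",  # open mobile network (assumed)
    "android.location.LocationManager.getLastKnownLocation", # get geographic location
    "android.content.Context.startActivity",                 # make a phone call (assumed: ACTION_CALL intent)
    "java.net.HttpURLConnection.connect",                    # connect to network
]
PREFIX = "Native_Hook: "   # constructed log line format written by the hook


def quantize(log_lines):
    """Map one hook log to the 7-dim feature vector: element i = number of calls
    to API_VOCAB[i].  Lines for APIs outside the vocabulary and malformed lines
    are ignored rather than raising, so one odd line cannot break detection."""
    index = {api: i for i, api in enumerate(API_VOCAB)}
    vec = [0] * len(API_VOCAB)
    for line in log_lines:
        if not line.startswith(PREFIX):
            continue
        api = line[len(PREFIX):].strip()
        if api in index:
            vec[index[api]] += 1
    return vec


def fit_min_max(train_vectors):
    """x_min / x_max per dimension from the training samples only."""
    dims = len(train_vectors[0])
    x_min = [min(v[d] for v in train_vectors) for d in range(dims)]
    x_max = [max(v[d] for v in train_vectors) for d in range(dims)]
    return x_min, x_max


def normalize(vec, x_min, x_max):
    """Linear map (x - x_min) / (x_max - x_min) of each element to [0, 1].
    A constant dimension carries no information and maps to 0.0; a value outside
    the training range (possible for a log seen at detection time) is clipped."""
    out = []
    for x, lo, hi in zip(vec, x_min, x_max):
        if hi == lo:
            out.append(0.0)
        else:
            out.append(min(1.0, max(0.0, (x - lo) / (hi - lo))))
    return out


# Constructed hook logs: two normal samples and one malicious sample.
NORMAL_LOG_1 = [
    "Native_Hook: java.net.HttpURLConnection.connect",
    "Native_Hook: java.net.HttpURLConnection.connect",
    "Native_Hook: android.location.LocationManager.getLastKnownLocation",
    "Native_Hook: com.example.app.MainActivity.onCreate",   # not in the vocabulary
]
NORMAL_LOG_2 = [
    "Native_Hook: java.net.HttpURLConnection.connect",
    "Native_Hook: android.location.LocationManager.getLastKnownLocation",
]
MALICIOUS_LOG = [
    "Native_Hook: android.telephony.SmsManager.sendTextMessage",
    "Native_Hook: android.telephony.SmsManager.sendTextMessage",
    "Native_Hook: android.telephony.SmsManager.sendTextMessage",
    "Native_Hook: android.content.ContentResolver.query",
    "Native_Hook: android.content.ContentResolver.query",
    "Native_Hook: java.net.HttpURLConnection.connect",
    "Native_Hook: java.net.HttpURLConnection.connect",
    "Native_Hook: java.net.HttpURLConnection.connect",
    "Native_Hook: java.net.HttpURLConnection.connect",
    "garbage line that the parser must tolerate",
]


def preprocess_training_set():
    """Quantize the three constructed logs, fit the bounds and scale them."""
    train = [quantize(log) for log in (NORMAL_LOG_1, NORMAL_LOG_2, MALICIOUS_LOG)]
    x_min, x_max = fit_min_max(train)
    return [normalize(v, x_min, x_max) for v in train], x_min, x_max


if __name__ == "__main__":
    scaled, lo, hi = preprocess_training_set()
    for row in scaled:
        print(row)
```

At detection time the same `x_min`/`x_max` returned by `preprocess_training_set()` must be passed to `normalize()`; re-fitting on a single live log would collapse every dimension to a constant.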
For some applications, such as electric power enterprise applications, malicious behaviour is difficult to collect: the samples are few and unbalanced relative to the normal-behaviour samples. Therefore the fuzzy support vector machine (FSVM), which is suited to class-imbalanced samples, is chosen as the intelligent detection algorithm. Specifically, as shown in Fig. 4, step S12, i.e. building the abnormal-behaviour recognition model from the first API-call log samples and the second API-call log samples, includes:
S121: Constructing the membership function. The design of the membership function is the key to implementing FSVM training and detection. Suppose there is a training sample set of l samples (xᵢ, yᵢ), xᵢ ∈ Rⁿ, yᵢ ∈ {-1, +1}, i = 1, 2, ..., l; the membership function is:
where s⁺ᵢ represents the degree of membership of an abnormal-behaviour-class (also called positive-class) sample and s⁻ᵢ the degree of membership of a normal-behaviour-class (also called negative-class) sample; m⁺ and m⁻ are the imbalance factors, representing the unified weights obtained for the abnormal-behaviour class and the normal-behaviour class respectively; their values are determined by the sizes and degree of dispersion of the positive and negative classes, reflect the between-class sample imbalance, and serve to reduce the offset that sample imbalance causes in the SVM classification surface. The remaining symbols denote the abnormal-behaviour-class samples, the normal-behaviour-class samples and the denoising fuzzy factor respectively; the denoising fuzzy factor represents the importance of sample xᵢ within its own class and serves to suppress the interference of noise and isolated points on SVM classification. This design of the membership function takes into account both the interference of noise and isolated points and the influence of between-class sample imbalance on the classification surface.
S122: The FSVM training and detection algorithm can be developed with the LIBSVM toolkit; the weight parameter of the support vector machine (SVM) training function is set to the membership function to obtain the fuzzy support vector machine (FSVM). The FSVM kernel function is the radial basis kernel exp(-g·||u - v||²); the kernel parameter g and the FSVM penalty coefficient v are optimised by grid search.
S123: Training the fuzzy support vector machine (FSVM) with the first API-call log samples and the second API-call log samples to obtain the optimal classifier as the application abnormal-behaviour recognition model. Specifically, the collected first and second API-call log samples are used as the FSVM input, the normal-behaviour sample label is set to 1 and the abnormal-behaviour label to -1. The discriminant function of the optimal classifier is:
where x is the sample to be detected, xᵢ the support vectors, n the number of support vectors, αᵢ the Lagrange multipliers, K(xᵢ, x) the kernel function, ρ the hyperplane intercept and f(x) the classification result.
The method for building an application abnormal-behaviour recognition model provided by this embodiment introduces the imbalance classification algorithm FSVM to build a recognition model that realises intelligent detection of abnormal behaviour, for the case where the abnormal-behaviour samples of some applications are difficult to obtain and are unbalanced with the normal-behaviour samples.
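Steps S121 to S123 worked through on constructed data, as an added example that is not the patent's code and does not use LIBSVM. The page gives the membership function and the discriminant only by the meaning of their symbols, so the concrete forms here are assumptions: the imbalance factor m of a class is taken as (largest class size) / (own class size), the denoising fuzzy factor as 1 - dᵢ/(r + δ) with dᵢ the distance of xᵢ to its class centre and r the class radius, their product is sᵢ, and sᵢ enters the SVM as the per-sample upper bound C·sᵢ on αᵢ. The solver is a small dual coordinate descent that fixes the intercept ρ at 0, which LIBSVM does not do; the discriminant f(x) = sign(Σ αᵢ yᵢ K(xᵢ, x) + ρ) with the radial basis kernel of S122 is evaluated exactly as the text defines its symbols. Labels follow S123 (normal = 1, abnormal = -1). The data include one sample labelled normal that sits inside the abnormal cluster; its membership comes out near 0, so the classifier still labels that region abnormal.

```python
"""FSVM membership weights and RBF discriminant on class-imbalanced samples
(added example; the membership form, the solver and the data are assumptions)."""
import math


def rbf_kernel(u, v, g):
    """Radial basis kernel K(u, v) = exp(-g * ||u - v||^2), as named in step S122."""
    return math.exp(-g * sum((a - b) ** 2 for a, b in zip(u, v)))


def membership(samples, labels, delta=0.05):
    """Assumed membership s_i = m_class * (1 - d_i / (r_class + delta)).
    m_class = largest class size / own class size, so the minority (abnormal) class
    is weighted up; d_i is the distance to the class centre and r_class the class
    radius, so an isolated point far from its own class gets s_i close to 0."""
    classes = {}
    for x, y in zip(samples, labels):
        classes.setdefault(y, []).append(x)
    biggest = max(len(pts) for pts in classes.values())
    centre, radius, factor = {}, {}, {}
    for y, pts in classes.items():
        dims = len(pts[0])
        centre[y] = [sum(p[d] for p in pts) / len(pts) for d in range(dims)]
        radius[y] = max(math.dist(p, centre[y]) for p in pts)
        factor[y] = biggest / len(pts)
    return [factor[y] * (1.0 - math.dist(x, centre[y]) / (radius[y] + delta))
            for x, y in zip(samples, labels)]


def train_fsvm(samples, labels, s, C=10.0, g=10.0, passes=500):
    """Dual coordinate descent for a kernel SVM with the intercept rho fixed at 0:
    maximise sum(a_i) - 1/2 sum a_i a_j y_i y_j K_ij  s.t.  0 <= a_i <= C * s_i.
    The per-sample bound C * s_i is where the fuzzy membership enters the FSVM."""
    n = len(samples)
    K = [[rbf_kernel(samples[i], samples[j], g) for j in range(n)] for i in range(n)]
    alpha = [0.0] * n
    for _ in range(passes):
        for i in range(n):
            grad = labels[i] * sum(alpha[j] * labels[j] * K[i][j] for j in range(n)) - 1.0
            alpha[i] = min(max(alpha[i] - grad / K[i][i], 0.0), C * s[i])
    support = [(samples[i], labels[i], alpha[i]) for i in range(n) if alpha[i] > 0.0]
    return {"sv": support, "g": g, "rho": 0.0}


def decision(model, x):
    """f(x) = sign(sum_i alpha_i y_i K(x_i, x) + rho): 1 = normal, -1 = abnormal."""
    total = sum(a * y * rbf_kernel(xi, x, model["g"]) for xi, y, a in model["sv"])
    return 1 if total + model["rho"] >= 0.0 else -1


# Constructed, already normalised 2-dim feature vectors (e.g. scaled call counts of
# two sensitive APIs).  Indices 0-5: normal cluster; 6: a point labelled normal but
# lying in the abnormal region (noise); 7-8: the two abnormal samples.
TRAIN_X = [[0.1, 0.1], [0.2, 0.1], [0.1, 0.2], [0.2, 0.2], [0.15, 0.25], [0.3, 0.2],
           [0.85, 0.85],
           [0.8, 0.9], [0.9, 0.8]]
TRAIN_Y = [1, 1, 1, 1, 1, 1, 1, -1, -1]
OUTLIER = 6


def build_model():
    """Membership weights, then training: the whole of steps S121-S123."""
    s = membership(TRAIN_X, TRAIN_Y)
    return train_fsvm(TRAIN_X, TRAIN_Y, s), s


if __name__ == "__main__":
    model, s = build_model()
    print("memberships:", [round(v, 3) for v in s])
    print("f([0.15, 0.15]) =", decision(model, [0.15, 0.15]))
    print("f([0.85, 0.85]) =", decision(model, [0.85, 0.85]))
```

With the two abnormal samples weighted 3.5 times and the mislabelled point weighted below 0.1, the box constraint lets the abnormal support vectors dominate the region around (0.85, 0.85) even though a sample labelled normal sits exactly there; with plain SVM weights (all sᵢ = 1) the same point would pull the boundary towards itself.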
Embodiment 2
This embodiment provides a method for building an application abnormal-behaviour recognition model, comprising the following steps:
Step 1: Obtaining multiple normal application samples and multiple malicious application samples respectively.
Step 2: Repackaging the normal application samples and malicious application samples respectively to inject the native Hook functions and log-monitoring functions for the sensitive API interfaces.
Step 3: Running the normal application samples and malicious application samples injected with the log-monitoring function in batch on an Android emulator, and collecting, respectively, the first API-call log samples of the normal application samples and the second API-call log samples of the malicious application samples.
Step 4: Constructing the membership function and selecting the kernel function.
Step 5: Using the first API-call log samples of the normal application samples and the second API-call log samples of the malicious application samples as the FSVM input, setting the normal-behaviour sample label to 1 and the abnormal-behaviour sample label to -1, and training to obtain the optimal FSVM classifier as the application abnormal-behaviour recognition model.
Embodiment 3
This embodiment provides a method for recognising abnormal behaviour of an application, as shown in Figs. 5 and 6, which is applicable to electric power enterprise mobile applications and comprises the following steps:
S31: Obtaining the API-call log while the application runs; the API-call log is the sensitive-API call log collected while the application actually runs on a physical device. The application may be an electric power enterprise mobile application.
S32: Classifying the API-call log with the application abnormal-behaviour recognition model built by the method of Embodiment 1 or 2 above, to recognise abnormal behaviour.
The method for recognising abnormal behaviour of an application provided by this embodiment can recognise in real time, from the API interface call log collected while the application actually runs on a physical device, whether the application's behaviour is abnormal, so that the application's behaviour in real use is detected in real time. This solves the problem of existing application abnormal-behaviour detection methods, which can only run the application under test on a customised emulator to collect behaviour data and cannot effectively cover the physical-device environment of real use or the various factors that trigger abnormal behaviour when the application runs. In addition, since API interface calls involve user privacy, the model built by this method is mainly suited to Android-based mobile applications with a low requirement for protecting user privacy, for example mobile applications for electric power enterprises.
In the present embodiment and all api interfaces of application need not be obtained call daily record, it is only necessary to be connect than more sensitive API Mouth calls daily record and whether there is abnormal behaviour to judge to apply.Therefore, above-mentioned steps S31, that is, API when obtaining application operation is adjusted It is the step of with including extracting sensitive API interface the step of daily record, specific as follows:
First, the installation package file of decompiling application obtains the authority applied and uses list, can specifically use apktool Instrument carrys out the AndroidManifest.XML files that the installation package file of decompiling application is applied, by traveling through this document List is used the authority that obtains application;
Then, the sensitive API interface of application is obtained using list according to the authority of application.Increased income work particular by inquiry Have PScout authority-API mapping tables to obtain the sensitive API invocation list of application.Authority-sensitive API interface-sensitive behavior Corresponding relation such as table 1 below.
1 authority of table-sensitive API interface-sensitive behavior
As can be seen from the above table, can be used for judging application behavior whether the abnormal corresponding sensitivity of sensitive API interface Behavior includes sending short message, short message reading, opens WiFi, open mobile network, obtain geographic location information, call and connect Connect network.
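The permission-to-sensitive-API step of S31 described above, as an added example that is not the patent's own code. It parses a manifest as decoded by `apktool d app.apk -o out` (the decoded file is `out/AndroidManifest.xml`) and maps the declared permissions to the APIs that should be hooked. The manifest text and the mapping table are constructed here: the table is a hand-written excerpt in the style of a permission-to-API mapping such as PScout's, not the PScout table itself, and the Java API names and behaviour labels are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative permission -> [(sensitive API, sensitive behaviour)] table.
# Assumption: a real deployment loads the mapping published by PScout instead.
PERMISSION_API_MAP = {
    "android.permission.SEND_SMS": [
        ("android.telephony.SmsManager.sendTextMessage", "send SMS")],
    "android.permission.READ_SMS": [
        ("android.content.ContentResolver.query", "read SMS")],
    "android.permission.CHANGE_WIFI_STATE": [
        ("android.net.wifi.WifiManager.setWifiEnabled", "turn on WiFi")],
    "android.permission.ACCESS_FINE_LOCATION": [
        ("android.location.LocationManager.getLastKnownLocation", "get location"),
        ("android.location.LocationManager.requestLocationUpdates", "get location")],
    "android.permission.CALL_PHONE": [
        ("android.telecom.TelecomManager.placeCall", "make phone call")],
    "android.permission.INTERNET": [
        ("java.net.HttpURLConnection.connect", "connect to network"),
        ("java.net.Socket.connect", "connect to network")],
}

# Constructed AndroidManifest.xml in the form apktool decodes it to.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.powerapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="PowerApp"/>
</manifest>
"""


def permissions_from_manifest(manifest_xml):
    """Traverse the manifest and return the declared permissions in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name")
            for el in root.findall("uses-permission")
            if el.get(ANDROID_NS + "name")]


def sensitive_apis(permissions, mapping=PERMISSION_API_MAP):
    """Map permissions to the APIs to hook.

    Returns (apis, unmapped): apis is {api_name: behaviour}; unmapped lists the
    permissions the table does not cover, so a gap in monitoring is reported
    rather than silently ignored.
    """
    apis, unmapped = {}, []
    for perm in permissions:
        if perm in mapping:
            for api, behaviour in mapping[perm]:
                apis[api] = behaviour
        else:
            unmapped.append(perm)
    return apis, unmapped


if __name__ == "__main__":
    perms = permissions_from_manifest(SAMPLE_MANIFEST)
    apis, unmapped = sensitive_apis(perms)
    for api, behaviour in sorted(apis.items()):
        print(f"hook {api:<60} -> {behaviour}")
    print("permissions not covered by the mapping:", unmapped)
```

The unmapped list matters in practice: a permission the table does not know (here CAMERA) means a class of behaviour the hook set will never see, and the classifier cannot flag what was never logged.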
Specifically, step S32, identifying the abnormal behaviour of the application from the API call log, proceeds as follows:
First, preprocess the obtained sensitive-API call log; this comprises two steps, numericalisation and normalisation, and the specific processing is as described in Embodiment 1.
Then classify the preprocessed sensitive-API call log with the application abnormal-behaviour identification model to judge whether the application's behaviour is abnormal. The application abnormal-behaviour identification model, that is the FSVM classifier, has the following discriminant function:
where x is the sample to be detected, x_i is a support vector, n is the number of support vectors, α_i is a Lagrange multiplier, K(x_i, x) is the kernel function, ρ is the hyperplane intercept, and f(x) is the classification result. According to the labels set in the training stage, f(x) = 1 means the corresponding application behaviour is normal and f(x) = -1 means it is abnormal; that is, whenever f(x) = -1 a real-time alert or prompt is raised.
The step S32 of identifying the abnormal behaviour of the application from the API call log can be executed by a server. When the specific steps of S32 are executed by a server, the sensitive-API call log obtained in step S31 must be uploaded to the server; since that log records privacy-relevant calls, the upload should go over an authenticated, encrypted channel.
Embodiment 4
As shown in Figure 7, this embodiment provides a device for building an application abnormal-behaviour identification model, comprising:
a log sample acquisition unit U41, for respectively obtaining first API call log samples of multiple normal application samples and second API call log samples of multiple malicious application samples;
a model building unit U42, for building the abnormal-behaviour identification model from the first API call log samples and the second API call log samples.
The device of this embodiment builds the identification model in advance from the call logs of specific API interfaces of the sample applications. The model built with this device identifies in real time, from the API call log collected while the application actually runs on a real device, whether the application's behaviour is abnormal, so that the behaviour of the application in actual use is detected as it happens. This addresses the limitation of existing application anomaly detection methods, which can only run the application under test on a customised emulator to collect behavioural data and therefore cannot effectively cover the many factors that trigger abnormal behaviour in the real-device environment and during real-world operation. Further, since API calls touch on user privacy, the model built by this device is mainly suited to Android-based mobile applications with low requirements for protecting user privacy, for example mobile applications for electric-power enterprises.
As a preferred embodiment, the log sample acquisition unit U41 comprises:
a conversion subunit, for converting the Java-layer API call function into a native-layer API call function;
an attribute modification subunit, for modifying the attributes of the native-layer API call function so that it is redirected to call the Native_HOOK function;
a log recording subunit, for calling back, from the Native_HOOK function, the log monitoring function injected in the Java layer, so as to record API calls in real time.
The device of this embodiment hooks the native layer at application run time by means of the reflection mechanism, without requiring system root privileges, and can intercept and monitor the application's sensitive API calls without affecting the normal operation of the mobile application. Note that such an in-process hook runs with the same privileges as the application it monitors, so a malicious application can in principle detect or remove it; the collected log is only as trustworthy as the hooked process.
As an optional embodiment, the model building unit U42 comprises:
a numericalisation subunit, for numericalising the feature-vector elements of the first API call log samples and of the second API call log samples respectively;
a normalisation subunit, for linearly transforming each numericalised feature-vector element so that its value lies between 0 and 1.
As another optional embodiment, the model building unit U42 comprises:
a construction subunit, for constructing the membership function;
a parameter setting subunit, for setting the weight parameter of the support vector machine (SVM) training function to the membership function, giving a fuzzy support vector machine (FSVM);
a training subunit, for training the FSVM with the first API call log samples and the second API call log samples to obtain the optimal classifier.
In the device of this embodiment, because abnormal-behaviour samples of some applications are hard to obtain and are therefore imbalanced relative to normal-behaviour samples, the imbalanced-classification algorithm FSVM is introduced to build an identification model for intelligent detection of abnormal behaviour.
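The S32 pipeline of Embodiment 3 (preprocessing, then the FSVM discriminant function) and the U42 subunits just described (numericalisation, normalisation, membership function, FSVM training) carried through end to end on constructed data, as an added example that is not the patent's own code. Assumptions not stated in the patent: a linear kernel, so the kernel expansion over the support vectors collapses to a weight vector w and f(x) = sign(w·x + b); a batch subgradient solver in place of the dual quadratic programme; the centroid-distance form of the denoising factor; call counts per sensitive API as the feature encoding; and every log line, which is generated here.

```python
import math
import random

# Monitored sensitive APIs; the list order fixes the feature-vector layout.
SENSITIVE_APIS = [
    "android.telephony.SmsManager.sendTextMessage",           # send SMS
    "android.content.ContentResolver.query",                  # read SMS
    "android.net.wifi.WifiManager.setWifiEnabled",            # turn on WiFi
    "android.location.LocationManager.getLastKnownLocation",  # get location
    "java.net.HttpURLConnection.connect",                     # connect to network
]
NORMAL, ABNORMAL = 1, -1  # labels as set in the training stage


def log_to_vector(log_lines):
    """Numericalise one run's log ("<timestamp> <pid> <api>") into per-API call counts."""
    counts = dict.fromkeys(SENSITIVE_APIS, 0)
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2] in counts:
            counts[fields[2]] += 1
    return [float(counts[api]) for api in SENSITIVE_APIS]


def fit_minmax(vectors):
    """Per-feature minimum and maximum, learned on the training samples only."""
    return [min(c) for c in zip(*vectors)], [max(c) for c in zip(*vectors)]


def normalise(vec, lo, hi):
    """Linear transform of each element into [0,1]; values beyond the training range are clipped."""
    return [min(max((v - l) / (h - l), 0.0), 1.0) if h > l else 0.0
            for v, l, h in zip(vec, lo, hi)]


def _dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def memberships(X, y, delta=1e-3):
    """s_i = m_c * (1 - d_i / (r_c + delta))  (assumed form).
    m_c is the imbalance factor: 1 for the minority class, N_min/N_maj for the
    majority class.  The second term is the denoising factor: d_i is the distance
    to the class centroid and r_c the class radius, so outliers get s_i near 0."""
    n = {c: y.count(c) for c in (NORMAL, ABNORMAL)}
    minority = min(n, key=n.get)
    m = {minority: 1.0, -minority: n[minority] / n[-minority]}
    s = [0.0] * len(y)
    for c in (NORMAL, ABNORMAL):
        idx = [i for i, t in enumerate(y) if t == c]
        centre = [sum(X[i][k] for i in idx) / len(idx) for k in range(len(X[0]))]
        radius = max(_dist(X[i], centre) for i in idx)
        for i in idx:
            s[i] = m[c] * (1.0 - _dist(X[i], centre) / (radius + delta))
    return s


def train_fsvm(X, y, s, lam=0.01, lr=0.5, epochs=1500):
    """Batch subgradient descent on lam/2*|w|^2 + (1/n)*sum_i s_i*hinge(y_i*(w.x_i+b)).
    The membership s_i replaces the uniform slack weight C of a plain SVM."""
    dim, n = len(X[0]), len(X)
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wk for wk in w], 0.0
        for xi, yi, si in zip(X, y, s):
            if yi * (sum(wk * xk for wk, xk in zip(w, xi)) + b) < 1.0:  # margin violated
                for k in range(dim):
                    gw[k] -= si * yi * xi[k] / n
                gb -= si * yi / n
        w = [wk - lr * gk for wk, gk in zip(w, gw)]
        b -= lr * gb
    return w, b


def decide(model, log_lines):
    """f(x) = sign(w.x + b): 1 means normal, -1 means abnormal (raise an alert)."""
    x = normalise(log_to_vector(log_lines), model["lo"], model["hi"])
    score = sum(wk * xk for wk, xk in zip(model["w"], x)) + model["b"]
    return NORMAL if score >= 0 else ABNORMAL


def _run_log(rng, ranges):
    """Constructed log of one application run from per-API (min, max) call counts."""
    lines, t = [], 1481616000
    for api, (lo, hi) in zip(SENSITIVE_APIS, ranges):
        for _ in range(rng.randint(lo, hi)):
            t += 1
            lines.append(f"{t} 4242 {api}")
    return lines


def build_model(seed=0):
    """40 normal runs against 8 malicious runs: constructed and deliberately imbalanced."""
    rng = random.Random(seed)
    normal = [_run_log(rng, [(0, 1), (0, 2), (0, 1), (0, 2), (3, 10)]) for _ in range(40)]
    malicious = [_run_log(rng, [(8, 20), (5, 15), (0, 1), (5, 10), (10, 20)]) for _ in range(8)]
    y = [NORMAL] * len(normal) + [ABNORMAL] * len(malicious)
    raw = [log_to_vector(l) for l in normal + malicious]
    lo, hi = fit_minmax(raw)
    X = [normalise(v, lo, hi) for v in raw]
    s = memberships(X, y)
    w, b = train_fsvm(X, y, s)
    model = {"w": w, "b": b, "lo": lo, "hi": hi, "memberships": s, "labels": y}
    model["train_accuracy"] = sum(decide(model, l) == t
                                  for l, t in zip(normal + malicious, y)) / len(y)
    return model
```

Scaling the majority class by N_min/N_maj gives the eight malicious runs the same total weight as the forty normal ones, which is what stops the hyperplane from drifting toward the abundant normal samples; the denoising factor then lets a single mislabelled or odd run move the boundary very little. Min-max bounds must be taken from the training set and reused at detection time, otherwise a run with an unusually high call count would rescale itself into the normal range.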
Embodiment 5
As shown in Figure 8, this embodiment provides a device for identifying abnormal application behaviour, comprising:
a log acquisition unit U51, for obtaining the API call log of the application at run time;
a classification and identification unit U52, for classifying the API call log with the application abnormal-behaviour identification model built by the method of Embodiment 1 or 2, in order to identify abnormal behaviour.
The device of this embodiment identifies in real time, from the API call log collected while the application actually runs on a real device, whether the application's behaviour is abnormal, so that the behaviour of the application in actual use is detected as it happens. This addresses the limitation of existing application anomaly detection methods, which can only run the application under test on a customised emulator to collect behavioural data and therefore cannot effectively cover the many factors that trigger abnormal behaviour in the real-device environment and during real-world operation. Further, since API calls touch on user privacy, the model built by this device is mainly suited to Android-based mobile applications with low requirements for protecting user privacy, for example mobile applications for electric-power enterprises.
As an optional embodiment, the log acquisition unit U51 comprises:
a permission list acquisition subunit, for decompiling the application's installation package to obtain the application's permission list;
a sensitive API interface acquisition subunit, for obtaining the application's sensitive API interfaces from its permission list.
Obviously, the above embodiments are merely examples given for clarity of illustration and do not limit the scope of the embodiments. Those of ordinary skill in the art can make other changes or modifications of various forms on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments here. Obvious changes or modifications derived from the above remain within the scope of protection of the invention.

Claims (13)

1. A method for building an application abnormal-behaviour identification model, characterised by comprising the following steps:
obtaining respectively first API call log samples of multiple normal application samples and second API call log samples of multiple malicious application samples;
building the abnormal-behaviour identification model from the first API call log samples and the second API call log samples.
2. The method according to claim 1, characterised in that the step of obtaining respectively first API call log samples of multiple normal application samples and second API call log samples of multiple malicious application samples comprises:
converting the Java-layer API call function into a native-layer API call function;
modifying the attributes of the native-layer API call function so that it is redirected to call a Native_HOOK function;
calling back, from the Native_HOOK function, the log monitoring function injected in the Java layer, so as to record API calls in real time.
3. The method according to claim 1, characterised in that the step of building the abnormal-behaviour identification model from the first API call log samples and the second API call log samples comprises a step of preprocessing the first API call log samples and the second API call log samples respectively, comprising:
numericalising the feature-vector elements of the first API call log samples and of the second API call log samples respectively;
linearly transforming each numericalised feature-vector element so that its value lies between 0 and 1.
4. The method according to any one of claims 1 to 3, characterised in that the step of building the abnormal-behaviour identification model from the first API call log samples and the second API call log samples comprises:
constructing a membership function;
setting the weight parameter of the support vector machine (SVM) training function to the membership function to obtain a fuzzy support vector machine (FSVM);
training the fuzzy support vector machine (FSVM) with the first API call log samples and the second API call log samples to obtain the abnormal-behaviour identification model.
5. The method according to claim 4, characterised in that the membership function is:
where s_i^+ denotes the membership degree of an abnormal-behaviour-class sample and s_i^- the membership degree of a normal-behaviour-class sample; m^+ and m^- are the imbalance factors, representing the unified weights given respectively to the abnormal-behaviour class and the normal-behaviour class; and the remaining symbols denote respectively an abnormal-behaviour-class sample, a normal-behaviour-class sample, and the denoising fuzzy factor.
6. The method according to claim 4 or 5, characterised in that the discriminant function of the abnormal-behaviour identification model is:
where x is the sample to be detected, x_i is a support vector, n is the number of support vectors, α_i is a Lagrange multiplier, K(x_i, x) is the kernel function, ρ is the hyperplane intercept, and f(x) is the classification result.
7. A method for identifying abnormal application behaviour, characterised by comprising the following steps:
obtaining the API call log of the application at run time;
classifying the API call log with the application abnormal-behaviour identification model built by the method according to any one of claims 1 to 6, in order to identify abnormal behaviour.
8. The method according to claim 7, characterised in that the step of obtaining the API call log of the application at run time comprises a step of obtaining the API interfaces to be monitored, comprising:
decompiling the installation package file of the application to obtain the application's permission list;
obtaining the sensitive API interfaces of the application from the application's permission list.
9. A device for building an application abnormal-behaviour identification model, characterised by comprising:
a log sample acquisition unit, for respectively obtaining first API call log samples of multiple normal application samples and second API call log samples of multiple malicious application samples;
a model building unit, for building the abnormal-behaviour identification model from the first API call log samples and the second API call log samples.
10. The device according to claim 9, characterised in that the log sample acquisition unit comprises:
a conversion subunit, for converting the Java-layer API call function into a native-layer API call function;
an attribute modification subunit, for modifying the attributes of the native-layer API call function so that it is redirected to call a Native_HOOK function;
a log recording subunit, for calling back, from the Native_HOOK function, the log monitoring function injected in the Java layer, so as to record API calls in real time.
11. The device according to claim 10, characterised in that the model building unit comprises:
a numericalisation subunit, for numericalising the feature-vector elements of the first API call log samples and of the second API call log samples respectively;
a normalisation subunit, for linearly transforming each numericalised feature-vector element so that its value lies between 0 and 1.
12. The device according to claim 9 or 11, characterised in that the model building unit comprises:
a construction subunit, for constructing a membership function;
a parameter setting subunit, for setting the weight parameter of the support vector machine (SVM) training function to the membership function to obtain a fuzzy support vector machine (FSVM);
a training subunit, for training the fuzzy support vector machine (FSVM) with the first API call log samples and the second API call log samples to obtain the abnormal-behaviour identification model.
13. A device for identifying abnormal application behaviour, characterised by comprising:
a log acquisition unit, for obtaining the API call log of the application at run time;
a classification and identification unit, for classifying the API call log with the application abnormal-behaviour identification model built by the method according to any one of claims 1 to 6, in order to identify abnormal behaviour.
CN201611147119.7A 2016-12-13 2016-12-13 Method and device for building an application abnormal-behaviour identification model, and method and device for identifying abnormal behaviour Pending CN107045607A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611147119.7A CN107045607A (en) 2016-12-13 2016-12-13 Method and device for building an application abnormal-behaviour identification model, and method and device for identifying abnormal behaviour

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611147119.7A CN107045607A (en) 2016-12-13 2016-12-13 Method and device for building an application abnormal-behaviour identification model, and method and device for identifying abnormal behaviour

Publications (1)

Publication Number Publication Date
CN107045607A true CN107045607A (en) 2017-08-15

Family

ID=59543770

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611147119.7A Pending CN107045607A (en) 2016-12-13 2016-12-13 Method and device for building an application abnormal-behaviour identification model, and method and device for identifying abnormal behaviour

Country Status (1)

Country Link
CN (1) CN107045607A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107491383A (en) * 2017-08-17 2017-12-19 杭州师范大学 Method and device for capturing application crash operation logs, and mobile terminal
CN107742079A (en) * 2017-10-18 2018-02-27 杭州安恒信息技术有限公司 Malicious software identification method and system
CN108183900A (en) * 2017-12-28 2018-06-19 北京奇虎科技有限公司 Method, server, client and system for detecting mining scripts
CN108259478A (en) * 2017-12-29 2018-07-06 中国电力科学研究院有限公司 Safety protection method based on industrial control terminal equipment interface HOOK
CN108363925A (en) * 2018-03-16 2018-08-03 北京奇虎科技有限公司 Method and device for identifying webpage mining scripts
CN108415815A (en) * 2018-01-26 2018-08-17 昆明理工大学 APP software operation data abnormality judgment method
CN108427883A (en) * 2018-03-16 2018-08-21 北京奇虎科技有限公司 Method and device for detecting webpage mining scripts
CN108900496A (en) * 2018-06-22 2018-11-27 杭州安恒信息技术股份有限公司 Detection method and device for quickly detecting a website implanted with a mining trojan
CN110213200A (en) * 2018-02-28 2019-09-06 腾讯科技(深圳)有限公司 Risk behaviour interception method and related equipment
CN110222504A (en) * 2019-05-21 2019-09-10 平安银行股份有限公司 User operation monitoring method, device, terminal equipment and medium
CN110502895A (en) * 2019-08-27 2019-11-26 中国工商银行股份有限公司 Method and device for determining abnormal interface calls
CN110879884A (en) * 2019-11-14 2020-03-13 维沃移动通信有限公司 Information processing method, information processing device, electronic equipment and storage medium
CN112559840A (en) * 2019-09-10 2021-03-26 中国移动通信集团浙江有限公司 Internet surfing behavior identification method and device, computing equipment and computer storage medium
CN114389834A (en) * 2021-11-26 2022-04-22 浪潮通信信息系统有限公司 Method, device, equipment and product for identifying abnormal API gateway calls
CN115426254A (en) * 2022-08-26 2022-12-02 中国银行股份有限公司 Method and device for building a system log anomaly identification network and identifying anomalies with it
CN117272054A (en) * 2023-11-22 2023-12-22 四川边缘算力科技有限公司 Interval delay sample rapid judging method and system integrating edge calculation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104123500A (en) * 2014-07-22 2014-10-29 卢永强 Android platform malicious application detection method and device based on deep learning
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm
CN105468977A (en) * 2015-12-14 2016-04-06 厦门安胜网络科技有限公司 Method and device for Android malicious software classification based on Naive Bayes
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Rukshan Batuwita and Vasile Palade: "FSVM-CIL: Fuzzy Support Vector Machines for Class Imbalance Learning", IEEE Transactions on Fuzzy Systems *
刘井强 et al.: "Research on a root-free active defence method for the Android system" (基于Android系统免Root主防方法的研究), Journal of Cyber Security (网络与信息安全学报) *
秦传东 et al.: "A balanced fuzzy support vector machine for imbalanced data classification" (基于不平衡数据分类的一种平衡模糊支持向量机), Computer Science (计算机科学) *
谢琳: "Research on key techniques of fuzzy support vector machines" (模糊支持向量机关键技术研究), China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库信息科技辑) *


Similar Documents

Publication Publication Date Title
CN107045607A (en) Method and device for building an application abnormal-behaviour identification model, and method and device for identifying abnormal behaviour
EP3471007B1 (en) Methods and apparatus for analyzing sequences of application programming interface traffic to identify potential malicious actions
IL275042A (en) Self-adaptive application programming interface level security monitoring
CN104217164B (en) The detection method and device of intelligent mobile terminal Malware
CN109451182B (en) Detection method and device for fraud telephone
US8775333B1 (en) Systems and methods for generating a threat classifier to determine a malicious process
CN107580699A (en) For the actuating specific to behavior with the method and system of real-time white list
US11593811B2 (en) Fraud detection based on community change analysis using a machine learning model
US11574360B2 (en) Fraud detection based on community change analysis
CN106599688A (en) Application category-based Android malicious software detection method
Verma et al. Email phishing: Text classification using natural language processing
CN111460446A (en) Malicious file detection method and device based on model
CN105072115A (en) Information system invasion detection method based on Docker virtualization
CN105930726B (en) A kind of processing method and user terminal of malicious operation behavior
CN109614795A (en) A kind of Android malware detection method of event perception
CN107895122A (en) A kind of special sensitive information active defense method, apparatus and system
CN107256357A (en) The detection of Android malicious application based on deep learning and analysis method
US20220051127A1 (en) Machine learning based analysis of electronic communications
CN107180190A (en) A kind of Android malware detection method and system based on composite character
Xiao Understanding the asymmetric perceptions of smartphone security from security feature perspective: A comparative study
CN113761531A (en) Malicious software detection system and method based on distributed API (application program interface) feature analysis
WO2021247913A1 (en) Dynamic, runtime application programming interface parameter labeling, flow parameter tracking and security policy enforcement
CN109344614A (en) A kind of Android malicious application online test method
Kandukuru et al. Android malicious application detection using permission vector and network traffic analysis
CN107944873A (en) A kind of method of mobile payment and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 102209 Beijing City, the future of science and Technology City Binhe Road, No. 18, No.

Applicant after: Global energy Internet Institute, Inc.

Applicant after: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID JIANGSU ELECTRIC POWER COMPANY

Applicant after: State Grid Corporation of China

Address before: 102211 Beijing city Changping District Xiaotangshan town big East Village Road No. 270

Applicant before: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE

Applicant before: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID JIANGSU ELECTRIC POWER COMPANY

Applicant before: State Grid Corporation of China

CB02 Change of applicant information

Address after: 102209 18 Riverside Avenue, Changping District science and Technology City, Beijing

Applicant after: Global energy Internet Institute, Inc.

Applicant after: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID JIANGSU ELECTRIC POWER COMPANY

Applicant after: State Grid Corporation of China

Address before: 102209 18 Riverside Avenue, Changping District science and Technology City, Beijing

Applicant before: Global energy Internet Institute, Inc.

Applicant before: ELECTRIC POWER RESEARCH INSTITUTE, STATE GRID JIANGSU ELECTRIC POWER COMPANY

Applicant before: State Grid Corporation of China

RJ01 Rejection of invention patent application after publication

Application publication date: 20170815