CN107092830A - The early warning of IOS Malwares and detecting system and its method based on flow analysis - Google Patents

Info

Publication number: CN107092830A
Authority: CN (China)
Prior art keywords: malware, analysis, module, ios, data
Legal status: Withdrawn
Application number: CN201710432771.1A
Other languages: Chinese (zh)
Inventor: 王骏涛
Current assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Original assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention discloses a system and method for early warning and detection of iOS malware based on traffic analysis, in the field of mobile terminal information security. The system comprises an iOS mobile phone terminal detection unit (10) and a server-side detection unit (20). The iOS mobile phone terminal detection unit (10) and the server-side detection unit (20) interact to implement malware detection and analysis for the iOS system, form an analysis report, and provide early warning to terminals. The method comprises: 1. a pre-judgment method for malware on the iOS mobile phone terminal; 2. a virus analysis method on the server side. The invention has the following advantages and beneficial effects: 1. it is the first to support monitoring of non-jailbroken versions; 2. the detection range is wide, covering both malware and bundled (repackaged) software; 3. the detection scheme is rigorous; 4. the system is highly extensible; 5. infections can be traced to their source.

Description

The early warning of IOS Malwares and detecting system and its method based on flow analysis
Technical field
The present invention relates to the field of information security, and in particular to a system and method for early warning and detection of iOS malware based on traffic analysis.
Background art
According to smartphone sales data recently released by the market research firm Kantar Worldpanel, from December 2016 to February of this year Apple's iOS devices reached a 27.6% share of the Chinese market, an all-time high, accounting for nearly one third of China's smartphone market.
Apple's official iOS App Store has always been known for its strict code review, and this mandatory arrangement has become an important mechanism in the iOS security ecosystem for protecting the privacy and safety of iOS users. In particular, security measures such as a smaller attack surface, a streamlined operating system, privilege separation, code signing, DEP, ASLR and the sandbox mechanism have given iOS a lasting reputation for security.
However, with the frequent upgrades of iOS and the rapid development of vulnerability discovery techniques, information security has become a mainstream social concern. A growing number of attackers bypass Apple's official channels and use vulnerability techniques to distribute malware, or infect well-known apps such as QQ and Didi Kuaidi by code injection. In particular, on 20 September 2015 the iOS platform of Apple Inc. suffered a rare intrusion in which many well-known mobile applications in Apple's China app store were infected with malware, which exposed rare security flaws in the system. According to Palo Alto Networks, headquartered in the United States, over 30 applications were attacked. Researchers stated that the infected applications could raise fake alerts, upload device information, steal the password of the user's iCloud service, and read and record the contents of the user's clipboard.
Malicious incidents triggered by iPhone malware therefore keep emerging, and crimes committed by cybercriminals using malware show a growing trend. Because of the formerly closed nature of iOS, many antivirus products have long given up on detecting the iOS system and are helpless against sudden malware threats. At present, domestic malware detection for the iOS platform is still at an exploratory stage; in particular there is no complete solution for detecting non-jailbroken phones and infected applications, and the assessment of malware suffers from significant lag, high resource consumption and slow response. A malware detection scheme for the iOS system that judges malware features and provides risk early warning is therefore urgently needed.
Summary of the invention
The purpose of the invention is to overcome the shortcomings and defects of the prior art by providing a system and method for early warning and detection of iOS malware based on traffic analysis, which performs traffic behaviour analysis on malware and bundled software, provides an analysis model for assessment, and gives technical support for malware detection on the iOS system.
The technical scheme achieving the purpose of the invention is as follows:
The invention implements malware detection for the iOS system at the mobile phone terminal and the server side through the following five approaches:
1. Malware detection method of the iOS mobile phone terminal detection unit
Malware is judged from features such as frequent interaction while the user's phone screen is locked, periodic requests for fixed data, and uplink traffic exceeding downlink traffic;
2. Detection method of the iOS mobile phone terminal detection unit for software infected with malicious code
The MD5 characteristic value of the target application is compared with that of the original program to monitor whether the application has been tampered with; at the same time, features such as the IP pool of the normal application, frequent interaction while the user's phone screen is locked, periodic requests for fixed data, and uplink traffic exceeding downlink traffic are compared to judge whether malicious code has been injected into normal software;
3. Privacy content detection method of the server-side detection unit
The malware is reverse-analysed at source-code level by decompilation to recover its data encryption and decryption flow and encryption algorithm; the data traffic in the iOS system terminal simulation module is then recovered, its content is parsed and compared with sensitive blocks, and whether it involves sensitive personal information such as the user's contacts, geographic location, text messages, call records, pictures, audio and video is detected, in order to judge whether the sample is malware;
4. Sensitive permission detection method of the server-side detection unit
Dynamic monitoring technology is used to analyse the application behaviour and permissions in the iOS system terminal simulation module; behaviour logs and permission logs are recorded, whether sensitive permission information concerning the user's contacts, geographic location, text messages, call records, pictures, audio and video is involved is detected, and the result is submitted to the virus assessment model for comprehensive analysis;
5. Assessment model detection method of the server side
Private data content and permission analysis are combined and compared with the virus and Trojan feature library to assess a risk value, form a malware analysis report, form an analysis sample, and push it to each terminal to implement early warning;
The invention uses traffic analysis technology to implement a terminal pre-judgment plus back-end comprehensive detection mode: pre-judgment first, then in-depth analysis, combining dynamic and static analysis to perform forensic analysis of the malware, and continuously improving the assessment model with machine learning theory. It solves the problem of malware feature analysis on the iOS system and supports analysis of non-jailbroken systems and of bundled software.
Specifically:
I. System for early warning and detection of iOS malware based on traffic analysis (the system for short)
The system comprises an iOS mobile phone terminal detection unit and a server-side detection unit;
The iOS mobile phone terminal detection unit is a set of functions of a malware pre-judgment system based on user online behaviour analysis combined with application traffic analysis, comprising a data traffic acquisition module, a machine learning module, a traffic behaviour detection module, a malware pre-judgment module and an alarm module; the overall analysis system on the back end builds a malware library and continuously optimises the sample analysis model to improve the accuracy of assessment;
The server-side detection unit is a set of functions that perform in-depth analysis of the traffic content and permission features of malware, comprising an iOS system terminal simulation module, a traffic data recovery module, a malware feature monitoring module, a virus assessment model and a malware analysis report generation module;
Their interactive relationships are:
The iOS mobile phone terminal detection unit interacts with the server-side detection unit to implement malware detection and analysis functions for the iOS system, form an analysis report and provide early warning to terminals;
The data traffic acquisition module in the iOS mobile phone terminal detection unit collects traffic information on the phone and passes it to the machine learning module and the traffic behaviour detection module to implement user behaviour analysis;
The machine learning module and the traffic behaviour detection module each interact with the malware pre-judgment module, providing a comparison of the MD5 value of the source application, a profile of the user's online behaviour and traffic analysis data of the application software for risk analysis, to finally decide whether the pre-judged program is malware or an application bundled with malicious code;
The malware pre-judgment module interacts with the iOS system terminal simulation module, transmitting malware samples to the back-end server, which simulates a virtualised jailbroken terminal environment based on the iOS system on the back end for sample analysis;
The iOS system terminal simulation module interacts with the traffic data recovery module and the malware feature monitoring module respectively; through reverse analysis and dynamic debugging of the sample it recovers the encryption algorithm, restores the data captured in the simulated environment, and monitors whether the application involves sensitive permissions and sensitive data;
The traffic data recovery module and the malware feature monitoring module each send the extracted data to the virus assessment model for comprehensive analysis; the recovered data content and permission features are written to logs, the malware risk value is calculated with reference to the virus library, and a virus judgment is made on the malware;
The virus assessment model interacts with the malware analysis report generation module to generate a virus analysis report, enter the relevant features into the virus library as samples, and submit the result to the terminal alarm module for alerting.
II. Method for early warning and detection of iOS malware based on traffic analysis (the method for short)
The research idea of the method is built on traffic feature analysis: through analysis of the user's online model, application traffic features, traffic content sensitivity monitoring and sensitive permission detection on the iOS system, combined with a dynamic malicious virus and Trojan library, a risk assessment of malware is implemented, an analysis report is formed, and the report is submitted to each terminal for early warning.
1. Pre-judgment method for malware on the iOS mobile phone terminal
Traffic is collected according to the user's online time and location combined with basic application information to form a user online habit model; machine learning forms a user traffic profile, while uplink and downlink traffic data and return IP statistics are counted to form a traffic log. Based on the collected data and the model, the malware pre-judgment module on the one hand discovers tampered and bundled software by comparing the characteristic MD5 values of the malware and the source installation package, and on the other hand combines the user's online habits with application traffic monitoring to give early warning of abnormal traffic; assessment against the virus and Trojan library implements high-risk early warning, and the malware is returned to the back-end system for in-depth assessment;
2. Virus analysis method of the server-side detection unit
For the malware samples returned by the terminal monitoring program of the iOS system, a jailbroken iOS environment of the user's phone is simulated and the malware is run dynamically in the virtual environment to implement comprehensive behaviour and traffic detection; with decompilation, the malware's encryption and decryption flow is recovered, implementing recovery of data content and monitoring of permission features. The malware feature monitoring module analyses the recovered content and permission features and detects whether sensitive personal information such as the user's contacts, geographic location, text messages, call records, pictures, audio and video is involved; combined with the virus and Trojan feature library, a risk assessment of the malware is performed and a malware analysis report is formed.
The invention has the following advantages and beneficial effects:
1. Novel support for detection on non-jailbroken versions: the traffic-based malware detection method used by the invention effectively solves the problem of the iOS system not being jailbroken, making detection possible on non-jailbroken versions;
2. Wide detection range: detection of both disguised software with injected malicious code and ordinary malware is supported, extending the scope of use of the system;
3. Rigorous detection scheme: the traffic-based malware detection method used by the invention works in two stages, pre-judgment on the iOS mobile phone terminal and in-depth detection on the server side; the detection scope is narrower than traditional detection and the detection rules are relatively simple, which reduces the consumption of system resources and improves assessment efficiency;
4. Strong system extensibility: without modifying the structure of the system, sample detection features can be adjusted dynamically; the user traffic model is continuously improved by machine learning and the virus and Trojan feature library is continuously enriched, so that new threats can be detected;
5. Traceability: by analysing logs, the invention can record the malware infection type, infection time and infection scope, as well as the private data and permissions involved, forming a complete log record that is convenient for review and statistical analysis.
Brief description of the drawings
Fig. 1 is the block diagram of the system.
In which:
10 - iOS mobile phone terminal detection unit,
11 - data traffic acquisition module,
12 - machine learning module,
13 - traffic behaviour detection module,
14 - malware pre-judgment module,
15 - alarm module;
20 - server-side detection unit,
21 - iOS system terminal simulation module,
22 - traffic data recovery module,
23 - malware feature monitoring module,
24 - virus assessment model,
25 - malware analysis report generation module.
Abbreviations
1、IOS: iPhone OS, the iPhone operating system;
2、DEP: Data Execution Prevention;
3、ASLP: Address Space Layout Randomization (commonly abbreviated ASLR);
4、KNN: k-Nearest Neighbor algorithm;
5、RVI: Remote Virtual Interface.
Detailed description of the embodiments
The invention is described in detail below with reference to the drawings and embodiments:
I. System
1. Overall
As shown in Fig. 1, the system comprises an iOS mobile phone terminal detection unit 10 and a server-side detection unit 20;
The iOS mobile phone terminal detection unit 10 is a set of functions of a malware pre-judgment system based on user online behaviour analysis combined with application traffic analysis, comprising a data traffic acquisition module 11, a machine learning module 12, a traffic behaviour detection module 13, a malware pre-judgment module 14 and an alarm module 15; the overall analysis system on the back end builds a malware library and continuously optimises the sample analysis model to improve the accuracy of assessment;
The server-side detection unit 20 is a set of functions that perform in-depth analysis of the traffic content and permission features of malware, comprising an iOS system terminal simulation module 21, a traffic data recovery module 22, a malware feature monitoring module 23, a virus assessment model 24 and a malware analysis report generation module 25;
Their interactive relationships are:
The iOS mobile phone terminal detection unit 10 interacts with the server-side detection unit 20 to implement malware detection and analysis functions for the iOS system, form an analysis report and provide early warning to terminals;
The data traffic acquisition module 11 in the iOS mobile phone terminal detection unit 10 collects traffic information on the phone and passes it to the machine learning module 12 and the traffic behaviour detection module 13 to implement user behaviour analysis;
The machine learning module 12 and the traffic behaviour detection module 13 each interact with the malware pre-judgment module 14, providing a comparison of the MD5 value of the source application, a profile of the user's online behaviour and traffic analysis data of the application software for risk analysis, to finally decide whether the pre-judged program is malware or an application bundled with malicious code;
The malware pre-judgment module 14 interacts with the iOS system terminal simulation module 21, transmitting malware samples to the back-end server, which simulates a virtualised jailbroken terminal environment based on the iOS system on the back end for sample analysis;
The iOS system terminal simulation module 21 interacts with the traffic data recovery module 22 and the malware feature monitoring module 23 respectively; through reverse analysis and dynamic debugging of the sample it recovers the encryption algorithm, restores the data captured in the simulated environment, and monitors whether the application involves sensitive permissions and sensitive data;
The traffic data recovery module 22 and the malware feature monitoring module 23 each send the extracted data to the virus assessment model 24 for comprehensive analysis; the recovered data content and permission features are written to logs, the malware risk value is calculated with reference to the virus library, and a virus judgment is made on the malware;
The virus assessment model 24 interacts with the malware analysis report generation module 25 to generate a virus analysis report, enter the relevant features into the virus library as samples, and submit the result to the terminal alarm module 15 for alerting.
2. Functional modules
1) iOS mobile phone terminal detection unit 10
The iOS mobile phone terminal detection unit 10 is a set of functions of a malware pre-judgment system based on user online behaviour analysis combined with application traffic analysis; it builds a user online model and combines it with application traffic features to implement risk assessment.
(1) Data traffic acquisition module 11
The data traffic acquisition module 11 collects traffic information on the user's phone and provides it to the machine learning module 12 for building the user model and to the traffic behaviour detection module 13 for traffic analysis;
The data traffic acquisition module can use RVI to create a virtual network interface for packet capture. With RVI, network packets can be captured whether the phone is on cellular data or Wi-Fi; previously, traffic had to be routed through a computer over Wi-Fi to be captured, and packets sent over cellular data could not be captured.
(2) Machine learning module 12
The machine learning module 12 forms a user online habit model from the user's online time and location combined with basic application information; it performs sample analysis on daily data and continuously refines the model by machine learning to form a user traffic profile;
The machine learning module 12 is based on outlier detection: when malware exchanges data at times when the user is not active, the system judges in real time whether these operations belong to malware behaviour. It finds outliers in the user's online traffic by judging online patterns, uplink and downlink traffic, interaction period and frequency, comparing interaction IP pools, comparing MD5 values, and judging factors such as the size of the packets exchanged.
(3) Traffic behaviour detection module 13
The traffic behaviour detection module 13 monitors application traffic, counts uplink and downlink traffic data and return IP statistics, and forms a traffic log.
(4) Malware pre-judgment module 14
The malware pre-judgment module 14 on the one hand discovers tampered and bundled software by comparing the characteristic MD5 values of the malware and the source installation package, and on the other hand combines the user's online habits with application traffic monitoring to give early warning of abnormal traffic; it assesses against the Trojan library and implements high-risk early warning with the KNN nearest-neighbour algorithm.
(5) Alarm module 15
The alarm module 15 uses the analysis report of the server-side detection unit 20 to raise a malware alarm on the current terminal and to provide early warning to other terminals.
The workflow of the iOS mobile phone terminal detection unit 10 is:
① The data traffic acquisition module 11 collects the online traffic information of the user's phone and provides it to the machine learning module 12 and the traffic behaviour detection module 13 for further analysis;
② The machine learning module 12 forms a user online habit model from the user's online time and location combined with basic application information, performs sample analysis on daily data, forms a user traffic profile combining time, space and location, and continuously improves the machine learning model;
③ The traffic behaviour detection module 13 monitors application traffic, counts uplink and downlink traffic data and return IP statistics, and forms a traffic log for the specific application;
④ The malware pre-judgment module 14 on the one hand discovers tampered and bundled software by comparing the characteristic MD5 values of the malware and the source installation package, and on the other hand combines the user's online habits with application traffic monitoring to give early warning of abnormal traffic; it assesses against the Trojan library and implements high-risk early warning;
⑤ The alarm module 15 uses the virus assessment result fed back by the server-side detection unit 20 to raise a malware alarm on the current terminal and to provide early warning to other terminals.
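As an added example (not the patent's own code), the following Python sketch implements the terminal-side pre-judgment workflow described above and in the method section: a user habit model learned from historical active hours, per-application traffic features (interaction while the screen is locked, periodic fixed-size requests, uplink exceeding downlink, activity outside the user's usual hours), an MD5 comparison with the source package, and a combined verdict. The flow records, historical hours, package bytes, thresholds and indicator weights are constructed assumptions; the patent names the features but gives no concrete values.

```python
"""Terminal-side malware pre-judgment from traffic features (added example, not
the patent's own code). Records, hashes, thresholds and weights are constructed."""
import hashlib
from collections import Counter, defaultdict
from statistics import pstdev

# Constructed flow records: (hour_of_day, app, bytes_up, bytes_down, screen_locked)
FLOW_LOG = [
    (9, "chat", 300, 12000, False), (10, "chat", 500, 30000, False),
    (13, "chat", 200, 8000, False), (20, "chat", 400, 15000, False),
    # constructed suspect: hourly 512-byte uploads at night while the screen is locked
    (1, "suspect", 512, 64, True), (2, "suspect", 512, 64, True),
    (3, "suspect", 512, 64, True), (4, "suspect", 512, 64, True),
    (5, "suspect", 512, 64, True),
]
# Constructed hours of the user's own traffic on earlier days (habit model input).
HISTORY_HOURS = [8, 9, 9, 10, 12, 13, 13, 18, 19, 20, 20, 21]


def build_habit_model(hours, min_share=0.05):
    """Return the set of hours carrying at least min_share of historic traffic."""
    counts = Counter(hours)
    total = sum(counts.values())
    return {h for h, c in counts.items() if c / total >= min_share}


def is_periodic(hours, tolerance=0.25):
    """True when successive events are evenly spaced (gap spread within tolerance)."""
    if len(hours) < 3:
        return False
    gaps = [b - a for a, b in zip(hours, hours[1:])]
    return pstdev(gaps) <= tolerance


def app_features(log, active_hours):
    """Compute the per-application traffic features used for pre-judgment."""
    per_app = defaultdict(list)
    for rec in log:
        per_app[rec[1]].append(rec)
    feats = {}
    for app, recs in per_app.items():
        n = len(recs)
        up = sum(r[2] for r in recs)
        down = sum(r[3] for r in recs)
        feats[app] = {
            "locked_share": sum(r[4] for r in recs) / n,
            "off_hours_share": sum(r[0] not in active_hours for r in recs) / n,
            "uplink_dominant": up > down,
            # one request size plus even spacing = "periodic request of fixed data"
            "fixed_size_periodic": len({r[2] for r in recs}) == 1
            and is_periodic(sorted(r[0] for r in recs)),
        }
    return feats


def md5_hex(data):
    """MD5 of a package image; the patent compares it with the source package value."""
    return hashlib.md5(data).hexdigest()


def is_tampered(installed_bytes, source_md5):
    """A mismatch with the source-package MD5 marks a modified or bundled package."""
    return md5_hex(installed_bytes) != source_md5


def prejudge(feats, tampered, threshold=2):
    """Combine indicators into a verdict; a tampered package counts double (assumed weight)."""
    indicators = []
    if feats["locked_share"] > 0.5:
        indicators.append("interaction while screen locked")
    if feats["off_hours_share"] > 0.5:
        indicators.append("activity outside user's habit hours")
    if feats["uplink_dominant"]:
        indicators.append("uplink exceeds downlink")
    if feats["fixed_size_periodic"]:
        indicators.append("periodic fixed-size requests")
    score = len(indicators) + (2 if tampered else 0)
    if tampered:
        indicators.append("package MD5 differs from source")
    verdict = "suspicious" if score >= threshold else "normal"
    return verdict, score, indicators


if __name__ == "__main__":
    active = build_habit_model(HISTORY_HOURS)
    for app, f in app_features(FLOW_LOG, active).items():
        print(app, prejudge(f, tampered=False))
```

A suspicious verdict here only marks the sample for return to the server side; the patent's high-risk warning additionally depends on the Trojan library comparison performed there.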
2) Server-side detection unit 20
The server-side detection unit 20 is a set of functions for in-depth analysis of the traffic content and permission features of malware; through content sensitivity analysis and permission features, combined with the virus and Trojan feature library, it performs risk analysis.
(1) iOS system terminal simulation module 21
The iOS system terminal simulation module 21 simulates an environment for the malicious program pre-judged by the iOS mobile phone terminal detection unit 10: it simulates a jailbroken iOS environment of the user's phone, installs and runs the malware, and implements comprehensive behaviour and traffic detection.
(2) Traffic data recovery module 22
The traffic data recovery module 22 performs reverse source-code analysis of the malware by decompilation, recovers its data encryption and decryption flow and encryption algorithm, restores the content of the data traffic in the iOS system terminal simulation module 21, parses the content and compares it with sensitive blocks, and detects whether sensitive personal information such as the user's contacts, geographic location, text messages, call records, pictures, audio and video is involved;
(3) Malware feature monitoring module 23
The malware feature monitoring module 23 uses dynamic monitoring technology to analyse the application behaviour and permissions in the iOS system terminal simulation module 21, records behaviour logs and permission logs, detects whether sensitive permissions concerning the user's contacts, geographic location, text messages, call records, pictures, audio and video are involved, and submits the result to the virus assessment model 24 for comprehensive analysis;
(4) Virus assessment model 24
The virus assessment model 24 parses the content of the data uploaded by the application and analyses the malware's behavioural features, detects whether sensitive permissions concerning the user's contacts, geographic location, text messages, call records, pictures, audio and video are involved, performs KNN analysis of the malware against the virus and Trojan feature library, calculates a risk value and performs the risk assessment.
(5) Malware analysis report generation module 25
The malware analysis report generation module 25 stores the analysis result, records it in the virus and Trojan feature library, pushes it to terminals based on the iOS system, and issues malware early-warning notifications to the current terminal and newly installed terminals to avoid further spread of the malware.
The workflow of the server-side detection unit 20 is:
① The iOS system terminal simulation module 21 simulates a running environment for the malicious program pre-judged by the iOS mobile phone terminal detection unit 10: it simulates a jailbroken iOS environment of the user's phone, installs and runs the malware, and implements comprehensive behaviour and traffic detection;
② The traffic data recovery module 22 performs reverse source-code analysis of the malware by decompilation, recovers its data encryption and decryption flow and encryption algorithm, restores the data traffic in the iOS system terminal simulation module 21, parses the content and compares it with sensitive blocks, and detects whether sensitive personal information such as the user's contacts, geographic location, text messages, call records, pictures, audio and video is involved;
③ The malware feature monitoring module 23 uses dynamic monitoring technology to analyse the application behaviour and permissions in the iOS system terminal simulation module 21, records behaviour logs and permission logs, detects whether sensitive permissions concerning the user's contacts, geographic location, text messages, call records, pictures, audio and video are involved, and submits the result to the virus assessment model 24 for comprehensive analysis;
④ The virus assessment model 24 parses the uploaded data content and analyses the malware's behavioural features, and performs a risk assessment of the malware with reference to the virus and Trojan feature library;
⑤ The malware analysis report generation module 25 stores the analysis result, records it in the virus and Trojan feature library, pushes it to terminals based on the iOS system, and issues malware early-warning notifications to the current terminal and newly installed terminals to avoid further spread of the malware.
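As an added example (not the patent's own code), the following Python sketch covers the server-side workflow above and the server-side virus analysis method in the summary: scanning recovered (decrypted) traffic content for sensitive personal data, combining the result with the permission log into a feature vector, comparing that vector with a labelled Trojan feature library by k-nearest neighbours to obtain a risk value, and producing an analysis report that is recorded back into the library. The payloads, content patterns, library entries, the value of k and the risk thresholds are constructed assumptions; the patent names only the sensitive-information categories and KNN.

```python
"""Server-side risk assessment against a Trojan feature library (added example,
not the patent's own code). Payloads, patterns, library and thresholds are constructed."""
import re
from datetime import datetime, timezone

CATEGORIES = ["contacts", "location", "sms", "call_log", "pictures", "audio_video"]

# Constructed patterns standing in for the patent's "sensitive blocks"; a real
# deployment would key them to the protocol recovered from the sample.
CONTENT_PATTERNS = {
    "contacts": re.compile(r'"phone"\s*:\s*"\+?\d{7,}"'),
    "location": re.compile(r'"lat"\s*:\s*-?\d+\.\d+\s*,\s*"lon"\s*:\s*-?\d+\.\d+'),
    "sms": re.compile(r'"sms_body"'),
    "call_log": re.compile(r'"call_duration"'),
    "pictures": re.compile(r'"image_b64"'),
    "audio_video": re.compile(r'"media_b64"'),
}

# Constructed recovered payloads (what the traffic data recovery module hands over).
PAYLOAD_EXFIL = '{"phone": "+8613800000000", "lat": 30.5, "lon": 114.3}'
PAYLOAD_PHOTO = '{"image_b64": "iVBORw0KGgo="}'


def sensitive_content(plaintext):
    """Categories of sensitive personal data found in recovered content."""
    return {cat for cat, pat in CONTENT_PATTERNS.items() if pat.search(plaintext)}


def feature_vector(content_hits, permission_hits):
    """12 binary features: content categories seen, then permissions used."""
    return ([int(c in content_hits) for c in CATEGORIES]
            + [int(c in permission_hits) for c in CATEGORIES])


def _entry(content, perms, label):
    return feature_vector(set(content), set(perms)), label


# Constructed Trojan feature library: label 1 = malicious, 0 = benign.
FEATURE_LIBRARY = [
    _entry(["contacts", "location"], ["contacts", "location"], 1),
    _entry(["contacts", "sms"], ["contacts", "sms"], 1),
    _entry(["location", "call_log"], ["location", "call_log", "contacts"], 1),
    _entry(["contacts", "location", "sms"], ["contacts", "location", "sms", "pictures"], 1),
    _entry([], ["location"], 0),             # map app: uses location, exfiltrates nothing
    _entry([], ["pictures", "contacts"], 0),
    _entry([], [], 0),
    _entry(["pictures"], ["pictures"], 0),   # photo app uploading the user's own picture
]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def knn_risk(vec, library, k=3):
    """Risk value = share of the k nearest library samples that are malicious."""
    nearest = sorted(library, key=lambda e: hamming(vec, e[0]))[:k]
    return sum(label for _, label in nearest) / k


def risk_level(value):
    """Assumed thresholds for the report's risk grade."""
    return "high" if value >= 0.67 else "medium" if value >= 0.34 else "low"


def assess(sample_id, plaintext, permissions, library=FEATURE_LIBRARY):
    """Build the malware analysis report for one sample."""
    content = sensitive_content(plaintext)
    vec = feature_vector(content, set(permissions))
    value = knn_risk(vec, library)
    return {
        "sample": sample_id,
        "content": sorted(content),
        "permissions": sorted(permissions),
        "features": vec,
        "risk_value": value,
        "level": risk_level(value),
        "analyzed_at": datetime.now(timezone.utc).isoformat(),
    }


def record(report, library=FEATURE_LIBRARY):
    """Enter the assessed sample into the feature library; returns the new library size."""
    library.append((report["features"], 1 if report["level"] == "high" else 0))
    return len(library)


if __name__ == "__main__":
    print(assess("sample-A", PAYLOAD_EXFIL, ["contacts", "location", "sms"]))
    print(assess("sample-B", PAYLOAD_PHOTO, ["pictures"]))
```

The photo-sharing entry in the library is what keeps a benign app that legitimately uploads the user's own picture from scoring as high risk; the risk value depends on which labelled samples are nearest, so the quality of the library, which the patent keeps updating from confirmed reports, matters more than the distance metric.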
Third, the working mechanism of the system:
The system is an iOS malware early-warning and detection system based on traffic analysis. Using traffic-analysis techniques it realises a mode of terminal-side pre-judgement combined with back-end comprehensive detection: pre-judgement first, then in-depth analysis, combining dynamic and static methods for forensic analysis of the malware. Machine learning theory is used to continually refine the assessment model, which solves the problem of malware feature analysis on iOS, and analysis of non-jailbroken systems and of bundled software is supported. The detection principle is based on traffic feature analysis and user profiling, combined with global comparison against the virus/trojan feature database, ultimately generating an analysis report and providing an early-warning function.
1. Pre-judgement detection by the iOS-side handset detection unit
Traffic collection, together with the user's online times and locations and the basic information of the applications concerned, forms a model of the user's online habits; machine learning turns this into a user traffic profile, while uplink/downlink traffic data and callback IP statistics are counted to form a traffic log. Based on the collected data and the model, the malware pre-judgement module on the one hand compares the feature MD5 values of the malware and the source installation package to discover tampered and bundled software, and on the other hand combines the user's online habits with application traffic monitoring to raise early warnings on abnormal traffic, assessed against the virus/trojan database, realising high-risk early warning; the malware is then returned to the background system for in-depth assessment;
2. In-depth detection by the server-side detection unit
For the malware sample returned by the iOS terminal monitoring program, a jailbroken iOS environment of the user's handset is simulated and the malware is run dynamically in the virtual environment, realising comprehensive behaviour and traffic detection; using decompilation techniques, the malware's encryption/decryption flow is recovered, realising restoration of the data content and monitoring of permission features. The malware feature monitoring module analyses the restored content and the permission features to detect whether sensitive personal information such as the address book, location, SMS, call records, pictures or audio/video is involved, performs a risk assessment of the malware against the virus/trojan feature database, and forms a malware analysis report;
3. Early-warning module
Through the risk assessment of the malware, timely early warning of the target terminal is realised, and the virus/trojan feature database is updated at the same time.
Second, method
1. Pre-judgement method for malware on the iOS handset
A. Common malware analysis: by profiling the user's online traffic model, detect cases where a particular application frequently sends data back at abnormal times, including frequent interaction while the handset screen is locked, periodic requests for fixed data, and uplink traffic exceeding downlink traffic, and judge whether it is common malware;
B. Analysis of normal software injected with malicious code: some malware is bound to a normal application by injection or bundling. The principle of such software is that code is injected into a common application, which is decompiled and rebuilt into a common application and then runs hidden under the shell of that application. This module compares the MD5 characteristic value of the target application with that of the original program to monitor whether the application has been tampered with; it then compares against the user's online model to detect cases where the application frequently sends data back at abnormal times, mainly including comparison against the IP pool of normal use, frequent interaction while the handset screen is locked, periodic requests for fixed data, and uplink traffic exceeding downlink traffic, and judges whether it is normal software injected with malicious code;
C. Judgement of malware anomaly values, based on the virus/trojan feature database, comprises two classes of rules, namely event-class rules and model-class rules:
First, event-class rules compare the handset's online times, online locations, the uplink/downlink traffic of the main applications used, the interaction period and frequency, and the interaction IP pool, and judge whether there is an anomaly from the MD5 comparison and the size of the interaction packets;
Second, model-class rules judge whether a transaction belongs to malware by means of a machine-learning module algorithm. In general, a model is built from malware sample data, application traffic data and permission data to decide a classification problem. The model's judgement uses the nearest-neighbour (KNN) machine-learning algorithm, in which each sample can be represented by its K closest neighbours. The core idea of KNN is that if the majority of the K most similar samples to a given sample in feature space belong to a certain class, then that sample also belongs to that class and has the characteristics of the samples in that class. In KNN, the distance between objects is calculated as a dissimilarity index between them, avoiding the matching problem between objects; Euclidean distance or Manhattan distance is used for the calculation:
Euclidean distance: Manhattan distance:
In this KNN-based method, the classification decision is determined only by the class of the one or several closest samples, deciding whether the sample to be classified belongs to the malware class;
K is a natural number, with value 2≤M≤100.
Second, the server-side virus analysis method
A. Privacy content monitoring: restore the content of the data traffic in the iOS system terminal simulation module (21), parse the content and compare it against sensitive blocks, and detect whether the user's address book, location, SMS, call records, pictures or audio/video (sensitive personal information) are involved;
B. Sensitive permission monitoring: use dynamic monitoring to analyse the behaviour and permissions of the application in the iOS system terminal simulation module (21), record a behaviour log and a permission log, detect whether sensitive permissions for the address book, location, SMS, call records, pictures or audio/video are involved, and submit to the virus assessment model (24) for comprehensive analysis;
C. Analyse with the nearest-neighbour machine-learning algorithm, combining the privacy content and permission analysis with comparison against the virus/trojan feature database, assess the risk value, and form a malware analysis report;
D. Add the analysis result to the sample analysis database, and push the early-warning information to each iOS terminal to realise early warning.

Claims (5)

1. An iOS malware early-warning and detection system based on traffic analysis, characterised in that:
the system comprises an iOS handset detection unit (10) and a server-side detection unit (20);
the iOS handset detection unit (10) is a set of functions of a malware pre-judgement system based on analysis of the user's online behaviour combined with application traffic analysis, comprising a data traffic acquisition module (11), a machine learning module (12), a traffic behaviour detection module (13), a malware pre-judgement module (14) and an early-warning module (15); together with the back-end overall analysis system it builds the malware database, continually optimises the sample analysis model and raises the precision of assessment;
the server-side detection unit (20) is a set of functions for in-depth analysis of malware traffic content and permission features, comprising an iOS system terminal simulation module (21), a traffic data recovery module (22), a malware feature monitoring module (23), a virus assessment model (24) and a malware analysis report generation module (25);
their interaction is as follows:
the iOS handset detection unit (10) and the server-side detection unit (20) interact to realise malware detection and analysis on iOS, form an analysis report and provide early warning to the terminal;
the data traffic acquisition module (11) in the iOS handset detection unit (10) collects traffic information on the handset and passes it to the machine learning module (12) and the traffic behaviour detection module (13) to realise user behaviour analysis;
the machine learning module (12) and the traffic behaviour detection module (13) each interact with the malware pre-judgement module (14), which compares the MD5 value of the source application and performs risk analysis on the user's online behaviour profile and the application's traffic analysis data, finally pre-judging whether an application is malware or bundles malicious code;
the malware pre-judgement module (14) interacts with the iOS system terminal simulation module (21), transmitting the malware sample to the back-end server, where a virtualised terminal simulating a jailbroken iOS environment is provided for sample analysis;
the iOS system terminal simulation module (21) interacts with the traffic data recovery module (22) and the malware feature monitoring module (23) respectively; through reverse analysis and dynamic debugging of the sample it recovers the encryption algorithm, restores the data in the simulated environment, and monitors whether the application involves sensitive permissions and sensitive data;
the traffic data recovery module (22) and the malware feature monitoring module (23) each send the extracted data to the virus assessment model (24) for comprehensive analysis, which calculates a malware risk value from the restored data content and the permission feature access log together with the virus database, and renders a virus judgement on the malware;
the virus assessment model (24) interacts with the malware analysis report generation module (25) to generate a virus analysis report, enters the related features into the virus database as samples, and submits to the terminal early-warning module (15) for alerting.
2. The iOS malware early-warning and detection system based on traffic analysis as claimed in claim 1, characterised in that the workflow of the iOS handset detection unit (10) is:
1. the data traffic acquisition module (11) collects the user's handset online traffic information and provides it to the machine learning module (12) and the traffic behaviour detection module (13) for further analysis;
2. the machine learning module (12) forms a model of the user's online habits from the user's online times, locations and the basic information of the applications concerned, uses daily data for sample analysis, combines time, space and location to form the user traffic profile, and continually improves the machine learning model;
3. the traffic behaviour detection module (13), by monitoring application traffic, counts uplink/downlink traffic data and callback IP statistics, and forms a traffic log for each application;
4. the malware pre-judgement module (14), on the one hand, compares the feature MD5 values of the malware and the source installation package to discover tampered and bundled software; on the other hand it combines the user's online habits with application traffic monitoring to raise early warnings on abnormal traffic, assessed against the trojan database, realising high-risk early warning;
5. the early-warning module (15), according to the virus assessment result fed back by the server-side detection system (20), alerts the current terminal to the malware and performs an early-warning function for other terminals.
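The terminal-side pre-judgement rules described in the working mechanism (MD5 comparison against the source package, per-application traffic logs, and the event-class traits "frequent interaction while the screen is locked", "periodic requests for fixed data" and "uplink exceeding downlink") are shown below as an added worked example. It is not code from the patent or its assignee: the `FlowRecord` layout, the sample flows, the thresholds and the rule of flagging an application when two or more traits fire are all assumptions made for the example.

```python
import hashlib
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    """One per-application flow as the data traffic acquisition module might log it (assumed layout)."""
    app: str
    ts: int              # seconds since midnight when the flow was seen
    up_bytes: int        # uplink bytes
    down_bytes: int      # downlink bytes
    remote_ip: str       # callback / return IP
    screen_locked: bool  # handset screen state at the time


# Constructed sample flows (not real telemetry): "news" behaves normally,
# "weather" sends a fixed-size upload every 600 s while the screen is locked.
SAMPLE_FLOWS = [
    FlowRecord("news", 8 * 3600 + 15, 300, 12000, "203.0.113.5", False),
    FlowRecord("news", 8 * 3600 + 190, 500, 30000, "203.0.113.6", False),
    FlowRecord("news", 12 * 3600 + 40, 200, 9000, "203.0.113.5", False),
    FlowRecord("news", 21 * 3600 + 5, 250, 15000, "203.0.113.7", False),
    FlowRecord("weather", 2 * 3600, 4096, 120, "198.51.100.9", True),
    FlowRecord("weather", 2 * 3600 + 600, 4096, 120, "198.51.100.9", True),
    FlowRecord("weather", 2 * 3600 + 1200, 4096, 120, "198.51.100.9", True),
    FlowRecord("weather", 2 * 3600 + 1800, 4096, 120, "198.51.100.9", True),
]


def package_tampered(installed_bytes: bytes, source_md5: str) -> bool:
    """MD5 of the installed package compared with the MD5 of the source package."""
    return hashlib.md5(installed_bytes).hexdigest() != source_md5.lower()


def traffic_features(flows):
    """Per-application statistics: locked-screen share, uplink/downlink ratio,
    whether requests are periodic and of fixed size, and the size of the IP pool."""
    by_app = defaultdict(list)
    for f in flows:
        by_app[f.app].append(f)
    feats = {}
    for app, recs in by_app.items():
        recs.sort(key=lambda r: r.ts)
        up = sum(r.up_bytes for r in recs)
        down = sum(r.down_bytes for r in recs)
        gaps = [b.ts - a.ts for a, b in zip(recs, recs[1:])]
        # "periodic" = at least three flows whose spacing varies by at most 10 % (assumed tolerance)
        periodic = len(gaps) >= 2 and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps)
        feats[app] = {
            "locked_share": sum(r.screen_locked for r in recs) / len(recs),
            "up_down_ratio": up / max(down, 1),
            "periodic": periodic,
            "fixed_size": len(recs) >= 3 and len({r.up_bytes for r in recs}) == 1,
            "ip_pool": len({r.remote_ip for r in recs}),
        }
    return feats


def prejudge(feats, locked_share=0.5, up_down=1.0):
    """Event-class rules: collect the suspicious traits per application and flag
    it when at least two fire (thresholds and the two-trait rule are assumptions)."""
    verdicts = {}
    for app, f in feats.items():
        reasons = []
        if f["locked_share"] > locked_share:
            reasons.append("frequent interaction while screen locked")
        if f["periodic"] and f["fixed_size"]:
            reasons.append("periodic requests of fixed size")
        if f["up_down_ratio"] > up_down:
            reasons.append("uplink exceeds downlink")
        verdicts[app] = (len(reasons) >= 2, reasons)
    return verdicts


if __name__ == "__main__":
    for app, (flagged, why) in prejudge(traffic_features(SAMPLE_FLOWS)).items():
        print(app, "FLAG" if flagged else "ok", why)
```

The MD5 check only catches repackaging of a known source package; an application that is malicious from the outset has a "matching" hash, which is why the traffic rules run independently of it.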
3. The iOS malware early-warning and detection system based on traffic analysis as claimed in claim 1, characterised in that the workflow of the server-side detection unit (20) is:
A. the iOS system terminal simulation module (21) simulates the runtime environment for the malicious program pre-judged by the iOS handset detection unit (10), simulating a jailbroken iOS environment of the user's handset, installs and runs the malware, and realises comprehensive behaviour and traffic detection;
B. the traffic data recovery module (22) performs reverse source-code analysis of the malware by decompilation, recovers its encryption/decryption flow and encryption algorithm, restores the data traffic captured in the iOS system terminal simulation module (21), parses the content and compares it against sensitive blocks, and detects whether the user's address book, geographic location, SMS, call records, pictures or audio/video (sensitive personal information) are involved;
C. the malware feature monitoring module (23) uses dynamic monitoring to analyse the behaviour and permissions of the application in the iOS system terminal simulation module (21), records a behaviour log and a permission log, detects whether sensitive permissions for the address book, location, SMS, call records, pictures or audio/video are involved, and submits to the virus assessment model (24) for comprehensive analysis;
D. the virus assessment model (24), based on parsing of the uploaded data content and analysis of the malware's behavioural features, performs a risk assessment of the malware against the virus/trojan feature database;
E. the malware analysis report generation module (25) stores the analysis result, records it in the virus/trojan feature database, pushes it to iOS-based terminals, and issues a malware early-warning notification to the current terminal and to newly installed terminals, preventing further spread of the malware.
4. The iOS handset malware pre-judgement method based on the system as claimed in claims 1-3, characterised in that:
A. Common malware analysis: by profiling the user's online traffic model, detect cases where a particular application frequently sends data back at abnormal times, including frequent interaction while the handset screen is locked, periodic requests for fixed data, and uplink traffic exceeding downlink traffic, and judge whether it is common malware;
B. Analysis of normal software injected with malicious code: some malware is bound to a normal application by injection or bundling. The principle of such software is that code is injected into a common application, which is decompiled and rebuilt into a common application and then runs hidden under the shell of that application. This module compares the MD5 characteristic value of the target application with that of the original program to monitor whether the application has been tampered with; it then compares against the user's online model to detect cases where the application frequently sends data back at abnormal times, mainly including comparison against the IP pool of normal use, frequent interaction while the handset screen is locked, periodic requests for fixed data, and uplink traffic exceeding downlink traffic, and judges whether it is normal software injected with malicious code;
C. Judgement of malware anomaly values, based on the virus/trojan feature database, comprises two classes of rules, namely event-class rules and model-class rules:
First, event-class rules compare the handset's online times, online locations, the uplink/downlink traffic of the main applications used, the interaction period and frequency, and the interaction IP pool, and judge whether there is an anomaly from the MD5 comparison and the size of the interaction packets;
Second, model-class rules judge whether a transaction belongs to malware by means of a machine-learning module algorithm; in general, a model is built from malware sample data, application traffic data and permission data to decide a classification problem. The model's judgement uses the nearest-neighbour (KNN) machine-learning algorithm, in which each sample can be represented by its K closest neighbours; the core idea of KNN is that if the majority of the K most similar samples to a given sample in feature space belong to a certain class, then that sample also belongs to that class and has the characteristics of the samples in that class. In KNN, the distance between objects is calculated as a dissimilarity index between them, avoiding the matching problem between objects; Euclidean distance or Manhattan distance is used for the calculation:
Euclidean distance: Manhattan distance:
In this KNN-based method, the classification decision is determined only by the class of the one or several closest samples, deciding whether the sample to be classified belongs to the malware class;
K is a natural number, with value 2≤M≤100.
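The model-class rule (KNN majority vote over the K nearest samples, with Euclidean or Manhattan distance as the dissimilarity index) is described both in the method section and in claim 4. The block below is an added worked example of that rule, not code from the patent or its assignee: the four-dimensional feature vectors, the training labels, the min-max scaling step and the K-range check are assumptions made for the example. Scaling is added because the raw uplink/downlink ratio spans a much larger range than the share features and would otherwise dominate both distances.

```python
import math
from collections import Counter

# Constructed training set (not from the patent). Each feature vector is
# (locked-screen share, uplink/downlink ratio, periodicity score,
#  number of sensitive permissions used); labels are the two classes
# the model-class rule decides between.
TRAINING = [
    ((0.05, 0.10, 0.0, 1), "benign"),
    ((0.10, 0.20, 0.1, 2), "benign"),
    ((0.00, 0.05, 0.0, 0), "benign"),
    ((0.20, 0.30, 0.2, 1), "benign"),
    ((0.90, 5.00, 0.9, 6), "malware"),
    ((0.80, 3.50, 0.8, 5), "malware"),
    ((0.95, 8.00, 1.0, 7), "malware"),
    ((0.70, 2.50, 0.7, 4), "malware"),
]


def euclidean(a, b):
    """Euclidean distance: square root of the summed squared coordinate differences."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def manhattan(a, b):
    """Manhattan distance: sum of absolute coordinate differences."""
    return sum(abs(x - y) for x, y in zip(a, b))


def fit_scaler(training):
    """Per-feature min/max bounds learned from the training set (assumed preprocessing)."""
    dims = len(training[0][0])
    lo = [min(v[i] for v, _ in training) for i in range(dims)]
    hi = [max(v[i] for v, _ in training) for i in range(dims)]
    return lo, hi


def scale(vec, bounds):
    lo, hi = bounds
    return tuple((x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(vec, lo, hi))


def knn_classify(sample, training, k, metric=euclidean):
    """Majority vote among the K nearest training samples.
    Returns (label, share of the K votes that label received)."""
    if not 2 <= k <= 100:          # value range the patent gives for K
        raise ValueError("K must be in [2, 100]")
    if k > len(training):
        raise ValueError("K exceeds the number of training samples")
    bounds = fit_scaler(training)
    s = scale(sample, bounds)
    ranked = sorted(training, key=lambda t: metric(s, scale(t[0], bounds)))
    votes = Counter(label for _, label in ranked[:k])
    label, count = votes.most_common(1)[0]
    return label, count / k


if __name__ == "__main__":
    unknown = (0.85, 4.0, 0.85, 5)   # constructed sample to be classified
    print("euclidean:", knn_classify(unknown, TRAINING, 3))
    print("manhattan:", knn_classify(unknown, TRAINING, 3, metric=manhattan))
```

With two classes an odd K avoids tied votes; with an even K, `Counter.most_common` returns the label that reached the tied count first in neighbour order, which is an arbitrary tie-break a deployment would want to replace with a distance-weighted vote.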
5. The server-side virus analysis method based on the system as claimed in claims 1-3, characterised in that:
I. Privacy content monitoring: restore the content of the data traffic in the iOS system terminal simulation module (21), parse the content and compare it against sensitive blocks, and detect whether the user's address book, location, SMS, call records, pictures or audio/video (sensitive personal information) are involved;
II. Sensitive permission monitoring: use dynamic monitoring to analyse the behaviour and permissions of the application in the iOS system terminal simulation module (21), record a behaviour log and a permission log, detect whether sensitive permissions for the address book, location, SMS, call records, pictures or audio/video are involved, and submit to the virus assessment model (24) for comprehensive analysis;
III. Analyse with the nearest-neighbour machine-learning algorithm, combining the privacy content and permission analysis with comparison against the virus/trojan feature database, assess the risk value, and form a malware analysis report;
IV. Add the analysis result to the sample analysis database, and push the early-warning information to each iOS terminal to realise early warning.
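The server-side steps I to III (sensitive-block comparison on restored traffic, sensitive-permission monitoring from the permission log, and a risk value checked against the feature database) are shown below as an added worked example; it is not code from the patent or its assignee. The byte patterns standing in for "sensitive blocks", the permission-log line format, the category weights and level thresholds, and the MD5 set standing in for the virus/trojan feature database are all constructed for the example.

```python
import hashlib
import re

# Sensitive personal-information categories named in the patent, matched in
# restored (decrypted) traffic. Patterns are constructed for this example.
SENSITIVE_CONTENT = {
    "address_book": re.compile(rb'"contacts"\s*:\s*\['),
    "location":     re.compile(rb'"(?:lat|latitude)"\s*:\s*-?\d+(?:\.\d+)?'),
    "sms":          re.compile(rb'"(?:sms|messages)"\s*:\s*\['),
    "call_log":     re.compile(rb'"call_log"\s*:\s*\['),
    "picture":      re.compile(rb'\xff\xd8\xff'),              # JPEG start-of-image marker
    "audio_video":  re.compile(rb'ftyp(?:isom|mp42|M4A )'),    # MP4/M4A file-type box
}
CONTENT_WEIGHT = {"address_book": 3, "location": 3, "sms": 3, "call_log": 3,
                  "picture": 2, "audio_video": 2}              # assumed weights

# Permission categories treated as sensitive; each granted use adds 1 (assumed).
SENSITIVE_PERMISSIONS = {"contacts", "location", "sms", "call_log",
                         "photos", "microphone", "camera"}
PERMISSION_RE = re.compile(r"ACCESS (\w+) (granted|denied)")   # assumed log format

# Constructed stand-in for the virus/trojan feature database: MD5 of known samples.
KNOWN_TROJAN_MD5 = {hashlib.md5(b"constructed-known-bad-sample").hexdigest()}


def scan_restored_content(payload: bytes) -> set:
    """Step I: which sensitive categories appear in the restored traffic."""
    return {name for name, rx in SENSITIVE_CONTENT.items() if rx.search(payload)}


def scan_permission_log(lines) -> set:
    """Step II: sensitive permissions actually granted according to the permission log."""
    used = set()
    for line in lines:
        m = PERMISSION_RE.search(line)
        if m and m.group(2) == "granted" and m.group(1) in SENSITIVE_PERMISSIONS:
            used.add(m.group(1))
    return used


def assess(sample: bytes, payload: bytes, log_lines) -> dict:
    """Step III: combine content hits, permission hits and the feature-database
    lookup into a risk value and level (thresholds are assumptions)."""
    content = scan_restored_content(payload)
    perms = scan_permission_log(log_lines)
    known = hashlib.md5(sample).hexdigest() in KNOWN_TROJAN_MD5
    risk = sum(CONTENT_WEIGHT[c] for c in content) + len(perms) + (5 if known else 0)
    level = "high" if risk >= 8 else "medium" if risk >= 4 else "low"
    return {"risk": risk, "level": level, "content": sorted(content),
            "permissions": sorted(perms), "known_sample": known}


# Constructed inputs: a restored upload carrying contacts, coordinates and a JPEG,
# plus a permission log from the dynamic-monitoring stage (fictitious values).
SAMPLE_PAYLOAD = (b'{"contacts":[{"name":"A","phone":"+86 000 0000 0000"}],'
                  b'"lat":30.5,"lng":114.3,"photo":"\xff\xd8\xff\xe0"}')
SAMPLE_LOG = [
    "2017-06-09T02:00:01 ACCESS contacts granted",
    "2017-06-09T02:00:02 ACCESS location granted",
    "2017-06-09T02:00:03 ACCESS camera denied",
    "2017-06-09T02:00:04 ACCESS network granted",
]


if __name__ == "__main__":
    print(assess(b"new-sample", SAMPLE_PAYLOAD, SAMPLE_LOG))
```

A denied permission contributes nothing, and only the content actually seen on the wire after restoration counts, so a sample that requests a permission but never exfiltrates the data scores lower than one that does.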
CN201710432771.1A 2017-06-09 2017-06-09 The early warning of IOS Malwares and detecting system and its method based on flow analysis Withdrawn CN107092830A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710432771.1A CN107092830A (en) 2017-06-09 2017-06-09 The early warning of IOS Malwares and detecting system and its method based on flow analysis

Publications (1)

Publication Number Publication Date
CN107092830A true CN107092830A (en) 2017-08-25

Family

ID=59639310

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20170825