CN107169350A - Detection and blocking method for mobile applications that use abnormal permissions - Google Patents

Detection and blocking method for mobile applications that use abnormal permissions

Info

Publication number
CN107169350A
Authority
CN
China
Prior art keywords
permission
application
classification
abnormal
under test
Prior art date
Application number
CN201710325228.1A
Other languages
Chinese (zh)
Inventor
周超
郭雅娟
黄伟
陈锦铭
姜海涛
郭静
李岩
王梓莹
Original Assignee
国网江苏省电力公司电力科学研究院
国家电网公司
江苏省电力试验研究院有限公司
Priority date
2017-05-10
Filing date
2017-05-10
Publication date
2017-09-15
Application filed by 国网江苏省电力公司电力科学研究院, 国家电网公司, 江苏省电力试验研究院有限公司

Classifications

    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F21/00 > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (G06F2221/00 Indexing scheme relating to security arrangements > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups)

Abstract

The invention discloses a detection and blocking method for mobile applications that use abnormal permissions. The abnormal permissions among those requested by the application under test are obtained; when such a permission is used to call a method provided by the system framework layer, the safety behaviour pattern table for that method is looked up. If the calling process does not match a safety behaviour pattern sequence defined in the table, the call is blocked; if it does, no action is taken. The method analyses both the permissions a mobile application requests and how it uses them at run time, so that dangerous calls are blocked promptly and the leakage of sensitive information caused by the misuse of permissions is prevented.

Description

Detection and blocking method for mobile applications that use abnormal permissions

Technical field

The present invention relates to a detection and blocking method for mobile applications that use abnormal permissions, and belongs to the technical field of mobile information security.

Background technology

Mobile devices now play an ever more important role in daily life, and their security problems have become correspondingly prominent. Malicious programs often exploit vulnerabilities on the handset to elevate their own privileges, gain access to sensitive system data and methods, and finally carry out malicious acts.

To constrain the behaviour of malicious applications, Smalley et al. proposed protecting Android system resources with mandatory access control. Building on an in-depth analysis of the Android security mechanisms, another research group proposed a security hardening technique based on mandatory access control. Shebaro et al. proposed a context-based access control model that allows an application to use sensitive data only under particular circumstances. Yang Huan et al. designed a mining algorithm based on frequent permission patterns for mining the associations between the permissions an application requests; by mining these associations and using machine learning on the characteristics of the permissions a program requests, applications are classified and malicious programs are identified. To detect malware efficiently on the Android platform, Li Ting et al. proposed a method for describing and analysing Android malicious-code features based on Dalvik instructions, which can quickly detect the malicious features of a sample without decompiling the application.

All of the above methods restrict and inspect the access actions of the application or of the system itself in order to protect the security of private data. A further class of methods analyses system security by analysing and tracking the data flow or instruction stream in the system. For example, FlowDroid builds a control-flow or data-flow graph by static analysis, analyses where data flows, and reports whether private data has been compromised. With modification, traditional static program-detection techniques can be applied to the detection of Android applications and can accurately detect the leakage of private data in a program. To improve the security of the Android mobile platform, another group proposed a static detection method based on Dalvik instructions: by analysing the application's virtual-machine bytecode it finds the data flows of sensitive information, tracking the sensitive information and the function calls, and so judges whether the application behaves maliciously.

These static data-flow and instruction-stream analyses have their limitations: they cannot guarantee real-time detection and analysis of where the private data of the current system is going. They can only analyse a snapshot of the system to assess its security and cannot detect the security of the system dynamically.

The content of the invention

To solve the above technical problem, the invention provides a detection and blocking method for mobile applications that use abnormal permissions.

To achieve the above object, the technical solution adopted by the invention is:

A detection and blocking method for mobile applications that use abnormal permissions: obtain the abnormal permissions among the permissions requested by the application under test; when such an abnormal permission is used to call a method provided by the system framework layer, look up the safety behaviour pattern table corresponding to that method; if the calling process does not satisfy a safety behaviour pattern sequence defined in the safety behaviour pattern table, block the call, and if it does, take no action. A safety behaviour pattern sequence is the correct process for calling the method.

The process for obtaining the abnormal permissions among those requested by the application under test is as follows.

Collect a number of known applications as standard samples.

Analyse the category to which each standard-sample application belongs and the permissions each application requests, and build a category-permission table, which stores each category of application together with the permissions that applications of that category request.

Determine the category of the application under test by Euclidean distance, obtain the permissions corresponding to that category from the category-permission table, and put them into the standard permission set A.

Obtain the permissions requested by the application under test and compare them with the permissions in the standard permission set A; any requested permission that does not belong to A is defined as an abnormal permission.

The standard samples are obtained by crawling the applications on the major application websites with a web crawler.

The process for determining the category of the application under test by Euclidean distance is as follows.

For the application under test, first query the category-permission table. For each entry in the category-permission table a feature vector (v_i1, v_i2, ..., v_in) can be built, where v_ik takes the value 0 or 1; v_ik = 1 indicates that applications of the i-th category request the k-th permission; n is the total number of permissions requested by applications of the i-th category, and 1 ≤ k ≤ n.

Analyse the permission information of the application under test and build a permission vector of the same form. Normalise all the feature vectors and the permission vector, then compute the Euclidean distances; the category whose distance is smallest is the category to which the application under test belongs.

The process for building the safety behaviour pattern table is as follows.

Match every method provided by the system framework layer with the permission it corresponds to, and build a permission-method table, which stores each permission together with the methods that are called under it.

Build a safety behaviour pattern table for each method call; the call of each method corresponds to one or several safety behaviour pattern sequences.

Using the temporal expressiveness of the TLCK temporal-logic description language, with the application's method calls and the related system events as variables, a safety behaviour pattern is defined for each specific system-resource access.

Beneficial effect of the invention: the invention provides a more complete detection and blocking method for the case in which malware obtains and uses abnormal permissions. It analyses both the permissions a mobile application requests and how it uses them at run time, blocks dangerous calls promptly, and so prevents the leakage of sensitive information caused by the misuse of permissions.

Brief description of the drawings

Fig. 1 is the flow chart of the invention.

Fig. 2 illustrates the system method-call mechanism.

Embodiment

The invention is further described below with reference to the drawings. The following embodiments are only intended to illustrate the technical solution of the invention clearly and do not limit its scope.

As shown in Fig. 1, the detection and blocking method for mobile applications that use abnormal permissions is specifically: obtain the abnormal permissions among the permissions requested by the application under test; when such an abnormal permission is used to call a method provided by the framework layer of the system (the Android system), look up the safety behaviour pattern table corresponding to the method; if the calling process does not satisfy a safety behaviour pattern sequence defined in the safety behaviour pattern table, block the call; if it does, take no action. A safety behaviour pattern sequence is the correct process for calling the method. For example, for making a phone call the safety behaviour pattern sequence should be "enter a number / select a contact's number" -> "tap dial", whereas a malicious process dials a malicious number directly in the background.

The process for obtaining the abnormal permissions among those requested by the application under test is:

S11, collect a number of known applications as standard samples; the standard samples are obtained by crawling the applications on the major application websites with a web crawler.

S12, analyse the category to which each standard-sample application belongs and the permissions each application requests, and build a category-permission table, which stores each category of application together with the permissions that applications of that category request.

S13, determine the category of the application under test by Euclidean distance, obtain the permissions corresponding to that category from the category-permission table, and put them into the standard permission set A.

The process for determining the category of the application under test by Euclidean distance is:

For the application under test, first query the category-permission table. For each entry in the category-permission table a feature vector (v_i1, v_i2, ..., v_in) can be built, where v_ik takes the value 0 or 1; v_ik = 1 indicates that applications of the i-th category request the k-th permission; n is the total number of permissions requested by applications of the i-th category, and 1 ≤ k ≤ n. Analyse the permission information of the application under test and build a permission vector of the same form. Normalise all the feature vectors and the permission vector, then compute the Euclidean distances; the category whose distance is smallest is the category to which the application under test belongs.

S14, obtain the permissions requested by the application under test and compare them with the permissions in the standard permission set A; any requested permission that does not belong to A is defined as an abnormal permission.
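The procedure of steps S11 to S14 (and the identical summary given earlier), carried through as an added example that is not part of the patent: a category-permission table is built from a constructed set of labelled sample applications, the application under test is assigned to the nearest category by the Euclidean distance between normalised 0/1 permission vectors, and every requested permission outside the standard set A is reported as abnormal. All application names, categories and permission sets are constructed stand-ins for the crawled samples, and the vectors are laid out over the union of all permissions seen, since the page defines n per category, which would leave vectors of different lengths that cannot be compared.

```python
"""Added example: category-permission table, Euclidean-distance category
assignment and abnormal-permission extraction (steps S11-S14).
All app names, categories and permission sets below are constructed
stand-ins for the crawled standard samples the page describes."""
from math import sqrt

# S11: constructed "known applications": name -> (category, requested permissions)
SAMPLE_APPS = {
    "map_a":   ("navigation", {"ACCESS_FINE_LOCATION", "INTERNET", "ACCESS_NETWORK_STATE"}),
    "map_b":   ("navigation", {"ACCESS_FINE_LOCATION", "INTERNET"}),
    "torch_a": ("flashlight", {"CAMERA"}),
    "torch_b": ("flashlight", {"CAMERA", "VIBRATE"}),
    "chat_a":  ("messaging",  {"INTERNET", "READ_CONTACTS", "SEND_SMS", "RECEIVE_SMS"}),
    "chat_b":  ("messaging",  {"INTERNET", "READ_CONTACTS", "SEND_SMS"}),
}


def build_category_permission_table(samples):
    """S12: category -> union of the permissions its sample apps request."""
    table = {}
    for category, perms in samples.values():
        table.setdefault(category, set()).update(perms)
    return table


def permission_universe(table, requested):
    """Fixed ordering of every permission seen in the table or in the app under
    test, so that all vectors share one dimension (assumption: the page defines
    n per category, which would make the distances incomparable)."""
    universe = set(requested)
    for perms in table.values():
        universe |= perms
    return sorted(universe)


def to_vector(perms, universe):
    """0/1 vector: component k is 1 iff the k-th permission is requested."""
    return [1.0 if p in perms else 0.0 for p in universe]


def normalize(vec):
    """Scale to unit length; an all-zero vector (no permissions) stays zero."""
    norm = sqrt(sum(x * x for x in vec))
    return vec if norm == 0 else [x / norm for x in vec]


def euclidean(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(requested, table):
    """S13: the category whose normalised feature vector is nearest."""
    universe = permission_universe(table, requested)
    target = normalize(to_vector(requested, universe))
    distances = {
        category: euclidean(normalize(to_vector(perms, universe)), target)
        for category, perms in table.items()
    }
    return min(distances, key=distances.get)


def abnormal_permissions(requested, table):
    """S13 + S14: the standard set A is the nearest category's permission set;
    every requested permission outside A is abnormal."""
    category = classify(requested, table)
    standard_set_a = table[category]
    return category, set(requested) - standard_set_a


if __name__ == "__main__":
    table = build_category_permission_table(SAMPLE_APPS)
    # A flashlight-like app that also asks for SEND_SMS: ("flashlight", {"SEND_SMS"})
    print(abnormal_permissions({"CAMERA", "VIBRATE", "SEND_SMS"}, table))
```

One property of the distance-based category step is worth checking on real data: when an application's abnormal permissions outnumber its legitimate ones (say CAMERA together with READ_CONTACTS and SEND_SMS), the nearest category becomes "messaging" and CAMERA is the permission reported as abnormal, so the categorisation is pulled by the very permissions it is meant to expose. Taking the category from the store listing rather than from the requested permissions alone avoids that.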

The process for building the safety behaviour pattern table is:

S21, match every method provided by the system framework layer with the permission it corresponds to, and build a permission-method table, which stores each permission together with the methods that are called under it.

S22, build a safety behaviour pattern table for each method call; the call of each method corresponds to one or several safety behaviour pattern sequences.

Using the temporal expressiveness of the TLCK temporal-logic description language, with the application's method calls and the related system events as variables, a safety behaviour pattern is defined for each specific system-resource access.

The blocking described above is carried out in the kernel layer of the native system. The behaviour of the called method is monitored, and an analysis of the program's behaviour pattern is added on top of permission verification: as soon as a call fails to satisfy a safety behaviour pattern sequence, the method call is blocked, the permission the application obtained is revoked, and the user is prompted to authorise it again. This differs from the way most security software detects and blocks malware behaviour in the application layer. As shown in Fig. 2, each thread in the system maintains an Interpreted Stack. The information of a method to be called is first pushed onto the Interpreted Stack, the method is then interpreted and executed by Dalvik, and after execution it is popped off the Interpreted Stack again. The positions of methods on the Interpreted Stack therefore reflect the call relationships between methods, and a method's call information, such as its parameters, can be obtained by parsing the information in the Interpreted Stack. By monitoring push operations on the Interpreted Stack, the method-call information of the application is obtained; adding the monitoring code described above at the point where these methods are called completes the dynamic monitoring and blocking. (In practice the Interpreted Stack belongs to the Dalvik interpreter running inside the application's own process rather than to the Linux kernel, and Dalvik was replaced by the ART runtime from Android 5.0, so this hook point is specific to Dalvik-era devices.)
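Steps S21 and S22 together with the blocking step, as an added example that is not the patent's own code: a permission-method table, a safety behaviour pattern table keyed by method, and a monitor object that plays the role of the hook on Interpreted Stack push operations. The dial example from the embodiment is the test case: a call of the phone method preceded on the same thread by "input_number" and then "click_dial" is allowed, while the same call from a background thread with no such events is blocked and the permission is revoked until the user re-authorises it. The method names, event names and the ordered-subsequence matching rule are assumptions; the page expresses its patterns in TLCK temporal logic, of which this is only a simplification.

```python
"""Added example: permission-method table, safety behaviour pattern table
and a frame-push guard that blocks a guarded framework call whose preceding
events match none of the allowed sequences (steps S21-S22 and the blocking
step). Method and event names are assumed, not Android's real API."""
from collections import defaultdict, deque

# S21: permission -> framework-layer methods gated by it (assumed names).
PERMISSION_METHOD_TABLE = {
    "CALL_PHONE": {"TelephonyManager.call"},
    "SEND_SMS": {"SmsManager.sendTextMessage"},
}

# S22: method -> safety behaviour pattern sequences. A call is allowed when at
# least one sequence occurs, in order, among the events recorded on the
# calling thread before the call. This ordered-subsequence rule is a
# simplification of the TLCK temporal-logic patterns the page uses.
SAFETY_PATTERN_TABLE = {
    "TelephonyManager.call": [
        ("input_number", "click_dial"),
        ("select_contact", "click_dial"),
    ],
    "SmsManager.sendTextMessage": [
        ("compose_message", "click_send"),
    ],
}


def is_ordered_subsequence(pattern, events):
    """True iff every step of pattern appears in events, in the same order."""
    it = iter(events)
    return all(any(e == step for e in it) for step in pattern)


class CallMonitor:
    """Stands in for the hook on Interpreted Stack push operations: it sees
    each method frame as it is pushed, per thread, and decides allow/block."""

    def __init__(self, abnormal_permissions, history_len=16):
        # Only methods reachable through an abnormal permission are guarded.
        self.method_to_permission = {
            m: p for p in abnormal_permissions
            for m in PERMISSION_METHOD_TABLE.get(p, ())
        }
        self.history = defaultdict(lambda: deque(maxlen=history_len))
        self.revoked = set()
        self.log = []

    def record_event(self, thread_id, event):
        """UI/system events that feed the pattern check (input, taps, ...)."""
        self.history[thread_id].append(event)

    def on_method_push(self, thread_id, method):
        """Return True to let the call proceed, False to block it."""
        permission = self.method_to_permission.get(method)
        if permission is None:
            return True  # not reached through an abnormal permission
        if permission in self.revoked:
            self.log.append((thread_id, method, "block: permission revoked"))
            return False
        patterns = SAFETY_PATTERN_TABLE.get(method, [])
        # A guarded method with no known safe sequence is always blocked.
        allowed = any(is_ordered_subsequence(p, self.history[thread_id])
                      for p in patterns)
        if not allowed:
            # Deprive the app of the permission; the user must re-authorise.
            self.revoked.add(permission)
        self.log.append((thread_id, method, "allow" if allowed else "block"))
        return allowed

    def reauthorize(self, permission):
        """The user grants the permission again after the prompt."""
        self.revoked.discard(permission)


def run_demo():
    """Dial example from the embodiment: UI-driven call vs. background call."""
    mon = CallMonitor(abnormal_permissions={"CALL_PHONE"})
    mon.record_event("ui", "input_number")
    mon.record_event("ui", "click_dial")
    user_dial = mon.on_method_push("ui", "TelephonyManager.call")
    background_dial = mon.on_method_push("bg", "TelephonyManager.call")
    return user_dial, background_dial, mon


if __name__ == "__main__":
    user_dial, background_dial, mon = run_demo()
    print(user_dial, background_dial, mon.log)  # True False [...]
```

The history is kept per thread because the page's observation is that the Interpreted Stack is per thread; a pattern satisfied on the UI thread says nothing about a dial issued from a worker thread, which is exactly the background case the embodiment wants blocked. Once a permission has been revoked every further guarded call is refused until re-authorised, even if the thread's history would match.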

The invention provides a more complete detection and blocking method for the case in which malware obtains and uses abnormal permissions. It analyses both the permissions a mobile application requests and how it uses them at run time, blocks dangerous calls promptly, and so prevents the leakage of sensitive information caused by the misuse of permissions.

The above is only a preferred embodiment of the invention. It should be noted that a person of ordinary skill in the art can make several improvements and variations without departing from the technical principles of the invention, and these improvements and variations should also be regarded as falling within the scope of protection of the invention.

Claims (6)

1. A detection and blocking method for mobile applications that use abnormal permissions, characterised in that: the abnormal permissions among the permissions requested by the application under test are obtained; when such an abnormal permission is used to call a method provided by the system framework layer, the safety behaviour pattern table corresponding to the method is looked up; if the calling process does not satisfy a safety behaviour pattern sequence defined in the safety behaviour pattern table, the call is blocked, and if it does, no action is taken; a safety behaviour pattern sequence is the correct process for calling the method.
2. The detection and blocking method for mobile applications that use abnormal permissions according to claim 1, characterised in that the process for obtaining the abnormal permissions among the permissions requested by the application under test is:
collect a number of known applications as standard samples;
analyse the category to which each standard-sample application belongs and the permissions each application requests, and build a category-permission table, which stores each category of application together with the permissions that applications of that category request;
determine the category of the application under test by Euclidean distance, obtain the permissions corresponding to that category from the category-permission table, and put them into the standard permission set A;
obtain the permissions requested by the application under test and compare them with the permissions in the standard permission set A; any requested permission that does not belong to A is defined as an abnormal permission.
3. The detection and blocking method for mobile applications that use abnormal permissions according to claim 2, characterised in that the applications on the major application websites are crawled with a web crawler and used as the standard samples.
4. The detection and blocking method for mobile applications that use abnormal permissions according to claim 2, characterised in that the process for determining the category of the application under test by Euclidean distance is:
for the application under test, first query the category-permission table; for each entry in the category-permission table a feature vector (v_i1, v_i2, ..., v_in) can be built, where v_ik takes the value 0 or 1, v_ik = 1 indicates that applications of the i-th category request the k-th permission, n is the total number of permissions requested by applications of the i-th category, and 1 ≤ k ≤ n;
analyse the permission information of the application under test and build a permission vector of the same form; normalise all the feature vectors and the permission vector, then compute the Euclidean distances; the category whose distance is smallest is the category to which the application under test belongs.
5. The detection and blocking method for mobile applications that use abnormal permissions according to claim 1, characterised in that the process for building the safety behaviour pattern table is:
match every method provided by the system framework layer with the permission it corresponds to, and build a permission-method table, which stores each permission together with the methods that are called under it;
build a safety behaviour pattern table for each method call; the call of each method corresponds to one or several safety behaviour pattern sequences.
6. The detection and blocking method for mobile applications that use abnormal permissions according to claim 5, characterised in that, using the temporal expressiveness of the TLCK temporal-logic description language, with the application's method calls and the related system events as variables, a safety behaviour pattern is defined for each specific system-resource access.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710325228.1A CN107169350A (en) 2017-05-10 2017-05-10 Detection and blocking method for mobile applications that use abnormal permissions


Publications (1)

Publication Number Publication Date
CN107169350A true CN107169350A (en) 2017-09-15

Family

ID=59813652


Country Status (1)

Country Link
CN (1) CN107169350A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107832590A (en) * 2017-11-06 2018-03-23 珠海市魅族科技有限公司 Terminal control method and device, terminal and computer-readable recording medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8769676B1 (en) * 2011-12-22 2014-07-01 Symantec Corporation Techniques for identifying suspicious applications using requested permissions
CN104376266A (en) * 2014-11-21 2015-02-25 工业和信息化部电信研究院 Determination method and device for security level of application software
CN104462889A (en) * 2013-09-12 2015-03-25 腾讯科技(深圳)有限公司 Application authority management method and device
CN104866763A (en) * 2015-05-28 2015-08-26 天津大学 Permission-based Android malicious software hybrid detection method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
雷灵光 et al.: "A behaviour-based access control scheme for Android system resources", 《计算机研究与发展》 (Journal of Computer Research and Development) *



Legal Events

Date Code Title Description
2017-09-15 PB01 Publication Application publication date: 20170915
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication