CN108573149A - A kind of sample testing method and device - Google Patents

A kind of sample testing method and device

Info

Publication number
CN108573149A
Authority
CN
China
Prior art keywords
sample
characteristic value
feature
dex
file
Prior art date
Legal status
Pending
Application number
CN201710142638.2A
Other languages
Chinese (zh)
Inventor
高坤
张耕毓
刘宇豪
马志远
Current Assignee
Wuhan Antian Information Technology Co Ltd
Original Assignee
Wuhan Antian Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Antian Information Technology Co Ltd
Priority to CN201710142638.2A
Publication of CN108573149A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses a sample detection method and device. Predefined feature values are obtained from the dex file of the sample to be detected, and whether those values satisfy preset rules determines whether the sample is a custom-packed sample or a framework-generated sample. The features used by the invention are parameters in the dex file that describe the file's data structure; these parameters depend only on the file itself, and because they sit at fixed positions in the file their exact values can be read directly, so detection is efficient. The predefined rules of the invention detect every sample that shares the same file structure, which is better than methods that cluster by specific strings such as package names, and gives a high detection rate.

Description

A kind of sample testing method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a malicious sample detection method and device.
Background technology
The rapid development of the mobile Internet in recent years has brought with it a growing number of platform security problems. The Android platform is the most prominent case: behind the apparent prosperity of its ecosystem lies a black-market industry chain driven by large profits. At present two classes of sample are relatively difficult to detect:
First, packed samples are currently among the hardest samples to analyse. Packing hides the program structure and key code of a malicious application, which greatly hinders the static analysis work of analysts; at the same time, because the shell itself often carries little high-value information, it is hard to extract rules with a high detection rate for mass detection by an anti-virus engine. Currently, detection rules for packed samples are mainly extracted from the package name, from feature strings in the AndroidManifest file, and from the counts of the four major components of the application (Activity, BroadcastReceiver, Service, ContentProvider).
More serious than ordinary packed samples is the growing use of custom packing (including random machine-batch packing) in malicious applications such as ransomware and pornographic apps. In these samples the package name, class names and AndroidManifest file after packing are all random strings, so detection methods that rely on a specified package name or on feature strings in the AndroidManifest file are essentially ineffective, and methods that rely on the four component counts alone have a high false-positive rate. Existing detection methods for ordinary packed samples are therefore entirely unsuited to the custom-packed case.
Second, Android application auto-generation frameworks are mechanisms that automatically generate an Android application's structure and corresponding code. A user need only supply a few specific parameters as input to the framework to obtain an Android application generated automatically by it. Applications generated by the same framework may have different package names, class names and strings, but their structure is identical.
Particular vigilance is warranted because among these auto-generation frameworks there is a class used specifically to generate malware, most commonly backdoor-type spyware. Some of these frameworks directly generate random package names, class names or strings in the AndroidManifest file; others obfuscate package names, class names and so on at a later stage. As a result, even within a batch of malware samples generated by the same framework, the above characteristics differ from one sample to the next, and traditional detection methods that use strings as rules are no longer suitable for detecting such samples.
Invention content
In view of the above problems, it is necessary to propose a new sample detection method and device that is applicable to the detection of custom-packed samples and framework-generated samples and has a high detection rate and a low false-positive rate.
To achieve the above goal, the invention discloses a sample detection method comprising the following steps:
obtaining predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure;
when the sample's feature values match a first preset rule, judging the sample to be a custom-packed sample; when the sample's feature values match a second preset rule, judging the sample to be a framework-generated sample.
Further, obtaining the predefined feature values from the dex file of the sample to be detected comprises extracting the predefined feature values from the dex file header of the sample file.
Further, extracting the predefined feature values from the dex file header of the sample file comprises: reading the dex file as a byte stream and, according to the specified format of the dex file header, extracting the value of a subsequence from the header byte sequence at a specified byte offset.
Further, the predefined features comprise a main feature and auxiliary features, and the first and/or second preset rule is defined such that only when the main feature value meets its requirement are the auxiliary feature values then checked against their requirements.
Further, the main feature is the total number of classes defined, and the auxiliary features comprise at least one of: the strings in the string table, the types in the type list, the method prototypes in the method prototype table, the fields in the field list, and the methods in the dex file.
Further, when there are multiple auxiliary features, the sample is judged to be a custom-packed sample only when every auxiliary feature value meets its requirement.
Correspondingly, the invention also discloses a sample detection device comprising:
a feature acquisition module, for obtaining predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure;
a judgment module, for judging the sample to be a custom-packed sample when its feature values match a first preset rule, and a framework-generated sample when its feature values match a second preset rule.
Further, the feature acquisition module obtains the predefined feature values from the dex file of the sample to be detected by extracting them from the dex file header of the sample file.
Further, extracting the predefined feature values from the dex file header of the sample file comprises: reading the dex file as a byte stream and, according to the specified format of the dex file header, extracting the value of a subsequence from the header byte sequence at a specified byte offset.
Further, the predefined features comprise a main feature and auxiliary features, and the first and/or second preset rule is defined such that only when the main feature value meets its requirement are the auxiliary feature values then checked against their requirements.
Further, the main feature is the classes defined in the dex file, and the auxiliary features comprise at least one of: the strings in the string table, the types in the type list, the method prototypes in the method prototype table, the fields in the field list, and the methods in the dex file.
Further, the judgment module is further operable, when there are multiple auxiliary features, to judge the sample to be a custom-packed sample only when every auxiliary feature value meets its requirement.
Compared with the prior art, the advantageous effect of the invention is as follows. Based on the characteristics of custom-packed and framework-generated samples and on the results of big-data statistical analysis, the invention obtains predefined feature values from the dex file of the sample to be detected and judges, from whether those values satisfy preset rules, whether the sample is a custom-packed sample or a framework-generated sample. The features are parameters in the dex file that describe its data structure; they depend only on the file itself, and because they sit at fixed positions in the file their exact values can be read directly, so detection is efficient. The predefined rules detect every sample that shares the same file structure, which is better than methods that cluster by specific strings such as package names, and gives a high detection rate.
Description of the drawings
Fig. 1 is a flow chart of the sample detection method of the invention.
Fig. 2 is a structural schematic diagram of the sample detection device of the invention.
Specific implementation mode
The invention is based on the characteristics of custom-packed samples and the results of big-data statistical analysis. To make the objects, technical solutions and advantages of the invention clearer, the invention is described below in further detail with reference to the accompanying drawings.
Although the steps of the invention are numbered, the numbering does not limit their order: unless the execution of a step is specified to depend on other steps, the relative order of the steps is adjustable.
Embodiment 1:
As shown in Fig. 1, a sample detection method comprises the following steps:
S100: obtain predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure.
Table 1 lists several features related to file data structure. Unlike the package name of a packed sample or feature strings in the AndroidManifest file, which a custom packer may generate randomly, the features in the dex file that describe its data structure (classes, methods, fields, etc.) are fixed. This embodiment uses these predefined features as an illustration; the actual detection process is not limited to them.
Table 1
Feature   Meaning
string    Strings in the string table
type      Types in the type list
proto     Method prototypes in the method prototype table
field     Fields in the field list
method    Methods in the dex file
class     Classes defined in the dex file
To obtain the above features, the dex file can be traversed and each feature value counted. To improve efficiency, the predefined feature values can instead be extracted directly from the dex file header of the sample file, making use of the header's fixed layout. Because the feature parameters sit at fixed positions in the file, their exact values can be read directly, so detection is efficient.
Table 2 shows the structure of the dex file header. With reference to Table 2, the dex file is read as a byte stream and, according to the specified format of the dex file header, the value of a subsequence is extracted from the header byte sequence at a specified byte offset; the value of that subsequence is the required feature value. For example, the value of the string_ids_size field is unpacked at offset 0x38 and is the number of strings in the string table; the value of the class_defs_size field is unpacked at offset 0x60 and is the number of classes defined in the dex file.
S200: when the sample's feature values match a first preset rule, judge the sample to be a custom-packed sample; when the sample's feature values match a second preset rule, judge the sample to be a framework-generated sample.
Based on big-data analysis, several rules can be defined, for example: when the count of every feature satisfies its predefined value, the sample is judged to be a custom-packed sample or a framework-generated sample. Depending on the circumstances, each feature value may be a specific value or a range. Because current custom-packed and framework-generated samples are deliberately produced by the black-market industry chain, a custom-packed or framework-generated sample is generally considered a malicious sample. Other means may of course be combined, as circumstances require, to further judge whether the sample is malicious.
The invention can be used for batch detection of samples, with a high detection rate and high detection accuracy.
Embodiment 2:
In other embodiments, to improve detection speed, some improvements can be made to Embodiment 1.
For example, in S200 the predefined features can be divided into two classes, a main feature and auxiliary features; only when the main feature value meets its requirement are the auxiliary feature values checked. Analysis of a large number of custom-packed samples found that using the classes defined in the dex file (class) as the main feature, supplemented by at least one of the strings in the string table (string), the types in the type list (type), the method prototypes in the method prototype table (proto), the number of fields in the field list (field) and the total number of methods in the dex file (method) as auxiliary features, gives high detection accuracy and high detection efficiency.
To further improve detection accuracy, the number of auxiliary features can be increased as far as possible; when there are multiple auxiliary features, the sample is judged to be a custom-packed sample or a framework-generated sample only when every auxiliary feature value meets its requirement.
For example, a first predefined rule is set as shown in Table 3: when the feature value for classes defined in the dex file (class) is 4, there are 5 sub-rules on the auxiliary features. When a sample's class count is 4, the remaining auxiliary features are checked. When string is 437, type is 35, proto is 58, field is 78 and method is 111, sub-rule 1 is satisfied and the sample is judged to be a custom-packed sample.
Table 3
A second predefined rule can likewise be derived from statistical analysis of big data; when a sample's feature values match the second preset rule, the sample is judged to be a framework-generated sample.
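As an added illustration (not code from the patent or its applicant), the following Python carries out both halves of the method described above: step S100, reading the six feature values of Table 1 straight from the dex header at fixed byte offsets, and step S200 with the main-feature/auxiliary-feature refinement of this embodiment, applied to the first rule as the text describes it (class 4; sub-rule 1 with string 437, type 35, proto 58, field 78, method 111). The page itself gives only the offsets 0x38 (string_ids_size) and 0x60 (class_defs_size); the other four offsets follow from the standard dex header layout. The sample header, the second range-valued sub-rule and the empty list of second-rule entries are constructed placeholders, since the page does not list them.

```python
import struct

# Offsets of the *_size fields in the dex file header. The page cites 0x38
# (string_ids_size) and 0x60 (class_defs_size); the rest follow the standard
# dex header layout (each field is a little-endian u32).
DEX_HEADER_SIZE = 0x70
FEATURE_OFFSETS = {
    "string": 0x38,  # string_ids_size: strings in the string table
    "type":   0x40,  # type_ids_size:   types in the type list
    "proto":  0x48,  # proto_ids_size:  method prototypes
    "field":  0x50,  # field_ids_size:  fields in the field list
    "method": 0x58,  # method_ids_size: methods in the dex file
    "class":  0x60,  # class_defs_size: classes defined in the dex file
}


def extract_features(dex_bytes):
    """S100: read the six predefined feature values directly from the header.

    The file is treated as a byte stream and each value is unpacked at its
    fixed offset, so no traversal of the dex tables is needed.
    """
    if len(dex_bytes) < DEX_HEADER_SIZE:
        raise ValueError("input shorter than a dex header (0x70 bytes)")
    if dex_bytes[:4] != b"dex\n":
        raise ValueError("missing dex magic; not a dex file")
    return {name: struct.unpack_from("<I", dex_bytes, off)[0]
            for name, off in FEATURE_OFFSETS.items()}


def _satisfies(value, expected):
    """A rule value is either an exact count or an inclusive (low, high) range."""
    if isinstance(expected, tuple):
        low, high = expected
        return low <= value <= high
    return value == expected


def matches_rule(features, rule):
    """S200: check the main feature first, then the auxiliary features.

    rule = {"main": (feature, expected), "subrules": [{aux: expected, ...}, ...]}
    The sample matches when the main feature meets its requirement and at
    least one sub-rule has *every* auxiliary feature satisfied.
    """
    main_name, main_expected = rule["main"]
    if not _satisfies(features[main_name], main_expected):
        return False  # main feature fails: auxiliary features are not consulted
    return any(all(_satisfies(features[aux], exp) for aux, exp in sub.items())
               for sub in rule["subrules"])


def classify(features, custom_packed_rules, framework_rules):
    """Apply the first preset rules, then the second; otherwise give no verdict."""
    if any(matches_rule(features, r) for r in custom_packed_rules):
        return "custom-packed"
    if any(matches_rule(features, r) for r in framework_rules):
        return "framework-generated"
    return "no match"


# First preset rule as the page describes it: class == 4 as the main feature,
# sub-rule 1 with string 437, type 35, proto 58, field 78, method 111. The
# page mentions five sub-rules but lists only the first; the second entry
# below is a constructed placeholder that shows a range-valued requirement.
CUSTOM_PACKED_RULES = [{
    "main": ("class", 4),
    "subrules": [
        {"string": 437, "type": 35, "proto": 58, "field": 78, "method": 111},
        {"string": (400, 500), "type": (30, 40)},   # constructed, not from the page
    ],
}]
FRAMEWORK_RULES = []  # the page gives no concrete second rule; left empty


def build_header(counts):
    """Test fixture: a minimal 0x70-byte dex header carrying the given counts.

    Only the magic, header_size, endian_tag and the six size fields are set;
    this is a constructed stand-in for a real sample, not a loadable dex file.
    """
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 0x24, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)       # endian_tag (little-endian)
    for name, off in FEATURE_OFFSETS.items():
        struct.pack_into("<I", hdr, off, counts[name])
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_header({"class": 4, "string": 437, "type": 35,
                           "proto": 58, "field": 78, "method": 111})
    feats = extract_features(sample)
    print(feats, "->", classify(feats, CUSTOM_PACKED_RULES, FRAMEWORK_RULES))
```

The main-feature check is evaluated before any sub-rule, which is what makes the two-tier rule cheaper than checking all six counts for every sample; a sample whose class count is not 4 is rejected after a single comparison. Rule values may be exact counts or inclusive ranges, matching the remark above that each feature value may be a specific value or a range.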
Embodiment 3:
A more specific application of the invention to sample detection is given below.
S100': learn from a provided sample set of custom-packed and framework-generated samples, establish an initial feature model for the predefined feature values in the sample dex files, and determine thresholds for those feature values.
S200': provide two training sample sets, one consisting entirely of custom-packed and framework-generated samples and the other entirely of normal samples. By learning from these two training sets, the model corrects its initial state so that its judgments become more accurate and better reflect the custom-packed and framework-generated samples encountered in actual use.
S300': provide a random sample set containing both custom-packed and framework-generated samples and normal samples. Detect the set with the model and judge the type of each sample in it.
The specific detection steps may refer to Embodiments 1 and 2, and comprise:
obtaining predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure;
when the sample's feature values match a first preset rule, judging the sample to be a custom-packed sample; when the sample's feature values match a second preset rule, judging the sample to be a framework-generated sample.
S400': collect the detection results; when detection accuracy is above a certain preset value, the model is considered verified, is fit for practical use, and is deployed.
Embodiment 4:
Correspondingly, the invention also discloses a sample detection device. As shown in Fig. 2, the sample detection device comprises a feature acquisition module 10 and a judgment module 20.
The feature acquisition module 10 is for obtaining predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure.
Unlike the package name of a packed sample or feature strings in the AndroidManifest file, which a custom packer may generate randomly, the features in the dex file that describe its data structure (classes, methods, fields, etc.) are fixed. To obtain these features, the feature acquisition module 10 can, making use of the dex header's fixed layout, extract the predefined feature values directly from the dex file header of the sample file. Because the feature parameters sit at fixed positions in the file, their exact values can be read directly, so detection is efficient.
The judgment module 20 is for judging the sample to be a custom-packed sample when its feature values match a first preset rule, and a framework-generated sample when its feature values match a second preset rule.
Based on big-data analysis, several rules can be defined, for example: when the count of every feature satisfies its predefined count, the sample is judged to be a custom-packed sample or a framework-generated sample. To improve detection speed, the predefined features can also be divided into two classes, a main feature and auxiliary features; only when the main feature value meets its requirement are the auxiliary feature values checked. To further improve detection accuracy, the number of auxiliary features can be increased as far as possible; when there are multiple auxiliary features, the sample is judged to be a custom-packed sample or a framework-generated sample only when every auxiliary feature value meets its requirement.
Because current custom-packed and framework-generated samples are deliberately produced by the black-market industry chain, a custom-packed or framework-generated sample is generally considered a malicious sample. Other means may of course be combined, as circumstances require, to further judge whether the sample is malicious.
In other embodiments, the sample detection device further comprises a model library generation module, for learning from custom-packed and framework-generated samples, establishing an initial feature model library, and determining thresholds for the feature values.
The specific implementation of the sample detection device may refer to the sample detection method and is not repeated here. The sample detection device of the invention can be used for batch detection of samples, with a high detection rate and high detection accuracy.
The above description shows and describes several embodiments of the invention, but as stated above it should be understood that the invention is not confined to the forms disclosed herein and should not be taken as excluding other embodiments; it may be used in various other combinations, modifications and environments, and may be altered within the scope of the inventive concept set out herein in the light of the above teachings or the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention all fall within the scope of the appended claims.

Claims (10)

1. A sample detection method, characterised in that it comprises the following steps:
obtaining predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure;
when the sample's feature values match a first preset rule, judging the sample to be a custom-packed sample; when the sample's feature values match a second preset rule, judging the sample to be a framework-generated sample.
2. The detection method of claim 1, characterised in that obtaining the predefined feature values from the dex file of the sample to be detected comprises extracting the predefined feature values from the dex file header of the sample file.
3. The detection method of claim 1, characterised in that the predefined features comprise a main feature and auxiliary features, and the first preset rule and/or the second preset rule is such that only when the main feature value meets its requirement are the auxiliary feature values then checked against their requirements.
4. The detection method of claim 3, characterised in that, when there are multiple auxiliary features, the sample is judged to be a custom-packed sample only when every auxiliary feature value meets its requirement.
5. A sample detection device, characterised in that it comprises:
a feature acquisition module, for obtaining predefined feature values from the dex file of the sample to be detected, the features being parameters that describe the file's data structure;
a judgment module, for judging the sample to be a custom-packed sample when its feature values match a first preset rule, and a framework-generated sample when its feature values match a second preset rule.
6. The detection device of claim 5, characterised in that the feature acquisition module obtains the predefined feature values from the dex file of the sample to be detected by extracting them from the dex file header of the sample file.
7. The detection device of claim 5, characterised in that the predefined features comprise a main feature and auxiliary features, and the first preset rule and/or the second preset rule is such that only when the main feature value meets its requirement are the auxiliary feature values then checked against their requirements.
8. The detection device of claim 7, characterised in that the judgment module is further operable, when there are multiple auxiliary features, to judge the sample to be a custom-packed sample only when every auxiliary feature value meets its requirement.
9. The detection method of claim 2 or the detection device of claim 6, characterised in that extracting the predefined feature values from the dex file header of the sample file comprises: reading the dex file as a byte stream and, according to the specified format of the dex file header, extracting the value of a subsequence from the header byte sequence at a specified byte offset.
10. The detection method of claim 3 or the detection device of claim 7, characterised in that the main feature is the total number of classes defined, and the auxiliary features comprise at least one of the strings in the string table, the types in the type list, the method prototypes in the method prototype table, the fields in the field list, and the methods in the dex file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710142638.2A CN108573149A (en) 2017-03-10 2017-03-10 A kind of sample testing method and device

Publications (1)

Publication Number Publication Date
CN108573149A true CN108573149A (en) 2018-09-25

Family

ID=63578136

Country Status (1)

Country Link
CN (1) CN108573149A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111220200A (en) * 2020-01-02 2020-06-02 长江存储科技有限责任公司 Method and device for detecting process parameters of sample

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034043A (en) * 2010-12-13 2011-04-27 四川大学 Novel file-static-structure-attribute-based malware detection method
CN102855440A (en) * 2012-09-13 2013-01-02 北京奇虎科技有限公司 Method, device and system for detecting packed executable files
CN103530535A (en) * 2013-10-25 2014-01-22 苏州通付盾信息技术有限公司 Shell adding and removing method for Android platform application program protection
CN103761480A (en) * 2014-01-13 2014-04-30 北京奇虎科技有限公司 Method and device for detecting file security
CN105068932A (en) * 2015-08-25 2015-11-18 北京安普诺信息技术有限公司 Android application program packing detection method
CN105354496A (en) * 2015-10-10 2016-02-24 邱寅峰 Detection method and system of malicious program automatically generated on Android platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
姜晓新等: "一种PE文件加壳检测规则", 《计算机工程》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180925