CN109214178A - APP application malicious act detection method and device - Google Patents
- Publication number: CN109214178A (application CN201710524463.1A)
- Authority: CN (China)
- Prior art keywords: application, app, malicious, sensitive api, app application
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/563: Static detection by source code analysis (under G06F21/56, computer malware detection or handling, e.g. anti-virus arrangements)
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/033: Test or assess software (indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
Abstract
The invention discloses an APP application malicious act detection method and device. The method includes: performing static detection on an APP application to obtain the sensitive APIs contained in the code of the APP application; detecting the APP application while it is running to obtain a call relation sequence relevant to the sensitive APIs; and determining, according to the sensitive APIs and the call relation sequence, whether the APP application is a malicious application. The APP application malicious act detection method and device of the invention can effectively improve the safety of using an intelligent terminal and, by combining remote control technology with image recognition technology in the dynamic analysis, allow the dynamic analysis process for application software to be executed automatically, improving the efficiency and accuracy of application software security detection.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to an APP application malicious act detection method and device.
Background technique
With the continuous development of mobile Internet technology, mobile intelligent terminals, represented by the mobile phone, have become essential tools in people's daily lives. While they make life more convenient, they also inevitably handle all kinds of sensitive user information, which has indirectly led to the appearance of more and more malicious or harmful applications on these platforms, seriously threatening users' personal and data security. For example, iOS, one of the two most mainstream mobile operating systems today, has attracted a large number of malicious attackers who publish application software with malicious behaviour through Apple's App Store, posing a serious threat to users' information and property security. However, because the iOS system is closed, behaviour analysis and research on application software published for the system is extremely difficult. Moreover, application software is usually analysed with traditional static analysis methods, i.e. malicious behaviour analysis performed while the application software is not running, which affects the reliability of the detection results.
Summary of the invention
In view of this, one technical problem solved by the invention is to provide an APP application malicious act detection method and device.
According to one aspect of the invention, an APP application malicious act detection method is provided, comprising: performing static detection on an APP application to obtain the sensitive APIs contained in the code of the APP application; detecting the APP application while it is running to obtain a call relation sequence relevant to the sensitive APIs; and determining, according to the sensitive APIs and the call relation sequence, whether the APP application is a malicious application.
Optionally, performing static detection on the APP application to obtain the sensitive APIs contained in the code of the APP application includes: disassembling the code of the APP application to obtain first disassembled code of the APP application; and detecting whether the sensitive APIs are present in the first disassembled code.
Optionally, determining according to the sensitive APIs and the call relation sequence whether the APP application is a malicious application includes: scanning the first disassembled code and extracting from it a feature set relevant to the sensitive APIs; and inputting the feature set into a BP neural network algorithm model, which performs classification and identification according to preset malicious data samples to determine whether the APP application is a malicious application and, if so, the type of malicious application it belongs to.
Optionally, detecting the APP application while it is running to obtain the call relation sequence relevant to the sensitive APIs includes: using recursive descent parsing and the control flow relevant to the sensitive APIs, disassembling the APP application and the other applications that call the sensitive APIs into second disassembled code; and determining in the second disassembled code the positions at which the sensitive APIs occur and the call relations relevant to the sensitive APIs, thereby establishing the call relation sequence relevant to the sensitive APIs.
Optionally, determining according to the sensitive APIs and the call relation sequence whether the APP application is a malicious application includes: analysing, according to the call relation sequence, the influence of the sensitive APIs on the security of the APP application and of other applications; and determining whether the APP application is a malicious application based on the result of that analysis.
Optionally, dynamic interaction operations are carried out in a remote-controlled manner with the user interface of a terminal on which the APP application is installed, triggering the APP application to execute the corresponding actions; the network traffic and log files relevant to the APP application are obtained, and whether the APP application is a malicious application is determined based on the network traffic and log files.
According to another aspect of the invention, an APP application malicious act detection device is provided, comprising: a static detection module for performing static detection on an APP application to obtain the sensitive APIs contained in the code of the APP application; a behaviour sequence analysis module for detecting the APP application while it is running to obtain a call relation sequence relevant to the sensitive APIs; and a malicious application determining module for determining, according to the sensitive APIs and the call relation sequence, whether the APP application is a malicious application.
Optionally, the static detection module comprises: a first pretreatment unit for disassembling the code of the APP application to obtain first disassembled code of the APP application; and a sensitive API detection unit for detecting whether the sensitive APIs are present in the first disassembled code.
Optionally, the malicious application determining module comprises a first malicious application analysis unit, which scans the first disassembled code, extracts from it a feature set relevant to the sensitive APIs, and inputs the feature set into a BP neural network algorithm model that performs classification and identification according to preset malicious data samples, so as to determine whether the APP application is a malicious application and the type of malicious application it belongs to.
Optionally, the behaviour sequence analysis module comprises: a second pretreatment unit for disassembling, using recursive descent parsing and the control flow relevant to the sensitive APIs, the APP application and the other applications that call the sensitive APIs into second disassembled code; and a call analysis unit for determining in the second disassembled code the positions at which the sensitive APIs occur and the call relations relevant to the sensitive APIs, and establishing the call relation sequence relevant to the sensitive APIs.
Optionally, the malicious application determining module comprises a second malicious application analysis unit for analysing, according to the call relation sequence, the influence of the sensitive APIs on the security of the APP application and of other applications, and determining whether the APP application is a malicious application based on the result of that analysis.
Optionally, a dynamic analysis module carries out dynamic interaction operations in a remote-controlled manner with the user interface of a terminal on which the APP application is installed, triggering the APP application to execute the corresponding actions; it obtains the network traffic and log files relevant to the APP application and determines, based on the network traffic and log files, whether the APP application is a malicious application.
According to another aspect of the invention, an APP application malicious act detection device is provided, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute the APP application malicious act detection method described above based on instructions stored in the memory.
According to a further aspect of the invention, a computer-readable storage medium is provided, characterised in that the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the APP application malicious act detection method described above.
The APP application malicious act detection method and device of the invention obtain the sensitive APIs in the APP application code and the call relation sequence relevant to those sensitive APIs, and use them to determine whether the APP application is a malicious application. This can effectively improve the safety of using intelligent terminal devices, and allows the dynamic analysis process for application software to be executed automatically, improving the efficiency and accuracy of application software security detection.
Detailed description of the invention
To explain the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art may obtain other drawings from them without any creative effort.
Fig. 1 is a flow chart of one embodiment of the APP application malicious act detection method according to the invention;
Fig. 2 is a flow diagram of the static detection in one embodiment of the APP application malicious act detection method according to the invention;
Fig. 3 is a flow diagram of the behaviour relation analysis in one embodiment of the APP application malicious act detection method according to the invention;
Fig. 4 is a module diagram of one embodiment of the APP application malicious act detection device according to the invention;
Fig. 5 is a module diagram of the static detection module in one embodiment of the APP application malicious act detection device according to the invention;
Fig. 6 is a module diagram of the behaviour sequence analysis module in one embodiment of the APP application malicious act detection device according to the invention;
Fig. 7 is a module diagram of the malicious application determining module in one embodiment of the APP application malicious act detection device according to the invention;
Fig. 8 is a module diagram of another embodiment of the APP application malicious act detection device according to the invention.
Specific embodiment
The invention is described more fully below with reference to the drawings, in which exemplary embodiments of the invention are illustrated. The technical solutions in the embodiments of the invention are described clearly and completely with reference to the drawings; obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Hereinafter, "first", "second" and so on are used only to distinguish items in the description and have no other special meaning.
Fig. 1 is a flow chart of one embodiment of the APP application malicious act detection method according to the invention. As shown in Fig. 1:
Step 101: static detection is performed on the APP application to obtain the sensitive APIs (Application Programming Interfaces) contained in the code of the APP application.
Static detection refers to detection performed while the APP application is not running. An APP application is an application program installed on an intelligent terminal such as a mobile phone; the operating system of the intelligent terminal may be Android, iOS, etc.
Step 102: the APP application is detected while it is running to obtain a call relation sequence relevant to the sensitive APIs.
Step 103: whether the APP application is a malicious application is determined according to the sensitive APIs and the call relation sequence.
Traditional static analysis cannot look up the associated calling sequence starting from known sensitive APIs, and cannot judge from the order in which different APIs occur whether the program's function is affected. The APP application malicious act detection method in the above embodiment obtains the sensitive APIs in the APP application code and the call relation sequence relevant to those sensitive APIs, determines from them whether the APP application is a malicious application, and improves the efficiency and accuracy of security detection.
In one embodiment, APIs are predefined functions, and the APIs in an APP application can perform specific functions, for example reading the address book, reading geographical location information, reading payment accounts and passwords, accessing the network, modifying system files, and so on. An illegal or malicious application program can use them to do illegal things, such as obtaining contact information and uploading it, reading the user's payment account and password and transmitting them, or uninstalling user programs, which causes security problems on the intelligent mobile terminal. In the invention, a sensitive API refers to an API which, when the APP application is installed or running, may obtain or call the user's private information, or whose execution may bring security problems; for example, the APIs for reading the address book, reading geographical location information, reading payment accounts and passwords, accessing the network and modifying system files are sensitive APIs. The set of sensitive API types can be configured.
Fig. 2 is a flow diagram of the static detection in one embodiment of the APP application malicious act detection method according to the invention. As shown in Fig. 2:
Step 201: the code of the APP application is disassembled to obtain first disassembled code of the APP application, which is used to detect whether sensitive APIs are present in the first disassembled code. The APP application is in a non-running state.
Step 202: the first disassembled code is scanned, and a feature set relevant to the sensitive APIs is extracted from the first disassembled code.
Step 203: the feature set is input into a BP neural network algorithm model, which performs classification and identification according to preset malicious data samples to determine whether the APP application is a malicious application and the type of malicious application it belongs to.
A BP (back propagation) neural network is a multilayer feedforward neural network trained with the error backpropagation algorithm. A BP neural network adds several layers (one or more) of neurons between the input layer and the output layer. Its computation consists of a forward computation process and a backward computation process. In the forward propagation process, the input pattern is processed layer by layer from the input layer through the hidden unit layers to the output layer, and the state of each layer of neurons influences only the state of the next layer of neurons.
Static analysis is performed while the APP application is in a non-running state: the ARM assembly code of the target application obtained after reversing is analysed carefully and specifically. A program can be written to scan the assembly code and obtain a feature set of the same kind as the contents of the sample database, and the BP neural network algorithm then matches these features against the samples (the malicious data samples after training) to assess the application type and its threat level.
Fig. 3 is a flow diagram of the behaviour relation analysis in one embodiment of the APP application malicious act detection method according to the invention. As shown in Fig. 3:
Step 301: using recursive descent parsing and the control flow relevant to the sensitive APIs, the APP application and the other applications that call the sensitive APIs are disassembled into second disassembled code. The APP application is in a running or called state.
Step 302: the positions at which the sensitive APIs occur and the call relations relevant to the sensitive APIs are determined in the second disassembled code, and the call relation sequence relevant to the sensitive APIs is established.
Step 303: the influence of the sensitive APIs on the security of the APP application and of other applications is analysed according to the call relation sequence.
Step 304: whether the APP application is a malicious application is determined based on the result of the analysis.
Recursive descent parsing can be any of many existing algorithms; for example, recursive descent parsing locates and analyses instructions and data one by one by following the control flow, and locates the subsequent instructions in sequence according to the positions of the instructions already located (function call instructions and the like). While the APP application is running or being called, the application program is reversed and the positions at which the sensitive APIs occur are analysed, together with the influence of these on the security of the application program itself and of the user's device information. The security assessment result of the application program from the static analysis is added to this analysis result, improving the analysis accuracy of the whole system.
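As an added example (not code from the patent), the following Python implements the static scan of Steps 201 and 202 and the call-relation sequence analysis of Steps 301 to 303 over a constructed ARM-style listing in which "name:" opens a function and "bl target" is a call. The sensitive-API symbol names, the listing and the "privacy read followed by network access" rule that stands in for the BP neural network verdict are all assumptions made for illustration.

```python
"""Sensitive-API frequency features (Steps 201/202) and call-relation sequence
analysis (Steps 301-303) over a constructed disassembly listing. Added example,
not the patent's code; symbol names and the ordering rule are assumptions."""
import re
from collections import Counter

# Hypothetical sensitive-API table: symbol name -> category (constructed).
SENSITIVE_APIS = {
    "ABAddressBookCopyArrayOfAllPeople": "read_contacts",
    "CLLocationManager_startUpdatingLocation": "read_location",
    "NSURLSession_dataTaskWithRequest": "network_access",
    "open_system_file": "modify_system_file",
}
CATEGORIES = ("read_contacts", "read_location", "network_access", "modify_system_file")
PRIVACY_READS = {"read_contacts", "read_location"}

# Constructed listings: "<name>:" starts a function, "bl <target>" is a call.
MALICIOUS_LISTING = """
_main:
    bl _collectData
    bl _upload
    bx lr
_collectData:
    bl ABAddressBookCopyArrayOfAllPeople
    bl CLLocationManager_startUpdatingLocation
    bx lr
_upload:
    bl _buildRequest
    bx lr
_buildRequest:
    bl NSURLSession_dataTaskWithRequest
    bl _upload
    bx lr
"""
BENIGN_LISTING = """
_main:
    bl _fetchNews
    bx lr
_fetchNews:
    bl NSURLSession_dataTaskWithRequest
    bx lr
"""
LABEL_RE = re.compile(r"^(\w+):\s*$")
CALL_RE = re.compile(r"^\s+bl\s+(\w+)\s*$")

def parse_call_graph(listing):
    """Return {function: [callee, ...]} in instruction order."""
    graph, current = {}, None
    for line in listing.splitlines():
        m = LABEL_RE.match(line)
        if m:
            current = m.group(1)
            graph.setdefault(current, [])
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            graph[current].append(m.group(1))
    return graph

def sensitive_api_counts(graph):
    """Steps 201/202: how often each sensitive API is referenced anywhere in the code."""
    return Counter(c for callees in graph.values() for c in callees if c in SENSITIVE_APIS)

def feature_vector(counts):
    """Fixed-order per-category frequencies: the feature set a classifier would consume."""
    per_cat = Counter()
    for api, n in counts.items():
        per_cat[SENSITIVE_APIS[api]] += n
    return [per_cat[c] for c in CATEGORIES]

def call_relation_sequence(graph, entry):
    """Steps 301/302: recursive descent along call instructions from entry, recording
    each sensitive API in execution order with the call path that reaches it."""
    sequence = []

    def descend(func, path):
        if func in path:  # cycle guard: never re-enter a function already on the path
            return
        path = path + (func,)
        for callee in graph.get(func, []):
            if callee in SENSITIVE_APIS:
                sequence.append((callee, path))
            elif callee in graph:
                descend(callee, path)

    descend(entry, ())
    return sequence

def analyse_sequence(sequence):
    """Step 303: a privacy-reading API followed later by a network call is the
    'obtain contact information and upload it' behaviour the text describes."""
    findings, reads = [], []
    for api, path in sequence:
        cat = SENSITIVE_APIS[api]
        if cat in PRIVACY_READS:
            reads.append(api)
        elif cat == "network_access":
            findings.extend((r, api, "->".join(path)) for r in reads)
    return findings

def classify(listing, entry="_main"):
    """Combine both analyses; the ordering rule stands in for the BP network verdict."""
    graph = parse_call_graph(listing)
    seq = call_relation_sequence(graph, entry)
    findings = analyse_sequence(seq)
    return {
        "features": feature_vector(sensitive_api_counts(graph)),
        "sequence": [api for api, _ in seq],
        "findings": findings,
        "malicious": bool(findings),
    }

if __name__ == "__main__":
    for name, listing in (("malicious", MALICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        print(name, classify(listing))
```

The benign listing shows why frequency counts alone are not enough: it references the same network API, but with no preceding privacy read the sequence rule does not fire.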
In one embodiment, dynamic interaction operations are carried out in a remote-controlled manner with the user interface of a terminal on which the APP application is installed; for example, VNC remote control and corresponding image recognition technology can be used to implement interaction with the dynamic user interface. The corresponding actions of the APP application are triggered, for example by operations such as screen taps that really trigger the application's actions. The network traffic and log files relevant to the APP application are obtained, and whether the APP application is a malicious application is determined based on the network traffic and log files. By obtaining and analysing the network transmissions and file read/write logs produced after the application's actions have been triggered, it can be determined whether the application program harms the security of user information.
The APP application malicious act detection method in the above embodiment first traverses and scans the ARM assembly code file, matches the number of occurrences of sensitive APIs, and extracts data relevant to key fields of malicious information to form the feature data set of the application program. The feature set of the program is then classified by the BP neural network to judge which kind of malicious program the application program belongs to, or whether it is a normal application. By combining remote control technology with image recognition technology in the dynamic analysis, the dynamic analysis process for application software is executed automatically, improving the efficiency and accuracy of application software security detection.
In one embodiment, as shown in Fig. 4, the invention provides an APP application malicious act detection device 40, comprising: a static detection module 41, a behaviour sequence analysis module 42, a malicious application determining module 43 and a dynamic analysis module 44. The static detection module 41 performs static detection on the APP application to obtain the sensitive APIs contained in the code of the APP application. The behaviour sequence analysis module 42 detects the APP application while it is running to obtain the call relation sequence relevant to the sensitive APIs. The malicious application determining module 43 determines whether the APP application is a malicious application according to the sensitive APIs and the call relation sequence. The dynamic analysis module 44 carries out dynamic interaction operations in a remote-controlled manner with the user interface of a terminal on which the APP application is installed, triggers the APP application to execute the corresponding actions, obtains the network traffic and log files relevant to the APP application, and determines whether the APP application is a malicious application based on the network traffic and log files.
As shown in Fig. 5, the static detection module 41 comprises a first pretreatment unit 411 and a sensitive API detection unit 412. The first pretreatment unit 411 disassembles the code of the APP application to obtain the first disassembled code of the APP application. The sensitive API detection unit 412 detects whether sensitive APIs are present in the first disassembled code.
As shown in Fig. 7, the malicious application determining module 43 comprises a first malicious application analysis unit 431 and a second malicious application analysis unit 432. The first malicious application analysis unit 431 scans the first disassembled code and extracts from it a feature set relevant to the sensitive APIs. The first malicious application analysis unit 431 then inputs the feature set into a BP neural network algorithm model, which performs classification and identification according to preset malicious data samples to determine whether the APP application is a malicious application and the type of malicious application it belongs to.
As shown in Fig. 6, the behaviour sequence analysis module 42 comprises a second pretreatment unit 421 and a call analysis unit 422. The second pretreatment unit 421 uses recursive descent parsing and the control flow relevant to the sensitive APIs to disassemble the APP application and the other applications that call the sensitive APIs into second disassembled code.
The call analysis unit 422 determines in the second disassembled code the positions at which the sensitive APIs occur and the call relations relevant to the sensitive APIs, and establishes the call relation sequence relevant to the sensitive APIs. The second malicious application analysis unit 432 analyses, according to the call relation sequence, the influence of the sensitive APIs on the security of the APP application and of other applications, and determines whether the APP application is a malicious application based on the result of the analysis.
Fig. 8 is a module diagram of another embodiment of the APP application malicious act detection device according to the invention. As shown in Fig. 8, the device may comprise a memory 81, a processor 82, a communication interface 83 and a bus 84. The memory 81 stores instructions, the processor 82 is coupled to the memory 81, and the processor 82 is configured to execute the instructions stored in the memory 81 to implement the APP application malicious act detection method described above.
The memory 81 may be a high-speed RAM memory, a non-volatile memory, or the like, and may also be a memory array. The memory 81 may also be divided into blocks, and the blocks may be combined into virtual volumes according to certain rules. The processor 82 may be a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the APP application malicious act detection method of the invention.
In one embodiment, the invention provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the APP application malicious act detection method of any of the above embodiments.
The APP application malicious act detection method and device provided by the above embodiments obtain the sensitive APIs in the APP application code and the call relation sequence relevant to those sensitive APIs, and use them to determine whether the APP application is a malicious application. This can effectively improve the safety of using intelligent terminal devices and, by combining remote control technology with image recognition technology in the dynamic analysis, allows the dynamic analysis process for application software to be executed automatically, improving the efficiency and accuracy of application software security detection.
The method and system of the invention may be implemented in many ways. For example, the method and system of the invention may be implemented in software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is given only for illustration; the steps of the method of the invention are not limited to the order specifically described above unless otherwise stated. In addition, in some embodiments the invention may also be embodied as programs recorded in a recording medium, these programs comprising machine-readable instructions for implementing the method according to the invention. Thus, the invention also covers a recording medium storing a program for executing the method according to the invention.
The description of the invention is given for the purposes of illustration and description and is not exhaustive, nor is it intended to limit the invention to the forms disclosed. Many modifications and variations will be obvious to those of ordinary skill in the art. The embodiments were chosen and described to better explain the principles of the invention and its practical application, and to enable those skilled in the art to understand the invention and design various embodiments with various modifications suited to particular uses.
Claims (14)
1. a kind of APP application malicious act detection method characterized by comprising
Static detection is carried out to APP application, obtains the sensitive API that the code of the APP application is included;
APP application in the process of running is detected, call relation sequence relevant to the sensitive API is obtained;
Determine whether the APP application is malicious application according to the sensitive API and the call relation sequence.
2. The method of claim 1, characterized in that performing static detection on the APP application to obtain the sensitive APIs contained in the code of the APP application comprises:
disassembling the code of the APP application to obtain first disassembled code of the APP application;
detecting whether the sensitive APIs are present in the first disassembled code.
3. The method of claim 2, characterized in that determining whether the APP application is a malicious application according to the sensitive APIs and the call relation sequence comprises:
scanning the first disassembled code and extracting from it a feature set related to the sensitive APIs;
inputting the feature set into a BP neural network algorithm model, which performs classification and identification according to preset malicious data samples, in order to determine whether the APP application is a malicious application and the type of malicious application it belongs to.
4. The method of claim 1, characterized in that detecting the APP application during its running process to obtain the call relation sequence related to the sensitive APIs comprises:
using recursive descent parsing and control flow related to the sensitive APIs, disassembling the APP application and the other applications that call the sensitive APIs, and converting them into second disassembled code;
determining, in the second disassembled code, the positions at which the sensitive APIs occur and the call relations related to the sensitive APIs, and establishing the call relation sequence related to the sensitive APIs.
5. The method of claim 4, characterized in that determining whether the APP application is a malicious application according to the sensitive APIs and the call relation sequence comprises:
analyzing, according to the call relation sequence, the influence of the sensitive APIs on the security of the APP application and of other applications;
determining whether the APP application is a malicious application based on the result of the analysis.
6. The method of claim 1, characterized by further comprising:
performing dynamic interaction operations, in a remotely controlled manner, with a terminal user interface on which the APP application is installed;
triggering execution of the corresponding actions of the APP application;
obtaining network traffic and log files related to the APP application, and determining whether the APP application is a malicious application based on the network traffic and log files.
7. An APP application malicious behavior detection device, characterized by comprising:
a static detection module, for performing static detection on the APP application to obtain the sensitive APIs contained in the code of the APP application;
a behavior sequence analysis module, for detecting the APP application during its running process to obtain a call relation sequence related to the sensitive APIs;
a malicious application determining module, for determining whether the APP application is a malicious application according to the sensitive APIs and the call relation sequence.
8. The device of claim 7, characterized in that the static detection module comprises:
a first preprocessing unit, for disassembling the code of the APP application to obtain first disassembled code of the APP application;
a sensitive API detection unit, for detecting whether the sensitive APIs are present in the first disassembled code.
9. The device of claim 8, characterized in that the malicious application determining module comprises:
a first malicious application analysis unit, for scanning the first disassembled code, extracting from it a feature set related to the sensitive APIs, and inputting the feature set into a BP neural network algorithm model that performs classification and identification according to preset malicious data samples, in order to determine whether the APP application is a malicious application and the type of malicious application it belongs to.
10. The device of claim 8, characterized in that the behavior sequence analysis module comprises:
a second preprocessing unit, for using recursive descent parsing and control flow related to the sensitive APIs to disassemble the APP application and the other applications that call the sensitive APIs, converting them into second disassembled code;
a call analysis unit, for determining in the second disassembled code the positions at which the sensitive APIs occur and the call relations related to the sensitive APIs, and establishing the call relation sequence related to the sensitive APIs.
11. The device of claim 11, characterized in that the malicious application determining module comprises:
a second malicious application analysis unit, for analyzing, according to the call relation sequence, the influence of the sensitive APIs on the security of the APP application and of other applications, and determining whether the APP application is a malicious application based on the result of the analysis.
12. The device of claim 8, characterized by further comprising:
a dynamic analysis module, for performing dynamic interaction operations, in a remotely controlled manner, with a terminal user interface on which the APP application is installed; triggering execution of the corresponding actions of the APP application; obtaining network traffic and log files related to the APP application; and determining whether the APP application is a malicious application based on the network traffic and log files.
13. An APP application malicious behavior detection device, characterized by comprising:
a memory; and
a processor coupled to the memory, the processor being configured to execute the APP application malicious behavior detection method of any one of claims 1 to 6 based on instructions stored in the memory.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the APP application malicious behavior detection method of any one of claims 1 to 6.
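Claims 2 through 5 describe a pipeline that a defender can reproduce in miniature: disassemble the application, locate calls to a list of sensitive APIs, reconstruct the call relation sequence from an entry point to each such API, and hand the resulting feature set to a decision stage. The following Python example is added here for illustration and is not code from the patent or its assignee. The smali-style disassembly, the class and method names, and the sensitive-API table are all constructed; the final `assess` rule is an assumption standing in for the BP neural network the claims mention, so that the example runs deterministically offline.

```python
"""Static detection of sensitive APIs in disassembled Android code, reconstruction of the
call relation sequences that reach them, and a feature set for a decision stage.
All disassembly text, class names and the API table below are constructed for this example."""
import re
from collections import defaultdict

# Constructed sensitive-API table (assumption: a real detector uses a curated list).
SENSITIVE_APIS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;": "device_id",
    "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;": "location",
    "Ljava/net/HttpURLConnection;->getOutputStream()Ljava/io/OutputStream;": "net_upload",
}

# Constructed smali of a small app: onCreate -> Collector.grab (reads IMEI) -> Uploader.post (network).
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    new-instance v0, Lcom/example/app/Collector;
    invoke-direct {v0}, Lcom/example/app/Collector;-><init>()V
    invoke-virtual {v0}, Lcom/example/app/Collector;->grab()Ljava/lang/String;
    move-result-object v1
    invoke-static {v1}, Lcom/example/app/Uploader;->post(Ljava/lang/String;)V
    return-void
.end method
.method public showBanner()V
    return-void
.end method
.class public Lcom/example/app/Collector;
.method public constructor <init>()V
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method
.method public grab()Ljava/lang/String;
    iget-object v0, p0, Lcom/example/app/Collector;->tm:Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
.class public Lcom/example/app/Uploader;
.method public static post(Ljava/lang/String;)V
    sget-object v0, Lcom/example/app/Uploader;->conn:Ljava/net/HttpURLConnection;
    invoke-virtual {v0}, Ljava/net/HttpURLConnection;->getOutputStream()Ljava/io/OutputStream;
    return-void
.end method
"""

CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L\S+;)$")
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*(L\S+)$")


def parse_smali(text):
    """Return {method_id: [callee_id, ...]} in call order. method_id has the same
    '<class>-><name><descriptor>' shape smali uses for callees, so intra-app edges
    resolve by plain string equality."""
    calls, cls, method = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = CLASS_RE.match(stripped)
        if m:
            cls = m.group(1)
        elif stripped.startswith(".method "):
            method = f"{cls}->{stripped.split()[-1]}"  # last token is name+descriptor
            calls[method] = []
        elif stripped == ".end method":
            method = None
        else:
            m = INVOKE_RE.match(line)
            if m and method:
                calls[method].append(m.group(1))
    return calls


def find_sensitive(calls):
    """Static detection: which methods directly invoke a sensitive API."""
    hits = defaultdict(list)
    for method, callees in calls.items():
        hits[method].extend(c for c in callees if c in SENSITIVE_APIS)
    return {m: h for m, h in hits.items() if h}


def call_sequences(calls, entry):
    """Every path from `entry` through app-internal methods to a sensitive API,
    as an ordered list of identifiers (the call relation sequence)."""
    paths = []

    def walk(method, trail):
        for callee in calls.get(method, []):
            if callee in SENSITIVE_APIS:
                paths.append(trail + [callee])
            elif callee in calls and callee not in trail:  # follow app edges, skip cycles
                walk(callee, trail + [callee])

    walk(entry, [entry])
    return paths


def feature_set(calls, entry):
    """Per-category counts of sensitive APIs reachable from `entry`, the category
    sequence in execution order, and whether an identifier read precedes an upload."""
    order = [SENSITIVE_APIS[p[-1]] for p in call_sequences(calls, entry)]
    counts = defaultdict(int)
    for cat in order:
        counts[cat] += 1
    exfil = ("device_id" in order and "net_upload" in order
             and order.index("device_id") < order.index("net_upload"))
    return {"counts": dict(counts), "sequence": order, "id_then_upload": exfil}


def assess(features):
    """Decision stage. Assumption: a fixed rule replaces the trained classifier here."""
    if features["id_then_upload"]:
        return True, "device identifier read, then network upload, from one entry point"
    return False, "no sensitive sequence of concern"


if __name__ == "__main__":
    graph = parse_smali(SAMPLE_SMALI)
    entry = "Lcom/example/app/MainActivity;->onCreate(Landroid/os/Bundle;)V"
    for path in call_sequences(graph, entry):
        print(" -> ".join(path))
    print(assess(feature_set(graph, entry)))
```

The sequence matters as much as the set: `grab()` reading the device identifier is unremarkable on its own, and so is `post()` opening an output stream; the detection signal is that both are reachable, in that order, from the same entry point, which is what the per-entry feature set captures and what a flat list of sensitive APIs would not.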
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710524463.1A CN109214178B (en) | 2017-06-30 | 2017-06-30 | APP application malicious behavior detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710524463.1A CN109214178B (en) | 2017-06-30 | 2017-06-30 | APP application malicious behavior detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109214178A true CN109214178A (en) | 2019-01-15 |
CN109214178B CN109214178B (en) | 2021-03-16 |
Family
ID=64976919
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710524463.1A Active CN109214178B (en) | 2017-06-30 | 2017-06-30 | APP application malicious behavior detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109214178B (en) |
- 2017-06-30 CN CN201710524463.1A patent/CN109214178B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103136471A (en) * | 2011-11-25 | 2013-06-05 | 中国科学院软件研究所 | Method and system for testing malicious Android application programs |
CN103186740A (en) * | 2011-12-27 | 2013-07-03 | 北京大学 | Automatic detection method for Android malicious software |
US20160232351A1 (en) * | 2015-02-06 | 2016-08-11 | Alibaba Group Holding Limited | Method and device for identifying computer virus variants |
CN105760761A (en) * | 2016-02-04 | 2016-07-13 | 中国联合网络通信集团有限公司 | Software behavior analyzing method and device |
CN106845236A (en) * | 2017-01-18 | 2017-06-13 | 东南大学 | A kind of application program various dimensions privacy leakage detection method and system for iOS platforms |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109816005A (en) * | 2019-01-18 | 2019-05-28 | 北京智游网安科技有限公司 | Application program trade classification method, storage medium and terminal based on CNN |
CN109816005B (en) * | 2019-01-18 | 2021-08-03 | 北京智游网安科技有限公司 | Application program industry classification method based on CNN, storage medium and terminal |
CN110889115A (en) * | 2019-11-07 | 2020-03-17 | 国家计算机网络与信息安全管理中心 | Malicious push behavior detection method and device |
CN113051561A (en) * | 2019-12-27 | 2021-06-29 | 中国电信股份有限公司 | Application program feature extraction method and device and classification method and device |
CN113449297A (en) * | 2020-03-24 | 2021-09-28 | 中移动信息技术有限公司 | Training method of malicious code recognition model, and malicious code recognition method and device |
CN111797400A (en) * | 2020-07-08 | 2020-10-20 | 国家计算机网络与信息安全管理中心 | Method and device for dynamically detecting malicious applications in Internet of vehicles |
CN111797400B (en) * | 2020-07-08 | 2023-09-01 | 国家计算机网络与信息安全管理中心 | Dynamic detection method and device for malicious application of Internet of vehicles |
CN112765654A (en) * | 2021-01-07 | 2021-05-07 | 支付宝(杭州)信息技术有限公司 | Management and control method and device based on private data calling |
CN112765654B (en) * | 2021-01-07 | 2022-09-20 | 支付宝(杭州)信息技术有限公司 | Management and control method and device based on private data calling |
Also Published As
Publication number | Publication date |
---|---|
CN109214178B (en) | 2021-03-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109214178A (en) | APP application malicious act detection method and device | |
CN109241711B (en) | User behavior identification method and device based on prediction model | |
CN109034660B (en) | Method and related device for determining risk control strategy based on prediction model | |
CA2223521C (en) | Detecting mobile telephone misuse | |
CN110442712B (en) | Risk determination method, risk determination device, server and text examination system | |
CN109241709B (en) | User behavior identification method and device based on slider verification code verification | |
CN109831465A (en) | A kind of invasion detection method based on big data log analysis | |
CN109145603A (en) | A kind of Android privacy leakage behavioral value methods and techniques based on information flow | |
CN109271762B (en) | User authentication method and device based on slider verification code | |
CN112801155B (en) | Business big data analysis method based on artificial intelligence and server | |
CN111552633A (en) | Interface abnormal call testing method and device, computer equipment and storage medium | |
CN107944274A (en) | A kind of Android platform malicious application off-line checking method based on width study | |
CN112149124B (en) | Android malicious program detection method and system based on heterogeneous information network | |
CN112330355B (en) | Method, device, equipment and storage medium for processing consumption coupon transaction data | |
CN106778151A (en) | Method for identifying ID and device based on person's handwriting | |
CN106603327A (en) | Behavior data analysis method and device | |
CN108600270A (en) | A kind of abnormal user detection method and system based on network log | |
CN109960936A (en) | A kind of pair of mobile terminal carries out the Risk Identification Method of automatization simulation business access | |
CN106845235A (en) | A kind of Android platform call back function detection method based on machine learning method | |
CN110443044A (en) | Block chain client bug excavation method, device, equipment and storage medium | |
CN117272113B (en) | Method and system for detecting illegal behaviors based on virtual social network | |
CN106293354A (en) | Shortcut menu self adaptation display control method, server and portable terminal | |
CN108734011A (en) | software link detection method and device | |
CN109544165A (en) | Resource transfers processing method, device, computer equipment and storage medium | |
CN105094810B (en) | Data processing method and device based on CGI(Common gateway interface) plug-in unit |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20190115; Assignee: Tianyiyun Technology Co.,Ltd.; Assignor: CHINA TELECOM Corp.,Ltd.; Contract record no.: X2024110000040; Denomination of invention: Method and device for detecting malicious behavior in APP applications; Granted publication date: 20210316; License type: Common License; Record date: 20240914 |