CN109214178B - APP application malicious behavior detection method and device - Google Patents


Publication number
CN109214178B
Authority
CN
China
Prior art keywords
app
application
sensitive api
malicious
code
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Active
Application number
CN201710524463.1A
Other languages
Chinese (zh)
Other versions
CN109214178A (en)
Inventor
季凌禹
Current Assignee (as listed by Google Patents; may be inaccurate)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Events
Application filed by China Telecom Corp Ltd
Priority to CN201710524463.1A
Publication of CN109214178A
Application granted
Publication of CN109214178B
Current legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and a device for detecting malicious behavior of an APP application. The method comprises: performing static detection on the APP application to obtain the sensitive APIs contained in its code; detecting the APP application while it runs to obtain the calling-relation sequence associated with those sensitive APIs; and determining, from the sensitive APIs and the calling-relation sequence, whether the APP application is a malicious application. The method and device can effectively improve the security of using intelligent terminal equipment; by combining remote control with image recognition during dynamic analysis, they allow the dynamic analysis of application software to be executed automatically, which improves the efficiency and accuracy of application-software security detection.

Description

APP application malicious behavior detection method and device
Technical Field
The invention relates to the technical field of information security, in particular to an APP application malicious behavior detection method and device.
Background
With the continuous development of mobile internet technology, mobile intelligent terminals, represented by mobile phones, have become essential tools in people's daily lives. While they bring convenience, they inevitably handle a great deal of users' sensitive information, which attracts more and more malicious or harmful applications to these platforms and seriously threatens users' personal and data security. For example, iOS, one of the two most popular mobile operating systems at present, has attracted a large number of malicious attackers who publish application software with malicious behavior through Apple's App Store, posing a serious threat to users' information and property. However, because of the closed nature of the iOS system, it is very difficult to perform behavior analysis on the application software released for it, and the traditional static analysis approach, that is, analysing for malicious behavior while the application software is not running, limits the reliability of the detection result.
Disclosure of Invention
In view of this, a technical problem to be solved by the present invention is to provide a method and an apparatus for detecting APP application malicious behavior.
According to one aspect of the invention, an APP application malicious behavior detection method is provided, and the method comprises the following steps: performing static detection on an APP to obtain a sensitive API contained in a code of the APP; detecting the APP in the running process to obtain a calling relation sequence related to the sensitive API; and determining whether the APP application is a malicious application or not according to the sensitive API and the calling relation sequence.
Optionally, the performing static detection on the APP application and acquiring the sensitive API included in the code of the APP application include: disassembling the code of the APP application to obtain a first disassembled code of the APP application; detecting whether the sensitive API exists in the first disassembled code.
Optionally, the determining whether the APP application is a malicious application according to the sensitive API and the call relationship sequence includes: scanning the first disassembled code, and extracting a feature data set related to the sensitive API from the first disassembled code; and inputting the characteristic data set into a BP neural network algorithm model, and performing classification and identification according to a preset malicious data sample so as to determine whether the APP application is a malicious application and the type of the malicious application.
Optionally, detecting the APP application while it runs and acquiring the calling-relation sequence related to the sensitive API comprises: disassembling the APP application, and other applications that call the sensitive API, using a recursive descent algorithm that follows the control flow related to the sensitive API, thereby converting them into a second disassembled code; and determining, in the second disassembled code, the position of the sensitive API and the calling relations related to it, and establishing the calling-relation sequence related to the sensitive API.
Optionally, the determining whether the APP application is a malicious application according to the sensitive API and the call relationship sequence includes: analyzing the influence of the sensitive API on the safety of the APP and other applications according to the calling relation sequence; determining whether the APP application is a malicious application based on a result of the analysis.
Optionally, the method further comprises: interacting dynamically, by remote control, with the user interface of a terminal on which the APP application is installed; triggering the APP application to execute the corresponding action; and obtaining the network transmission information and log files related to the APP application, and determining whether the APP application is a malicious application based on the network transmission information and the log files.
According to another aspect of the present invention, an APP application malicious behavior detection apparatus is provided, including: the static detection module is used for carrying out static detection on the APP and obtaining a sensitive API contained in a code of the APP; the behavior sequence analysis module is used for detecting the APP in the running process and acquiring a calling relation sequence related to the sensitive API; and the malicious application determining module is used for determining whether the APP is a malicious application according to the sensitive API and the calling relation sequence.
Optionally, the static detection module includes: the first preprocessing unit is used for disassembling the code of the APP application and acquiring a first disassembled code of the APP application; and the sensitive API detection unit is used for detecting whether the sensitive API exists in the first disassembled code.
Optionally, the malicious application determination module includes: the first malicious application analysis unit scans the first disassembly code and extracts a characteristic data set related to the sensitive API from the first disassembly code; and inputting the characteristic data set into a BP neural network algorithm model, and performing classification and identification according to a preset malicious data sample so as to determine whether the APP application is a malicious application and the type of the malicious application.
Optionally, the behavior sequence analysis module includes: the second preprocessing unit is used for disassembling the APP and other applications calling the sensitive API by adopting a recursive descent algorithm and based on a control flow related to the sensitive API, and converting the APP and other applications into second disassembled codes; and the call analysis unit is used for determining the position of the sensitive API and the call relation related to the sensitive API in the second disassembled code and establishing a call relation sequence related to the sensitive API.
Optionally, the malicious application determination module includes: and the second malicious application analysis unit is used for analyzing the influence of the sensitive API on the safety of the APP and other applications according to the calling relation sequence and determining whether the APP is a malicious application or not based on the analysis result.
Optionally, the apparatus further comprises a dynamic analysis module configured to interact dynamically, by remote control, with the user interface of a terminal on which the APP application is installed; trigger the APP application to execute the corresponding action; and obtain the network transmission information and log files related to the APP application, and determine whether the APP application is a malicious application based on the network transmission information and the log files.
According to another aspect of the present invention, there is provided an APP application malicious behavior detection apparatus, including: a memory; and a processor coupled to the memory, the processor configured to execute the APP application malicious behavior detection method as described above based on instructions stored in the memory.
According to a further aspect of the present invention, there is provided a computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the APP application malicious behavior detection method as described above.
According to the method and device for detecting malicious behavior of an APP application, the sensitive APIs in the APP application code and the calling-relation sequence related to them are obtained and used to determine whether the APP application is a malicious application. This can effectively improve the security of using the intelligent terminal device, allows the dynamic analysis of the application software to be executed automatically, and improves the efficiency and accuracy of application-software security detection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flow chart of an embodiment of an APP application malicious behavior detection method according to the present invention;
fig. 2 is a schematic flow chart of static detection in an embodiment of an APP application malicious behavior detection method according to the present invention;
fig. 3 is a schematic flow chart of behavior relationship analysis in an embodiment of an APP application malicious behavior detection method according to the present invention;
fig. 4 is a block diagram illustrating an embodiment of an APP application malicious behavior detection apparatus according to the present invention;
fig. 5 is a schematic block diagram of a static detection module in an embodiment of an APP application malicious behavior detection apparatus according to the present invention;
fig. 6 is a schematic block diagram of a behavior sequence analysis module of an embodiment of an APP application malicious behavior detection apparatus according to the present invention;
fig. 7 is a block diagram illustrating a malicious application determining module according to an embodiment of the APP application malicious behavior detection apparatus of the present invention;
fig. 8 is a schematic block diagram of an APP application malicious behavior detection apparatus according to another embodiment of the present invention.
Detailed Description
The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first", "second", and the like are used hereinafter only for descriptive distinction and not for other specific meanings.
Fig. 1 is a flowchart of an embodiment of an APP application malicious behavior detection method according to the present invention, as shown in fig. 1:
step 101, performing static detection on the APP Application, and acquiring a sensitive API (Application Programming Interface) included in a code of the APP Application.
Static detection refers to detection performed while the APP application is not running. The APP application is an application program installed on an intelligent terminal such as a mobile phone; the operating system of the intelligent terminal may be Android, iOS or the like.
Step 102, detecting the APP application while it runs, and acquiring the calling-relation sequence related to the sensitive API.
Step 103, determining whether the APP application is a malicious application according to the sensitive API and the calling-relation sequence.
Traditional static analysis cannot examine the related calling sequence of a known sensitive API, nor judge from the order in which different APIs appear whether the program's function is affected. The method of this embodiment obtains the sensitive APIs in the APP application code together with the calling-relation sequence related to them, determines from both whether the APP application is malicious, and so improves the efficiency and accuracy of security detection.
In one embodiment, an API is a predefined function, and the APIs in the APP application may perform specific functions such as reading the address book, reading geographical location information, reading a payment account number and password, accessing the network, modifying a system file and the like. Illegal or malicious application programs can misuse such functions, for example acquiring and uploading contact information, reading the user's payment account number and password, sending data, or uninstalling user programs, which causes security problems on the intelligent mobile terminal. The sensitive API in the present invention refers to an API that may obtain or call the user's private information, or execute a function that may cause a security problem, when the APP application is installed or run; for example, APIs that read the address book, read geographical location information, read a payment account number and password, access the network or modify system files are sensitive APIs, and the set of sensitive API types may be configured.
Fig. 2 is a schematic flow diagram of static detection in an embodiment of an APP application malicious behavior detection method according to the present invention, as shown in fig. 2:
Step 201, disassembling the code of the APP application to obtain a first disassembled code of the APP application, and detecting whether a sensitive API exists in the first disassembled code. The APP application is not running at this point.
Step 202, scanning the first disassembled code, and extracting a feature data set related to the sensitive API from the first disassembled code.
Step 203, inputting the feature data set into a BP neural network algorithm model, and performing classification and identification against preset malicious data samples to determine whether the APP application is a malicious application and, if so, the type of malicious application.
A BP (back-propagation) neural network is a multi-layer feed-forward neural network trained with the error back-propagation algorithm: one or more layers of hidden neurons are added between the input layer and the output layer. Its computation consists of a forward pass and a backward pass. In the forward pass the input pattern is processed layer by layer, from the input layer through the hidden layers to the output layer, and the state of the neurons in each layer affects only the state of the next layer; in the backward pass the error at the output layer is propagated back through the layers and used to adjust the connection weights.
When the APP application is not running, static analysis is performed: the ARM assembly code obtained by reversing the target application program is analysed in detail. The assembly code can be scanned by a program to obtain a feature data set of the same content type as the sample database, and the BP neural network algorithm together with the trained malicious data samples is used for feature matching to evaluate the type and threat level of the application program.
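As an added illustration of steps 201 to 203 (this is example code written for this page, not code from the patent or from its assignee), the following Python scans a constructed ARM disassembly listing for sensitive-API call sites, counts them per category to form the feature data set, and classifies that vector with a small BP network trained by error back-propagation on a constructed set of labelled sample vectors. The API symbol names, the category table, the listing format and the training vectors are hypothetical placeholders; a real system would take them from a curated sensitive-API list and from a labelled corpus of disassembled applications.

```python
"""Static scan of ARM disassembly for sensitive APIs, feature extraction and a
small back-propagation (BP) classifier. Added example, not code from the patent:
API names, categories, listing format and training vectors are placeholders."""
import math
import random
import re

# Hypothetical sensitive-API table, grouped into the categories the patent names.
SENSITIVE_APIS = {
    "contacts": {"_ABAddressBookCopyArrayOfAllPeople"},
    "location": {"_CLLocationManager_startUpdatingLocation"},
    "payment": {"_SKPaymentQueue_addPayment"},
    "network": {"_NSURLSession_dataTaskWithRequest", "_CFWriteStreamWrite"},
    "filesystem": {"_NSFileManager_removeItemAtPath", "_unlink"},
}
CATEGORIES = sorted(SENSITIVE_APIS)  # contacts, filesystem, location, network, payment
LABELS = ["benign", "privacy_theft", "payment_theft", "system_tampering"]
# Callee of an ARM branch-with-link: optional address, "bl"/"blx", target symbol.
CALL_RE = re.compile(r"^\s*(?:0x[0-9a-f]+\s+)?blx?\s+(\S+)", re.IGNORECASE)


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def scan_calls(disassembly):
    """Traverse the listing and return callee symbols in program order."""
    return [m.group(1) for m in map(CALL_RE.match, disassembly.splitlines()) if m]


def feature_vector(disassembly):
    """Count sensitive-API call sites per category: the feature data set."""
    counts = dict.fromkeys(CATEGORIES, 0)
    for callee in scan_calls(disassembly):
        for category, names in SENSITIVE_APIS.items():
            counts[category] += int(callee in names)
    return [float(counts[c]) for c in CATEGORIES]


class BPNetwork:
    """One-hidden-layer perceptron trained by error back-propagation (MSE loss)."""

    def __init__(self, n_in, n_hidden, n_out, seed=7):
        rng = random.Random(seed)  # each row ends with a bias weight (input 1.0)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)] for _ in range(n_out)]

    def forward(self, x):
        """Forward pass: input -> hidden -> output, each layer feeding only the next."""
        xb = list(x) + [1.0]
        hb = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w1] + [1.0]
        out = [sigmoid(sum(w * v for w, v in zip(row, hb))) for row in self.w2]
        return xb, hb, out

    def train(self, samples, epochs, lr=0.3):
        """Backward pass: propagate the output error back and adjust both weight layers."""
        for _ in range(epochs):
            for x, target in samples:
                xb, hb, out = self.forward(x)
                d_out = [(t - o) * o * (1.0 - o) for o, t in zip(out, target)]
                d_hid = [hb[j] * (1.0 - hb[j]) * sum(d_out[k] * self.w2[k][j] for k in range(len(d_out)))
                         for j in range(len(hb) - 1)]
                for k, row in enumerate(self.w2):
                    for j in range(len(row)):
                        row[j] += lr * d_out[k] * hb[j]
                for j, row in enumerate(self.w1):
                    for i in range(len(row)):
                        row[i] += lr * d_hid[j] * xb[i]


# Constructed "malicious data samples": per-category counts with their known class.
TRAINING_SET = [
    ([0, 0, 0, 0, 0], "benign"), ([0, 0, 0, 1, 0], "benign"), ([0, 1, 0, 1, 0], "benign"),
    ([2, 0, 0, 3, 0], "privacy_theft"), ([1, 0, 2, 2, 0], "privacy_theft"),
    ([0, 0, 3, 2, 0], "privacy_theft"), ([3, 0, 1, 4, 0], "privacy_theft"),
    ([0, 0, 0, 2, 2], "payment_theft"), ([0, 0, 0, 3, 1], "payment_theft"),
    ([0, 0, 0, 1, 3], "payment_theft"), ([0, 3, 0, 0, 0], "system_tampering"),
    ([0, 3, 0, 1, 0], "system_tampering"), ([0, 4, 0, 2, 0], "system_tampering"),
]


def build_classifier(epochs=3000):
    """Train the BP model on the constructed sample set and return it."""
    net = BPNetwork(len(CATEGORIES), 8, len(LABELS))
    net.train([([float(v) for v in x], [1.0 if l == y else 0.0 for l in LABELS])
               for x, y in TRAINING_SET], epochs)
    return net


def classify_vector(net, vector):
    out = net.forward(vector)[2]
    return LABELS[out.index(max(out))]


def classify(disassembly, net):
    """Scan, extract features and report the class with the highest output."""
    return classify_vector(net, feature_vector(disassembly))


# Constructed listing fragments (format and symbols are hypothetical).
SUSPECT_LISTING = """
0x1004  bl    _ABAddressBookCopyArrayOfAllPeople
0x1008  bl    _objc_msgSend
0x100c  bl    _NSURLSession_dataTaskWithRequest
0x1010  bl    _CLLocationManager_startUpdatingLocation
0x1014  bl    _NSURLSession_dataTaskWithRequest
"""
BENIGN_LISTING = """
0x2004  bl    _objc_msgSend
0x2008  bl    _NSURLSession_dataTaskWithRequest
"""
```

Calling `classify(SUSPECT_LISTING, build_classifier())` yields "privacy_theft" for the first fragment (one contacts read, one location read, two network calls) and "benign" for the second. Raw counts are used as features; with a real corpus one would normalise them and hold out samples to measure generalisation, since a network that merely memorises the training vectors says nothing about an unseen application, and a scan of the `bl` sites alone misses calls made through `objc_msgSend` selectors or function pointers.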
Fig. 3 is a schematic flow diagram of behavior relationship analysis in an embodiment of an APP application malicious behavior detection method according to the present invention, as shown in fig. 3:
Step 301, disassembling the APP application, and other applications that call the sensitive API, using a recursive descent algorithm that follows the control flow related to the sensitive API, and converting them into a second disassembled code. The APP application is in a running or invoked state.
Step 302, determining the position of the sensitive API and the calling relations related to it in the second disassembled code, and establishing the calling-relation sequence related to the sensitive API.
Step 303, analysing, according to the calling-relation sequence, the influence of the sensitive API on the security of the APP application and of the other applications.
Step 304, determining whether the APP application is a malicious application based on the result of the analysis.
The recursive descent algorithm may be any of various existing algorithms. In recursive descent disassembly the instructions and data are located and analysed one by one by following the control flow: the position of the next instruction to decode is taken from the instructions themselves (function call instructions, branches and the like) rather than from address order, so bytes that no control path reaches are not decoded as code.
When the APP application is running or being called, the application program is reversed, the position of the sensitive API is analysed, and the influence of the content at that position on the security of the application program and of the user device's information is analysed. The security evaluation result obtained for the application program through static analysis is then added to this analysis result, which improves the accuracy of the analysis result of the whole system.
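To make the recursive descent of steps 301 to 304 concrete, here is an added Python example (written for this page, not the patent's code) over a pre-decoded, constructed instruction stream: it follows branch, call and return instructions from an entry point, so a data word embedded in the code section is never decoded as an instruction, builds the call graph, extracts the call-relation sequence leading to each sensitive API, and checks whether a contacts read is followed by a network send. Addresses, function names and API symbols are hypothetical.

```python
"""Recursive-descent disassembly of a constructed ARM-like instruction stream,
giving the call-relation sequence around sensitive APIs and the order in which
they are reached. Added example, not the patent's code: addresses, function
names and API symbols are hypothetical, and the stream is pre-decoded rather
than produced from machine code by a real disassembler."""

WORD = 4  # fixed 4-byte instructions in this constructed listing

# address -> (mnemonic, operands)
CODE = {
    0x100: ("bl", "0x200"),                               # main: call check_license
    0x104: ("cbz", "r0, 0x114"),                          # r0 == 0 -> skip collection
    0x108: ("bl", "0x300"),                               # call collect
    0x10c: ("b", "0x114"),                                # jump over embedded data
    0x110: (".word", "0xdeadbeef"),                       # data in .text, never executed
    0x114: ("bl", "0x400"),                               # call show_ui
    0x118: ("bx", "lr"),                                  # return
    0x200: ("mov", "r0, #1"),                             # check_license
    0x204: ("bx", "lr"),
    0x300: ("bl", "_ABAddressBookCopyArrayOfAllPeople"),  # collect: read contacts ...
    0x304: ("bl", "0x500"),                               # ... then call upload
    0x308: ("bx", "lr"),
    0x400: ("bl", "_UIApplicationMain"),                  # show_ui
    0x404: ("bx", "lr"),
    0x500: ("bl", "_NSURLSession_dataTaskWithRequest"),   # upload: network send
    0x504: ("bx", "lr"),
}
SYMBOLS = {0x100: "main", 0x200: "check_license", 0x300: "collect", 0x400: "show_ui", 0x500: "upload"}
# Imported sensitive APIs and the behaviour category each one represents.
SENSITIVE = {"_ABAddressBookCopyArrayOfAllPeople": "read_contacts",
             "_NSURLSession_dataTaskWithRequest": "network_send"}
CONDITIONAL = {"cbz", "cbnz", "beq", "bne"}


def branch_target(operands):
    """Last operand of a branch: an internal address (int) or an import name."""
    token = operands.split(",")[-1].strip()
    return int(token, 16) if token.startswith("0x") else token


def disassemble_function(entry):
    """Recursive descent from one entry: decode only what the control flow reaches.
    A linear sweep would decode the data word at 0x110 as an instruction.
    Returns (visited addresses, [(call_site, target)] in address order)."""
    visited, calls, seen, work = [], [], set(), [entry]
    while work:
        addr = work.pop()
        if addr in seen or addr not in CODE:
            continue
        seen.add(addr)
        visited.append(addr)
        mnemonic, operands = CODE[addr]
        fallthrough = addr + WORD
        if mnemonic == "bl":                  # call: record the edge, continue after it
            calls.append((addr, branch_target(operands)))
            work.append(fallthrough)
        elif mnemonic == "b":                 # unconditional jump: no fall-through
            work.append(branch_target(operands))
        elif mnemonic in CONDITIONAL:         # both successors are reachable
            work.append(branch_target(operands))
            work.append(fallthrough)
        elif mnemonic != "bx":                # "bx lr" returns; anything else falls through
            work.append(fallthrough)
    calls.sort(key=lambda c: c[0])
    return visited, calls


def build_call_graph(entry):
    """Descend into every internal callee; return {function: [callees in call order]}."""
    graph, work = {}, [entry]
    while work:
        fn = work.pop()
        name = SYMBOLS.get(fn, hex(fn))
        if name in graph:
            continue
        graph[name] = []
        for _site, target in disassemble_function(fn)[1]:
            if isinstance(target, int):
                graph[name].append(SYMBOLS.get(target, hex(target)))
                work.append(target)
            else:
                graph[name].append(target)
    return graph


def sensitive_call_sequences(graph, root="main"):
    """Every call chain from root to a sensitive API, in program (depth-first) order."""
    chains = []

    def walk(fn, chain):
        for callee in graph.get(fn, []):
            if callee in SENSITIVE:
                chains.append((chain + [fn], callee, SENSITIVE[callee]))
            elif callee in graph and callee not in chain:
                walk(callee, chain + [fn])

    walk(root, [])
    return chains


def read_then_send(sequences):
    """True when a contacts read is followed, in call order, by a network send."""
    categories = [category for _chain, _api, category in sequences]
    if "read_contacts" not in categories:
        return False
    return "network_send" in categories[categories.index("read_contacts") + 1:]
```

For this stream `sensitive_call_sequences(build_call_graph(0x100))` gives the two chains `main -> collect -> _ABAddressBookCopyArrayOfAllPeople` and `main -> collect -> upload -> _NSURLSession_dataTaskWithRequest`, and `read_then_send` reports that the read precedes the send. Indirect calls through registers are not followed here; on a real binary that gap is what the run-time detection of step 301 is meant to close, since the actual targets are only known once the code executes.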
In one embodiment, remote control is used to interact dynamically with the user interface of a terminal on which the APP application is installed; for example, VNC remote control together with a corresponding image recognition technique may be used to implement interaction with the dynamic user interface. The APP application is then triggered to execute the corresponding action, for example by real screen taps and similar operations that trigger the action in the application. The network transmission information and log files related to the APP application are obtained, and whether the APP application is malicious is determined from them: by capturing and analysing the network transmissions and the file read/write logs produced after the action is triggered, it can be determined whether the application program endangers the security of the user's information.
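The log correlation described in this embodiment, as an added Python example rather than the patent's own implementation: after each UI action is triggered on the test terminal, the captured API, file and network events are grouped under that action, and a sensitive read followed by a transmission to a host outside the application's expected backend, or any transmission over cleartext HTTP, is reported. The log format, the sensitive paths, the first-party host list and the log lines are constructed for illustration; driving the interface over VNC with image recognition is not shown.

```python
"""Correlate API, file and network events captured on the test terminal after
each triggered UI action. Added example, not code from the patent: the log
format, sensitive paths, first-party host list and log lines are constructed;
driving the interface over VNC with image recognition is not shown here."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Event = namedtuple("Event", "ts kind detail")
LOG_RE = re.compile(r"^(\S+)\s+(ui|api|file|net)\s+(.*)$")
NET_RE = re.compile(r"^(GET|POST|PUT)\s+(\S+)\s+bytes=(\d+)$")

# Hypothetical markers of privacy-sensitive access (iOS-flavoured placeholders).
SENSITIVE_PATHS = ("/AddressBook/", "/Caches/locationd/", "/Keychains/")
SENSITIVE_APIS = ("ABAddressBook", "CLLocationManager", "SKPaymentQueue")
# Backend hosts the application is expected to contact (constructed allow-list).
FIRST_PARTY_HOSTS = {"api.example-app.com"}


def parse_log(text):
    """Parse 'timestamp kind detail' lines; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(*m.groups()))
    return events


def split_by_action(events):
    """Group the events that follow each UI action under that action."""
    groups = []
    for ev in events:
        if ev.kind == "ui":
            groups.append((ev.detail, []))
        elif groups:
            groups[-1][1].append(ev)
    return groups


def is_sensitive_read(ev):
    if ev.kind == "api":
        return ev.detail.startswith(SENSITIVE_APIS)
    return ev.kind == "file" and ev.detail.startswith("read ") and any(p in ev.detail for p in SENSITIVE_PATHS)


def analyse_action(action, events):
    """Findings for one action: a sensitive read followed by an off-backend or cleartext send."""
    findings = []
    reads = [ev for ev in events if is_sensitive_read(ev)]
    for ev in events:
        m = NET_RE.match(ev.detail) if ev.kind == "net" else None
        if not m:
            continue
        method, url, size = m.group(1), m.group(2), int(m.group(3))
        parsed = urlparse(url)
        prior = [r for r in reads if r.ts <= ev.ts]
        if prior and parsed.hostname not in FIRST_PARTY_HOSTS:
            findings.append(f"{action}: {prior[0].detail} then {method} {size} bytes to "
                            f"non-first-party host {parsed.hostname}")
        if parsed.scheme == "http":
            findings.append(f"{action}: cleartext {method} to {parsed.hostname}")
    return findings


def verdict(log_text):
    """('malicious' | 'clean', findings) over the whole captured log."""
    findings = [f for action, events in split_by_action(parse_log(log_text))
                for f in analyse_action(action, events)]
    return ("malicious" if any("non-first-party" in f for f in findings) else "clean"), findings


# Constructed capture from one test run (timestamps, paths and hosts are invented).
SAMPLE_LOG = """
2017-06-30T10:00:01 ui   tap "Sign in"
2017-06-30T10:00:02 api  ABAddressBookCopyArrayOfAllPeople
2017-06-30T10:00:02 file read /var/mobile/Library/AddressBook/AddressBook.sqlitedb
2017-06-30T10:00:03 net  POST https://api.example-app.com/v1/session bytes=312
2017-06-30T10:00:04 net  POST http://203.0.113.7/collect bytes=48211
2017-06-30T10:00:09 ui   tap "Settings"
2017-06-30T10:00:10 file read /var/mobile/Containers/Data/Application/1F2E/Library/Preferences/app.plist
2017-06-30T10:00:11 net  GET https://api.example-app.com/v1/config bytes=88
"""
CLEAN_LOG = """
2017-06-30T10:00:09 ui   tap "Settings"
2017-06-30T10:00:10 file read /var/mobile/Containers/Data/Application/1F2E/Library/Preferences/app.plist
2017-06-30T10:00:11 net  GET https://api.example-app.com/v1/config bytes=88
"""
```

`verdict(SAMPLE_LOG)` returns "malicious" with two findings for the "Sign in" action: the address-book read followed by a 48211-byte POST to 203.0.113.7, and the same request being cleartext; the "Settings" action produces nothing. The first-party allow-list is the weak point of this rule: it has to come from the vendor's declared backend or from baselining a benign run, and an application that exfiltrates through its own server would only be caught by looking at payload size and content rather than destination.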
In the method for detecting malicious behavior of an APP application of this embodiment, the ARM assembly code file is first scanned by traversal, the occurrences of the sensitive APIs are matched and counted, the data related to the key fields of malicious information are extracted, and the feature data set of the application program is formed. The feature data set is then classified by the BP neural network to judge which kind of malicious program the application program belongs to, or whether it is a normal application. In the dynamic analysis, remote control is combined with image recognition so that the dynamic analysis of the application software can be executed automatically, improving the efficiency and accuracy of application-software security detection.
In one embodiment, as shown in fig. 4, the present invention provides an APP application malicious behavior detection apparatus 40, including: a static detection module 41, a behavior sequence analysis module 42, a malicious application determination module 43, and a dynamic analysis module 44.
The static detection module 41 performs static detection on the APP application, and obtains a sensitive API included in a code of the APP application. The behavior sequence analysis module 42 detects the APP application in the running process, and obtains a call relationship sequence related to the sensitive API. The malicious application determining module 43 determines whether the APP application is a malicious application according to the sensitive API and the call relation sequence.
The dynamic analysis module 44 interacts dynamically, by remote control, with the user interface of a terminal on which the APP application is installed, triggers the APP application to execute the corresponding action, obtains the network transmission information and log files related to the APP application, and determines whether the APP application is a malicious application based on the network transmission information and the log files.
As shown in fig. 5, the static detection module 41 includes: a first preprocessing unit 411 and a sensitive API detection unit 412. The first preprocessing unit 411 disassembles the code of the APP application and obtains a first disassembled code of the APP application. The sensitive API detection unit 412 detects whether a sensitive API exists in the first disassembled code.
As shown in fig. 7, the malicious application determination module 43 includes: a first malicious application analysis unit 431 and a second malicious application analysis unit 432. The first malicious application analysis unit 431 scans the first disassembled code and extracts a feature data set related to the sensitive API from the first disassembled code. The first malicious application analysis unit 431 inputs the feature data set into the BP neural network algorithm model, and performs classification and identification according to a preset malicious data sample to determine whether the APP application is a malicious application and the type of the malicious application.
As shown in fig. 6, the behavior sequence analysis module 42 includes: a second preprocessing unit 421 and a call analysis unit 422. The second preprocessing unit 421 disassembles the APP application, and other applications that call the sensitive API, using a recursive descent algorithm that follows the control flow associated with the sensitive API, and converts them into a second disassembled code.
The call analysis unit 422 determines the position of the sensitive API and the call relation related to the sensitive API in the second disassembled code, and establishes a call relation sequence related to the sensitive API. The second malicious application analysis unit 432 analyzes the influence of the sensitive API on the security of the APP application and other applications according to the call relationship sequence, and determines whether the APP application is a malicious application based on the analysis result.
Fig. 8 is a schematic block diagram of an APP application malicious behavior detection apparatus according to another embodiment of the present invention. As shown in fig. 8, the apparatus may include a memory 81, a processor 82, a communication interface 83, and a bus 84. The memory 81 is used for storing instructions, the processor 82 is coupled to the memory 81, and the processor 82 is configured to execute the APP application malicious behavior detection method based on the instructions stored in the memory 81.
The memory 81 may be high-speed RAM, non-volatile memory or the like, and may be a memory array; the storage 81 may also be partitioned, with the blocks combined into virtual volumes according to certain rules. The processor 82 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the APP application malicious behavior detection method of the present invention.
In one embodiment, the present invention provides a computer-readable storage medium storing computer instructions that, when executed by a processor, implement an APP application malicious behavior detection method as in any of the above embodiments.
The APP application malicious behavior detection method and device provided by the above embodiments obtain the sensitive APIs in the APP application code and the calling-relation sequence related to them, and determine from these whether the APP application is a malicious application. This can effectively improve the security of using the intelligent terminal device; and by combining remote control with image recognition during dynamic analysis, the dynamic analysis of the application software can be executed automatically, improving the efficiency and accuracy of application-software security detection.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (6)

1. An APP application malicious behavior detection method is characterized by comprising the following steps:
performing static detection on an APP to obtain a sensitive API contained in a code of the APP;
disassembling the code of the APP application to obtain a first disassembled code of the APP application; detecting whether the sensitive API exists in the first disassembled code;
detecting the APP in the running process to obtain a calling relation sequence related to the sensitive API;
the APP and other applications calling the sensitive API are disassembled by adopting a recursive descent algorithm and based on a control flow related to the sensitive API, and are converted into a second disassembled code; determining the position of the sensitive API and the calling relation related to the sensitive API in the second disassembled code, and establishing a calling relation sequence related to the sensitive API;
determining whether the APP is a malicious application or not according to the sensitive API and the calling relation sequence;
wherein the first disassembled code is scanned, and a feature data set related to the sensitive API is extracted from the first disassembled code; inputting the feature data set into a BP neural network algorithm model, and performing classification and identification against a preset malicious data sample to determine whether the APP application is a malicious application and the type of the malicious application;
performing dynamic interactive operations, in a remote control mode, with the user interface of a terminal on which the APP application is installed; triggering the APP application to execute the corresponding action; obtaining network transmission information and log files related to the APP application, and determining whether the APP application is a malicious application based on the network transmission information and the log files.
2. The method of claim 1, wherein said determining whether the APP application is a malicious application from the sensitive API and the call relationship sequence comprises:
analyzing the influence of the sensitive API on the safety of the APP and other applications according to the calling relation sequence;
determining whether the APP application is a malicious application based on a result of the analysis.
3. An APP application malicious behavior detection apparatus, comprising:
the static detection module is used for carrying out static detection on the APP and obtaining a sensitive API contained in a code of the APP;
wherein the static detection module comprises:
the first preprocessing unit is used for disassembling the code of the APP application and acquiring a first disassembled code of the APP application;
a sensitive API detection unit, configured to detect whether the sensitive API exists in the first disassembled code;
the behavior sequence analysis module is used for detecting the APP in the running process and acquiring a calling relation sequence related to the sensitive API;
wherein the behavior sequence analysis module comprises:
the second preprocessing unit is used for disassembling the APP and other applications calling the sensitive API by adopting a recursive descent algorithm and based on a control flow related to the sensitive API, and converting the APP and other applications into second disassembled codes;
the call analysis unit is used for determining the position of the sensitive API and the call relation related to the sensitive API in the second disassembled code and establishing a call relation sequence related to the sensitive API;
a malicious application determining module, configured to determine whether the APP application is a malicious application according to the sensitive API and the call relationship sequence;
the malicious application determination module comprises:
the first malicious application analysis unit scans the first disassembled code and extracts a feature data set related to the sensitive API from the first disassembled code; inputs the feature data set into a BP neural network algorithm model, and performs classification and identification against a preset malicious data sample to determine whether the APP application is a malicious application and the type of the malicious application;
the dynamic analysis module is used for performing dynamic interactive operations, in a remote control mode, with the user interface of a terminal on which the APP application is installed; triggering the APP application to execute the corresponding action; obtaining network transmission information and log files related to the APP application, and determining whether the APP application is a malicious application based on the network transmission information and the log files.
4. The apparatus of claim 3,
the malicious application determination module comprises:
and the second malicious application analysis unit is used for analyzing the influence of the sensitive API on the safety of the APP and other applications according to the calling relation sequence and determining whether the APP is a malicious application or not based on the analysis result.
5. An APP application malicious behavior detection apparatus, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the APP application malicious behavior detection method of any of claims 1 to 2 based on instructions stored in the memory.
6. A computer readable storage medium storing computer instructions which, when executed by a processor, implement the APP application malicious behavior detection method of any of claims 1 to 2.
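The static half of claim 1, illustrated as an added example that is not the patent's own code: a constructed smali-like disassembly is scanned for sensitive APIs, then walked by recursive descent over its control flow (including a loop back-edge, which the visited set must break) to build the call-relation sequence, which is turned into the feature data set a classifier such as the claimed BP neural network would consume. The watch-list, the app method names (`Lapp/...`) and the instruction encoding are all assumptions made for the example; the Android API names on the watch-list are real.

```python
from collections import Counter
# Constructed watch-list for this example; the names are real Android APIs.
SENSITIVE_APIS = {"Landroid/telephony/TelephonyManager;->getDeviceId",
                  "Landroid/telephony/SmsManager;->sendTextMessage",
                  "Ljava/net/HttpURLConnection;->connect"}
# Constructed smali-like disassembly: method -> ("invoke", callee) | ("if", label) | ("label", name).
DISASM = {
    "Lapp/Main;->onCreate": [
        ("invoke", "Lapp/Main;->collect"),
        ("if", "skip"),                      # conditional branch around the SMS call
        ("invoke", "Landroid/telephony/SmsManager;->sendTextMessage"),
        ("label", "skip"),
        ("invoke", "Lapp/Net;->upload")],
    "Lapp/Main;->collect": [("invoke", "Landroid/telephony/TelephonyManager;->getDeviceId")],
    "Lapp/Net;->upload": [
        ("label", "retry"),
        ("invoke", "Ljava/net/HttpURLConnection;->connect"),
        ("if", "retry")],                    # back-edge: the walk must not loop forever
}

def find_sensitive_apis(disasm):
    """Static pass: every sensitive API invoked anywhere in the code."""
    return {op[1] for body in disasm.values() for op in body
            if op[0] == "invoke" and op[1] in SENSITIVE_APIS}

def call_sequence(disasm, entry):
    """Recursive descent over the control flow from entry; ordered (caller, API)."""
    seq, seen = [], set()
    def walk(method, pc):
        body = disasm[method]
        labels = {op[1]: i for i, op in enumerate(body) if op[0] == "label"}
        while pc < len(body) and (method, pc) not in seen:
            seen.add((method, pc))               # visited set breaks loops
            op = body[pc]
            if op[0] == "invoke" and op[1] in disasm:
                walk(op[1], 0)                   # descend into app-defined callee
            elif op[0] == "invoke" and op[1] in SENSITIVE_APIS:
                seq.append((method, op[1]))
            elif op[0] == "if":                  # explore fall-through, then target
                walk(method, pc + 1)
                walk(method, labels[op[1]])
                return
            pc += 1
    walk(entry, 0)
    return seq

def feature_set(seq):
    """Classifier input: per-API counts plus ordered API pairs (bigrams)."""
    apis = [api.split("->")[1] for _, api in seq]
    feats = Counter(apis)
    feats.update(f"{a}>{b}" for a, b in zip(apis, apis[1:]))
    return dict(feats)
```

On the sample, the sequence comes out as getDeviceId (from `collect`), sendTextMessage, connect, and the bigram `getDeviceId>sendTextMessage` is the kind of ordered feature that distinguishes "read identifier then send it" from the same APIs used independently.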
CN201710524463.1A 2017-06-30 2017-06-30 APP application malicious behavior detection method and device Active CN109214178B (en)

Publications (2)

Publication Number Publication Date
CN109214178A CN109214178A (en) 2019-01-15
CN109214178B true CN109214178B (en) 2021-03-16

Family

ID=64976919

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
CN105760761A (en) * 2016-02-04 2016-07-13 中国联合网络通信集团有限公司 Software behavior analyzing method and device
CN106845236A (en) * 2017-01-18 2017-06-13 东南大学 Multi-dimensional application privacy leakage detection method and system for iOS platforms

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105989283B (en) * 2015-02-06 2019-08-09 阿里巴巴集团控股有限公司 Method and device for identifying virus variants

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant