CN109711151A - Method, system and device for predicting bad behavior of application programs - Google Patents


Info

Publication number
CN109711151A
Authority
CN
China
Prior art keywords
application
attribute
detected
bad behavior
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711007293.6A
Other languages
Chinese (zh)
Other versions
CN109711151B (en)
Inventor
马志远
王丹
潘宣辰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Antian Information Technology Co Ltd
Original Assignee
Wuhan Antian Information Technology Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention provides a method for predicting bad behavior of application programs: obtain an application to be detected on the server operation side; extract the attributes of the application to be detected; perform bad behavior profiling on the application to be detected, based on its attributes and a preset application attribute tag library; output the result of the behavior profile. The application attribute tag library is established in the following manner: collect the types of all bad behaviors, as bad behavior labels; collect the attributes of all existing applications and deduplicate them, as the application attribute library; compute statistics for each attribute: among the applications in which an attribute appears, count the proportion that exhibit a bad behavior, and if the proportion exceeds a certain threshold, attach the bad behavior label to the attribute; label all attributes in the application attribute library in this way to form the application attribute tag library. The present invention can provide assistance and reference for manual detection and improve processing efficiency.

Description

Method, system and device for predicting bad behavior of application programs
Technical field
The present invention relates to the field of mobile terminal security, and in particular to a method, system and device for predicting bad behavior of application programs.
Background
As mobile phones have become widespread in people's lives, mobile phone applications (apps) have also flourished. The variety and number of applications are increasing sharply, but their quality and content cannot be effectively guaranteed. Many applications contain various bad behaviors, for example containing illicit content, or having no actual function and being used mainly for promotion.
The conventional approach is manual review on the server operation side. With the sharp increase in the number of applications, however, relying entirely on manual review makes processing slow and inefficient, and problems of human understanding also lead to poor detection results.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, system and device for predicting bad behavior of application programs that offer assistance and reference for manual review, thereby improving processing efficiency.
The technical solution adopted by the present invention to solve the above technical problem is a method for predicting bad behavior of application programs, characterized in that it comprises:
obtaining an application to be detected on the server operation side;
extracting the attributes of the application to be detected, including dynamic attributes and static attributes;
performing bad behavior profiling on the application to be detected, based on its attributes and a preset application attribute tag library;
outputting the result of the behavior profile.
The application attribute tag library is established in the following manner:
collect the types of all bad behaviors, as bad behavior labels;
collect the attributes of all existing applications and deduplicate them, as the application attribute library; the attributes include dynamic attributes and static attributes;
compute statistics for each attribute: among the applications in which an attribute appears, count the proportion that exhibit a bad behavior; if the proportion exceeds a certain threshold, attach the bad behavior label to the attribute; otherwise attach a safe label;
label all attributes in the application attribute library in this way to form the application attribute tag library.
According to the above method, the attributes of the application to be detected include accessed IPs, domain names, a third-party component list, code module information and developer information, specifically:
obtaining dynamic attributes: place the application to be detected in a dynamic sandbox, install and actually run it, monitor its network behavior at run time, and record all domain names and IPs the application accesses while running;
obtaining static attributes: statically parse the sample file to obtain the developer information; extract all executable files in the file of the application to be detected and compute the hash of each file, this attribute being the code module information; detect all third-party components integrated in the application by means of a third-party component rule library extracted in advance, to obtain the third-party component list.
According to the above method, performing bad behavior profiling on the application to be detected specifically comprises:
extracting, from the application attribute tag library, the labels of the attributes of the application to be detected, and taking the union of all bad behavior labels among them as the bad behavior profile of the application to be detected.
According to the above method, outputting the result of the behavior profile specifically comprises: outputting all bad behavior labels obtained for the application to be detected.
A system for predicting bad behavior of application programs, characterized in that it comprises:
an obtaining module, for obtaining an application to be detected on the server operation side;
an extraction module, for extracting the attributes of the application to be detected, including dynamic attributes and static attributes;
a profiling module, for performing bad behavior profiling on the application to be detected, based on its attributes and a preset application attribute tag library;
an output module, for outputting the result of the behavior profile.
The application attribute tag library is established in the following manner:
collect the types of all bad behaviors, as bad behavior labels;
collect the attributes of all existing applications and deduplicate them, as the application attribute library; the attributes include dynamic attributes and static attributes;
compute statistics for each attribute: among the applications in which an attribute appears, count the proportion that exhibit a bad behavior; if the proportion exceeds a certain threshold, attach the bad behavior label to the attribute; otherwise attach a safe label;
label all attributes in the application attribute library in this way to form the application attribute tag library.
In the above system, the attributes of the application to be detected include accessed IPs, domain names, a third-party component list, code module information and developer information;
the extraction module includes:
a dynamic attribute obtaining module, for placing the application to be detected in a dynamic sandbox, installing and actually running it, monitoring its network behavior at run time, and recording all domain names and IPs the application accesses while running;
a static attribute obtaining module, for statically parsing the sample file to obtain the developer information; extracting all executable files in the file of the application to be detected and computing the hash of each file, this attribute being the code module information; and detecting all third-party components integrated in the application by means of a third-party component rule library extracted in advance, to obtain the third-party component list.
In the above system, the profiling module is specifically used to extract, from the application attribute tag library, the labels of the attributes of the application to be detected, and to take the union of all bad behavior labels among them as the bad behavior profile of the application to be detected.
In the above system, the output module is specifically used to output all bad behavior labels obtained for the application to be detected.
A device for predicting bad behavior of application programs, characterized in that it comprises a memory arranged on the server operation side and a computer program stored in the memory, the computer program being callable to execute the method for predicting bad behavior of application programs.
The beneficial effects of the present invention are as follows: an application attribute tag library is established by statistically analysing each attribute of known applications; at detection time, the attributes of the application to be detected are extracted and compared against the application attribute tag library to perform bad behavior profiling, which yields whether the application is a bad application and which bad behaviors it has. This provides assistance and reference for manual detection and improves processing efficiency.
Brief description of the drawings
Fig. 1 is a flow chart of the method of one embodiment of the present invention.
Detailed description of the embodiments
The present invention is further described below with reference to a specific example and the accompanying drawing.
The present invention provides a method for predicting bad behavior of application programs which, as shown in Fig. 1, comprises the following steps:
S01. Establish the application attribute tag library:
Collect the types of all bad behaviors, as bad behavior labels, for example "frequently plays advertisements", "contains pornographic content", and so on.
Collect the attributes of all existing applications and deduplicate them, as the application attribute library; the attributes include dynamic attributes and static attributes.
Compute statistics for each attribute: among the applications in which an attribute appears, count the proportion that exhibit a bad behavior; if the proportion exceeds a certain threshold, attach the bad behavior label to the attribute; otherwise attach a safe label. An example of this process follows:
For a given attribute of the "developer information" type, "CN=test, OU=test, O=test, L=test, ST=test, C=test", use the stored library of application bad behavior detection results to calculate, among all samples that possess this attribute, the proportion of samples with the bad behavior "frequently plays advertisements". If that proportion exceeds the set threshold, for example 80%, the bad behavior label "frequently plays advertisements" can be attached to the above attribute of the "developer information" type.
Label all attributes in the application attribute library in this way to form the application attribute tag library.
The application attribute tag library can be established once at the start and reused afterwards; it can also be updated periodically.
S02. Obtain the application to be detected on the server operation side.
S03. Extract the attributes of the application to be detected, including dynamic attributes and static attributes.
The attributes of the application to be detected include, but are not limited to, accessed IPs, domain names (URLs), a third-party component list, code module information and developer information, specifically:
Obtaining dynamic attributes: place the application to be detected in a dynamic sandbox, install and actually run it, monitor its network behavior at run time, and record all domain names and IPs the application accesses while running;
Obtaining static attributes: statically parse the sample file to obtain the developer information; extract all executable files in the file of the application to be detected and compute the hash of each file, this attribute being the code module information; detect all third-party components integrated in the application by means of a third-party component rule library extracted in advance, to obtain the third-party component list. Third-party components here include, but are not limited to, advertising components, payment components and the like.
S04. Perform bad behavior profiling on the application to be detected, based on its attributes and the preset application attribute tag library, specifically:
From the application attribute tag library, extract the labels of the attributes of the application to be detected, and take the union of all bad behavior labels among them as the bad behavior profile of the application to be detected.
S05. Output the result of the behavior profile, specifically: output all bad behavior labels obtained for the application to be detected. These bad behaviors are the predicted set of bad behaviors that the application may have.
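The tag library construction (S01) and the profiling and output steps (S04, S05) can be sketched as follows. This is an added example, not code from the patent: the attribute tuples, the sample applications and the `min_support` parameter are constructed assumptions, since the patent specifies only a ratio threshold (for example 80%).

```python
from collections import defaultdict

SAFE = "safe"
AD = "frequently plays advertisements"
PORN = "contains pornographic content"

# Attributes are (type, value) pairs. All values below are constructed samples.
DEV_TEST = ("developer", "CN=test, OU=test, O=test, L=test, ST=test, C=test")
DEV_OTHER = ("developer", "CN=other")
AD_DOMAIN = ("domain", "ads.example.net")
CDN_DOMAIN = ("domain", "cdn.example.org")
AD_SDK = ("component", "ExampleAdSDK")
MODULE_X = ("code_module", "hash-of-constructed-module-x")

# Stored detection results: (attributes of a known app, its confirmed bad behaviors).
KNOWN_APPS = [
    ({DEV_TEST, AD_DOMAIN}, {AD}),
    ({DEV_TEST, AD_DOMAIN}, {AD}),
    ({DEV_TEST, AD_SDK}, {AD}),
    ({DEV_TEST, MODULE_X}, {AD, PORN}),
    ({DEV_TEST, AD_SDK}, {AD}),
    ({DEV_TEST, AD_SDK, CDN_DOMAIN}, set()),
    ({DEV_OTHER, CDN_DOMAIN}, set()),
]


def build_tag_library(known_apps, threshold=0.8, min_support=1):
    """S01: label each attribute with the bad behaviors whose share among
    the apps carrying that attribute exceeds `threshold`; else label it safe.

    `min_support` is an assumption added here, not part of the patent: an
    attribute seen in fewer apps is left out of the library, because one
    bad app would otherwise give every one of its attributes a 100% ratio.
    """
    apps_with = defaultdict(int)                      # attribute -> number of apps
    bad_with = defaultdict(lambda: defaultdict(int))  # attribute -> behavior -> apps
    for attrs, behaviors in known_apps:
        for attr in set(attrs):                       # count each app once per attribute
            apps_with[attr] += 1
            for behavior in behaviors:
                bad_with[attr][behavior] += 1

    library = {}
    for attr, total in apps_with.items():
        if total < min_support:
            continue
        labels = {b for b, n in bad_with[attr].items() if n / total > threshold}
        library[attr] = labels or {SAFE}
    return library


def profile(app_attrs, library):
    """S04/S05: union of the bad behavior labels of the app's attributes.

    Also returns the attributes absent from the library (an addition for
    the reviewer: they carry no evidence either way, which is not "safe").
    """
    predicted, unknown = set(), set()
    for attr in app_attrs:
        labels = library.get(attr)
        if labels is None:
            unknown.add(attr)
        else:
            predicted |= labels - {SAFE}
    return predicted, unknown


if __name__ == "__main__":
    lib = build_tag_library(KNOWN_APPS)
    candidate = {DEV_TEST, AD_SDK, ("domain", "new.example.com"), ("ip", "203.0.113.7")}
    predicted, unknown = profile(candidate, lib)
    print("predicted bad behaviors:", sorted(predicted))
    print("attributes with no history:", sorted(unknown))
```

With the default `min_support=1` the constructed code module seen in a single bad sample inherits both of that sample's labels; raising `min_support` removes such single-sample labels at the cost of more attributes reported as having no history.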
A system for predicting bad behavior of application programs comprises:
An obtaining module, for obtaining an application to be detected on the server operation side.
An extraction module, for extracting the attributes of the application to be detected, including dynamic attributes and static attributes. The attributes of the application to be detected include accessed IPs, domain names, a third-party component list, code module information and developer information.
The extraction module includes a dynamic attribute obtaining module, for placing the application to be detected in a dynamic sandbox, installing and actually running it, monitoring its network behavior at run time, and recording all domain names and IPs the application accesses while running; and a static attribute obtaining module, for statically parsing the sample file to obtain the developer information; extracting all executable files in the file of the application to be detected and computing the hash of each file, this attribute being the code module information; and detecting all third-party components integrated in the application by means of a third-party component rule library extracted in advance, to obtain the third-party component list.
A profiling module, for performing bad behavior profiling on the application to be detected, based on its attributes and the preset application attribute tag library; it is specifically used to extract, from the application attribute tag library, the labels of the attributes of the application to be detected, and to take the union of all bad behavior labels among them as the bad behavior profile of the application to be detected.
An output module, for outputting the result of the behavior profile; it is specifically used to output all bad behavior labels obtained for the application to be detected.
The application attribute tag library is established in the following manner:
collect the types of all bad behaviors, as bad behavior labels;
collect the attributes of all existing applications and deduplicate them, as the application attribute library; the attributes include dynamic attributes and static attributes;
compute statistics for each attribute: among the applications in which an attribute appears, count the proportion that exhibit a bad behavior; if the proportion exceeds a certain threshold, attach the bad behavior label to the attribute; otherwise attach a safe label;
label all attributes in the application attribute library in this way to form the application attribute tag library.
The present invention also provides a device for predicting bad behavior of application programs, comprising a memory arranged on the server operation side and a computer program stored in the memory, the computer program being callable to execute the method for predicting bad behavior of application programs.
The present invention proposes a method for automatically predicting bad behavior that can effectively assist the existing manual detection mode and raise detection efficiency. It combines two dimensions of an application, its dynamic attributes and its static attributes, so that the result is more accurate. The prediction is computed dynamically from the existing stock of data, so detection improves step by step as that stock of data grows.
It will be appreciated that the embodiments described herein can be implemented in hardware, software, firmware, middleware, microcode or any combination thereof. For a hardware implementation, the processing unit can be implemented in one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field programmable gate arrays (FPGA), processors, controllers, microcontrollers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof. When an embodiment is implemented in software, firmware, middleware or microcode, program code or code segments, these can be stored in a machine-readable medium such as a storage component.
The above embodiments merely illustrate the design ideas and features of the present invention; their purpose is to enable those skilled in the art to understand the content of the present invention and implement it accordingly, and the scope of protection of the present invention is not limited to the above embodiments. All equivalent changes or modifications made according to the principles and design ideas disclosed by the present invention therefore fall within the scope of protection of the present invention.

Claims (9)

1. A method for predicting bad behavior of application programs, characterized in that it comprises:
obtaining an application to be detected on the server operation side;
extracting the attributes of the application to be detected, including dynamic attributes and static attributes;
performing bad behavior profiling on the application to be detected, based on its attributes and a preset application attribute tag library;
outputting the result of the behavior profile;
the application attribute tag library being established in the following manner:
collecting the types of all bad behaviors, as bad behavior labels;
collecting the attributes of all existing applications and deduplicating them, as the application attribute library, the attributes including dynamic attributes and static attributes;
computing statistics for each attribute: among the applications in which an attribute appears, counting the proportion that exhibit a bad behavior; if the proportion exceeds a certain threshold, attaching the bad behavior label to the attribute; otherwise attaching a safe label;
labelling all attributes in the application attribute library in this way to form the application attribute tag library.
2. The method for predicting bad behavior of application programs according to claim 1, characterized in that the attributes of the application to be detected include accessed IPs, domain names, a third-party component list, code module information and developer information, specifically:
obtaining dynamic attributes: placing the application to be detected in a dynamic sandbox, installing and actually running it, monitoring its network behavior at run time, and recording all domain names and IPs the application accesses while running;
obtaining static attributes: statically parsing the sample file to obtain the developer information; extracting all executable files in the file of the application to be detected and computing the hash of each file, this attribute being the code module information; detecting all third-party components integrated in the application by means of a third-party component rule library extracted in advance, to obtain the third-party component list.
3. The method for predicting bad behavior of application programs according to claim 1, characterized in that performing bad behavior profiling on the application to be detected specifically comprises:
extracting, from the application attribute tag library, the labels of the attributes of the application to be detected, and taking the union of all bad behavior labels among them as the bad behavior profile of the application to be detected.
4. The method for predicting bad behavior of application programs according to claim 3, characterized in that outputting the result of the behavior profile specifically comprises: outputting all bad behavior labels obtained for the application to be detected.
5. A system for predicting bad behavior of application programs, characterized in that it comprises:
an obtaining module, for obtaining an application to be detected on the server operation side;
an extraction module, for extracting the attributes of the application to be detected, including dynamic attributes and static attributes;
a profiling module, for performing bad behavior profiling on the application to be detected, based on its attributes and a preset application attribute tag library;
an output module, for outputting the result of the behavior profile;
the application attribute tag library being established in the following manner:
collecting the types of all bad behaviors, as bad behavior labels;
collecting the attributes of all existing applications and deduplicating them, as the application attribute library, the attributes including dynamic attributes and static attributes;
computing statistics for each attribute: among the applications in which an attribute appears, counting the proportion that exhibit a bad behavior; if the proportion exceeds a certain threshold, attaching the bad behavior label to the attribute; otherwise attaching a safe label;
labelling all attributes in the application attribute library in this way to form the application attribute tag library.
6. The system for predicting bad behavior of application programs according to claim 5, characterized in that the attributes of the application to be detected include accessed IPs, domain names, a third-party component list, code module information and developer information;
the extraction module includes:
a dynamic attribute obtaining module, for placing the application to be detected in a dynamic sandbox, installing and actually running it, monitoring its network behavior at run time, and recording all domain names and IPs the application accesses while running;
a static attribute obtaining module, for statically parsing the sample file to obtain the developer information; extracting all executable files in the file of the application to be detected and computing the hash of each file, this attribute being the code module information; and detecting all third-party components integrated in the application by means of a third-party component rule library extracted in advance, to obtain the third-party component list.
7. The system for predicting bad behavior of application programs according to claim 5, characterized in that the profiling module is specifically used to extract, from the application attribute tag library, the labels of the attributes of the application to be detected, and to take the union of all bad behavior labels among them as the bad behavior profile of the application to be detected.
8. The system for predicting bad behavior of application programs according to claim 5, characterized in that the output module is specifically used to output all bad behavior labels obtained for the application to be detected.
9. A device for predicting bad behavior of application programs, characterized in that it comprises a memory arranged on the server operation side and a computer program stored in the memory, the computer program being callable to execute the method for predicting bad behavior of application programs according to any one of claims 1 to 4.
CN201711007293.6A 2017-10-25 2017-10-25 Method, system and device for predicting adverse behaviors of application program Active CN109711151B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711007293.6A CN109711151B (en) 2017-10-25 2017-10-25 Method, system and device for predicting adverse behaviors of application program

Publications (2)

Publication Number Publication Date
CN109711151A (en) 2019-05-03
CN109711151B (en) 2021-08-20

Family

ID=66253226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711007293.6A Active CN109711151B (en) 2017-10-25 2017-10-25 Method, system and device for predicting adverse behaviors of application program

Country Status (1)

Country Link
CN (1) CN109711151B (en)

Also Published As

Publication number Publication date
CN109711151B (en) 2021-08-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant