CN109829300A - APP dynamic depth malicious act detection device, method and system - Google Patents


Publication number: CN109829300A
Application number: CN201910007489.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 崔翔, 刘井强, 苏申, 刘潮歌, 殷丽华, 田志宏
Current Assignee: Guangzhou University
Original Assignee: Guangzhou University
Prior art keywords: control, app, malicious act, input, module

Abstract

The invention discloses an APP dynamic in-depth malicious behavior detection device, method and system. The device comprises: a screen processing module for obtaining the display interface of the APP under test that is currently running on a mobile terminal; an image recognition module for recognizing the obtained display interface against a preset control feature library to find the controls on the display interface and to obtain the category information and position information of each control; a screen touch module for simulating user behavior to operate the control according to its category information and position information; and a malicious behavior detection module for monitoring the network behavior, system behavior and file behavior of the mobile terminal's operating system while the control is being operated, extracting feature data of the environment in which the APP runs, and detecting malicious APP behavior by combining static features with dynamic features.

Description

APP dynamic in-depth malicious behavior detection device, method and system
Technical field
The present invention relates to the field of computer technology, and in particular to an APP dynamic in-depth malicious behavior detection device, method and system.
Background
In recent years, global smartphone shipments have risen sharply and the number of smartphone users keeps growing. Both the number of mobile Internet users and the level of application have grown rapidly. As shown in Fig. 1, according to the latest report published by Gartner, global mobile phone shipments reached 18.67 hundred million (1.867 billion) in 2018, accounting for 81.81% of all smart devices worldwide, and the trend of rapid growth continues to 2020. Mobile Internet applications carried by smart mobile devices such as phones have become an indispensable part of people's lives.
With the spread of smartphones and the successful application of the mobile Internet across major industries, mobile big data containing massive amounts of private information keeps growing rapidly. Because the development quality of mobile applications is uneven, security vulnerabilities and hidden risks are frequent, theft of user privacy has become the norm, and the associated security risks are steadily expanding. Trojans targeting mobile phones are also increasingly active; the main harms include privacy theft, malicious propagation and indecent behavior. The amount of malicious application software keeps growing and attack techniques keep evolving: many virus authors encrypt their own code using encryption platforms; the popularity of mini programs has given attackers a new attack platform, and cheat plug-ins for mini programs are rampant; during the Bitcoin craze, all kinds of mining Trojans emerged one after another, and users' phones became mining machines without their noticing. Research on detecting malicious behavior on mobile phones therefore has high practical value.
"Android platform malicious application detection method based on a random forest classification method" discloses a method for detecting malicious applications on the Android platform based on random forest classification. It collects APP samples, both malicious and benign, builds a sample library from the static features, permission set and API set of each sample, and builds each decision tree of the random forest from the sample library, achieving efficient detection of malicious APPs and improving the security of the Android platform.
"A dynamic detection method for malicious behavior in Android applications" decompiles the APK, converts the resulting Java code into an intermediate representation, instruments it, and analyzes the software's malicious behavior.
"An Android malicious application detection method based on multi-class features" uses the features that Android applications themselves carry, obtains features of various typical kinds, and combines several machine learning methods to quickly detect Android applications from those features.
"An Android malware detection platform for the mobile Internet" discloses an Android malware detection platform for the mobile Internet that combines static and dynamic detection of Android malware. The application is installed in an Android sandbox and is launched and operated automatically, simulating a user's various actual operations on it. By monitoring the running application, the platform obtains its API call information and various dynamic behaviors, and thereby detects malicious behavior in the application.
"APP security detection system based on Android" takes Android-based APPs as its starting point, analyzes several currently common classes of security problems, and proposes detection methods and approaches for them.
"A malicious code detection method for Android applications" discloses a malicious code detection method for Android applications. The server side analyzes pre-extracted application feature values with a random forest algorithm and thereby builds a database relating applications to malicious code; an application code sample is uploaded and matched against data fetched from the database server to obtain the detection result.
"Android platform software abnormal behavior detection system" combines the advantages of dynamic and static detection and effectively detects abnormal behavior of APP software by hooking sensitive API interface functions.
Summary of the invention
In the course of making the invention, the inventors found that the above methods for detecting malicious behavior in mobile APPs can, to some extent, invoke certain components dynamically. For example, the Service and Activity components of an Android APP can be invoked by parsing the Android Manifest file, which in turn drives the APP to enable the related controls. However, these methods find it difficult or impossible to simulate user behavior starting from how users habitually operate an APP, in a way that an Android APP with anti-reverse-analysis and anti-detection capabilities can hardly notice. In addition, some components of a mobile APP do not need to be declared in the configuration file. Input boxes, for example, are not declared in the Android Manifest file, so user input behavior cannot be simulated by parsing the Android Manifest file. Detection schemes that combine dynamic and static analysis use feature-based detection, and some of them apply machine learning algorithms such as decision trees. The precondition for detection with these methods is that the behavior of the malicious APP is effectively triggered. Once a mobile APP has been hardened by code encryption, obfuscation or packing, static detection can no longer detect it effectively. In dynamic detection, some malicious behavior is triggered only while the user is actually using the APP: it is not triggered simply by opening the software or invoking the relevant component, but only after the user goes through some normal usage flow or a specific condition is reached. A "logic bomb", for example, triggers its predefined malicious behavior only once a given condition is met. In summary, the existing method of simulating the operation of a mobile APP by parsing the Android Manifest file, and the existing method of detecting malicious behavior by combining dynamic and static analysis, both suffer from insufficient detection and cannot effectively detect malicious behavior in mobile APPs under certain conditions.
In view of this, the purpose of the present invention is to provide an APP dynamic in-depth malicious behavior detection device, method and system that can effectively detect malicious behavior in mobile APPs.
An embodiment of the invention provides an APP dynamic in-depth malicious behavior detection device, comprising:
a screen processing module, configured to obtain the display interface of the APP under test that is currently running on the mobile terminal;
an image recognition module, configured to recognize the obtained display interface against a preset control feature library to find the controls on the display interface, and to obtain the category information and position information of each control;
a screen touch module, configured to simulate user behavior to operate the control according to its category information and position information;
a malicious behavior detection module, configured to monitor the network behavior, system behavior and file behavior of the mobile terminal's operating system while the control is being operated, to extract feature data of the environment in which the APP runs, and to detect malicious APP behavior by combining static features with dynamic features.
Preferably, the screen touch module is specifically configured to:
obtain the category information of the control;
activate the input method component when the category information indicates an input-type control, compute the character position of each key in the input method component, and simulate keyboard taps to produce the text content, the text content being obtained from the control library according to the category information of the control. The control library contains the operation sequences of controls and the input data bound to different controls. The control operation sequences are obtained, by statistical or machine learning methods, from large amounts of data on normal users operating APPs and from users' usage habits.
Preferably, the device further comprises a system linkage module.
The system linkage module is configured to read the verification information that a third-party application has received from the server corresponding to the APP, and to feed the verification information back to the screen touch module so that the screen touch module enters it into the corresponding control. The third-party applications include SMS applications and mailbox applications. The verification information is generated by the server according to the text content and sent to the third-party application.
Preferably, the device further comprises a node access module, wherein:
the screen touch module is further configured to:
send the operation event for performing a screen tap to the node access module when the category information of the control indicates a click-type control;
the node access module is configured to send the operation event to the event handling layer, which operates the specific input device so that the APP responds to the operation event.
Preferably, the malicious behavior detection module has a built-in function for synchronizing the malicious behavior detection feature library. This function can synchronize detection samples from the detection backend, or sample features from other malicious APP detection systems, and format them as feature library data suitable for this system, for use in malicious behavior detection.
An embodiment of the invention also provides an APP dynamic in-depth malicious behavior detection method, comprising:
obtaining the display interface of the APP under test that is currently running on the mobile terminal;
recognizing the obtained display interface against a preset control feature library to find the controls on the display interface, and obtaining the category information and position information of each control;
simulating user behavior to operate the control according to its category information and position information;
monitoring the network behavior, system behavior and file behavior of the mobile terminal's operating system while the control is being operated, extracting feature data of the environment in which the APP runs, and detecting malicious APP behavior by combining static features with dynamic features.
Preferably, simulating user behavior to operate the control according to its category information and position information specifically comprises:
obtaining the category information of the control;
activating the input method component when the category information indicates an input-type control, computing the character position of each key in the input method component, and simulating keyboard taps to produce the text content, the text content being obtained from the control library according to the category information of the control. The control library contains the operation sequences of controls and the input data bound to different controls. The control operation sequences are obtained, by statistical or machine learning methods, from large amounts of data on normal users operating APPs and from users' usage habits.
Preferably, the method further comprises:
reading the verification information that a third-party application has received from the server corresponding to the APP, and entering the verification information into the corresponding control. The third-party applications include SMS applications and mailbox applications. The verification information is generated by the server according to the text content and sent to the third-party application.
Preferably, simulating user behavior to operate the control according to its category information and position information further comprises:
when the category information of the control indicates a click-type control, sending the operation event for performing a screen tap to the event handling layer, which operates the specific input device so that the APP responds to the operation event.
An embodiment of the invention also provides an APP dynamic in-depth malicious behavior detection system, comprising a device driver layer, an operating system kernel layer, an event handling layer and user space, the user space containing the APP dynamic in-depth malicious behavior detection device described above, wherein:
the device driver layer includes touch-screen input devices, key input devices and other input devices;
the operating system kernel layer contains the message handling for input and output, converts low-level hardware input into a unified event format, and reports it to the input core;
the event handling layer passes messages sent from user space to the operating system kernel layer and contains the processing logic for specific input devices;
user space is deployed either in an environment hosted on a real phone or in a virtual sandbox hosted on a phone emulator.
The above embodiment addresses the problem that neither parsing the Android Manifest file nor the existing dynamic, static, or combined dynamic and static approaches can simulate a user's normal operating behavior and thereby trigger malicious behavior in a mobile APP. It combines the Linux kernel event message mechanism with image recognition: by learning how users habitually operate mobile APPs, it simulates the user tapping the screen to operate the APP, and collects the data the APP generates during the simulation together with the system environment data during the run. This provides effective feature data for later malicious behavior detection and thereby achieves dynamic in-depth detection of malicious APP behavior.
Brief description of the drawings
Fig. 1 is Gartner's trend chart of global mobile phone shipments for 2017-2020.
Fig. 2 is a structural schematic diagram of the APP dynamic in-depth malicious behavior detection system provided by the first embodiment of the invention.
Fig. 3 is a structural schematic diagram of the APP dynamic in-depth malicious behavior detection device provided by the second embodiment of the invention.
Fig. 4 is a flow diagram of the APP dynamic in-depth malicious behavior detection method provided by the third embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The embodiments of the invention provide an APP dynamic in-depth malicious behavior detection device, method and system that achieve dynamic in-depth detection of malicious behavior in mobile APPs.
To aid understanding of the invention, the APP dynamic in-depth malicious behavior detection system is introduced first.
Referring to Fig. 2, the first embodiment of the invention provides an APP dynamic in-depth malicious behavior detection system. The system architecture of this embodiment involves four parts: the device driver layer, the operating system kernel layer, the event handling layer and user space. Specifically:
The device driver layer 10 includes touch-screen input devices, key input devices and other input devices.
The operating system kernel layer 20 contains the message handling for input and output, converts low-level hardware input into a unified event format, and reports it to the input core.
The event handling layer 30 passes messages sent from user space to the operating system kernel layer and contains processing logic for specific input devices.
User space 40 is deployed either in an environment hosted on a real phone or in a virtual sandbox hosted on a phone emulator.
In operation, the mobile terminal's operating system supports input devices such as mouse, keyboard (keys), touch screen (single-point and multi-point) and trackball. The input event (InputEvent) generated by these input devices starts at the device driver layer and passes through the operating system kernel layer to the event handling layer. The event is finally delivered to user space, where the user space layer receives, dispatches and delivers it.
In this embodiment, user space contains the APP dynamic in-depth malicious behavior detection device, which handles the events. The working process of the device is described in detail below.
Referring to Fig. 3, the second embodiment of the invention provides an APP dynamic in-depth malicious behavior detection device, comprising:
A screen processing module 210, configured to obtain the display interface of the APP under test that is currently running on the mobile terminal.
In this embodiment, the screen processing module 210 takes a screenshot of the mobile terminal's current display interface and passes the captured content, as a picture, to the image recognition module 220 for control recognition and analysis. On smartphone operating systems such as Android and iOS, the display interface can be captured with APIs that the operating system provides, for example by using IOKit, IOMobileFramebuffer, the IOSurface framework, OpenGL, Surface, getWindow, UIView, or by capturing the screen from the hardware buffer. The screen content can also be obtained from the underlying device using root permission.
An image recognition module 220, configured to recognize the obtained display interface against a preset control feature library to find the controls on the display interface, and to obtain the category information and position information of each control.
In this embodiment, the image recognition module 220 parses the obtained display interface. Using a control feature library obtained in advance with a machine learning algorithm, it classifies and recognizes the controls present in the display interface with an image recognition algorithm. These controls include input boxes, buttons and other content that interacts with the user. For controls whose function can be subdivided, the subdivided function is also recognized. For example, after a button is recognized, the module further recognizes whether it is a confirm button or a cancel button. After the controls are recognized, their category information is passed to the control library module. The pixel position of each control on the screen is then computed, and the position information and category information are provided to the screen touch module 230.
A screen touch module 230, configured to simulate user behavior to operate the control according to its category information and position information.
Specifically, the screen touch module 230 receives the position information and category information of the controls provided by the image recognition module 220 and decides, according to the category information of a control, whether to invoke the input method component or to directly simulate a user tapping the screen. The actual screen tap is handed to the node access module 250 to execute. For an input-type control, the input method component must first be activated and the character position of each key in it computed. The module then chooses whether to switch the input method language, for example between Chinese and English, and simulates keyboard taps to produce the text content. The specific text content is determined by the data stored in the control library. For content that is not an input-type control, screen taps are performed according to the operation sequence defined in the control library.
The control library contains the operation sequences of controls and the input data bound to different controls. The control operation sequences are obtained, by statistical or machine learning methods, from large amounts of data on normal users operating APPs and from users' usage habits. The input data bound to controls mainly targets input-type controls. For example, if a control is recognized as an account input box and the account input box requires registration with a mailbox, a mailbox-type account must be obtained from the bound input data. For an input box that requires a mailbox verification code, the returned mailbox data must be obtained through the system linkage module 240.
In this embodiment, the main function of the system linkage module 240 is to obtain the verification data exchanged with commonly used third-party applications while the APP is in use, such as mobile phone verification codes and mailbox verification codes. For a phone verification code, the code can be obtained simply by acquiring permission to read SMS messages. For data that the phone itself cannot obtain, such as mailbox verification codes, a third-party interaction script must be developed to read the verification data exchanged between the APP and third-party applications such as the mailbox, and to provide it to the screen touch module 230, which enters the verification data into the corresponding control.
In this embodiment, the node access module 250 sends the messages from the screen touch module 230 to the event handling layer, which operates the specific input device. The driver files of input devices are normally located in the operating system's /dev/input/ directory, with different files corresponding to different input devices. The mobile terminal's operating system provides handling mechanisms for touch and key events, such as gesture movement, screen touch and key press. Key events differ from touch events: focus must be obtained first, and only then can movement or selection take place. On the Android operating system, events can be inspected with getevent through adb shell. Where the chip vendor provides an input driver, the GPIO interface can be wrapped to pass event messages. An input event reaches the application the user controls in the order Driver -> Inputcore -> Event handler -> userspace.
In this embodiment, the node access module 250 allows the APP to respond accordingly to the simulated user behavior produced by the screen touch module 230.
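The following added example (not code from the patent) sketches the path described above for the screen touch module 230 and the node access module 250: recognized controls and a control (widget) library are turned into an ordered list of taps, including taps on input method keys for an input-type control, and the taps are serialized as the `input_event` records that a /dev/input/ device node carries. The category names, key layout, screen geometry and sample data are constructed assumptions; the record layout assumes a 64-bit little-endian kernel and a touch device that reports coordinates in screen pixels.

```python
import struct

# Linux input event codes (linux/input-event-codes.h)
EV_SYN, EV_KEY, EV_ABS = 0x00, 0x01, 0x03
SYN_REPORT, BTN_TOUCH = 0x00, 0x14A
ABS_MT_POSITION_X, ABS_MT_POSITION_Y, ABS_MT_TRACKING_ID = 0x35, 0x36, 0x39

# struct input_event on a 64-bit little-endian kernel:
# timeval (two 64-bit fields), u16 type, u16 code, s32 value = 24 bytes
EVENT = struct.Struct("<qqHHi")

# Constructed control library: operation sequence plus the input data bound
# to input-type controls. Category names are hypothetical.
CONTROL_LIBRARY = {
    "sequence": ["account_input", "confirm_button"],
    "input_data": {"account_input": "qa"},
}

# Constructed output of the image recognition step for a 1080x1920 screen:
# category plus bounding box (left, top, right, bottom) in pixels.
RECOGNIZED = [
    {"category": "cancel_button", "box": (60, 700, 300, 820)},
    {"category": "confirm_button", "box": (340, 700, 740, 820)},
    {"category": "account_input", "box": (100, 400, 980, 520)},
]
IME_BOX = (0, 1320, 1080, 1920)                # assumed on-screen keyboard area
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed key layout


def center(box):
    left, top, right, bottom = box
    return ((left + right) // 2, (top + bottom) // 2)


def key_positions(ime_box, rows=ROWS):
    """Pixel centre of every key, assuming equal-width keys and centred rows."""
    left, top, right, bottom = ime_box
    key_w = (right - left) // max(len(r) for r in rows)
    row_h = (bottom - top) // len(rows)
    keys = {}
    for i, row in enumerate(rows):
        indent = (right - left - len(row) * key_w) // 2
        for j, ch in enumerate(row):
            keys[ch] = (left + indent + j * key_w + key_w // 2,
                        top + i * row_h + row_h // 2)
    return keys


def plan_taps(controls, library, ime_box):
    """Turn recognized controls into an ordered list of (x, y) taps."""
    by_category = {c["category"]: c for c in controls}
    keys = key_positions(ime_box)
    taps = []
    for category in library["sequence"]:
        control = by_category.get(category)
        if control is None:
            continue  # control is not on this screen
        taps.append(center(control["box"]))  # click, or focus and open the IME
        text = library["input_data"].get(category)
        if text is not None:  # input-type control: type the bound data
            missing = [ch for ch in text if ch not in keys]
            if missing:
                raise ValueError(f"no key for {missing!r}; switch IME layout")
            taps.extend(keys[ch] for ch in text)
    return taps


def tap_events(x, y, tracking_id):
    """One tap as multi-touch (protocol B style) records: touch, then lift."""
    return [
        (EV_ABS, ABS_MT_TRACKING_ID, tracking_id),
        (EV_ABS, ABS_MT_POSITION_X, x),
        (EV_ABS, ABS_MT_POSITION_Y, y),
        (EV_KEY, BTN_TOUCH, 1),
        (EV_SYN, SYN_REPORT, 0),
        (EV_ABS, ABS_MT_TRACKING_ID, -1),
        (EV_KEY, BTN_TOUCH, 0),
        (EV_SYN, SYN_REPORT, 0),
    ]


def encode(taps):
    """Serialize taps into input_event records (timestamps left at zero)."""
    records = []
    for tracking_id, (x, y) in enumerate(taps):
        records += tap_events(x, y, tracking_id)
    return b"".join(EVENT.pack(0, 0, t, c, v) for t, c, v in records)


def decode(blob):
    """Parse a byte stream back into (type, code, value) tuples."""
    return [EVENT.unpack_from(blob, off)[2:]
            for off in range(0, len(blob), EVENT.size)]


if __name__ == "__main__":
    planned = plan_taps(RECOGNIZED, CONTROL_LIBRARY, IME_BOX)
    print(planned)
    print(len(encode(planned)), "bytes of input_event records")
```

The recognized cancel button is skipped because the operation sequence in the control library does not include it, and a character with no key in the current layout raises an error, which corresponds to the point where the screen touch module would switch the input method language.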
A malicious behavior detection module 260, configured to monitor the network behavior, system behavior and file behavior of the mobile terminal's operating system while the control is being operated, to extract feature data of the environment in which the APP runs, and to detect malicious APP behavior by combining static features with dynamic features.
Further, the malicious behavior detection module 260 also has a built-in function for synchronizing the malicious behavior detection feature library. This function can synchronize detection samples from the detection backend, or sample features from other malicious APP detection systems, and format them as feature library data suitable for this system, for use in malicious behavior detection.
Implementing the invention yields the following beneficial effects:
1. The operating habits of user behavior are simulated automatically, so that the simulated operation of the APP resembles operation by a real person. Each function of the APP can be exercised more fully, which prevents deeper behaviors from going untriggered.
2. Most APPs are currently hardened by encryption or packing, which makes it difficult to analyze an APP's malicious behavior by reverse-analyzing code features. Triggering malicious behavior by simulating user behavior requires no reverse engineering of the APP.
3. Malware with anti-reverse-analysis capability can check whether its own running conditions match the operating habits of a real user scenario and whether the APP itself has been subjected to intrusive actions such as instrumentation or tampering; if they do not match, it avoids executing its sensitive logic. Detection through image recognition and screen touch performs no intrusive action on the APP and better matches how users habitually operate APPs, so malicious behavior is exposed more thoroughly during detection.
In summary, the APP dynamic in-depth malicious behavior detection device provided by the embodiment of the invention addresses the problem that neither parsing the Android Manifest file nor the existing dynamic, static, or combined dynamic and static approaches can simulate a user's normal operating behavior and thereby trigger malicious behavior in a mobile APP. It combines the Linux kernel event message mechanism with image recognition: by learning how users habitually operate mobile APPs, it simulates the user tapping the screen to operate the APP, and collects the data the APP generates during the simulation together with the system environment data during the run, providing effective feature data for later malicious behavior detection.
Referring to Fig. 4, third embodiment of the invention additionally provides a kind of APP dynamic depth malicious act detection method, packet It includes:
S301 obtains the display interface of the currently running APP to be detected of mobile terminal;
S302 is identified described aobvious to obtain based on the display interface of the pre-set control features library to acquisition Show the control on interface, and obtains the classification information and location information of the control;
S303, according to the classification information and location information of the control, the behavior of analog subscriber carries out the control Operation;
S304 is monitored and is carried out in operating process to the control, network behavior, the system row of the operating system of mobile terminal For, file behavior, and the characteristic of running environment where extracting APP, it is combined using based on static nature and behavioral characteristics Mode carry out the detection of APP malicious act.
Preferably, step S303 specifically comprises:
Obtaining the classification information of the control;
When the classification information of the control indicates an input-class control, activating the input method component, calculating the character position of each key in the input method component, simulating keyboard taps, and obtaining the text content, the text content being obtained from the widget library according to the classification information of the control; wherein the widget library includes the operation sequence of controls and the input data bound to different controls; the control operation sequence is obtained, by statistical or machine-learning methods, from a large volume of data on normal users operating APPs and from user usage habits.
Preferably, the method further comprises:
Reading the verification information, sent by the server corresponding to the APP, that a third-party application has received, and entering the verification information into the corresponding control; wherein the third-party application includes a short message application and a mailbox application; the verification information is generated by the server according to the text content and sent to the third-party application.
Preferably, S303 further comprises:
When the classification information of the control indicates a click-class control, sending the operation event that performs the screen tap to the event handling layer, which operates the specific input device so that the APP responds to the operation event.
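The following sketch illustrates step S303 for a sandbox operator; it is an added example, not code from the patent or its applicants. It turns recognized controls into an ordered list of taps (focus an input-class control, then tap the computed key positions of the input method; tap a click-class control directly) and serializes one tap as Linux `input_event` records of the kind an event handling layer would write to a touch device. The control names, coordinates, keypad layout, bound data and the exact event order are assumptions constructed for illustration; real touch drivers differ in the events they expect.

```python
import struct

# Linux input event constants (values from linux/input-event-codes.h).
EV_SYN, EV_KEY, EV_ABS = 0x00, 0x01, 0x03
SYN_REPORT, BTN_TOUCH = 0x00, 0x14A
ABS_MT_POSITION_X, ABS_MT_POSITION_Y, ABS_MT_TRACKING_ID = 0x35, 0x36, 0x39

# Constructed widget library: an operation sequence plus the input data bound
# to each input-class control. None means "supplied at run time" (the
# verification code read back from the SMS or mailbox application).
OPERATION_SEQUENCE = ["input:phone", "click:get_code", "input:code", "click:login"]
BOUND_INPUT = {"input:phone": "13800000000", "input:code": None}

KEYPAD_ROWS = ["123", "456", "789", " 0 "]  # constructed numeric keypad layout


def centre(rect):
    """Centre point of a (left, top, right, bottom) rectangle, in pixels."""
    left, top, right, bottom = rect
    return ((left + right) // 2, (top + bottom) // 2)


def key_centres(keypad_rect):
    """Map each keypad character to the centre of its key on screen."""
    left, top, right, bottom = keypad_rect
    cell_w = (right - left) // 3
    cell_h = (bottom - top) // len(KEYPAD_ROWS)
    keys = {}
    for row, chars in enumerate(KEYPAD_ROWS):
        for col, ch in enumerate(chars):
            if ch != " ":
                x0, y0 = left + col * cell_w, top + row * cell_h
                keys[ch] = centre((x0, y0, x0 + cell_w, y0 + cell_h))
    return keys


def plan_taps(controls, keypad_rect, verification_code=None):
    """Turn recognised controls {name: rect} into an ordered list of (x, y) taps."""
    keys = key_centres(keypad_rect)
    taps = []
    for name in OPERATION_SEQUENCE:
        if name not in controls:
            continue  # control was not recognised on this screen
        taps.append(centre(controls[name]))  # click it, or focus it to raise the keypad
        if name.startswith("input:"):
            text = BOUND_INPUT[name] or verification_code
            if text is None:
                raise ValueError(f"no input data available for {name}")
            for ch in text:
                if ch not in keys:
                    raise ValueError(f"keypad has no key for {ch!r}")
                taps.append(keys[ch])
    return taps


def tap_events(x, y, tracking_id):
    """One press and release as (type, code, value) multi-touch events."""
    return [
        (EV_ABS, ABS_MT_TRACKING_ID, tracking_id),
        (EV_ABS, ABS_MT_POSITION_X, x),
        (EV_ABS, ABS_MT_POSITION_Y, y),
        (EV_KEY, BTN_TOUCH, 1),
        (EV_SYN, SYN_REPORT, 0),
        (EV_ABS, ABS_MT_TRACKING_ID, -1),  # -1 lifts the contact
        (EV_KEY, BTN_TOUCH, 0),
        (EV_SYN, SYN_REPORT, 0),
    ]


def pack_events(events):
    """Serialise as struct input_event records (64-bit layout, zeroed timestamps)."""
    return b"".join(struct.pack("<qqHHi", 0, 0, t, c, v) for t, c, v in events)
```

Failing loudly when no bound data or no matching key exists keeps a run from silently skipping a login step, which would otherwise leave the behavior behind that screen unobserved.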
The fourth embodiment of the present invention further provides a mobile terminal comprising a processor, a memory, and a computer program stored in the memory; the processor can execute the computer program to implement the APP dynamic depth malicious act detection method described above.
By way of example, the computer program may be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, the instruction segments describing the execution of the computer program in the mobile terminal.
The mobile terminal may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the above components are merely an example of a mobile terminal and do not limit it; the mobile terminal may include more or fewer components than those listed, combine certain components, or use different components. For example, the mobile terminal may further include input/output devices, network access devices, a bus, and so on.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the mobile terminal and connects all parts of the entire mobile terminal through various interfaces and lines.
The memory may be used to store the computer program and/or modules; the processor implements the various functions of the mobile terminal by running or executing the computer program and/or modules stored in the memory and by calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store the operating system and the application programs required for at least one function (such as a sound playback function, an image playback function, etc.), and the data storage area may store data created through use of the mobile phone (such as audio data, a phone book, etc.). In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage device.
If the modules/units integrated in the mobile terminal are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments may also be completed by a computer program instructing the relevant hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each of the above method embodiments. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or certain intermediate forms. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and so on. It should be noted that the content included in the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.
It should be noted that the device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the device embodiments provided by the present invention, a connection between modules indicates that they have a communication connection, which may be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications are also regarded as falling within the protection scope of the present invention.

Claims (10)

1. An APP dynamic depth malicious act detection device, characterized by comprising:
a screen processing module, configured to obtain the display interface of the APP under test currently running on a mobile terminal;
a picture recognition module, configured to recognize the obtained display interface based on a preset control feature library to obtain the controls on the display interface, and to obtain the classification information and location information of each control;
a screen touch-control module, configured to simulate user behavior to operate the control according to the classification information and location information of the control;
a malicious act detection module, configured to monitor the network behavior, system behavior and file behavior of the mobile terminal's operating system while the control is being operated, to extract feature data of the running environment in which the APP resides, and to detect APP malicious behavior using a combination of static features and dynamic features.
2. The APP dynamic depth malicious act detection device according to claim 1, characterized in that
the screen touch-control module is specifically configured to:
obtain the classification information of the control;
when the classification information of the control indicates an input-class control, activate the input method component, calculate the character position of each key in the input method component, simulate keyboard taps, and obtain the text content, the text content being obtained from the widget library according to the classification information of the control; wherein the widget library includes the operation sequence of controls and the input data bound to different controls; the control operation sequence is obtained, by statistical or machine-learning methods, from a large volume of data on normal users operating APPs and from user usage habits.
3. The APP dynamic depth malicious act detection device according to claim 2, characterized by further comprising a system interlink module;
the system interlink module is configured to read the verification information, sent by the server corresponding to the APP, that a third-party application has received, and to feed the verification information back to the screen touch-control module, so that the screen touch-control module enters the verification information into the corresponding control; wherein the third-party application includes a short message application and a mailbox application; the verification information is generated by the server according to the text content and sent to the third-party application.
4. The APP dynamic depth malicious act detection device according to claim 2, characterized by further comprising a node visit module; wherein:
the screen touch-control module is further configured to:
when the classification information of the control indicates a click-class control, send the operation event that performs the screen tap to the node visit module;
the node visit module is configured to send the operation event to the event handling layer, which operates the specific input device so that the APP responds to the operation event.
5. The APP dynamic depth malicious act detection device according to claim 1, characterized in that the malicious act detection module has a built-in malicious act detection feature library synchronization function, which can synchronize the detection samples of the detection backend or the sample features in other malicious APP detection systems and format them into feature library data suitable for this system, for use in malicious act detection.
6. An APP dynamic depth malicious act detection method, characterized by comprising:
obtaining the display interface of the APP under test currently running on a mobile terminal;
recognizing the obtained display interface based on a preset control feature library to obtain the controls on the display interface, and obtaining the classification information and location information of each control;
according to the classification information and location information of the control, simulating user behavior to operate the control;
monitoring the network behavior, system behavior and file behavior of the mobile terminal's operating system while the control is being operated, extracting feature data of the running environment in which the APP resides, and detecting APP malicious behavior using a combination of static features and dynamic features.
7. The APP dynamic depth malicious act detection method according to claim 6, characterized in that
simulating user behavior to operate the control according to the classification information and location information of the control specifically comprises:
obtaining the classification information of the control;
when the classification information of the control indicates an input-class control, activating the input method component, calculating the character position of each key in the input method component, simulating keyboard taps, and obtaining the text content, the text content being obtained from the widget library according to the classification information of the control; wherein the widget library includes the operation sequence of controls and the input data bound to different controls; the control operation sequence is obtained, by statistical or machine-learning methods, from a large volume of data on normal users operating APPs and from user usage habits.
8. The APP dynamic depth malicious act detection method according to claim 7, characterized by further comprising:
reading the verification information, sent by the server corresponding to the APP, that a third-party application has received, and entering the verification information into the corresponding control; wherein the third-party application includes a short message application and a mailbox application; the verification information is generated by the server according to the text content and sent to the third-party application.
9. The APP dynamic depth malicious act detection method according to claim 7, characterized in that
simulating user behavior to operate the control according to the classification information and location information of the control further comprises:
when the classification information of the control indicates a click-class control, sending the operation event that performs the screen tap to the event handling layer, which operates the specific input device so that the APP responds to the operation event.
10. An APP dynamic depth malicious act detection system, characterized by comprising a device driver layer, an operating system kernel layer, an event handling layer and a user space; wherein the user space includes the APP dynamic depth malicious act detection device as described in claims 1 to 5; wherein:
the device driver layer includes touch-screen input devices, key input devices and other input devices;
the operating system kernel layer includes input/output message processing, converts low-level hardware input into a unified event format, and reports it to the input core;
the event handling layer passes messages sent by the user space to the operating system kernel layer, and includes the handling logic for specific input devices;
the user space is deployed in an environment hosted on a real mobile phone or in a virtual sandbox hosted on a mobile phone emulator.
CN201910007489.8A 2019-01-02 2019-01-02 APP dynamic depth malicious act detection device, method and system Pending CN109829300A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910007489.8A CN109829300A (en) 2019-01-02 2019-01-02 APP dynamic depth malicious act detection device, method and system

Publications (1)

Publication Number Publication Date
CN109829300A true CN109829300A (en) 2019-05-31

Family

ID=66861582

Country Status (1)

Country Link
CN (1) CN109829300A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104598287A (en) * 2013-10-30 2015-05-06 贝壳网际(北京)安全技术有限公司 Method and device for detecting malicious program and client side
WO2015080871A1 (en) * 2013-11-26 2015-06-04 Qualcomm Incorporated Pre-identifying probable malicious rootkit behavior using behavioral contracts
CN108073810A (en) * 2016-11-07 2018-05-25 长沙云昊信息科技有限公司 Malware dynamic detection technology is realized under a kind of Android platform
CN106874763A (en) * 2017-01-16 2017-06-20 西安电子科技大学 The Android software malicious act triggering system and method for modelling customer behavior

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110322289A (en) * 2019-06-28 2019-10-11 百度在线网络技术(北京)有限公司 A kind of anti-cheat detection method, device, server, terminal and storage medium
CN110399191A (en) * 2019-06-28 2019-11-01 奇安信科技集团股份有限公司 A kind of program graphic user interface automatic interaction processing method and processing device
CN110610089A (en) * 2019-08-16 2019-12-24 阿里巴巴集团控股有限公司 User behavior simulation method and device and computer equipment
CN110610089B (en) * 2019-08-16 2023-02-28 创新先进技术有限公司 User behavior simulation method and device and computer equipment
WO2021098327A1 (en) * 2019-11-22 2021-05-27 支付宝(杭州)信息技术有限公司 Private data protection-based method and device for abnormal collection behavior recognition
CN111859370A (en) * 2020-06-30 2020-10-30 百度在线网络技术(北京)有限公司 Method, apparatus, electronic device and computer-readable storage medium for identifying service
CN111859370B (en) * 2020-06-30 2024-05-17 百度在线网络技术(北京)有限公司 Method, apparatus, electronic device and computer readable storage medium for identifying service
CN114443467A (en) * 2021-12-20 2022-05-06 奇安信科技集团股份有限公司 Interface interaction method and device based on sandbox, electronic equipment, medium and product
CN114579455A (en) * 2022-03-09 2022-06-03 广州市智通利电子有限公司 Android software detection method and system

Similar Documents

Publication Publication Date Title
CN109829300A (en) APP dynamic depth malicious act detection device, method and system
US10951647B1 (en) Behavioral scanning of mobile applications
JP6100898B2 (en) Method and device for processing messages
CN103186740B (en) A kind of automated detection method of Android malware
CN103679031B (en) A kind of immune method and apparatus of file virus
CN106326113B (en) A kind of game data monitoring method and device
CN105512045B (en) Application program testing method and device and testing equipment
CN112685737A (en) APP detection method, device, equipment and storage medium
CN108121914A (en) A kind of document, which is divulged a secret, protects tracing system
Berthome et al. Repackaging android applications for auditing access to private data
CN106709346B (en) Document handling method and device
CN109271780A (en) Method, system and the computer-readable medium of machine learning malware detection model
CN107092830A (en) The early warning of IOS Malwares and detecting system and its method based on flow analysis
CN112084497A (en) Method and device for detecting malicious program of embedded Linux system
CN103268448B (en) The method and system of the security of detection of dynamic Mobile solution
CN110399720A (en) A kind of method and relevant apparatus of file detection
CN107644161A (en) Safety detecting method, device and the equipment of sample
EP3460704A1 (en) Virus database acquisition method and device, equipment, server and system
CN104598287B (en) Detection method, device and the client of rogue program
CN112717417A (en) Man-machine recognition method and device
Irolla et al. Glassbox: dynamic analysis platform for malware android applications on real devices
CN104965701A (en) Method and device for acquiring application information
CN114697079B (en) Method and system for detecting illegal user of application client
CN111786991B (en) Block chain-based platform authentication login method and related device
Jiang et al. Mrdroid: A multi-act classification model for android malware risk assessment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190531