CN111259382A - Malicious behavior identification method, device and system and storage medium - Google Patents


Info

Publication number
CN111259382A
Authority
CN
China
Prior art keywords
api
apis
terminal
malicious behavior
malicious
Prior art date
Legal status
Pending
Application number
CN201811448176.8A
Other languages
Chinese (zh)
Inventor
吴吞
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a malicious behavior identification method, device, system and storage medium, and relates to the technical field of information security. The malicious behavior identification method comprises the following steps: monitoring one or more target Application Programming Interfaces (APIs) in a running terminal application; in response to the terminal application calling one or more of the target APIs, recording the calling information of the terminal application for those APIs; generating a behavior sequence from the calling information of the one or more APIs; and identifying malicious behavior according to the result of matching the behavior sequence against a malicious behavior sequence library. The embodiments of the invention generate the behavior sequence by monitoring how the target APIs are called, from the security perspective of the terminal application at run time, and use it to identify malicious behavior. Thus, dynamic detection of malicious behavior is achieved. Compared with the related art, malicious behavior in the terminal application can be identified more comprehensively.

Description

Malicious behavior identification method, device and system and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a malicious behavior identification method, apparatus, system, and storage medium.
Background
The rapid development of the mobile internet has brought with it various new types of security risks. These risks touch important information such as mobile users' traffic charges, personal privacy, financial assets, business intelligence, and even national secrets. Once a security problem arises, large amounts of such resources can be covertly stolen.
In recent years, security vulnerability incidents involving mobile terminal applications have been frequent, for example the Haima Apple Helper incident in which users' Apple accounts and passwords were collected, the XcodeGhost mobile phone virus security incident, the "love helper" (FairPlay) vulnerability incident, and the like. To prevent such incidents, in the application security testing schemes of the related art, technicians tend to perform security analysis on the source code of the terminal application with an analysis tool, so as to forestall potential security threats.
Disclosure of Invention
The inventor realized that the result of the source code analysis approach in the related art is only static and cannot reveal the malicious behavior of the application at run time (Runtime). As a consequence, malicious behavior can relatively easily escape identification by the related-art scheme.
The embodiment of the invention aims to solve the technical problem that: how to more fully identify malicious behavior in the terminal application.
According to a first aspect of some embodiments of the present invention, there is provided a malicious behavior identification method, including: monitoring one or more target Application Programming Interfaces (APIs) in a running terminal application; in response to the terminal application calling one or more of the target APIs, recording the calling information of the terminal application for those APIs; generating a behavior sequence from the calling information of the one or more APIs; and identifying malicious behavior according to the result of matching the behavior sequence against a malicious behavior sequence library.
In some embodiments, the malicious behavior identification method further comprises: the reverse-engineering development tool Theos or the system-framework-modification service Xposed receives the one or more target APIs as input, so as to monitor the one or more target APIs in the running terminal application.
In some embodiments, a first terminal monitors one or more target Application Programming Interfaces (APIs) in a terminal application running on the first terminal, the first terminal being a mobile terminal; in response to the terminal application calling one or more of the target APIs, the first terminal records the calling information of the terminal application for those APIs; a second terminal generates a behavior sequence from the calling information of the one or more APIs sent by the first terminal; and the second terminal identifies malicious behavior according to the result of matching the behavior sequence against the malicious behavior sequence library.
In some embodiments, the calling information of the API includes a calling time of the API, and at least one of a calling parameter and a return value.
In some embodiments, the behavior sequence is generated by arranging the calling information of the one or more APIs other than the calling time (that is, the calling parameters and return values) in order of the calling time of the one or more APIs.
In some embodiments, the target API includes at least one of a file system read-write API, a user preference setting API, a key reading API, a cryptographic API, a system unauthorized-access API, a communication API, a pasteboard API, an inter-application data interaction API, and a configuration file operation API.
According to a second aspect of some embodiments of the present invention, there is provided a malicious behavior identification system, including: a monitoring module configured to monitor one or more target Application Programming Interfaces (APIs) in a running terminal application; a calling information recording module configured to record, in response to the terminal application calling one or more of the target APIs, the calling information of the terminal application for those APIs; a behavior sequence generation module configured to generate a behavior sequence from the calling information of the one or more APIs; and a malicious behavior identification module configured to identify malicious behavior according to the result of matching the behavior sequence against a malicious behavior sequence library.
In some embodiments, the malicious behavior identification system further comprises: a module of the system-framework-modification service Xposed, configured to receive one or more target APIs as input so as to monitor the one or more target APIs in the running terminal application.
In some embodiments, the monitoring module and the calling information recording module are located at a first terminal, and the first terminal is a mobile terminal; the behavior sequence generation module and the malicious behavior identification module are positioned at the second terminal.
In some embodiments, the calling information of the API includes a calling time of the API, and at least one of a calling parameter and a return value.
In some embodiments, the behavior sequence generation module is further configured to arrange the calling information of the one or more APIs other than the calling time in order of the calling time of the one or more APIs, so as to generate the behavior sequence.
In some embodiments, the target API includes at least one of a file system read-write API, a user preference setting API, a key reading API, a cryptographic API, a system unauthorized-access API, a communication API, a pasteboard API, an inter-application data interaction API, and a configuration file operation API.
According to a third aspect of some embodiments of the present invention, there is provided a malicious behavior identification apparatus including: a memory; and a processor coupled to the memory, the processor configured to perform any of the foregoing malicious behavior identification methods based on instructions stored in the memory.
According to a fourth aspect of some embodiments of the present invention, there is provided a computer readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements any one of the above malicious behavior identification methods.
Some embodiments of the invention described above have the following advantages or benefits: they generate the behavior sequence by monitoring how the target APIs are called, from the security perspective of the terminal application at run time (Runtime), and use it to identify malicious behavior. Thus, dynamic detection of malicious behavior is achieved. Compared with the related art, malicious behavior in the terminal application can be identified more comprehensively.
Other features of the present invention and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flow diagram illustrating a malicious behavior identification method according to some embodiments of the present invention.
Fig. 2 is a flowchart illustrating a malicious behavior recognition method according to another embodiment of the present invention.
Fig. 3 is a flowchart illustrating a malicious behavior detection method according to still other embodiments of the present invention.
Fig. 4 is a schematic structural diagram of a malicious behavior identification system according to some embodiments of the present invention.
Fig. 5 is a schematic structural diagram of a malicious behavior identification system according to another embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a malicious behavior identification apparatus according to some embodiments of the present invention.
Fig. 7 is a schematic structural diagram of a malicious behavior identification apparatus according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a flow diagram illustrating a malicious behavior identification method according to some embodiments of the present invention. As shown in fig. 1, the malicious behavior identification method of this embodiment includes steps S102 to S108.
In step S102, one or more target APIs (application programming interfaces) in the running terminal application are monitored.
The target API refers to an API that a malicious activity may use, and is generally associated with sensitive information of the user. In some embodiments, the target API includes at least one of a file system read-write API, a user preference setting API, a key reading API, a cryptographic API, a system unauthorized-access API, a communication API, a pasteboard API, an inter-application data interaction API, and a configuration file operation API. It should be clear to the skilled person that the target APIs are not limited to the types listed above; the skilled person can select them as desired.
The key reading API may be, for example, an API relating to the key management system Keychain; the communication API may be, for example, an API related to operations of the HTTP protocol, such as interception of communication data and the exchange of data parameters or messages between the terminal application and its back-end server; the inter-application data interaction API may be, for example, an operation related to the page-jump protocol URL scheme; and the configuration file operation API may be, for example, an operation related to reading or modifying an XML file.
In step S104, in response to the terminal application calling one or more of the target APIs, the calling information of the terminal application for those APIs is recorded. The call information may include, for example, the call time, call parameters and return values of the API.
In step S106, a behavior sequence is generated from the call information of one or more APIs.
In some embodiments, the behavior sequence may be generated by ordering the call information of the one or more APIs other than the call time (that is, the call parameters and return values) according to the call time. For example, if the terminal application calls API 1 and then API 2, a behavior sequence "call information of API 1 — call information of API 2" may be generated. The format of the behavior sequence may be preset.
In step S108, a malicious behavior is identified according to the matching result of the behavior sequence in the malicious behavior sequence library.
The behavior sequences of known malicious behaviors are stored in the malicious behavior sequence library. When the behavior sequence collected from the terminal application is completely consistent with at least one sequence in the library, or its similarity to one is higher than a preset threshold, it can be determined that malicious behavior exists in the terminal application. In some embodiments, the matching result between the collected behavior sequence and the sequences in the library can be determined with a string search algorithm such as the KMP algorithm.
After the steps are executed, the detection report can be automatically output according to the recognition result and a preset detection report template so as to visually present the malicious behavior recognition result.
By the method of this embodiment, the behavior sequence is generated by monitoring how the target APIs are called, from the security perspective of the terminal application at run time (Runtime), and is used to identify malicious behavior. Thus, dynamic detection of malicious behavior is achieved. Compared with the related art, malicious behavior in the terminal application can be identified more comprehensively.
In some embodiments, monitoring of the target APIs may be implemented with either the Theos (reverse-engineering development tool) framework or the Xposed (system-framework-modification service) framework. The Theos framework targets Apple's mobile operating system iOS, and the Xposed framework targets the Android mobile operating system. For example, Theos or Xposed can receive one or more target APIs as input and monitor those target APIs in a running terminal application. The monitoring process may observe the terminal application's calls to the target APIs through the Hook mechanism provided by the framework.
In some embodiments, the identification process of malicious behavior may be performed by two terminals in cooperation. An embodiment of the malicious behavior identification method according to the present invention is described below with reference to fig. 2.
Fig. 2 is a flowchart illustrating a malicious behavior recognition method according to another embodiment of the present invention. As shown in fig. 2, the malicious behavior identification method of this embodiment includes steps S202 to S210.
In step S202, the first terminal monitors one or more target application programming interfaces APIs in the terminal application running on the first terminal. The first terminal is a mobile terminal, and may be, for example, a mobile phone, a tablet computer, or the like running with an iOS or android operating system.
In some embodiments, the first terminal may receive parameters such as a target API set by a user, call information required to be obtained, and the like through the user configuration interface.
In some embodiments, the first terminal may implement the monitoring through a behavior tracking module located in the first terminal, implemented through either the Theos framework or the Xposed framework.
In step S204, in response to the terminal application calling one or more of the target APIs, the first terminal records the calling information of the terminal application for those APIs. For example, the first terminal may write this call information into a local database.
In step S206, the first terminal transmits the call information to the second terminal. The second terminal may be, for example, a computer.
In step S208, the second terminal generates a behavior sequence according to the calling information of the one or more APIs sent by the first terminal.
In step S210, the second terminal identifies a malicious behavior according to a matching result of the behavior sequence in the malicious behavior sequence library.
By the method of the embodiment, the target API can be monitored on the first terminal, and the collected calling information can be analyzed on the second terminal, so that the malicious behavior recognition efficiency can be improved.
The following describes an embodiment of the malicious behavior detection method according to the present invention with reference to a specific application scenario.
Fig. 3 is a flowchart illustrating a malicious behavior detection method according to still other embodiments of the present invention. As shown in fig. 3, the malicious behavior detection method of this embodiment includes steps S302 to S314.
In step S302, one or more target APIs in the running terminal application are monitored.
In step S304, in response to the terminal application A1 calling the address book reading API and the network data transmission API, the call information of the address book reading API and the network data transmission API is recorded.
In step S306, in response to the terminal application A2 calling the camera API, the local image library read-write API, and the network data transmission API, the call information of the camera API, the local image library read-write API, and the network data transmission API is recorded.
In step S308, in response to the terminal application A3 calling the short message reading API and the payment API, the call information of the short message reading API and the payment API is recorded.
In step S310, behavior sequences S1, S2, and S3 are generated from the call information recorded for the terminal applications A1, A2 and A3 calling the target APIs, respectively.
In step S312, the behavior sequences S1, S2, and S3 are each matched against the behavior sequences in the malicious behavior sequence library, and matching sequences M1, M2, and M3 are obtained.
In step S314, according to the malicious behaviors corresponding to the matched sequences M1, M2 and M3, the malicious behaviors suspected to exist in the terminal applications A1, A2 and A3 are determined. For example, the terminal application A1 is suspected of stealing user data; the terminal application A2 is suspected of leaking sensitive information; and the terminal application A3 is suspected of malicious fee deduction.
By the method of the embodiment, the suspected malicious behaviors of the terminal application can be effectively identified.
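The pipeline of steps S102 to S108, run over the Fig. 3 scenario (applications A1 to A3) plus a constructed application A4 that only matches by similarity and a benign A5, as an added Python example that is not the patent's own code. The call log is a constructed JSON-lines record set standing in for the call information the first terminal sends to the second terminal (S204 to S208); the field names, API names, library entries, the difflib similarity measure and the 0.8 threshold are all assumptions, since the patent fixes none of them.

```python
import json
from difflib import SequenceMatcher

# Constructed call log, in the role of the call information the first terminal
# (S204/S206) records and sends to the second terminal. Field names are assumptions.
SAMPLE_CALL_LOG = """
{"app": "A1", "time": 1001, "api": "addressbook.read", "params": {}, "ret": "contacts:200"}
{"app": "A2", "time": 1002, "api": "camera.capture", "params": {}, "ret": "ok"}
{"app": "A1", "time": 1003, "api": "network.send", "params": {"host": "collector.example"}, "ret": 0}
{"app": "A2", "time": 1004, "api": "imagelib.readwrite", "params": {"mode": "r"}, "ret": "img_0001.jpg"}
{"app": "A3", "time": 1005, "api": "sms.read", "params": {}, "ret": "1 message"}
{"app": "A2", "time": 1006, "api": "network.send", "params": {"host": "collector.example"}, "ret": 0}
{"app": "A3", "time": 1007, "api": "payment.request", "params": {"amount": 10}, "ret": "ok"}
{"app": "A4", "time": 1011, "api": "network.send", "params": {"host": "collector.example"}, "ret": 0}
{"app": "A4", "time": 1008, "api": "camera.capture", "params": {}, "ret": "ok"}
{"app": "A4", "time": 1010, "api": "file.write", "params": {"path": "/tmp/cache.bin"}, "ret": 0}
{"app": "A4", "time": 1009, "api": "imagelib.readwrite", "params": {"mode": "r"}, "ret": "img_0002.jpg"}
{"app": "A5", "time": 1012, "api": "prefs.set", "params": {"key": "theme"}, "ret": 0}
{"app": "A5", "time": 1013, "api": "file.read", "params": {"path": "/tmp/cache.bin"}, "ret": 0}
"""

# Malicious behavior sequence library (constructed; the patent does not list its entries).
# Each entry is the ordered list of target APIs that characterises one malicious behavior.
MALICIOUS_LIBRARY = {
    "stealing user data": ["addressbook.read", "network.send"],
    "sensitive information leakage": ["camera.capture", "imagelib.readwrite", "network.send"],
    "malicious fee deduction": ["sms.read", "payment.request"],
}

SIMILARITY_THRESHOLD = 0.8  # assumed value; the patent only says "a preset threshold"


def parse_call_log(text):
    """Parse one JSON call record per line (the S204 output)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_behavior_sequences(records):
    """S106: per application, order the records by call time and keep the
    remaining call information (API name, parameters, return value)."""
    sequences = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        sequences.setdefault(rec["app"], []).append(
            {"api": rec["api"], "params": rec["params"], "ret": rec["ret"]})
    return sequences


def kmp_find(pattern, text):
    """KMP search over token lists; index of the first occurrence, or -1."""
    if not pattern:
        return 0
    fail = [0] * len(pattern)  # fail[i]: longest proper border of pattern[:i+1]
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    k = 0
    for i, tok in enumerate(text):
        while k and tok != pattern[k]:
            k = fail[k - 1]
        if tok == pattern[k]:
            k += 1
            if k == len(pattern):
                return i - k + 1
    return -1


def identify_malicious_behavior(sequence, library=MALICIOUS_LIBRARY,
                                threshold=SIMILARITY_THRESHOLD):
    """S108: a library sequence found contiguously in the observed API sequence
    (KMP) is an exact match; otherwise the best similarity at or above the
    threshold counts. Returns (behavior, "exact" | "similar") or None."""
    apis = [step["api"] for step in sequence]
    for behavior, pattern in library.items():
        if kmp_find(pattern, apis) != -1:
            return behavior, "exact"
    best = None
    for behavior, pattern in library.items():
        score = SequenceMatcher(None, pattern, apis).ratio()
        if score >= threshold and (best is None or score > best[1]):
            best = (behavior, score)
    return (best[0], "similar") if best else None


def analyze(call_log_text, library=MALICIOUS_LIBRARY):
    """Run S106 and S108 over a call log; maps application -> verdict."""
    sequences = build_behavior_sequences(parse_call_log(call_log_text))
    return {app: identify_malicious_behavior(seq, library) for app, seq in sequences.items()}


if __name__ == "__main__":
    # Minimal detection report; the patent leaves the report template to the implementer.
    for app, verdict in analyze(SAMPLE_CALL_LOG).items():
        label = "no match" if verdict is None else f"{verdict[0]} ({verdict[1]} match)"
        print(f"{app}: {label}")
```

A4 shows the similarity path: an extra file write between the image read and the upload breaks the contiguous KMP match, but the sequence is still close enough to the leakage pattern to exceed the threshold.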
An embodiment of the malicious behavior identification system of the present invention is described below with reference to fig. 4.
Fig. 4 is a schematic structural diagram of a malicious behavior identification system according to some embodiments of the present invention. As shown in fig. 4, the malicious behavior recognition system 40 of this embodiment includes: a monitoring module 4100 configured to monitor one or more target application programming interface APIs in a running terminal application; a calling information recording module 4200 configured to record calling information of the terminal application to the one or more APIs in response to the terminal application calling the one or more target APIs; a behavior sequence generating module 4300 configured to generate a behavior sequence according to call information of one or more APIs; and the malicious behavior identification module 4400 is configured to identify the malicious behaviors according to the matching result of the behavior sequence in the malicious behavior sequence library.
In some embodiments, the malicious behavior identification system 40 further includes: the Theos/Xposed module 4500 is configured to receive input of one or more target APIs in order to monitor the one or more target APIs in the running terminal application. In some embodiments, the monitoring module 4100 may be located in the Theos module/Xposed module 4500.
In some embodiments, the calling information of the API includes a calling time of the API, and at least one of a calling parameter and a return value.
In some embodiments, the behavior sequence generation module is further configured to arrange the calling information of the one or more APIs other than the calling time in order of the calling time of the one or more APIs, so as to generate the behavior sequence.
In some embodiments, the target API includes at least one of a file system read-write API, a user preference setting API, a key reading API, a cryptographic API, a system unauthorized-access API, a communication API, a pasteboard API, an inter-application data interaction API, and a configuration file operation API.
An embodiment of the malicious behavior identification system of the present invention is described below with reference to fig. 5.
Fig. 5 is a schematic structural diagram of a malicious behavior identification system according to another embodiment of the present invention. As shown in fig. 5, the malicious behavior recognition system 50 of this embodiment includes: a first terminal 510 and a second terminal 520, the first terminal 510 being a mobile terminal. The monitoring module 5100 and the calling information recording module 5200 are located at the first terminal; the behavior sequence generation module 5300 and the malicious behavior identification module 5400 are located at the second terminal.
Fig. 6 is a schematic structural diagram of a malicious behavior recognition apparatus according to some embodiments of the present invention, where the malicious behavior recognition apparatus may be any apparatus related to a malicious behavior recognition method. As shown in fig. 6, the malicious behavior identification apparatus 60 of this embodiment includes: a memory 610 and a processor 620 coupled to the memory 610, wherein the processor 620 is configured to execute the malicious behavior identification method in any of the above embodiments based on instructions stored in the memory 610.
Memory 610 may include, for example, system memory and fixed non-volatile storage media. The system memory stores, for example, an operating system, application programs, a boot loader (Boot Loader), and other programs.
Fig. 7 is a schematic structural diagram of a malicious behavior recognition apparatus according to another embodiment of the present invention, where the malicious behavior recognition apparatus may be any apparatus related to a malicious behavior recognition method. As shown in fig. 7, the malicious behavior identification apparatus 70 of this embodiment includes a memory 710 and a processor 720, and may further include an input/output interface 730, a network interface 740, a storage interface 750, and the like. These interfaces 730, 740, 750, as well as the memory 710 and the processor 720, may be connected, for example, by a bus 760. The input/output interface 730 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 740 provides a connection interface for various networking devices. The storage interface 750 provides a connection interface for external storage devices such as an SD card and a USB disk.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement any one of the above malicious behavior identification methods.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (14)

1. A malicious behavior identification method, comprising:
monitoring one or more target Application Programming Interfaces (APIs) in the running terminal application;
in response to the terminal application calling the one or more target APIs, recording calling information of the terminal application to the one or more target APIs;
generating a behavior sequence according to the calling information of the one or more APIs;
and identifying the malicious behaviors according to the matching result of the behavior sequence in a malicious behavior sequence library.
2. The malicious behavior identification method according to claim 1, further comprising:
the reverse-engineering development tool Theos or the system framework modification service Xposed receives the one or more target APIs as input, in order to monitor the one or more target APIs in the running terminal application.
3. The malicious behavior identification method according to claim 1, wherein,
the method comprises the steps that a first terminal monitors one or more target Application Programming Interfaces (APIs) in terminal application running in the first terminal, wherein the first terminal is a mobile terminal;
responding to the terminal application calling the one or more target APIs, and recording calling information of the terminal application to the one or more target APIs by the first terminal;
the second terminal generates a behavior sequence according to the calling information of the one or more APIs sent by the first terminal;
and the second terminal identifies the malicious behavior according to the matching result of the behavior sequence in the malicious behavior sequence library.
4. The malicious behavior identification method according to claim 1, wherein the calling information of the API includes a calling time of the API, and at least one of a calling parameter and a return value.
5. The malicious behavior identification method according to claim 4, wherein the calling information of the one or more APIs other than the calling time is arranged in order of the calling time of the one or more APIs to generate the behavior sequence.
6. The malicious behavior identification method according to claim 1, wherein the target API includes at least one of a file system read-write API, a user preference setting API, a key reading API, an encryption API, a system privilege-escalation API, a communication API, a pasteboard API, a data interaction API between different terminal applications, and a configuration file operation API.
7. A malicious behavior identification system comprising:
the monitoring module is configured to monitor one or more target Application Programming Interfaces (APIs) in the running terminal application;
the calling information recording module is configured to respond to the calling of the one or more target APIs by the terminal application and record calling information of the one or more APIs by the terminal application;
a behavior sequence generation module configured to generate a behavior sequence according to the calling information of the one or more APIs;
and the malicious behavior identification module is configured to identify the malicious behaviors according to the matching results of the behavior sequences in the malicious behavior sequence library.
8. The malicious behavior identification system according to claim 7, further comprising:
the system framework service Xposed module is configured to receive input of one or more target APIs so as to monitor one or more target APIs in the running terminal application.
9. The malicious behavior identification system according to claim 7, wherein the monitoring module and the calling information recording module are located at a first terminal, and the first terminal is a mobile terminal; the behavior sequence generation module and the malicious behavior identification module are positioned at a second terminal.
10. The malicious behavior identification system according to claim 7, wherein the calling information of the API includes a calling time of the API, and at least one of a calling parameter and a return value.
11. The malicious behavior identification system according to claim 10, wherein the behavior sequence generation module is further configured to arrange other calling information of the one or more APIs except the calling time according to the calling time of the one or more APIs to generate a behavior sequence.
12. The malicious behavior identification system according to claim 7, wherein the target API includes at least one of a file system read-write API, a user preference setting API, a key reading API, an encryption API, a system privilege-escalation API, a communication API, a pasteboard API, a data interaction API between different terminal applications, and a configuration file operation API.
13. A malicious behavior identification apparatus comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the malicious behavior identification method of any of claims 1-6 based on instructions stored in the memory.
14. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the malicious behavior identification method according to any one of claims 1 to 6.
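The pipeline of claims 1, 4 and 5 (record calling information per hooked API, order it by call time into a behavior sequence, match the sequence against a malicious behavior sequence library), as an added Python example that is not the patent's own code. It assumes the hook on the first terminal emits one JSON object per call with an "api" name, a "time" and optional "params"/"ret" fields, that a library entry matches when its steps occur in order with unrelated calls allowed in between, and that a step may carry a predicate over the recorded parameters; the API names, labels, predicates, hostnames and log lines are constructed for the example.

```python
"""Behaviour-sequence generation and matching over hooked API calls.

Added example, not the patent's own code. Assumed: the hook emits one JSON
object per call with "api", "time" and optional "params"/"ret"; library
labels, API names, predicates and sample logs are constructed.
"""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class CallRecord:
    """Calling information of one hooked call: time plus params and/or return value."""
    api: str
    time: float
    params: Tuple[Any, ...] = ()
    ret: Any = None


def parse_hook_log(text: str) -> List[CallRecord]:
    """Parse the hook's JSON-lines output (format assumed for this example)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        records.append(CallRecord(api=obj["api"], time=float(obj["time"]),
                                  params=tuple(obj.get("params", [])), ret=obj.get("ret")))
    return records


def generate_behavior_sequence(records: Sequence[CallRecord]) -> List[CallRecord]:
    """Order the calling information by call time; sorted() is stable, so ties keep log order."""
    return sorted(records, key=lambda r: r.time)


# One step of a library pattern: API name plus an optional predicate on params/return value.
Step = Tuple[str, Optional[Callable[[CallRecord], bool]]]


def matches_ordered(sequence: Sequence[CallRecord], pattern: Sequence[Step]) -> bool:
    """True when the pattern's steps occur in order, allowing unrelated calls in between."""
    i = 0
    for rec in sequence:
        if i == len(pattern):
            break
        api, pred = pattern[i]
        if rec.api == api and (pred is None or pred(rec)):
            i += 1
    return i == len(pattern)


def _not_first_party(rec: CallRecord) -> bool:
    """Assumed parameter layout: params[0] is the destination URL of the communication API."""
    return bool(rec.params) and not str(rec.params[0]).startswith("https://app.example.com/")


# Constructed malicious behaviour sequence library; labels, API names and predicates are illustrative.
MALICIOUS_LIBRARY: Dict[str, List[Step]] = {
    "clipboard_exfiltration": [
        ("ClipboardManager.getPrimaryClip", None),
        ("Cipher.doFinal", None),
        ("HttpURLConnection.getOutputStream", _not_first_party),
    ],
    "contact_harvest": [
        ("ContentResolver.query", lambda r: "contacts" in str(r.params[:1])),
        ("HttpURLConnection.getOutputStream", _not_first_party),
    ],
}


def identify_malicious(records: Sequence[CallRecord],
                       library: Dict[str, List[Step]] = MALICIOUS_LIBRARY) -> List[str]:
    """Generate the behaviour sequence and report every library entry it matches."""
    sequence = generate_behavior_sequence(records)
    return sorted(label for label, pattern in library.items() if matches_ordered(sequence, pattern))


# Constructed hook output. Lines are deliberately out of time order, as records forwarded
# from the first terminal may be; 203.0.113.5 is a documentation address.
MALICIOUS_LOG = """
{"api": "Cipher.doFinal", "time": 3.1, "params": ["<clipboard bytes>"], "ret": "<ciphertext>"}
{"api": "ClipboardManager.getPrimaryClip", "time": 1.0, "ret": "4111 1111 1111 1111"}
{"api": "FileOutputStream.write", "time": 2.0, "params": ["/data/data/com.example.bad/files/c.txt"]}
{"api": "HttpURLConnection.getOutputStream", "time": 4.5, "params": ["http://203.0.113.5/up"]}
"""

# Same clipboard-then-encrypt prefix, but the upload goes to the app's own backend.
BENIGN_LOG = """
{"api": "ClipboardManager.getPrimaryClip", "time": 0.5, "ret": "hello"}
{"api": "Cipher.doFinal", "time": 0.9}
{"api": "HttpURLConnection.getOutputStream", "time": 1.2, "params": ["https://app.example.com/api/sync"]}
"""

if __name__ == "__main__":
    for name, log in (("malicious", MALICIOUS_LOG), ("benign", BENIGN_LOG)):
        seq = generate_behavior_sequence(parse_hook_log(log))
        print(name, [r.api for r in seq], "->", identify_malicious(parse_hook_log(log)))
```

The benign log is why claim 4 records parameters and return values and not only API names: the same three APIs in the same order are harmless when the destination is first-party, and a name-only library would flag it. Gapped ordered matching keeps a pattern matching when the application interleaves unrelated calls (the file write above), at the cost of more false positives than exact-adjacency matching on long traces.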
CN201811448176.8A 2018-11-30 2018-11-30 Malicious behavior identification method, device and system and storage medium Pending CN111259382A (en)

Publications (1)

Publication Number Publication Date
CN111259382A true CN111259382A (en) 2020-06-09

Family

ID=70951836

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905423A (en) * 2013-12-25 2014-07-02 武汉安天信息技术有限责任公司 Harmful advertisement piece detecting method and system based on dynamic behavior analysis
US9781151B1 (en) * 2011-10-11 2017-10-03 Symantec Corporation Techniques for identifying malicious downloadable applications
US20180124110A1 (en) * 2016-11-03 2018-05-03 RiskIQ, Inc. Techniques for detecting malicious behavior using an accomplice model
CN108133139A (en) * 2017-11-28 2018-06-08 西安交通大学 A kind of Android malicious application detecting system compared based on more running environment behaviors
CN108491722A (en) * 2018-03-30 2018-09-04 广州汇智通信技术有限公司 A kind of malware detection method and system

Non-Patent Citations (2)

Title
王玉良等: "基于iOS系统的恶意行为检测研究", 《电信科学》 *
黄浩华等: "静动态结合的恶意Android应用自动检测技术", 《信息安全学报》 *

Cited By (5)

Publication number Priority date Publication date Assignee Title
CN113821797A (en) * 2020-06-18 2021-12-21 中国电信股份有限公司 Security detection method and device for software development kit and storage medium
CN112463266A (en) * 2020-12-11 2021-03-09 微医云(杭州)控股有限公司 Execution policy generation method and device, electronic equipment and storage medium
CN113051560A (en) * 2021-04-13 2021-06-29 北京安天网络安全技术有限公司 Terminal behavior safety identification method and device
CN113051560B (en) * 2021-04-13 2024-05-24 北京安天网络安全技术有限公司 Safety identification method and device for terminal behaviors
CN113094710A (en) * 2021-04-19 2021-07-09 北京邮电大学 Application program detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200609