CN112685737A - APP detection method, device, equipment and storage medium - Google Patents


Info

Publication number: CN112685737A
Authority: CN (China)
Application number: CN202011550192.5A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 罗童, 梁彧, 田野, 傅强, 王杰, 杨满智, 蔡琳, 金红, 陈晓光, 尚程, 王方圆
Current assignee: Eversec Beijing Technology Co Ltd
Original assignee: Eversec Beijing Technology Co Ltd

Abstract

The embodiment of the invention discloses an APP detection method, device, equipment and storage medium. The method comprises the following steps: acquiring the running behavior of an APP running in a sandbox, as reported by detection firmware in the sandbox, where at least one layer of the system architecture of the sandbox comprises detection firmware that monitors the operation behavior in real time; detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system; and dynamically analyzing the APP through the situation analysis system. According to the embodiment of the invention, the detection firmware is added into at least one layer of the system architecture of the sandbox, so that all functions are compiled into the system firmware without later injection, and the stability and operating efficiency of the sandbox are improved. Meanwhile, the detection firmware serves as detection points at every level, giving wider detection point coverage. In addition, by dynamically detecting the APP and sending the detection result to the situation analysis system for dynamic analysis, the efficiency and accuracy of APP security detection are improved.

Description

APP detection method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to a software detection technology, in particular to an APP detection method, device, equipment and storage medium.
Background
In recent years, mobile internet Application (APP) has been widely used, and plays an irreplaceable role in promoting the development of economic society and serving the livelihood.
However, development platforms and Software Development Kits (SDKs) not only give developers wide development freedom but also introduce more security risks. Various mobile security problems keep emerging, such as forced authorization by APPs, excessive permission requests, security vulnerabilities, malicious programs, out-of-scope collection of user information, fraud, reverse engineering and decompilation, malicious code injection, application piracy, interface hijacking, SMS hijacking and the like.
Therefore, how to improve the efficiency and accuracy of APP security detection becomes an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention provides an APP detection method, device, equipment and storage medium, which can improve the APP safety detection efficiency and accuracy.
In a first aspect, an embodiment of the present invention provides an APP detection method, including:
acquiring the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox; wherein at least one layer of the system architecture of the sandbox comprises the detection firmware for monitoring the operational behavior in real time;
detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system;
and dynamically analyzing the APP through the situation analysis system.
In a second aspect, an embodiment of the present invention further provides an APP detection apparatus, including:
the behavior acquisition module is used for acquiring the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox; wherein at least one layer of the system architecture of the sandbox comprises the detection firmware for monitoring the operational behavior in real time;
the first detection result sending module is used for detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system;
and the application analysis module is used for dynamically analyzing the APP through the situation analysis system.
In a third aspect, an embodiment of the present invention further provides an APP detection device, where the APP detection device includes:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the APP detection method provided by any of the embodiments of the invention.
In a fourth aspect, embodiments of the present invention further provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the APP detection method provided in any of the embodiments of the present invention.
The method and the device for detecting the APP in the sandbox obtain a corresponding first detection result by obtaining the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox and detecting the running behavior, send the first detection result to the situation analysis system, and dynamically analyze the APP through the situation analysis system. According to the embodiment of the invention, the detection firmware is added into at least one layer of the system architecture of the sandbox, so that all functions are compiled in the system firmware without post injection, and the stability and the operation efficiency of the sandbox are improved. Meanwhile, the detection firmware is used as detection points of all levels, so that wider detection point coverage is realized. The embodiment of the invention also improves the efficiency and the accuracy of APP safety detection by dynamically detecting the APP and sending the detection result to the situation analysis system for dynamic analysis.
Drawings
Fig. 1 is a flowchart of an APP detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a detection method of an APP according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of network interaction between a mobile phone and a server according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating a network packet parsing method according to an embodiment of the present invention;
Fig. 5 is a flowchart of another APP detection method provided in the second embodiment of the present invention;
Fig. 6 is a flowchart of a detection method for a reinforced (hardened) APP according to the second embodiment of the present invention;
Fig. 7 is a flowchart illustrating a method for training a malware detection model according to the second embodiment of the present invention;
Fig. 8 is a flowchart illustrating a combined heuristic feature detection method according to the second embodiment of the present invention;
Fig. 9 is a flowchart illustrating a method for detecting out-of-scope collection of user information by a sandbox detection engine according to the second embodiment of the present invention;
Fig. 10 is a service architecture diagram of an APP panoramic situation and intelligence mining platform according to the third embodiment of the present invention;
Fig. 11 is a flowchart of a method for association analysis according to the third embodiment of the present invention;
Fig. 12 is a flowchart of consistent network-wide real-time monitoring provided by the third embodiment of the present invention;
Fig. 13 is a logic flow diagram of the process of each system in an APP panoramic situation and intelligence mining platform according to the third embodiment of the present invention;
Fig. 14 is a flowchart of another APP panoramic situation and intelligence mining platform for different data sources according to the third embodiment of the present invention;
Fig. 15 is a logic flow diagram of the data flow procedure in an APP panoramic situation and intelligence mining platform according to the third embodiment of the present invention;
Fig. 16 is a logic flow diagram of the process for scheduling detection results in an APP panoramic situation and intelligence mining platform according to the third embodiment of the present invention;
Fig. 17 is a schematic structural diagram of an APP detection apparatus according to the fourth embodiment of the present invention;
Fig. 18 is a schematic structural diagram of an APP detection device provided in the fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of an APP detection method according to an embodiment of the present invention. The embodiment is applicable to detecting an APP and analyzing it according to the detection result. The method may be executed by an APP detection apparatus, which may be implemented in software and/or hardware and configured in APP detection equipment. As shown in Fig. 1, the method includes:
and step S110, obtaining the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox.
Wherein at least one layer of a system architecture of the sandbox includes the detection firmware for monitoring the operational behavior in real time. For example, the detection firmware may be distributed in the system architecture of each layer of the sandbox through the detection code, so as to perform comprehensive detection on the operation behavior of the APP running in the sandbox. If the detection firmware is the short message operation detection firmware, the short message operation detection firmware can monitor the short message sending behavior of the APP in the sandbox in real time, and when the short message sending behavior of the APP is monitored, the short message sending behavior is obtained and reported.
The run behavior may be a behavior of the APP when running within the sandbox. For example, the operation behavior may include privacy behavior, network behavior, file operation, short message operation, and the like.
The sandbox may be compiled into complete system firmware by modifying the core source code and adding detection firmware to at least one layer of the system architecture, and may thus be a native system with a behavior detection function. The sandbox may provide a system image for the APP running within it, so that the APP can run dynamically around the clock inside the sandbox. For example, by modifying the Android core source code, the sandbox may add detection code to the application layer (Applications), the Framework layer (Framework), the libraries (Libraries), the runtime environment (Runtime) and the Linux kernel layer (Linux kernel) respectively, and compile that detection code into a complete system firmware, thereby implementing a native system with a behavior detection function. Because the monitoring function of each detection firmware is compiled into the system firmware, no later injection is needed, and the stability and operating efficiency of the sandbox are improved. Meanwhile, the detection firmware serves as detection points at every level, so wider detection point coverage is realized.
Exemplarily, Fig. 2 is a flowchart of a detection method of an APP according to an embodiment of the present invention. As shown in Fig. 2, a developer may modify the system application layer source code, the framework layer source code, the runtime environment source code and the kernel source code, generate a system image through compilation to obtain the sandbox, and write the sandbox into a virtual machine and/or a real device. The APP can then be run in the sandbox, and the application information of the APP can be loaded into the sandbox, for example information about APP stores and APPs (store names, APP names, application types, installation packages and so on) obtained by crawling and filtering. The operation behavior of the APP is then monitored through the detection firmware in the sandbox.
Sandbox cultivation is a specific implementation of monitoring APP operation behavior through sandboxes. Depending on the equipment used, sandbox cultivation can be divided into virtual machine horse farm cultivation and dedicated horse farm equipment cultivation (the "horse" in "horse farm" refers to Trojan horses; a horse farm is an environment in which samples are run and observed over time).
Virtual machine horse farm cultivation can target a specified APP and provide 24-hour long-running dynamic operation, so that the APP exhibits as much of its own behavior as possible. This helps to study the propagation characteristics and operating mechanism of mobile APPs and, on that basis, to form dynamic monitoring of the APP's file behavior, network behavior, communication behavior, system behavior and so on. In traditional sandbox Hook technology, instrumentation is inserted in the Applications, Framework, Libraries and Runtime layers of the system architecture: each key point to be detected is hooked, and when the key point is called, the hook obtains a running log, outputs it, and returns to the system source code flow. This approach, however, makes the sandbox jump repeatedly between system code and hook code, which degrades the stability and detection efficiency of the sandbox. Unlike traditional sandbox Hook technology, the method of this embodiment, which monitors the running behavior of the APP with a compiled sandbox, can place at least one detection firmware in each of Applications, Framework, Libraries, Runtime and the Linux kernel to monitor the running behavior of the APP in the sandbox in real time. The Linux kernel may include Memory Management (MM), File management (File), Driver and the like. When the detection firmware detects an operation behavior of the APP, it either acquires the behavior and then detects it, or detects it directly. The sandbox can then output the detection result directly and send it to the situation analysis system, so the jumping between system code and hook code is eliminated; this improves the stability and detection efficiency of the sandbox, the running stability of the APP, and the comprehensiveness of APP detection.
By integrating the sandbox into virtual machine horse farm cultivation, this embodiment can be adapted to a variety of real requirements and provides various efficient security detection capabilities.
In addition, because the malicious behavior of some APPs only appears after a certain running time, the APP cultivation duration supported by the sandbox can be set to 24 hours. Since more detection firmware for APP running behavior means a stronger ability to capture the APP's malicious behavior, the number of detection firmware monitoring the running APP in the sandbox can be set to not less than a preset number, such as 140. Because some APPs trigger certain operation behaviors only after specific interface operations, the sandbox can have several modes of simulated clicking to trigger different interface operations, for example not fewer than 2 simulated click modes. The sandbox can also perform integrated analysis of the APP's operation log, and according to the Ministry of Industry and Information Technology's classification of malicious programs, the number of detection and analysis results for the data in the operation log can be not less than 8. The sandbox may also obtain the communication content of the Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) protocol. The maximum cultivation duration of virtual machine horse farm cultivation can exceed 100 days.
Dedicated horse farm equipment cultivation can integrate a preset number of development boards into a server, with a computer motherboard configured in the server as the control hardware. For example, the server for dedicated horse farm equipment cultivation can be obtained by integrating 12 high-performance RK3399 development boards into a 2U server chassis and then configuring a Personal Computer (PC) motherboard in the chassis as the control hardware. The sandbox is integrated into the development boards, so it can meet a variety of real requirements, run 12 channels in parallel, and provide various efficient security detection capabilities. The development board can include various hardware and interfaces and can faithfully simulate the state of that hardware while a mobile phone is running. By building the dedicated horse farm equipment from hardware, this embodiment can provide the dedicated equipment with 3G, 4G, Wi-Fi and wired network environments. Since more monitoring firmware for APP running behavior means a stronger ability to capture the APP's malicious behavior, the number of monitoring firmware for the running APP in the sandbox of the dedicated horse farm equipment can be not less than a preset number, such as 140. The sandbox may also support 3D rendering. APP graphics are rendered in two forms, 2D and 3D, depending on the technical architecture, and the rendering modes of games and similar APPs all require the sandbox to be compatible with both 2D and 3D. A traditional sandbox, being a virtual machine, often causes such APPs to crash or exit because their graphics are not supported, so monitoring cannot be comprehensive; this problem is solved by the sandbox in the dedicated horse farm equipment cultivation of this embodiment. Because some APPs trigger certain operation behaviors only after specific interface operations, the sandbox can have several modes of simulated clicking to trigger different interface operations, for example not fewer than 2 simulated click modes. The sandbox can also perform integrated analysis of the APP's operation log, and according to the Ministry of Industry and Information Technology's classification of malicious programs, the number of detection and analysis results for the data in the operation log can be not less than 8. The sandbox may also obtain the communication content of the HTTPS protocol. The maximum cultivation duration of dedicated horse farm equipment cultivation can exceed 100 days.
By realizing dedicated horse farm equipment cultivation with hardware, this embodiment solves the problems that APPs crash or exit when run in a traditional sandbox because of differing versions, development frameworks and similar factors, and that many APPs have emulator detection mechanisms and exit automatically when run in an emulator. By detecting the APP in a more realistic environment, this embodiment ensures that the APP runs normally, triggers more behaviors, and is detected comprehensively. The dedicated horse farm equipment of this embodiment discards the Universal Serial Bus (USB) link mode, dedicated phone racks and the like of a traditional mobile phone sandbox, so the connection is simpler. As an integrated chassis device, it does not have the limitation that a single server cannot connect to too many phone devices (generally no more than 15). The dedicated horse farm equipment can be installed directly in a machine room with no fire safety hazard, which solves the problem that a traditional mobile phone sandbox contains batteries, carries risks such as battery explosion, and therefore cannot be installed in a machine room. Because the sandbox is installed in the machine room, there is no data interaction problem either; this solves the problems that a traditional mobile phone sandbox can only be placed outside the machine room, that data interaction with the machine room servers is difficult owing to the data confidentiality principle of the data machine room, and that compatibility has to be specially developed.
And S120, detecting the operation behavior to obtain a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system.
Specifically, detection rules of each operation behavior are set in the sandbox detection engine, after the APP operation behavior reported by the detection firmware is obtained, the corresponding detection rules are adopted to detect the APP operation behavior reported by the detection firmware, a first detection result corresponding to the operation behavior is obtained, and the first detection result is sent to the situation analysis system. For example, the first detection result may be output in the form of a report and sent to the situation analysis system.
Optionally, the running behavior of the APP running in the sandbox is collected by detection firmware in the sandbox, the detection firmware itself detects the running behavior to obtain the first detection result corresponding to it, and the first detection result is sent to the situation analysis system. By placing the detection rules inside the detection firmware, both the collection and the detection of APP running behavior are performed by the detection firmware.
When the detection firmware in the sandbox collects an operation behavior of the APP, it can detect that behavior directly and send the detection result to the situation analysis system. Detecting the APP's operation behavior directly in the detection firmware improves detection efficiency, and because what is output is the detection result rather than the raw operation behavior, the volume of transmitted data is reduced.
Optionally, the detection firmware includes at least one of privacy behavior detection firmware, network behavior detection firmware, file operation detection firmware, short message operation detection firmware, command line detection firmware, audio/video recording and camera detection firmware, and user data reading detection firmware;
the privacy behavior detection firmware is used for monitoring the user privacy information acquired by the APP in real time. For example, the privacy behavior detection firmware can monitor behaviors of the APP in real time, such as obtaining a serial number, a geographic position, an address book, a call record, short message information, a photo and a browser bookmark of a user.
The network behavior detection firmware is configured to monitor a destination internet protocol address (IP) and a destination port of the APP access in real time. For example, the network behavior detection firmware may monitor in real time which IPs the APP has accessed, and the port information accessed, etc.
And the file operation detection firmware is used for monitoring the file operation of the APP in real time. For example, the file operation detection firmware may monitor file operations of the APP in real time, such as creating files, reading and writing files, deleting files, creating directories, deleting directories, and the like.
The short message operation detection firmware is used for monitoring a short message sending behavior, a multimedia message sending behavior and a short message intercepted behavior of the APP in real time.
The command line detection firmware is used for monitoring, in real time, the command line tools called by the APP. For example, the command line detection firmware may monitor which tools the APP calls, such as the Switch User (SU) privilege elevation tool and the Package Management (PM) package manager tool.
The audio and video recording and camera detection firmware is used for monitoring whether the APP has behaviors of opening the camera and recording the audio and video in real time. The audio and video recording and camera detection firmware can monitor whether the APP has behaviors of opening the camera and recording the audio and video.
The user data reading detection firmware is used for monitoring the dynamic reading state of the APP to the user data in real time so as to detect whether the user data is stolen.
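As an added example (not the patent's own code) of step S120 applied to the firmware types listed above: a small detection engine holds one rule per reporting firmware, matches each reported behavior against the rules of its firmware, and assembles the "first detection result" that would be sent to the situation analysis system. The firmware names, rule names, severities and sample behavior log are assumptions constructed for illustration.

```python
# Added example (not the patent's own code): per-firmware detection rules
# applied to run-time behaviors reported by the sandbox detection firmware.
# Firmware names, rule names and severities are assumed for illustration.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Behavior:
    firmware: str            # reporting firmware: privacy, network, file, sms, command_line, camera, user_data
    action: str              # what the APP did
    detail: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    severity: str            # "high" / "medium" / "low"
    behavior: Behavior


PRIVACY_ITEMS = {"imei", "location", "contacts", "call_log", "sms", "photos", "bookmarks"}


def _privacy(b):
    return b.action == "read" and b.detail.get("item") in PRIVACY_ITEMS


def _network(b):
    return b.action == "connect" and "dst_ip" in b.detail and "dst_port" in b.detail


def _file_destructive(b):
    return b.action in {"delete_file", "delete_dir"}


def _sms(b):
    return b.action in {"send_sms", "send_mms", "intercept_sms"}


def _privileged_tool(b):
    return b.action == "exec" and b.detail.get("tool") in {"su", "pm"}


def _camera(b):
    return b.action in {"open_camera", "record_audio", "record_video"}


def _user_data(b):
    return b.action == "read_user_data"


# (rule name, firmware that reports it, predicate, severity)
RULES = [
    ("privacy_collection", "privacy", _privacy, "medium"),
    ("network_access", "network", _network, "low"),
    ("destructive_file_op", "file", _file_destructive, "medium"),
    ("sms_operation", "sms", _sms, "high"),
    ("privileged_tool_call", "command_line", _privileged_tool, "high"),
    ("av_capture", "camera", _camera, "high"),
    ("user_data_read", "user_data", _user_data, "medium"),
]


def detect(behaviors):
    """Match each reported behavior against the rules of the firmware that reported it."""
    findings = []
    for b in behaviors:
        for name, fw, pred, severity in RULES:
            if b.firmware == fw and pred(b):
                findings.append(Finding(name, severity, b))
    return findings


def first_detection_result(app_name, behaviors):
    """Build the report that is sent to the situation analysis system."""
    findings = detect(behaviors)
    risk = "high" if any(f.severity == "high" for f in findings) else ("medium" if findings else "low")
    return {
        "app": app_name,
        "behaviors_reported": len(behaviors),
        "findings": [{"rule": f.rule, "severity": f.severity,
                      "action": f.behavior.action, **f.behavior.detail} for f in findings],
        "severity_counts": dict(Counter(f.severity for f in findings)),
        "risk": risk,
    }


# Constructed behavior log, in the shape the detection firmware would report it.
SAMPLE_BEHAVIORS = [
    Behavior("privacy", "read", {"item": "contacts"}),
    Behavior("privacy", "read", {"item": "wallpaper"}),          # not a privacy item: no finding
    Behavior("network", "connect", {"dst_ip": "203.0.113.7", "dst_port": 443}),
    Behavior("file", "create_file", {"path": "/sdcard/cache.tmp"}),  # not destructive: no finding
    Behavior("sms", "send_sms", {"count": 1}),
    Behavior("command_line", "exec", {"tool": "su"}),
    Behavior("camera", "open_camera", {}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(first_detection_result("sample.apk", SAMPLE_BEHAVIORS), indent=2))
```

Keeping the rules keyed by reporting firmware mirrors the page's design choice of placing detection rules in (or next to) each firmware: only the result, not the raw behavior stream, leaves the sandbox.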
Optionally, the sandbox may also monitor the running state of the APP in real time, intercept and store the APP running interface.
Optionally, the sandbox can also defeat emulator detection. For example, some APPs check the system environment at run time and exit automatically when they find they are running in an emulator. Because the sandbox is built from a system image, every parameter of the system's hardware environment can simulate the running environment of a real device, which effectively solves the problem that such APPs cannot run in an emulator.
Optionally, for the case where the detection firmware is user data reading detection firmware, detecting the operation behavior to obtain a first detection result and sending the first detection result to the situation analysis system may include:
acquiring a network data packet from an Input/Output (IO) function based on the modified open source project system; the modified open source project system is used for intercepting the network data packet before the network data packet is encrypted by a tunnel;
identifying the type of the network data packet, and identifying the message data of the network data packet according to the type;
detecting whether sensitive data exists in the message data;
and taking a detection result as a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system.
The modified open-source project system can be obtained by modifying the source code of the open-source project system by a developer. For example, a developer may modify a Source code of an Android Open-Source Project (AOSP) system, so that the AOSP system can intercept plaintext data sent by an application layer from an upstream of a data stream, that is, before a network data packet is encrypted through a tunnel, to acquire the network data packet.
Exemplarily, Fig. 3 is a schematic diagram of network interaction between a mobile phone and a server according to an embodiment of the present invention. As shown in Fig. 3, the code of the AOSP system may be modified between the Hypertext Transfer Protocol (HTTP) layer and the Transport Layer Security (TLS) layer so that the original plaintext data of the network packet is obtained directly from an IO function. By acquiring the plaintext of the HTTPS data exchange, it is identified whether the APP acquires sensitive data and, specifically, which sensitive data it acquires.
The type of the network packet may be determined from the protocol of the network packet. For example, the protocol of the network packet may be HTTP, the Simple Mail Transfer Protocol (SMTP), the File Transfer Protocol (FTP), the remote terminal protocol (TELNET), and the like. The type of the network packet can be identified by analyzing the port in the network packet: for example, SMTP packets generally use port 25 and HTTP packets generally use port 80. Alternatively, when identifying an HTTP packet, it may be analyzed whether the state of the Transmission Control Protocol (TCP) connection is past the three-way handshake, and if so, the packet may be determined to be an HTTP packet. Alternatively, a keyword of the application layer of the network packet may be analyzed and the type determined from the keyword; for example, the keyword may be the characters HTTP or SMTP.
The message data of the network data packet may be message data obtained by parsing the network data packet. For example, parsing the network data packet of the HTTP protocol may obtain HTTP message data, and parsing the network data packet of the SMTP protocol may obtain SMTP message data.
Exemplarily, Fig. 4 is a flowchart of a network packet parsing method according to an embodiment of the present invention. As shown in Fig. 4, a network packet to be parsed, for example a packet in packet capture (pcap) format, is input, and the type of the network packet is determined by loading the packet capture (libpcap) library. If the network packet is an HTTP packet, it is parsed according to the HTTP protocol to obtain HTTP message data. If the network packet is an SMTP packet, it is parsed according to the SMTP protocol to obtain SMTP message data.
Currently, in the dynamic detection of an APP, whether the APP collects user sensitive data, and which sensitive data specifically, is an important detection index for APP supervision, and the data transmission behind these behaviors is in most cases carried out over the HTTP/HTTPS network protocols. Therefore, monitoring of network packets of the APP is mainly monitoring of the APP's network data flow while it runs: after the APP completes a Socket connection, the network packets the APP uploads to the server side are captured by monitoring the Application Programming Interface (API) of the network link's output stream. The Uniform Resource Locator (URL) address and data type of the network packet may also be tagged automatically.
Existing network communication typically uses HTTPS encrypted channels instead of HTTP plaintext transmission, and most sensitive or important data is transmitted over HTTPS encrypted channels. However, only encrypted, meaningless binary strings can be obtained from the TCP packets. Therefore, for HTTPS data monitoring, rather than a man-in-the-middle approach, the handshake flow of the HTTPS protocol (certificate authentication, key agreement and so on) is bypassed, and the original network packet is captured directly at the data flow level, that is, upstream of the data flow, where it is present in direct plaintext. This also solves the problem of functional failure in a mutual (bidirectional) authentication scenario, and thereby achieves monitoring of HTTPS data. In this embodiment, the network packets of the APP's communication are captured and parsed to obtain the key data, and sensitive information detection is then performed, where the sensitive information may include the mobile phone number, SMS, address book, call records, IMEI, IMSI, address and so on. By detecting whether the APP's network packets contain sensitive information, it is judged whether the APP exhibits the illegal high-risk behavior of acquiring user information.
Optionally, a network connection attribute corresponding to the network data packet is detected based on the message data, so as to determine whether the network data packet belongs to a third-party Software Development Kit (SDK) according to the network connection attribute.
When identifying the type of a network data packet: a third-party SDK may, for example, use a custom protocol that carries a unique identifier of that SDK, so once the protocol in the network data packet is determined, it can be determined whether the packet originates from the third-party SDK.
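The packet-level check described above (URL and data type tagging, sensitive-data detection, and third-party SDK attribution via a custom protocol identifier), as an added illustration that is not part of the patent's own implementation. It assumes the packets have already been captured in plaintext upstream of encryption; the regexes, the hypothetical `X-SDK-Id` header, the SDK identifier table and the sample packets are all constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical rule set (not from the patent): regexes for the sensitive data types the
# text names. Phone numbers are matched directly; 15-digit tokens are classified below
# as IMSI or IMEI, because both are 15 digits long.
PHONE_RULE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")
FIFTEEN_DIGIT_RULE = re.compile(r"(?<!\d)\d{15}(?!\d)")
ADDRESS_BOOK_RULE = re.compile(r'"(contacts|address_book)"\s*:')
IMSI_MCC_PREFIX = "460"  # constructed assumption: the sandbox's SIMs use MCC 460

# Constructed table of third-party SDK identifiers carried in a custom protocol header.
SDK_HEADER = "x-sdk-id"  # hypothetical header name used by the custom protocol
SDK_IDENTIFIERS = {"adsdk-7f3a": "ExampleAdSDK", "stat-2b91": "ExampleAnalyticsSDK"}


def luhn_ok(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; IMSIs do not. Used to tell the two apart."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_15_digits(token: str) -> Optional[str]:
    if token.startswith(IMSI_MCC_PREFIX):
        return "imsi"
    if luhn_ok(token):
        return "imei"
    return None  # 15 digits that are neither: ignored


@dataclass
class PacketReport:
    url: str
    data_type: str
    sensitive: Dict[str, List[str]] = field(default_factory=dict)
    third_party_sdk: Optional[str] = None


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a plaintext HTTP request into request path, lowercase headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers, body


def inspect_packet(raw: str) -> PacketReport:
    """Tag URL and data type, find sensitive data, and attribute the packet to an SDK."""
    path, headers, body = parse_request(raw)
    report = PacketReport(
        url=f"https://{headers.get('host', '')}{path}",
        data_type=headers.get("content-type", "unknown"),
    )
    found: Dict[str, set] = {}
    for m in PHONE_RULE.findall(body):
        found.setdefault("phone_number", set()).add(m)
    for m in FIFTEEN_DIGIT_RULE.findall(body):
        kind = classify_15_digits(m)
        if kind:
            found.setdefault(kind, set()).add(m)
    for m in ADDRESS_BOOK_RULE.findall(body):
        found.setdefault("address_book", set()).add(m)
    report.sensitive = {k: sorted(v) for k, v in found.items()}
    sdk_id = headers.get(SDK_HEADER)
    if sdk_id in SDK_IDENTIFIERS:
        report.third_party_sdk = SDK_IDENTIFIERS[sdk_id]
    return report


def is_high_risk(report: PacketReport) -> bool:
    """The page's criterion: any sensitive data leaving the device is high-risk behaviour."""
    return bool(report.sensitive)


# Constructed sample packets as the monitoring point would see them, already in plaintext.
SAMPLE_PACKETS = [
    "POST /api/v1/report HTTP/1.1\r\nHost: collect.example.com\r\n"
    "Content-Type: application/json\r\nX-SDK-Id: stat-2b91\r\n\r\n"
    '{"phone":"13800138000","imei":"490154203237518","imsi":"460001234567890",'
    '"contacts":[{"name":"A","tel":"13900139000"}]}',
    "GET /heartbeat?ts=1700000000 HTTP/1.1\r\nHost: api.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        r = inspect_packet(raw)
        print(r.url, r.data_type, r.sensitive, r.third_party_sdk, is_high_risk(r))
```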
Step S130, dynamically analyzing the APP through the situation analysis system.
Specifically, after the situation analysis system obtains a first detection result, it dynamically analyzes the operation behavior of the APP according to the first detection result. The situation analysis system can be a system that performs situation analysis of APPs. For example, it can draw a nationwide distribution map according to the city in which each APP is filed (recorded), and can also display and analyze the trends and distributions of APPs from the aspects of the overall situation, the malicious program situation, the illegal violation risk situation, the security vulnerability situation and the like.
Optionally, the dynamically analyzing the APP by the situational analysis system includes at least one of:
according to a first detection result and city information of each APP, performing city safety situation analysis on the APPs of each city through the situation analysis system;
according to a first detection result and development information of each APP, performing development situation analysis on all APPs running in each sandbox through the situation analysis system;
and for a risk detection result in the first detection result, determining the risk APP corresponding to that risk detection result through the situation analysis system and carrying out risk situation analysis on the risk APP.
Illustratively, according to the first detection result and the city information of each APP, the APPs of each city are subjected to security panorama situation analysis using per-city statistics. The overall situation of APPs across the whole network can be analyzed according to the development information of each APP, where the development information indicates development-related information of the APP, for example the number of developers, the overall communication address and the filing (record) place. Basic information situation analysis can further be carried out on the APPs, including APP industry distribution, APP distribution by province, threat metadata statistics, reinforcement manufacturer statistics, and the day-to-day trend of total and malicious APPs. Malicious program situation analysis can also be performed, including statistics such as risk level ratio, malicious program APP industry distribution, APP application store distribution, malicious program type ratio, APP family statistics, and malicious APP trends. Security risk vulnerability situation analysis can be performed, including security risk APP industry analysis, APP distribution by province, APP vulnerability trend, vulnerability statistics, security risk type statistics and the like. Illegal violation risk situation analysis can also be performed, including illegal violation APP industry distribution, external server attribution statistics, illegal violation risk trend, risk type statistics, SDK type statistics and the like.
This embodiment obtains the running behavior of the APP running in the sandbox as reported by the detection firmware in the sandbox, detects that running behavior to obtain a corresponding first detection result, sends the first detection result to the situation analysis system, and dynamically analyzes the APP through the situation analysis system. According to the embodiment of the invention, the detection firmware is added into at least one layer of the system architecture of the sandbox, so that all functions are compiled into the system firmware without post-injection, and the stability and the operating efficiency of the sandbox are improved. Meanwhile, the detection firmware serves as the detection point of every level, so wider detection point coverage is realized. The embodiment of the invention also improves the efficiency and the accuracy of APP safety detection by dynamically detecting the APP and sending the detection result to the situation analysis system for dynamic analysis.
Example two
Fig. 5 is a flowchart of another APP detection method provided in the second embodiment of the present invention; this embodiment is optimized based on the foregoing embodiment. As shown in fig. 5, the method may be executed by an APP detection engine, which carries out multi-dimensional detection on the APP. For example, the detection engines may include a dynamic detection engine, a malware detection engine, a combined feature heuristic detection engine, a text detection engine, an image detection engine and other detection engines. The dynamic detection engine may include a sandbox detection engine, which may be used to perform the detection steps in embodiment one. The APP detection method provided by this embodiment includes:
step S201, obtaining the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox.
Wherein at least one layer of a system architecture of the sandbox includes the detection firmware for monitoring the operational behavior in real time.
Step S202, detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system.
Step S203, obtaining an APP package of the APP.
The APP package may be used to distribute and install APPs and middleware. For example, for APP on an Android system, the APP Package may be an Android APP Package (APK).
Step S204, detecting whether a reinforced field exists in the APP packet of the APP, if so, executing step S205, otherwise, executing step S208.
The reinforcement field is used to identify that the APP is reinforced (packed). Reinforcement fields can be obtained by analyzing and refining the fixed reinforcement characteristics left by the reinforcement method of each reinforcement manufacturer. Scanning whether a reinforcement field exists in the APP package makes it possible to accurately judge and output the reinforcement mode. The purpose of reinforcement protection is to protect the APP from being illegally modified or decompiled: when the APP is reverse-analyzed, only the section of program responsible for protection can be obtained, not the APP source code. At the same time, many malicious APPs also use reinforcement to evade security software and hinder analysis by security analysts; therefore, by automatically unshelling the APP, its source code can be obtained and analyzed.
Step S205, performing an unshelling operation on the APP package to generate an unshelled APP package.
The unshelling operation may unshell the APP package through an unshelling sandbox, which is used to unshell the reinforced APP within the sandbox. For example, at APP runtime the original dex file or the original class methods are decrypted and executed at a certain stage; the unshelling sandbox may dump the key dex file structure and key class code data at that point and then restore the data to the original dex file through a certain amount of patching. Since the APP may have been reinforced multiple times, the unshelled APP package may not be completely unshelled, so the number of times step S205 has been executed is recorded while or after the unshelling operation is performed.
Step S206, determining whether the execution times of step S205 satisfy a preset condition, if yes, executing step S207, otherwise, returning to execute step S204.
The preset condition can be set differently according to experience with APP reinforcement. For example, the common reinforcement modes of APPs are counted, and different execution counts are preset according to those common reinforcement modes. For example, for APPs reinforced twice, the preset condition may be set to more than 2 times.
Step S207, for a target APP packet generated when the execution times meet a preset condition, when an analysis instruction of the target APP packet is received, a dex file of the target APP packet is analyzed, the dex file is detected according to an analysis result to obtain a second detection result, and the second detection result is sent to a situation analysis system.
The executable binary (dex) file may be an executable file obtained after performing at least one shell removal operation on the APP package.
Analysis of the dex file of the target APP package can be implemented by analyzing the execution logic of the dex file through a heuristic sub-engine, a virus sub-engine, a sensitive word sub-engine and the like. The heuristic sub-engine may be used to detect behavioral characteristics of the APP, the virus sub-engine may be used to detect whether the APP is a virus APP, and the sensitive word sub-engine may be used to detect whether the APP contains sensitive words.
Step S208, detecting the APP package to obtain a second detection result, and sending the second detection result to the situation analysis system.
Exemplarily, fig. 6 is a flowchart of a detection method for reinforced APPs according to the second embodiment of the present invention. As shown in fig. 6, to fully automate unshelling, after finding a reinforced APP the static detection engine on the one hand executes its original parsing and detection process and returns the result to the situation analysis system; on the other hand, it automatically forwards the APP to the dynamic detection engine and triggers an unshelling task. After receiving the unshelling task, the dynamic detection engine performs the unshelling operation on the APP and returns the generated unshelled file to the situation analysis system. After receiving the unshelled file returned by the dynamic detection engine, the situation analysis system creates a new task and sends it to the dex scanning sub-engine of the static detection engine again. The dex scanning sub-engine of the static detection engine parses all dex files in the unshelled file, detects the execution logic of the dex files through the heuristic sub-engine, virus sub-engine and sensitive word sub-engine, and returns the result to the situation analysis system. The situation analysis system integrates the detection results of the two detection tasks to generate a complete report. The static detection engine can be used to analyze and detect the static characteristics of the APP, and the dynamic detection engine can be used to analyze and detect the dynamic characteristics and/or the static characteristics of the APP.
Wherein, steps S201 to S208 may be performed by the dynamic detection engine. Steps S201 to S202 may be performed by a sandbox detection engine among the dynamic detection engines.
Step S209, extracting static features and/or dynamic features of the APP, and constructing a feature vector to be detected according to the static features and/or the dynamic features.
The static features are extracted from the APP package of the APP, and the dynamic features are extracted from the first detection result. A static feature is a feature of the APP that is stable; for example, static features may include behavior features, family features, virus common string features and permission features. Behavior features indicate the stable behavioral characteristics in the running behavior of the APP and may include, for example, 55 behavior features. Family features indicate characteristics of the family to which the APP belongs and may include, for example, 4 common classes of family features. Virus common string features indicate string characteristics carried by virus programs and may include, for example, 15 types of string features such as mobile phone numbers. Permission features indicate permission-related characteristics used in the APP and may include, for example, 128 × 3 permission features, along the three aspects of whether a permission is applied for, whether it is used and whether it is a privacy permission. A dynamic feature is a feature of the APP that changes during operation.
Illustratively, 458 static features and 77 dynamic features are extracted to construct a feature vector containing 535 features, wherein the first 458 static features represent static information and the last 77 dynamic features represent dynamic information.
The existing malicious APP analysis approach mainly relies on static and dynamic sandboxes to extract code and behavior characteristics from existing application information, with identification rules determined from experience and the effectiveness of the rules lacking validation. Moreover, such rules can only detect malicious programs already collected in the feature library and cannot identify unknown malicious application information. Using machine learning and deep learning therefore facilitates automatic identification of massive numbers of APPs and helps discover unknown malicious APPs that existing APP detection engines cannot identify.
Step S210, inputting the feature vector to be detected to a malicious program detection model, judging whether the APP is a malicious program or not through the malicious program detection model, taking a judgment result as a third detection result, and sending the third detection result to a situation analysis system.
The malicious program detection model is obtained by training a binary classification algorithm, a neural network algorithm, a clustering algorithm and an anomaly detection algorithm on the static feature samples, the dynamic feature samples and the malicious feature samples. The binary classification algorithm judges whether a program is a malicious program; for example, it may be a random forest algorithm or an eXtreme Gradient Boosting (XGBOOST) algorithm. The neural network algorithm and the clustering algorithm identify and determine the family to which a feature sample belongs; for example, the neural network algorithm may be a Convolutional Neural Network (CNN) algorithm, and the clustering algorithm, which clusters the feature samples, may be a K-means clustering algorithm. The anomaly detection algorithm detects whether malicious application samples of unknown types exist among the feature samples.
Exemplarily, fig. 7 is a workflow diagram of a malware detection model training method according to the second embodiment of the present invention. As shown in fig. 7, a normal application sample set and a malicious application sample set are collected from a sample library; features such as sensitive permissions, sensitive API function call sequences, file name strings, SO file names, malicious program common string vectors and file size are extracted from each set; black/white binary classification is performed with random forest and XGBOOST; multi-class family recognition is performed with a convolutional neural network and K-means clustering; black samples of unknown type are found through anomaly detection; the results of the various algorithms are cross-verified; and finally the sample set is updated according to the recognition results.
The online machine learning and deep learning method provided by this embodiment addresses the problem that malicious program samples change too quickly (due to upgrading, updating, management, control, crackdowns and the like), their features shift too much, and an offline-trained model therefore becomes outdated very fast. Based on the sample detection results fed back by the malicious program detection engine and other third-party detection engines, whenever the model's deviation reaches a preset condition, the erroneous samples are automatically added to the training set, training is restarted, and the model is upgraded online. The preset condition may be a set threshold.
Wherein, steps S209 to S210 may be performed by the malware detection engine.
This embodiment builds the feature vector by unifying the multiple classes of features of the APP package, extracts features that reflect malicious program behavior in several ways, can automatically identify whether an APP is a malicious program, and makes unknown malicious APPs easier to recognize.
Step S211, carrying out format screening on the executable files of the APP package to obtain the executable file to be detected which meets the preset file format condition.
The executable file is a file which can be loaded and executed by the system. The executable file to be detected satisfying the preset file format condition may be an executable file including API information.
Step S212, static reverse analysis is carried out on the executable file to be detected, and interface static parameter information and an interface calling sequence are obtained.
Static reverse analysis may be used to parse the executable file to be detected and to parse information associated with the interface therefrom. For example, API call information, API static parameter information, API call sequences, and the like may be parsed.
Step S213, performing sensitive parameter identification on the interface static parameter information according to a preset malicious character string rule to obtain a first identification result.
Fig. 8 is a flowchart of a combined feature heuristic detection method according to a second embodiment of the present invention. As shown in fig. 8, the API static parameter information is input into the sensitive parameter identification module, and the API static parameter information is identified according to the malicious character string rule, so as to obtain a first identification result.
Step S214, fine-grained behavior parameters in the interface static parameter information are identified, and behavior pattern identification is respectively carried out on the fine-grained behavior parameters and the interface calling sequence according to a preset normal fine-grained behavior pattern rule and a preset malicious behavior pattern rule, so that a second identification result is obtained.
As shown in fig. 8, the API static parameter information is input into the fine-grained behavior parameter recognition module and then input into the behavior pattern recognition module, the API call sequence is input into the behavior pattern recognition module, and the fine-grained behavior parameter and the API call sequence are respectively pattern-recognized in the behavior pattern recognition module according to the preset normal fine-grained behavior pattern rule and the preset malicious behavior pattern rule, so as to obtain a second recognition result.
Step S215, taking the first recognition result and the second recognition result as a fourth detection result, and sending the fourth detection result to a situation analysis system.
Wherein, steps S211 to S215 can be executed by the combined feature heuristic detection engine.
In the embodiment, the high-risk sample in the unknown sample can be effectively detected by performing the detection of the malicious behavior pattern on the sample to be detected based on the API function calling information, the API calling parameters, the API calling sequence and the like of the APP and by combining the permission application condition and the behavior characteristics of common malicious programs.
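The combined feature heuristic flow of steps S211 to S215 (sensitive parameter identification on API static parameters, fine-grained behaviour parameter identification, and behaviour pattern recognition over the API call sequence, combined with the declared permissions), as an added illustration that is not the patent's own code. The API call sequence, permission set, malicious string rules, behaviour rules and pattern rules are all constructed and hypothetical.

```python
import re
from typing import Dict, List, Optional, Sequence, Set, Tuple

ApiCall = Tuple[str, List[str]]  # (fully qualified API name, static parameters)

# Constructed output of static reverse analysis (S212): the API call sequence in call
# order with its static parameter information. Not real malware and not the patent's data.
API_CALL_SEQUENCE: List[ApiCall] = [
    ("android.telephony.TelephonyManager.getDeviceId", []),
    ("android.content.ContentResolver.query", ["content://com.android.contacts/contacts"]),
    ("java.net.HttpURLConnection.connect", ["http://198.51.100.7/collect"]),
    ("android.telephony.SmsManager.sendTextMessage", ["10690001", "activated"]),
]
DECLARED_PERMISSIONS = {"READ_PHONE_STATE", "READ_CONTACTS", "INTERNET"}  # no SEND_SMS

# Hypothetical malicious character string rules (S213), applied to static parameters.
MALICIOUS_STRING_RULES = {
    "raw_ip_url": re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)"),
    "contacts_uri": re.compile(r"^content://com\.android\.contacts"),
    "sms_short_code": re.compile(r"^\d{4,8}$"),
}

# Hypothetical fine-grained behaviour rules (S214): API-name suffix, optional parameter
# regex, the behaviour label, and the permission that behaviour needs.
BEHAVIOUR_RULES = [
    ("TelephonyManager.getDeviceId", None, "read_device_id", "READ_PHONE_STATE"),
    ("ContentResolver.query", r"^content://com\.android\.contacts", "read_contacts", "READ_CONTACTS"),
    ("HttpURLConnection.connect", None, "network_send", "INTERNET"),
    ("SmsManager.sendTextMessage", None, "send_sms", "SEND_SMS"),
]
# Behaviour pattern rules: ordered (not necessarily adjacent) behaviour subsequences.
NORMAL_PATTERNS = {"plain_network_use": ("network_send",)}
MALICIOUS_PATTERNS = {
    "contacts_exfiltration": ("read_contacts", "network_send"),
    "device_id_upload": ("read_device_id", "network_send"),
    "sms_send": ("send_sms",),
}


def identify_sensitive_parameters(calls: Sequence[ApiCall]) -> List[Dict[str, str]]:
    """First identification result: static parameters hit by a malicious string rule."""
    hits = []
    for api, params in calls:
        for p in params:
            for rule_name, rule in MALICIOUS_STRING_RULES.items():
                if rule.search(p):
                    hits.append({"api": api, "param": p, "rule": rule_name})
    return hits


def identify_behaviours(calls: Sequence[ApiCall]) -> List[Tuple[str, str]]:
    """Map each API call plus its parameters to a fine-grained behaviour and its permission."""
    out = []
    for api, params in calls:
        for suffix, param_re, behaviour, perm in BEHAVIOUR_RULES:
            if not api.endswith(suffix):
                continue
            if param_re is None or any(re.search(param_re, p) for p in params):
                out.append((behaviour, perm))
                break
    return out


def is_subsequence(pattern: Sequence[str], seq: Sequence[str]) -> bool:
    """True when every step of pattern appears in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(step in it for step in pattern)


def recognise_behaviour_patterns(behaviours: Sequence[Tuple[str, str]],
                                 declared: Set[str]) -> Dict[str, List[str]]:
    """Second identification result: matched normal/malicious patterns plus permission gaps."""
    seq = [b for b, _ in behaviours]
    return {
        "normal": sorted(n for n, pat in NORMAL_PATTERNS.items() if is_subsequence(pat, seq)),
        "malicious": sorted(n for n, pat in MALICIOUS_PATTERNS.items() if is_subsequence(pat, seq)),
        # behaviours whose required permission the APP never declared
        "permission_gaps": sorted({b for b, perm in behaviours if perm not in declared}),
    }


def combined_feature_detection(calls: Sequence[ApiCall], declared: Set[str]) -> Dict:
    """Fourth detection result: both identification results and an overall risk level."""
    first = identify_sensitive_parameters(calls)
    second = recognise_behaviour_patterns(identify_behaviours(calls), declared)
    if second["malicious"]:
        risk = "high"
    elif first or second["permission_gaps"]:
        risk = "medium"
    else:
        risk = "low"
    return {"first": first, "second": second, "risk": risk}


if __name__ == "__main__":
    print(combined_feature_detection(API_CALL_SEQUENCE, DECLARED_PERMISSIONS))
```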
Step S216, extracting text information of an undisplayed text in the operation process of the APP, extracting the text information in the operation screenshot of the APP, performing text detection on the text information through at least one of fast regular matching, keyword filtering and abnormal behavior recognition to detect whether a sensitive word exists in the text information, taking a text detection result as a fifth detection result, and sending the fifth detection result to a situation analysis system.
Specifically, text information in undisplayed text and in running screenshots during the running process of the APP is extracted through text detection. Text detection is mainly the detection, by a text detection engine, of text information extracted from the APP through fast regular matching, keyword filtering, abnormal behavior recognition and the like, together with text information extracted from the running screenshots by Optical Character Recognition (OCR). It detects whether the APP contains sensitive words related to pornography, gambling, violence or politically sensitive content, and if a violation exists, the violation type and location are displayed. Keywords can be compared and identified against various sensitive word banks. The OCR picture character extraction technology can use machine learning: a model is trained with a large amount of basic data to generate an OCR algorithm model specialized for APP running content, and the character content in APP pages is extracted by image OCR recognition. Fast regular matching can use a high-performance regular expression matching library (Hyperscan) to match key information. Abnormal behavior recognition can be based on free combinations of the user identity number (ID), IP, contact information, identity information and the like, and can recognize various combinations of sensitive information in a file or in data. The text information can be preprocessed with a natural language processing algorithm model to improve recognition efficiency and detection accuracy. This embodiment can also identify named entities; for example, contact details, QQ numbers, mobile phone numbers, WeChat accounts, web sites and the like can be identified, and contact details can be judged compositely by combining keywords, behaviors and the like.
Wherein step S216 may be performed by the text detection engine.
Step S217, carrying out image content detection on the running screenshots of the APP through a deep learning convolutional neural network algorithm model to detect whether illegal content exists in the screenshots, taking the image content detection result as a sixth detection result, and sending the sixth detection result to the situation analysis system.
This embodiment can detect whether the APP contains pictures or videos related to pornography, gambling, violence or politically sensitive content, and if a violation exists, the violation type and position are displayed. Screenshots of the APP's pages captured while it runs in the sandbox can be fed into the image detection engine to detect illegal pictures. The types of pictures identified may include gambling, pornography, political and violent content, among others. Meanwhile, the image detection engine can have machine learning capability so as to detect new illegal pictures.
Illustratively, the acquired APP interface screenshots are subjected, using a deep learning convolutional neural network algorithm, to detection and identification of pornographic content, lottery content, politically sensitive words, political figures and subversive information, explosions, guns, gore, terrorist organization symbols and the like.
Wherein step S217 may be performed by the image detection engine.
Step S218, dynamically analyzing the APP through the situation analysis system.
The embodiment of the invention can respectively carry out dynamic analysis on the APP from various angles according to the received detection results, and can also carry out comprehensive dynamic analysis on the APP based on a plurality of detection results.
According to the embodiment of the invention, by carrying out multi-dimensional detection on the APP, such as dynamic detection, malicious program detection, combined feature heuristic detection, text detection and image detection, the all-round security of the APP can be ensured and the mainstream detection problems of the current APP security landscape are covered in full; and by collecting and detecting information on APPs across the whole network and analyzing the APP security situation, the efficiency and accuracy of APP security detection are improved.
Optionally, various features of the APP can also be detected directly by a static detection engine based on broad-spectrum features. For example, signature fingerprint detection, class file feature detection, string feature detection, code execution sequence scan detection, SO file feature detection, custom feature detection and the like are performed by the broad-spectrum-feature-based static detection engine. Signature fingerprint detection can accurately and quickly judge whether the APP is a malicious program, effectively filters the APPs of each large application store, improves the ability to confirm non-malicious programs, and reduces the probability of suspected malicious programs. Class file feature detection can detect the class names of typical non-obfuscated classes that are not part of the Android or Java standard APIs or of advertising SDKs. String feature detection can detect strings typical of classes.dex that may be malicious, such as telephone numbers, mailboxes, SQL statements and web sites (non-advertising URLs). Code execution sequence scan detection samples the execution sequence of the key function code of a malicious behavior to form a feature library that serves as a malicious code template; this scanning mode reduces the granularity of APP sample scanning from the package, class and method level to the level of individual lines of executed code within a method. SO file feature detection can detect typical strings visible in read-only sections. Custom feature detection can combine and compute on the sample size, package name and signature before detecting the APP, which improves detection efficiency. By detecting the broad-spectrum features of the APP directly, this embodiment provides a preliminary detection for the subsequent detection and improves detection precision.
Optionally, the APP's privacy policy can be extracted through the sandbox detection engine, the APP's permissions can be extracted through the broad-spectrum-feature-based static detection engine or the combined feature heuristic detection engine, and finally the privacy policy and the permissions can be compared and checked based on semantic analysis to determine whether the APP applies for permissions to obtain information beyond its rights or beyond its declared scope. Meanwhile, whether the APP has a problem of data leaving the country (cross-border data transfer) can be detected through the sandbox detection engine.
Illustratively, fig. 9 is a workflow diagram of a method for detecting out-of-scope collection of user information by the sandbox detection engine according to the second embodiment of the present invention. As shown in fig. 9, the technology automatically extracts the privacy policy file based on the sandbox detection engine; for example, the APP privacy policy text may be extracted automatically through simulated clicks and packet parsing. The sandbox may provide multiple modes of simulated clicking to trigger different actions. Human-computer interaction based on a manual sandbox means that, when the privacy policy is extracted, an operator can take part in the sandbox operation, making clicks more accurate and improving the extraction accuracy of the privacy policy text. Privacy policy text analysis based on semantic analysis can extract, from the privacy policy text, the statements it makes about citizens' private information, the different services that various kinds of information are used for, third-party data sharing, cross-border data transfer and the like. Based on the APP permission statement and privacy policy detection technology, it is detected whether the permissions the APP actually declares exceed the personal information permissions required by the privacy policy statement, and, combined with monitoring of the data the APP sends back, whether the APP's actual network address is outside the country, in order to judge whether user data is uploaded to a third party, and so on. Whether the APP has the risk of actually collecting user information beyond scope, or of data leaving the country, can be confirmed automatically based on monitoring of the sandbox's returned data.
Optionally, the security risk assessment can be performed on the APP to be detected from eight major aspects of program code security, component security, communication security, data storage security, internal data interaction security, service interaction security, security policy and vulnerability detection, so as to assess the security capability of the APP in resisting sensitive information leakage, resisting malicious program intrusion and resisting malicious utilization by hackers.
Illustratively, for Android applications, users such as enterprises and supervision departments are provided with detection projects based on 9 categories, which involve 79 monitoring points, and risk levels of different detections and different risks are respectively determined.
Optionally, code security detection may also be performed on the APP, specifically including program file and process permission detection, component permission security detection, implicit request message (Intent) detection and code obfuscation detection.
Program file and process permission detection can check whether the APP restricts the permissions of its program directory or forbids private access to the APP by third-party software, and whether the APP follows the principle of least privilege so that permissions are not abused maliciously. Component permission security detection checks whether components used by the APP can be called arbitrarily by external programs, which causes risks of denial of service, phishing and information leakage. Implicit Intent detection can check whether the APP uses implicit Intents and whether each implicit Intent has a specifically designated receiver, to prevent the risk of data leakage when other programs steal the Intent content via the designated identifier. Code obfuscation detection may calculate the degree of obfuscation of the source code.
Optionally, data security detection can also be performed on the APP. It specifically includes sensitive information plaintext storage detection, third-party security library detection, log information detection, backup identifier configuration risk detection and hard coding detection.
Sensitive information plaintext storage detection can detect whether the APP stores sensitive information in locally stored XML files and cache files, and whether that information is encrypted for protection, so as to prevent application data from being leaked. Third-party security library detection detects whether the APP uses a third-party SDK, and whether the third-party SDK has malicious behaviors, information leakage risks and the like. Log information detection may detect whether the APP calls a system log interface. Backup identifier configuration risk detection can detect whether the APP sets android:allowBackup="true" in AndroidManifest.xml; when this flag is set to true, APP data can be backed up and restored, and an Android Debug Bridge (ADB) debug backup allows a malicious attacker to copy the APP data. Hard coding detection can detect whether hard-coded content exists in the source code, such as hard-coded judgment logic, fixed character strings, encryption keys and encryption methods, which makes the logic of the code easy to leak.
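The two manifest-level checks above (component permission security and the allowBackup backup identifier) can be realized as a small static scan of the decoded AndroidManifest.xml. The following is an added example written for this page, not code from the patent; the component and attribute names are real Android manifest names, while the sample manifest, the finding wording and the heuristic for implicit export are constructed assumptions.

```python
"""Manifest-based static checks, written as an added example for this page.

Assumptions (not from the patent): the manifest is available as decoded XML
(for example after apktool), and these two functions are one plausible way to
realize "component permission security detection" and "backup identifier
configuration risk detection". Tag and attribute names are real Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read a namespaced android:<name> attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """The launcher activity must be exported; do not report it."""
    return any(_attr(cat, "name") == "android.intent.category.LAUNCHER"
               for cat in comp.iter("category"))


def check_allow_backup(root):
    """Backup identifier configuration risk: flag android:allowBackup="true".

    Returns a finding string or None. The flag defaults to true on Android,
    so an absent attribute is reported too, with its own wording.
    """
    app = root.find("application")
    if app is None:
        return None
    value = _attr(app, "allowBackup")
    if value is None:
        return "allowBackup not set (defaults to true): ADB backup can copy app data"
    if value.lower() == "true":
        return "allowBackup=true: ADB backup can copy app data"
    return None


def check_exported_components(root):
    """Component permission security: components any external app can invoke.

    A component counts as externally reachable when android:exported="true",
    or when it declares an <intent-filter> without exported="false" (the
    implicit-export default). It is reported when no android:permission
    guards it, which is the "arbitrarily called by an external program" case.
    """
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            exported = _attr(comp, "exported")
            if exported is not None:
                reachable = exported.lower() == "true"
            else:
                reachable = comp.find("intent-filter") is not None
            if reachable and _attr(comp, "permission") is None and not _is_launcher(comp):
                findings.append("%s %s exported without permission" % (tag, _attr(comp, "name")))
    return findings


def scan_manifest(xml_text):
    """Run both checks and return their findings."""
    root = ET.fromstring(xml_text)
    return {"backup": check_allow_backup(root),
            "components": check_exported_components(root)}


# Constructed sample manifest; it does not describe any real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.demo.INTERNAL"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for check, result in scan_manifest(SAMPLE_MANIFEST).items():
        print(check, result)
```

On the sample, only the unguarded exported service and the allowBackup flag are reported; the receiver is skipped because a permission guards it, and the provider because it is not exported.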
Optionally, vulnerability security detection may also be performed on the APP. It specifically includes detection of mainstream vulnerabilities such as the Android system signature (Janus) vulnerability, the WebView component remote code execution vulnerability, the Android signature vulnerability, the man-in-the-middle attack vulnerability and the Content Provider file directory traversal vulnerability. Vulnerability security detection may be based on the vulnerability library rules of the National Information Security Vulnerability Sharing Platform (CNVD), which currently contains 160,000 vulnerabilities, of which 20,000 are mobile internet vulnerabilities. It may also support detection of the OWASP (Open Web Application Security Project) top 10 mobile internet security vulnerabilities, manual input of vulnerability detection rules, and vulnerability features including character string features in smali files (method calls can also be classified as character strings) and character string features in the Manifest. The types of vulnerabilities may include system vulnerabilities, server vulnerabilities and application vulnerabilities, for example Android system signature vulnerabilities, Intent scheme URL vulnerabilities, File arbitrary read-write vulnerabilities, SharedPreferences (lightweight storage class) arbitrary read-write vulnerabilities, zip file directory traversal vulnerabilities and WebView remote code execution vulnerabilities, to name a few.
Optionally, interaction and communication security detection can also be performed on the APP. It specifically includes SSL communication detection, network data transmission detection, service interface malicious call detection, service data tampering detection and service authorization security detection.
SSL communication detection may detect whether APP communication is encrypted with SSL/TLS, IPSec or other security protocols to ensure the security and integrity of communication. Network data transmission detection can examine the communication process between client and server: whether the transmitted data is encrypted, the strength of the encryption algorithm, and whether sensitive information is leaked, so as to ensure the security and integrity of communication. Service interface malicious call detection may detect whether the APP has an identity authentication mechanism in place for sensitive service interfaces, checking the service interfaces that could be invoked maliciously at scale, such as user login, password recovery and password reset. For service interfaces with query, display and transaction functions that do not require identity authentication, a mandatory verification code (CAPTCHA) mechanism should be provided to prevent large-scale automated calls by bot programs and the like. Service data tampering detection may detect whether fields transmitted from the client side to the server side in the service process can be tampered with, and whether packet verification exists. Service authorization security detection may detect whether pages restricted to authorized users can be accessed, or operations of authorized users performed, without authorization.
Optionally, the APPs of application stores are crawled by category through a crawler, the application permissions and usage permissions of the APPs are extracted from the crawled APPs and statistically analyzed by category, recommended permissions for applications of each category are determined from the statistical results, recommended permissions with a small statistical proportion are further analyzed and confirmed manually, and the recommended permissions for applications of the category are then determined from the further statistical analysis results.
Illustratively, the security levels of Android system permissions may be divided into: normal, dangerous, extremely dangerous and system WeChat. Therefore, when detecting APP permission abuse, the recommended permissions of the different categories can be combined with the automatic classification function, and the permissions requested by the APP can be clustered according to security level and security behavior to perform malice evaluation and permission abuse evaluation of the APP.
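The category statistics and the abuse evaluation just described can be carried through end to end on a small crawl result. This is an added example written for this page, not the patent's own code; the permission strings are real Android permissions, while the security-level mapping, the 30% threshold and the crawled-app sample are constructed assumptions.

```python
"""Category-based recommended permissions and permission-abuse evaluation.

Added example for the procedure described on this page; it is not the
patent's code. Permission strings are real Android permissions; the level
mapping, the 30% threshold and the crawled-app sample are constructed.
"""
from collections import Counter

# Security level per permission (only the page's "normal"/"dangerous" levels
# are used in this constructed mapping).
PERMISSION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.READ_SMS": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
}


def recommended_permissions(crawled_apps, threshold=0.3):
    """Statistical analysis of requested permissions per store category.

    crawled_apps: list of (category, [permission, ...]) from the crawler.
    Returns (recommended, review): permissions requested by at least
    `threshold` of a category's apps become the recommended set; the rest,
    with a small statistical proportion, go to the manual review set.
    """
    app_count = Counter()
    perm_count = {}
    for category, perms in crawled_apps:
        app_count[category] += 1
        perm_count.setdefault(category, Counter()).update(set(perms))
    recommended, review = {}, {}
    for category, counter in perm_count.items():
        for perm, n in counter.items():
            ratio = round(n / app_count[category], 2)
            target = recommended if ratio >= threshold else review
            target.setdefault(category, {})[perm] = ratio
    return recommended, review


def evaluate_app(category, perms, recommended):
    """Permission-abuse evaluation of one APP against its category.

    Permissions outside the recommended set are clustered by security level;
    the count of dangerous extras is a simple abuse indicator.
    """
    extra = sorted(p for p in set(perms) if p not in recommended.get(category, {}))
    by_level = {}
    for perm in extra:
        by_level.setdefault(PERMISSION_LEVEL.get(perm, "unknown"), []).append(perm)
    return {"extra": extra, "by_level": by_level,
            "dangerous_extra": len(by_level.get("dangerous", []))}


# Constructed crawl result: five "calculator" apps.
_NET = ["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"]
SAMPLE_APPS = [
    ("calculator", _NET),
    ("calculator", _NET),
    ("calculator", _NET),
    ("calculator", _NET + ["android.permission.READ_CONTACTS"]),
    ("calculator", ["android.permission.INTERNET"]),
]
# Constructed APP under evaluation: a calculator asking for SMS, location and contacts.
SUSPICIOUS_APP = ["android.permission.INTERNET", "android.permission.READ_SMS",
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.READ_CONTACTS"]

if __name__ == "__main__":
    rec, rev = recommended_permissions(SAMPLE_APPS)
    print("recommended:", rec)
    print("manual review:", rev)
    print(evaluate_app("calculator", SUSPICIOUS_APP, rec))
```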
EXAMPLE III
Fig. 10 is a service architecture diagram of an APP panoramic situation and intelligence mining platform according to a third embodiment of the present invention, which is optimized on the basis of the foregoing embodiments. As shown in fig. 10, the service architecture of the platform includes a data source access layer, a metadata screening layer, a security and threat detection classification layer, an APP panorama and intelligence traceability mining layer, and a solution layer.
The first layer is the data source access layer, which builds the data foundation of the APP panoramic situation and intelligence mining platform through wide-ranging and deep data collection. First, through application store data access, basic information such as APP application information and developers is collected. Second, through real-time data access, the source of the APP is restored from traffic and integrated into the data cloud platform. Third, operator ticket (call record) data or traffic data is accessed, APPs are crawled automatically, and so on. The second layer is the metadata screening layer, which mainly performs preprocessing for APP format analysis and verification, and basic verification screening of data such as input application information and URLs (uniform resource locators). The third layer is security and threat detection and classification, in which malicious program detection, security risk detection, vulnerability detection, counterfeit application detection, intelligence drilling, content detection and the like are performed on the APP through the detection engines provided by the embodiment of the invention, such as the dynamic detection engine, malicious program detection engine, combined feature heuristic detection engine, text detection engine and image detection engine. The fourth layer is data mining and association analysis, which provides second-level big data retrieval based on accumulated APP threat intelligence data and, according to association analysis of retrieval rules and the like, forms visual situation, association analysis and intelligence traceability mining capabilities that meet the needs of different industries and scenarios.
The system also provides a solution layer, through which APP security risk assessment, APP malware detection, APP illegal violation detection, APP information security detection, counterfeit fraud application detection, APP city profiles, case information expansion, advanced Trojan detection, association analysis, history traceability, black industry intelligence and the like can be realized.
Based on this core architecture, the final value of the APP panoramic situation and intelligence mining platform is formed: a complete solution is provided for the whole APP ecosystem, and developers can realize application innovation based on the platform's data, micro-service and SaaS cloud service functions.
The APP panoramic situation and information traceability mining platform has six characteristics: privatization deployment, SaaS cloud service, threat metadata accumulation, clue expansion, deep association analysis and sandbox cultivation.
Fig. 11 is a flowchart of a correlation analysis method according to a third embodiment of the present invention. As shown in fig. 11, in the present embodiment, by managing and analyzing strongly associated clues such as store developer, application signature, MD5, URL, IP address, mailbox and mobile phone number, more detailed and precise cluster analysis can be performed on a sample family, and homologous APPs can be presented visually. Display of a sample time track can also be supported, clarifying the historical track of homologous samples or the development process of the black industry. Various basic data statistics, such as the geographic attribution of external addresses, application name and developer, can also be supported.
Fig. 12 is a flow chart of consistent network-wide real-time monitoring provided by the third embodiment of the present invention. As shown in fig. 12, the APP panoramic situation and intelligence mining platform can monitor APPs in real time, and the user can monitor the whole network in real time according to more than 1500 full-dimensional sample features of interest, including: file MD5, file SHA1, application name, package name, certificate developer, universal URL, universal IP, mailbox, mobile phone number, malicious program name, malicious program family, SDK name, returned data, certificate owner, certificate MD5, certificate SHA1, certificate serial number, embedded file name, class name, Activity, Receiver, Provider, Service, permission name, vulnerability name, character string, short message (static code or dynamic behavior), geographic location (static code or dynamic behavior), address book (static code or dynamic behavior), call record (static code or dynamic behavior), obtaining the mobile phone number (static code or dynamic behavior), obtaining the IMEI (static code or dynamic behavior), obtaining the IMSI (static code or dynamic behavior), obtaining the method name (static code or dynamic behavior), version number, static wildcard URL, static wildcard IP, malicious attribute, security level (malicious program), province of the wildcard address, attribute of the wildcard address (inbound, outbound), SDK type, return channel (HTTPS, HTTP or SMTP), time range, or malicious program description.
Fig. 13 is a logic flow diagram of the program of each system in an APP panoramic situation and intelligence mining platform according to a third embodiment of the present invention. Fig. 14 is a logic flow diagram of another APP panorama and intelligence mining platform for different data sources according to a third embodiment of the present invention. Fig. 15 is a logic flow diagram of the procedure for data flow in an APP panoramic situation and intelligence mining platform according to a third embodiment of the present invention. Fig. 16 is a logic flow diagram of the procedure for scheduling detection results in an APP panoramic situation and intelligence mining platform according to a third embodiment of the present invention. As shown in FIGS. 13-14, the task state may be semi-complete or fully complete. An issued detection task includes dynamic and static engines. When all the static engines (for example static API, static virus, static sensitive word or static metadata) have returned a scanning result and the dynamic detection is completed, the task is called semi-completed; when all engines (static API, static virus, static sensitive word, static metadata and the dynamic engine) have scanned and returned detection results, it is called fully completed. When the issued detection task is in the semi-completed or fully completed state, the detection result is pushed to the ES, and the detection result stored in the ES is called a report.
The APP panoramic situation and intelligence mining platform provided by this embodiment regularly collects updates from each channel to ensure that the platform's APP information is continuously updated, detects APPs in real time, and ensures the timely updating and accumulation of threat intelligence data.
Example four
Fig. 17 is a schematic structural diagram of an APP detection apparatus according to a fourth embodiment of the present invention. The apparatus can be implemented by software and/or hardware, can generally be integrated in an APP detection device, and can improve the efficiency and accuracy of APP security detection by executing the APP detection method. As shown in fig. 17, the apparatus includes:
a behavior obtaining module 310, configured to obtain an operation behavior of an APP running in a sandbox, which is reported by a detection firmware in the sandbox; wherein at least one layer of the system architecture of the sandbox comprises the detection firmware for monitoring the operational behavior in real time;
a first detection result sending module 320, configured to detect the operation behavior, obtain a first detection result corresponding to the operation behavior, and send the first detection result to a situation analysis system;
and the application analysis module 330 is configured to perform dynamic analysis on the APP through the situation analysis system.
Optionally, the detection firmware includes at least one of privacy behavior detection firmware, network behavior detection firmware, file operation detection firmware, short message operation detection firmware, command line detection firmware, audio/video recording and camera detection firmware, and user data reading detection firmware;
the privacy behavior detection firmware is used for monitoring the user privacy information acquired by the APP in real time;
the network behavior detection firmware is used for monitoring a destination internet protocol address and a destination port of the APP access in real time;
the file operation detection firmware is used for monitoring the file operation of the APP in real time;
the short message operation detection firmware is used for monitoring a short message sending behavior, a multimedia message sending behavior and a short message intercepted behavior of the APP in real time;
the command line detection firmware is used for monitoring the APP's invocation of command-line tools in real time;
the audio and video recording and camera detection firmware is used for monitoring whether the APP has behaviors of opening the camera and recording the audio and video in real time;
the user data reading detection firmware is used for monitoring the dynamic reading state of the APP to the user data in real time so as to detect whether the user data is stolen.
Optionally, for a case that the detection firmware is a user data reading detection firmware, the first detection result sending module 320 is specifically configured to:
acquiring a network data packet from an input/output function based on the modified open source project system; the modified open source project system is used for intercepting the network data packet before the network data packet is encrypted by a tunnel;
identifying the type of the network data packet, and identifying the message data of the network data packet according to the type;
detecting whether sensitive data exists in the message data;
and taking a detection result as a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system.
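The user-data reading check above (acquire the packet before tunnel encryption, identify its type, parse the message data, detect sensitive data, report the result) can be illustrated on one intercepted plaintext request. The code below is an added example written for this page and is not the patent's implementation; the HTTP packet, the form field names and the mobile-number and IMEI patterns are constructed assumptions.

```python
"""Sensitive-data check on a network packet intercepted before tunnel encryption.

Added example; the patent names the steps (acquire packet, identify its type,
parse the message data, detect sensitive data) without giving code. The packet
bytes and the form field names are constructed; the patterns target a mobile
phone number and an IMEI, the kinds of user data the page lists, and the IMEI
pattern is confirmed with its Luhn check digit to reduce false positives.
"""
import re

PHONE_RE = re.compile(rb"(?<!\d)1[3-9]\d{9}(?!\d)")   # 11-digit mobile number format
IMEI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")         # 15 digits, Luhn-checked below


def luhn_ok(digits):
    """True if the digit string carries a valid Luhn check digit (as IMEIs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identify_packet(pkt):
    """Step 2: return (type, headers, body). Only HTTP/1.x requests are parsed."""
    if not re.match(rb"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r\n", pkt):
        return "other", {}, pkt
    head, _, body = pkt.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return "http", headers, body


def parse_message(kind, headers, body):
    """Step 2 (cont.): split message data into named fields where the type allows."""
    if kind == "http" and headers.get("content-type", b"").startswith(
            b"application/x-www-form-urlencoded"):
        fields = {}
        for pair in body.split(b"&"):
            name, _, value = pair.partition(b"=")
            fields[name.decode("ascii", "replace")] = value
        return fields
    return {"_raw": body}


def find_sensitive(data):
    """Step 3: sensitive values in one field, as (label, value) pairs."""
    hits = [("phone", m.group().decode()) for m in PHONE_RE.finditer(data)]
    hits += [("imei", m.group().decode()) for m in IMEI_RE.finditer(data)
             if luhn_ok(m.group().decode())]
    return hits


def detect(pkt):
    """Steps 2-4 for one packet; the dict is the detection result to report."""
    kind, headers, body = identify_packet(pkt)
    hits = []
    for field, value in parse_message(kind, headers, body).items():
        hits += [(field, label, found) for label, found in find_sensitive(value)]
    return {"type": kind, "hits": hits}


# Constructed plaintext HTTP request as it would look before TLS/tunnel encryption.
# The "order" value is 15 digits but fails the Luhn check, so it is not an IMEI.
SAMPLE_HTTP_PACKET = (
    b"POST /api/report HTTP/1.1\r\n"
    b"Host: stats.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"phone=13800138000&imei=490154203237518&order=123456789012345"
)

if __name__ == "__main__":
    print(detect(SAMPLE_HTTP_PACKET))
```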
Optionally, the apparatus further comprises:
a reinforced field detection module, configured to detect whether a reinforced field exists in an APP packet of the APP before the APP is dynamically analyzed by the situation analysis system; wherein the reinforcement field is used for identifying that the APP is reinforced;
an application unshelling module, configured to, if the reinforcement field exists, perform an unshelling operation on the APP packet to generate an unshelled APP packet, return to the step of detecting whether a reinforced field exists in the APP packet of the APP, and record the number of times the step has been executed;
and a second detection result sending module, configured to, for the target APP packet generated when the number of executions meets a preset condition, analyze the executable binary dex file of the target APP packet when an analysis instruction for the target APP packet is received, detect the dex file according to the analysis result to obtain a second detection result, and send the second detection result to the situation analysis system.
Optionally, the apparatus further comprises:
the feature extraction module is used for extracting static features and/or dynamic features of the APP before the APP is dynamically analyzed through the situation analysis system, and constructing a feature vector to be detected according to the static features and/or the dynamic features; the static features are obtained by extracting an APP packet of the APP, and the dynamic features are obtained by extracting the first detection result;
a third detection result sending module, configured to input the feature vector to be detected to a malicious program detection model, judge, by the malicious program detection model, whether the APP is a malicious program, use a judgment result as a third detection result, and send the third detection result to a situation analysis system;
the malicious program detection model is obtained by training a binary classification algorithm, a neural network algorithm, a clustering algorithm and an anomaly detection algorithm based on the static characteristic sample, the dynamic characteristic sample and the malicious characteristic sample.
Optionally, the apparatus further comprises:
the format screening module is used for screening the format of the executable file of the APP package before the APP is dynamically analyzed by the situation analysis system to obtain the executable file to be detected which meets the preset file format condition;
the file analysis module is used for performing static reverse analysis on the executable file to be detected to obtain interface static parameter information and an interface calling sequence;
the parameter identification module is used for carrying out sensitive parameter identification on the interface static parameter information according to a preset malicious character string rule to obtain a first identification result;
the pattern recognition module is used for recognizing the fine-grained behavior parameters in the interface static parameter information, and respectively performing behavior pattern recognition on the fine-grained behavior parameters and the interface calling sequence according to a preset normal fine-grained behavior pattern rule and a preset malicious behavior pattern rule to obtain a second recognition result;
and a fourth detection result sending module, configured to take the first identification result and the second identification result as a fourth detection result and send the fourth detection result to the situation analysis system.
Optionally, the apparatus further comprises:
a fifth detection result sending module, configured to, before the APP is dynamically analyzed by the situation analysis system, extract text information of a text that is not displayed in an operation process of the APP, extract text information in an operation screenshot of the APP, perform text detection on the text information through at least one of fast regular matching, keyword filtering, and abnormal behavior recognition, to detect whether a sensitive word exists in the text information, use a text detection result as a fifth detection result, and send the fifth detection result to the situation analysis system;
and the sixth detection result sending module is used for carrying out image content detection on the operation screenshot of the APP through a deep learning convolutional neural network algorithm model so as to detect whether illegal contents exist in the operation screenshot, taking the image content detection result as a sixth detection result, and sending the sixth detection result to the situation analysis system.
Optionally, the application analysis module 330 is specifically configured to at least one of:
according to a first detection result and city information of each APP, performing city safety situation analysis on the APPs of each city through the situation analysis system;
according to a first detection result and development information of each APP, performing development situation analysis on all APPs running in each sandbox through the situation analysis system;
and determining a risk APP corresponding to the risk detection result through the situation analysis system for the risk detection result in the first detection result, and carrying out risk situation analysis on the risk APP.
The APP detection device provided by the embodiment of the invention can execute the APP detection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
EXAMPLE five
Fig. 18 is a schematic structural diagram of an APP detection apparatus according to a fifth embodiment of the present invention, and as shown in fig. 18, the APP detection apparatus includes a processor 400, a memory 410, an input device 420, and an output device 430; the number of the processors 400 in the detection device of the APP may be one or more, and one processor 400 is taken as an example in fig. 18; the processor 400, the memory 410, the input device 420 and the output device 430 in the detection apparatus of APP may be connected by a bus or other means, and fig. 18 illustrates an example of connection by a bus.
The memory 410 is used as a computer-readable storage medium and can be used for storing software programs, computer-executable programs, and modules, such as program instructions and/or modules corresponding to the detection method of the APP in the embodiment of the present invention (for example, the behavior obtaining module 310, the first detection result sending module 320, and the application analysis module 330 in the detection apparatus of the APP). The processor 400 executes various functional applications and data processing of the detection device of the APP by executing software programs, instructions and modules stored in the memory 410, that is, implements the detection method of the APP described above.
The memory 410 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, APPs required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 410 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 410 may further include memory located remotely from processor 400, which may be connected to the detection device of the APP via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input means 420 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the detection apparatus of the APP. The output device 430 may include a display device such as a display screen.
EXAMPLE six
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a method for detecting an APP, and the method includes:
acquiring the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox; wherein at least one layer of the system architecture of the sandbox comprises the detection firmware for monitoring the operational behavior in real time;
detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system;
and dynamically analyzing the APP through the situation analysis system.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the APP detection method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the detection apparatus for APP, each unit and each module included in the detection apparatus for APP are only divided according to functional logic, but are not limited to the above division as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (11)

1. A detection method of APP is characterized by comprising the following steps:
acquiring the running behavior of an application program APP running in the sandbox reported by detection firmware in the sandbox; wherein at least one layer of the system architecture of the sandbox comprises the detection firmware for monitoring the operational behavior in real time;
detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system;
and dynamically analyzing the APP through the situation analysis system.
2. The method of claim 1, wherein the detection firmware comprises at least one of privacy behavior detection firmware, network behavior detection firmware, file operation detection firmware, sms operation detection firmware, command line detection firmware, audio and video recording and camera detection firmware, and user data reading detection firmware;
the privacy behavior detection firmware is used for monitoring the user privacy information acquired by the APP in real time;
the network behavior detection firmware is used for monitoring a destination internet protocol address and a destination port of the APP access in real time;
the file operation detection firmware is used for monitoring the file operation of the APP in real time;
the short message operation detection firmware is used for monitoring a short message sending behavior, a multimedia message sending behavior and a short message intercepted behavior of the APP in real time;
the command line detection firmware is used for monitoring the APP's invocation of command-line tools in real time;
the audio and video recording and camera detection firmware is used for monitoring whether the APP has behaviors of opening the camera and recording the audio and video in real time;
the user data reading detection firmware is used for monitoring the dynamic reading state of the APP to the user data in real time so as to detect whether the user data is stolen.
3. The method of claim 2, wherein, for the detection firmware being the user data reading detection firmware, detecting the operation behavior to obtain a first detection result and sending the first detection result to a situation analysis system comprises:
acquiring a network data packet from an input/output function based on the modified open source project system; the modified open source project system is used for intercepting the network data packet before the network data packet is encrypted by a tunnel;
identifying the type of the network data packet, and identifying the message data of the network data packet according to the type;
detecting whether sensitive data exists in the message data;
and taking a detection result as a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system.
4. The method of claim 1, further comprising, prior to dynamically analyzing the APP by the situational analysis system:
detecting whether a reinforcement field exists in an APP packet of the APP; wherein the reinforcement field is used for identifying that the APP is reinforced;
if so, performing unshelling operation on the APP packet to generate an unshelled APP packet, returning to the step of detecting whether a reinforced field exists in the APP packet of the APP, and recording the execution times of the step;
and for the target APP packet generated when the execution times meet the preset condition, when an analysis instruction of the target APP packet is received, analyzing an executable binary dex file of the target APP packet, detecting the dex file according to an analysis result to obtain a second detection result, and sending the second detection result to a situation analysis system.
5. The method of claim 1, further comprising, prior to dynamically analyzing the APP by the situational analysis system:
extracting static features and/or dynamic features of the APP, and constructing a feature vector to be detected according to the static features and/or the dynamic features; the static features are obtained by extracting an APP packet of the APP, and the dynamic features are obtained by extracting the first detection result;
inputting the feature vector to be detected to a malicious program detection model, judging whether the APP is a malicious program or not through the malicious program detection model, taking a judgment result as a third detection result, and sending the third detection result to a situation analysis system;
the malicious program detection model is obtained by training a binary classification algorithm, a neural network algorithm, a clustering algorithm and an anomaly detection algorithm on static feature samples, dynamic feature samples and malicious feature samples.
6. The method of claim 1, further comprising, prior to dynamically analyzing the APP by the situational analysis system:
performing format screening on the executable files of the APP package to obtain executable files to be detected that meet a preset file format condition;
performing static reverse analysis on the executable file to be detected to obtain interface static parameter information and an interface calling sequence;
performing sensitive parameter identification on the interface static parameter information according to a preset malicious character string rule to obtain a first identification result;
identifying fine-grained behavior parameters in the interface static parameter information, and respectively performing behavior pattern identification on the fine-grained behavior parameters and an interface calling sequence according to a preset normal fine-grained behavior pattern rule and a preset malicious behavior pattern rule to obtain a second identification result;
and taking the first identification result and the second identification result as a fourth detection result, and sending the fourth detection result to a situation analysis system.
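The two identification passes of claim 6, as an added example rather than the patent's code: the input is the kind of record a static reverse-analysis pass would produce (interface name plus literal parameters, in calling order); string rules flag sensitive parameters (first identification result), each interface is mapped to a fine-grained behaviour label, and the behaviour sequence is matched against normal and malicious pattern rules (second identification result). The rule tables, the behaviour labels and the sample call sequences are all constructed for the demonstration.

```python
"""Added example (not the patent's own code): apply malicious-string rules to
static interface parameters and behaviour-pattern rules to the interface
calling sequence. Rules and the sample call records are constructed."""
from __future__ import annotations

import re

# First identification: malicious-string rules applied to static parameters (assumed rules).
MALICIOUS_STRING_RULES = {
    "root_command": re.compile(r"^(su|/system/(x)?bin/su)$"),
    "shell_chmod": re.compile(r"\bchmod\s+[0-7]{3,4}\b"),
    "plain_http_url": re.compile(r"^http://", re.IGNORECASE),
}

# Fine-grained behaviour labels for interfaces of interest (assumed mapping).
API_BEHAVIOURS = {
    "android.telephony.TelephonyManager.getDeviceId": "READ_DEVICE_ID",
    "android.telephony.TelephonyManager.getLine1Number": "READ_PHONE_NUMBER",
    "java.net.URL.<init>": "BUILD_URL",
    "java.net.HttpURLConnection.connect": "NETWORK_CONNECT",
    "java.lang.Runtime.exec": "EXEC_SHELL",
    "android.telephony.SmsManager.sendTextMessage": "SEND_SMS",
}

# Behaviour pattern rules: ordered subsequences of behaviour labels (assumed rules).
NORMAL_PATTERNS = {
    "ordinary_http_fetch": ["BUILD_URL", "NETWORK_CONNECT"],
}
MALICIOUS_PATTERNS = {
    "device_identity_exfiltration": ["READ_DEVICE_ID", "NETWORK_CONNECT"],
    "phone_number_exfiltration": ["READ_PHONE_NUMBER", "NETWORK_CONNECT"],
    "root_shell": ["EXEC_SHELL"],
    "sms_after_identity_read": ["READ_PHONE_NUMBER", "SEND_SMS"],
}


def identify_sensitive_parameters(calls: list[dict]) -> list[tuple[int, str, str, str]]:
    """First identification result: (call index, api, rule, parameter) per string-rule hit."""
    hits = []
    for idx, call in enumerate(calls):
        for param in call["args"]:
            if not isinstance(param, str):
                continue
            for rule, pattern in MALICIOUS_STRING_RULES.items():
                if pattern.search(param):
                    hits.append((idx, call["api"], rule, param))
    return hits


def behaviour_sequence(calls: list[dict]) -> list[str]:
    """Map the interface calling sequence to behaviour labels, dropping unknown interfaces."""
    return [API_BEHAVIOURS[c["api"]] for c in calls if c["api"] in API_BEHAVIOURS]


def is_ordered_subsequence(pattern: list[str], seq: list[str]) -> bool:
    """True if every element of pattern occurs in seq in that order (gaps allowed)."""
    pos = 0
    for label in seq:
        if pos < len(pattern) and label == pattern[pos]:
            pos += 1
    return pos == len(pattern)


def identify_behaviour_patterns(calls: list[dict]) -> dict:
    """Second identification result: which normal and malicious patterns the sequence matches."""
    seq = behaviour_sequence(calls)
    return {
        "behaviours": seq,
        "normal": [n for n, p in NORMAL_PATTERNS.items() if is_ordered_subsequence(p, seq)],
        "malicious": [n for n, p in MALICIOUS_PATTERNS.items() if is_ordered_subsequence(p, seq)],
    }


def fourth_detection_result(calls: list[dict]) -> dict:
    """Bundle both identification results, as claim 6 sends them to the situation analysis system."""
    first = identify_sensitive_parameters(calls)
    second = identify_behaviour_patterns(calls)
    return {"first": first, "second": second, "suspicious": bool(first or second["malicious"])}


# Constructed sample: what a static pass might recover from one APP's code.
SAMPLE_CALLS = [
    {"api": "android.telephony.TelephonyManager.getDeviceId", "args": []},
    {"api": "android.telephony.TelephonyManager.getLine1Number", "args": []},
    {"api": "java.net.URL.<init>", "args": ["http://collector.example.invalid/collect"]},
    {"api": "java.net.HttpURLConnection.connect", "args": []},
    {"api": "java.lang.Runtime.exec", "args": ["su"]},
]

# Constructed benign counterpart: the same network pattern without identity reads.
BENIGN_CALLS = [
    {"api": "java.net.URL.<init>", "args": ["https://api.example.invalid/v1"]},
    {"api": "java.net.HttpURLConnection.connect", "args": []},
]

if __name__ == "__main__":
    print(fourth_detection_result(SAMPLE_CALLS))
```

Matching patterns as ordered subsequences rather than contiguous runs is what lets the same rule catch a read-then-send behaviour whether or not unrelated calls sit between the two steps; reporting the matched normal patterns alongside the malicious ones gives the analyst the context needed to judge a borderline hit.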
7. The method of claim 1, further comprising, prior to dynamically analyzing the APP by the situational analysis system:
extracting text information of an undisplayed text in the running process of the APP, extracting the text information in a running screenshot of the APP, performing text detection on the text information in at least one mode of rapid regular matching, keyword filtering and abnormal behavior identification to detect whether a sensitive word exists in the text information, taking a text detection result as a fifth detection result, and sending the fifth detection result to a situation analysis system;
and performing image content detection on the running screenshot of the APP through a deep learning convolutional neural network model so as to detect whether illegal content exists in the running screenshot, taking the image content detection result as a sixth detection result, and sending the sixth detection result to a situation analysis system.
8. The method of claim 1, wherein said dynamically analyzing said APP by said situational analysis system comprises at least one of:
according to a first detection result and city information of each APP, performing city safety situation analysis on the APPs of each city through the situation analysis system;
according to a first detection result and development information of each APP, performing development situation analysis on all APPs running in each sandbox through the situation analysis system;
and, for a risk detection result among the first detection results, determining the risk APP corresponding to that risk detection result through the situation analysis system, and performing risk situation analysis on the risk APP.
9. An APP detection device, comprising:
the behavior acquisition module is used for acquiring the running behavior of the APP running in the sandbox reported by the detection firmware in the sandbox; wherein at least one layer of the system architecture of the sandbox comprises the detection firmware for monitoring the operational behavior in real time;
the first detection result sending module is used for detecting the operation behavior, obtaining a first detection result corresponding to the operation behavior, and sending the first detection result to a situation analysis system;
and the application analysis module is used for dynamically analyzing the APP through the situation analysis system.
10. APP detection equipment, comprising:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the APP detection method as claimed in any one of claims 1-8.
11. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the APP detection method as claimed in any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011550192.5A CN112685737A (en) 2020-12-24 2020-12-24 APP detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112685737A true CN112685737A (en) 2021-04-20

Family

ID=75452260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011550192.5A Pending CN112685737A (en) 2020-12-24 2020-12-24 APP detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112685737A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN106341282A (en) * 2016-11-10 2017-01-18 广东电网有限责任公司电力科学研究院 Malicious code behavior analyzer
CN107688743A (en) * 2017-08-14 2018-02-13 北京奇虎科技有限公司 The determination method and system of a kind of rogue program
CN108133139A (en) * 2017-11-28 2018-06-08 西安交通大学 A kind of Android malicious application detecting system compared based on more running environment behaviors

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113177205A (en) * 2021-04-27 2021-07-27 国家计算机网络与信息安全管理中心 Malicious application detection system and method
CN113177205B (en) * 2021-04-27 2023-09-15 国家计算机网络与信息安全管理中心 Malicious application detection system and method
CN113206850B (en) * 2021-04-30 2022-09-16 北京恒安嘉新安全技术有限公司 Malicious sample message information acquisition method, device, equipment and storage medium
CN113206850A (en) * 2021-04-30 2021-08-03 北京恒安嘉新安全技术有限公司 Malicious sample message information acquisition method, device, equipment and storage medium
CN113254932B (en) * 2021-06-16 2024-02-27 百度在线网络技术(北京)有限公司 Application risk detection method and device, electronic equipment and medium
CN113254932A (en) * 2021-06-16 2021-08-13 百度在线网络技术(北京)有限公司 Application program risk detection method and device, electronic equipment and medium
CN113505374A (en) * 2021-07-12 2021-10-15 恒安嘉新(北京)科技股份公司 Information acquisition range detection method and device, electronic equipment and medium
CN113672907B (en) * 2021-07-29 2023-12-22 济南浪潮数据技术有限公司 Java safety precaution method, device and medium based on JVM sandbox and black-and-white list
CN113672907A (en) * 2021-07-29 2021-11-19 济南浪潮数据技术有限公司 Java safety precaution method, device and medium based on JVM sandbox and black and white list
CN113987485A (en) * 2021-09-28 2022-01-28 奇安信科技集团股份有限公司 Application program sample detection method and device
CN113987496A (en) * 2021-11-04 2022-01-28 北京天融信网络安全技术有限公司 Malicious attack detection method and device, electronic equipment and readable storage medium
CN114297700B (en) * 2021-11-11 2022-09-23 北京邮电大学 Dynamic and static combined mobile application privacy protocol extraction method and related equipment
CN114297700A (en) * 2021-11-11 2022-04-08 北京邮电大学 Dynamic and static combined mobile application privacy protocol extraction method and related equipment
CN114285627B (en) * 2021-12-21 2023-12-22 安天科技集团股份有限公司 Flow detection method and device, electronic equipment and computer readable storage medium
CN114285627A (en) * 2021-12-21 2022-04-05 安天科技集团股份有限公司 Flow detection method and device, electronic equipment and computer readable storage medium
CN114510717A (en) * 2022-01-25 2022-05-17 上海斗象信息科技有限公司 ELF file detection method and device and storage medium
CN114666143A (en) * 2022-03-29 2022-06-24 杭州安恒信息安全技术有限公司 Application program source tracing and certificate transferring method, device, equipment and medium
CN114666143B (en) * 2022-03-29 2024-04-09 杭州安恒信息安全技术有限公司 Application program tracing and evidence regulating method, device, equipment and medium
CN114884717B (en) * 2022-04-28 2023-08-25 浙江大学 User data deep evidence collection analysis method and system for Internet of things equipment
CN114884717A (en) * 2022-04-28 2022-08-09 浙江大学 User data deep evidence obtaining analysis method and system for Internet of things equipment
CN115659337B (en) * 2022-10-24 2023-04-11 国网山东省电力公司 Computer network defense method and system
CN115659337A (en) * 2022-10-24 2023-01-31 国网山东省电力公司 Computer network defense method and system
CN116107912A (en) * 2023-04-07 2023-05-12 石家庄学院 Security detection method and system based on application software
CN117079211A (en) * 2023-08-16 2023-11-17 广州腾方科技有限公司 Safety monitoring system and method for network machine room
CN117079211B (en) * 2023-08-16 2024-06-04 广州腾方科技有限公司 Safety monitoring system and method for network machine room
CN117521087A (en) * 2024-01-04 2024-02-06 江苏通付盾科技有限公司 Equipment risk behavior detection method, system and storage medium
CN117521087B (en) * 2024-01-04 2024-03-15 江苏通付盾科技有限公司 Equipment risk behavior detection method, system and storage medium

Similar Documents

Publication Publication Date Title
CN112685737A (en) APP detection method, device, equipment and storage medium
US10762206B2 (en) Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
Spreitzenbarth et al. Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques
Tien et al. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches
CN111931166B (en) Application program anti-attack method and system based on code injection and behavior analysis
Spreitzenbarth et al. Mobile-sandbox: having a deeper look into android applications
CN105956474B (en) Android platform software unusual checking system
US20180357446A1 (en) Privacy detection of a mobile application program
US10547626B1 (en) Detecting repackaged applications based on file format fingerprints
CN104484599A (en) Behavior processing method and device based on application program
CN107092830A (en) The early warning of IOS Malwares and detecting system and its method based on flow analysis
US11777961B2 (en) Asset remediation trend map generation and utilization for threat mitigation
CN113177205B (en) Malicious application detection system and method
US11762991B2 (en) Attack kill chain generation and utilization for threat analysis
CN116340943A (en) Application program protection method, device, equipment, storage medium and program product
Chen et al. Detection, traceability, and propagation of mobile malware threats
CN116932381A (en) Automatic evaluation method for security risk of applet and related equipment
KR20160090566A (en) Apparatus and method for detecting APK malware filter using valid market data
CN116415300A (en) File protection method, device, equipment and medium based on eBPF
Spreitzenbarth Dissecting the Droid: Forensic analysis of android and its malicious applications
Khan et al. An android applications vulnerability analysis using MobSF
Cheng et al. Static detection of dangerous behaviors in android apps
Changsan et al. Log4shell Investigate Based On Generic Computer Forensic Investigation Model
Alashjaee An Integrated Framework for Android Based Mobile Device Malware Forensics
Ning Analysis of the Latest Trojans on Android Operating System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination