CN113656801A - Classification method for Android malicious application family, server and terminal - Google Patents


Info

Publication number: CN113656801A
Authority: CN (China)
Prior art keywords: application, android, malicious, api, detected
Legal status: Granted
Application number: CN202110953987.9A
Other languages: Chinese (zh)
Other versions: CN113656801B (en)
Inventors: 罗明宇, 刘庆文, 韩瑜, 杨有为, 梁琦
Current assignee: CCB Finetech Co Ltd
Original assignee: CCB Finetech Co Ltd
Application filed by CCB Finetech Co Ltd
Priority to CN202110953987.9A
Publication of CN113656801A
Application granted
Publication of CN113656801B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention belongs to the field of the mobile internet and provides an Android malicious application family classification method, an Android application feature extraction method, a server, a terminal, a computing device and a computer-readable storage medium. The Android malicious application family classification method comprises the following steps: receiving application identifiers of Android applications to be tested, sent by a plurality of terminals; determining which Android applications have not yet been detected; and receiving an API call tree sent by the terminal corresponding to such an application, and analyzing it with a preset malicious application feature library to obtain a malicious classification result. Because a dynamic analysis method is adopted and the API call tree is analyzed with matching parameters that represent matching rules, the effect of packing and obfuscation of malicious applications on analysis accuracy is avoided, the behavior of a malicious application can be defined more precisely through the APIs it calls, accuracy is improved, and user security is improved.

Description

Classification method for Android malicious application family, server and terminal
Technical Field
The invention relates to the technical field of mobile interconnection, in particular to an Android malicious application family classification method, an Android application feature extraction method, a server, a terminal, computing equipment and a computer-readable storage medium.
Background
In recent years, with the rapid spread of the mobile internet, the emergence of all kinds of mobile phone applications has brought great convenience to people's lives and has even become an indispensable part of them. Compared with the traditional PC, mobile applications handle more private data and are more interactive, and they have also become a target of criminals. Because of the open nature of the Android system, malicious applications targeting Android have grown explosively, and Android has become the hardest-hit platform. Although the Android system is continuously upgraded and improved, the number of applications that illegally obtain users' private data has not decreased. To limit the reach and speed of propagation of malicious applications as far as possible, most mobile application markets perform security inspection on applications and judge whether they are malicious, but large numbers of malicious applications are still downloaded, installed and spread. Different malicious applications belong to different malicious families, and by studying their characteristics, the distinct malicious behavior characteristics of each family can be obtained.
The general process of the existing Android malicious application family classification method is as follows:
1) Preprocess the APK file of the Android malicious application to obtain the corresponding smali file.
2) On the basis of the smali file, count the different sensitive elements and, using the semantic information of each opcode, express them as operation codes to generate a sensitive opcode sequence.
3) Generate a text feature vector from the sensitive opcode sequence, and classify the Android malicious application with a trained classification model using that vector.
As this process shows, the existing Android malicious application family classification method mainly preprocesses the APK file, counts the different sensitive elements in the resulting smali file, generates a sensitive opcode sequence, and from that generates text feature vectors for classification. The method belongs to the category of static analysis methods and has clear limitations: more and more malicious applications are now packed and code-obfuscated, which seriously degrades the detection accuracy of static analysis, so that many malicious applications cannot be identified and user security is reduced.
Disclosure of Invention
In view of this, embodiments of the present invention provide an Android malicious application family classification method, an Android application feature extraction method, a server, a terminal, a computing device and a computer-readable storage medium. A dynamic analysis method is adopted: based on an API call tree generated by the terminal, the API call tree is analyzed using matching parameters that represent matching rules, so as to obtain a malicious application classification result. This not only avoids the effect of packing and obfuscation on analysis accuracy, but also defines malicious application behavior more precisely through the APIs the malicious application calls, classifies that behavior, and improves detection accuracy, thereby improving user security.
The embodiment of the invention provides a method for classifying Android malicious application families, which is applied to a server and comprises the following steps:
receiving application identifications of to-be-tested Android applications sent by a plurality of terminals;
determining the Android application which is not detected according to the application identification;
receiving an Application Programming Interface (API) call tree sent by the terminal corresponding to the undetected Android application, and analyzing the API call tree with a preset malicious application feature library to obtain a malicious classification result for the undetected Android application;
wherein the malicious application feature library stores the correspondence among malicious application category, matching parameter and application identifier.
Specifically, analyzing the API call tree by using a preset malicious application feature library to obtain a malicious classification result of the undetected Android application, including:
traversing an API call tree according to the depth of the API call tree, and dividing to obtain a plurality of different subtrees;
matching each sub-tree according to matching parameters corresponding to different malicious application categories in the malicious application feature library, and determining the malicious application category matched with each sub-tree;
determining the malicious classification result of the undetected Android application corresponding to the API call tree according to the malicious application categories matched by each subtree.
In a specific embodiment, the subtrees are divided as follows: the path from the root node of the API call tree to each leaf node forms one subtree.
In a specific embodiment, the Android malicious application family classification method further comprises pre-constructing the malicious application feature library, which comprises the following steps:
determining the application identifiers and malicious application categories of a plurality of Android malicious application samples;
dynamically analyzing the plurality of Android malicious application samples, extracting the key APIs called by each sample and the order in which they are called, and forming an API feature sequence for each sample as the matching parameter corresponding to that sample;
storing the application identifier and matching parameters of each Android malicious application sample in a database according to their correspondence, indexed by malicious application category, to form the malicious application feature library.
Further, the pre-construction of the malicious application feature library further comprises:
setting up a tested application list in the malicious application feature library, the tested application list being used to store the application identifiers of Android applications that have already been detected.
Correspondingly, determining the undetected Android application according to the application identifier comprises:
querying, in the tested application list of the malicious application feature library, the application identifier of the Android application to be tested sent by each terminal;
if the identifier is not found, determining that the Android application has not been detected, and sending a feature extraction instruction to the corresponding terminal.
Preferably, in another specific embodiment, the Android malicious application family classification method further comprises:
after the malicious classification result of the undetected Android application is obtained, updating the tested application list.
An embodiment of the invention also provides an Android application feature extraction method, applied to a terminal, comprising:
generating an application identifier of the Android application to be tested, and sending it to the server;
when a feature extraction instruction sent by the server is received, extracting the dynamic behavior of the undetected Android application on the terminal, generating an API call tree of the undetected Android application, and sending the API call tree to the server.
In a specific embodiment, extracting the dynamic behavior of the undetected Android application on the terminal and generating its API call tree comprises:
when the undetected Android application calls a system API of the terminal, recording the called API name, parameters and return value data, the system API of the terminal being a hooked system API;
forming a call dependency sequence of the APIs from the called API names, parameters and return value data;
generating the API call tree of the undetected Android application from the call dependency sequence of the APIs.
An embodiment of the present invention further provides a server, including:
the identification receiving module is used for receiving application identifications of the Android application to be tested, which are sent by the plurality of terminals;
the detection identification module is used for determining the Android application which is not detected according to the application identifier;
a malicious classification module, used to receive an Application Programming Interface (API) call tree sent by the terminal corresponding to the undetected Android application, and to analyze the API call tree with a preset malicious application feature library to obtain a malicious classification result for the undetected Android application;
wherein the malicious application feature library stores the correspondence among malicious application category, matching parameter and application identifier.
In a specific embodiment, the malicious classification module is specifically configured to:
traversing an API call tree according to the depth of the API call tree, and dividing to obtain a plurality of different subtrees;
matching each sub-tree according to matching parameters corresponding to different malicious application categories in the malicious application feature library, and determining the malicious application category matched with each sub-tree;
determining the malicious classification result of the undetected Android application corresponding to the API call tree according to the malicious application categories matched by each subtree.
Specifically, the subtrees are divided as follows: the path from the root node of the API call tree to each leaf node forms one subtree.
In an embodiment, the server further comprises a feature library pre-construction module, used for:
determining the application identifiers and malicious application categories of a plurality of Android malicious application samples;
dynamically analyzing the plurality of Android malicious application samples, extracting the key APIs called by each sample and the order in which they are called, and forming an API feature sequence for each sample as the matching parameter corresponding to that sample;
storing the application identifier and matching parameters of each Android malicious application sample in a database according to their correspondence, indexed by malicious application category, to form the malicious application feature library.
Further, the feature library pre-construction module further comprises a tested list setting unit, used for:
setting up a tested application list in the malicious application feature library, the tested application list being used to store the application identifiers of Android applications that have already been detected.
Correspondingly, the detection identification module is specifically configured to:
query, in the tested application list of the malicious application feature library, the application identifier of the Android application to be tested sent by each terminal;
if the identifier is not found, determine that the Android application has not been detected, and send a feature extraction instruction to the corresponding terminal.
In another specific embodiment, the server further comprises a list update module, used to:
update the tested application list after the malicious classification result of the undetected Android application is obtained.
An embodiment of the present invention further provides a terminal, comprising:
an identifier generation module, used to generate an application identifier of the Android application to be detected and send it to the server;
a call tree generation module, used to extract the dynamic behavior of the undetected Android application on the terminal when a feature extraction instruction sent by the server is received, generate the API call tree of the undetected Android application, and send the API call tree to the server.
In a specific embodiment, the call tree generation module is specifically configured to:
when the undetected Android application calls a system API of the terminal, record the called API name, parameters and return value data, the system API of the terminal being a hooked system API;
form a call dependency sequence of the APIs from the called API names, parameters and return value data;
generate the API call tree of the undetected Android application from the call dependency sequence of the APIs.
An embodiment of the invention also provides a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, the processor executing the computer program to implement the Android malicious application family classification method and the Android application feature extraction method described above.
An embodiment of the invention also provides a computer-readable storage medium storing a computer program for executing the Android malicious application family classification method and the Android application feature extraction method described above.
According to this technical scheme, after the terminal sends the identifier of the Android application to be detected to the server, the server determines whether the application has not yet been detected, receives the API call tree of the undetected Android application generated by the terminal, and analyzes the API call tree with the preset malicious application feature library to obtain the malicious classification result. Dynamic analysis is thus realized on the basis of the API call tree, the effect of packing and obfuscation on analysis accuracy is avoided, the behavior of a malicious application can be accurately defined and classified through the APIs it calls, detection accuracy is improved, and user security is therefore improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a classification method for an Android malicious application family in an embodiment of the present invention.
Fig. 2 is a schematic diagram of pre-construction of a malicious application feature library in an embodiment of the present invention.
Fig. 3 is a schematic diagram of the implementation process of step 102 in the embodiment of the present invention.
Fig. 4 is a schematic diagram of the implementation process of step 103 in the embodiment of the present invention.
Fig. 5 is a schematic diagram of an Android application feature extraction method in the embodiment of the invention.
Fig. 6 is a schematic diagram illustrating an implementation process of step 502 in an embodiment of the present invention.
FIG. 7 is a schematic flow chart of an embodiment of the present invention.
Fig. 8 is a diagram of a malicious application feature library according to an embodiment of the present invention.
FIG. 9 is an exemplary diagram of an API call tree in an embodiment of the present invention.
FIG. 10 is a diagram illustrating an API call tree with privacy stealing behavior in an embodiment of the invention.
Fig. 11 is a schematic diagram of a server in an embodiment of the invention.
FIG. 12 is a diagram illustrating a server according to an embodiment of the present invention.
Fig. 13 is a schematic diagram of a server according to another embodiment of the invention.
Fig. 14 is a schematic diagram of a terminal in an embodiment of the invention.
Fig. 15 is a schematic diagram of an electronic device for Android malicious application family classification and Android application feature extraction in the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides an Android malicious application family classification method, an Android application feature extraction method, a server, a terminal, computing equipment and a computer-readable storage medium.
Specifically, an embodiment of the present invention provides an Android malicious application family classification method, which is used to improve the accuracy of malicious detection, and as shown in fig. 1, the method is applied to a server, and includes:
step 101: receiving application identifications of to-be-tested Android applications sent by a plurality of terminals;
step 102: determining the Android application which is not detected according to the application identifier;
step 103: receiving an Application Programming Interface (API) calling tree sent by a terminal corresponding to the undetected Android application, and analyzing the API calling tree by using a preset malicious application feature library to obtain a malicious classification result of the undetected Android application;
the malicious application feature library stores the corresponding relation among the malicious application category, the matching parameters and the application identification.
In specific implementation, the application identifiers of the Android applications to be tested sent by the plurality of terminals are received; an application identifier is the unique identifier of an Android application, and different Android applications have different identifiers.
The undetected Android applications are then determined according to the application identifiers. An application that has already been detected does not need to be detected again each time; to reduce workload, in a specific embodiment the detection results of detected Android applications are stored, and the undetected Android applications are determined by their application identifiers.
In specific implementation, the Android malicious application family classification method provided in a specific embodiment further comprises pre-constructing the malicious application feature library. As shown in fig. 2, this comprises:
step 201: determining application identifications and malicious application categories of a plurality of Android malicious application samples;
step 202: dynamically analyzing the plurality of Android malicious application samples, extracting the key APIs called by each sample and the order in which they are called, and forming an API feature sequence for each sample as the matching parameter corresponding to that sample;
step 203: storing the application identifier and matching parameters of each Android malicious application sample in a database according to their correspondence, indexed by malicious application category, to form the malicious application feature library.
In addition, in this specific embodiment, pre-constructing the malicious application feature library further comprises: setting up a tested application list in the malicious application feature library, the tested application list being used to store the application identifiers of Android applications that have already been detected.
Accordingly, the implementation process of step 102, as shown in fig. 3, includes:
step 301: in a tested application list of a malicious application feature library, inquiring an application identifier of the Android application to be tested sent by each terminal;
step 302: if the identifier is not found, determining that the Android application has not been detected, and sending a feature extraction instruction to the corresponding terminal.
After the undetected Android application is determined, the Application Programming Interface (API) call tree sent by the terminal for that application is received and analyzed with the preset malicious application feature library to obtain the malicious classification result of the undetected Android application. As shown in fig. 4, the specific implementation comprises:
step 401: traversing an API call tree according to the depth of the API call tree, and dividing to obtain a plurality of different subtrees;
step 402: matching each sub-tree according to matching parameters corresponding to different malicious application categories in the malicious application feature library, and determining the malicious application category matched with each sub-tree;
step 403: determining the malicious classification result of the undetected Android application corresponding to the API call tree according to the malicious application categories matched by each subtree.
In a specific embodiment, the subtrees are divided as follows: the path from the root node of the API call tree to each leaf node forms one subtree. The matching parameters represent the rules matched by each malicious application category; each matching parameter is taken in turn as the reference against which every subtree is matched, one or more malicious application categories matched by each subtree are determined, and the categories matched by all subtrees are combined to obtain the malicious classification result of the undetected Android application corresponding to the API call tree.
To keep the tested application list up to date, the Android malicious application family classification method in another specific embodiment further comprises: after the malicious classification result of the undetected Android application is obtained, updating the tested application list, i.e. promptly recording the application identifier of the Android application that now has a detection result in the tested application list.
To improve detection accuracy and user security, an embodiment of the present invention further provides an Android application feature extraction method, applied to a terminal, which, as shown in fig. 5, comprises:
step 501: generating an application identifier of the Android application to be tested, and sending the application identifier of the Android application to be tested to a server;
step 502: and when a feature extraction instruction sent by the server is received, extracting the dynamic behavior of the Android application which is not detected on the terminal, generating an API call tree of the Android application which is not detected, and sending the API call tree to the server.
In a specific embodiment, the application identifier is generated as follows:
application identifier = Hash(application name + package name + signature + version number)
In a specific embodiment, the extracting the dynamic behavior of the undetected Android application on the terminal, and generating an API call tree of the undetected Android application, as shown in fig. 6, includes:
step 601: when the Android application which is not detected calls the system API of the terminal, recording the called API name, parameters and return value data;
step 602: forming a call dependency sequence of the APIs from the called API names, parameters and return value data;
step 603: generating the API call tree of the undetected Android application from the call dependency sequence of the APIs.
The system API of the terminal is a hooked system API; specifically, the terminal hooks the system API using the VirtualXposed framework.
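The terminal-side procedure of steps 501 and 601 to 603 (identifier generation, hook records, call dependency sequence, API call tree), as an added Python illustration that is not the patent's code and not VirtualXposed code. Its assumptions: hook records are modelled as dicts with the fields name, args and ret; a call depends on the most recent earlier call whose return value appears among its arguments (the data correlation the description relies on), and calls with no such producer hang off the root; the identifier hash is SHA-256 over the four fields joined with "|" (the separator and hash function are not specified by the patent). The hook log below is constructed sample data shaped like the fig. 10 subtree.

```python
"""Terminal-side API call tree generation (added illustration, not the patent's code)."""
import hashlib
from typing import Any, Dict, List, Tuple


def app_identifier(app_name: str, package: str, signature: str, version: str) -> str:
    """Step 501: Hash(application name + package name + signature + version number).
    SHA-256 and the '|' separator are assumptions; the patent only says 'Hash'."""
    material = "|".join((app_name, package, signature, version))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


# Constructed hook log: what a hooked system API layer would record (step 601).
# The IMEI value and ciphertext bytes are made up for the example.
HOOK_LOG: List[Dict[str, Any]] = [
    {"name": "TelephonyManager.getDeviceId", "args": [], "ret": "IMEI-0000000000"},
    {"name": "Log.d", "args": ["tag", "started"], "ret": 0},
    {"name": "Cipher.doFinal", "args": ["IMEI-0000000000"], "ret": b"\x9a\x11\x42"},
    {"name": "BufferedOutputStream.write", "args": [b"\x9a\x11\x42"], "ret": None},
]


def call_dependency_sequence(log: List[Dict[str, Any]]) -> List[Tuple[int, int]]:
    """Step 602: pair each call with the index of the earlier call it depends on.

    Returns (index, parent_index) pairs, parent_index -1 meaning the root.
    Dependence = one of this call's arguments equals an earlier call's return
    value; the most recent producer wins when several match. Calls that
    returned nothing cannot be producers.
    """
    seq = []
    for i, rec in enumerate(log):
        parent = -1
        for j in range(i - 1, -1, -1):
            ret = log[j]["ret"]
            if ret is not None and any(ret == a for a in rec["args"]):
                parent = j
                break
        seq.append((i, parent))
    return seq


def build_call_tree(log: List[Dict[str, Any]], root_name: str = "App") -> Dict[str, Any]:
    """Step 603: turn the dependency sequence into a nested {name, children} tree."""
    nodes = [{"name": rec["name"], "children": []} for rec in log]
    root: Dict[str, Any] = {"name": root_name, "children": []}
    for i, parent in call_dependency_sequence(log):
        (root if parent < 0 else nodes[parent])["children"].append(nodes[i])
    return root


def tree_paths(tree: Dict[str, Any], prefix: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Root-to-leaf API name paths, for inspecting the generated tree."""
    path = prefix + (tree["name"],)
    if not tree["children"]:
        return [path]
    out = []
    for child in tree["children"]:
        out.extend(tree_paths(child, path))
    return out


if __name__ == "__main__":
    print(app_identifier("Demo", "com.example.demo", "SIG", "1.0"))
    for p in tree_paths(build_call_tree(HOOK_LOG)):
        print(" -> ".join(p))
```

Run stand-alone it prints the identifier and two paths: the getDeviceId / doFinal / write chain that fig. 10 describes, and the unrelated Log.d call directly under the root. Matching on return values rather than on call order alone is what keeps an interleaved, unrelated call out of the privacy-stealing chain.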
A specific example is given below to illustrate how Android malicious application family classification is performed according to an embodiment of the present invention. The method in this example is implemented on a server and a terminal respectively; the flowchart is shown in fig. 7, and the specifics are as follows:
(1) the server side:
constructing a malicious application feature library:
the malicious application feature library is classified according to different malicious behaviors. Each category comprises a matching rule of the malicious behavior and an application identifier with the malicious behavior, basic data of the malicious application feature library matching rule and the application identifier can be extracted from the malicious behavior in the existing malicious application sample to be used as original feature library data, in addition, the malicious application feature library also comprises a tested application list used for storing the application identifier of the tested application, and the structure of the malicious application feature library is shown in fig. 8.
Extracting a malicious behavior matching rule: and dynamically analyzing the malicious application sample, extracting the key API and sequence called by the malicious application to form an API characteristic sequence as a matching rule of the malicious behavior. If the malicious behavior of illegally obtaining the private data inevitably has the behavior of obtaining the private data and the behavior of sending the private data, namely, the interface for obtaining the private data (the interface for obtaining equipment information, an address list and the like) and the interface for sending the data (the interface for network communication, short message sending and the like) are called, and the calling sequence of the interface for obtaining the private data is before the interface for sending the data and has data correlation, the behavior of obtaining the private data by the application can be explained.
The application identification is used for distinguishing different applications, and is stored in the feature library as the unique identification of the application, and if the identifications of the two applications are the same, the two applications can be judged to be the same application. And because a malicious application may have different malicious behaviors at the same time, the same application identifier may exist in different classifications.
Application classification:
After receiving the API call tree uploaded by the terminal, the server first traverses it depth-first and divides it into different subtrees. Each subtree runs from the root node to one leaf node, so the API call tree shown in fig. 9 is divided into three subtrees: ABD, ABE and AC. Then, according to the classification rules (each malicious application category has one or more matching rules), every subtree of the API call tree is analyzed; if a subtree matches a rule, the application is classified into the malicious application category to which that rule belongs. For example, suppose an application's API call tree contains the subtree shown in fig. 10: TelephonyManager.getDeviceId() -> Cipher.doFinal() -> BufferedOutputStream(). The behavior read from this subtree is that the application obtains the IMEI (International Mobile Equipment Identity), encrypts it, and finally sends it through a network interface. This matches the privacy-stealing malicious behavior, so the application is classified as a privacy-stealing malicious application.
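The server-side classification just described, as an added example that is not code from the patent: it splits a call tree into root-to-leaf subtrees by depth-first traversal, matches each subtree against the API feature sequences of a feature library laid out as in the description above (categories, rules, application identifiers and a tested list), and classifies the fig. 10 subtree as privacy stealing. The library contents, the trees and the application identifiers are constructed for the example.

```python
# Added example, not code from the patent: server-side classification of an
# uploaded API call tree against a malicious application feature library.
from typing import Dict, List, Set

CallTree = Dict[str, List[str]]  # parent API -> child APIs fed by its return value

# Constructed feature library. API names are real Android/Java methods, but the
# rule set is illustrative and not the patent's actual rules. Each category
# holds its matching rules (ordered API feature sequences) and the identifiers
# of applications already assigned to it.
FEATURE_LIBRARY: Dict[str, dict] = {
    "privacy_stealing": {
        "rules": [
            ["android.telephony.TelephonyManager.getDeviceId",
             "java.io.BufferedOutputStream.write"],
            ["android.telephony.TelephonyManager.getDeviceId",
             "android.telephony.SmsManager.sendTextMessage"],
        ],
        "app_ids": set(),
    },
}
TESTED_LIST: Set[str] = set()  # application identifiers already classified


def find_root(tree: CallTree) -> str:
    """The root is the one node that no other node lists as a child."""
    children = {c for cs in tree.values() for c in cs}
    roots = [n for n in tree if n not in children]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    return roots[0]


def split_subtrees(tree: CallTree) -> List[List[str]]:
    """Depth-first traversal; every root-to-leaf path is one subtree
    (for the fig. 9 tree: ABD, ABE and AC)."""
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        path.append(node)
        children = tree.get(node, [])
        if not children:
            paths.append(list(path))
        for child in children:
            dfs(child, path)
        path.pop()

    dfs(find_root(tree), [])
    return paths


def matches_rule(subtree: List[str], rule: List[str]) -> bool:
    """A rule matches when its APIs occur along the subtree in the same order.
    Calls between them (e.g. Cipher.doFinal between getDeviceId and write)
    are allowed: the root-to-leaf order itself carries the data correlation."""
    position = 0
    for api in subtree:
        if position < len(rule) and api == rule[position]:
            position += 1
    return position == len(rule)


def classify(app_id: str, tree: CallTree) -> Dict[str, List[List[str]]]:
    """Return {category: [matching subtrees]} and record the result in the library."""
    result: Dict[str, List[List[str]]] = {}
    for subtree in split_subtrees(tree):
        for category, entry in FEATURE_LIBRARY.items():
            if any(matches_rule(subtree, rule) for rule in entry["rules"]):
                result.setdefault(category, []).append(subtree)
                entry["app_ids"].add(app_id)  # one app id may land in several categories
    TESTED_LIST.add(app_id)  # tested list is updated whether or not anything matched
    return result


# Constructed inputs. FIG9_TREE mirrors fig. 9 (A -> B, C; B -> D, E).
FIG9_TREE: CallTree = {"A": ["B", "C"], "B": ["D", "E"], "C": [], "D": [], "E": []}
# FIG10_TREE mirrors the fig. 10 subtree: getDeviceId -> Cipher.doFinal -> BufferedOutputStream.
FIG10_TREE: CallTree = {
    "android.telephony.TelephonyManager.getDeviceId": ["javax.crypto.Cipher.doFinal"],
    "javax.crypto.Cipher.doFinal": ["java.io.BufferedOutputStream.write"],
    "java.io.BufferedOutputStream.write": [],
}
# A benign tree: the IMEI is only shown on screen and never sent anywhere.
BENIGN_TREE: CallTree = {
    "android.telephony.TelephonyManager.getDeviceId": ["android.widget.TextView.setText"],
    "android.widget.TextView.setText": [],
}

if __name__ == "__main__":
    print(split_subtrees(FIG9_TREE))
    print(classify("app-id-placeholder-1", FIG10_TREE))
    print(classify("app-id-placeholder-2", BENIGN_TREE))
```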
(2) A terminal:
Application identifier generation and detection:
The terminal generates an application identifier for the application to be tested as follows:
application identifier = Hash(application name + package name + signature + version number)
After receiving the identifier, the server compares it with the tested application list in the malicious application feature library; if the same application identifier exists, it returns to the terminal that the identifier exists, otherwise it returns that the identifier does not exist. When the terminal receives the reply that the identifier does not exist, it extracts the behavior characteristics of the application.
Extracting application behavior characteristics: the behavior characteristics are extracted and generated from the dynamic behavior of the application on the terminal. The specific steps are as follows:
The terminal hooks the system API using the VirtualXposed framework.
When the application to be tested calls a system API, the called API name, parameters and return value are recorded.
An API call dependency sequence is formed from the recorded API names, parameters and return value data and turned into an API call tree; the API call tree and the application identifier are then sent to the server.
For example, if the return value of interface A is a parameter of interface B and of interface C, and the return value of interface B is a parameter of interface D and of interface E, the call tree shown in fig. 9 is obtained.
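The terminal side of the steps above (and of steps 601 to 603 earlier), as an added example that is not code from the patent or from VirtualXposed: it derives the application identifier, links each recorded call's parameters to return values of earlier calls to form the call dependency sequence, and builds the fig. 9 call tree from it. The hash algorithm (SHA-256; the page does not name one), the value identity tokens a hook would log, the trace itself and the JSON upload format are assumptions made for the example.

```python
# Added example, not the patent's or VirtualXposed's code: terminal side of the
# method. It derives the application identifier and turns the records a hook
# would log (API name, parameters, return value) into the call dependency
# sequence and the API call tree that are uploaded to the server.
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppInfo:
    app_name: str
    package_name: str
    signature: str   # assumed form: digest of the signing certificate
    version: str


def application_identifier(info: AppInfo) -> str:
    """Hash(application name + package name + signature + version number).
    The patent does not name the hash; SHA-256 over the fields joined with a
    separator is assumed so that field boundaries cannot be shifted."""
    material = "\x1f".join([info.app_name, info.package_name, info.signature, info.version])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ApiCall:
    """One record as the hook would log it. params and ret are identity tokens
    of the objects seen (assumed: on the device this could be an identity hash)."""
    seq: int
    api: str
    params: Tuple[str, ...]
    ret: Optional[str]


def call_dependency_sequence(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Edges (producer API, consumer API): the consumer received as a parameter
    a value that the producer returned earlier. Records are processed in call
    order, so a token is bound to its most recent producer."""
    producer: Dict[str, str] = {}
    edges: List[Tuple[str, str]] = []
    for call in sorted(calls, key=lambda c: c.seq):
        for token in call.params:
            if token in producer:
                edges.append((producer[token], call.api))
        if call.ret is not None:
            producer[call.ret] = call.api
    return edges


def build_call_tree(edges: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Adjacency lists keyed by API name; leaves appear as keys with no children.
    The constructed trace calls each API once, so the API name is the node id."""
    tree: Dict[str, List[str]] = {}
    for parent, child in edges:
        tree.setdefault(parent, []).append(child)
        tree.setdefault(child, [])
    return tree


def upload_message(app_id: str, tree: Dict[str, List[str]]) -> str:
    """Payload sent to the server (wire format assumed; the patent does not fix one)."""
    return json.dumps({"app_id": app_id, "call_tree": tree}, sort_keys=True)


# Constructed trace matching fig. 9: A's return value feeds B and C, B's feeds D and E.
SAMPLE_CALLS = [
    ApiCall(1, "android.telephony.TelephonyManager.getDeviceId", (), "imei@1"),             # A
    ApiCall(2, "javax.crypto.Cipher.doFinal", ("imei@1",), "cipher@2"),                    # B
    ApiCall(3, "android.util.Log.d", ("tag@0", "imei@1"), "int@3"),                        # C
    ApiCall(4, "java.io.BufferedOutputStream.write", ("cipher@2",), None),                # D
    ApiCall(5, "android.telephony.SmsManager.sendTextMessage", ("num@0", "cipher@2"), None),  # E
    ApiCall(6, "java.lang.System.currentTimeMillis", (), "long@6"),  # no data link: not in tree
]
SAMPLE_APP = AppInfo("Demo Wallet", "com.example.demo", "SIGNATURE_PLACEHOLDER", "1.2.3")

if __name__ == "__main__":
    edges = call_dependency_sequence(SAMPLE_CALLS)
    print(upload_message(application_identifier(SAMPLE_APP), build_call_tree(edges)))
```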
In this specific example, malicious application classification is performed by the terminal and the server in cooperation. The terminal collects the application's behavior characteristics, and the server identifies and classifies malicious applications according to the matching rules and the behavior characteristics uploaded by the terminal. In this way more application data can be collected and the behavior characteristics of new versions or variants of malicious applications can be collected promptly; the larger the range and number of terminals, the more markedly the timeliness improves.
Secondly, the dynamic API hooking method effectively avoids the influence of packing and obfuscation of the malicious application on the analysis; generating an API call tree identifies the malicious behavior of the application more accurately and reduces the classification error rate.
The implementation described above is only an example; other embodiments are not described in detail.
Based on the same inventive concept, an embodiment of the present invention further provides a server. Because the principle by which the server solves the problem is similar to that of the Android malicious application family classification method, its implementation may refer to that of the method and repeated parts are not described again. Its specific structure is shown in fig. 11:
the identifier receiving module 1101 is configured to receive application identifiers of the Android applications to be tested, which are sent by the plurality of terminals;
the detection identification module 1102 is used for determining the Android application which is not detected according to the application identifier;
the malicious classification module 1103 is configured to receive an application programming interface API call tree uploaded by a terminal corresponding to an undetected Android application, and analyze the API call tree by using a preset malicious application feature library to obtain a malicious classification result of the undetected Android application;
the malicious application feature library stores the corresponding relation among the malicious application category, the matching parameters and the application identification.
In a specific embodiment, the malicious classification module 1103 is specifically configured to:
traversing the API call tree depth-first and dividing it into a plurality of different subtrees;
matching each sub-tree according to matching parameters corresponding to different malicious application categories in the malicious application feature library, and determining the malicious application category matched with each sub-tree;
and determining the malicious classification result of the undetected Android application corresponding to the API call tree according to the malicious application class matched with each subtree.
Specifically, the subtrees are divided as follows: each path from the root node of the API call tree to a leaf node forms one subtree.
As shown in fig. 12, the server in an embodiment further includes, on the basis of fig. 11: a feature library pre-construction module 1201, configured to:
determining application identifications and malicious application categories of a plurality of Android malicious application samples;
dynamically analyzing the plurality of Android malicious application samples, extracting a key API and a sequence called by each Android malicious application sample, and forming an API characteristic sequence of each Android malicious application sample as a matching parameter corresponding to each Android malicious application sample;
and storing the application identification and the matching parameters of each Android malicious application sample in a database according to the corresponding relation by taking the malicious application category as an index to form a malicious application feature library.
Further, the feature library pre-construction module 1201 further includes a tested list setting unit, configured to:
set a tested application list in the malicious application feature library, wherein the tested application list stores the application identifiers of Android applications that have already been detected.
Accordingly, the detection and identification module 1102 is specifically configured to:
query, in the tested application list of the malicious application feature library, the application identifier of the Android application to be tested sent by each terminal;
if it is not found, determine that the Android application has not been detected, and send a feature extraction instruction to the corresponding terminal.
In another specific embodiment, the structure of the server is as shown in fig. 13, and on the basis of fig. 12, the server further includes:
a list update module 1301, configured to:
after the malicious classification result of the undetected Android application is obtained, update the tested application list.
In addition, an embodiment of the present invention further provides a terminal, as shown in fig. 14, including:
an identifier generating module 1401, configured to generate an application identifier of the to-be-tested Android application, and send the application identifier of the to-be-tested Android application to the server;
the call tree generation module 1402 is configured to, when receiving a feature extraction instruction sent by the server, extract a dynamic behavior of the undetected Android application on the terminal, generate an API call tree of the undetected Android application, and send the API call tree to the server.
In a specific embodiment, the call tree generation module 1402 is specifically configured to:
when the Android application which is not detected calls the system API of the terminal, recording the called API name, parameters and return value data; the system API of the terminal is a Hook system API;
forming a calling dependency sequence of the API according to the called API name, the called API parameter and the called return value data;
and generating an API call tree of the Android application which is not detected according to the call dependency sequence of the API.
Fig. 15 is a schematic block diagram of a system configuration of an electronic device 1500 according to an embodiment of the present application. As shown in fig. 15, the electronic device 1500 may include a central processor 1501 and a memory 1502; a memory 1502 is coupled to the central processor 1501. Notably, this fig. 15 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the functions of the server and the terminal may be integrated into the central processor 1501. The central processor 1501 may be configured to control as follows:
the terminal generates an application identifier of the Android application to be tested, and sends the application identifier of the Android application to be tested to the server;
the server receives the application identifiers of the Android applications to be tested sent by a plurality of terminals;
the server determines the Android application which is not detected according to the application identifier;
when the terminal receives a feature extraction instruction sent by the server, extracting the dynamic behavior of the Android application which is not detected on the terminal, generating an API call tree of the Android application which is not detected, and sending the API call tree to the server;
the server receives an Application Programming Interface (API) call tree sent by the terminal corresponding to the undetected Android application, and analyzes the API call tree using a preset malicious application feature library to obtain the malicious classification result of the undetected Android application;
the malicious application feature library stores the corresponding relation among the malicious application category, the matching parameters and the application identification.
As can be seen from the above description, the electronic device provided in the embodiment of the present application uses a dynamic analysis method: based on the API call tree generated by the terminal, the API call tree is analyzed using the matching parameters that represent the matching rules, so as to obtain the classification result of the malicious application. This not only avoids the influence of packing and obfuscation of the malicious application on the analysis accuracy, but also defines the behavior of the malicious application more accurately through the APIs it calls, classifies that behavior, and improves the detection accuracy, thereby improving the safety of the user.
In another embodiment, the server and the terminal may be configured separately from the central processor 1501, for example, the server and the terminal may be configured as a chip connected to the central processor 1501, and the functions of Android malicious application family classification and Android application feature extraction are realized through the control of the central processor.
As shown in fig. 15, the electronic device 1500 may further include: a communication module 1503, an input unit 1504, an audio processor 1505, a display 1506, and a power supply 1507. It is noted that the electronic device 1500 does not necessarily include all of the components shown in FIG. 15; furthermore, the electronic device 1500 may also include components not shown in fig. 15, which may be referred to in the prior art.
As shown in fig. 15, a central processor 1501, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, which central processor 1501 receives input and controls the operation of the various components of the electronic device 1500.
The memory 1502 may be, for example, one or more of a buffer, a flash memory, a hard drive, a removable medium, a volatile memory, a non-volatile memory, or other suitable device. It may store information related to the relevant processing, as well as a program for performing that processing. The central processor 1501 may execute the program stored in the memory 1502 to realize information storage or processing, or the like.
An input unit 1504 provides input to the central processor 1501. The input unit 1504 is, for example, a key or a touch input device. The power supply 1507 is used to supply power to the electronic device 1500. The display 1506 is used to display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 1502 may be a solid state memory such as Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that holds information even when power is off, can be selectively erased, and is provided with more data, an example of which is sometimes called an EPROM or the like. The memory 1502 may also be some other type of device. The memory 1502 includes a buffer memory 1521 (sometimes referred to as a buffer). The memory 1502 may include an application/function storage portion 1522, the application/function storage portion 1522 being used to store application programs and function programs or a flow for executing operations of the electronic device 1500 by the central processor 1501.
The memory 1502 may also include a data store 1523, the data store 1523 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by the electronic device. The driver storage portion 1524 of the memory 1502 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, directory applications, etc.).
The communication module 1503 is a transmitter/receiver 1503 that transmits and receives signals via an antenna 1508. A communication module (transmitter/receiver) 1503 is coupled to the central processor 1501 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 1503, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 1503 is also coupled to a speaker 1509 and a microphone 1510 via an audio processor 1505 to provide audio output via the speaker 1509 and receive audio input from the microphone 1510, thereby implementing general telecommunication functions. The audio processor 1505 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 1505 is also coupled to the central processor 1501, enabling recording locally through the microphone 1510, and enabling locally stored sound to be played through the speaker 1509.
An embodiment of the present invention further provides a computer-readable storage medium capable of implementing all the steps in the method for classifying an Android malicious application family and the method for extracting an Android application feature in the foregoing embodiments, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, all the steps in the method for classifying an Android malicious application family and the method for extracting an Android application feature in the foregoing embodiments are implemented, for example, when the processor executes the computer program, the following steps are implemented:
the terminal generates an application identifier of the Android application to be tested, and sends the application identifier of the Android application to be tested to the server;
the server receives the application identifiers of the Android applications to be tested sent by a plurality of terminals;
the server determines the Android application which is not detected according to the application identifier;
when the terminal receives a feature extraction instruction sent by the server, extracting the dynamic behavior of the Android application which is not detected on the terminal, generating an API call tree of the Android application which is not detected, and sending the API call tree to the server;
the server receives an Application Programming Interface (API) call tree sent by the terminal corresponding to the undetected Android application, and analyzes the API call tree using a preset malicious application feature library to obtain the malicious classification result of the undetected Android application;
the malicious application feature library stores the corresponding relation among the malicious application category, the matching parameters and the application identification.
As can be seen from the above description, the computer-readable storage medium provided in the embodiment of the present invention uses a dynamic analysis method: based on the API call tree generated by the terminal, the API call tree is analyzed using the matching parameters that represent the matching rules to obtain the classification result of the malicious application. This not only avoids the influence of packing and obfuscation of the malicious application on the analysis accuracy, but also defines the behavior of the malicious application more accurately through the APIs it calls for classification, so as to improve the detection accuracy and thereby the safety of the user.
In summary, the Android malicious application family classification method, the Android application feature extraction method, the server, the terminal, the computing device and the computer-readable storage medium provided by the embodiments of the present invention have the following advantages:
Based on hooked key system APIs, the call order is judged from the parameters and return values of the APIs, an API call tree is generated, and malicious applications are classified through the API call tree and the matching parameters that represent the matching rules. Because a dynamic analysis method is used, the influence of packing and obfuscation of the malicious application on the analysis accuracy is avoided, and the behavior of the malicious application can be accurately defined through the APIs it calls, which improves the accuracy of classification detection. Secondly, unlike a static analysis method, the dynamic analysis method can be deployed on a large number of terminal devices, and the terminals provide a large number of samples during use, so that more up-to-date characteristics can be collected, the detection timeliness is improved, the detection accuracy can be further improved, and the safety of users of Android applications is further ensured.
Although the present invention provides method steps as described in the examples or flowcharts, more or fewer steps may be included based on routine or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or client product executes, it may execute sequentially or in parallel (e.g., in the context of parallel processors or multi-threaded processing) according to the embodiments or methods shown in the figures.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, apparatus (system) or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "upper", "lower", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Unless expressly stated or limited otherwise, the terms "mounted," "linked," and "connected" are intended to be inclusive and mean, for example, that they may be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements.
The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations. It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention is not limited to any single aspect, nor is it limited to any single embodiment, nor is it limited to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the present invention may be utilized alone or in combination with one or more other aspects and/or embodiments thereof.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (20)

1. The method for classifying the Android malicious application family is applied to a server and comprises the following steps:
receiving application identifications of to-be-tested Android applications sent by a plurality of terminals;
determining the Android application which is not detected according to the application identification;
receiving an Application Programming Interface (API) calling tree sent by a terminal corresponding to the undetected Android application, and analyzing the API calling tree by using a preset malicious application feature library to obtain a malicious classification result of the undetected Android application;
and the malicious application feature library stores the corresponding relation among the malicious application category, the matching parameter and the application identifier.
2. The Android malicious application family classification method according to claim 1, wherein the API call tree is analyzed by using a preset malicious application feature library to obtain a malicious classification result of the Android application which has not been detected, and the method comprises the following steps:
traversing the API call tree depth-first and dividing it into a plurality of different subtrees;
matching each sub-tree according to matching parameters corresponding to different malicious application categories in the malicious application feature library, and determining the malicious application category matched with each sub-tree;
and determining the malicious classification result of the undetected Android application corresponding to the API call tree according to the malicious application class matched with each subtree.
3. The Android malicious application family classification method according to claim 2, wherein the subtrees are divided as follows: each path from the root node of the API call tree to a leaf node is taken as one subtree.
4. The Android malicious application family classification method according to claim 1, further comprising: the method comprises the following steps of pre-constructing a malicious application feature library, wherein the pre-constructing step comprises the following steps:
determining application identifications and malicious application categories of a plurality of Android malicious application samples;
dynamically analyzing the plurality of Android malicious application samples, extracting a key API and a sequence called by each Android malicious application sample, and forming an API characteristic sequence of each Android malicious application sample as a matching parameter corresponding to each Android malicious application sample;
and storing the application identification and the matching parameters of each Android malicious application sample in a database according to the corresponding relation by taking the malicious application category as an index to form a malicious application feature library.
5. The Android malicious application family classification method according to claim 4, further comprising:
setting a tested application list in the malicious application feature library, wherein the tested application list stores the application identifiers of Android applications that have already been detected.
6. The Android malicious application family classification method according to claim 5, wherein determining the Android application that has not been detected according to the application identifier comprises:
querying, in the tested application list of the malicious application feature library, the application identifier of the Android application to be tested sent by each terminal;
if it is not found, determining that the Android application has not been detected, and sending a feature extraction instruction to the corresponding terminal.
7. The Android malicious application family classification method according to claim 5, further comprising:
after the malicious classification result of the undetected Android application is obtained, updating the tested application list.
8. An Android application feature extraction method, applied to a terminal, comprising:
generating an application identifier of the Android application to be detected, and sending the application identifier to a server;
and, on receiving a feature extraction instruction from the server, extracting the dynamic behavior of the undetected Android application on the terminal, generating an API call tree of the undetected Android application, and sending the API call tree to the server.
9. The Android application feature extraction method of claim 8, wherein extracting the dynamic behavior of the undetected Android application on the terminal and generating the API call tree of the undetected Android application comprises:
when the undetected Android application calls a system API of the terminal, recording the name, parameters and return value data of the called API, the system API of the terminal having been hooked;
forming an API call dependency sequence from the recorded API names, parameters and return value data;
and generating the API call tree of the undetected Android application from the API call dependency sequence.
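The terminal-side procedure of claims 8 and 9, written out in Python as an added example that is not the patent's own code. Real hooking happens on the device (for instance with an Xposed module or a Frida script); here the records a hooked system API would log are constructed inline. Two things the claims do not specify are assumptions of this example: the application identifier is the SHA-256 of the APK bytes, and a call is taken to depend on the most recent earlier call whose return value it consumes as an argument, which is the rule that turns the log into the call dependency sequence and then into the tree.

```python
"""Terminal-side feature extraction (claims 8-9): hook records -> call dependency
sequence -> API call tree. Added example; records and rules are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple


@dataclass(frozen=True)
class HookRecord:
    """One entry a hooked system API logs: name, argument values, return value."""
    api: str
    args: Tuple[Any, ...]
    ret: Any  # None for void methods


def app_identifier(apk_bytes: bytes) -> str:
    """Application identifier sent to the server (claim 8). The claim does not
    fix the scheme; SHA-256 of the APK bytes is an assumption of this example."""
    return hashlib.sha256(apk_bytes).hexdigest()


# Constructed stand-in for what hooked system APIs would log, in call order.
# Return values are opaque handles ("url#1") where the real value is an object.
SAMPLE_RECORDS: List[HookRecord] = [
    HookRecord("android.telephony.TelephonyManager.getDeviceId", (), "IMEI-0001"),
    HookRecord("android.telephony.TelephonyManager.getLine1Number", (), "+10000"),
    HookRecord("android.util.Base64.encodeToString", ("IMEI-0001", 0), "SU1FSS0wMDAx"),
    HookRecord("java.net.URL.<init>", ("http://c2.invalid/up",), "url#1"),
    HookRecord("java.net.HttpURLConnection.getOutputStream", ("url#1",), "out#1"),
    HookRecord("java.io.OutputStream.write", ("out#1", "SU1FSS0wMDAx"), None),
    HookRecord("android.telephony.SmsManager.sendTextMessage", ("+20000", None, "+10000"), None),
]


def dependency_sequence(records: List[HookRecord]) -> List[Tuple[int, Optional[int]]]:
    """Call dependency sequence (claim 9): record i depends on the most recent
    earlier record whose return value appears among i's arguments (assumed
    rule); None means the call has no recorded data dependency."""
    seq: List[Tuple[int, Optional[int]]] = []
    for i, rec in enumerate(records):
        parent = None
        for j in range(i - 1, -1, -1):
            if records[j].ret is not None and records[j].ret in rec.args:
                parent = j
                break
        seq.append((i, parent))
    return seq


def build_call_tree(records: List[HookRecord]) -> dict:
    """API call tree: a synthetic root stands for the application; every record
    becomes a node under the record it depends on, or under the root."""
    nodes = [{"api": r.api, "children": []} for r in records]
    root = {"api": "<app>", "children": []}
    for i, parent in dependency_sequence(records):
        (root if parent is None else nodes[parent])["children"].append(nodes[i])
    return root


def tree_depth(node: dict) -> int:
    """Number of levels from this node down to its deepest leaf."""
    return 1 + max((tree_depth(c) for c in node["children"]), default=0)


def serialize_for_server(tree: dict) -> str:
    """Wire form of the tree sent to the server (JSON is an assumption)."""
    return json.dumps(tree, separators=(",", ":"))


if __name__ == "__main__":
    tree = build_call_tree(SAMPLE_RECORDS)
    print("app id:", app_identifier(b"constructed apk bytes"))
    print(json.dumps(tree, indent=2))
```

With the constructed records, `java.io.OutputStream.write` is attached to `getOutputStream` rather than to `Base64.encodeToString`, because both earlier calls produced one of its arguments and the rule picks the most recent. That choice is the kind of detail a real deployment has to fix, since it decides which root-to-leaf path a sensitive sink ends up on when the server later splits the tree.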
10. A server, characterized in that the server comprises:
an identifier receiving module, configured to receive application identifiers of Android applications to be detected sent by a plurality of terminals;
a detection identification module, configured to determine, according to the application identifiers, the Android applications that have not been detected;
and a malicious classification module, configured to receive an Application Programming Interface (API) call tree sent by the terminal corresponding to an Android application that has not been detected, and to analyze the API call tree using a preset malicious application feature library to obtain a malicious classification result for that Android application;
wherein the malicious application feature library stores the correspondence among malicious application category, matching parameter and application identifier.
11. The server according to claim 10, wherein the malicious classification module is specifically configured to:
traverse the API call tree by depth and divide it into a plurality of different subtrees;
match each subtree against the matching parameters corresponding to the different malicious application categories in the malicious application feature library, and determine the malicious application category matched by each subtree;
and determine the malicious classification result of the undetected Android application corresponding to the API call tree from the malicious application categories matched by the subtrees.
12. The server according to claim 11, wherein the subtrees are divided such that each path from the root node of the API call tree to a leaf node forms one subtree.
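The server side of claims 4 to 7 and 10 to 12 as one added Python example (not the patent's own code): a feature library indexed by family as claim 4 lays it out, the detected-application list that gates feature extraction (claims 5 to 7), the root-to-leaf split of claim 12, and the per-subtree matching of claim 11. The family names and feature sequences are constructed; the match rule (a sample's key-API sequence must appear in order along the path) and the majority vote that turns per-subtree matches into one result are assumptions, since the claims fix only the data layout and the split. The tree is the JSON shape a terminal would send, built inline here.

```python
"""Server side (claims 4-7, 10-12): feature library, detected-application list,
root-to-leaf subtree split, subtree matching and aggregation. Added example."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed feature-library input: family -> sample app id -> key-API sequence.
# A real library is produced by dynamic analysis of labelled malware samples.
SAMPLE_FAMILIES: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "SmsStealer": {
        "sample-a1": ("android.telephony.TelephonyManager.getLine1Number",
                      "android.telephony.SmsManager.sendTextMessage"),
    },
    "InfoLeak": {
        "sample-b1": ("java.net.URL.<init>",
                      "java.net.HttpURLConnection.getOutputStream",
                      "java.io.OutputStream.write"),
    },
}


def _path(*apis: str) -> dict:
    """Helper to build a single chain of nodes for the constructed tree."""
    node: dict = {"api": apis[-1], "children": []}
    for api in reversed(apis[:-1]):
        node = {"api": api, "children": [node]}
    return node


# Constructed API call tree as a terminal would send it (two uploads, one SMS).
SAMPLE_TREE = {"api": "<app>", "children": [
    _path("android.telephony.TelephonyManager.getDeviceId", "android.util.Base64.encodeToString"),
    _path("android.telephony.TelephonyManager.getLine1Number", "android.telephony.SmsManager.sendTextMessage"),
    _path("java.net.URL.<init>", "java.net.HttpURLConnection.getOutputStream", "java.io.OutputStream.write"),
    _path("java.net.URL.<init>", "java.net.HttpURLConnection.getOutputStream", "java.io.OutputStream.write"),
]}


class FeatureLibrary:
    """Claim 4 layout: indexed by family, each family holding app id -> matching
    parameter; claim 5 adds the detected-application list."""

    def __init__(self, families: Dict[str, Dict[str, Tuple[str, ...]]]):
        self.by_family = {fam: dict(samples) for fam, samples in families.items()}
        self.detected: Dict[str, Optional[str]] = {}  # app id -> stored result


def split_subtrees(tree: dict) -> List[Tuple[str, ...]]:
    """Claim 12: depth-first traversal, one subtree per root-to-leaf path."""
    paths: List[Tuple[str, ...]] = []
    stack = [(tree, (tree["api"],))]
    while stack:
        node, path = stack.pop()
        if not node["children"]:
            paths.append(path)
        for child in reversed(node["children"]):  # pop order keeps left-to-right
            stack.append((child, path + (child["api"],)))
    return paths


def is_ordered_subsequence(needle: Tuple[str, ...], hay: Tuple[str, ...]) -> bool:
    """True if every API in needle occurs in hay in the same order (gaps allowed)."""
    it = iter(hay)
    return all(api in it for api in needle)


def match_subtree(path: Tuple[str, ...], library: FeatureLibrary) -> List[str]:
    """Claim 11: families whose matching parameters fit this subtree (sorted)."""
    return sorted(fam for fam, samples in library.by_family.items()
                  if any(is_ordered_subsequence(seq, path) for seq in samples.values()))


def classify(tree: dict, library: FeatureLibrary) -> Tuple[Optional[str], Counter]:
    """Aggregate per-subtree matches into one result by majority vote (assumed;
    ties broken by family name). None means no family matched any subtree."""
    votes: Counter = Counter()
    for path in split_subtrees(tree):
        votes.update(match_subtree(path, library))
    if not votes:
        return None, votes
    best = min(votes.items(), key=lambda kv: (-kv[1], kv[0]))[0]
    return best, votes


def server_handle(library: FeatureLibrary, app_id: str,
                  fetch_tree: Callable[[], dict]) -> Tuple[Optional[str], bool]:
    """Claims 6-7 / 15-16: skip an app already in the detected-application list;
    otherwise request its call tree (fetch_tree stands in for the feature-extraction
    instruction round trip), classify it and record the result. The bool reports
    whether extraction was actually requested."""
    if app_id in library.detected:
        return library.detected[app_id], False
    family, _ = classify(fetch_tree(), library)
    library.detected[app_id] = family
    return family, True


if __name__ == "__main__":
    lib = FeatureLibrary(SAMPLE_FAMILIES)
    for p in split_subtrees(SAMPLE_TREE):
        print(" -> ".join(p), "=>", match_subtree(p, lib) or "-")
    print(server_handle(lib, "app-1", lambda: SAMPLE_TREE))
    print(server_handle(lib, "app-1", lambda: SAMPLE_TREE))  # served from the list
```

Two practical points follow from the split rule. A feature sequence only matches if all its APIs lie on one root-to-leaf path, so a family whose key calls have no data dependency between them (on the terminal's dependency rule) will never match and needs either a different tree construction or sequence-level matching across paths. And the detected-application list is keyed purely on the identifier the terminal generates, so a repackaged sample with a different identifier is extracted and classified again, while any collision in that identifier would silently reuse another app's result.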
13. The server of claim 10, further comprising a feature library pre-construction module, configured to:
determine an application identifier and a malicious application category for each of a plurality of Android malicious application samples;
dynamically analyze the plurality of Android malicious application samples, extract the key APIs called by each Android malicious application sample and the order in which they are called, and form an API feature sequence of each sample as the matching parameter corresponding to that sample;
and store the application identifier and the matching parameter of each Android malicious application sample in a database in correspondence with each other, indexed by malicious application category, to form the malicious application feature library.
14. The server of claim 13, wherein the feature library pre-construction module further comprises a detected-list setting unit, configured to:
set a detected-application list in the malicious application feature library, the detected-application list storing the application identifiers of Android applications that have already been detected.
15. The server according to claim 14, wherein the detection identification module is specifically configured to:
query the detected-application list of the malicious application feature library for the application identifier of the Android application to be detected sent by each terminal;
and if the identifier is not found, determine that the Android application has not been detected and send a feature extraction instruction to the corresponding terminal.
16. The server according to claim 14, further comprising a list update module, configured to:
update the detected-application list after the malicious classification result of the Android application that has not been detected is obtained.
17. A terminal, characterized in that the terminal comprises:
an identifier generation module, configured to generate an application identifier of the Android application to be detected and to send the application identifier to the server;
and a call tree generation module, configured to, on receiving a feature extraction instruction from the server, extract the dynamic behavior of the undetected Android application on the terminal, generate the API call tree of the undetected Android application, and send the API call tree to the server.
18. The terminal of claim 17, wherein the call tree generation module is specifically configured to:
when the undetected Android application calls a system API of the terminal, record the name, parameters and return value data of the called API, the system API of the terminal having been hooked;
form an API call dependency sequence from the recorded API names, parameters and return value data;
and generate the API call tree of the undetected Android application from the API call dependency sequence.
19. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the method of any one of claims 1 to 9.
20. A computer-readable storage medium, characterized in that it stores a computer program for executing the method of any one of claims 1 to 9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110953987.9A CN113656801B (en) 2021-08-19 2021-08-19 Android malicious application family classification method, server and terminal

Publications (2)

Publication Number Publication Date
CN113656801A true CN113656801A (en) 2021-11-16
CN113656801B CN113656801B (en) 2023-06-09

Family

ID=78481292

Country Status (1)

Country Link
CN (1) CN113656801B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103248649A (en) * 2012-02-09 2013-08-14 宇龙计算机通信科技(深圳)有限公司 Sort management method, equipment and system of applications
CN105184160A (en) * 2015-07-24 2015-12-23 哈尔滨工程大学 API object calling relation graph based method for detecting malicious behavior of application program in Android mobile phone platform
CN105893848A (en) * 2016-04-27 2016-08-24 南京邮电大学 Precaution method for Android malicious application program based on code behavior similarity matching
WO2018107953A1 (en) * 2016-12-12 2018-06-21 惠州Tcl移动通信有限公司 Smart terminal, and automatic application sorting method thereof
CN109829302A (en) * 2018-12-28 2019-05-31 中国科学院信息工程研究所 Android malicious application family classification method, apparatus and electronic equipment

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant