CN116821904A - Mobile malicious program monitoring system based on big data - Google Patents

Mobile malicious program monitoring system based on big data

Publication number: CN116821904A
Application number: CN202310622419.XA
Authority: CN (China)
Prior art keywords: malicious, analysis, dynamic, analysis module, static
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 肖波, 黄永军, 刘如君, 郭喜春
Current assignee: Beijing Dongfang Tongwangxin Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Dongfang Tongwangxin Technology Co ltd
Application filed by Beijing Dongfang Tongwangxin Technology Co ltd; priority to CN202310622419.XA (the priority date is an assumption and is not a legal conclusion); published as CN116821904A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application provides a mobile malicious program monitoring system based on big data, comprising: a traffic acquisition and analysis module, which acquires, parses, restores and backfills the traffic of the mobile terminal's signaling-plane interfaces S6a and N11 and user-plane interfaces S1-U and N3; a dynamic and static analysis module, which adjudicates the output of the traffic acquisition and analysis module by static feature comparison or dynamic sandbox detection, thereby detecting malicious samples and identifying malicious programs; a disposal function module, which performs bypass interception or redirection blocking and disposal on the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module; and a statistical analysis module, which analyzes user behavior from access logs, achieves network-wide situation awareness of malicious programs through multidimensional statistics and report analysis, and visually presents the virus infection situation. The application can discover malicious software and malicious behavior in the network in a timely manner and block it with bypass blocking technology, thereby achieving security monitoring and disposal for the mobile Internet.

Description

Mobile malicious program monitoring system based on big data
Technical Field
The application relates to the technical field of big data, and in particular to a mobile malicious program monitoring system based on big data.
Background
With the growing capabilities of mobile intelligent terminals such as smartphones, both the number of applications for these terminals and the number of their users have increased rapidly. With this growth, the number of applications exhibiting malicious behavior has also increased, and these applications are not well controlled. Their main malicious behaviors are: unauthorized fee deduction or consumption of the user's data plan, theft of user privacy data, downloading software from the network without prompting the user, and mass propagation of malicious software. How to protect against these malicious programs has become a challenge.
A mobile Internet malicious program monitoring system can effectively protect users from the harm of mobile phone malware and is of great significance for improving network security. At present, existing mobile Internet malicious program monitoring systems must be deployed inside the corresponding telecommunications operator under the communications regulator, and the coverage of the monitoring system is verified by primitive inspection means such as manual dial testing, which easily causes serious waste of labor cost.
Disclosure of Invention
In view of the above, the present application aims to provide a mobile malicious program monitoring system based on big data that addresses the existing problems in a targeted manner.
Based on the above purpose, the present application provides a mobile malicious program monitoring system based on big data, comprising:
a traffic acquisition and analysis module, which acquires, parses, restores and backfills the traffic of the mobile terminal's signaling-plane interfaces S6a and N11 and user-plane interfaces S1-U and N3;
a dynamic and static analysis module, which adjudicates the analysis result of the traffic acquisition and analysis module by static feature comparison or dynamic sandbox detection, thereby detecting malicious samples and obtaining malicious programs;
a disposal function module, which performs bypass interception or redirection blocking and disposal on the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module;
and a statistical analysis module, which analyzes user behavior from access logs, achieves network-wide situation awareness of malicious programs through multidimensional statistics and report analysis, and visually presents the virus infection situation.
Further, the traffic acquisition and analysis module performs the following steps:
acquiring and parsing mirrored traffic from the mobile terminal's signaling-plane interfaces S6a and N11 and user-plane interfaces S1-U and N3, decoding the mirrored data and backfilling data indexes to obtain the data required for association analysis;
performing service detail record combination association analysis and service end-to-end association analysis on the parsed data, and displaying the results of the association analysis;
and sending the results of the service detail record combination association analysis and the service end-to-end association analysis of the parsed data to the dynamic and static analysis module as the analysis result.
Further, the service detail record combination association analysis restores a service process by correlating the front-end data generated during a service transaction; the service end-to-end association analysis restores the IT path of a request between endpoints by correlating the data related to the end-to-end request generated during the service transaction.
Further, the static feature comparison comprises the following steps:
decompressing the compressed package file in the analysis result, extracting the program's global configuration file and the executable file it contains, and decompiling the global configuration file and the executable file to obtain decompiled files;
parsing the decompiled files to obtain the static features of the analysis result;
screening the static features with a frequency-based fitness function, comparing the screened features with a preset sensitive feature database, retaining the feature set that has discriminating power for malicious programs, and generating a feature matrix from these static features;
and feeding the feature matrix into a trained machine learning classification model to decide whether the current analysis result is a malicious program.
Further, the dynamic sandbox detection comprises the following steps:
sending the analysis result to a dynamic sandbox detection environment;
the dynamic sandbox detection environment forming a corresponding lightweight virtual environment for each type of analysis result by emulating the CPU instruction set;
and, in the lightweight virtual environment, performing real-time instruction-level analysis on the analysis result and checking whether behavior features belonging to an attack threat are found; if so, the sample is a malicious program, otherwise it is not.
Further, the bypass interception comprises the following steps:
enabling the internal firewall's interception protection, managing the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module in a unidirectional access control mode, and recording these links, downloads and malicious behaviors in logs; or alternatively,
intercepting the malicious program detected by the dynamic and static analysis module and blocking its URL;
blocking the download port of the malicious program;
and blocking the TCP communication messages of the malicious program.
Further, the redirection blocking comprises the following steps:
performing signature verification on receiving a load request for a malicious program detected by the dynamic and static analysis module;
verifying the program's signature with the key held by the disposal function module; if the signature verifies, the program is allowed to load; if the signature fails verification, loading or access is refused;
or parsing the links of known malicious programs to construct a disposal policy; parsing the data messages of the malicious program detected by the dynamic and static analysis module to obtain a message parsing result; and matching the message parsing result against the disposal policy, blocking the malicious program when the match succeeds.
Further, the statistical analysis module comprises the following units:
a log unit, which actively collects or passively receives log data from the disposal function module and normalizes it;
an association analysis unit, which analyzes in real time the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module, matches association rules, and generates multidimensional statistics and analysis reports;
and a situation awareness unit, which uses visualization technology to display the data processed by the traffic acquisition and analysis module, the dynamic and static analysis module and the disposal function module for inspection by the user.
Overall, the advantages of the application and the experience it brings to the user are as follows:
the mobile malicious program monitoring system based on big data acquires, parses, correlates and backfills in real time the traffic of the egress user plane and signaling plane of the 2G/3G/4G/5G core network and restores the files transmitted in the network; through feature library matching, static and dynamic detection, comprehensive adjudication, a threat intelligence library and situation awareness it discovers malicious software and malicious behaviors in the network in a timely manner, and it blocks them with bypass blocking technology, achieving security monitoring and disposal for the mobile Internet.
Drawings
In the drawings, the same reference numerals refer to the same or similar parts or elements throughout the several views unless otherwise specified. The figures are not necessarily drawn to scale. It is appreciated that these drawings depict only some embodiments according to the disclosure and are not therefore to be considered limiting of its scope.
Fig. 1 shows a block diagram of the big data based mobile malicious program monitoring system according to an embodiment of the present application.
Fig. 2 shows a schematic diagram of a specific implementation of the traffic acquisition and analysis module.
Fig. 3 is a schematic diagram of a specific implementation of the dynamic and static analysis module by static feature comparison according to an embodiment of the present application.
Fig. 4 illustrates a schematic diagram of one specific implementation of bypass interception according to an embodiment of the present application.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 6 is a schematic diagram of a storage medium according to an embodiment of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are merely illustrative of the application and do not limit it. Note that, for convenience of description, only the parts related to the present application are shown in the drawings.
Note that, where there is no conflict, the embodiments of the present application and the features of the embodiments may be combined with each other. The application is described in detail below with reference to the drawings in connection with the embodiments.
As shown in fig. 1, the big data based mobile malicious program monitoring system of the present application comprises an analysis and disposal device, a management platform, an adjudication platform and a log analysis system, all of which are hardware-based. The management platform is the core and is connected to the analysis and disposal device, the adjudication platform and the log analysis system respectively. The analysis and disposal device detects known malware and receives and executes disposal policies. The management platform performs database management, overall policy issuance, blocking instruction issuance and the like. The adjudication platform adjudicates samples with dynamic and static analysis tools. The log analysis system analyzes user behavior from access logs to identify virus and malware infections.
Correspondingly, an embodiment of the application provides a mobile malicious program monitoring system based on big data, comprising:
a traffic acquisition and analysis module, which acquires, parses, restores and backfills the traffic of the mobile terminal's signaling-plane interfaces S6a and N11 and user-plane interfaces S1-U and N3;
a dynamic and static analysis module, which adjudicates the analysis result of the traffic acquisition and analysis module by static feature comparison or dynamic sandbox detection, thereby detecting malicious samples and obtaining malicious programs;
a disposal function module, which performs bypass interception or redirection blocking and disposal on the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module;
and a statistical analysis module, which analyzes user behavior from access logs, achieves network-wide situation awareness of malicious programs through multidimensional statistics and report analysis, and visually presents the virus infection situation.
The specific implementation and technical details of each module are described below.
The traffic acquisition and analysis module, as shown in fig. 2, performs the following steps:
S1, acquiring and parsing mirrored traffic from the mobile terminal's signaling-plane interfaces S6a and N11 and user-plane interfaces S1-U and N3, decoding the mirrored data and backfilling data indexes to obtain the data required for association analysis;
S2, performing association analysis on the parsed data and displaying the result. The association analysis comprises service detail record combination association analysis and service end-to-end association analysis of the parsed data: the former restores a service process by correlating the front-end data generated during a service transaction; the latter restores the IT path of a request between endpoints by correlating the data related to the end-to-end request generated during the service transaction;
S3, sending the results of the service detail record combination association analysis and the service end-to-end association analysis of the parsed data to the dynamic and static analysis module as the analysis result.
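As an added Python example (not code from the patent or its assignee), the sketch below shows the association step S1 to S3 on constructed records: session records derived from N11/S6a signaling (subscriber identity, UE IP, tunnel id, validity window) are indexed, each mirrored S1-U/N3 user-plane flow is backfilled with the subscriber it belongs to, and the enriched flows are combined into service detail records. The record layouts, field names and all values are assumptions made for the example; a real deployment would first decode Diameter (S6a), HTTP/2 SBI (N11) and GTP-U (S1-U/N3). The check on both the time window and the tunnel id is the part worth noting: a UE IP address is reused after a session is released, so matching on IP alone would attribute later flows to the wrong subscriber.

```python
"""Association of mirrored signaling-plane and user-plane records (example).

Hypothetical record layouts: the fields below stand in for what a Diameter
(S6a), HTTP/2 SBI (N11) and GTP-U (S1-U / N3) decoder would produce.
"""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass
class Session:
    """One PDU/PDN session as decoded from N11, with the subscriber identity
    confirmed from the S6a location update. Constructed for the example."""
    imsi: str
    ue_ip: str
    teid: int          # GTP-U tunnel endpoint id seen on S1-U / N3
    start: float
    end: float         # float('inf') while the session is still active
    cell: str


@dataclass
class UpFlow:
    """One restored user-plane transaction from a mirrored S1-U / N3 flow."""
    ts: float
    teid: int
    ue_ip: str
    server_ip: str
    url: str
    sha256: str        # hash of the file restored from the flow, "" if none


# Constructed sample data: subscriber B is assigned the same UE IP after
# subscriber A's session is released at t=400.
SESSIONS = [
    Session("460001234567890", "10.0.0.5", 0x1001, 100.0, 400.0, "cell-A"),
    Session("460009876543210", "10.0.0.5", 0x2002, 450.0, float("inf"), "cell-B"),
]
FLOWS = [
    UpFlow(120.0, 0x1001, "10.0.0.5", "203.0.113.7", "http://dl.example.test/app.apk", "ab" * 32),
    UpFlow(130.0, 0x1001, "10.0.0.5", "203.0.113.7", "http://dl.example.test/app.apk", "ab" * 32),
    UpFlow(420.0, 0x1001, "10.0.0.5", "198.51.100.9", "http://c2.example.test/beacon", ""),
    UpFlow(460.0, 0x2002, "10.0.0.5", "203.0.113.7", "http://dl.example.test/app.apk", "ab" * 32),
]


class SessionIndex:
    """Backfilled index: UE IP -> sessions sorted by start time."""

    def __init__(self, sessions):
        self.by_ip = {}
        for s in sorted(sessions, key=lambda s: s.start):
            self.by_ip.setdefault(s.ue_ip, []).append(s)

    def lookup(self, ue_ip, teid, ts):
        """Return the session that owned ue_ip at time ts, or None."""
        cands = self.by_ip.get(ue_ip, [])
        i = bisect_right([s.start for s in cands], ts) - 1
        if i < 0:
            return None
        s = cands[i]
        # Both the validity window and the tunnel id must agree: after a
        # session is released its IP is reused, so IP alone is not enough.
        return s if ts <= s.end and s.teid == teid else None


def associate(flows, sessions):
    """Backfill each user-plane flow with its subscriber; flows that match
    no live session are returned separately as orphans for review."""
    idx = SessionIndex(sessions)
    enriched, orphans = [], []
    for f in flows:
        s = idx.lookup(f.ue_ip, f.teid, f.ts)
        if s is None:
            orphans.append(f)
        else:
            enriched.append({"imsi": s.imsi, "cell": s.cell, "ts": f.ts,
                             "server": f.server_ip, "url": f.url, "sha256": f.sha256})
    return enriched, orphans


def service_detail_records(enriched):
    """Combine enriched flows into one record per (imsi, url): the service
    detail record passed on to the dynamic and static analysis module."""
    sdr = {}
    for e in enriched:
        r = sdr.setdefault((e["imsi"], e["url"]), {
            "imsi": e["imsi"], "url": e["url"], "server": e["server"],
            "sha256": e["sha256"], "cells": set(), "hits": 0,
            "first": e["ts"], "last": e["ts"]})
        r["hits"] += 1
        r["cells"].add(e["cell"])
        r["first"], r["last"] = min(r["first"], e["ts"]), max(r["last"], e["ts"])
    return list(sdr.values())


if __name__ == "__main__":
    enriched, orphans = associate(FLOWS, SESSIONS)
    for r in service_detail_records(enriched):
        print(r)
    print("orphans:", [(o.ts, o.url) for o in orphans])
```

The beacon at t=420 is deliberately left as an orphan rather than being attributed to the nearest subscriber: it reaches a known C2 host from an IP with no live session, which is exactly the kind of record that should be surfaced for manual review instead of silently joined.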
The dynamic and static analysis module adjudicates the analysis result of the traffic acquisition and analysis module by static feature comparison or dynamic sandbox detection, thereby detecting malicious samples and obtaining malicious programs. As shown in fig. 3, static feature comparison comprises the following steps:
S21, decompressing the compressed package file in the analysis result, extracting the program's global configuration file and the executable file it contains, and decompiling the global configuration file and the executable file to obtain decompiled files;
S22, parsing the decompiled files to obtain the static features of the analysis result, where the static features are extracted features that characterize the behavior and properties of the sample and comprise: permission features, hardware features, component features, intent features and function call features;
S23, screening the static features with a frequency-based fitness function, comparing the screened features with a preset sensitive feature database, retaining the feature set that has discriminating power for malicious programs, and generating a feature matrix from these static features;
S24, feeding the feature matrix into a trained machine learning classification model to decide whether the current analysis result is a malicious program.
The training process of the machine learning classification model is as follows: obtain a sample data set and split it into a training set, a test set and a validation set; train an RF (random forest), a GNB (Gaussian naive Bayes), an LR (logistic regression) and a KNN (k-nearest neighbors) classifier on the training set; in the model evaluation stage, tune the parameters of each classifier and check its performance on the test set; compute the ambiguity of each classifier's output vector and construct the machine learning classification model by optimizing on the test set so that the ambiguity falls below a preset threshold, minimizing the error objective; and verify the classification performance of the machine learning classification model on malicious programs with the validation set.
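The static comparison pipeline S21 to S24, written out as an added Python example that is not the patent's code. Real APK manifests are binary AXML and executables are DEX; this example assumes both have already been decompiled to text (as apktool or a similar tool produces) and packs them into an in-memory zip so the whole pipeline runs offline. The sensitive feature database, the sample corpus and the classifier (a Laplace-smoothed Bernoulli naive Bayes standing in for the RF/GNB/LR/KNN models the text trains) are all constructed for the example. The part to notice is the frequency-based fitness step: a feature such as INTERNET that appears in every sample, benign or malicious, has zero discriminating power and is dropped before the matrix is built, even though it is in the sensitive database.

```python
"""Static feature comparison for an Android package (added example; the
manifest is assumed already decoded to text XML, the executable to a text
list of invoked methods; database, corpus and classifier are constructed)."""
import io, math, re, zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
SMS_CALL = "Landroid/telephony/SmsManager;->sendTextMessage"
LOADER_CALL = "Ldalvik/system/DexClassLoader;-><init>"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS, NET, BOOT, CONTACTS = (f"android.permission.{p}" for p in
                            ("SEND_SMS", "INTERNET", "RECEIVE_BOOT_COMPLETED", "READ_CONTACTS"))
# Preset sensitive feature database (constructed).
SENSITIVE_DB = {f"perm:{SMS}", f"perm:{NET}", f"perm:{BOOT}", f"perm:{CONTACTS}",
                f"intent:{BOOT_ACTION}", "comp:receiver", "hw:android.hardware.telephony",
                f"call:{SMS_CALL}", f"call:{LOADER_CALL}"}


def manifest(perms, actions=(), receiver=False):
    """Decoded AndroidManifest.xml for a constructed sample."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    if receiver:
        body += ('<application><receiver android:name=".Boot"><intent-filter>'
                 + "".join(f'<action android:name="{a}"/>' for a in actions)
                 + "</intent-filter></receiver></application>")
    return f'<manifest xmlns:android="{NS}">{body}</manifest>'


def package(manifest_xml, calls):
    # S21 input: an APK-like zip with the manifest and a text stand-in for classes.dex.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_xml)
        z.writestr("classes.dex", "\n".join(calls))
    return buf.getvalue()


def extract_features(apk):
    """S21-S22: unpack and parse; emit permission, hardware, component,
    intent and function-call features as strings."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        root = ET.fromstring(z.read("AndroidManifest.xml"))
        calls = z.read("classes.dex").decode()
    feats = set()
    for el in root.iter():
        name = el.get(f"{{{NS}}}name")
        if el.tag == "uses-permission":
            feats.add(f"perm:{name}")
        elif el.tag == "uses-feature":
            feats.add(f"hw:{name}")
        elif el.tag in ("activity", "service", "receiver", "provider"):
            feats.add(f"comp:{el.tag}")
        elif el.tag == "action":
            feats.add(f"intent:{name}")
    feats.update(f"call:{m}" for m in re.findall(r"L[\w/$]+;->[\w<>]+", calls))
    return feats


def screen_features(samples, min_fitness=0.3):
    """S23: fitness = |P(f|malicious) - P(f|benign)|; keep features that
    discriminate and are also in the sensitive feature database."""
    mal = [s for s, y in samples if y]
    ben = [s for s, y in samples if not y]
    kept = []
    for f in sorted(set().union(*(s for s, _ in samples))):
        fitness = abs(sum(f in s for s in mal) / len(mal) - sum(f in s for s in ben) / len(ben))
        if fitness >= min_fitness and f in SENSITIVE_DB:
            kept.append(f)
    return kept


def feature_matrix(feature_sets, kept):
    return [[int(f in s) for f in kept] for s in feature_sets]


class BernoulliNB:
    """Laplace-smoothed naive Bayes on the binary matrix (S24 stand-in for
    the RF/GNB/LR/KNN models the text trains)."""

    def fit(self, X, y):
        self.prior = [math.log((y.count(c) + 1) / (len(y) + 2)) for c in (0, 1)]
        self.cond = [[(sum(x[j] for x, yy in zip(X, y) if yy == c) + 1) / (y.count(c) + 2)
                      for j in range(len(X[0]))] for c in (0, 1)]
        return self

    def predict(self, x):
        score = [self.prior[c] + sum(math.log(p if v else 1 - p) for v, p in zip(x, self.cond[c]))
                 for c in (0, 1)]
        return int(score[1] > score[0])


# Constructed labelled corpus: (apk bytes, 1 = malicious, 0 = benign).
CORPUS = [
    (package(manifest([SMS, NET, BOOT], [BOOT_ACTION], True), [SMS_CALL]), 1),
    (package(manifest([SMS, CONTACTS, NET], [BOOT_ACTION], True), [SMS_CALL, LOADER_CALL]), 1),
    (package(manifest([NET, "android.permission.ACCESS_NETWORK_STATE"]), ["Ljava/net/URL;->openConnection"]), 0),
    (package(manifest([NET, "android.permission.CAMERA"]), ["Landroid/hardware/Camera;->open"]), 0),
]


def train(corpus):
    """S21-S23 over the corpus, then fit; returns (kept features, model)."""
    samples = [(extract_features(a), y) for a, y in corpus]
    kept = screen_features(samples)
    return kept, BernoulliNB().fit(feature_matrix([s for s, _ in samples], kept), [y for _, y in samples])


def classify(apk, kept, model):
    """S24: 1 = malicious, 0 = benign."""
    return model.predict(feature_matrix([extract_features(apk)], kept)[0])
```

With this corpus `train(CORPUS)` keeps seven features (SEND_SMS, the boot receiver and its intent, the SmsManager and DexClassLoader calls, READ_CONTACTS and RECEIVE_BOOT_COMPLETED) and drops INTERNET; a new sample that requests SEND_SMS, registers a boot receiver and calls sendTextMessage is then classified as malicious, while a sample that only opens a URL is not. A four-sample corpus is obviously far too small for a real deployment; the structure, not the numbers, is what the example shows.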
Dynamic sandbox detection, also called virtual execution detection, establishes several different application environments with virtual machine technology and observes the behavior of programs inside them to determine whether an attack is present. This approach detects both known and unknown threats and, because it analyzes the program's actual behavior in a realistic application environment, achieves a very low false positive rate together with a high detection rate. In the application, the dynamic and static analysis module performs dynamic sandbox detection in the following steps:
Step 1, send the analysis result to the dynamic sandbox detection environment;
Step 2, the dynamic sandbox detection environment forms a corresponding lightweight virtual environment for each type of analysis result by emulating the CPU instruction set;
APT attacks deliver malicious code to intranet terminals through phishing e-mails, enticing websites and the like, and TAC supports the typical Internet transport protocols such as HTTP, POP3, SMTP, IMAP and SMB. Because a device's built-in virtual environment has limited reach and cannot run some files, the TAC built-in dynamic detection engine forms different lightweight virtual environments by emulating a CPU instruction set to overcome this. Further, since many APT security incidents start from end users with weak defenses, TAC supports several terminal operating systems as virtual machines, such as Windows XP, Windows 7 and Android. In the application, several virtual machines run on one machine, and the parallel virtual machines are used to speed up detection tasks, giving a scalable platform that handles real-world high-speed network traffic and performs threat monitoring in a timely and effective manner. The detection policy for threat analysis is executed by a virtual machine hypervisor that supports a large number of parallel execution environments, i.e. virtual machines comprising a combination of operating system, update packages and applications. Each virtual machine uses its contained environment to identify malware and its key behavioral characteristics. This design achieves parallel processing of multiple concurrent flows across multiple virtual execution environments, improving both throughput and detection rate.
Step 3, in the lightweight virtual environment, perform real-time instruction-level analysis on the analysis result and check whether behavior features belonging to an attack threat are found; if so, the sample is a malicious program, otherwise it is judged not to be.
The dynamic sandbox detection process has instruction-level code analysis capability and can track and analyze both instruction features and behavior features. Instruction features include the conditions under which code executes on the stack and heap; abnormal changes of memory regions during instruction execution reveal exploit behavior such as the various overflow attacks and can expose 0-day vulnerabilities. The detection process simultaneously tracks the following behavior features: process creation, suspension and injection; services and drivers; registry access and modification; file access, modification and download; program port listening; network access behavior, and so on. Attack-threat behavior features are identified by comprehensive analysis of these behavior features, and malware such as 0-day Trojans is thereby discovered.
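An added Python example (not code from the patent or from the TAC product) of the behavior-feature side of step 3: a constructed sandbox trace containing the event kinds the text lists (process create, suspend and inject; service and driver install; registry writes; file access and download; port listening; network access; plus an instruction-level memory event) is replayed through a small set of rules, and the verdict is malicious only when an attack-threat behavior pattern is matched, not on any single event. The event schema, the rules and both sample traces are assumptions made for the example; real sandboxes emit their own schemas.

```python
"""Rule-based analysis of a sandbox behavior trace (added example).

The JSON-lines event schema and the rules are assumptions for illustration.
"""
import json

# Constructed trace: a dropper fetches and runs a second stage, which spawns
# a suspended svchost, injects into it and resumes it; the injected process
# adds a Run key, opens a listening port and executes code from the stack.
MALICIOUS_TRACE = "\n".join(json.dumps(e) for e in [
    {"t": 1, "ev": "process_create", "pid": 100, "image": "C:\\Users\\u\\invoice.exe"},
    {"t": 2, "ev": "file_download", "pid": 100, "url": "http://dl.example.test/upd.exe",
     "path": "C:\\Users\\u\\AppData\\upd.exe"},
    {"t": 3, "ev": "process_create", "pid": 102, "parent": 100, "image": "C:\\Users\\u\\AppData\\upd.exe"},
    {"t": 4, "ev": "process_create", "pid": 101, "parent": 102, "suspended": True,
     "image": "C:\\Windows\\System32\\svchost.exe"},
    {"t": 5, "ev": "process_inject", "pid": 102, "target": 101, "bytes": 4096},
    {"t": 6, "ev": "process_resume", "pid": 102, "target": 101},
    {"t": 7, "ev": "registry_write", "pid": 101,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"t": 8, "ev": "port_listen", "pid": 101, "port": 4444},
    {"t": 9, "ev": "net_connect", "pid": 101, "dst": "198.51.100.9:443"},
    {"t": 10, "ev": "mem_exec", "pid": 101, "region": "stack"},
])

# Constructed trace of an ordinary updater: reads config, talks to a server.
BENIGN_TRACE = "\n".join(json.dumps(e) for e in [
    {"t": 1, "ev": "process_create", "pid": 200, "image": "C:\\Program Files\\App\\app.exe"},
    {"t": 2, "ev": "file_read", "pid": 200, "path": "C:\\Program Files\\App\\config.ini"},
    {"t": 3, "ev": "net_connect", "pid": 200, "dst": "203.0.113.20:443"},
    {"t": 4, "ev": "registry_read", "pid": 200, "key": "HKCU\\Software\\App\\Version"},
])


def parse_trace(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_process_injection(events):
    """Create suspended -> inject into it -> resume it, all by the same actor."""
    suspended = {e["pid"]: e["parent"] for e in events
                 if e["ev"] == "process_create" and e.get("suspended")}
    injected = {(e["pid"], e["target"]) for e in events if e["ev"] == "process_inject"}
    for e in events:
        if (e["ev"] == "process_resume" and (e["pid"], e["target"]) in injected
                and suspended.get(e["target"]) == e["pid"]):
            return f"pid {e['pid']} injected into suspended pid {e['target']} and resumed it"
    return None


def rule_persistence(events):
    for e in events:
        if e["ev"] == "registry_write" and "\\currentversion\\run" in e["key"].lower():
            return "autorun registry key written: " + e["key"]
        if e["ev"] in ("service_install", "driver_load"):
            return f"{e['ev']} by pid {e['pid']}"
    return None


def rule_download_execute(events):
    downloaded = {e["path"].lower() for e in events if e["ev"] == "file_download"}
    for e in events:
        if e["ev"] == "process_create" and e["image"].lower() in downloaded:
            return "downloaded file executed: " + e["image"]
    return None


def rule_backdoor_listener(events):
    for e in events:
        if e["ev"] == "port_listen":
            return f"pid {e['pid']} listens on port {e['port']}"
    return None


def rule_memory_exploit(events):
    """Instruction-level signal: code executed from the stack or heap."""
    for e in events:
        if e["ev"] == "mem_exec" and e.get("region") in ("stack", "heap"):
            return f"pid {e['pid']} executed code from the {e['region']}"
    return None


RULES = {
    "process_injection": rule_process_injection,
    "persistence": rule_persistence,
    "download_execute": rule_download_execute,
    "backdoor_listener": rule_backdoor_listener,
    "memory_exploit": rule_memory_exploit,
}


def analyze(trace_text):
    """Return (is_malicious, {rule: evidence}) for one sandbox trace."""
    events = sorted(parse_trace(trace_text), key=lambda e: e["t"])
    hits = {}
    for name, rule in RULES.items():
        evidence = rule(events)
        if evidence:
            hits[name] = evidence
    return bool(hits), hits
```

The injection rule deliberately requires the ordered triple (suspended create, inject, resume) by the same actor; a lone `process_inject` event is common in legitimate software (debuggers, accessibility tools) and would generate noise, which is the kind of false positive the text's low false-positive claim depends on avoiding. The benign updater trace connects to the network and reads the registry and produces no hit.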
In the disposal function module, as shown in fig. 4, the steps are as follows:
The bypass interception comprises the following steps:
enabling the internal firewall's interception protection, managing the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module in a unidirectional access control mode so that they cannot form an effective attack path, and recording these links, downloads and malicious behaviors in logs; or alternatively, as shown in fig. 4:
S31, intercepting the malicious program detected by the dynamic and static analysis module and blocking its URL;
S32, blocking the download port of the malicious program;
S33, blocking the TCP communication messages of the malicious program.
The redirection blocking comprises the following steps:
performing signature verification on receiving a load request for a malicious program detected by the dynamic and static analysis module;
verifying the program's signature with the key held by the disposal function module; if the signature verifies, the program is allowed to load; if the signature fails verification, loading or access is refused. Note that a valid signature only proves that the program was signed by a key the disposal function module trusts; it does not prove the program is harmless, so in practice this allow decision is an explicit allowlist exception to the detection verdict and should be logged as such.
Or parsing the links of known malicious programs to construct a disposal policy; parsing the data messages of the malicious program detected by the dynamic and static analysis module to obtain a message parsing result; and matching the message parsing result against the disposal policy, blocking the malicious program when the match succeeds.
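The link-based branch of the redirection blocking together with the URL, download-port and TCP-message blocking of S31 to S33, as one added Python example that is not the patent's code: known malicious links are parsed into a disposal policy keyed by host and port, a constructed HTTP request captured from a mirrored flow is parsed, and a successful match yields the three blocking actions. In a bypass (mirror) deployment the device is not inline, so "blocking the TCP communication messages" in practice means injecting TCP RST segments toward both ends; the example only emits that as an action name. The policy entries, request bytes and action names are assumptions. The normalization step (lower-casing the host, applying default ports, percent-decoding the path) is what matters: without it a request for `/app%2Eapk` on `DL.EXAMPLE.TEST` slips past an exact-string match.

```python
"""Disposal policy from known malicious links, matched against HTTP
requests parsed from mirrored traffic (added example; data constructed)."""
from urllib.parse import unquote, urlsplit

# Constructed known-malicious links (threat intelligence / analysis output).
KNOWN_MALICIOUS_LINKS = [
    "http://dl.example.test/app.apk",
    "https://c2.example.test/",           # path "/" blocks the whole host:port
    "http://203.0.113.7:8080/upd.exe",
]


def build_policy(links):
    """{(host, port): set(paths)}, normalized so that host case, default
    ports and percent-encoding cannot defeat the match."""
    policy = {}
    for link in links:
        u = urlsplit(link.strip())
        port = u.port or (443 if u.scheme == "https" else 80)
        policy.setdefault((u.hostname.lower(), port), set()).add(unquote(u.path) or "/")
    return policy


def parse_http_request(payload):
    """Parse the request line and headers of an HTTP/1.x request; returns
    the normalized host, port and path the policy is keyed on."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    if "://" in target:                     # absolute-form target (proxy style)
        u = urlsplit(target)
        host, port, path = u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80), u.path
    else:
        host, _, p = headers.get("host", "").partition(":")
        host, port, path = host.lower(), int(p) if p else 80, target.split("?", 1)[0]
    return {"method": method, "host": host, "port": port, "path": unquote(path) or "/"}


def decide(policy, flow):
    """flow: {'src', 'dst_ip', 'dst_port', 'payload'} from the mirror port.
    Returns the (action, detail) pairs to hand to the blocking device."""
    req = parse_http_request(flow["payload"])
    paths = policy.get((req["host"], req["port"]))
    if not paths or (req["path"] not in paths and "/" not in paths):
        return []
    return [("block_url", f"{req['host']}:{req['port']}{req['path']}"),
            ("block_port", f"{flow['dst_ip']}:{flow['dst_port']}"),
            ("rst_tcp", f"{flow['src']} <-> {flow['dst_ip']}:{flow['dst_port']}")]


POLICY = build_policy(KNOWN_MALICIOUS_LINKS)

# Constructed mirrored flows.
EVASIVE_DOWNLOAD = {"src": "10.0.0.5:51234", "dst_ip": "203.0.113.7", "dst_port": 80,
                    "payload": b"GET /app%2Eapk HTTP/1.1\r\nHost: DL.EXAMPLE.TEST\r\nUser-Agent: x\r\n\r\n"}
C2_BEACON = {"src": "10.0.0.5:51300", "dst_ip": "198.51.100.9", "dst_port": 443,
             "payload": b"GET /beacon?id=7 HTTP/1.1\r\nHost: c2.example.test:443\r\n\r\n"}
PROXY_STYLE = {"src": "10.0.0.6:40001", "dst_ip": "203.0.113.7", "dst_port": 8080,
               "payload": b"GET http://203.0.113.7:8080/upd.exe HTTP/1.1\r\nHost: 203.0.113.7:8080\r\n\r\n"}
HARMLESS = {"src": "10.0.0.7:40002", "dst_ip": "203.0.113.7", "dst_port": 80,
            "payload": b"GET /index.html HTTP/1.1\r\nHost: dl.example.test\r\n\r\n"}

if __name__ == "__main__":
    for name, flow in [("evasive", EVASIVE_DOWNLOAD), ("c2", C2_BEACON),
                       ("proxy", PROXY_STYLE), ("harmless", HARMLESS)]:
        print(name, decide(POLICY, flow))
```

Two caveats a deployment has to live with: for TLS traffic only the SNI / Host is visible, so the policy can match at host:port granularity but never at path granularity; and the `HARMLESS` request to a different path on a host that has a path-specific entry is left alone on purpose, since blocking a whole CDN host because one path served a malicious APK is the classic over-blocking mistake.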
The statistical analysis module comprises the following units:
a log unit, which actively collects or passively receives log data from the disposal function module and normalizes it;
an association analysis unit, which analyzes in real time the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module, matches association rules, and generates multidimensional statistics and analysis reports;
and a situation awareness unit, which uses visualization technology to display the data processed by the traffic acquisition and analysis module, the dynamic and static analysis module and the disposal function module for inspection by the user.
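An added Python example (not the patent's code) of the log unit and the association analysis unit working together: disposal logs arriving in two constructed formats (a key=value firewall line from the bypass interception path and a JSON record from the redirection blocking path) are normalized into one schema, and the records are then rolled up along several dimensions. Both formats, the field names and the sample lines are assumptions. Counting distinct infected subscribers rather than raw hits is the point of the `infected_terminals` dimension: one compromised handset that beacons every minute would otherwise dominate the infection statistics that the situation awareness unit displays.

```python
"""Normalization of heterogeneous disposal logs and multidimensional
roll-up (added example; log formats and data are constructed)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed raw logs: key=value lines from the bypass interception path and
# JSON lines from the redirection blocking path, plus one unparseable line.
RAW_LOGS = """\
2024-05-01T08:01:10Z fw action=rst_tcp imsi=460001234567890 cell=cell-A family=SmsThief url=http://dl.example.test/app.apk
2024-05-01T08:03:42Z fw action=block_url imsi=460001234567890 cell=cell-A family=SmsThief url=http://c2.example.test/beacon
{"ts": "2024-05-01T09:15:00Z", "src": "redirect", "verdict": "blocked", "subscriber": "460009876543210", "cell": "cell-B", "family": "SmsThief", "link": "http://dl.example.test/app.apk"}
{"ts": "2024-05-01T09:16:30Z", "src": "redirect", "verdict": "blocked", "subscriber": "460005555555555", "cell": "cell-B", "family": "BankBot", "link": "http://bank-update.example.test/x.apk"}
2024-05-01T09:20:05Z fw action=rst_tcp imsi=460001234567890 cell=cell-A family=SmsThief url=http://c2.example.test/beacon
this line is not a recognized log format
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line onto the common schema, or None if unparseable."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            return {"ts": _ts(rec["ts"]), "source": rec["src"], "action": rec["verdict"],
                    "imsi": rec["subscriber"], "cell": rec["cell"],
                    "family": rec["family"], "url": rec["link"]}
        except (json.JSONDecodeError, KeyError, ValueError):
            return None
    parts = line.split()
    if len(parts) >= 3 and parts[1] == "fw":
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        try:
            return {"ts": _ts(parts[0]), "source": "firewall", "action": kv["action"],
                    "imsi": kv["imsi"], "cell": kv["cell"],
                    "family": kv["family"], "url": kv["url"]}
        except (KeyError, ValueError):
            return None
    return None


def normalize_all(text):
    """Returns (normalized records, number of lines dropped as unparseable)."""
    recs, dropped = [], 0
    for line in text.splitlines():
        r = normalize(line)
        if r is None:
            dropped += 1
        else:
            recs.append(r)
    return recs, dropped


def multidimensional_stats(recs):
    """Roll the normalized records up by family, cell, hour and action, and
    count distinct infected terminals per family rather than raw hits."""
    infected = defaultdict(set)
    for r in recs:
        infected[r["family"]].add(r["imsi"])
    return {
        "hits_by_family": Counter(r["family"] for r in recs),
        "hits_by_cell": Counter(r["cell"] for r in recs),
        "hits_by_hour": Counter(r["ts"].strftime("%Y-%m-%dT%H") for r in recs),
        "hits_by_action": Counter(r["action"] for r in recs),
        "infected_terminals": {f: len(s) for f, s in infected.items()},
    }


if __name__ == "__main__":
    recs, dropped = normalize_all(RAW_LOGS)
    print("dropped lines:", dropped)
    for dim, table in multidimensional_stats(recs).items():
        print(dim, dict(table))
```

On the sample above SmsThief accounts for four of five hits but only two infected terminals, because subscriber 460001234567890 was blocked three times; the dropped-line count is returned rather than silently swallowed so that a change in an upstream log format shows up as a monitoring gap instead of as a sudden drop in infections.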
Referring to fig. 5, a schematic diagram of an electronic device according to some embodiments of the present application is shown. As shown in fig. 5, the electronic device 20 comprises: a processor 200, a memory 201, a bus 202 and a communication interface 203, where the processor 200, the communication interface 203 and the memory 201 are connected through the bus 202; the memory 201 stores a computer program executable on the processor 200, and when the processor 200 executes the computer program it runs the big data based mobile malicious program monitoring system of any of the foregoing embodiments of the present application.
The memory 201 may comprise high-speed random access memory (RAM) and may further comprise non-volatile memory, such as at least one disk memory. The communication connection between this system's network element and at least one other network element is implemented through at least one communication interface 203 (wired or wireless), and the Internet, a wide area network, a local network, a metropolitan area network, etc. may be used.
The bus 202 may be an ISA bus, a PCI bus, an EISA bus or the like, and may be classified as an address bus, a data bus, a control bus, etc. The memory 201 is configured to store a program; the processor 200 executes the program after receiving an execution instruction, and the big data based mobile malicious program monitoring system disclosed in any of the foregoing embodiments of the present application may be applied to or implemented by the processor 200.
The processor 200 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated hardware logic circuits in the processor 200 or by instructions in software form. The processor 200 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly as execution by a hardware decoding processor, or as execution by a combination of hardware and software modules in a decoding processor. The software modules may reside in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, or other storage media well known in the art. The storage medium is located in the memory 201; the processor 200 reads the information in the memory 201 and, in combination with its hardware, performs the steps of the above method.
The electronic device provided by the embodiment of the present application and the big data based mobile malicious program monitoring system provided by the embodiment of the present application share the same inventive concept and have the same beneficial effects as the method adopted, run or implemented by them.
An embodiment of the present application further provides a computer readable storage medium corresponding to the big data based mobile malicious program monitoring system provided in the foregoing embodiments. Referring to fig. 6, the computer readable storage medium is shown as an optical disc 30 on which a computer program (i.e. a program product) is stored; when executed by a processor, the computer program runs the big data based mobile malicious program monitoring system provided in any of the foregoing embodiments.
It should be noted that examples of the computer readable storage medium also include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory, and other optical or magnetic storage media, which are not described in detail here.
The computer readable storage medium provided by the above embodiment of the present application shares the same inventive concept as the big data based mobile malicious program monitoring system provided by the embodiment of the present application, and therefore has the same beneficial effects as the method adopted, run or implemented by the application program stored on it.
It should be noted that:
the algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a construction of such a system is apparent from the description above. In addition, the present application is not directed to any particular programming language. It will be appreciated that the teachings of the present application described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present application.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the application, various features of the application are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting an intention that the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this application.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in a virtual machine creation system according to embodiments of the application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application can also be implemented as an apparatus or system program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the application, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order. These words may be interpreted as names.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that various changes and substitutions are possible within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A mobile malware monitoring system based on big data, comprising:
the flow acquisition and analysis module is used for acquiring, analyzing, restoring and backfilling the traffic of the signaling-plane interfaces S6a and N11 and the user-plane interfaces S1-U, N of the mobile terminal;
the dynamic and static analysis module is used for performing research and judgment analysis on the analysis result of the flow acquisition and analysis module through static feature comparison or dynamic sandbox detection, so as to realize malicious sample detection and obtain malicious programs;
the processing function module is used for realizing bypass interception or redirection blocking and processing on the link, downloading and malicious behaviors of the malicious program detected by the dynamic and static analysis module;
and the statistics analysis module is used for analyzing the user behaviors through access logs to realize situation awareness of the whole network malicious programs through multidimensional statistics and report analysis, and visually presenting virus infection conditions.
2. The system of claim 1, wherein
the flow acquisition and analysis module comprises the following steps:
acquiring and parsing the mirrored data of the signaling-plane interfaces S6a and N11 and the user-plane interfaces S1-U, N3 of the mobile terminal, decoding the acquired mirrored data and backfilling data indexes to obtain the data required for association analysis;
carrying out service detail combination association analysis on the analyzed data and carrying out service end-to-end association analysis on the analyzed data, and displaying the result of the association analysis;
and sending the results of the service detailed list combination association analysis and the service end-to-end association analysis of the analyzed data to a dynamic and static analysis module as analysis results.
3. The system of claim 2, wherein
the business detail list combination association analysis is used for restoring a business process by carrying out association analysis on head-end data generated in a business handling process; and the business end-to-end association analysis restores the IT path requested between the ends by carrying out association analysis on the related data of the end-to-end request generated in the business handling process.
4. The system of claim 3, wherein
the static characteristic comparison mode comprises the following steps of:
decompressing the compressed package file of the analysis result, extracting a program global configuration file and an executable file contained in the compressed package file, decompiling the program global configuration file and the executable file, and obtaining a decompiled file;
analyzing the decompiled file to obtain the static characteristics of the analysis result;
screening the static features with a frequency-based fitness function, comparing the screened features with a preset sensitive feature database, retaining the feature set that has discrimination capability for malicious programs, and generating a feature matrix from the static features;
and inputting the feature matrix into a trained machine learning classification model to judge, and judging whether the current analysis result is a malicious program or not.
5. The system of claim 3, wherein
the dynamic sandbox detection comprises the following steps:
the analysis result is sent to a dynamic sandbox detection environment;
the dynamic sandbox detection environment respectively forms corresponding lightweight virtual environments in a mode of simulating a CPU instruction set according to different types of the analysis result;
and in the lightweight virtual environment, carrying out real-time instruction-level analysis on the analysis result and judging whether behavior features belonging to attack threats are found; if so, the analysis result is judged to be a malicious program, and otherwise it is judged not to be a malicious program.
6. The system of claim 4 or 5, wherein
the bypass interception includes the steps of:
starting internal firewall interception protection, managing the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module in a unidirectional access control mode, and recording the links, downloads and malicious behaviors of the malicious programs detected by the dynamic and static analysis module in a log; or
intercepting a malicious program obtained by detection of the dynamic and static analysis module, and shielding the URL of the malicious program;
shielding a download port of the malicious program;
and shielding the TCP communication message of the malicious program.
7. The system of claim 4 or 5, wherein
the redirecting plugging comprises the following steps:
executing verification signature when receiving a loading request of the malicious program detected by the dynamic and static analysis module;
verifying the signature of the malicious program by using the key of the disposal function module; if the signature passes verification, allowing the malicious program to be loaded; if the signature fails verification, refusing to load or access the malicious program;
or resolving the links of the known malicious programs to construct a processing strategy; analyzing the data message of the malicious program detected by the dynamic and static analysis module to obtain a message analysis result; and matching the message analysis result with the processing strategy, and if the matching is successful, blocking the malicious program.
8. The system of claim 7, wherein
the statistical analysis module comprises the following units:
the log unit is used for actively collecting or passively receiving log data in the treatment function module and carrying out normalization treatment;
the association analysis unit is used for analyzing the links, downloading and malicious behaviors of the malicious programs detected by the dynamic and static analysis module in real time, matching association rules and generating a multidimensional statistics and analysis report;
and the situation sensing unit is used for visually displaying the data processed by the flow acquisition analysis module, the dynamic and static analysis module and the treatment function module by using a visualization technology, so that the data can be checked by a user.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor runs the computer program to implement the system of any one of claims 1-8.
10. A computer readable storage medium having stored thereon a computer program, wherein the program is executed by a processor to implement the system of any of claims 1-8.
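The static feature comparison of claim 4, worked through end to end as an added example (this is not the patent's code). It assumes a package is an in-memory zip whose manifest is plain text and whose "decompiled executable" is a plain-text stand-in (a real pipeline would run a dex decompiler there), that the sensitive feature database is the small constructed set below, and that a minimal Bernoulli naive Bayes trained on a constructed corpus stands in for the claim's trained classification model. The frequency-based fitness function is taken as the absolute difference in per-class feature frequency, so a feature every sample carries (INTERNET) scores zero and is discarded even though it is in the sensitive database.

```python
"""Claim-4-style static feature comparison (added example, not the patent's code).
Assumptions: a package is an in-memory zip with a plain-text manifest and a
plain-text stand-in for the decompiled executable; a tiny Bernoulli naive Bayes
trained on a constructed corpus stands in for the claim's trained classifier."""
import io
import math
import re
import zipfile
from collections import Counter

PERM_RE = re.compile(r'android:name="android\.permission\.([A-Z_]+)"')
API_RE = re.compile(r"(L[\w/$]+;->[\w<>]+)")

def build_package(permissions, api_calls):
    """Construct an APK-like zip: a manifest plus a text stand-in for classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "\n".join(
            f'<uses-permission android:name="android.permission.{p}"/>' for p in permissions))
        z.writestr("classes.dex", "\n".join(f"invoke-virtual {{v0}}, {c}" for c in api_calls))
    return buf.getvalue()

def extract_static_features(package_bytes):
    """Decompress, take the manifest and executable, 'decompile' (here: read the
    text stand-in; a real pipeline runs a dex decompiler) and extract features."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        manifest, code = z.read("AndroidManifest.xml").decode(), z.read("classes.dex").decode()
    return {f"perm:{p}" for p in PERM_RE.findall(manifest)} | {f"api:{a}" for a in API_RE.findall(code)}

def frequency_fitness(feature_sets, labels):
    """Frequency-based fitness |P(f|malicious) - P(f|benign)|: a feature equally
    common in both classes (e.g. INTERNET) scores 0 and has no discrimination power."""
    mal = [s for s, l in zip(feature_sets, labels) if l]
    ben = [s for s, l in zip(feature_sets, labels) if not l]
    mc, bc = Counter(f for s in mal for f in s), Counter(f for s in ben for f in s)
    return {f: abs(mc[f] / len(mal) - bc[f] / len(ben)) for f in set(mc) | set(bc)}

def select_features(fitness, sensitive_db, threshold=0.5):
    """Retain features that are discriminative AND present in the preset sensitive DB."""
    return sorted(f for f, s in fitness.items() if s >= threshold and f in sensitive_db)

def feature_matrix(feature_sets, selected):
    """Binary presence matrix: one row per sample, one column per retained feature."""
    return [[1 if f in s else 0 for f in selected] for s in feature_sets]

class BernoulliNB:
    """Minimal Bernoulli naive Bayes with Laplace smoothing (stand-in classifier)."""

    def fit(self, X, y, alpha=1.0):
        self.prior, self.logp = {}, {}
        for c in (0, 1):
            rows = [x for x, lab in zip(X, y) if lab == c]
            self.prior[c] = math.log(len(rows) / len(X))
            probs = [(sum(r[j] for r in rows) + alpha) / (len(rows) + 2 * alpha) for j in range(len(X[0]))]
            self.logp[c] = [(math.log(p), math.log(1 - p)) for p in probs]
        return self

    def predict(self, row):
        def score(c):
            return self.prior[c] + sum(lp if v else lq for v, (lp, lq) in zip(row, self.logp[c]))
        return 1 if score(1) > score(0) else 0

def train(corpus, labels, sensitive_db, threshold=0.5):
    """Extract features, screen them, build the matrix and fit the classifier."""
    feats = [extract_static_features(p) for p in corpus]
    selected = select_features(frequency_fitness(feats, labels), sensitive_db, threshold)
    return selected, BernoulliNB().fit(feature_matrix(feats, selected), labels)

def judge(package_bytes, selected, model):
    """Feed a new package's feature row to the trained model and return the verdict."""
    row = feature_matrix([extract_static_features(package_bytes)], selected)[0]
    return "malicious" if model.predict(row) else "benign"

SMS, DEX = "Landroid/telephony/SmsManager;->sendTextMessage", "Ldalvik/system/DexClassLoader;-><init>"
# Constructed sensitive feature database (assumption: a real one is far larger).
SENSITIVE_DB = {"perm:INTERNET", "perm:SEND_SMS", "perm:READ_SMS", "perm:READ_CONTACTS",
                "perm:RECEIVE_BOOT_COMPLETED", f"api:{SMS}", f"api:{DEX}", "api:Ljava/lang/Runtime;->exec"}

def demo():
    """Train on a constructed corpus (3 malicious, 3 benign), then judge two fresh packages."""
    corpus = [
        build_package(["INTERNET", "SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED"], [SMS, DEX]),
        build_package(["INTERNET", "SEND_SMS", "READ_CONTACTS"], [SMS, "Ljava/lang/Runtime;->exec"]),
        build_package(["INTERNET", "RECEIVE_BOOT_COMPLETED", "SEND_SMS"], [DEX, SMS]),
        build_package(["INTERNET", "ACCESS_NETWORK_STATE"], ["Landroid/webkit/WebView;->loadUrl"]),
        build_package(["INTERNET", "CAMERA"], ["Landroid/hardware/Camera;->open"]),
        build_package(["INTERNET", "READ_CONTACTS"], ["Landroid/widget/Toast;->show"]),
    ]
    selected, model = train(corpus, [1, 1, 1, 0, 0, 0], SENSITIVE_DB)
    suspect = build_package(["INTERNET", "SEND_SMS"], [SMS])
    clean = build_package(["INTERNET", "CAMERA"], ["Landroid/webkit/WebView;->loadUrl"])
    return selected, judge(suspect, selected, model), judge(clean, selected, model)
```

With the constructed corpus, `demo()` retains four features (the SMS-sending API, the dynamic class loader, RECEIVE_BOOT_COMPLETED and SEND_SMS), drops INTERNET and READ_CONTACTS as non-discriminative, and classifies the suspect package as malicious and the clean one as benign. The threshold and the sensitive database are the two knobs an operator tunes; a feature that is rare in the corpus but highly indicative (READ_SMS here) is lost at a 0.5 threshold, which is the usual trade-off of frequency-based screening.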
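The redirection blocking of claim 7 has two branches: a signature check on a load request using the disposal module's key, and a processing strategy built from known malicious links that is matched against the parsed data message. Both are shown in the added example below (not the patent's code). It assumes the "signature" is an HMAC-SHA256 tag over the package bytes (the claim names no scheme), that the data message is a plaintext HTTP request, and that the blocking action is a 302 redirect to a placeholder warning page; the hostnames, key and request bytes are constructed.

```python
"""Claim-7-style redirection blocking (added example, not the patent's code).
Assumptions: the 'signature' is an HMAC-SHA256 tag under a key held by the
disposal module; the data message is a plaintext HTTP request; blocking means
answering with a redirect to a placeholder warning page."""
import hashlib
import hmac
from urllib.parse import urlsplit

WARNING_PAGE = "http://warning.invalid/blocked"  # placeholder, not a real endpoint

# --- branch 1: verify the signature on a load request --------------------------
def sign_package(package_bytes, key):
    """Tag a package with the disposal module's key (stand-in for a real signature)."""
    return hmac.new(key, package_bytes, hashlib.sha256).hexdigest()

def verify_load_request(package_bytes, tag, key):
    """Allow the load only if the tag verifies under the module's key; refuse otherwise."""
    expected = sign_package(package_bytes, key)
    return "load" if hmac.compare_digest(expected, tag) else "refuse"

# --- branch 2: strategy from known links, message parsing, matching -----------
def build_policy(known_malicious_links):
    """Resolve known malicious links into a processing strategy: exact (host, path)
    entries plus the bare host, so other paths on a known-bad host are caught too."""
    policy = {"urls": set(), "hosts": set()}
    for link in known_malicious_links:
        u = urlsplit(link)
        host = (u.hostname or "").lower()
        policy["urls"].add((host, u.path or "/"))
        policy["hosts"].add(host)
    return policy

def parse_request(raw):
    """Parse the request line and headers of a plaintext HTTP request (message analysis)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()   # drop any :port
    path = target.split("?", 1)[0]                          # ignore query string
    return {"method": method, "host": host, "path": path, "headers": headers}

def match_policy(parsed, policy):
    """Match the parsed message against the strategy; return the kind of hit or None."""
    if (parsed["host"], parsed["path"]) in policy["urls"]:
        return "url"
    if parsed["host"] in policy["hosts"]:
        return "host"
    return None

def decide(raw_request, policy):
    """Return ('allow', None) or ('block', redirect_response_bytes)."""
    hit = match_policy(parse_request(raw_request), policy)
    if hit is None:
        return "allow", None
    # Redirection blocking: answer the client with a 302 to the warning page
    # instead of forwarding the request to the malicious host.
    response = (f"HTTP/1.1 302 Found\r\nLocation: {WARNING_PAGE}?reason={hit}\r\n"
                f"Content-Length: 0\r\nConnection: close\r\n\r\n").encode()
    return "block", response

# Constructed inputs for a stand-alone run (hostnames are reserved example names).
KNOWN_LINKS = ["http://bad.example/app/update.apk", "https://evil.example/dl/x.apk"]
REQ_KNOWN_URL = b"GET /app/update.apk?ver=2 HTTP/1.1\r\nHost: bad.example\r\n\r\n"
REQ_KNOWN_HOST = b"GET /other/file.apk HTTP/1.1\r\nHost: evil.example:8080\r\n\r\n"
REQ_CLEAN = b"GET /index.html HTTP/1.1\r\nHost: good.example\r\n\r\n"

def demo():
    """Exercise both branches and return the verdict for each constructed case."""
    policy = build_policy(KNOWN_LINKS)
    verdicts = {name: decide(req, policy)[0] for name, req in
                [("known_url", REQ_KNOWN_URL), ("known_host", REQ_KNOWN_HOST), ("clean", REQ_CLEAN)]}
    key = b"constructed-disposal-module-key"
    pkg = b"vetted package bytes"
    good_tag = sign_package(pkg, key)
    verdicts["signed"] = verify_load_request(pkg, good_tag, key)
    verdicts["tampered"] = verify_load_request(pkg + b"!", good_tag, key)
    return verdicts
```

Matching on the normalized host and the path with the query string removed is what stops trivial evasions such as `?cachebust=1` or an explicit port in the Host header; the `reason` parameter on the redirect gives the statistical analysis module of claim 8 something to count per hit type. For TLS traffic the Host header is not visible to a bypass device, so in practice this branch applies to plaintext HTTP and the SNI, not to the full URL.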

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310622419.XA CN116821904A (en) 2023-05-29 2023-05-29 Mobile malicious program monitoring system based on big data


Publications (1)

Publication Number Publication Date
CN116821904A true CN116821904A (en) 2023-09-29

Family

ID=88126653




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination