KR20160031590A - Malicious app categorization apparatus and malicious app categorization method - Google Patents

Abstract

The present invention relates to an apparatus and a method for categorizing malicious applications. The apparatus for categorizing malicious applications includes: a profiling module for generating an operation profile capable of identifying at least one malicious operation of an application from data based on analysis of the application; and an operation categorizing module for categorizing the application according to a malicious operation pattern of the application which is analyzed by the operation profile. When the apparatus and the method of the present invention are used, a mobile malicious application can be detected and classified with high accuracy by applying a profiling method based on the operation.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to a malicious app classification apparatus and a malicious application classification method,

The present invention relates to a malicious application classifying device and a malicious application classifying method, and more particularly, to a malicious application classifying device and a malicious application classifying device that can detect and classify malicious applications by configuring an action- .

With the popularization of smartphones, an environment was established to access and exchange information anytime, anywhere. While the spread of smartphones is growing exponentially, there are also increasing threats of hacking, such as information leakage by mobile malicious apps.

In particular, smartphones based on the Android platform are more exposed to the risk of hacking. This is because, according to the opening policy of the Android platform, malicious apps can easily be uploaded to any developer or Android market with simple authentication, and the cracks and repackaging of the app itself are easy.

To prevent the proliferation of exponentially growing malicious apps, vaccine companies are extending their signature-based detection methods, which are malicious code detection methods applied in existing PCs, to mobile environments. Signature-based detection methods require a continuous database update, detection is difficult for unknown (zero-day) malicious apps, and malicious apps that change some or all of their app code There is a problem.

Many previous studies have been conducted to deal with such signature - based detection methods. The previous researches mainly detect malicious apps based on permissions, API (Application Programming Interface) based or system call.

Permission-based malicious app detection methods have many false positives that classify benign apps as malicious apps. The method of detecting malicious apps based on APIs must be completed before decompilation and disassembly. weak. Also, the malicious app detection method based on the system call is based only on the system call frequency and does not take into consideration other system call arguments, and therefore the accuracy is lowered.

Thus, there is a need for a new malicious app classification apparatus and a malicious app classification method that can solve the limitations found in previous researches on existing malicious app detection methods and accurately classify malicious apps.

The present invention has been made in order to solve the above-described problems, and it is an object of the present invention to provide a malicious app that can detect and classify malicious apps by generating an action-based profile from user level and kernel level log data output by dynamic analysis of an app. And a method of classifying malicious apps.

According to another aspect of the present invention, there is provided a malicious application classifying apparatus including an action profiling module for generating an action profile capable of identifying at least one malicious operation of an application from data based on an analysis of an application, And a behavior categorizing module for classifying the app according to the malicious behavior pattern of the malicious behavior pattern of the malicious behavior.

According to another aspect of the present invention, there is provided a malicious application classification method, comprising the steps of: (b) generating an action profile capable of identifying one or more malicious operations of an application from data based on an analysis of an application; and (c) And classifying the app according to the malicious behavior pattern of the app to be analyzed.

The malicious application classifying device and the malicious application classifying method according to the present invention can be used to detect malicious apps by generating an action-based profile from log data of user level and kernel level output by dynamic analysis of an application .

1 is a diagram illustrating an exemplary system block and schematic internal structure for malicious app detection and classification according to the present invention.
2 is a diagram showing an exemplary functional block diagram of an app analysis unit.
3 is a diagram illustrating an exemplary flow chart for malicious app detection and classification.
4 is a view showing an example of a behavior profile generated for a specific malicious app.

The above and other objects, features and advantages of the present invention will become more apparent from the following detailed description of the present invention when taken in conjunction with the accompanying drawings, in which: It can be easily carried out. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram illustrating an exemplary system block and schematic internal structure for malicious app detection and classification according to the present invention.

Referring to FIG. 1, a malicious application detection and classification system includes at least one client 100, a malicious application classification apparatus 200, and a communication network 300.

As to each block of the system, the client 100 may be a smartphone, a tablet PC, or the like, which is used by a general user. The client 100 has a built-in processor and can execute various application programs. Hereinafter, an application is referred to as an app. The client 100 is preferably a portable terminal capable of performing telephone communication, SMS (Short Message Service), or MMS (Multimedia Message Service) over a mobile communication network even on the move. The client 100 can download various apps through a mobile communication network or an internet network and can execute downloaded apps.

The client 100 transmits the app information in order to know whether the app downloaded to the malicious application classification device 200 through the web browser is a malicious app or malicious app if it is a malicious app before executing the downloaded app, And receive analysis results for the app. The app information includes, for example, the name of the downloaded app and the hash value of the app. Alternatively, the app information may include a package of the downloaded app.

The malicious application classification apparatus 200 is connected to one or more clients 100 through a communication network 300 and receives an application detection and classification request from the client 100 and detects whether the application is malicious using the received application information And / or malicious apps, and transmits the analysis result to the client 100. The malicious application classification apparatus 200 can operate as a web server that constitutes a so-called server and provides, for example, a web page through hyper text transfer protocol (HTTP).

The malicious application classifying apparatus 200 comprises at least a communication interface for interfacing with the communication network 300, at least one processor for executing various programs, and at least one hard disk for storing various data.

The malicious application classifying apparatus 200 includes a transmitting and receiving unit 210, a database 220, an app checking unit 230, an app analyzing unit 240, and a crawler 250 as functional blocks. Each functional block is preferably configured in combination with the hardware of the malicious app classifier 200. For example, the transceiver 210 processes communication packets on a communication interface and a communication interface to transmit and receive data through the communication network 300. The database 220 allows various data to be accessed and managed by using a hard disk or the like. The crawler 250, the app checking unit 230, and the app analyzing unit 240 are configured in the form of a program executable by the processor.

The crawler 250 continuously collects app files (for example, APK (Android PacKage) files) from the official / unofficial market through the Internet network and collects collected apps And stores the files in the database 220 or a hard disk. The crawler 250 first collects the app files before requesting the analysis by the client 100, determines the malicious application in advance through the application analysis unit 240, and classifies the malicious application in the case of the malicious application.

The transmitting and receiving unit 210 receives the app information indicating the analysis target of the app from the client 100 and stores the received app information in a hard disk constituting the database 220 or the database 220. [ The app information includes, for example, the name (identifier) of the app file and the hash value of the app file. Alternatively, the app information may represent an app file (APK file) itself. The app information may also be passed directly to the app checking unit 230. The transmission / reception unit 210 also transmits the analysis result generated through the application confirmation unit 230 or the application analysis unit 240 to the requesting client 100.

The app checking unit 230 and the app analyzing unit 240 classify the app using the app information according to the app analysis request from the client 100 when the app is malicious and the app is malicious, You can decide.

The app checking unit 230 compares the hash value of the app information from the client 100 with the hash values of the apps already analyzed in the database 220 and classified by category. If the same hash value exists in the database 220, the app checking unit 230 generates an analysis result determined using the information extracted from the database 220. Then, the application verification unit 230 transmits the analysis result to the client 100 through the transmission / reception unit 210.

When the app information from the client 100 is not identified in the database 220, the app checking unit 230 automatically extracts the app file from the official / informal marketplace of the internet network using the crawler 250, Stores the app file in the database 220, and transfers the app file to the app analyzer 240. If the app file is not extracted from the official / informal market, the app checking unit 230 may request the app file to the client 100 as app information.

The app analyzing unit 240 classifies the app files requested to be detected and classified by the client 100 or the app files collected through the crawler 250 into categories according to behavior-based profiling, Categories can be determined. The analysis result through the application analysis unit 240 may be stored in the database 220 as a hash value and may be transmitted to the client 100 through the transceiver unit 210. [

The client 100 may display the received analysis result on the screen and then determine whether the downloaded application is installed according to the analysis result by the user.

The app analysis unit 240 will be described in detail with reference to FIG. 2 and FIG.

The communication network 300 is a wired, wireless, or wired or wireless network capable of transmitting and receiving data between the malicious application classification apparatus 200 and the client 100. The communication network 300 includes a mobile communication network or an Internet network. Of course, the mobile communication network may constitute an internet network.

2 is a diagram showing an exemplary functional block diagram of the app analysis unit 240. As shown in FIG.

2, the app analysis unit 240 includes a behavior identification module 241, a behavior profiling module 243, a behavior categorizing module 245, and a similarity matching module 247. [

Looking at the respective modules, the behavior identification module 241 generates log data to be used for generating the behavior profile. This log data can then identify the behavior of the app being analyzed.

More specifically, the behavior identification module 241 executes an application to be analyzed in an emulator environment and integrates user log data at a user level and system log data at a kernel level to generate integrated log data . The generated consolidated log data is then transmitted to the behavior profiling module 243 for behavior profiling.

For example, the action identification module 241 may execute an application for a predetermined time or longer using a loadable kernel module (LKM) capable of being dynamically combined with an emulator executed at a user level and a kernel, And collects system log data from the kernel module. For example, the emulator is a Droidbox that can emulate an Android app running.

The action identification module 241 collects data leak data and SMS / call data among user log data, collects system calls and parameters from the dynamic kernel module, and composes the data into integrated log data. The generated consolidated log data includes at least the parameters used in the system call and the system call.

Generally, malicious app authors are unable to identify malicious behavior in your app because they can hide the API calls associated with malicious behavior. So, if you record what kind of system function is called through system call hooking (Hooking) and what parameter it has, you can grasp correct behavior even when hiding API function call.

The behavior profiling module 243 generates an action profile that can identify one or more operations of the analyzed application from the integrated log data of the action identification module 241. [ That is, the behavior profiling module 243 parses the integrated log data and constructs a behavior profile from the parsed data.

The behavior profile generated by the behavior profiling module 243 will be described in detail here.

와 같이 4개의 원소를 갖는 집합으로 구성된다.

는 분석 대상인 앱에서 파악되는 모든 객체 셋(Set)을 의미하고

는 모든 오퍼레이션(Operation) 집합을 나타내며 키(Key)와 값(Value)로 구성된 내재된 사전 구조(nested dictionary)를 가진다.

는 객체와 오퍼레이션과의 매핑 관계를 의미하며

는 순서(Sequence)와 관련 없는 전체 객체-오프레이션 관게 집합을 의미한다.

는 통합 로그 데이터로 표현된다. The behavior profile (P)

And a set having four elements as shown in FIG.

Refers to all the set of objects that are understood by the app to be analyzed

Has a built-in nested dictionary consisting of a key and a value representing all sets of operations.

Means a mapping relationship between an object and an operation

Means a whole set of object-offsets that are not related to a sequence.

Is represented by integrated log data.

Objects represent the abstract functionality that malicious apps need to do for each action. An object is an abstraction of a specific action and can be described as follows. As will be seen below, malicious apps' behavior patterns can be classified into the following three categories: calling a billing phone number (hereinafter referred to as a "billing call"), sending an SMS to a billing phone number (Hereinafter also referred to as " personal information transmission ") and an operation of converting data for transmission (hereinafter also referred to as " data conversion ").

Operation indicates specific malicious behavior. Hereinafter, the operation may be referred to as a malicious act. An operation consists of a name, a target and an attribute. The name refers to the identifier (or delimiter) of malicious behavior and the goal is the attack target of the malicious app. For example, the content or system information of the external memory of the client 100 may be an attack target. Attributes refer to sensitive personal information targeted by malicious apps, such as billing / text phone numbers, country codes or worm information, extracted against attack targets. The operation can be described by symbolizing as follows.

)에 대한 예제이다. Table 1 below shows the relationship between the network object and the corresponding operation (

) Is an example.

As can be seen in Table 1, the network object is mapped to two operations, and each of the operations can again know to transfer or translate one or more attributes.

The behavior profiling module 243 identifies objects and operations (malicious actions) from the integrated log data and configures the mapping relationship between the object and the malicious behavior and the name, target, and attributes of the malicious behavior in a nested format. For example, the behavior profiling module 243 may express this behavior profile P with a nested dictionary of the PYTHON programming language.

Each malicious behavior can be identified in an emulation process (also through kernel hooking). The malicious action is, for example, an act of performing a billing character, a billing call, a personal information transmission or a data conversion without notifying the user using the client 100 of the action. These behaviors are categorized into four malicious behaviors as described above, and the apps are represented by a combination of four malicious acts through the behavior profile.

4 is a view showing an example of a behavior profile generated for a specific malicious app. The example of FIG. 4 is an example of the behavior profile generated by the behavior profiling module 243 with the integrated log data collected for FakeBattScar, which is a kind of data collecting malicious app. FakeBattScar displays the advertisement on the device screen, and transmits the device model, manufacturer, carrier information, location information, IMEI, OS / SDK version, etc. to the malicious app producer's server. As shown in FIG. 4, the behavior profile allows the analyst to intuitively grasp the malicious behavior of the app.

The behavior profiling module 243 configures a behavior profile for the application to be analyzed and delivers the behavior profile P to the behavior categorizing module 245. [

The action categorizing module 245 classifies the analyzed application into a specific category according to the behavior pattern of the app analyzed from the behavior profile. The categories used as the main categories are, for example, a combination of 4 malicious acts, and 16 behavior patterns (one behavior pattern represents the normal application and the remaining 15 behavior patterns are combinations of one or more malicious acts Respectively).

Thus, the behavior categorizing module 245 classifies the analyzed application into a behavior pattern recognized as a malicious behavior combination of a billing call, a billing character, personal information transmission, or data conversion performed in the application.

If there are no four malicious acts predefined in the behavior profile, the action categorization module 245 regards the corresponding application as a normal application and stores the corresponding application information (for example, the application name and the hash value ). Then, the behavior categorization module 245 may not transmit the analysis result indicating normalness to the client 100 through the transmission / reception unit 210 without driving the similarity matching module 247 thereafter.

The similarity matching module 247 compares the similarity with a plurality of sub-category-based representative (activity) profiles within the corresponding category of the analysis target application classified by the behavior categorization module 245, Category of an app that is classified in < / RTI >

Here, the database 220 included in the malicious application classifying apparatus 200 may be classified into 16 categories by the crawler 250 or the client 100, The apps are again sub-categorized by community. One of the 16 categories is the category for the normal app and the remaining 15 represents the malicious behavior pattern of one or more combinations of the four malicious acts.

Each of the sub-categories within each category of the malicious behavior pattern may, for example, represent a diagnosis of a malicious app. The apps classified in a specific sub-category are stored in the database 220 as a hash value for the app file and a behavior profile generated by the behavior profiling module 243 for the app. Each of the particular sub-categories in the database 220 also stores a representative profile.

The representative profile is determined by the profile of the apps in the sub-category. The representative profile is configured to have a common character of a group of sub-categories. For example, the representative profile is updated as the analyzed application is classified into a specific sub-category, and the update method is updated to the union or intersection of the current representative profile and the behavior profile of the analyzed application.

The intersection method can easily cope with the noise caused by the variant of the malicious app and updates the common characteristics of malicious apps belonging to the corresponding group (sub-category). The union scheme is updated to accommodate various variants.

The similarity matching module 247 determines the subcategories of the analysis target appara- tus by the similarity comparison. The similarity matching module 247 compares the representative profile of each sub-category by the billing phone, the billing character, the personal information transmission, And the similarity score is calculated by summing up the similarity scores.

Similarity scores are quantified to the extent that they have access to hardware resources, such as phones and cameras, and systems or personal information.

The similarity (S) per sub-category is

이다.

와

는 i 번째 행위 유사성 요소와 가중치를 나타낸다. BFS(Behavior Factor Similarity)는 행위 유사성 요소로서 인덱스 i에 따라 4가지를 나타낸다. i 인덱스 값에 따라 즉 과금 전화 악성 행위에 대한 유사성(CS : Similarity of Calling premiun-rate number), 과금 문자 악성 행위에 대한 유사성(SS : Similarity of Sending premiun-rate SMS), 개인 정보 전송 악성 행위에 대한 유사성(SIS : Similarity of collecting Sensitvie Information), 데이터 변환 악성 행위에 대한 유사성(CDS : Similarity of Converting Data)을 나타낸다. Lt; / RTI >

to be.

Wow

Represents the ith similarity factor and its weight. Behavior Factor Similarity (BFS) is a behavior similarity factor and represents four things according to index i. (iii) Similarity of calling premiun-rate number (CS), Similarity of sending premiun-rate SMS (SS), Personal information transmission Malicious behavior Similarity of collecting Sensitvie Information (SIS) and Similarity of Converting Data (CDS).

The weights applied to each similarity can be applied differently. For example, SS can be determined to be 0.33, CS to be 0.33, SIS to be 0.21, and CDS to be 0.13. Thus, SS and CS are larger than SIS and CDS weights. In particular, CDS has the lowest weight because: First, since data conversion for transmission is unnecessary in the process of communication for personal information transmission, weight is lower than other similarity factors. Second, encoding and encryption are applied when communication between servers is required for normal files Because there are many cases, it is hard to be seen as malicious act by data conversion only.

Table 2 shows the similarity measurement method for each element. The similarity score of the CS that dials the billing number and the SS that sends the SMS with the billing number compares binary access whether or not the corresponding hardware resource can be accessed. A string such as a phone number included in the attribute of malicious action is different from one letter, so partial matching does not provide a meaningful meaning in terms of similarity comparison. Therefore, if the same behavior is performed based on the attribute of the malicious behavior in comparison with the sub-category representative profile, 1 is assigned to 0 otherwise.

SIS, which transmits sensitive data, calculates the similarity score using the ZarCard index method. The CDS computes the similarity scores for the destination URL address, the encryption mode, and the encoding mode included in the attribute of the malicious behavior, and calculates the similarity score by adding the average value. The similarity score of the destination URL address is obtained by applying the Levenshtein distance method to the discordant part after applying the Longest Prefix Matching method. For the encryption mode and the encoding mode, 0 is assigned if the same operation is performed through binary comparison.

Thus, the similarity matching module 247 calculates the similarity score (S) per sub-category and compares the similarity score by sub-category with a threshold value. The similarity matching module 247 may determine a sub-category having a similarity score per sub-category exceeding a threshold value and having the highest similarity score as a sub-category of the analyzed application. The threshold value may be 0.85, for example. If there is no sub-category that exceeds the threshold, the similarity matching module 247 creates a new sub-category in the database 220 and stores the behavior profile of that app in the new sub-category. According to the determination of the sub-category, the similarity matching module 247 updates the representative profile according to the union or intersection method.

Then, the similarity matching module 247 may transmit the analysis result to the client 100 through the transceiver 210.

As a result of experimenting with the application analyzer 240 according to the present invention, it has been found that the similarity score between the sub-category of the malicious application (for example, malicious application diagnosis name) is up to 0.8 and the sub- The similarity score between the apps was 0.1. In addition, it was confirmed that the accuracy was more than 99% in classification based on the comparison of malicious apps, and the classification accuracy of normal and malicious apps was more than 98%, and 1MB app was able to be classified within 58 seconds. Diagnostic names that may be used in the experiment and which may be sub-categories are, for example, AdWo, AirPush, Boxer, FakeBattScar, and the like.

In this way, the behavior profile technique can be applied to malicious application detection and classification, and it is possible to cope with malicious code samples quickly and efficiently, and it is possible to detect and classify new malicious apps while solving various existing problems by utilizing behavior profiling technique .

3 is a diagram illustrating an exemplary flow chart for malicious app detection and classification.

Since the module and the control for detection and classification have already been described in detail with reference to FIG. 2, a description of the module and the control for the detection and classification will be omitted here. 3 is performed on the hardware of the malicious application classifying apparatus 200, preferably by executing a program stored in a hard disk or the like on the processor.

First, the malicious application classification apparatus 200 receives application information from the client 100 (S101).

After receiving the app information, it is determined whether the app corresponding to the app information exists in the database 220 (S103). The determination of existence is determined by comparing the hash value included in the app information with the hash value included in the database 220. [

If the malicious application classifier 200 already exists and is classified into the sub-category in the database 220, the malicious appclassifier 200 generates an analysis result from the database 220 (S117).

If it is not present in the database 220, the malicious appclassifier 200 generates integrated log data (S105), which is data for identifying malicious behavior of the application corresponding to the app information. The malicious application classification apparatus 200 receives an application from the client 100 via the crawler 250 or the like and executes the application through the emulator. According to the execution in the emulator, the malicious application classification apparatus 200 combines user log data at the user level and system log data collected at the kernel level by the LKM to generate integrated log data. Consolidated log data includes at least the parameters used in system calls and system calls.

Thereafter, the malicious appclassifier 200 generates an action profile that can identify the malicious action of the app from the integrated log data, which is data based on the application analysis (S107), and classifies the application into categories according to the malicious act pattern analyzed from the action profile (S109). Accordingly, the analyzed application can detect whether it is a normal app or a malicious app, and can identify the main category of the app.

Within the classified category, the malicious appclassifier 200 determines the sub-category of the app classified by the similarity comparison with the representative profile by sub-category (S111). At this time, the malicious application classification apparatus 200 can determine a specific sub-category or create a new sub-category using the threshold value.

According to the determination of the sub-category, the malicious appclassifier 200 updates the representative profile of the determined sub-category (S113). Such updates may be, for example, intersection or union.

Then, the malicious appclassifier 200 updates the database 220 to reflect the determination of the sub-category and the update of the representative profile, and generates an analysis result for the application to be analyzed (S115).

According to the generation of the analysis result, the malicious app classification apparatus 200 transmits the analysis result to the client 100 via the transmission / reception unit 210 (S119). The client 100 receiving the analysis result can display the analysis result on a screen or the like and inform the user of the analysis result.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. The present invention is not limited to the drawings.

100: Client 200: Malicious app classifier
210: Transmitting / receiving unit 220:
230: App verification unit 240: App analysis unit
241: Behavior Identification Module 243: Behavior Profiling Module
245: Act categorization module 247: Similarity matching module
250: Crawler
300: Network

Claims (11)

An act profiling module that generates an action profile that can identify one or more malicious operations of the app from data based on an analysis of the app; And
And a behavior categorization module for classifying the application according to a malicious behavior pattern of the application analyzed from the behavior profile.
Malicious app classifier. The method according to claim 1,
And an action identification module for generating the data to identify malicious behavior of the app,
The action identification module generates the integrated log data by integrating the user log data collected at the user level and the system log data collected at the kernel level by executing the application through the emulator and transmits the combined log data to the behavior profiling module,
The integrated log data includes system call and parameters used in the system call,
Malicious app classifier. The method according to claim 1,
The malicious action may represent a billing call, billing text, personal information transfer or data conversion,
Wherein the behavior categorization module classifies the application into a malicious behavior pattern recognized as one or more combinations of charging phone calls, charging characters, personal information transmission, and data conversion performed in the application,
Malicious app classifier. The method according to claim 1,
A database for classifying malicious apps by category, classifying the malicious apps into a plurality of sub-categories within a category, and managing representative profiles for each sub-category; And
And a similarity matching module for determining a sub-category of the classified application by comparing the similarity with the sub-category representative profile within the corresponding category of the application classified by the behavior categorization module.
Malicious app classifier. 5. The method of claim 4,
The similarity matching module calculates the similarity by summing up similarity between the classified app and the representative profile for each of billing telephone, billing character, personal information transmission, and data conversion malicious behavior,
The weight applied to the similarity of malicious act of charging phone malicious act and billing character is larger than the weight applied to malicious malicious act of data transmission and malicious activity of data conversion,
Malicious app classifier. 5. The method of claim 4,
The representative profile is updated according to sub-category determination of the app,
Wherein the representative profile is updated with an intersection or a union of profiles of the apps in the determined sub-
Malicious app classifier. 6. The method of claim 5,
The malicious action consists of a name, a goal and an attribute
Wherein the similarity calculated for each malicious action is calculated based on at least an attribute included in the malicious action,
Malicious app classifier. 5. The method of claim 4,
A transmitting and receiving unit receiving app information from a client and transmitting an analysis result according to the app information; And
And a crawler for collecting apps over the Internet,
The malicious app classification apparatus classifies the apps collected through the crawler into a database, and when the app identified by the hash value of the received app information is already classified in the database, the malicious app classification apparatus transmits the analysis result determined from the database to the client through the transmitting / Transmitting,
Malicious app classifier. (b) generating an action profile that can identify one or more malicious operations of the app from data based on an analysis of the app; And
(c) classifying the app according to a malicious behavior pattern of the app analyzed from the behavior profile.
How to classify malicious apps. 10. The method of claim 9,
The method of claim 1, further comprising: (a) before the step (b), generating the data to identify malicious behavior of the app,
Wherein the step (a) generates integrated log data, which is obtained by integrating user log data collected at a user level and system log data collected at a kernel level by executing the app through an emulator, based on analysis of the app,
The integrated log data includes system call and parameters used in the system call,
How to classify malicious apps. 10. The method of claim 9,
Determining a sub-category of an app that is classified by a similarity comparison with a sub-category representative profile within a corresponding category of the classified application;
How to classify malicious apps.

Images