KR20160133927A - Apparatus and method for detecting rooting from terminal based on android system - Google Patents
- Publication number: KR20160133927A
- Application number: KR1020150067122A
- Authority: KR (South Korea)
- Prior art keywords
- malicious
- files
- processes
- file
- unit
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/561—Virus type analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
Abstract
Description
The present invention relates to a method for detecting rooting in a terminal based on an Android system, and more particularly, to a technique for determining whether the terminal is rooted by collecting processes or files executed on the Android system and detecting malicious processes or malicious files.
With the spread of smart devices, banking operations and mobile office environments for business operations have moved onto smart devices, and important processing is now performed on them. As a result, malicious attacks that used to be limited to PCs are spreading to smartphones, studies for detecting and defending against these behaviors are needed, and building an environment for them is becoming important. Android is accordingly making efforts to enhance security by applying SEAndroid, based on SELinux (Security-Enhanced Linux). Also, in order to collect personal information and perform various malicious actions, an attacker goes through the rooting process to obtain super administrator privilege on the Android system, and research is being conducted on how to detect this.
Conventional rooting detection methods are divided into two types: rooting detection inserted at the kernel level through changes to the Android system, and rooting detection with general user privilege at the Android application level.
Rooting detection inserted at the Android kernel level allows system call hooking and network packet monitoring, which makes a high level of rooting detection possible.
Rooting detection performed by an application with general user rights has restricted access to system resources, which makes it difficult to achieve the high-level rooting detection described above.
Also, when detection uses an existing process list, all root processes other than those in the basic Android process list provided by Google are detected; because each Android smartphone manufacturer has its own root processes, there is a possibility of false alarms.
The method of monitoring events occurring in an application by polling and storing logs is often a hindrance to commercialization, because it may greatly affect battery consumption on a portable device.
The easiest way to detect rooting is to search for the 'su' file that is installed along with a rooting app, in system command directories such as '/system/bin/' and '/system/xbin/'.
There is also a way to circumvent this by looking for a specific string in the 'su' file.
Also, when a vulnerability is exploited to become super administrator, detection from normal user privilege is difficult.
Korean Laid-Open Patent Application No. 2013-0060188 discloses a technique for receiving process information on an application started on a mobile terminal and comparing rooting application information with the process information to detect a rooting application. Korean Patent No. 1388053 discloses a technology for detecting an elevation to administrator privilege on the Android operating system and detecting the presence or absence of malicious code.
However, Korean Laid-Open Patent Application No. 2013-0060188 and Korean Patent No. 1388053 do not perform rooting detection at the instruction level. In particular, they disclose only technology for detecting privilege elevation and do not disclose rooting detection that considers the relationship between a parent process and a child process in an Android-based system.
Therefore, considering the growing importance of security and the explosive spread of smartphones equipped with the latest Android-based systems, there is a need for technology that detects rooting more effectively and detects a safe execution environment.
It is an object of the present invention to effectively counter various methods of bypassing rooting detection by analyzing a file or a process inside the Android system at the instruction level.
It is also an object of the present invention to use processes as well as recently modified files to detect rooting.
It is also an object of the present invention to detect rooting in consideration of the basic processes of the manufacturer or the communication company as well as the basic processes of the Android system.
According to an aspect of the present invention, there is provided a rooting detection apparatus comprising: a collection unit for collecting processes/files in an Android operating system; a detection unit for detecting malicious processes or malicious files based on the commands inside the processes/files; and a rooting determination unit for determining whether the Android operating system is rooted based on the detected malicious process/malicious file.
In this case, the detection unit may include a search unit for searching for an executable file corresponding to the processes; a comparison unit for searching for the command part of the executable file and comparing it with the command part of malicious files; and a determination unit for determining that the files are malicious files when the command part of the malicious files exists in that command part.
If the search by the search unit finds that no executable file corresponding to the processes exists, the rooting determination unit may determine that the Android system is rooted.
If the search by the search unit finds that the executable file corresponding to the processes is a file with no read permission, the rooting determination unit may determine that the Android system is rooted.
In this case, the detection unit may include a classification unit that classifies the processes into parent processes and child processes; and a determination unit that determines whether the processes are malicious processes based on the UIDs of the parent processes and the UIDs of the child processes.
If the UID of the parent process is not 0 and the UID of the child process is 0, the determination unit may determine that the child process is a malicious process.
The determination unit may further include a database for storing a process list specific to a manufacturer or a process list specific to a communication company.
If the process is included in the process list stored in the database, the determination unit may determine the process to be a normal process.
The collection unit may collect files whose last modification time is within a specific time.
In this case, the detection unit may include: a search unit for searching for the command part of the files; a comparison unit for comparing that command part with the command part of malicious files; and a determination unit for determining that the files are malicious files when the command part of the malicious files exists in that command part.
According to another aspect of the present invention, there is provided a rooting detection method comprising: collecting data of processes/files in an Android operating system; detecting malicious processes or malicious files based on the commands inside the processes/files; and determining whether the Android operating system is rooted based on the detected malicious process/malicious file.
In this case, the step of detecting the malicious process or malicious file may include: searching for an executable file corresponding to the processes; searching for the command part of the executable file and comparing it with the command part of malicious files; and, if the command part of the malicious files exists in that command part, determining that the files are malicious files.
In the step of determining whether the system is rooted, it may be determined that the Android system is rooted when the step of searching for the executable file finds that no executable file corresponding to the processes exists.
In the step of determining whether the system is rooted, it may be determined that the Android system is rooted when the executable file corresponding to the processes is a file with no read permission.
The step of detecting the malicious process or malicious file may include: classifying the processes into a parent process and a child process; and determining whether the process is a malicious process based on the UID (User Identifier) of the parent process and the UID of the child process.
In this case, when the UID of the parent process is not 0 and the UID of the child process is found to be 0, it may be determined that the child process is a malicious process.
In the step of determining whether the process is a malicious process, the process may be determined to be a normal process if it is included in a database storing a manufacturer-specific process list or a process list specific to a communication company.
The step of collecting the data may collect files whose last modification time is within a specific time.
In this case, the step of detecting the malicious process or malicious file may include: searching for the command part of the files; comparing that command part with the command part of malicious files; and detecting the file as a malicious file if the command part of the malicious file exists in that command part.
The present invention analyzes files or processes in the Android system at the command level and effectively counters various methods of bypassing rooting detection, thereby enabling accurate rooting detection.
In addition, the present invention can analyze not only processes but also recently modified files to enable accurate rooting detection.
In addition, the present invention takes into account not only the basic processes of the Android system but also the basic processes of a manufacturer or a communication company, thereby drastically reducing rooting detection errors.
FIG. 1 is a block diagram illustrating a rooting detection apparatus according to an embodiment of the present invention.
FIG. 2 is a block diagram showing an embodiment of the detection unit shown in FIG. 1.
FIG. 3 is a diagram illustrating the principle of detecting a malicious process in a rooting detection apparatus according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a rooting detection apparatus according to an embodiment of the present invention used in a banking mobile application.
FIG. 5 is a diagram showing the rooting detection apparatus according to an embodiment of the present invention collecting files according to their last modification time.
FIG. 6 is a flowchart illustrating a rooting detection method according to an embodiment of the present invention.
FIG. 7 is an operation flowchart showing the malicious file or malicious process detection shown in FIG. 6 in more detail.
The present invention will now be described in detail with reference to the accompanying drawings. Repeated descriptions, and detailed descriptions of known functions and configurations that may obscure the gist of the present invention, are omitted. Embodiments of the present invention are provided to describe the present invention more fully to those skilled in the art. Accordingly, the shapes and sizes of the elements in the drawings may be exaggerated for clarity.
Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a block diagram illustrating a rooting detection apparatus according to an embodiment of the present invention.
Referring to FIG. 1, a rooting detection apparatus according to an embodiment of the present invention includes a
The
At this time, the collecting
At this time, when the collecting
At this time, in collecting the file, the collecting
The
At this time, the
In the conventional method, a malicious process is detected by a string or a file name. However, in order to cope with various rooting detection avoidance methods, the commands inside the file are searched.
At this time, the
At this time, the command part of malicious files can be called up from a previously learned database and compared.
At this time, the number of malicious-file instruction portions stored in the database may increase as the rooting detection device of the present invention is updated.
At this time, the
At this time, the detecting
At this time, the
The rooting determination unit 130 determines whether the Android system is rooted based on the malicious process or the malicious file.
Here, rooting means obtaining root authority on the Android operating system running on the mobile device, thereby lifting the restrictions imposed by the producer or the seller of the device.
When a mobile device is rooted, its security is weakened, and hackers can perform illegal actions on the rooted mobile device.
At this time, when the
At this time, if there is no execution file corresponding to the process in the detecting
At this time, if the execution file corresponding to the process in the
FIG. 2 is a block diagram showing an embodiment of the detection unit shown in FIG. 1.
2, the
The search unit 210 searches for an executable file corresponding to the processes.
The comparing
At this time, the malicious file may be a su (superuser) file existing in the rooted Android system.
At this time, the command portion of the malicious file may be the same as the command portion of the su file existing in the rooted Android system.
At this time, the
The
FIG. 3 is a diagram illustrating the principle of detecting a malicious process in a rooting detection apparatus according to an embodiment of the present invention.
Referring to FIG. 3, FIG. 3 is comprised of
Referring again to FIG. 3, the processes are classified into a parent process and a child process, which can be performed in the
In this case, the child process refers to a process newly formed by system call or the like, and the parent process can refer to a process that has generated a child process.
At this time, the
At this time, the
The malicious process 340 may be a child process of the
At this time, if the UID of the parent process is not 0 and the UID of the child process is 0, this is not a normal relationship in an Android-based system. There may be a vulnerable part in the execution of the parent process, and the child process may be the result of elevating privilege through malicious behavior in that vulnerable part. For example, the malicious process 340 is a child process of a
The manufacturer or carrier
At this time, since the
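The parent/child UID rule described above, together with the manufacturer or carrier process list, can be expressed as the following check over /proc-style status files. This is an added example, not code from the patent; the function names, the allowlist contents and the sample process tree are constructed for illustration.

```python
import os
import tempfile

# Constructed stand-in for the database of manufacturer- or carrier-specific
# root processes; the process name is hypothetical.
VENDOR_ALLOWLIST = {"vendor_helper"}


def read_status(proc_root, pid):
    """Parse Name, PPid and the real UID from <proc_root>/<pid>/status."""
    fields = {}
    with open(os.path.join(proc_root, str(pid), "status")) as fh:
        for line in fh:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return {
        "pid": pid,
        "name": fields["Name"],
        "ppid": int(fields["PPid"]),
        # "Uid:" lists real, effective, saved and filesystem UIDs in that order.
        "uid": int(fields["Uid"].split()[0]),
    }


def collect_processes(proc_root="/proc"):
    """Return {pid: info} for every numeric directory under proc_root."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            procs[int(entry)] = read_status(proc_root, int(entry))
        except (OSError, KeyError, ValueError):
            # Process exited, is hidden from this user, or the file is malformed.
            continue
    return procs


def find_suspicious_children(procs, allowlist=VENDOR_ALLOWLIST):
    """Flag UID-0 children whose parent is not UID 0, minus allowlisted names."""
    flagged = []
    for info in procs.values():
        parent = procs.get(info["ppid"])
        if parent is None or info["uid"] != 0 or parent["uid"] == 0:
            continue
        if info["name"] in allowlist:
            continue  # treated as a normal manufacturer/carrier process
        flagged.append(info)
    return sorted(flagged, key=lambda p: p["pid"])


# Constructed sample process tree: (pid, name, ppid, uid)
SAMPLE = [
    (1, "init", 0, 0),
    (200, "zygote", 1, 0),
    (300, "vendor_daemon", 1, 1000),
    (310, "vendor_helper", 300, 0),        # root child, non-root parent, allowlisted
    (1500, "com.example.app", 200, 10123),
    (1600, "sh", 1500, 0),                 # root child of an app process
]


def build_sample_proc(root):
    """Write the constructed tree as <root>/<pid>/status files."""
    for pid, name, ppid, uid in SAMPLE:
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "status"), "w") as fh:
            fh.write(f"Name:\t{name}\nPPid:\t{ppid}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")


def demo(allowlist=VENDOR_ALLOWLIST):
    """Run the check over the constructed tree and return flagged names."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        procs = collect_processes(root)
        return [p["name"] for p in find_suspicious_children(procs, allowlist)]


if __name__ == "__main__":
    print(demo())
```

On Android 7.0 and later, /proc is mounted with hidepid=2, so an ordinary application sees only its own processes and this enumeration needs elevated access.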
FIG. 4 is a diagram illustrating a rooting detection apparatus according to an embodiment of the present invention used in a banking mobile application.
Referring to FIG. 4, the screen shown is the one displayed when a banking mobile application is executed on a rooted mobile device.
At this time, the rooting detection device can determine that the mobile device has been rooted.
At this time, the rooting detection device may send information to the banking mobile application that the mobile device has been rooted.
At this time, the banking mobile application can output on the display of the mobile device that the application cannot be used because the mobile device is rooted.
FIG. 5 is a diagram showing the rooting detection apparatus according to an embodiment of the present invention collecting files according to their last modification time.
Referring to FIG. 5, a list of
The collecting
At this time, the
At this time, in collecting the file, the collecting
Referring to FIG. 5, for example, when rooting detection is performed on June 28, 2014, files modified since May 28, 2014, one month prior to June 28, 2014 (560, 570, 580, and 590) may be collected in the
At this time, the
At this time, the specific time is not limited. The rooting detection device can determine the specific time based on the performance of the device on which it is installed. For example, if the performance of the device is high, the specific time may be set to one year to enable more accurate rooting detection. Conversely, if the performance of the device is rather low, the specific time may be set to two weeks, giving less accurate but faster rooting detection.
FIG. 6 is a flowchart illustrating a rooting detection method according to an embodiment of the present invention.
Referring to FIG. 6, a process or a file inside the Android system is collected (S610).
At this time, among the processes executed in the Android file system, it is possible to collect processes having a UID (User Identifier) of 0, that is, root processes.
At this time, all processes can be collected from the proc directory, which contains information about processes.
At this time, the file can be collected based on the last modification time of the files. For example, the collected files may be collected by the collecting
Further, a malicious process and a malicious file are detected (S620).
At this time, it is possible to search for a command in the file collected by the collecting
In the conventional method, a malicious process is detected by a string or a file name. However, in order to cope with various rooting detection avoidance methods, the commands inside the file are searched.
At this time, the commands inside the file and the command part of the malicious file can be compared.
At this time, the command part of malicious files can be called up from a previously learned database and compared.
At this time, the number of malicious-file instruction portions stored in the database may increase as the rooting detection device of the present invention is updated.
At this time, when a command portion of a malicious file exists in a command in the file, it can be detected that the file is a malicious file.
At this time, an executable file corresponding to the process collected by the collecting
At this time, the processes may be classified as a parent process and a child process, and a process may be detected as a malicious process based on the UID (User Identifier) of the parent process and the UID of the child process. This was described in FIG.
In addition, it is determined whether or not the Android system has been rooted (S630).
Here, rooting means obtaining root authority on the Android operating system running on the mobile device, thereby lifting the restrictions imposed by the producer or the seller of the device.
When a mobile device is rooted, its security is weakened, and hackers can perform illegal actions on the rooted mobile device.
At this time, when a malicious file or a malicious process is detected, it is possible to detect that the Android system installed in the mobile device has been rooted.
At this time, if there is no executable file corresponding to the process, it is possible to detect that the Android system installed in the mobile device is rooted. This is because a malicious process can erase the executable file corresponding to the running process.
At this time, if the executable file corresponding to the process is a file without read permission, it can be detected that the Android system has been rooted. Executable files that correspond to processes, or that were newly added, in the /system/bin or /system/xbin folder inside the Android system and that cannot be read normally are likely to be executable files corresponding to malicious processes.
FIG. 7 is an operation flowchart showing the malicious file or malicious process detection shown in FIG. 6 in more detail.
Referring to FIG. 7, it is determined whether the collected data corresponds to a process (S710).
If the collected data corresponds to the process, the path of the file in which the process is executed is searched and the execution file is collected (S720).
If the collected data corresponds to a file, that file is opened; otherwise the file collected in S720 is opened (S730).
At this time, it is determined whether the file has been opened successfully (S740). If the file is successfully opened, the command in the file is compared with the command in the malicious file (S750).
At this time, the malicious file may be a su (superuser) file existing in the rooted Android system.
At this time, the command portion of the malicious file may be the same as the command portion of the su file existing in the rooted Android system.
If a command of the malicious file exists among the commands in the file, the file is determined to be a malicious file (S760, S790).
At this time, the
If the file is not opened, it is first determined whether or not the file exists (S770).
At this time, if the file does not exist, the process or file is determined to be a malicious process or a malicious file (S790).
At this time, if there is no executable file corresponding to the process, it is possible to detect that the Android system installed in the mobile device is rooted. This is because a malicious process can erase the executable file corresponding to the running process.
At this time, if the file exists, it is determined whether or not the file has read permission (S780). If the file has no read permission, the file is determined to be a malicious file (S790).
At this time, if the executable file corresponding to the process is a file without read permission, it can be detected that the Android system has been rooted. Executable files that correspond to processes, or that were newly added, in the /system/bin or /system/xbin folder inside the Android system and that cannot be read normally are likely to be executable files corresponding to malicious processes.
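The decision flow of FIG. 7 (S730 to S790) can be sketched as follows. This is an added example, not code from the patent: it takes the "command part" of a file to be the executable PT_LOAD segments of a little-endian ELF64 image, and the signature bytes, file names and `opener` parameter are constructed for illustration.

```python
import os
import struct
import tempfile

PT_LOAD, PF_X, PF_R = 1, 1, 4

# Constructed placeholder bytes standing in for a learned instruction
# signature; not taken from any real su binary.
SIGNATURES = [bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")]


def executable_bytes(data):
    """Concatenate the executable PT_LOAD segments of an ELF64 LE image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return b""  # not a little-endian ELF64 file
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    code = b""
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 40 > len(data):
            break  # truncated program header table
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type == PT_LOAD and p_flags & PF_X:
            code += data[p_offset:p_offset + p_filesz]
    return code


def classify(path, signatures=SIGNATURES, opener=open):
    """Return a verdict for one collected file, following S730 to S790."""
    try:
        with opener(path, "rb") as fh:              # S730, S740
            data = fh.read()
    except FileNotFoundError:                       # S770: file does not exist
        return "malicious: executable missing"
    except PermissionError:                         # S780: no read permission
        return "malicious: no read permission"
    code = executable_bytes(data)                   # S750: compare command parts
    if any(sig in code for sig in signatures):      # S760
        return "malicious: command part matches"
    return "normal"


def make_elf(code, trailer=b""):
    """Build a minimal ELF64 image with one executable segment (constructed)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 183, 1,
                       0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, PF_X | PF_R, 120,
                       0, 0, len(code), len(code), 0x1000)
    return ehdr + phdr + code + trailer


def deny_read(path, mode):
    """Hypothetical opener that simulates a file without read permission."""
    raise PermissionError(path)


def demo():
    """Classify four constructed cases and return their verdicts."""
    with tempfile.TemporaryDirectory() as d:
        renamed = os.path.join(d, "toolbox_helper")  # file name carries no hint
        with open(renamed, "wb") as fh:
            fh.write(make_elf(b"\x00" * 8 + SIGNATURES[0] + b"\x00" * 8,
                              b"harmless-string"))
        benign = os.path.join(d, "ls")
        with open(benign, "wb") as fh:
            # Signature bytes lie outside the executable segment: no match.
            fh.write(make_elf(b"\x1f\x20\x03\xd5" * 4, SIGNATURES[0]))
        return {
            "renamed": classify(renamed),
            "benign": classify(benign),
            "missing": classify(os.path.join(d, "deleted")),
            "unreadable": classify(renamed, opener=deny_read),
        }


if __name__ == "__main__":
    print(demo())
```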
Embodiments of the present invention may be implemented in a computer system, such as a computer readable recording medium. Referring to FIG. 8, the computer system 820-1 includes one or
Thus, embodiments of the invention may be embodied in a computer-implemented method or in a non-volatile computer readable medium having recorded thereon instructions executable by the computer. When computer readable instructions are executed by a processor, the instructions readable by the computer are capable of performing the method according to at least one aspect of the present invention.
As described above, the apparatus and method for detecting rooting based on the Android system according to the present invention are not limited to the configuration and method of the embodiments described above; all or some of the embodiments may be selectively combined.
310, 320, 350, 360: normal process
330, 340, 370: malicious process
380: Process unique to manufacturer or carrier
510, 520, 530, 540, 550, 560, 570, 580, 590:
Claims (19)
A detecting unit detecting malicious processes or malicious files based on the processes / commands inside the files; And
A rooting determination unit for determining whether the Android operating system is rooted based on the detected malicious process / the malicious file,
Wherein the routing information comprises a plurality of routing information.
The detection unit
A search unit for searching for an executable file corresponding to the processes;
A comparison unit for searching for a command part of the executable file and for comparing the command part and the command part of malicious files; And
When the command part of the malicious files exists in the command part, the judging part judges that the files are malicious files
Wherein the routing information comprises a plurality of routing information.
The rooting determination unit
Wherein the determining unit determines that the Android system has been rooted if an executable file corresponding to the processes does not exist as a result of searching by the searching unit.
The rooting determination unit
Wherein the determining unit determines that the Android system is rooted if the executable file corresponding to the processes is a file having no read permission as a result of searching by the searching unit.
The detection unit
A classifying unit for classifying the processes into parent processes and child processes; And
A determination unit for determining whether the processes are malicious processes based on a UID (User Identifier) of the parent processes and a UID of the child processes;
Wherein the routing information comprises a plurality of routing information.
The determination unit
Wherein if the UID of the parent process is not 0 and the UID of the child processes is 0, the process determines whether the child process is a malicious process.
The determination unit
A database that stores a manufacturer-specific process list or a carrier-specific process list
The determination unit
Wherein the determination unit determines that the process is a normal process when the process is a process included in a process list stored in the database.
The collecting unit
And collects files whose last modification time of the files is within a specific time.
The detection unit
A search unit for searching for a command portion of the files;
A comparison unit comparing the command part and the command part of the malicious files; And
When the command part of the malicious files exists in the command part, the judging part judges that the files are malicious files
Wherein the routing information comprises a plurality of routing information.
Detecting malicious processes or malicious files based on the processes / instructions within the files; And
Determining whether the Android operating system is rooted based on the detected malicious process / malicious file
Wherein the step (c) comprises the steps of:
The step of detecting the malicious process or malicious file
Searching an executable file corresponding to the processes;
Searching for a command portion of the executable file, and comparing the command portion and the command portion of the malicious files; And
If the command portion of the malicious files exists in the command portion, determining that the files are malicious files
The method comprising the steps of:
The step of determining whether or not the rooting
Wherein the step of searching for the executable file determines that the Android system is rooted if an executable file corresponding to the processes does not exist.
The step of determining whether or not the rooting
Wherein the step of searching for the executable file determines that the Android system has been rooted if the executable file corresponding to the processes is a file without read permission.
The step of detecting the malicious process or malicious file
Classifying the processes into a parent process and a child process; And
Determining whether the process is a malicious process based on a UID (User Identifier) of the parent process and a UID of the child process
The method comprising the steps of:
The step of judging whether the malicious process is
Wherein if the UID of the parent process is not 0 and the UID of the child process is found to be 0, the process determines whether the child process is a malicious process.
The step of judging whether the malicious process is
Wherein the process is judged as a normal process when the process is a process included in a manufacturer-specific process list or a database storing a process list specific to a communication company.
The step of collecting the data
And collecting files whose last modification time is not within a specific time.
The step of detecting the malicious process or malicious file
Searching for a command portion of the files;
Comparing the command portion and the command portion of the malicious files; And
If the command portion of the malicious files exists in the command portion, determining that the files are malicious files
The method comprising the steps of:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150067122A KR20160133927A (en) | 2015-05-14 | 2015-05-14 | Apparatus and method for detecting rooting from terminal based on android system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150067122A KR20160133927A (en) | 2015-05-14 | 2015-05-14 | Apparatus and method for detecting rooting from terminal based on android system |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20160133927A true KR20160133927A (en) | 2016-11-23 |
Family
ID=57541693
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150067122A KR20160133927A (en) | 2015-05-14 | 2015-05-14 | Apparatus and method for detecting rooting from terminal based on android system |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20160133927A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20180082217A (en) * | 2017-01-10 | 2018-07-18 | 삼성전자주식회사 | Device and Computer Readable Medium for Detecting Privilege Escalation of Process |
KR20210066460A (en) * | 2019-11-28 | 2021-06-07 | 네이버클라우드 주식회사 | Method and system for detecting web shell using process information |
CN113407940A (en) * | 2021-06-21 | 2021-09-17 | 成都欧珀通信科技有限公司 | Script detection method and device, storage medium and computer equipment |
KR20230051949A (en) * | 2021-10-12 | 2023-04-19 | 한전케이디엔주식회사 | Method for managing rooting information using blockchain |
-
2015
- 2015-05-14 KR KR1020150067122A patent/KR20160133927A/en not_active Application Discontinuation
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20180082217A (en) * | 2017-01-10 | 2018-07-18 | 삼성전자주식회사 | Device and Computer Readable Medium for Detecting Privilege Escalation of Process |
WO2018131831A1 (en) * | 2017-01-10 | 2018-07-19 | 삼성전자 주식회사 | Electronic device detecting privilege escalation of process, and storage medium |
US11392674B2 (en) | 2017-01-10 | 2022-07-19 | Samsung Electronics Co., Ltd. | Electronic device detecting privilege escalation of process, and storage medium |
KR20210066460A (en) * | 2019-11-28 | 2021-06-07 | 네이버클라우드 주식회사 | Method and system for detecting web shell using process information |
US11388182B2 (en) | 2019-11-28 | 2022-07-12 | Naver Cloud Corp. | Method and system for detecting webshell using process information |
CN113407940A (en) * | 2021-06-21 | 2021-09-17 | 成都欧珀通信科技有限公司 | Script detection method and device, storage medium and computer equipment |
KR20230051949A (en) * | 2021-10-12 | 2023-04-19 | 한전케이디엔주식회사 | Method for managing rooting information using blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |