RU2580053C2 - System and method of determining unknown status application - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: method of determining the status of the risk of the application which covering protected application, in which a protected application is detected covering the active element interface of the protected application interface elements of the application status is unknown; facility for gathering information about the application with unknown status; facility for analysis of the obtained information is analysed by comparing application information with unknown status with information from the data base, which contains forbidden and safe characteristics for applications, implemented covering protected application; analysis tool as a result of comparison of the application status which covering protected application.

EFFECT: technical result consists in decreasing the number of applications, danger status of which is not known, by determining the status of such applications.

15 cl, 5 dwg

Description

Technical field

The invention relates to methods and systems for determining the hazard status of unknown applications.

State of the art

The use of mobile applications to access services that require the input of confidential data has become widespread. This happens when paying for products and services, when accessing services that require registration data, etc. At the same time, payment using banking applications is also applied on stationary PCs. The result of the development of this sphere was the emergence of malicious software that steals confidential user data that is used to pay for products and services, as well as when registering for services and resources on the Internet.

One way to steal data entered by the user is to replace an interface or interface element of a web page or application through which payment or registration is carried out. The program created by the attacker replaces, for example, the fields for registration, and the user enters data not in the original field, but in the interface element provided by the attacker program.

The antivirus industry faced the task of protecting the user from such malicious programs, the solution to this problem was the creation of various systems to track the moment the interface of the protected application was blocked by the interface of the malicious program. Thus, US Pat. No. 8,205,260 B2 describes a system and method for detecting a spoofing of an original application window by a malware window by counting the time that the window of the protected application is blocked by the window of another application, if this time interval is greater than a certain critical interval, a warning is issued to the user. Another publication WO 2012101623 A1 describes a method for checking web elements for substitution by comparing the structure of the checked elements of web pages with previously known and safe structure templates.

An analysis of the prior art allows us to conclude that the solutions presented do not allow protection against partial overlapping of the protected application window without affecting the protected application window (closing the window, resizing, etc.) and its process (for example, implementation in an active process).

Disclosure of invention

The present invention relates to methods and systems for determining the status of unknown applications.

The technical result of the present invention is to reduce the number of applications whose hazard status is unknown by determining the status of such applications.

A method for determining the hazard status of an application that has shut down a protected application, in which the monitoring tool for a protected application detects that at least one active element of the protected application interface is blocked by application interface elements whose status is unknown, where the application with unknown status is an application whose status is not contained in the database, the collection tool collects information about the application with an unknown status, at least one interface element and which was blocked by at least one element of the protected application interface, the analysis tool analyzes the information obtained by comparing information about the application with an unknown status with information from the database, which contains forbidden and safe characteristics for applications that have blocked the protected application, and the analysis tool as a result of the comparison, the status of the application that has blocked the protected application is determined, where the application that blocked the protected application, the character ISTIC which the results of the comparison are similar to the prohibited characteristics, acquires the status of a dangerous.

In a particular case, the characteristics according to the results of the comparison are considered similar if the degree of similarity between the characteristics exceeds the established threshold, and an application whose characteristics are different from the prohibited characteristics receives a safe status.

In another particular case, the characteristics of at least one interface element of an unknown application that has overlapped are compared with the characteristics of interface elements stored in a database that are prohibited from overlapping interface elements of a protected application.

In another particular case, elements are considered prohibited only for a particular type of application, corresponding to the type of protected application, where the type of application is determined by the purpose of the application. In a particular case, the type of application is a banking application.

In a particular case, the previously defined status is entered into the database and, based on the application status, the category of trust of the application that performed the protection application overlap is determined.

In a particular case, the status is relevant only for determining the category of trust of the application that has performed the overlapping of the protected application. In another particular case, the status is relevant only for the security system of the type of application that corresponds to the type of secure application whose security system has determined the status.

A system for determining the category of trust of an application that has blocked a protected application, which contains a monitoring tool for a protected application designed to detect the overlap of at least one active interface element of a protected application with application interface elements whose status is unknown, where the application with unknown status is the application, status which is not contained in the database; secure application collection means for collecting information about an application with an unknown status, at least one interface element of which overlaps at least one protected application interface element; analysis tool for a secure application designed to analyze information received from the data collection tool by comparing application information with an unknown status with information from a database that contains forbidden and safe characteristics for applications that have blocked the protected application and determine the status of the application that blocked the protected application , where the application that blocked the protected application, whose characteristics are similar to the forbidden by characteristics, gets dangerous status; A database intended for storing application status and forbidden and safe characteristics for applications that have blocked a protected application.

In a particular case, the analysis tool compares the characteristics of at least one interface element of an unknown application that has overlapped with the characteristics of the interface elements stored in the database, which are forbidden to overlap the interface elements of the protected application.

In another particular case, the analysis tool additionally enters the previously defined status into the database. Also, in the particular case, the analysis tool additionally, based on the status of the application, determines the category of trust of the application that blocked the protected application.

Brief Description of the Drawings

The accompanying drawings are included to provide a further understanding of the invention and form part of this description, show embodiments of the invention, and together with the description serve to explain the principles of the invention.

The claimed invention is illustrated by the following drawings, in which:

FIG. 1 shows an example of a graphical interface of a banking application for payment of purchases or services;

FIG. 2 shows an example of a secure application security system;

FIG. 3 shows a method for determining the category of trust of an application that has overlaid a secure application;

FIG. 4 shows a method for determining the status of an application that has completed a secure application overlap;

FIG. 5 shows an example of a general purpose computer system.

Although the invention may have various modifications and alternative forms, the characteristic features shown by way of example in the drawings will be described in detail. It should be understood, however, that the purpose of the description is not to limit the invention to its specific embodiment. On the contrary, the purpose of the description is to cover all changes, modifications that are included in the scope of this invention, as defined by the attached formula.

Description of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The above description is intended to help a person skilled in the art for a comprehensive understanding of the invention, which is defined only in the scope of the attached claims.

The principles of operation of malicious applications that intercept by replacing interface elements are presented below. In the context of this application, an interface is understood as a graphical user interface (GUI), which is a type of user interface where interface elements (menus, buttons, icons, lists, etc.) presented to the user on the display are made in the form of graphic images. The interface elements themselves are the primitives of the graphical user interface. Interface elements at least include:

- button (button),

- double button (split button) - a button that calls up a list with secondary (s) action (s) (buttons),

- radio button (radio button),

- flag button (check box),

- icon (icon, icon),

- list (list box),

- tree - hierarchical list (tree view),

- drop-down list (combo box, drop-down list),

- label

- edit field (textbox, edit field),

- an element for displaying tabular data (grid view),

- menu

- the main menu of the window (main menu or menu bar),

- context menu (popup menu),

- pull down menu

- window (window),

- dialog box (dialog box),

- modal window (modal window),

- panel

- tab (tab),

- toolbar

- scrollbar (scrollbar),

- slider (slider),

- status bar (status bar),

- tooltip (tooltip, hint).

In FIG. 1 shows an example of a graphical interface of a banking application to pay for purchases or services. In a particular case, the malicious application completely replaces the banking application interface with its own. In another particular case, the malicious application replaces individual interface elements, for example, the field for entering the credit card number 1006 and CVV code, and the malicious application window 100a may be invisible, it is active, but it is not rendered to the user. In all the cases described, the user enters his confidential data not into the original interface of the banking application, but into the interface elements 100 created by the malicious application. A malicious application for overlapping monitors the operation of applications of interest to it, for example, applications that work with banking services, at the time of launch or during the periods of operation of these applications, it blocks the interface elements 100 of the banking application with its own elements.

To protect against the attack described above, an application (protected application) needs to detect the fact that its own elements of the interface 100 overlap. Detection is carried out in various ways. In one case, a protected application at the time of its activity (the user enters data, works with the interface) constantly polls the system to find its window on top of all other windows and other interface elements, i.e. for the activity of his window. Active, in this context, is understood as the interface element of the application with which the user is working. If an application receives a message from the system that there is an application interface element other than a protected application (the protected application window has ceased to be active), the protected application window is considered to be closed. Further, the coordinates of the interface elements that overlap the protected application can be additionally determined, their visibility determined, etc. In another particular case, the fact of overlap is determined by tracking system events associated with the creation or activation of interface elements, and if these events are triggered by an application other than a protected application, the protected application is considered to be closed. For example, the appearance of the EVENT_SYSTEM_FOREGROUND event (http://msdn.microsoft.com/en-us/library/windows/desktop/dd318066%28v=vs.85%29.aspx) in the system indicates that the active window has been changed. A protected application also detects overlap by monitoring the appearance of windows with a specific title, for example, with the title of KasperskyBank.

Overlapping can be carried out not only by a malicious application, but also by a safe application. The definition of the application that performed the overlap is done in several ways. In one case, this is done by determining the process identifier through the handle of the interface element that performed the overlap, i.e. get the handle of the interface element that performed the overlap, having the handle of the interface element, get the identifier of the process that created the window. Knowing the process identifier, the process itself and the application that created it are determined. In another case, for example, in an operating system such as Android, events are tracked in the Android system log (logcat). The window display of any application is recorded by the operating system in logcat. The system log is analyzed and determined by the application whose window is currently active. The following is an example of syslog entries with the information described:

I / ActivityManager (445): No longer want com.google.android.inputmethod.latin.dictionarypack

(pid 25679): empty # 17

W / WFApp (2479): onTrimMemory (20) called

V / AudioHardwareMSM8660 (129): open driver

I / ActivityManager (445): START u0 {act = android.intent.action.MAIN

cat = [android.intent.category.LAUNCHER] flg = 0 × 10200000

cmp = com.android.settings / .Settings} from pid 727

V / AudioHardwareMSM8660 (129): get config

V / AudioHardwareMSM8660 (129): set config

V / AudioHardwareMSM8660 (129): buffer_size: 4800

The process identifier is determined from the record (pid 727), then the application is determined by the process identifier. The application manifest is also analyzed, in a particular case, scanning by antivirus software is performed.

After determining the specific application that performed the overlap, information about the application is obtained. Information is the various characteristics of the application and its various components (files, interface elements, etc.). Information about the application allows us to conclude on the degree of trust in the application. The information may be the hash sum of the application or individual files, as well as the installer (installer), version of the application, application name, application source, size, path to the application on the device, types of application resources and their hash sums and histograms, etc. d. These are actual specifications that can be collected directly from the device. Another group of information is statistical characteristics, which are obtained on the basis of actual characteristics by referring to an external or internal database, such information is the hazard status of the application or a separate application file in the reputation database (a database that stores hazard assessments for objects, in a particular case files), the number of application installations in a world or a specific region, etc. The obtained actual and statistical characteristics are used for subsequent analysis of the application. The actual characteristics of the application characterizing the resources of the application, in particular the application interface elements (buttons, windows), are separately highlighted. The window shape, window title, button name, etc. can serve as characteristics. Information about the interface elements is obtained, for example, in the form of hash sums and histograms.

The information obtained is used to determine the category of trust of the application that performed the overlap. The concept of category and category of trust in the framework of this application are equivalent. The category of application trust refers to the degree of trust in the application (trusted or untrusted) by the security system of the protected application (will be described below). In one implementation option, the application category can be two: trusted applications and untrusted applications. Within the framework of the current application, the concept of the category of application should be separated from the concept of hazard status of the application. The application status within the framework of this application may be as follows: dangerous, safe. There are also unknown applications - these are applications whose status is not defined. An application’s danger status determines the danger of an application that has shut down a protected application. The danger of the application that performed the overlap for a protected application consists, in the particular case, of the theft of data processed by the protected application, of data spoofing.

Trusted applications include applications whose overlapping of the protected application interface, in the opinion of the security system, is safe. The security system of a protected application, assigning a category of trust to the application, does this locally, within the current state on the device and based on information about the application, the interface elements of which overlapped the interface elements of the protected application. In the particular case, such information is the status of the application that performed the overlap. The application status can be general, i.e. be used when scanning applications for malware in a different context (for example, when performing a full-disk scan of a device for malicious software), or private, i.e. The status is relevant only when determining the category of the application when overlapping. The status can also be even more private and refer only to certain types of applications when defining a category, for example, an application that has shut down has a dangerous status only when the security system analyzes a secure banking application for other types of secure applications (gaming, email, etc.). ) the application that performed the overlap has a safe status. In a particular case, the type of application is determined by its purpose. The application status is determined using the hash of the application or a separate application file. To do this, they organize a request to a reputation database, the database is located in one particular case on the device under study, in another particular case, the database is located remotely. If the application under study is known (the hash amount is contained in the reputation database), then, accordingly, the application that performed the overlap already has the safe or dangerous status, depending on which hash sum from the reputation database corresponds to the application hash being verified. If the hash of the application or an individual application file is not contained in the database, the application or an individual application file is considered unknown, i.e. the application that performed the overlap has no status. If the application or file has the safe status, then in the particular case the application that performed the overlap gets the trusted category. In another particular case, the category of the application is determined on the basis of other actual and statistical information about the application, for example, by installing the application on the device or by belonging to preinstalled system applications. If the application is a system application (the installation path indicates this), and its status is unknown, the application is recognized as trusted.

The application that performed the overlap can be assigned status at the same time as determining the category of trust. For example, the interface elements of a protected application are compared with the interface elements of the application that performed the overlap, if the elements are recognized as similar, then the application that performed the overlap is assigned a dangerous status. In another particular case, information about the user interface elements of the application that performed the overlap is compared with information about the user interface elements of the blacklisted application. The black list contains information about interface elements that are prohibited from overriding the interface elements of protected applications. Such elements can be buttons with the name ″ enter code ″, windows with headers containing the word ″ Bank ″, etc. The blacklist in one case can be located on the local device, in the other case it is located remotely. In the particular case, the blacklist is structured depending on the type of protected application. For example, a protected application refers to banking applications and blocking the window of a protected application with a window containing the bank name in the header is dangerous, therefore, for banking applications, such a window will be blacklisted, in another case, a protected application refers to gaming and blocking the window of this application with a window containing the name of the bank in the header is safe and will not be on the black list. The black list contains at least the characteristics of the interface elements that are copies of the interface elements of the protected application.

In FIG. 2 shows the security system 202 of the secure application 201. The security system 202 is part of the secure application 201. The application 201 itself with all its components is stored in the system memory 22. The security system 202 includes a monitoring tool 203 designed to detect elements of the interface of the protected application being blocked by elements interface of another application. The monitoring tool 203 is connected to the database 204, which contains information about the status of applications installed on the device, and the list of prohibited interface elements and can be located remotely on the device 49. The monitoring tool 203 is also connected to the collection tool 205, designed to collect information about the application, having completed the overlap. The monitoring tool 203 and the collection tool 205 are associated with the analysis tool 206, designed to analyze the collected information by the tool 205. As a result of the analysis of the collected information, the analysis tool 206 determines the trust category of the application that performed the overlap. Also, analysis tool 206 determines the status of the application that performed the overlap. In the particular case of implementation, all the means of the security system 202 of the secure application are associated with the software and hardware of the device, an example of which is shown in FIG. 5 (the figure is described below), through the established communication, the security system 202 performs configuration and modification: the operating system 35, under which the device operates, the file system 36, applications 37 and other components stored in the system memory 22, as well as the configuration of the hardware components parts of the device.

In FIG. 3 depicts a method for determining the category of an application that has overlaid a secure application. At step 301, the secure application detects the overlap of one of the active elements of its interface (the element with which the user is currently interacting) with at least one interface element of another application. In the particular case, the overlap is detected by comparing the information about the window of the protected application with information about the active window in the system log of the operating system. Next, at step 302, the secure application collects information about the application that performed the overlap, where at least the application status stored in the database 204 is used as the information. The collected information is analyzed at step 303 and, based on the analysis, the category of trust of the application that performed the overlap is determined in In a particular case, the category of the application is determined based on the status of the application stored in the database 204, where the application is recognized as untrusted if the application status is “dangerous” and, conversely, when dix recognized as a trusted, if the "safe" status of the application. In the case when the application status is unknown, additional information is collected, such information, for example, is whether the application that performed the overlap belongs to preinstalled system applications, where the application is recognized as trusted, if it relates to preinstalled system applications. As mentioned above, in a particular case, the status is relevant only to determine the category of trust of the application that has blocked the protected application, and in another particular case, the status is relevant only for the protection system of the type of applications that corresponds to the type of protected application 201, the security system 202 of which has established the status earlier .

In FIG. Figure 4 shows a method for determining the status of an application that has closed a protected application, where, at step 401, the protected application detects that its interface elements are blocked by application interface elements whose status is unknown, where an application with an unknown status is an application whose status is not contained in the database 204. Next, step 402 collect information about the application with an unknown status and at step 403 analyze the received information by comparing information about the application, the status of which unknown, with information from a database 204 containing forbidden and safe characteristics for applications that overlap a protected application, where prohibited characteristics are characteristics that an overlapping application should not have, and safe characteristics are those characteristics that an overlapping application has permissible. At the final stage 404, the status of the application that blocked the protected application is determined, where the application that blocked the protected application, the characteristics of which are similar to the forbidden characteristics, receives a dangerous status, the status is entered into the database 204. In a particular case, the application whose characteristics are not similar for prohibited characteristics, it receives the safe status, characteristics according to the results of comparison are considered similar if the degree of similarity between the characteristics exceeds Exceeds the set threshold. In the particular case of the invention, the degree of similarity is determined in accordance with the Dyce measure, in another particular case of implementation, the degree of similarity is determined in accordance with one of the metrics: Hamming, Levenshtein, Jacquard.

In a particular case, the analysis tool 206 of the protected application compares the characteristics of at least one interface element of an unknown application that has overlapped with the characteristics of the interface elements stored in the database 204, which are forbidden to overlap the interface elements of the protected application. Prohibited can only be for a specific type of application corresponding to the type of protected application, where the type of application is determined, for example, by the purpose of the application.

FIG. 5 is an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any prior art bus structure comprising, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating system using ROM 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 is the same personal computer or server that has most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 5. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (15)

1. A method for determining the hazard status of an application that has performed a shutdown of a protected application, in which:
a) the monitoring application of the protected application detects the overlap of at least one active element of the protected application interface with application interface elements whose status is unknown, where the application with unknown status is an application whose status is not contained in the database;
b) a collection tool collects information about an application with an unknown status, at least one interface element of which overlaps at least one interface element of a protected application;
c) the analysis tool analyzes the information obtained by comparing information about an application with an unknown status with information from a database that contains forbidden and safe characteristics for applications that have blocked a protected application;
d) as a result of the comparison, the analysis tool determines the status of the application that blocked the protected application, where the application that blocked the protected application, the characteristics of which are similar to the forbidden characteristics by the results, receives a dangerous status. 2. The method according to p. 1, in which the characteristics according to the results of the comparison are considered similar if the degree of similarity between the characteristics exceeds a specified threshold. 3. The method according to claim 1, in which the application, the characteristics of which are different from the prohibited characteristics, receives the status of safe. 4. The method according to claim 2, which compares the characteristics of at least one interface element of an unknown application that has performed overlapping with the characteristics of interface elements stored in a database that are prohibited from overlapping interface elements of a secure application. 5. The method according to claim 3, in which the elements are considered prohibited only for a specific type of application corresponding to the type of secure application. 6. The method of claim 4, wherein the type of application is determined by the purpose of the application. 7. The method of claim 6, wherein the type of application is a banking application. 8. The method according to claim 1, in which the previously defined status is entered into the database. 9. The method according to claim 1, in which, based on the status of the application, a category of trust of the application that has completed the overlapping of the protected application is determined. 10. The method according to p. 1, in which the status is relevant only to determine the category of trust of the application that has performed the overlapping of the protected application. 11. The method according to p. 10, in which the status is relevant only for the security system of the type of applications that corresponds to the type of secure application whose security system has determined the status. 12. A system for determining the hazard status of an application that has completed a secure application that contains:
a) a secure application monitoring tool designed to detect the overlap of at least one active interface of a secure application by application interface elements whose status is unknown, where an application with unknown status is an application whose status is not contained in the database;
b) a secure application collection tool designed to collect information about an application with an unknown status, at least one interface element of which has blocked at least one protected application interface element;
c) a secure application analysis tool for:
- analysis of information received from the means of collecting information by comparing information about an application with an unknown status with information from a database that contains forbidden and safe characteristics for applications that have blocked a protected application;
- determining the status of the application that has blocked the protected application, where the application that blocked the protected application, the characteristics of which are similar in comparison with the prohibited characteristics, receives a dangerous status;
d) a database intended for storage:
- application status;
- Forbidden and secure features for applications that override a secure application. 13. The system of claim 12, wherein the analysis tool compares the characteristics of at least one interface element of an unknown application that has performed overlapping with the characteristics of interface elements stored in a database that are prohibited from overlapping interface elements of a secure application. 14. The system according to p. 12, in which the analysis tool enters the previously defined status into the database. 15. The system according to p. 12, in which the analysis tool additionally, based on the status of the application, determines the category of trust of the application that performed the overlap of the protected application.

Images