RU2713760C1 - Method and system for detecting emulated mobile operating system using machine learning techniques - Google Patents

Abstract

FIELD: calculating; counting.

SUBSTANCE: group of inventions relates to computer engineering. Said result is achieved by a method of detecting an emulated mobile operating system using machine learning techniques, wherein data are collected on a mobile application which is installed on a mobile user communication device; sending the data received at the previous step from the mobile communication device of the user to the server; performs extraction of the obtained data by means of the parser containing the collected features, in accordance with the field names; sending selected features to a trained statistical data model located on a server, having feature groups which include a group of statistical features, dynamic features, user metrics, file metrics and modified metrics; decision is made by means of trained statistical data model mobile application is installed on real device or emulated mobile operating system.

EFFECT: technical result is high quality of analysing transactions performed in banking applications running in an emulated operating system.

11 cl, 9 dwg

Description

FIELD OF TECHNOLOGY

[001] This technical solution relates to the field of computer technology, and in particular to methods and systems for detecting an emulated mobile operating system using machine learning methods, in order to prevent the application from launching, or to limit the functionality of a mobile application in an emulated environment.

BACKGROUND

[002] Currently, the use of smartphones in everyday life is not limited to voice calls and CMC. The ability to download and execute programs, as well as mobile Internet access, has led to the emergence of a large number of mobile applications. The functionality of a modern smartphone consists of browsers, client programs of social networks, office applications and all kinds of services that work on the Web.

[003] Currently, it is possible to run a mobile application unhindered, for example, banking clients, on a variety of software emulators of the Android operating system. Attackers use emulated devices to perform fraudulent activities, as in this case, you do not need to buy a new phone to make another attempt of fraud, just reinstall the emulator, or change a number of parameters in the configuration files.

[004] As disclosed in [1, 2], there are methods for determining an emulator based on data received from equipment sensors, such as an accelerometer, gyroscope, GPS, light sensor, gravity. The output values of these sensors are based on information collected from the environment, and therefore their realistic emulation is a complex task. The presence of these kinds of sensors is the main difference between smartphones and desktop computers. The increasing number of sensors on smartphones provides new opportunities for identifying mobile devices.

[005] However, these technologies may not work or lead to incorrect results if the malicious part of the program code is not present in the anti-virus databases or the code contains hidden and unobvious malicious behavior. In these cases, hidden code can be sent to the analyst to review and decide on the harmfulness of the program. The process of viewing by the analyst gives accurate results, but it takes time and is not effective from this point of view.

[006] The analysis of the prior art allows us to conclude about the inefficiency and, in some cases, the impossibility of applying previous technologies, the disadvantages of which are solved by the present invention.

ESSENCE OF TECHNICAL SOLUTION

[007] A technical problem or a technical problem solved in this technical solution is to identify an emulated mobile operating system using machine learning methods.

[008] The technical result achieved in solving the above problem is to reduce the financial fraud by improving the quality of the analysis of transactions performed in banking applications running in an emulated operating system.

[009] An additional technical result is the prevention of the ability to repeatedly execute the "first" order in mobile applications. Many applications provide discounts / bonuses / points for starting using their service for the first order of a service / product. The emulated operating system allows you to repeatedly execute the "first" order by one person.

[0010] The specified technical result is achieved through the implementation of a method for identifying an emulated mobile operating system using machine learning methods, in which data is collected on a mobile application that is installed on a user's mobile communication device; send the data obtained in the previous step from the user's mobile communication device to the server; carries out the selection of the obtained data through a parser containing the collected features, in accordance with the name of the fields; directing the selected features to a trained statistical data model located on the server containing groups of features that include a group of statistical features, dynamic features, user metrics, file metrics and modified metrics; make a decision by means of a trained statistical data model, a mobile application is installed on a real device or an emulated mobile operating system.

[0011] In some embodiments of the technical solution, data collection on a mobile application is performed in a JSON file and / or XML, and / or YML, and / or TXT.

[0012] In some embodiments of the technical solution, the server is located in a cloud data storage or locally.

[0013] In some embodiments of the technical solution, the statistical model is a logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or a support vector method.

[0014] In some embodiments of the technical solution, cross-validation is used to determine the effectiveness of the statistical model.

[0015] In some embodiments of the technical solution, the parser parses the elements containing the collected features in accordance with the name of their fields.

[0016] In some embodiments of the technical solution, the parser, after parsing the file, maps the attributes to the table fields in the database.

[0017] In some embodiments of the technical solution, the mapping of data into the table fields in the database occurs by executing an INSERT request.

[0018] In some embodiments of the technical solution, when highlighting by means of a parser of signs, they are divided into static and dynamic.

[0019] In some embodiments of the technical solution, dynamic data includes readings of an accelerometer and / or gyroscope, and / or light sensor, and / or magnetic field sensor, and / or motion sensor, and / or distance sensor, and / or rotation sensor .

[0020] Each embodiment of the present technology includes at least one of the above objectives and / or objects, but the presence of all is not required. It should be borne in mind that some objects of this technology, obtained as a result of attempts to achieve the aforementioned goal, may not satisfy this goal and / or may satisfy other goals not specifically indicated here.

[0021] Additional and / or alternative characteristics, aspects and advantages of embodiments of the present technology will become apparent from the following description, the accompanying drawings, and the accompanying technology claims.

BRIEF DESCRIPTION OF THE DRAWINGS

[0022] The features and advantages of this technical solution will become apparent from the following detailed description and the accompanying drawings, in which:

[0023] In FIG. Figure 1 shows an embodiment of the architecture of a system for detecting an emulated mobile operating system using machine learning methods.

[0024] In FIG. 2 shows the structure of an application for collecting data from a device.

[0025] In FIG. Figure 3 shows an example of coefficients for a logistic regression model.

[0026] In FIG. Figure 4 shows an example of the significance of the coefficients for a random forest statistical model.

[0027] In FIG. 5 shows the amount of battery power consumed depending on the functions of the device used.

[0028] In FIG. Figure 6 shows an embodiment of splitting a data set and building a model on one piece of data.

[0029] In FIG. 7 shows an embodiment of a decision tree.

[0030] In FIG. Figure 8 shows an embodiment of a system for detecting an emulated mobile operating system using machine learning methods.

[0031] In FIG. Figure 9 shows an embodiment of a system for detecting an emulated mobile operating system using machine learning methods in the form of a flowchart.

DETAILED DESCRIPTION

[0032] This technical solution can be implemented on a computer, in the form of an automated information system (AIS) or a machine-readable medium containing instructions for performing the above method.

[0033] The technical solution can be implemented as a distributed computer system, which can be installed on a centralized server (a set of servers). In some implementations, the model can also function locally on the phone as part of a mobile application. User access to the system is possible both from the Internet and from the internal network of the enterprise / organization through a mobile communication device on which software with the corresponding graphical user interface is installed, or a personal computer with access to the web version of the system with the corresponding graphical user interface.

[0034] The terms and concepts necessary for the implementation of this technical solution will be described below.

[0035] In this solution, a system means a computer system, a computer (electronic computer), CNC (numerical control), PLC (programmable logic controller), computerized control systems, and any other devices capable of performing a given, well-defined sequence of computing operations (actions, instructions).

[0036] An instruction processing device is understood to mean an electronic unit or an integrated circuit (microprocessor) executing machine instructions (programs).

[0037] The command processing device reads and executes machine instructions (programs) from one or more data storage devices. Storage devices may include, but are not limited to, hard disks (HDDs), flash memory, ROM (read-only memory), solid state drives (SSDs), and optical drives.

[0038] A program is a sequence of instructions for execution by a computer control device or an instruction processing device.

[0039] In the context of the present description, unless clearly indicated otherwise, "server" means a computer program running on the appropriate equipment, which is able to receive requests (for example, from client devices) over the network and execute these requests or initiate the execution of these requests . The equipment may be one physical computer or one physical computer system, but neither one nor the other is mandatory for this technology. In the context of this technology, the use of the expression “server” does not mean that each task (for example, received instructions or requests) or any specific task will be received, completed or initiated to be executed by the same server (that is, by the same software software and / or hardware); this means that any number of software items or hardware devices can be involved in the reception / transmission, execution or initiation of any request or the consequences of any request associated with the client device, and all this software and hardware can be one server or several servers , both options are included in the expression “at least one server”.

[0040] In the context of the present description, unless clearly indicated otherwise, "client device" or "mobile user communication device" means a hardware device capable of working with software suitable for solving the corresponding problem. Thus, examples of client devices (among others) include personal computers (desktop computers, laptops, netbooks, etc.), smartphones, tablets, and network equipment such as routers, switches, and gateways. It should be borne in mind that a device behaving as a client device in the present context may behave like a server in relation to other client devices. The use of the expression “client device” does not exclude the possibility of using multiple client devices to receive / send, execute, or initiate the execution of any task or request, or the consequences of any task or request, or the steps of any method described above.

[0041] In the context of the present description, unless clearly indicated otherwise, the term "database" means any structured data set that is independent of the specific structure, database management software, hardware of the computer on which the data is stored, used or otherwise are available for use. The database may reside on the same hardware that runs the process that stores or uses the information stored in the database, or it may reside on separate hardware, such as a dedicated server or multiple servers.

[0042] In the context of the present description, unless clearly indicated otherwise, the term "information" includes any information that may be stored in a database. Thus, information includes, among other things, audiovisual works (images, videos, sound recordings, presentations, etc.), data (location data, digital data, etc.), text (opinions, comments, questions , messages, etc.), documents, tables, etc.

[0043] In the context of the present description, unless clearly indicated otherwise, the term "component" means software (corresponding to a specific hardware context) that is necessary and sufficient to perform the specific (s) of the specified function (s) )

[0044] In the context of the present description, unless clearly indicated otherwise, the term "computer-based computer information medium" means a medium of absolutely any type and nature, including RAM, ROM, disks (CDs, DVDs, floppy disks, hard drives etc.), USB flash drives, solid state drives, tape drives, etc.

[0045] In the context of the present description, unless clearly indicated otherwise, the words "first", "second", "third", etc. used in the form of adjectives solely to distinguish the nouns to which they relate from each other, and not for the purpose of describing any specific connection between these nouns. So, for example, it should be borne in mind that the use of the terms “first server” and “third server” does not imply any ordering, chronology, hierarchy or ranking (for example) of servers / between servers, as well as their use (by itself) does not imply that a certain “second server” must exist in a given situation.

[0046] A list of key components of an emulated mobile operating system detection system using the machine learning methods of FIG. 8 includes the following items.

[0047] The data collector is a mobile application that installs on an Android device and collects data, as shown in FIG. 2, which are various device metrics described in detail below. In some implementations, the resulting data is divided into groups of signs that allow further classification of the sign of a sign to a particular group.

[0048] A statistical feature group may include the presence of a Bluetooth module and the presence of a Vibracall module in a user's mobile communication device.

[0049] The group of dynamic features may include readings of an accelerometer, gyroscope, light sensor, linear acceleration sensor, battery level, magnetic field sensor readings, motion sensor readings, distance sensor readings, rotation sensor readings.

[0050] A group of user metrics may include features such as the number of SMS / MMS, the number of contacts, the number of calls made, the number of photos (user files), a browser history, etc.

[0051] A group of file metrics can include, for example, the presence of the file network_thoughput token in the / proc / mosc file, the presence of the 0ff \ 0: token in the / proc / ioports file, the presence of the / proc / uid_stat file, the presence of the token “ MINOR = 5 "in the file / sys / device / virtual / misc / cpu_dma_latency / uevent. A group of modified metrics, including a set of different tokens in the parameters, for example, the userdebug token in the Build.DISPLAY parameter, userdebug, vbox86 or remix tokens in the Build.FINGERPRINT parameter, etc.

[0052] The text parser or parser is located on the server side of the system, parses the data string and maps the fields into the database from the JSON file, which may contain attributes, into the database fields. As an JSON parser, any Open Source product that solves this problem, or a proprietary parser can be used. Data transfer by means of a JSON file is not the only possible and limiting implementation option. Also, direct requests (Insert command) to the database can be used to transfer data, or data can be transferred by generating and transmitting XML, YML, TXT and other text file formats, not limited to.

[0053] The database is located on the server side, provides long-term data storage. The database is used in the process of studying the mechanisms of the OS (for example, Android) to collect and store a list of all metrics that potentially indicate the presence of an emulated environment. The database stores a summary list of metrics.

[0054] The statistical model that resides on the server side may be logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or a support vector method and other machine learning algorithms. This statistical model processes and analyzes data with the subsequent formation of an output result (whether the device is an emulator or a real device). Previously, the formation of the training sample and its marking. In some implementations, in addition to the training set, a test set is used to control the quality of training. To train the statistical model, data is collected from a variety of real devices and many currently available emulators. Then comes the learning process of the model. For example, for a decision tree, the learning process is to build an optimal tree by searching for features that best divide the entire sample into two classes - emulators and real devices. In a particular embodiment of this technical solution, one to three questions must be answered, as shown in FIG. 7, to clearly say, an emulator or a real device is used.

[0055] As an exemplary embodiment, the following questions may be used:

• is there a uid_stat file in the / proc / directory?

• is there a switch file in the / sys / device / virtual / directory?

• have the gyro sensor values changed since the last data collection?

[0056] In the next step, the effectiveness of the obtained model is tested on various data sets. In some implementations, cross-validation is used for this, according to which the data set is broken down and the statistical model is built on one part of the data (called the training set or training sample), then the model results are validated on the other part (called the test set or test sample ) Thus, in an exemplary embodiment, 20 cross-validation cycles were performed. In order to reduce the scatter of the results, different cross-validation cycles were performed on different partitions, as shown in FIG. 6. The results for each cross-validation cycle are presented below.

[0057] As an example of implementation, the algorithm of one of the statistical models that can be used to identify the emulated environment is described below. The decision tree method (English “DecisionTree”) is one of the most popular methods for solving classification and forecasting problems in the field of machine learning. So, in a specific embodiment, as shown in FIG. 7, the main elements of the decision tree are:

[0058] The root of the decision tree is the flag “f3” - the presence of the file / proc / uid_stat. The internal node of the tree or the verification node is the sign “f6” - the presence of the file / sys / device / virtual / switch. A leaf (the final node of the tree) is the decision node or the vertex “emulator”, “real device”. The tree branch (response cases) can be “Yes” or “No”.

[0059] To form a training sample, the infrastructure is prepared, including the operation of a data collector, a JSON file parser, and a database. The data collector is implemented as a mobile application that is installed on many real devices or in an emulated operating system and with a given time interval (for example, once every 5 seconds) collects data on the metrics under study. The JSON file parser and database are installed on a separate server, which can be located both in the cloud data storage (in a specific example of implementation in MS Azure) and locally.

[0060] The parser parses the elements of the JSON file containing the collected features, in accordance with the name of their fields. Then, mapping occurs in the fields of the same name with the JSON file in the database. The following example shows the possible contents of the JSON file for the case of using the decision tree method that describes the emulated operating system:

[0061] The parsing algorithm for such a JSON file includes the following steps:

1. reading a JSON file;

2. search for the first token - f3 and write data to variable A;

3. search for the second token - f6 and write data to variable B;

4. search for the third token - gyroscope_value_m and write data to variable C.

[0062] Then, the values of the variables A, B, and C are mapped to the fields of the table in the database for long-term storage and the transfer of the values of the variables to the model for analysis and decision making. Data mapping to table fields in the database occurs by executing an INSERT request.

[0063] In this technical solution for implementing the invention, a data set was collected that included data on 125 features collected from 631 devices (246 emulators, 385 real phones). After cleaning and processing the data, the most significant features were selected that were used to train the final statistical model. Significance of a trait is determined based on the efficiency of dividing the data set, i.e. each of 125 features is sequentially tested for the ability to reliably divide the generated data set into a lot of data from real devices and a lot of data from emulators.

[0064] Various configurations of the following emulators, used as an example, and not limitations, were used to collect data: Andy OS, BlueStacks, Genymotion, KO Player, LeapDroid, MEmu, etc.

[0065] And the following models of real mobile communication devices were used, not limited to: Samsung Galaxy S4, Samsung Galaxy A5, Motorola XT1541, Lenovo A600 Plus.

[0066] After analyzing the collected data and selecting the most significant parameters, the following metrics were selected that do not require additional modifications: the presence and accessibility of the Bluetooth module, the presence of a vibrating alert function, the presence of the network_thoughput token in the / proc / mosc file, and the presence of the 0ff token \ 0: "in the file / proc / ioports, the presence of the file / proc / uid_stat, the presence of the token" MINOR = 5 "in the file / sys / device / virtual / misc / cpu_dma_latency / uevent, the presence of the file / sys / device / virtual / pp , the presence of the file / sys / device / virtual / switch, the presence of the file / sys / module / alarm / parameters, the presence of the file / sys / device / system / cpu / cpuO / cpufreq, the presence of the file / sys / device / virtual / misc / android_adb , on the Ichiye file / proc / sys / net / ipv4 / tcp_syncookies, etc., without limitation.

[0067] The selection of significant features occurs after the formation of the data set. Significant features are selected by analyzing the data collected and selecting features that allow the most efficient way to split multiple devices into real devices and emulators. The analysis consists in calculating the efficiency indicator of the separation of multiple devices into emulators and real devices for each of 125 features in series. Then there is an assessment of the possibility of modifying the trait and re-analysis is carried out in a similar way. Assessment of the possibility of modifying a feature is analytical in nature and is based on data specific to a particular feature. For example, the data returned by the telephonyManager.getAIICelllnfo () function is a list of GSM, LTE, and WCDMA tower identifiers. In the initial form, this data is not an effective sign for dividing the entire data set into two groups: 1 - data from emulators, 2 - data from real devices. But after analyzing these data, namely, counting the number of each type of towers in the data from emulators and in data from real devices, it is possible to effectively divide the entire data set according to the following criterion: the presence of LTE and WCDMA towers with a high probability indicates that the data were obtained from real device. Based on this analytics, two modified attributes were generated: n_cells_lte - the number of LTE towers, n_cells_wcdma - the number of WCDMA towers in the output of the telephonyManager.getAIICelllnfo () function.

[0068] A separate group included the readings of various sensors. Due to the low accuracy of the readings obtained from them, in the vast majority of cases, the values taken with an interval of at least 5 seconds differ, even if the devices themselves are stationary. These differences are usually small, but they may be enough to distinguish a real device from an emulator, where the data is static until it is manually changed. To verify the correctness of this assumption, modified features were added, formed on the basis of readings from sensors. The characteristic value for a particular sensor took on a value of 1 if the sensor readings have changed since the last measurement, and 0 if the value has not changed.

[0069] Then, based on these characteristics, a repeated analysis was performed on the effectiveness of dividing the entire data set into two groups — data from emulators and data from real devices. Some features successfully shared the data set and were used in the models. For example, the gyroscope_val ue_m attribute is successfully used in the above decision tree model.

[0070] The dynamic data includes readings from the following sensors: accelerometer, gyroscope, light sensor, magnetic field sensor, motion sensor, distance sensor, rotation sensor, and others.

[0071] Since any manipulation of the device’s sensors involves increased battery consumption of the device, only static features are pre-used, and then dynamic features are added for use. For testing in a specific implementation example, five classifiers were selected: logistic regression, or decision tree, or random forest, or naive Bayesian classifier, or support vector method, as well as other machine learning algorithms.

[0072] In the analysis of static indicators, the data set included 25 features listed above. Below is data on 20 iterations of cross-validation based on StratifiedKFold and the metric roc_auc (a metric that evaluates the quality of the classifier that calculates the probability that an object belongs to a positive class).

[0073] The table shows the performance indicators of the models without using data from the sensors.

[0074] StratifiedKFold is a scikit-learn library class that allows you to split a data set so that in the resulting sets the ratio of the number of objects belonging to different classes (emulators and real devices) corresponds to this ratio for the original data set.

[0075] When dynamic metrics were added to the dataset, the total number of features considered increased to 35. Models were evaluated in the same way as described above.

[0076] As can be seen from the above data, the selected features allowed us to build statistical models that demonstrate close to ideal results. According to the results of the tests, the best indicators are demonstrated by the case of forest, the support vector method and logistic regression, reaching the available data on the probability of detecting an emulated medium close to 1. In FIG. 3-4 examples of coefficients for these models are shown.

[0077] All considered statistical models stably demonstrate high accuracy even without using data from sensors. The latter, although they increase the accuracy of individual models, but, as a rule, require more battery consumption of the device, which imposes its limitations. In FIG. 5 provides information on energy consumption, depending on the functions used by the user’s mobile communication device. The decision-making process consists of the following steps:

• data collection;

• sending data to a statistical model for analysis;

• formation of the result by the model;

• response to the mobile application.

[0078] After collecting the data and using the parser, the corresponding fields are passed to the statistical model, where they are analyzed. An example of the analysis process is described above using the decision tree method as an example. The result of this model is a verdict that uniquely identifies a mobile application on an actual device or in an emulated operating system. The result of the statistical model can be transferred further to the fraud monitoring system for further processing, or to a mobile application to limit the functionality or launch ability. The process of transferring the result to the application can be carried out by means of one of the software interfaces known in the prior art for providing data exchange between processes, for example, Socket, and / or WebSocket, and / or WCF, and / or REST, etc.

[0079] For example, an application can check the operating system for an emulated environment at launch, or when certain events occur, register a new user, change a password, and others.

[0080] The architecture of the entire detection system of an emulated mobile operating system using machine learning techniques is shown in FIG. 8.

[0081] In FIG. 9 illustrates an example of a computing device 800 that can be used to perform logical processing functions of necessary data to implement the claimed method for identifying an emulated mobile operating system using machine learning methods. It should be noted that the user's computer device and server indicated in the materials of this application may be one of the embodiments of computing device 800.

[0082] In general, the computing device 800 comprises one or more processors 801 connected by a common bus 810, memory means such as RAM 802 and ROM 803, input / output interfaces 804, input / output means 805, and means for network communication 806 .

[0083] The 801 processor (or multiple processors, a multi-core processor) can be selected from a variety of devices currently in wide use, for example, Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™, etc. P.

[0084] RAM 802 is a random access memory and is intended to store machine-readable instructions executed by the processor 801, to perform the necessary logical data processing operations. RAM 802, as a rule, contains executable instructions of the operating system and associated software components (applications, software modules, etc.).

[0085] The ROM 803 is one or more permanent storage devices, for example, a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD- R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0086] To organize the operation of the components of the device 800 and organize the work of external connected devices, various types of I / O 804 interfaces are used. The choice of appropriate interfaces depends on the particular design of the computing device, which may include, but not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port , RJ45, RS232, etc.

[0087] Various means of 805 I / O information are used to facilitate user interaction with computing device 800, such as a keyboard, display (monitor), touch screen, touch pad, joystick, mouse pad, light pen, stylus pen, touch pad, trackball , speakers, microphone, augmented reality tools, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retina scanner, fingerprint scanner, voice recognition module), etc.

[0088] The network interaction tool 806 enables data transmission by the device 800 via an internal or external computer network, such as an Intranet, Internet, LAN, or the like. As one or more means, 806 can be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communications module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, etc.

[0089] Additionally, satellite navigation aids, such as GPS, GLONASS, BeiDou, Galileo, etc., may also be used.

[0090] The submitted application materials disclose preferred examples of the implementation of the technical solution and should not be construed as limiting other, specific examples of its implementation, not going beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

[0091] It should be appreciated that the present invention is not limited to the precise construction or implementation that has been described above and illustrated in the accompanying drawings, and various modifications and changes can be made without departing from its scope. It is intended that the scope of the present invention be limited only by the appended claims.

USED INFORMATION SOURCES

[0092] 1. Petsas, T. et al. Rage against the virtual machine: hindering dynamic analysis of android malware // Proceedings of the Seventh European Workshop on System Security. ACM, 2014. P. 5.

[0093] 2. Jing Y. et al. Morpheus: automatically generating heuristics to detect Android emulators // Proceedings of the 30th Annual Computer Security Applications Conference. ACM, 2014. P. 216-225.

Claims (23)

1. A method for identifying an emulated mobile operating system using machine learning methods, comprising the following steps: • collect data on a mobile application that is installed on the user's mobile communication device; • send the data obtained in the previous step from the user's mobile communication device to the server; • extracts the received data through a parser containing the collected features, in accordance with the name of the fields; • direct the selected features to a trained statistical data model located on the server, containing groups of features that include a group of statistical features, including the presence of a Bluetooth module and the presence of a Vibracall module (vibrating alert) in the user's mobile communication device, dynamic signs, including the readings of the accelerometer, gyroscope, light sensor, linear acceleration sensor, battery level, magnetic field sensor readings, motion sensor readings, distance sensor readings, readings rotation sensor, user metrics, file metrics and modified metrics, including a set of tokens in the parameters of the user's mobile communication device; • make a decision using a trained statistical data model, a mobile application is installed on a real device or in an emulated mobile operating system. 2. The method according to p. 1, characterized in that the data collection on the mobile application is carried out in a JSON file and / or XML, and / or YML, and / or TXT. 3. The method according to p. 1, characterized in that the server is located in a cloud data warehouse or locally. 4. The method according to claim 1, characterized in that the statistical model is a logistic regression, or a decision tree, or a random forest, or a naive Bayesian classifier, or a support vector method. 5. The method according to claim 1, characterized in that cross-validation is used to determine the effectiveness of the statistical model. 6. The method according to p. 1, characterized in that the parser parses the elements containing the collected features, in accordance with the name of their fields. 7. The method according to claim 1, characterized in that the parser, after parsing the file, maps the attributes to the table fields in the database. 8. The method according to claim 7, characterized in that the mapping of the data into the table fields in the database occurs by executing an INSERT request. 9. The method according to p. 1, characterized in that when highlighting through a parser of signs, they are divided into static and dynamic. 10. The method according to p. 1, characterized in that the dynamic data include readings of the accelerometer and / or gyroscope, and / or light sensor, and / or magnetic field sensor, and / or motion sensor, and / or distance sensor, and / or rotation sensor. 11. A system for identifying an emulated mobile operating system using machine learning methods, comprising: • at least one mobile user communication device on which a mobile application is installed, configured to • data collection; • directing the received data from the user's mobile communication device to at least one server; • at least one server configured to • extracting the received data from the mobile communication device of the user by means of a parser, the data containing the collected features, in accordance with the name of the fields; • directions by the parser of the selected features to the trained statistical data model containing groups of features that include a group of statistical features, including the presence of a Bluetooth module and the presence of a Vibracall module (vibrating alert) in the user's mobile communication device, dynamic signs, including the readings of the accelerometer, gyroscope, light sensor , linear acceleration sensor, battery level, magnetic field sensor readings, motion sensor readings, distance sensor readings, while anija rotation sensor, user metrics file metrics and the modified metrics which include a set of tokens in the mobile communication device user parameters; • making a decision by means of a trained statistical data model, a mobile application is installed on a real device or an emulated mobile operating system.

Images