TW201805803A - Method of dynamically and statically detecting mobile application wherein dynamic detection and static detection approaches are used in sync - Google Patents
- Publication number: TW201805803A (application TW105124839A)
- Authority: TW (Taiwan)
- Prior art keywords: clue, security, static, malicious, static analysis
Description
The present invention relates to a computer program and a method combining it, and more particularly to a method for detecting a mobile application both dynamically and statically.
Loading (including transmitting, downloading, copying or writing) mobile applications for use has not only become an indispensable part of modern life but is also gradually becoming part of every enterprise's operations; with the emergence of cloud computing in particular, organizations need to raise their security level to accommodate this major shift. A cloud computing architecture lets applications, and loaded mobile applications in particular, be used immediately, a trend that gives enterprises great flexibility in their use of information technology. With that convenience, however, comes a general lack of transparency in the components and use of loaded mobile applications, which leads to security problems of varying severity and presents a challenge for mobile risk management.
In the information security industry, many have sought solutions to the above problems, working mainly on building a test platform for mobile applications (such as apps) that tests and protects them: an engineering method of systematic testing is applied to the application's structure, tests and reviews are designed, and certificates are issued. This integrates and introduces security and quality control and gives mobile application development and management a basis to follow.
However, the current testing methods divide into source-code testing and testing without source code. They can trace whether the original development was malicious or negligent, such that a wrong library was misused or activity unknown to the user was hidden at development time. The detection of the great majority of mobile applications (such as apps) suffers from a very serious problem: the so-called "security" issues and malicious patterns are all accumulated from "experience" and shared know-how, and the actual malicious patterns or rules in the "real world" far exceed what testing can actually cover. In other words, accuracy is under strain and needs improvement.
Taiwan invention patent I541669 proposed a detection system and method for statically testing an application, and a computer program product, in which an extractor of the detection system extracts at least one module header bytecode, at least one module program code and a usage permission file from a compiled and encrypted application under test; a disassembler and decryptor of the detection system disassembles and decrypts the compiled and encrypted module header bytecode, module program code and usage permission file; a verifier of the detection system analyzes the disassembled and decrypted usage permission file, module program code and module header bytecode to judge whether improper operations are performed on the smart device; and the verifier produces a detection report from the result of that judgment.
However, that prior art only provides "static detection" of the application and offers no better solution for the application's "dynamic state at run time".
In view of the problems of the prior art, the inventor considers that an improved technique is needed, one that can audit and detect both dynamically and statically. For this purpose a method of detecting a mobile application both dynamically and statically is designed: dynamic monitoring and static detection are used in combination to determine whether the mobile application's source code had malicious code implanted during development, or negligently leaks data at run time, so as to interpret the security findings of mobile application detection more accurately and to produce a parameter-correction model whose accuracy converges on its own. The model is described as follows: the present invention relates to a method of detecting a mobile application both dynamically and statically, implemented by a detection system selected from a computer or a handheld electronic device, comprising at least the following steps: an application loaded onto the computer or handheld electronic device undergoes queued static analysis, which together with dynamic analysis forms a two-path comparative detection; and the information gathered from the security patterns of static analysis is fed back into the static-analysis security data, forming a looping, self-correcting comparison and detection path.
The method comprises at least the following steps. Step A: load the application under test. Step B: static analysis work queue: queue the applications and deliver them to the static analysis engines of steps C and D, which prepare to perform static analysis. Step C: static analysis with static analysis engine A: receive the work assigned by the queue of step B and perform static analysis. Step D: static analysis with static analysis engine B: receive the work assigned by the queue of step B and perform static analysis. Step H: static-analysis security clue rule set A: receive the results of engine A's disassembly and rule matching from step C and form the security clue rule set of the static analysis results. Step I: static-analysis security clue rule set B: receive the results of engine B's disassembly and rule matching from step D and form the security clue rule set of the static analysis results. Step J: security pattern collection: receive the clues from the analysis results of steps H and I and compare them. Step K: common security clues: receive from the security pattern collection of step J the clues lying in the intersection of matching malicious patterns and program source locations, and (1) tentatively interpret the malicious pattern as a common security clue, which can establish that the app under test carries that malicious pattern or several; (2) at the same time merge the common security clues with the auxiliary security clues of step L as the basis for confirming or publishing the malicious pattern: if the common security clue shows the malicious pattern and the pattern also appears in the auxiliary security clues of dynamic detection step L, the clue is the primary form of the malicious pattern and is regarded as a reliable security clue; if the common security clue shows the malicious pattern but the pattern does not appear in the auxiliary security clues of step L, the malicious pattern is classified as a correction pattern and is neither published nor confirmed; if the common security clue does not show the malicious pattern but the pattern appears in the auxiliary security clues of step L, the malicious pattern is classified into the rules of confirmed patterns and is published as a detection confirmation only after a blind test. Step M: trusted result of mobile application security detection: receive the comparison of the common security clues of step K with the auxiliary security clues of step L, perform the three-way comparison described under step K, confirm its reliability and then decide. Step N: non-common clues: receive from the security pattern collection of step J the clues in the union of data where a malicious pattern matched but engines A and B had no intersection, together with the union of program source locations, and compare them. Step O: clue geometry interpretation: receive the non-common clues of step N and interpret the data-geometry (Data Geo) distance of the clue data; a clue whose geometry deviates from the non-common clue patterns of step N is added to the rule set (O1) and the static-analysis security clue rule set of the static analysis engine is updated (O5), completing an automatic clue update cycle; a clue whose geometry is close to the non-common clue patterns of step N is removed by retrieval against the rule set (O4) and the static-analysis security clue rule set of the static analysis engine is updated (O5), completing an automatic clue update cycle. Step E: dynamic emulator analysis engine: build an emulation environment, receive the application from step A, execute it in the emulation environment and hook the channels in the emulator to observe the information or device data disclosed at run time. Step G: dynamic-analysis security clue set: the dynamic emulation yields the auxiliary security clues of step L, which assist as the dynamic-analysis security clue set and whose interpretation has been confirmed.
Figure 1 is a flowchart of the present invention.
The contents, features and embodiments of the present invention are described below with the aid of the drawings so that the examiners may gain a further understanding of the present invention.
The steps of the present invention are implemented by a detection system selected from a computer or a handheld electronic device (such as, but not limited to, a mobile phone or a tablet computer); please refer to Figure 1:
Step A: Load the application under test:
An APK application for the Android operating system or an IPA application for the iOS operating system (collectively, the application) is loaded (for example, but not limited to, by transmitting, downloading, copying or writing) into the work area under test or into a specific storage area of the server, where it waits for the other steps to perform the subsequent test analysis.
Step B: Static analysis work queue:
The aforementioned applications are listed as work to be tested, queued, and sent to the static analysis engines of steps C and D, which prepare to perform static analysis. The static analysis work queue may be a first-in, first-out queue (Sequence), in which an application such as an APK or IPA sent to the queue is dispatched for testing in order of arrival, or another queuing mode defined as a time queue, in which an arriving APK or IPA application is tagged with a time stamp and dispatched for testing by "appointment" according to that tag.
Step C: Static analysis with static analysis engine A:
Receive the work assigned by the static analysis work queue of step B and perform static analysis as follows: (1) a defined detection rule (RULE) A stands for a series of checks on the header and testing code of the original program content; (2) the file is defined to be taken apart, whether by disassembly or by calling testing code; (3) the content of the disassembled file is searched for places that satisfy the rules, and a match query is run to establish malicious patterns. Static analysis engine A is triggered for execution as a service or as an executable tool, and its rules must be developed in isolation from static analysis engine B, as naturally derived test rules and methods that arise under natural development without deliberate imitation.
Step D: Static analysis with static analysis engine B:
Receive the work assigned by the static analysis work queue of step B and perform static analysis as follows: (1) a defined detection rule (RULE) A stands for a series of checks on the header and testing code of the original program content; (2) the file is defined to be taken apart, whether by disassembly or by calling testing code; (3) the content of the disassembled file is searched for places that satisfy the rules, and a match query is run to establish malicious patterns. Static analysis engine B is triggered for execution as a service or as an executable tool, and its rules must be developed in isolation from static analysis engine A, as naturally derived test rules and methods that arise under natural development without deliberate imitation. That is, the analysis methods, rules and conditions of static analysis engines A and B are developed separately and each is an independent analysis engine, which serves as an important basis for comparison when malicious clues are later screened and filtered.
Step H: Static-analysis security clue rule set A:
Receive the results of engine A's disassembly and rule matching from step C and form the security clue rule set of the static analysis results; the set may be in file or database format and holds the data and information corresponding to each clearly matched single security clue.
The security clue rule set of static-analysis security clue rule set A is also called the malicious pattern (MalPattern); the malicious pattern is stored as an index for digital forensics but is not yet published as security evidence.
Step I: Static-analysis security clue rule set B:
Receive the results of engine B's disassembly and rule matching from step D and form the security clue rule set of the static analysis results; the set may be in file or database format and holds the data and information corresponding to each clearly matched single security clue.
The security clue rule set of static-analysis security clue rule set B is also called the malicious pattern (MalPattern); the malicious pattern is stored as an index for digital forensics but is not yet published as security evidence.
Step J: Security pattern collection:
Receive the clues from the analysis results of steps H and I and perform the following comparison: (1) the intersection of matching malicious patterns and program source locations, that is, static analysis engine A and static analysis engine B detected the same security problem at the same location using different rules; (2) where the malicious patterns do not match, the clues on which static-analysis security clue rule sets A and B disagree are stored separately in file or database format and marked with the original test rule, the location where the program matched the rule, the program name, the file template and so on, including but not limited to the foregoing, as sufficient information for subsequent comparison and interpretation.
Step K: Common security clues:
Receive from the security pattern collection of step J the clues lying in the intersection of matching malicious patterns and program source locations, and perform the following: (1) tentatively interpret the malicious pattern as a common security clue, which can establish that the app under test carries that malicious pattern or several; (2) at the same time merge the common security clues with the auxiliary security clues of step L as the basis for confirming or publishing the malicious pattern: if the common security clue shows the malicious pattern and the pattern also appears in the auxiliary security clues of dynamic detection step L, the clue is the primary form of the malicious pattern and is regarded as a reliable security clue; if the common security clue shows the malicious pattern but the pattern does not appear in the auxiliary security clues of step L, the malicious pattern is classified as a correction pattern and is neither published nor confirmed; if the common security clue does not show the malicious pattern but the pattern appears in the auxiliary security clues of step L, the malicious pattern is classified into the rules of confirmed patterns and is published as a detection confirmation only after a blind test.
Step M: Trusted result of mobile application security detection:
Receive the comparison of the common security clues of step K with the auxiliary security clues of step L, perform the three-way comparison described under step K, confirm its reliability and then decide.
Step N: Non-common clues:
Receive from the security pattern collection of step J the clues in the union of data where a malicious pattern matched but engines A and B had no intersection, together with the union of program source locations, and perform the following comparison: (1) tentatively interpret the malicious pattern as a non-security clue, which for now cannot establish that the app under test carries that malicious pattern or several; (2) the system collates the data of this union of malicious clues and marks the original test rule, the location where the program matched the rule, the program name, the file template and so on, including but not limited to the foregoing, as sufficient information for subsequent comparison and interpretation.
Step O: Clue geometry interpretation:
Receive the non-common clues of step N and interpret the data-geometry (Data Geo) distance of the clue data as follows: (1) a non-common clue produced by static analysis engine A or B is defined as X; if X appears repeatedly in different analysis engines across different APK or IPA tests (at least 20 different apps in total), the clue may be classified as a pattern for use in query detection; (2) a non-common clue produced by static analysis engine A or B is defined as X; if X appears repeatedly in the same analysis engine across different APK or IPA tests (at least 20 different apps in total), the clue may be confirmed as a new malicious pattern after a blind test.
A clue whose interpreted geometry deviates from the non-common clue patterns of step N is added to the rule set (O1), and the step of updating the static-analysis security clue rules of the static analysis engine (O5) is performed, completing an automatic clue update cycle; a clue whose interpreted geometry is close to the non-common clue patterns of step N is removed by retrieval against the rule set (O4), and the step of updating the static-analysis security clue rules of the static analysis engine (O5) is performed, completing an automatic clue update cycle.
Step E: Dynamic emulator analysis engine:
Build an emulation environment, receive the APK or IPA application from step A, execute it in the emulation environment and hook the channels in the emulator to observe what information or device data an APK or IPA application discloses at run time.
The dynamic emulator is supplemented by a step F, a dynamic emulation compression technique, which simulates the results of running for a period of time or of millions of executions in order to confirm a Trojan or malicious program in the app.
Step G: Dynamic-analysis security clue set:
The dynamic emulation yields the auxiliary security clues of step L, which assist as the dynamic-analysis security clue set and whose interpretation has been confirmed.
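The clue correlation of steps J, K, M, N and O, written out as an added worked example that is not code from the patent: the Clue data model, the function names, the sample clues and the app identifiers are assumptions, and the Data Geo distance comparison of step O is represented only by its recurrence rules (1) and (2), on a constructed set of engine A, engine B and dynamic (step L) findings.

```python
"""Clue correlation for the two static engines plus the dynamic engine (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Set, Tuple

MIN_DISTINCT_APPS = 20  # step O: "at least 20 different apps"


@dataclass(frozen=True)
class Clue:
    """One rule hit: a MalPattern matched at a program location (assumed fields)."""
    pattern: str   # MalPattern identifier, e.g. "exfil_contacts_http"
    location: str  # where the rule matched, e.g. "com/x/Sync.smali:118"


def common_clues(engine_a: Set[Clue], engine_b: Set[Clue]) -> Set[Clue]:
    """Step J(1)/K: both engines flag the same pattern at the same location."""
    return engine_a & engine_b


def non_common_clues(engine_a: Set[Clue], engine_b: Set[Clue]) -> Set[Clue]:
    """Step N: union of both engines' hits minus their intersection."""
    return (engine_a | engine_b) - (engine_a & engine_b)


def classify_common(common: Set[Clue],
                    dynamic_patterns: Set[str]) -> Dict[str, Set[str]]:
    """Step K(2)/M: cross-check common static clues against dynamic (step L) clues.
    reliable = static AND dynamic (publishable); correction = static only (held back);
    pending_blind_test = dynamic only (candidate rule, blind test first)."""
    static_patterns = {c.pattern for c in common}
    return {
        "reliable": static_patterns & dynamic_patterns,
        "correction": static_patterns - dynamic_patterns,
        "pending_blind_test": dynamic_patterns - static_patterns,
    }


class NonCommonClueTracker:
    """Step O(1)/(2): how a non-common clue X recurs across apps and engines."""

    def __init__(self) -> None:
        # pattern -> set of (app_id, engine) observations
        self._seen: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)

    def record(self, app_id: str, engine: str, clues: Set[Clue]) -> None:
        for c in clues:
            self._seen[c.pattern].add((app_id, engine))

    def evaluate(self, pattern: str) -> str:
        obs = self._seen.get(pattern, set())
        apps = {app for app, _ in obs}
        if len(apps) < MIN_DISTINCT_APPS:
            return "insufficient"          # too few apps: no decision yet
        engines = {eng for _, eng in obs}
        if len(engines) > 1:
            return "query_pattern"         # O(1): recurs in different engines
        return "blind_test_candidate"      # O(2): recurs in one engine only


def analyze_app(app_id: str, engine_a: Set[Clue], engine_b: Set[Clue],
                dynamic_patterns: Set[str],
                tracker: NonCommonClueTracker) -> Dict[str, object]:
    """One pass of steps J, K, M and N for a single app under test."""
    common = common_clues(engine_a, engine_b)
    non_common = non_common_clues(engine_a, engine_b)
    # Step N(2): keep which engine produced each non-common clue
    tracker.record(app_id, "A", non_common & engine_a)
    tracker.record(app_id, "B", non_common & engine_b)
    verdict: Dict[str, object] = dict(classify_common(common, dynamic_patterns))
    verdict["non_common"] = {c.pattern for c in non_common}
    return verdict


def demo() -> Dict[str, object]:
    """Constructed sample run; the clues and app ids are made up for this example."""
    tracker = NonCommonClueTracker()
    a = {Clue("exfil_contacts_http", "com/x/Sync.smali:118"),
         Clue("sms_send_hidden", "com/x/Bill.smali:40"),
         Clue("weak_random", "com/x/Tok.smali:9")}
    b = {Clue("exfil_contacts_http", "com/x/Sync.smali:118"),
         Clue("sms_send_hidden", "com/x/Bill.smali:40"),
         Clue("plain_http_login", "com/x/Net.smali:77")}
    dynamic = {"exfil_contacts_http", "root_check_bypass"}   # step L clues
    verdict = analyze_app("app-0001", a, b, dynamic, tracker)
    # Simulate "weak_random" recurring from engine A in 19 more constructed apps
    for i in range(2, 21):
        tracker.record(f"app-{i:04d}", "A", {Clue("weak_random", f"loc{i}")})
    verdict["weak_random_status"] = tracker.evaluate("weak_random")
    verdict["plain_http_login_status"] = tracker.evaluate("plain_http_login")
    return verdict
```

Note that a pattern counts as common only when both engines report it at the same location; the same pattern at two different locations is treated as two non-common clues, which is what step J(1) requires.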
The present invention constructs a self-correcting test model: through the operation of the model system and the results of each module, malicious patterns or rules are retrieved and corrected in every detection run, producing automatically corrected and added rules, so that once the model has operated for some time a mechanism arises by which accuracy gradually converges and the rules gradually increase.
Through the system construction of the present invention, the model can be extended to other development test systems as a self-correction mechanism and as a standardized process; the operation of the model of the present invention is an automated, cyclic process. The present invention is indeed industrially applicable, has not appeared in publications or public use before this application, is not known to the public, is non-obvious and meets the requirements for patentability, and a patent application is therefore filed in accordance with the law.
The above is a preferred embodiment of the present invention in industry; all equivalent variations made within the scope of the claims of the present invention fall within the scope claimed in this case.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105124839A TW201805803A (en) | 2016-08-04 | 2016-08-04 | Method of dynamically and statically detecting mobile application wherein dynamic detection and static detection approaches are used in sync |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW105124839A TW201805803A (en) | 2016-08-04 | 2016-08-04 | Method of dynamically and statically detecting mobile application wherein dynamic detection and static detection approaches are used in sync |
Publications (1)
Publication Number | Publication Date |
---|---|
TW201805803A true TW201805803A (en) | 2018-02-16 |
Family
ID=62014347
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW105124839A TW201805803A (en) | 2016-08-04 | 2016-08-04 | Method of dynamically and statically detecting mobile application wherein dynamic detection and static detection approaches are used in sync |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW201805803A (en) |