TW201805803A - Method of dynamically and statically detecting mobile application wherein dynamic detection and static detection approaches are used in sync - Google Patents


Info

Publication number: TW201805803A
Application number: TW105124839A
Authority: TW (Taiwan)
Prior art keywords: clue, security, static, malicious, static analysis
Other languages: Chinese (zh)
Inventor: 王明賢
Original Assignee: 青島天龍安全科技有限公司, 王明賢

Abstract

The invention relates to a method of dynamically and statically detecting mobile applications. The method performs security checks on mobile applications obtained through the usual load functions (e.g., downloading, copying or writing). More specifically, the invention runs dynamic detection and two independent static detection approaches in sync. The invention also implements automatic self-correction so that the detection model's precision converges, including corrections to detection clue generation, comparison, common clue assembly, scenario determination, and clue geometry and variation, to achieve an effective detection method.

Description

Method of dynamically and statically detecting mobile applications

The present invention relates to a computer program and a method combined with it, and in particular to a method that detects mobile applications both dynamically and statically.

Loading (including transmitting, downloading, copying or writing) mobile applications for use has not only become an indispensable part of modern life, but is also increasingly part of every enterprise's operations. In particular, with the emergence of cloud computing, organizations need to raise their security level to adapt to this major shift. Cloud computing architectures allow applications, and especially loaded mobile applications, to be used immediately, a trend that gives enterprises great flexibility in how they use information technology. This convenience, however, comes with a general lack of transparency in the components and use of loaded mobile applications, which leads to security problems of varying severity and poses a challenge for mobile risk management.

Many in the information security industry are seeking solutions to the problems above, chiefly by building a verification platform for mobile applications (such as apps) that tests and protects them: applying a systematic engineering method to the structure of an application, designing tests and reviews, and issuing certification. This integrates and introduces security and quality control, and gives mobile application development and management a basis to follow.

However, current testing methods fall into two kinds, source code detection and detection without source code. Either can trace back to whether the original development was malicious or negligent, such that a wrong library was misused during development or activities the user is unaware of were hidden. The detection of the vast majority of mobile applications (such as apps) suffers from a serious problem: the so-called "security" issues and malicious patterns are all derived from accumulated "experience" and shared techniques, while the malicious patterns or rules that actually occur in the "real world" far exceed what testing can in practice cover. In other words, accuracy is being put to the test and needs improvement.

Taiwan invention patent I541669 proposed a detection system and method for statically detecting applications, and a computer program product. An extractor of the detection system extracts at least one module header bytecode, at least one module program code, and one permission file from a compiled and encrypted application under test; a disassembler and decrypter of the detection system disassembles and decrypts the compiled and encrypted module header bytecode, module program code, and permission file; a verifier of the detection system analyzes the disassembled and decrypted permission file, module program code, and module header bytecode to determine whether improper operations are performed on the smart device; and the verifier produces a detection report based on the result of that determination.

That prior art, however, provides only "static detection" of an application and proposes no better solution for the application's "dynamic state at runtime".

In view of the problems of the prior art, the present inventor considers that an improved technique is needed which audits and detects both dynamically and statically. To this end, a method of dynamically and statically detecting mobile applications is designed which combines dynamic monitoring and static detection of whether a mobile application's source code had malicious code implanted during development, or whether negligence causes data leakage at runtime, so as to interpret more precisely the security concerns found when detecting mobile applications, and which produces a parameter correction model whose precision converges on its own. The model is described as follows. The present invention relates to a method of dynamically and statically detecting mobile applications, implemented by a detection system selected from a computer or a handheld electronic device, comprising at least the following steps: performing static retention analysis on an application loaded into the computer or handheld electronic device, and forming a comparative detection along two paths together with dynamic analysis; and feeding the information gathered by the security pattern collection of the static analysis back into the static analysis security data, forming a looping, self-correcting path of comparative detection.

The method comprises at least the following steps:
Step A: load the application under test.
Step B: static analysis work queue: queue the application and dispatch it to the static analysis engines of steps C and D, which prepare to perform static analysis.
Step C: static analysis with static analysis engine A: receive the job assigned by the work queue of step B and perform static analysis.
Step D: static analysis with static analysis engine B: receive the job assigned by the work queue of step B and perform static analysis.
Step H: static analysis security clue rule set A: receive from step C the results of static analysis engine A's disassembly and rule matching and form the security clue rule set of the static analysis results.
Step I: static analysis security clue rule set B: receive from step D the results of static analysis engine B's disassembly and rule matching and form the security clue rule set of the static analysis results.
Step J: security pattern collection: receive the clues from the analysis results of steps H and I and compare them.
Step K: common security clues: receive from step J the clues forming the intersection of matching malicious patterns and program locations, and perform the following: (1) tentatively interpret the malicious pattern as a common security clue, which may establish that the application under test has that malicious pattern or several of them; (2) at the same time merge the common security clues with the auxiliary security clues of step L as the basis for confirming or publishing the malicious pattern: if the common security clues show a malicious pattern and that pattern also appears in the auxiliary security clues of dynamic detection step L, the clue is the main pattern of the malicious pattern and may be treated as a reliable security clue; if the common security clues show a malicious pattern but it does not appear in the auxiliary security clues of step L, the pattern is classified as a corrective pattern but is neither published nor confirmed; if the common security clues do not show a malicious pattern but it appears in the auxiliary security clues of step L, the pattern is classified into the confirmed pattern rules and is published as a confirmed detection only after a blind test.
Step M: trusted result of mobile application security detection: receive the result of comparing the common security clues of step K with the auxiliary security clues of step L, carry out the comparison of the three cases described under step K, confirm their reliability, and then decide.
Step N: non-common clues: receive from step J the clues whose malicious patterns matched but for which static analysis engines A and B produced no intersection, namely the union of the data and of the program locations, and compare them.
Step O: clue geometry interpretation: receive the non-common clues of step N and interpret the data geometry (Data Geo) distance of the clues. A clue whose geometry deviates from the non-common clue patterns of step N is added to the rule set (O1), and the static analysis security clue rule set of the static analysis engine is updated (O5), completing an automatic clue update cycle; a clue whose geometry is close to the non-common clue patterns of step N is removed by the retrieval rule set (O4), and the static analysis security clue rule set of the static analysis engine is updated (O5), completing an automatic clue update cycle.
Step E: dynamic simulator analysis engine: set up a simulated environment, receive the application from step A, execute it in the simulated environment, and hook the channels in the simulator to observe the information or device data disclosed at runtime.
Step G: dynamic analysis security clue set: the dynamic simulation produces the auxiliary security clues of step L, which can assist as the dynamic analysis security clue set, with interpretation results already confirmed.

Figure 1 is a flowchart of the present invention.

The contents, features and embodiments of the present invention are described below with the aid of the drawings, so that the examiners may gain a further understanding of the invention.

The steps of the present invention are implemented by a detection system selected from a computer or a handheld electronic device (such as, but not limited to, a mobile phone or a tablet computer); please refer to Figure 1:

Step A: Load the application under test:

An APK application for the Android operating system, or an IPA application for the iOS operating system (collectively, the application), is loaded (for example, but not limited to, by transmitting, downloading, copying or writing) into the work area under test or into a specific storage area of a server, where it awaits the subsequent verification and analysis work of the other steps.

Step B: Static analysis work queue:

The aforementioned applications are listed as jobs to be tested and are queued and dispatched to the static analysis engines of steps C and D, which prepare to perform static analysis. The static analysis work queue may be a first-in-first-out queue (Sequence), in which an application such as an APK or IPA submitted to the queue is dispatched for inspection in order of arrival, or another queuing mode, defined here as the time queue, in which each submitted APK or IPA application is tagged with a time stamp (Time Stamp) and dispatched for inspection by "appointment" according to that time stamp.

Step C: Static analysis with static analysis engine A:

Receive the job assigned by the static analysis work queue of step B and perform static analysis, carried out as follows: (1) a detection rule (RULE) A is defined, representing a series of headers (Header) and testing codes (Testing Code) for examining the content of the original program; (2) file disassembly is defined, using either decompilation or invocation of testing code (Testing Code); (3) the content of the disassembled files is searched for places matching the rules, and a match query (Match Query) is performed to establish the malicious pattern. Static analysis engine A is triggered for execution as a service or an executable tool, and its rule development must be isolated from that of static analysis engine B so that verification rules and methods evolve naturally, producing, under natural development, verification rules that do not deliberately imitate each other.

Step D: Static analysis with static analysis engine B:

Receive the job assigned by the static analysis work queue of step B and perform static analysis, carried out as follows: (1) a detection rule (RULE) A is defined, representing a series of headers (Header) and testing codes (Testing Code) for examining the content of the original program; (2) file disassembly is defined, using either decompilation or invocation of testing code (Testing Code); (3) the content of the disassembled files is searched for places matching the rules, and a match query (Match Query) is performed to establish the malicious pattern. Static analysis engine B is triggered for execution as a service or an executable tool, and its rule development must be isolated from that of static analysis engine A so that verification rules and methods evolve naturally, producing, under natural development, verification rules that do not deliberately imitate each other. That is, the analysis methods, rules and conditions of static analysis engines A and B are developed separately, and each is an independent analysis engine, which serves as an important basis for comparison in the subsequent screening and filtering of malicious clues.

Step H: Static analysis security clue rule set A:

Receive from step C the results of static analysis engine A's disassembly and rule matching and form the security clue rule set of the static analysis results. The set may be in file format or database format and holds, for each single security clue, the corresponding data and information of an unambiguous match.

The security clue rule set of static analysis security clue rule set A is also called the malicious pattern (MalPattern). The malicious pattern is stored as an index needed for digital forensics but is not yet published for use as security evidence.

Step I: Static analysis security clue rule set B:

Receive from step D the results of static analysis engine B's disassembly and rule matching and form the security clue rule set of the static analysis results. The set may be in file format or database format and holds, for each single security clue, the corresponding data and information of an unambiguous match.

The security clue rule set of static analysis security clue rule set B is also called the malicious pattern (MalPattern). The malicious pattern is stored as an index needed for digital forensics but is not yet published for use as security evidence.

Step J: Security pattern collection:

Receive the clues from the analysis results of steps H and I and perform the following comparisons: (1) the intersection of matching malicious patterns and program locations, that is, static analysis engine A and static analysis engine B, using different rules, both detect the same security problem at the same location; (2) when the malicious patterns do not match, the clues on which static analysis security clue rule sets A and B disagree are stored separately in file or database format, annotated with the original verification rule, the location in the program that matched the rule, the program name, the file template and so on, including but not limited to the foregoing, as sufficient information for subsequent comparison and interpretation.

Step K: Common security clues:

Receive from step J the clues forming the intersection of matching malicious patterns and program locations in the security pattern collection result, and perform the following: (1) tentatively interpret the malicious pattern as a common security clue, which may establish that the application under test has that malicious pattern or several of them; (2) at the same time merge the common security clues with the auxiliary security clues of step L as the basis for confirming or publishing the malicious pattern: if the common security clues show a malicious pattern and that pattern also appears in the auxiliary security clues of dynamic detection step L, the clue is the main pattern of the malicious pattern and may be treated as a reliable security clue; if the common security clues show a malicious pattern but it does not appear in the auxiliary security clues of step L, the pattern is classified as a corrective pattern but is neither published nor confirmed; if the common security clues do not show a malicious pattern but it appears in the auxiliary security clues of step L, the pattern is classified into the confirmed pattern rules and is published as a confirmed detection only after a blind test.

Step M: Trusted result of mobile application security detection:

Receive the result of comparing the common security clues of step K with the auxiliary security clues of step L, carry out the comparison of the three cases described under step K, confirm their reliability, and then decide.

Step N: Non-common clues:

Receive from step J the clues whose malicious patterns matched but for which static analysis engines A and B produced no intersection, namely the union of the data and of the program locations, and perform the following comparison: (1) tentatively interpret the malicious pattern as a non-security clue; for the time being the clue cannot establish that the application under test has that malicious pattern or several of them; (2) the system collates the union of these malicious clues and annotates each with the original verification rule, the location in the program that matched the rule, the program name, the file template and so on, including but not limited to the foregoing, as sufficient information for subsequent comparison and interpretation.

Step O: Clue geometry interpretation:

Receive the non-common clues from step N and interpret the data geometry (Data Geo) distance of the clues, as follows: (1) a given non-common clue produced by static analysis engine A or B, defined as X: if X recurs in different APK or IPA tests (at least 20 different apps in total) across different analysis engines, the clue may be adopted as a pattern for query detection; (2) a given non-common clue produced by static analysis engine A or B, defined as X: if X recurs in different APK or IPA tests (at least 20 different apps in total) within the same analysis engine, the clue may be confirmed as a new malicious pattern after a blind test.

A clue whose geometry deviates from the non-common clue patterns of step N is added to the rule set (O1), and the step (O5) of updating the static analysis security clue rules of the static analysis engine is performed, completing an automatic clue update cycle; a clue whose geometry is close to the non-common clue patterns of step N is removed by the retrieval rule set (O4), and the step (O5) of updating the static analysis security clue rules of the static analysis engine is performed, completing an automatic clue update cycle.

Step E: Dynamic simulator analysis engine:

Set up a simulated environment, receive the APK or IPA application from step A, execute it in the simulated environment, and hook the channels in the simulator to observe what information or device data the APK or IPA application discloses at runtime.

The dynamic simulator is supplemented by a step F, dynamic simulation compression, which simulates the results of running for an extended period or of millions of executions in order to confirm Trojans or malicious programs in the app.

Step G: Dynamic analysis security clue set:

The dynamic simulation produces the auxiliary security clues of step L, which can assist as the dynamic analysis security clue set, with interpretation results already confirmed.
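As an added illustration (not code from the patent or its assignee), the following Python models steps J, K, M, N and O described above: the intersection and symmetric difference of the two static engines' clues, the three step-K outcomes against the dynamic clues of step L, and the 20-app recurrence rule of step O. The engine names, clue fields, sample findings and the blind-test input are constructed assumptions, and the patent's "Data Geo distance" is reduced here to counting distinct apps per engine.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# A static clue is a (MalPattern id, program location) pair. Step J treats a finding as
# "common" only when engines A and B flag the same problem at the same location.
Clue = Tuple[str, str]

# Step K outcomes for a pattern. Only RELIABLE may be published at once;
# CONFIRMED is published only after a blind test; CORRECTIVE is stored, not published.
RELIABLE = "reliable"                      # in A, in B and in the dynamic clues (step L)
CORRECTIVE = "corrective"                  # in A and B, not seen dynamically
CONFIRMED = "confirmed_after_blind_test"   # seen dynamically, not in the common clues

MIN_APPS = 20  # step O: a non-common clue X must recur in at least 20 different apps


@dataclass
class StepJResult:
    common: Set[Clue] = field(default_factory=set)      # A ∩ B, fed to step K
    non_common: Set[Clue] = field(default_factory=set)  # (A ∪ B) minus A ∩ B, fed to step N


def collect_security_patterns(engine_a: Iterable[Clue], engine_b: Iterable[Clue]) -> StepJResult:
    """Step J: intersect the two independent static engines on (pattern, location)."""
    a, b = set(engine_a), set(engine_b)
    return StepJResult(common=a & b, non_common=a ^ b)


def classify_common_clues(common: Set[Clue], dynamic_clues: Set[str]) -> Dict[str, str]:
    """Step K: confirm each common static pattern against the dynamic (step L) clues."""
    static_patterns = {pattern for pattern, _location in common}
    verdict: Dict[str, str] = {}
    for pattern in static_patterns:
        verdict[pattern] = RELIABLE if pattern in dynamic_clues else CORRECTIVE
    for pattern in dynamic_clues - static_patterns:
        verdict[pattern] = CONFIRMED   # needs a blind test before release
    return verdict


def trusted_result(verdict: Dict[str, str], blind_test_passed: Set[str]) -> List[str]:
    """Step M: the patterns the system may publish for this app."""
    return sorted(p for p, v in verdict.items()
                  if v == RELIABLE or (v == CONFIRMED and p in blind_test_passed))


def interpret_clue_geometry(observations: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Step O over non-common clues collected from many apps.

    Each observation is (app_id, engine, pattern). Following rules (1) and (2):
    a pattern recurring in >= MIN_APPS distinct apps across both engines is added to
    the rule set (O1/O5); one recurring in >= MIN_APPS apps within a single engine
    becomes a blind-test candidate; anything else is removed (O4).
    """
    apps: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for app_id, engine, pattern in observations:
        apps[pattern][engine].add(app_id)
    result: Dict[str, str] = {}
    for pattern, per_engine in apps.items():
        all_apps = set().union(*per_engine.values())
        if len(per_engine) > 1 and len(all_apps) >= MIN_APPS:
            result[pattern] = "add_to_rule_set"
        elif any(len(a) >= MIN_APPS for a in per_engine.values()):
            result[pattern] = "blind_test_candidate"
        else:
            result[pattern] = "remove"
    return result


# Constructed sample findings for one app under test (pattern ids and paths are invented).
ENGINE_A_CLUES = [
    ("SMS_SEND_NO_CONSENT", "com/example/pay/Sync.smali:88"),
    ("HARDCODED_KEY", "assets/config.json"),
    ("CLEARTEXT_HTTP", "com/example/net/Http.smali:12"),
]
ENGINE_B_CLUES = [
    ("SMS_SEND_NO_CONSENT", "com/example/pay/Sync.smali:88"),
    ("HARDCODED_KEY", "assets/config.json"),
    ("CLEARTEXT_HTTP", "com/example/net/Http.smali:40"),  # same rule, other location: non-common
    ("DYNAMIC_CODE_LOAD", "com/example/Loader.smali:5"),
]
DYNAMIC_CLUES = {"SMS_SEND_NO_CONSENT", "CONTACTS_EXFIL"}   # from the simulator, step L

# Constructed step-O history: CLEARTEXT_HTTP in 25 apps across both engines,
# DYNAMIC_CODE_LOAD in 20 apps from engine B only, HARDCODED_KEY in 3 apps.
OBSERVATIONS = (
    [(f"app{i:02d}", "A", "CLEARTEXT_HTTP") for i in range(12)]
    + [(f"app{i:02d}", "B", "CLEARTEXT_HTTP") for i in range(12, 25)]
    + [(f"app{i:02d}", "B", "DYNAMIC_CODE_LOAD") for i in range(20)]
    + [(f"app{i:02d}", "A", "HARDCODED_KEY") for i in range(3)]
)

if __name__ == "__main__":
    j = collect_security_patterns(ENGINE_A_CLUES, ENGINE_B_CLUES)
    k = classify_common_clues(j.common, DYNAMIC_CLUES)
    print("step J common:", sorted(j.common))
    print("step K verdicts:", k)
    print("step M published:", trusted_result(k, blind_test_passed={"CONTACTS_EXFIL"}))
    print("step O:", interpret_clue_geometry(OBSERVATIONS))
```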

The present invention constructs a self-correcting verification model. Through the operation of the model system and the results of each module's work, malicious patterns or rules are retrieved and corrected in every detection run, producing automatically corrected and added rules; once the model has operated for some time, a mechanism emerges whereby accuracy gradually converges and the rules gradually increase.

Through the system construction of the present invention, the model can be extended to other development and verification systems as a self-correction mechanism and a standardized workflow; the model operates as an automated, cyclic process. The present invention is industrially applicable, was neither published nor publicly used before the filing, is not known to the public, and is non-obvious; it meets the requirements for patentability, and a patent application is therefore filed according to law.

The foregoing describes a preferred industrial embodiment of the present invention; all equivalent variations made in accordance with the scope of the claims of the present invention fall within the scope of the subject matter claimed herein.

Claims (12)

1. A method of dynamically and statically detecting mobile applications, implemented by a detection system selected from a computer or a handheld electronic device, comprising at least the following steps: performing static retention analysis on an application loaded into the computer or handheld electronic device, and forming a comparative detection along two paths together with dynamic analysis; and feeding the information gathered by the security pattern collection of the static analysis back into the static analysis security data, forming a looping, self-correcting path of comparative detection.

2. The method of dynamically and statically detecting mobile applications according to claim 1, wherein the further specific steps comprise: Step A: load the application under test; Step B: static analysis work queue: queue the application and dispatch it to the static analysis engines of steps C and D, which prepare to perform static analysis; Step C: static analysis with static analysis engine A: receive the job assigned by the work queue of step B and perform static analysis; Step D: static analysis with static analysis engine B: receive the job assigned by the work queue of step B and perform static analysis; Step H: static analysis security clue rule set A: receive from step C the results of static analysis engine A's disassembly and rule matching and form the security clue rule set of the static analysis results; Step I: static analysis security clue rule set B: receive from step D the results of static analysis engine B's disassembly and rule matching and form the security clue rule set of the static analysis results; Step J: security pattern collection: receive the clues from the analysis results of steps H and I and compare them; Step K: common security clues: receive from step J the clues forming the intersection of matching malicious patterns and program locations in the security pattern collection result, and perform the following: (1) tentatively interpret the malicious pattern as a common security clue, which may establish that the application under test has that malicious pattern or several of them; (2) at the same time merge the common security clues with the auxiliary security clues of step L as the basis for confirming or publishing the malicious pattern: if the common security clues show a malicious pattern and that pattern also appears in the auxiliary security clues of dynamic detection step L, the clue is the main pattern of the malicious pattern and may be treated as a reliable security clue; if the common security clues show a malicious pattern but it does not appear in the auxiliary security clues of step L, the pattern is classified as a corrective pattern but is neither published nor confirmed; if the common security clues do not show a malicious pattern but it appears in the auxiliary security clues of step L, the pattern is classified into the confirmed pattern rules and is published as a confirmed detection only after a blind test; Step M: trusted result of mobile application security detection: receive the result of comparing the common security clues of step K with the auxiliary security clues of step L, carry out the comparison of the three cases described under step K, confirm their reliability, and then decide; Step N: non-common clues: receive from step J the clues whose malicious patterns matched but for which static analysis engines A and B produced no intersection, namely the union of the data and of the program locations, and compare them; Step O: clue geometry interpretation: receive the non-common clues of step N and interpret the data geometry (Data Geo) distance of the clues; a clue whose geometry deviates from the non-common clue patterns of step N is added to the rule set (O1), and the static analysis security clue rule set of the static analysis engine is updated (O5), completing an automatic clue update cycle; a clue whose geometry is close to the non-common clue patterns of step N is removed by the retrieval rule set (O4), and the static analysis security clue rule set of the static analysis engine is updated (O5), completing an automatic clue update cycle; Step E: dynamic simulator analysis engine: set up a simulated environment, receive the application from step A, execute it in the simulated environment, and hook the channels in the simulator to observe the information or device data disclosed at runtime; Step G: dynamic analysis security clue set: the dynamic simulation produces the auxiliary security clues of step L, which can assist as the dynamic analysis security clue set, with interpretation results already confirmed.

3. The method of dynamically and statically detecting mobile applications according to claim 2, wherein the static analysis work queue of step B is a first-in-first-out queue (Sequence).
如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟B之靜態分析工作佇列,定義之為時間佇列方式,將應用程式附加標註時間標籤(Time Stamp),依照時間標籤進行預約式送檢。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the static analysis task queue of step B is defined as a time queue method, and the application is time stamped (Time Stamp ), Scheduled inspections based on time tags. 如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟C之靜態分析方式以下列之一進行:(1).被定義檢測之條規(RULE)A,代表一連串檢測原始程式內容之表頭(Header)以及測試碼(Testing Code);(2).被定義進行檔案拆解,無論使用反組譯或者呼叫測試碼(Testing Code)方式均可;(3).根據拆解檔案內容做搜尋條規符合之處,進行吻合驗測(Match Query)確定惡意樣態。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the static analysis method of step C is performed in one of the following ways: (1). Rule (A) which defines the detection (RULE) A, represents A series of headers and testing codes for testing the content of the original program; (2). It is defined for file disassembly, regardless of the way of inverse translation or calling the testing code; (3) According to the contents of the disassembled file, search for compliance with the rules and conduct a match query to determine the malicious appearance. 如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中 該步驟D之靜態分析方式以下列之一進行:(1).被定義檢測之條規(RULE)A,代表一連串檢測原始程式內容之表頭(Header)以及測試碼(Testing Code);(2).被定義進行檔案拆解,無論使用反組譯或者呼叫測試碼(Testing Code)方式均可;(3).根據拆解檔案內容做搜尋條規符合之處,進行吻合驗測(Match Query)確定惡意樣態。 The method with both dynamic and static detection mobile applications as described in item 2 of the patent application scope, wherein The static analysis method of step D is performed in one of the following ways: (1). Rule (A) (RULE) A, which is defined and tested, represents a series of headers and testing codes for testing the content of the original program; (2). . It is defined to perform file disassembly, no matter using inverse translation or calling Test Code; (3). 
According to the content of the disassembled file, search for compliance with the rules, and perform match query (Match Query) determination. Malicious appearance. 如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟H之該集合為檔案格式或者資料庫格式,並且具有單一安全線索明確吻合之對應數據與資訊。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the set of step H is a file format or a database format, and has corresponding data and information that are clearly matched by a single security clue. 如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟I之該集合為檔案格式或者資料庫格式,並且具有單一安全線索明確吻合之對應數據與資訊。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the set of step I is a file format or a database format, and has corresponding data and information that clearly match a single security clue. 如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟J之比對工作包括:(1).惡意樣態吻合及程式出處位置之交集,也就是說該靜態分析引擎A與靜態分析引擎B以不同條規但均檢測出同一位置之同一安全問題;(2).惡意樣態不吻合時,將該靜態分析安全線索條規集合A與B不吻合之線索另以檔案或資料庫格式獨立儲存,並標出原始驗測條規、該程式吻合條規之位置、以及程式名稱、檔案範本等,包含但不限於前述之足夠資訊以供後續比對判讀。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the comparison work of step J includes: (1). The intersection of malicious pattern matching and program provenance, that is, the Static analysis engine A and static analysis engine B use different rules but both detect the same security problem at the same location; (2). When the malicious behavior does not match, set the static analysis security clue rule set A and B that do not match. It is stored independently in a file or database format, and the original inspection rules, the location where the program meets the rules, and the program name, file template, etc. are included, including but not limited to the foregoing sufficient information for subsequent comparison and interpretation. 
如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟N之比對工作包括:(1).暫定判讀該惡意樣態為非安全線索,該線索暫時不可以判定受測之 應用APP有該惡意樣態或者數個以上;(2).系統將該惡意線索聯集進行數據整理,並標出原始驗測條規、該程式吻合條規之位置、以及程式名稱、檔案範本等,包含但不限於前述之足夠資訊以供後續比對判讀。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the comparison of step N includes: (1). The malicious pattern is tentatively judged as a non-security clue, and the clue is temporarily not Can be tested The application APP has the malicious appearance or more than one; (2). The system collates the malicious clues to organize the data, and marks the original inspection rules, the location where the program meets the rules, and the program name, file template, etc. Contains but is not limited to the foregoing sufficient information for subsequent comparison and interpretation. 如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟O之判讀為:(1).該靜態分析引擎A或B所產生之某一非共同線索,定義為X,當X如果在不同APK或IPA測試中(至少是不同的APP共20個以上)於不同分析引擎中重複出現,則該線索將可被歸入作為樣態作為查詢檢測之用;(2).該靜態分析引擎A或B所產生之某一非共同線索,定義為X,當X如果在不同APK或IPA測試中(至少是不同的APP共20個以上)於同一分析引擎中重複出現,則該線索將可被進行盲測後確認為新的惡意樣態。 As described in item 2 of the scope of the patent application, the method with both dynamic and static detection mobile applications, wherein the interpretation of step O is: (1). A non-common clue generated by the static analysis engine A or B, defined For X, if X repeatedly appears in different analysis engines in different APK or IPA tests (at least 20 different APPs in total), the clue will be classified as a pattern for query detection; ( 2). A non-common clue generated by the static analysis engine A or B is defined as X. When X is tested in different APKs or IPA (at least 20 different apps in total), it is repeated in the same analysis engine. If it appears, the clue can be blindly confirmed as a new malicious appearance. 
如申請專利範圍第2項所述之兼具動靜態檢測行動應用程式之方法,其中該步驟E之後加一步驟F動態模擬壓縮技術,以模擬執行一段時日或者數百萬次執行結果,以確認該應用程式是否被植入惡意程式。 As described in item 2 of the scope of the patent application, a method with both dynamic and static detection mobile applications, wherein step E is followed by a step F dynamic simulation compression technology to simulate the execution result for a period of time or millions of times, Check if the application is infected with malicious programs.
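The clue comparison of Steps J, K and O (claims 2, 9, 10 and 11) as a small Python model; this is an added example, not code from the patent or its applicant. All engine findings, pattern names, locations and the history table are constructed, and "location" is assumed to identify the program source position the claims refer to.

```python
# Added example (not the patent's own code) modelling the clue comparison of
# Steps J, K and O. All findings below are constructed sample data.

# Each static engine reports (malicious pattern, program source location).
ENGINE_A = {("sms_send", "com/x/Pay.smali:120"), ("root_check", "lib/a.so:0x4c0"),
            ("hidden_icon", "AndroidManifest.xml:activity")}
ENGINE_B = {("sms_send", "com/x/Pay.smali:120"), ("root_check", "lib/a.so:0x4c0"),
            ("dyn_load", "com/x/Loader.smali:33")}
# Patterns observed by the dynamic emulator (auxiliary clues of Step L).
DYNAMIC = {"sms_send", "dyn_load"}


def collect(a, b):
    """Step J: common clues are the intersection on (pattern, location);
    the remainder of the union is kept as non-common clues for Step O."""
    common = a & b
    return common, (a | b) - common


def confirm(common, dynamic):
    """Step K: the three outcomes for a common pattern against the dynamic clues."""
    verdict = {}
    common_patterns = {pattern for pattern, _ in common}
    for pattern in common_patterns:
        # Seen statically by both engines and at run time -> reliable clue;
        # seen statically only -> correction pattern, not published.
        verdict[pattern] = "reliable" if pattern in dynamic else "correction"
    for pattern in dynamic - common_patterns:
        # Seen only at run time -> confirmed-rule candidate, blind test first.
        verdict[pattern] = "blind_test_first"
    return verdict


def interpret_noncommon(history, threshold=20):
    """Step O (claim 11): history maps a non-common clue X to the set of
    (app_id, engine) sightings. Repeats across different engines in at least
    `threshold` distinct apps -> query pattern; repeats within one engine in at
    least `threshold` apps -> candidate for a blind test."""
    result = {}
    for clue, sightings in history.items():
        apps = {app for app, _ in sightings}
        engines = {eng for _, eng in sightings}
        if len(apps) >= threshold and len(engines) > 1:
            result[clue] = "query_pattern"
        elif len(apps) >= threshold:
            result[clue] = "blind_test_candidate"
        else:
            result[clue] = "keep_watching"
    return result
```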
TW105124839A 2016-08-04 2016-08-04 Method of dynamically and statically detecting mobile application wherein dynamic detection and static detection approaches are used in sync TW201805803A (en)

Publications (1)

Publication Number Publication Date
TW201805803A TW201805803A (en) 2018-02-16

Family ID=62014347
