TW201807611A - Sampling and judging method for unknown state by APP detection comparing the double-wire test result with each other through an intelligent mobile device - Google Patents


Info

Publication number
TW201807611A
Authority
TW
Taiwan
Prior art keywords
rules
analysis
security
malicious
analysis system
Prior art date
Application number
TW105127318A
Other languages
Chinese (zh)
Other versions
TWI606361B (en)
Inventor
王明賢
Original Assignee
青島天龍安全科技有限公司
王明賢
Application filed by 青島天龍安全科技有限公司, 王明賢
Priority to TW105127318A
Application granted
Publication of TWI606361B
Publication of TW201807611A


Abstract

This invention relates to a sampling and judging method for an unknown state by APP detection. The sampling and judging method is a method comprising the steps: when a mobile application APP program is used for a safe detection, carrying out a double-wire test on an unknown detection result, comparing the double-wire test result with each other, and deducting a correct convergence result by mutual comparison.

Description

Method for collecting and judging unknown patterns in APP detection

The present invention relates to a convergence method for the rules and interpretation of the security verification items of applications on a smart mobile device.

The actual harm produced by the great majority of malicious mobile APP content, and the related security detection, is the so-called "security" issue and "malicious pattern". In the "real world", the actual malicious patterns or security problems far exceed what ordinary tools can verify; in other words, one cannot simply design a single inspection tool by hand and expect it to detect the same risks and harms that exist in the "real world". That is to say, accuracy is being put to the test and needs to be improved.

As far as prior art is concerned, tools for detecting APP security at best cover a portion of the malicious cases found in the real world, or only a subset of them. Therefore no verification tool covers 100% of all risks, and at present one can only estimate the reliability of a tool's detection capability but cannot confirm it.

In view of the problems of the prior art, the inventor believes there should be an improved apparatus, and to that end provides a method for collecting and judging unknown patterns in APP detection, operated by computer equipment and programs: that is, a detection-correction method which interprets mobile application detection results, cross-compares the multiple clues obtained from interpretation, and produces a convergent degree of confidence in the judgment.

The present invention establishes a dual-channel verification model: the same APP is run through two different inspection engines so that two sets of results are produced, and the two sets of results are then cross-compared to find confirmable, reliable clues and to judge whether the APP has malicious or security problems. Cross-comparison is used to find confirming clues, and also to find diverging clues, which are then analyzed to confirm whether they have reference value. Through the system construction of the present invention, a mechanism for correcting and refining interpretation is produced, forming a computational model whose accuracy converges continuously. The model of the present invention operates as an automated process and in a continuous mode of operation.

Figure 1 is a block diagram of the method flow of the present invention.

Figure 2 is a schematic diagram of the operational definitions of the present invention.

Figure 3 is a detailed schematic diagram of block 6 of Figure 1 of the present invention.

The content, features and embodiments of the present invention are described below with the aid of the drawings, so that the examiner may gain a further understanding of the present invention.

1. Referring to block 1 of Figure 1, an APK application for the Android operating system or an IPA application for the iOS operating system (collectively, the APP or application) is transferred or copied into the working area under test or a specific storage area of the server, where it awaits the subsequent verification and analysis work. The APK or IPA source referred to in this module may be downloaded, copied, self-stored, or delivered on commission, and is not limited to the aforementioned sources.

2. Referring to blocks 2 and 3 of Figure 1, the APK or IPA (APP or application) assigned from step 1 is received and analyzed. The analysis is carried out in the following way:

(A). A defined detection rule (RULE) A represents a series of checks on the headers (Header) and testing code (Testing Code) of the original program content, or detection performed by execution in a simulation environment; it is defined to carry out file disassembly, or to exercise the APP's execution behaviour and observe the results. Whether reverse-assembly, invocation of testing code, or simulated execution is used, all of these may be regarded as disassembly and judgment.

(B). Based on the disassembled and judged file contents, the places that match the rules are searched for, and a match query (MatchQuery) is performed to determine the malicious pattern.

(C). Based on the execution results and the contents of the log files generated by judged execution, the places that match the rules are searched for, and a match query (MatchQuery) is performed to determine the malicious pattern.

(D). Analysis system A is triggered to execute as a Service or as an executive tool, and its rules must be developed in isolation from analysis system B, as naturally derived verification rules and methods, so that the verification rules arise under natural development without deliberate imitation. Analysis system B is likewise triggered to execute as a Service or as an executive tool, and its rules must be developed in isolation from analysis system A, as naturally derived verification rules and methods, so that the verification rules arise under natural development without deliberate imitation. In other words, the analysis methods, rules and conditions of analysis systems A and B are each developed on their own and both are independent analysis systems, which serves as an important basis of comparison for the subsequent screening and filtering of malicious clues.

Referring to Figure 2, and in conjunction with blocks 1 and 2 of Figure 1 (known standards or the accumulated techniques of known security discrimination), the verification rules (rules) are formulated and established, as in block 3 of Figure 2.

According to the verification rules, a list of malicious patterns and key control codes is defined, as in block 5 of Figure 2. According to the verification rules, disassembly and interpretation methods (detection content) are established, as in block 4 of Figure 2. Detection and interpretation are carried out according to the defined malicious pattern list and the disassembly and interpretation methods, and it is confirmed whether anything matches the malicious list, as in blocks 6 and 7 of Figure 2. The security clue rule sets A and B receive the results of disassembly and rule matching from analysis systems A and B (blocks 2 and 3 of Figure 1) and form the security clue rule set of the analysis results; this set may be in file format or database format, and carries, for each single security clue that matches clearly, the interpretation of the corresponding malicious list entry. The security clue rule set of static analysis security clue rule set A is also called the malicious pattern (MalPattern) comparison; the malicious pattern is stored as an index for further digital forensics needs, but is not yet published for use as security evidence.

3. The clues of the analysis results from step (2) are received and, referring to Figure 3 together with blocks 4 and 5 of Figure 1, the following judgments are performed: (A). Where the (dynamic) malicious patterns in security clue rule sets A and B produced by analysis systems A and B match and intersect at the source location in the program under test, that is, analysis system A and analysis system B use different rules but both detect the same security problem at the same location, falling in zone a, this is regarded as a "dynamic malicious finding with high-confidence fast-screening rules"; (B). Where the (static) key control codes in security clue rule sets A and B produced by analysis systems A and B match and intersect at the source location in the program under test, that is, analysis system A and analysis system B use different rules but both detect the same security problem at the same location, falling in zone b, this is regarded as a "static malicious finding with high-confidence fast-screening rules"; (C). Where the (static) key control codes in security clue rule sets A and B produced by analysis systems A and B match and the (dynamic) malicious patterns also intersect at the source location in the program under test, that is, analysis system A and analysis system B use different rules but both detect the same security problem at the same location, falling in zone e, this is regarded as a "trusted result of mobile application security detection" from "interdependent common security clues"; (D). By extension, when the malicious pattern or the key control code does not match, clues on which security clue rule sets A and B disagree, such as zones d and c, are regarded as "not detected" or as caused by poor rule definition and verification method design; they are stored separately in file or database format, annotated with the original verification rule, the location where the program matched the rule, the program name, the file template and so on, including but not limited to the foregoing, with sufficient information for later comparison and interpretation; (E). By extension, when neither the malicious pattern nor the key control code matches, clues on which security clue rule sets A and B disagree, such as zone f, are regarded as "not detected" with the rule definition not met, but geometrically close, as in blocks 9, 10 and 11 of Figure 1; they are stored separately in file or database format, annotated with the original verification rule, the location where the program matched the rule, the program name, the file template and so on, and manual comparison and repeated verification are carried out to confirm the clues, which after confirmation are incorporated into the rules and verification methods, as in blocks 12 and 13 of Figure 1.
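To make the zone classification of step 3 concrete, the following is an added Python example; it is not code from the patent or from the applicant. Each engine's finding is modelled as (system, kind, rule, file, line), where "dynamic" stands for a malicious-pattern match and "static" for a key-control-code match. The file-plus-line location model, the constructed sample findings, the zone label "cd" for the undetected/rule-gap case, and the three-line threshold used for "geometrically close" are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not the patent's own code): cross-comparison of findings
# from two independently developed analysis engines, A and B, following
# step 3 of the description. Zone labels a, b, e, cd and f follow the text;
# the file+line location model and the near-miss threshold are assumptions.

@dataclass(frozen=True)
class Finding:
    system: str    # "A" or "B": which independent engine produced it
    kind: str      # "dynamic" (malicious pattern) or "static" (key control code)
    rule_id: str   # that engine's own rule identifier
    file: str      # location in the program under test
    line: int

# Assumption: "geometrically close" means same kind and file, within 3 lines.
NEAR_MISS_LINES = 3

Key = Tuple[str, str, int]  # (kind, file, line)

def _index(findings: List[Finding], system: str) -> Dict[Key, List[str]]:
    """Group one engine's findings by (kind, file, line) -> rule ids."""
    idx: Dict[Key, List[str]] = {}
    for f in findings:
        if f.system == system:
            idx.setdefault((f.kind, f.file, f.line), []).append(f.rule_id)
    return idx

def cross_compare(findings: List[Finding], program_name: str) -> Dict[str, list]:
    """Sort findings into the zones of step 3:
       a  - both engines report a dynamic malicious pattern at the same location
       b  - both engines report a static key control code at the same location
       e  - both a and b hold at the same location (trusted result)
       cd - reported by one engine only, nothing nearby: 'not detected' / rule gap
       f  - reported by one engine only, but the other has a near miss: manual review
    """
    a_idx, b_idx = _index(findings, "A"), _index(findings, "B")
    agreed = set(a_idx) & set(b_idx)
    dyn = {(fl, ln) for (k, fl, ln) in agreed if k == "dynamic"}
    sta = {(fl, ln) for (k, fl, ln) in agreed if k == "static"}
    zones: Dict[str, list] = {
        "a": sorted(dyn),
        "b": sorted(sta),
        "e": sorted(dyn & sta),
        "cd": [],
        "f": [],
    }
    # Clues on which the engines disagree are kept, not discarded, with enough
    # context (rule, location, program) for later comparison and rule repair.
    for key in sorted(set(a_idx) ^ set(b_idx)):
        kind, fl, ln = key
        src, other = (a_idx, b_idx) if key in a_idx else (b_idx, a_idx)
        near = any(k2 == kind and f2 == fl and 0 < abs(l2 - ln) <= NEAR_MISS_LINES
                   for (k2, f2, l2) in other)
        record = {"program": program_name, "system": "A" if key in a_idx else "B",
                  "kind": kind, "rules": src[key], "file": fl, "line": ln}
        zones["f" if near else "cd"].append(record)
    return zones

# Constructed sample findings for a hypothetical app under test.
SAMPLE_FINDINGS = [
    Finding("A", "dynamic", "A-dyn-07", "app/Net.java", 120),
    Finding("B", "dynamic", "B-d-3",    "app/Net.java", 120),
    Finding("A", "static",  "A-kc-02",  "app/Net.java", 120),
    Finding("B", "static",  "B-s-9",    "app/Net.java", 120),
    Finding("A", "static",  "A-kc-11",  "app/Crypto.java", 40),
    Finding("B", "static",  "B-s-4",    "app/Crypto.java", 42),
    Finding("B", "dynamic", "B-d-8",    "app/Perm.java", 10),
]

if __name__ == "__main__":
    for zone, items in cross_compare(SAMPLE_FINDINGS, "demo.apk").items():
        print(zone, items)
```

With the constructed sample, the Net.java location lands in zones a, b and e (both engines agree on both a dynamic pattern and a key control code there), the two Crypto.java findings land in zone f because each engine's static match is two lines from the other's, and the lone Perm.java finding lands in zone cd with its rule and location preserved for later review.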

In summary, the technique provided by the present invention possesses industrial applicability, novelty and inventive step sufficient to warrant the grant of a patent. However, the foregoing is only an industrially preferred embodiment of the present invention, and all equivalent variations made in accordance with the disclosure of the present invention fall within the scope the present invention intends to cover.

Claims (2)

1. A method for collecting and judging unknown patterns in APP detection, operated by computer equipment and programs, which uses a dual-channel verification model to run the same APP through two different inspection engines so that two sets of results are produced, and then cross-compares the two sets of results to find confirmable, reliable clues.

2. The method for collecting and judging unknown patterns in APP detection as described in claim 1, comprising the following steps: (1). the APP is transferred or copied into the working area under test or a specific storage area of the server; (2). whether a malicious pattern is matched is analyzed according to the specification defined by analysis system A and the specification defined by analysis system B; (3). the clues of the analysis results from step (2) are received and the following judgments are performed: (A). where the dynamic malicious patterns in security clue rule sets A and B produced by analysis systems A and B match and intersect at the source location in the program under test, that is, analysis system A and analysis system B use different rules but both detect the same security problem at the same location, falling in zone a, this is regarded as a dynamic malicious finding with high-confidence fast-screening rules; (B). where the (static) key control codes in security clue rule sets A and B produced by analysis systems A and B match and intersect at the source location in the program under test, that is, analysis system A and analysis system B use different rules but both detect the same security problem at the same location, falling in zone b, this is regarded as a static malicious finding with high-confidence fast-screening rules; (C). where the (static) key control codes in security clue rule sets A and B produced by analysis systems A and B match and the dynamic malicious patterns also intersect at the source location in the program under test, that is, analysis system A and analysis system B use different rules but both detect the same security problem at the same location, falling in zone e, this is regarded as a trusted result of mobile application security detection from interdependent common security clues; (D). by extension, when the malicious pattern or the key control code does not match, clues on which security clue rule sets A and B disagree, such as zones d and e, are all regarded as not detected or as caused by poor rule definition and verification method design, and are stored separately in file or database format, annotated with the original verification rule, the location where the program matched the rule, the program name, the file template and so on, including but not limited to the foregoing, with sufficient information for later comparison and interpretation; (E). by extension, when neither the malicious pattern nor the key control code matches, clues on which security clue rule sets A and B disagree, such as zone f, are all regarded as not detected with the rule definition not met, but geometrically close; they are stored separately in file or database format, annotated with the original verification rule, the location where the program matched the rule, the program name, the file template and so on, and manual comparison and repeated verification are carried out to confirm the clues, which after confirmation are incorporated into the rules and verification methods.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW105127318A TWI606361B (en) 2016-08-25 2016-08-25 APP Detection Unknown Pattern Acquisition and Judgment Method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW105127318A TWI606361B (en) 2016-08-25 2016-08-25 APP Detection Unknown Pattern Acquisition and Judgment Method

Publications (2)

Publication Number Publication Date
TWI606361B (en) 2017-11-21
TW201807611A (en) 2018-03-01

Family

ID=61023479

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105127318A TWI606361B (en) 2016-08-25 2016-08-25 APP Detection Unknown Pattern Acquisition and Judgment Method

Country Status (1)

Country Link
TW (1) TWI606361B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7356587B2 (en) * 2003-07-29 2008-04-08 International Business Machines Corporation Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram
TWI470468B (en) * 2009-03-16 2015-01-21 Chunghwa Telecom Co Ltd System and method for detecting web malicious programs and behaviors
US20120331303A1 (en) * 2011-06-23 2012-12-27 Andersson Jonathan E Method and system for preventing execution of malware

Also Published As

Publication number Publication date
TWI606361B (en) 2017-11-21

Similar Documents

Publication Publication Date Title
CN107368417B (en) Testing method of vulnerability mining technology testing model
CN105068925A (en) Software security flaw discovering system
US20150205966A1 (en) Industrial Control System Emulator for Malware Analysis
CN111881452A (en) Safety test system for industrial control equipment and working method thereof
WO2014180107A1 (en) Test-based static analysis false positive elimination method
CN112288079A (en) Graph neural network model training method, software defect detection method and system
KR101640479B1 (en) Software vulnerability attack behavior analysis system based on the source code
CN112035359A (en) Program testing method, program testing device, electronic equipment and storage medium
CN114238980B (en) Industrial control equipment vulnerability mining method, system, equipment and storage medium
CN110059010A (en) The buffer overflow detection method with fuzz testing is executed based on dynamic symbol
CN114372519A (en) Model training method, API request filtering method, device and storage medium
CN111581110B (en) Service data accuracy detection method, device, system and storage medium
CN102681932A (en) Method for detecting processing correctness of software on abnormal input
CN115952503B (en) Application safety test method and system fused with black and white ash safety detection technology
TW201807611A (en) Sampling and judging method for unknown state by APP detection comparing the double-wire test result with each other through an intelligent mobile device
Lingzi et al. An overview of source code audit
CN104751059A (en) Function template based software behavior analysis method
CN101833505A (en) Method for detecting security bugs of software system
RU168346U1 (en) VULNERABILITY IDENTIFICATION DEVICE
CN111934949A (en) Safety test system based on database injection test
CN106384046B (en) Method for detecting mobile application program with dynamic and static states
CN104866769A (en) Vulnerability analyzing method and system based on fingerprint acquisition of business system host
CN106411816A (en) Industrial control system, secure interconnection system and processing method thereof
CN116383031A (en) Automatic audit method for source code security vulnerabilities based on scene data
Varenitca et al. Topical Issues Related to Certification Tests of Information Security Tools

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees