US20160205124A1 - System and method for detecting mobile cyber incident - Google Patents


Info

Publication number
US20160205124A1
Authority
US
United States
Legal status
Abandoned
Application number
US14/602,602
Inventor
Byung Ik Kim
Tai Jin Lee
Youngsang Shin
Hong Koo Kang
Seul Gi LEE
Hyei Sun CHO
Current Assignee
Korea Internet and Security Agency
Original Assignee
Korea Internet and Security Agency
Priority: Korean Patent Application No. 10-2015-0006948
Application filed by Korea Internet and Security Agency; assigned to Korea Internet & Security Agency.

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L51/00 Arrangements for user-to-user messaging in packet-switching networks, e.g. e-mail or instant messages
            • H04L51/08 Messages including annexed information, e.g. attachments
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
            • H04W4/12 Messaging; Mailboxes; Announcements
            • H04W4/60 Subscription-based services using application servers or record carriers, e.g. SIM application toolkits
          • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
            • H04W88/18 Service support devices; Network management devices
              • H04W88/184 Messaging devices, e.g. message centre
    • G PHYSICS
      • G06 COMPUTING; CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/10 File systems; File servers
              • G06F16/13 File access structures, e.g. distributed indices
                • G06F16/137 Hash-based
            • G06F16/90 Details of database functions independent of the retrieved data types
              • G06F16/95 Retrieval from the web
                • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
                  • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
          • G06F17/30097
          • G06F17/30867

Abstract

A system for detecting mobile cyber incidents includes: a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.

Description

    CROSS REFERENCE TO RELATED APPLICATION
  • The present application claims the benefit of Korean Patent Application No. 10-2015-0006948 filed in the Korean Intellectual Property Office on Jan. 14, 2015, the entire contents of which are incorporated herein by reference.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates to a system and method for detecting mobile cyber incidents, and more particularly to one that collects information on every path through which mobile malicious code spreads, in order to detect the mobile cyber incidents that the malicious code generates.
  • 2. Background of the Related Art
  • The number of mobile terminal users has recently grown drastically. In the first quarter of 2014 about 6.8 billion people worldwide were using mobile terminals, and 2 billion new mobile users were added in 2013 alone. Users are growing so fast because the internet can be used freely without limits of time or place, services such as SNS make it easier to stay in touch, and simple procedures give access to conveniences such as financial services and free service coupons.
  • Recent mobile terminals, which provide conveniences through various applications and support fast internet services, are called ‘smartphones’.
  • Such smartphones store and manage various kinds of personal information. That is, they store telephone numbers, text messages, bank account numbers for financial services, password numbers, authenticated certificates, card numbers and the like.
  • Because smartphones hold so much personal information, they are a target for hackers, and unfortunately smartphone users are poor at recognizing such attacks.
  • According to Kaspersky Lab, a company that analyzes PC and mobile malicious code, 65,118 mobile malicious codes were found in the second quarter of 2014, along with 727,790 APK files that install malicious code.
  • Of these, 2,033 malicious codes targeted mobile banking. The total number of mobile malicious codes was lower than in the first quarter of 2014, but the number of mobile banking malicious codes was twice that of the first quarter. More than 90% of the mobile banking malicious codes were found in Russia, and 30 were detected even in Korea.
  • Incidents involving mobile malicious code have therefore increased, and they are handled with mobile vaccine (mobile anti-virus software). The mobile vaccine analyzes the mobile malicious code, creates information for detecting it, transmits that information to the user and provides a detection function. In practice, however, most mobile users do not use a mobile vaccine.
  • According to a survey by the Korea Internet & Security Agency, only about 33.5% of mobile terminal users have installed a mobile vaccine. To create a vaccine signature that detects a mobile malicious code, specific information about the code must be extracted through manual analysis by analysts, and a method for deleting the detected code must then be found and sent to the user.
  • However, there are few systems for collecting the mobile malicious code that needs to be checked. At present, applications suspected of malicious behavior are either reported by users or collected from application markets. Systems for collecting mobile malicious code that is shared through downloads, black markets and blogs have been insufficient, and accordingly attackers who spread mobile malicious code insert download links into web sites or send application download addresses through SMS/MMS.
  • Moreover, the collected applications are analyzed directly by analysts, so the number of collected applications that can be analyzed is limited. A system that assists the analysis has recently been developed as a tester, but whether malicious behavior exists in the results it produces still has to be decided by the analysts.
  • SUMMARY OF THE INVENTION
  • Accordingly, the present invention has been made in view of the above-mentioned problems occurring in the prior art, and it is an object of the present invention to provide a system and method for detecting mobile cyber incidents that collects information on every path through which mobile malicious code spreads, in order to detect the mobile cyber incidents generated from that malicious code.
  • It is another object of the present invention to provide a system and method for detecting mobile cyber incidents that reports applications suspected of malicious behavior, together with information on those applications, to a manager, so that manual analysis is performed only for the suspected applications.
  • To accomplish the above-mentioned objects, according to a first aspect of the present invention, there is provided a system for detecting mobile cyber incidents, the system including: a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.
  • According to the present invention, preferably, the APK detection information includes at least one of application names, versions, sizes, uploader names, and authorization information.
  • According to the present invention, preferably, when the mobile incident collection server produces the text message detection information, it accesses the corresponding web pages using the URL information contained in the text messages to check whether applications are downloaded from those web pages.
  • According to the present invention, preferably, when the mobile incident collection server collects the basic information of the applications being sold in the application market servers, it analyzes the relation between the collected applications and the previously analyzed applications to check whether the collected applications are duplicates.
  • According to the present invention, preferably, the mobile incident collection server checks whether the collected applications duplicate the previously analyzed applications on the basis of at least one of the application names, versions, uploader names, and URL information.
  • To accomplish the above-mentioned objects, according to a second aspect of the present invention, there is provided a method for detecting mobile cyber incidents, the method including the steps of: allowing a mobile incident collection server to determine whether a new text message is received; extracting the original hash of the received text message by means of the mobile incident collection server; allowing the mobile incident collection server to determine, on the basis of the extracted original hash, whether an attached file exists; if the attached file exists, extracting the attached file by means of the mobile incident collection server; and storing and managing the APP information of the extracted attached file as mobile cyber incident information in the mobile incident collection server.
  • According to the present invention, preferably, the method for detecting mobile cyber incidents further includes the steps of: extracting the text sending information on the basis of the extracted original hash by means of the mobile incident collection server; and extracting the sending number, time, communication company and main phrases from the extracted text sending information and storing and managing them as mobile cyber incident information in the mobile incident collection server.
  • According to the present invention, preferably, the method for detecting mobile cyber incidents further includes the steps of: extracting the text content on the basis of the extracted original hash by means of the mobile incident collection server; parsing the URLs in the extracted text content by means of the mobile incident collection server; and storing and managing the parsed information as mobile cyber incident information in the mobile incident collection server.
  • To accomplish the above-mentioned objects, according to a third aspect of the present invention, there is provided a method for detecting mobile cyber incidents, the method including the steps of: allowing a mobile incident collection server to determine whether a search word collection period has started; if it has started, calling the real-time search word collection API of each portal by means of the mobile incident collection server; retrieving the number of search words by means of the mobile incident collection server; collecting the API-based real-time search words from each portal by means of the mobile incident collection server; parsing the collected search words by means of the mobile incident collection server; and storing and managing the parsed search words as mobile cyber incident information in the mobile incident collection server.
  • To accomplish the above-mentioned objects, according to a fourth aspect of the present invention, there is provided a method for detecting mobile cyber incidents, the method including the steps of: allowing a mobile incident collection server to determine whether a URL detection period has started; if it has started, calling the search API of each portal by means of the mobile incident collection server; retrieving the collected search words by means of the mobile incident collection server; receiving the search results for the collected search words by means of the mobile incident collection server; parsing the search results and extracting the URL information from the parsed search results by means of the mobile incident collection server; allowing the mobile incident collection server to determine whether any search words have not yet been searched; and if such search words exist, receiving the search results corresponding to them by means of the mobile incident collection server.
  • According to the present invention, preferably, the method for detecting mobile cyber incidents further includes the steps of: after the mobile incident collection server parses the search results and extracts the URL information from them, retrieving the URL repetition collection limitation period by means of the mobile incident collection server; allowing the mobile incident collection server to determine whether URLs have been collected; if URLs have been collected, allowing the mobile incident collection server to determine whether the collected URLs are repetition collection limitation URLs; if they are, producing and storing the URL and its hash by means of the mobile incident collection server; and storing the basis information and setting the repetition collection limitation by means of the mobile incident collection server.
  • According to the present invention, preferably, the method for detecting mobile cyber incidents further includes the step of: analyzing the web page source of the extracted URL and extracting the URL from which the application linked on the corresponding web page is downloaded, by means of the mobile incident collection server.
  • According to the present invention, preferably, the method for detecting mobile cyber incidents further includes the steps of: checking whether the URL links to other web pages by means of the mobile incident collection server; and allowing the mobile incident collection server to determine whether the URL automatically visits the corresponding web page to download the applications linked on that web page.
  • According to the present invention, preferably, the method for detecting mobile cyber incidents further includes the step of: allowing the mobile incident collection server to check whether the collected applications duplicate each other, so as to check the relations of the collected applications with the previously analyzed applications.
  • According to the present invention, preferably, the relations of the collected applications with the previously analyzed applications are checked by determining whether at least one of the application names, versions, uploader names, and URL information is similar or identical.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above and other objects, features and advantages of the present invention will be apparent from the following detailed description of the preferred embodiments of the invention in conjunction with the accompanying drawings, in which:
  • FIG. 1 is a block diagram showing a system for detecting mobile cyber incidents according to the present invention;
  • FIG. 2 is a block diagram showing the configuration for text message processing and text content extraction of a mobile incident collection server of FIG. 1;
  • FIG. 3 is a flow chart showing a text message collection routine in a method for detecting mobile cyber incidents according to the present invention; and
  • FIG. 4 is a flow chart showing a search portal-based URL collection routine in the method for detecting mobile cyber incidents according to the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Before the present invention is disclosed and described, it is to be understood that the disclosed embodiments are merely exemplary of the invention, which can be embodied in various forms. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one of ordinary skill in the art to variously employ the present invention in virtually any appropriately detailed structure. Further, if the terminology used herein fails to indicate the scope of the invention accurately, it should be replaced with terminology correctly understood by those skilled in the art. Furthermore, the terminology used herein should be interpreted according to its context and its dictionary definition, and should not be read in an excessively narrow sense.
  • The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. The terms ‘a’ and ‘an’, as used herein, are defined as one or more than one. The terms ‘including’ and/or ‘having’, as used herein, refer to the features, numbers, steps, operations, elements, parts or combinations stated above, and it is to be understood that they do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, parts or combinations.
  • The present invention is disclosed with reference to the attached drawings wherein the corresponding parts in the embodiments of the present invention are indicated by corresponding reference numerals and the repeated explanation on the corresponding parts will be avoided. If it is determined that the detailed explanation on the well known technology related to the present invention makes the scope of the present invention not clear, the explanation will be avoided for the brevity of the description.
  • FIG. 1 is a block diagram showing a system for detecting mobile cyber incidents according to the present invention.
  • As shown in FIG. 1, a system for detecting mobile cyber incidents according to the present invention includes: a mobile incident collection server 500 adapted to collect text messages sent through communication company servers 100 to produce text message detection information, to collect URL information based on real-time search words provided by search portals 200 to produce URL detection information, and to collect basic information of application files being sold in play stores 300 and black markets 400 to produce APK detection information; a detection information DB 600 adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server 500; a manager terminal 700 adapted to provide collection conditions for collecting detection information to the mobile incident collection server 500; and a communication network 800 adapted to build communication environments among the mobile incident collection server 500, the communication company servers 100, the search portals 200, the play stores 300, the black markets 400, the detection information DB 600 and the manager terminal 700.
  • The APK detection information includes application names, versions, sizes, uploader names, and authorization information.
  • When the mobile incident collection server 500 produces the text message detection information, it accesses the corresponding web page using the URL information contained in the text message to check whether an application is downloaded from it.
  • When the mobile incident collection server 500 collects the basic information of the applications being sold in the play stores 300 and the black markets 400, which serve as application market servers, it analyzes the relation between the collected applications and the previously analyzed applications to check whether they duplicate each other.
  • The mobile incident collection server 500 checks whether the collected applications duplicate the previously analyzed applications on the basis of the application names, versions, uploader names, and URL information.
  • Referring schematically to FIG. 2 showing the configuration for text message processing and text content extraction in the mobile incident collection server 500, an input interface 510 receives text messages sent through spam management servers (not shown) or the communication company servers 100 to provide the text messages to a new text check and collection module 520 through a mobile spam DB addition access module 530.
  • Further, the input interface 510 receives manager input through the manager terminal 700 to provide the manager input to a URL and text message collection module 540.
  • The input interface 510 can also receive the text messages through an external system (not shown). The external system in turn receives texts reported as spam from an SMS spam trap system built in KISC and from the communication company servers 100.
  • Further, the input interface 510 receives the web interface input of the manager and the text file input of the system.
  • The text messages collected from an external system such as the communication company servers 100 are received as text files, one file per unit of time. Each text message occupies one line, with the fields in the order: time of collection by the external system, sender telephone number, sender communication company, and text message content. The fields are separated by TAB, so when the system is implemented the information can be split on TAB (\t) and line break (\n).
  • When the mobile spam DB addition access module 530 collects the original copies of the text messages through the input interface 510, it collects them once per time unit: at each time unit it checks the connection to the external system, and once the connection is confirmed it selects the original copies of the text messages from the table in which they are stored and receives the selected information.
  • The new text check and collection module 520 periodically checks whether new information has been received from the external system, on the basis of new DB entries and newly created FTP files (the latter only for an FTP system); if no file has been produced since the last collection time, it checks for file production again every five minutes.
  • A new text identification information extraction and storage module 550 examines the original copies of the text messages, enters the information the system needs into the DB, and assigns an ID to each text message in the text message index table. The time information, sender telephone number and communication company are extracted and entered into the DB.
  • A text content extraction and storage module 560 extracts the text message content, performs URL extraction, issues and stores a URL index ID, extracts only the content from the collected original copies of the text messages to produce and manage separate hash values, and checks whether the extracted text contains URL-related phrases; if candidate information is detected using the start pattern of a URL, it passes that information to a URL information parsing module 570.
  • The URL information parsing module 570 checks the URL information in the text messages to extract the URL phrases: it starts URL detection when a given string is found at the start of a URL, then examines the following string to find the end point of the URL, selects the string delimited in this way as a URL phrase, issues a URL index to the selected URL phrase, manages repeated information, and checks whether the URL is a shortened URL.
  • Under the above-mentioned configuration, an explanation on a method for detecting mobile cyber incidents will be given with respect to FIGS. 3 and 4.
  • (Text Message Collection Routine)
  • FIG. 3 is a flow chart showing a text message collection routine in a method for detecting mobile cyber incidents according to the present invention.
  • As shown in FIG. 3, a text message collection routine in a method for detecting mobile cyber incidents according to the present invention is carried out by allowing the mobile incident collection server 500 to determine whether new text is received (at step S105) and extracting the text original hash from the received new text if the new text is received (at step S110).
  • Next, the mobile incident collection server 500 determines, on the basis of the extracted original hash, whether an attached file exists (at step S115), and if it does, extracts the attached file (at step S120).
  • After that, the mobile incident collection server 500 stores and manages the APP information of the extracted attached file as mobile cyber incident information (at step S125).
  • On the other hand, the mobile incident collection server 500 extracts text sending information on the basis of the extracted text original hash (at step S130) and extracts sending number, time, communication company and main phrases from the extracted text sending information to store and manage the extracted information as the mobile cyber incident information (at steps S135 to S145).
  • Finally, the mobile incident collection server 500 extracts the text content from the extracted text original hash (at step S150), parses the URL of the extracted text content (at step S155), and stores and manages the parsed information as the mobile cyber incident information (at step S160).
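The TAB-separated feed format described for the input interface, the URL-phrase scanning of modules 560 and 570, and the FIG. 3 routine (steps S105 to S160), implemented together as an added Python example; this is not code from the patent or from KISA. The feed lines, the MMS record, the URL start markers, the shortener host list and the reading of "main phrases" as the first few words are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed configuration (not specified by the patent): strings that open URL
# detection, and hosts treated as URL shorteners.
URL_START = re.compile(r"https?://|www\.", re.IGNORECASE)
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co"}

# Constructed sample of the feed format: one message per line, four TAB-separated
# fields in the order collected time, sender number, sender carrier, content.
SAMPLE_FEED = (
    "2015-01-14 09:12:03\t01012345678\tCarrierA\tYour parcel is waiting: http://example.org/track.apk\n"
    "2015-01-14 09:12:40\t01098765432\tCarrierB\tCourt notice, see http://bit.ly/abc123 now.\n"
    "2015-01-14 09:13:15\t01055556666\tCarrierA\tLunch at noon?\n"
    "2015-01-14 09:14:02\t01012345678\tCarrierA\tYour parcel is waiting: http://example.org/track.apk\n"
)

@dataclass
class Message:
    collected_at: str
    sender: str
    carrier: str
    content: str
    attachment: Optional[bytes] = None  # MMS attachment; the TAB feed carries none

@dataclass
class IncidentInfo:
    original_hash: str      # hash of the whole received record (text original hash)
    content_hash: str       # separate hash of the message content only
    sending_info: dict
    app_info: Optional[dict]
    urls: list

@dataclass
class Collector:
    url_index: dict = field(default_factory=dict)   # URL phrase -> URL index id
    seen_content: set = field(default_factory=set)  # content hashes already stored
    records: list = field(default_factory=list)

    def parse_feed(self, feed: str) -> list:
        """Split the feed on line breaks, then each line on TAB into its four fields."""
        rows = [line.split("\t", 3) for line in feed.split("\n")]
        return [Message(*r) for r in rows if len(r) == 4]  # malformed lines are skipped

    def extract_urls(self, text: str) -> list:
        """Start detection at a start marker, read to the next whitespace, trim punctuation."""
        found, pos = [], 0
        while (m := URL_START.search(text, pos)) is not None:
            end = m.start()
            while end < len(text) and not text[end].isspace():
                end += 1
            phrase = text[m.start():end].rstrip(".,;:!?)\"'")
            if phrase not in found:
                found.append(phrase)
            pos = end
        return found

    def url_entry(self, url: str) -> dict:
        """Issue a URL index (reused for a repeated URL) and flag shortener hosts."""
        host = re.sub(r"^(?:https?://)?(?:www\.)?", "", url, flags=re.I).split("/")[0].lower()
        self.url_index.setdefault(url, len(self.url_index) + 1)
        return {"url": url, "index": self.url_index[url], "shortened": host in SHORTENER_HOSTS}

    def process(self, msg: Message) -> Optional[IncidentInfo]:
        """The FIG. 3 routine for one message; returns None when the content is a repeat."""
        raw = "\t".join((msg.collected_at, msg.sender, msg.carrier, msg.content))
        original_hash = hashlib.sha256(raw.encode("utf-8")).hexdigest()
        content_hash = hashlib.sha256(msg.content.encode("utf-8")).hexdigest()
        if content_hash in self.seen_content:
            return None
        self.seen_content.add(content_hash)
        app_info = None
        if msg.attachment is not None:       # attached file: keep its APP information
            app_info = {"size": len(msg.attachment), "sha256": hashlib.sha256(msg.attachment).hexdigest()}
        urls = [self.url_entry(u) for u in self.extract_urls(msg.content)]
        plain = msg.content
        for u in urls:
            plain = plain.replace(u["url"], " ")
        # "main phrases" is not defined by the patent; assumed here: up to five words of 4+ letters
        sending_info = {"number": msg.sender, "time": msg.collected_at, "carrier": msg.carrier,
                        "main_phrases": re.findall(r"[A-Za-z]{4,}", plain)[:5]}
        record = IncidentInfo(original_hash, content_hash, sending_info, app_info, urls)
        self.records.append(record)
        return record

def run_sample() -> Collector:
    """Process the constructed feed, then one constructed MMS record with an attachment."""
    c = Collector()
    for msg in c.parse_feed(SAMPLE_FEED):
        c.process(msg)
    c.process(Message("2015-01-14 09:15:00", "01077778888", "CarrierB",
                      "Install the attached update", b"PK\x03\x04placeholder"))
    return c
```

The fourth feed line repeats the content of the first, so it keeps its URL index but produces no new record.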
  • (Search Portal-based URL Collection Routine)
  • FIG. 4 is a flow chart showing a search portal-based URL collection routine in the method for detecting mobile cyber incidents according to the present invention.
  • As shown in FIG. 4, the mobile incident collection server 500 determines whether a search word collection period starts or not (at step S202), and if the search word collection period starts, the mobile incident collection server 500 calls a real-time search word collection API by portal (at step S204).
  • After the mobile incident collection server 500 calls the search word collection API, it calls the number of search words (at step S206). Next, after the mobile incident collection server 500 collects the API-based real-time search words by portal (at step S208), it parses the collected search words (at step S210) and stores and manages the parsed search words as the mobile cyber incident information (at step S212).
  • On the other hand, the mobile incident collection server 500 determines whether a URL detection period starts or not (at step S216), and if the URL detection period starts, the mobile incident collection server 500 calls a search API by portal (at step S218).
  • Next, the mobile incident collection server 500 calls collected search words (at step S220), receives the search results through the collected search words (at step S222), and parses the search results and extracts the URL information from the parsed search results (at step S224).
  • The mobile incident collection server 500 determines whether any search words remain unsearched (at step S226), and if unsearched search words exist, it returns to receive the search results corresponding to them (at step S222).
  • Finally, the mobile incident collection server 500 retrieves the URL repetition collection limitation period (at step S228) and determines whether URLs are collected (at step S230). If the URLs are collected, the mobile incident collection server 500 determines whether the collected URLs are the repetition collection limitation URLs (at step S232).
  • After that, if it is determined that the collected URLs are the repetition collection limitation URLs, the mobile incident collection server 500 produces and stores the URL and its hash (at step S234), stores the basis information and sets the repetition collection limitations (at step S236).
  • At this time, the mobile incident collection server 500 analyzes the web page source of the extracted URL and extracts the URL that downloads the application linked from the web page. The mobile incident collection server 500 checks whether the URL is connected to other web pages and then determines whether the URL automatically visits the corresponding web page to download the applications linked from it. Accordingly, the mobile incident collection server 500 checks whether the collected applications duplicate one another in order to establish their relations with the existing analyzed applications. Whether a collected application is similar to or the same as an existing analyzed application is determined by comparing the application names, versions, uploader names, and URL information between them.
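The URL collection and repetition limitation steps (S220 to S236) together with the application relation check described above, as an added Python example that is not the patent's own implementation: it assumes HTML search results, a SHA-256 of the normalized URL as the stored hash, a caller-supplied limitation period, a ".apk" suffix to recognize application download links, and the labels same, similar and new for the relation check.

```python
# Added example, not the patent's code: URL collection (S220 to S236) with a
# repetition collection limitation plus the application relation check. The
# hash choice, period handling, ".apk" rule and relation labels are assumptions.
import hashlib
from html.parser import HTMLParser
from typing import Dict, List

# Constructed search-result fragment (not real data).
SAMPLE_RESULTS = ('<a href="http://example.test/post1">hit</a>'
                  '<a href="http://example.test/get/app.apk">download</a>')

class _HrefParser(HTMLParser):
    """Collects every href attribute of <a> tags in an HTML fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def extract_urls(html: str) -> List[str]:
    """Parse search results (or a page source) and return linked URLs (S224)."""
    p = _HrefParser()
    p.feed(html)
    return p.hrefs

def extract_apk_links(page_source: str) -> List[str]:
    """URLs on a page that download an application; ".apk" suffix is assumed."""
    return [u for u in extract_urls(page_source) if u.lower().endswith(".apk")]

class UrlCollector:
    """Stores URL and hash as basis information and skips a URL whose
    repetition collection limitation is still in force (S228 to S236)."""
    def __init__(self, limit_seconds: int) -> None:
        self.limit_seconds = limit_seconds
        self.basis: Dict[str, dict] = {}  # url hash -> basis information

    @staticmethod
    def url_hash(url: str) -> str:
        return hashlib.sha256(url.strip().lower().encode()).hexdigest()

    def collect(self, url: str, now: int) -> bool:
        """True when the URL is newly stored, False when it is still limited."""
        h = self.url_hash(url)
        entry = self.basis.get(h)
        if entry and now < entry["limit_until"]:
            return False
        self.basis[h] = {"url": url, "hash": h, "seen": now,
                         "limit_until": now + self.limit_seconds}
        return True

def app_relation(app: dict, existing: List[dict]) -> str:
    """Compare name, version, uploader and URL with already analysed apps."""
    keys = ("name", "version", "uploader", "url")
    best = max((sum(app.get(k) == old.get(k) for k in keys) for old in existing), default=0)
    if best == len(keys):
        return "same"
    return "similar" if best >= 2 else "new"
```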
  • As described above, the system and method for detecting mobile cyber incidents according to the present invention collect information on all of the paths through which mobile malicious code spreads, in order to detect the mobile cyber incidents generated by the mobile malicious code.
  • Moreover, the system and method for detecting mobile cyber incidents according to the present invention report applications suspected of malicious behavior, together with the information on those applications, to a manager and conduct manual analysis only for the suspected applications.
  • Furthermore, the system and method for detecting mobile cyber incidents according to the present invention provide stability in application analysis and a system for sharing the detected information, so that mobile cyber incidents can be handled dynamically as they occur.
  • While the present invention has been described with reference to the particular illustrative embodiments, it is not to be restricted by the embodiments but only by the appended claims. It is to be appreciated that those skilled in the art can change or modify the embodiments without departing from the scope and spirit of the present invention.

Claims (15)

What is claimed is:
1. A system for detecting mobile cyber incidents, the system comprising:
a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and
a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.
2. The system for detecting mobile cyber incidents according to claim 1, wherein the APK detection information comprises at least one or more of application names, versions, sizes, uploader names, and authorization information.
3. The system for detecting mobile cyber incidents according to claim 1, wherein when the mobile incident collection server produces the text message detection information, the mobile incident collection server accesses the corresponding web pages by using the URL information contained in the text messages to check whether applications in the web pages are downloaded.
4. The system for detecting mobile cyber incidents according to claim 1, wherein when the mobile incident collection server collects the basic information of the applications being sold in the application market servers, the mobile incident collection server analyzes the relation between the collected applications and the previously analyzed applications to check whether the applications are repeated.
5. The system for detecting mobile cyber incidents according to claim 4, wherein the mobile incident collection server checks whether the collected applications are repeated with the previously analyzed applications on the basis of at least one or more information of the application names, versions, uploader names, and URL information.
6. A method for detecting mobile cyber incidents, the method comprising the steps of:
allowing a mobile incident collection server to determine whether new text is received;
extracting the text original hash from the received new text by means of the mobile incident collection server;
allowing the mobile incident collection server to determine whether an attached file exists on the basis of the extracted text original hash;
if the attached file exists, extracting the attached file by means of the mobile incident collection server; and
storing and managing the APP information of the extracted attached file as mobile cyber incident information in the mobile incident collection server.
7. The method for detecting mobile cyber incidents according to claim 6, further comprising the steps of:
extracting text sending information on the basis of the extracted text original hash by means of the mobile incident collection server; and
extracting sending number, time, communication company and main phrases from the extracted text sending information and storing and managing the extracted information as the mobile cyber incident information in the mobile incident collection server.
8. The method for detecting mobile cyber incidents according to claim 6, further comprising the steps of:
extracting the text content from the extracted text original hash by means of the mobile incident collection server;
parsing the URL of the extracted text content by means of the mobile incident collection server; and
storing and managing the parsed information as the mobile cyber incident information in the mobile incident collection server.
9. A method for detecting mobile cyber incidents, the method comprising the steps of:
allowing a mobile incident collection server to determine whether a search word collection period starts;
if the search word collection period starts, calling a real-time search word collection API by portal by means of the mobile incident collection server;
calling the number of search words by means of the mobile incident collection server;
collecting the API-based real-time search words by portal by means of the mobile incident collection server;
parsing the collected search words by means of the mobile incident collection server; and
storing and managing the parsed search words as the mobile cyber incident information in the mobile incident collection server.
10. A method for detecting mobile cyber incidents, the method comprising the steps of:
allowing a mobile incident collection server to determine whether a URL detection period starts;
if the URL detection period starts, calling a search API by portal by means of the mobile incident collection server;
calling collected search words by means of the mobile incident collection server;
receiving the search results through the collected search words by means of the mobile incident collection server;
parsing the search results and extracting the URL information from the parsed search results by means of the mobile incident collection server;
allowing the mobile incident collection server to determine whether the search words not searched exist; and
if the search words not searched exist, receiving the search results corresponding to the search words not searched by means of the mobile incident collection server.
11. The method for detecting mobile cyber incidents according to claim 10, further comprising the steps of:
after the mobile incident collection server parses the search results and extracts the URL information from the parsed search results, calling URL repetition collection limitation period by means of the mobile incident collection server;
allowing the mobile incident collection server to determine whether URLs are collected;
if the URLs are collected, allowing the mobile incident collection server to determine whether the collected URLs are the repetition collection limitation URLs;
if it is determined that the collected URLs are the repetition collection limitation URLs, producing and storing URL and hash by means of the mobile incident collection server; and
storing the basis information and setting repetition collection limitations by means of the mobile incident collection server.
12. The method for detecting mobile cyber incidents according to claim 11, further comprising the steps of: analyzing the web page source of the extracted URL and extracting the URL downloading the application connected to the corresponding web page by means of the mobile incident collection server.
13. The method for detecting mobile cyber incidents according to claim 12, further comprising the steps of: checking whether the URL is connected to other web pages by means of the mobile incident collection server; and allowing the mobile incident collection server to determine whether the URL automatically visits the corresponding web page to download the applications connected to the web page.
14. The method for detecting mobile cyber incidents according to claim 9, further comprising the step of: allowing the mobile incident collection server to check whether the collected applications are repeated with each other to check the relations of the collected applications with the existing analyzed applications.
15. The method for detecting mobile cyber incidents according to claim 14, wherein the relations of the collected applications with the existing analyzed applications are checked to check whether at least one or more information of the application names, versions, uploader names, and URL information are similar to or the same as each other.

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR20150006948 2015-01-14
KR10-2015-0006948 2015-01-14

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/171,305 US9584537B2 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident
US15/171,256 US20160285905A1 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US15/171,256 Division US20160285905A1 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident
US15/171,305 Division US9584537B2 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident

Publications (1)

Publication Number Publication Date
US20160205124A1 true US20160205124A1 (en) 2016-07-14

Family

ID=56368366

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/602,602 Abandoned US20160205124A1 (en) 2015-01-14 2015-01-22 System and method for detecting mobile cyber incident
US15/171,305 Active US9584537B2 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident
US15/171,256 Abandoned US20160285905A1 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident

Family Applications After (2)

Application Number Title Priority Date Filing Date
US15/171,305 Active US9584537B2 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident
US15/171,256 Abandoned US20160285905A1 (en) 2015-01-14 2016-06-02 System and method for detecting mobile cyber incident

Country Status (1)

Country Link
US (3) US20160205124A1 (en)

Also Published As

Publication number Publication date
US20160277430A1 (en) 2016-09-22
US9584537B2 (en) 2017-02-28
US20160285905A1 (en) 2016-09-29

Legal Events

Date Code Title Description
AS Assignment

Owner name: KOREA INTERNET & SECURITY AGENCY, KOREA, REPUBLIC

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIM, BYUNG IK;LEE, TAI JIN;SHIN, YOUNGSANG;AND OTHERS;REEL/FRAME:034788/0411

Effective date: 20150122

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION