WO2013069758A1 - Unauthorized application detection system and method - Google Patents
Unauthorized application detection system and method
- Publication number
- WO2013069758A1 (PCT/JP2012/079084)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- application
- fraud detection
- terminal device
- information
- feature value
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
Definitions
- the present invention relates to a system and method for detecting unauthorized operability (malicious behaviour) of an application installed in a terminal device, using a detection technique that combines the terminal device with a fraud detection server device.
- for computer virus detection on a personal computer or similar, it is common to run virus detection software on the computer itself to check whether unauthorized applications are installed or suspicious behaviour is observed. However, since a portable terminal device has limited hardware resources, methods different from those used for a personal computer have been proposed.
- Patent Document 1 discloses a technique in which, before a user's mobile phone downloads content from a content server, the content server sends the content to a virus check server, which performs a virus check.
- Patent Document 2 discloses a system for monitoring the software status of a terminal device connected to a network by a monitoring device.
- the monitoring device of this system has a first DB that stores feature information of software, including feature information of files that cause vulnerabilities and of files generated on malware infection, while the terminal device has a second DB that sequentially acquires and holds the feature information of the files it owns.
- the monitoring device sends the feature information stored in the first DB to the terminal device together with the verification request via the network.
- the terminal device searches the second DB, verifies the existence of a file related to the feature information, and transmits the verification result to the monitoring device. Based on the received verification result, the monitoring device determines the vulnerability of the terminal device or the malware infection status, performs access control, and prevents the spread of damage.
- Patent Document 3 discloses a technology in which a mail storage unit stores a copy of each mail transmitted from the mail server to the client terminal, and after the virus definition file is updated, viruses lurking in the stored mail are detected.
- Patent Document 4 discloses a technique in which the virus check means and the virus definition file information used are attached to a file once it has been virus-checked, so that at the next virus check it can be determined whether the check needs to be executed again when the same virus check means and virus definition file would be used.
- Patent Document 1 has the problems that the virus check by the virus check server at download time takes a long time, and that it cannot protect the mobile phone from a virus that was not known at the time of the check.
- in the technology of Patent Document 2, the terminal device can be monitored closely from the monitoring device, but because the terminal device searches for matches against the feature information sent from the monitoring device, it is not practical to send all feature information to the terminal device when a very large number of applications are distributed, as is the case today.
- the technology of Patent Document 3 is excellent in that the virus check can always be performed with the latest virus definition file, but storing a large amount of mail, or all applications, requires a large storage area and is not an efficient method.
- Patent Document 4 has the advantage that the virus check can be performed at high speed on a low-powered computer, but it is not a technique aimed at terminal devices used by unspecified users, and no technology has been provided to detect the unauthorized operability of an application after it has been deleted from the terminal device.
- the present invention has been made in view of the above problems of the prior art, and its object is to provide a technique for detecting unauthorized operability of an application on a terminal device with a low load on the terminal while increasing detection accuracy.
- in addition, a technique capable of detecting an application that has already been deleted from a terminal device is provided.
- the present invention is an unauthorized application detection system that includes a terminal device on which a user can install applications as appropriate, and a fraud detection server device that detects unauthorized operability of the applications installed in the terminal device.
- the terminal device includes an installation state detection processing unit that detects that the installation state of an application has changed; an installation notification processing unit that notifies the fraud detection server device of the installed application information when the installation state has changed; a feature value calculation processing unit that calculates a predetermined feature value based on the application file or on element files constituting the package of the application; a feature value transmission processing unit that notifies the fraud detection server device of the application information and its feature value; a fraud detection information reception processing unit that receives fraud detection information from the fraud detection server device at least when unauthorized operability of the application is detected; and a fraud handling processing unit that performs predetermined response processing on the terminal device when fraud detection information is received.
- the fraud detection server device includes an installation notification reception processing unit that receives the installed application information from the installation notification processing unit of the terminal device; a feature value reception processing unit that receives feature values from the feature value transmission processing unit of the terminal device; a fraud detection processing unit that detects unauthorized operability of the registered application within the apparatus or acquires the result from outside; a fraud detection result recording processing unit that registers the feature value in the application database in association with the unauthorized operability information; and a fraud detection information transmission processing unit that transmits fraud detection information to the terminal device at least when unauthorized operability of the application is detected.
- the fraud detection server device may further include an application information search processing unit that searches whether the notified application information has already been registered in the application database, and a registration state notification processing unit that notifies the terminal device of the search result; the feature value transmission processing unit of the terminal device then notifies the fraud detection server device of the application information and feature value according to whether or not the application information has already been registered in the fraud detection server device.
- the fraud detection result recording unit may record the installation state of the application for each terminal device in the application database, triggered by the installation notification from the terminal device; when the fraud detection processing unit detects unauthorized operability, the fraud detection information transmission processing unit may then transmit fraud detection information even after the application has already been deleted from the terminal device.
- the application database may be divided into a terminal application database that records the installation status of each terminal, and an unauthorized operability database that records feature values in association with unauthorized operability information.
- the fraud detection server device may include a feature value calculation processing unit that calculates a predetermined feature value based on an arbitrary input application file or an element file constituting the package of the application; the fraud detection processing unit then detects the unauthorized operability of that application, and the fraud detection result recording unit registers the feature value and the unauthorized operability information in the application database.
- the present invention may also be provided as only the terminal device used in the unauthorized application detection system, or as only the fraud detection server device.
- the present invention may also be provided as a method of detecting an unauthorized application installed in a terminal device, using a terminal device on which a user can install applications as appropriate and a fraud detection server device that detects unauthorized operability of the applications installed in the terminal device.
- the method consists of the following steps.
- the method has an installation state detection step of detecting that the installation state of an application in the terminal device has changed; an installation notification step of notifying the fraud detection server device of the installed application information when the installation state has changed; a feature value transmission step of notifying the fraud detection server device of a predetermined feature value based on the application file or element files constituting the package of the application; a fraud detection result recording step of registering the feature value in the application database in association with the unauthorized operability of the application; a fraud detection information transmission step of transmitting fraud detection information to the terminal device at least when unauthorized operability of the application is detected; and a fraud handling processing step of performing predetermined response processing on the terminal device when fraud detection information is received.
- the method may further have an application information search step in which the fraud detection server device searches whether the application information notified from the terminal device has already been registered in the application database, and a registration state notification step of notifying the terminal device of the search result; in the feature value transmission step, the fraud detection server device is then notified of the predetermined feature value based on the application file, or element files constituting the package of the application, that was not registered.
- the installation state of the application may be recorded in the application database for each terminal device, and when unauthorized operability of the application is detected, the fraud detection information may be transmitted to the terminal device even after the application has already been deleted from that device.
- a predetermined feature value based on an arbitrary input application file or an element file constituting the package of the application may be calculated, the unauthorized operability of the application detected, and the feature value registered in the application database in association with the unauthorized operability information.
- by adopting the above configuration, the present invention has the following effects. Since the terminal device only needs to perform simple processing such as feature value calculation, and only when the installation state of an application changes, the load on the terminal device can be minimized; in particular, this contributes to power saving, which is important for a terminal device. Since detection of unauthorized operability is performed centrally by the fraud detection server device, the latest signature file can always be used, and because detection is performed by a server device with high processing capability, improved detection accuracy and high-speed detection can be realized.
- by recording the installation state of the applications on each terminal device in the fraud detection server device, when unauthorized operability of an application is confirmed with the latest signature file, the terminal device can take the necessary measures even if the application has already been deleted.
- FIG. 1 is an overall view of the unauthorized application detection system of the present invention. FIG. 2 is a flowchart of the unauthorized application detection method of the invention. FIG. 3 is a sequence diagram for the case where an application is unregistered. FIG. 4 is a sequence diagram for the case where an application has already been registered. FIG. 5 is a sequence diagram for the case where an application is deleted on the terminal side. FIG. 6 is a sequence diagram for the case where a detection result is updated.
- FIG. 1 is an overall view of an unauthorized application detection system according to the present invention.
- the system includes a terminal device (hereinafter referred to as a terminal) (1) on which a user can install applications as appropriate, and a fraud detection server device (hereinafter referred to as a server) (2) that detects unauthorized operability of the applications installed in each terminal.
- the terminal (1) and the server (2) are connected by a network (3) such as the Internet, a LAN, or a mobile phone network.
- the terminal (1) is mainly assumed to be a portable terminal device such as a smartphone, mobile phone or tablet PC, but may also be a personal computer or the like. As is well known, these devices include network connection means, a CPU, memory, display means such as a liquid crystal screen, and input means such as a keyboard or touch panel.
- the server (2) can also be conveniently configured from a general personal computer or server equipment, which are similarly provided with a CPU, memory, external storage means such as a hard disk, display means, and input means.
- the terminal (1) is provided with the following processing means by the cooperation of the CPU and the memory.
- the installation state detection unit (10) detects that the installation state of an application has changed on the terminal (1), and when the installation state changes, the installation notification unit (11) notifies the server (2) of the installed application information through the network (3).
- the feature value calculation unit (12) calculates a predetermined feature value based on the installed application file or an element file constituting the package of the application. In this embodiment, a hash value or the like can be used as the feature value.
- the calculated feature value is notified from the feature value transmission unit (13) to the server (2) through the network (3).
- the terminal also has a fraud detection information receiving unit (14) that receives fraud detection information when the server (2) detects unauthorized operability of an application, and a fraud handling unit (15) that performs predetermined response processing on the terminal device when fraud detection information is received.
- the server (2) is provided with the following processing means by the cooperation of the CPU and the memory.
- the installation notification receiving unit (20) receives the installed application information from the installation notification unit (11) of the terminal.
- the application information search unit (21) searches whether or not the notified application information has already been registered in the application database.
- the registration status notification unit (22) notifies the terminal (1) of the search result as to whether registration has been completed.
- the feature value receiving unit (23) receives the feature value from the feature value transmitting unit (13) of the terminal (1). The server further has a fraud detection unit (24) that detects the unauthorized operability of the registered application within the apparatus or acquires the detection result from outside, a fraud detection result recording unit (25) that registers the feature value in the application database (28) in association with the unauthorized operability information, and a fraud detection information transmitting unit (26) that transmits fraud detection information to the terminal (1). As another embodiment, the server (2) may also be provided with a feature value calculation unit (27).
- FIG. 2 is a flowchart of the unauthorized application detection method of the present invention. A specific embodiment of the present invention will be described using this flowchart.
- detection of an unauthorized application starts when a change in the installation state of an application is detected on the terminal (1) side (installation state detection step: S1).
- the installation state refers to the various states of an application on the terminal, such as installation, deletion, version update, and change from a trial version to the regular version.
- the installation state detection unit (10) may run constantly in the background; however, to reduce the processing load, it is desirable to detect the installation state triggered by an event that occurs when the installation state changes.
- when a change is detected, an installation notification (S2) is sent from the installation notification unit (11) to the installation notification receiving unit (20).
- the feature value may be transmitted regardless of whether the application information is registered on the server (2) side, but it is preferable for the server (2) to first search the registration state of the application information. Therefore, on the server (2), the application information search unit (21) searches the application database (28) to determine whether information on the notified application has already been registered (application information search step: S3). The registration status notification unit (22) then notifies the terminal (1) of the registration status (S4). On the terminal (1) side, processing differs depending on the registration state.
- if the application is not registered, the feature value calculated in advance by the feature value calculation unit (12) is transmitted to the server (S6) for registration; for an already registered application it is not sent. Thus the feature value is transmitted from the feature value transmitting unit (13) to the feature value receiving unit (23) only when there is an unregistered feature value, which contributes to faster processing and a reduced communication volume.
- on the server (2), the application whose feature value has been sent is recorded in the application database (28) together with the application information.
- when the fraud detection unit (24) detects the unauthorized operability of the application (fraud detection step: S7), the fraud detection result recording unit (25) records this information together with the feature value in the application database (28).
- the fraud detection unit (24) can use any known detection method for viruses, malware and the like, so a description of the detection method itself is omitted.
- the fraud detection unit (24) may itself detect the unauthorized operability of the application, or may be configured to acquire the information from a separately provided database of unauthorized applications.
- detection by the fraud detection unit (24) may be performed at a constant cycle or each time a new application is registered, using the latest signature file each time.
- the unauthorized operability information is not limited to cases where unauthorized operability is recognized; it may also include information that no unauthorized operation was found. When it cannot be fully confirmed, it may be recorded as incomplete information. Furthermore, when detection by the fraud detection unit (24) is not performed immediately, the application may be registered as "unauthorized operability not yet detected" immediately after the feature value is received, and the application database (28) updated when detection is performed later.
- the fraud detection information transmitting unit (26) transmits to the fraud detection information receiving unit (14) whether or not unauthorized operability has been recognized in the application. It may transmit only when unauthorized operability is recognized, or it may transmit the presence or absence of unauthorized operability (fraud detection information transmission step: S9).
- when the fraud detection information receiving unit (14) receives information that the application has unauthorized operability, the fraud handling unit (15) performs fraud handling processing (S10). Examples include displaying a screen that prompts the user to delete the application, and automatic deletion. Even when unauthorized operability is not recognized, a response such as displaying that the application is safe may be performed.
- FIG. 3 is a sequence diagram when an application is not registered in the server (2).
- first, the terminal (1) inquires whether apk (Android application package) information exists in the application database (28). If the application is not registered, No is returned. This corresponds to the installation notification step (S2) through the registration notification step (S4) of the present invention.
- if unregistered, the feature value transmission unit (13) transmits the apk information to the server (2). The apk information may be a hash value of a file included in the apk, for example a hash value computed with SHA1 as the hash function, and may also include the file name and version. Feature value calculation using a hash function is well known, and is performed by the feature value calculation unit (12) at any appropriate time before transmission.
- next, feature values relating to the component elements (denoted dna) included in the apk are transmitted (S32). Since an apk includes a plurality of dna, the transmission is repeated for as many dna as are to be inspected. As the feature value for a dna, its name (name), type (dna_type), hash value (filehash) and hash type (hash_type) are transmitted. To reduce the load on the terminal device, it is preferable to predefine as the inspection target those dna that strongly influence unauthorized operability and to inspect only the necessary minimum. This process corresponds to the feature value transmission step (S6) and the fraud detection result recording step (S7) of the present invention.
- terminal installation information is then added: the terminal identification number (device id) and the hash value of the apk are registered in the application database (28). This may be done at this point, or simultaneously with the installation notification step (S2).
- the present invention is characterized in that the application database (28) stores the application installation status for each terminal.
- in this embodiment the application database is described as a single database, but it may be divided, for example into a per-terminal application database and an unauthorized operability database. In that case, management of the unauthorized operability database can be entrusted to a security company, while only the per-terminal application database is managed by an organization such as a company or a school.
- the terminal (1) then inquires whether the apk is illegal (S34), and the fraud detection information transmitting unit (26) responds (S35). This corresponds to the fraud detection information transmission step (S9).
- if the apk is illegal, a warning is displayed and a screen prompting the user (30) to uninstall the application is shown. This corresponds to the fraud handling process (S10).
- FIG. 4 is a sequence diagram when the application is registered.
- if apk information is recorded in the application database (28), Yes is returned.
- the terminal then requests the list of registered dna (S40), and the registration status notification unit (22) returns the list of dna feature values recorded in the application database (28) (S41). The dna feature values provided are, for example, filehash, hash_type and dna_type.
- the terminal (1) compares this list with its own dna, the feature value transmission unit (13) transmits the feature values for the dna that are missing on the server (S42), and the server (2) records them in the application database (28). Subsequent processing is the same as in FIG. 3.
- FIG. 5 is a sequence diagram when the application is deleted on the terminal side.
- when the application is uninstalled, the installation state detection unit (10) detects this and the installation notification unit (11) sends an installation information update (S51).
- in addition to the terminal identification number (device id) and the hash value (hash) of the application, the installation information includes an indication that uninstallation has been performed (uninstall).
- the server (2) updates the application database (28) accordingly.
- FIG. 6 shows a sequence diagram when the detection result is updated.
- the administrator (60) of the system registers in the application database (28) a new unauthorized application whose unauthorized operability has been confirmed with the latest signature (S60).
- alternatively, in the fraud detection step (S7) of the present invention, unauthorized operability of the application may be detected and registered in the application database (28).
- when a new detection result is registered, the fraud detection information transmission unit (26) refers to the installation history in the application database and transmits fraud detection information to each terminal (1) that has a record of having installed the application. On the terminal (1), processing is performed by the fraud handling unit (15) as described above.
- the fraud detection information transmitting unit (26) may vary the fraud detection information it sends depending on the current installation state. For example, for an application that still exhibits unauthorized operability after uninstallation, fraud detection information may be transmitted even to terminals that have uninstalled it, while for an application that causes no problem once uninstalled, it may not be.
- the fraud detection information may also depend on the combination of installed applications. For example, when unauthorized operation occurs only when application A and application B are both installed, the fraud detection information may be transmitted only to terminals (1) on which both applications are installed.
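The exchanges of FIGs. 3 to 6 as a small Python model, added here as an illustration and not code from the patent: the server keeps the per-terminal install history the page describes, the terminal sends every dna when the apk is unregistered and only the missing ones when it is registered, and an updated detection result reaches terminals that have since uninstalled the app. Class and method names, the `notify_uninstalled` switch and all hashes are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# A dna feature value as the page describes it: (name, dna_type, filehash, hash_type).
Dna = Tuple[str, str, str, str]


class FraudDetectionServer:
    """Server (2) with the two databases the page allows: an unauthorized-operability
    DB keyed by apk hash, and a per-terminal application DB recording install history."""

    def __init__(self) -> None:
        # apk_hash -> {"dna": set of Dna, "verdict": None | "malicious" | "clean"}
        self.apps: Dict[str, dict] = {}
        # apk_hash -> {device_id: True (installed) / False (uninstalled)}
        self.installs: Dict[str, Dict[str, bool]] = {}
        # fraud detection information actually transmitted: (device_id, apk_hash, verdict)
        self.sent: List[Tuple[str, str, str]] = []

    def install_notification(self, device_id: str, apk_hash: str) -> bool:
        """S2 to S4: record the install for this terminal; answer whether apk is registered."""
        self.installs.setdefault(apk_hash, {})[device_id] = True
        return apk_hash in self.apps

    def registered_dna(self, apk_hash: str) -> Set[Dna]:
        """S41 (FIG. 4): dna feature values already recorded for a registered apk."""
        entry = self.apps.get(apk_hash)
        return set(entry["dna"]) if entry else set()

    def receive_feature_values(self, apk_hash: str, dna: Set[Dna]) -> None:
        """S32 / S42: register feature values. The verdict stays None ("not yet
        detected") until the fraud detection unit (24) runs."""
        entry = self.apps.setdefault(apk_hash, {"dna": set(), "verdict": None})
        entry["dna"].update(dna)

    def fraud_query(self, apk_hash: str):
        """S34 / S35: the terminal asks whether the apk is illegal."""
        entry = self.apps.get(apk_hash)
        return entry["verdict"] if entry else None

    def uninstall_notification(self, device_id: str, apk_hash: str) -> None:
        """S51 (FIG. 5): an uninstall flips the state but keeps the history row."""
        self.installs.setdefault(apk_hash, {})[device_id] = False

    def update_detection_result(self, apk_hash: str, verdict: str,
                                notify_uninstalled: bool = True) -> List[str]:
        """S60 (FIG. 6): a new detection result is registered. Every terminal with an
        install record is notified; notify_uninstalled models the page's distinction
        between apps that still misbehave after uninstall (notify anyway) and apps
        that do not (skip terminals that uninstalled). Returns the device ids notified."""
        entry = self.apps.setdefault(apk_hash, {"dna": set(), "verdict": None})
        entry["verdict"] = verdict
        notified: List[str] = []
        if verdict != "malicious":
            return notified
        for device_id, installed in sorted(self.installs.get(apk_hash, {}).items()):
            if installed or notify_uninstalled:
                self.sent.append((device_id, apk_hash, verdict))
                notified.append(device_id)
        return notified


def terminal_install(server: FraudDetectionServer, device_id: str,
                     apk_hash: str, local_dna: Set[Dna]) -> Set[Dna]:
    """Terminal (1) side of S2 to S6: send every dna when the apk is unregistered
    (FIG. 3), only the dna the server lacks when it is registered (FIG. 4).
    Returns the dna actually sent."""
    registered = server.install_notification(device_id, apk_hash)
    if registered:
        missing = set(local_dna) - server.registered_dna(apk_hash)
    else:
        missing = set(local_dna)
    if missing:
        server.receive_feature_values(apk_hash, missing)
    return missing


def scenario() -> dict:
    """Constructed walk-through of FIGs. 3 to 6 with made-up hashes."""
    srv = FraudDetectionServer()
    apk = "apkhash-constructed"
    dna_v1 = {("classes.dex", "dex", "hash-dex", "sha1"),
              ("AndroidManifest.xml", "manifest", "hash-manifest", "sha1")}
    # device-B inspects one more element than device-A did
    dna_v2 = dna_v1 | {("META-INF/CERT.RSA", "cert", "hash-cert", "sha1")}
    sent_a = terminal_install(srv, "device-A", apk, dna_v1)  # FIG. 3: unregistered
    sent_b = terminal_install(srv, "device-B", apk, dna_v2)  # FIG. 4: only the gap
    srv.uninstall_notification("device-A", apk)               # FIG. 5
    notified_all = srv.update_detection_result(apk, "malicious")         # FIG. 6
    notified_live = srv.update_detection_result(apk, "malicious", False)
    return {"sent_a": sent_a, "sent_b": sent_b, "notified_all": notified_all,
            "notified_live": notified_live, "verdict": srv.fraud_query(apk)}


if __name__ == "__main__":
    print(scenario())
```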
- this completes the processing of the illustrated sequence diagrams. Finally, some details of the embodiment in each processing step are given.
- in the feature value transmission step (S6), when application information is registered in the server (2) for the first time, not only the feature value but also the application itself can be uploaded to the server (2), and the server (2) can then perform the fraud detection processing (S7) on the uploaded application. Instead of transmitting the application itself from the terminal (1), the server (2) may be notified of the URL from which the application was acquired and download it from that URL.
- in addition to the triggers shown in the figures, the inquiry as to whether an apk is illegal may be performed when the terminal (1) is started, when a smartphone or mobile phone terminal returns into communication range from outside it, or when an application is uninstalled.
- the feature value according to the present invention is not limited to the above hash value.
- the hash function is not limited to SHA1; any function such as SHA1, SHA256 or MD5 can be used as the hash type. A hash function defined specifically for this system may also be used, or the type may be changed according to the target being hashed.
- the target for calculating the hash value is an application file or an element file constituting the package of the application. Preferred examples in an Android apk package include the dex file (program code), the manifest (application configuration XML file including the package name etc.), CERT (signature file), and elf (Linux (registered trademark) executable code). When another apk is included in the apk, the hash value of the included apk may be used.
- rather than the hash value of the whole file, the hash value of each class code in the dex file may be used. In this case, instead of taking one hash value from the dex file, a different hash value is calculated for each class code included in the dex file.
- the feature value is not limited to a hash value; metadata or a character string derived from an application file or an element file constituting the package may be used. For example, the class name list in the dex file may be used as the feature value, and partial matching may be adopted.
- in the above embodiment the feature value calculation unit (12) is provided only on the terminal (1) side, but the server (2) can also be provided with a feature value calculation unit (27). For example, when unauthorized operability of an application is to be detected and recorded in the database regardless of whether the application is installed on any terminal (1), the server (2) alone downloads the application, calculates the feature values, performs detection, and stores the result in the application database (28).
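Computing the whole-apk hash and the per-element dna feature values (name, dna_type, filehash, hash_type) described above, as an added Python example that is not the patent's code. It treats the apk as the zip archive it is, selects the element files the page names (dex, manifest, CERT, elf, nested apk) as the inspected dna, and shows why element-level values matter: a repackaged copy with an added resource changes the apk hash but leaves the dna unchanged. The element selection and the sample archive are constructed here.

```python
import hashlib
import io
import zipfile

# Element files the page names as preferred hash targets, mapped to a dna_type.
# Which elements count as inspected "dna" is a constructed choice for this example.
DNA_TARGETS = {
    "classes.dex": "dex",               # program code
    "AndroidManifest.xml": "manifest",  # application configuration XML
    "META-INF/CERT.RSA": "cert",        # signature file
}
HASH_TYPE = "sha1"  # the page also allows SHA256 and other hash types


def feature_hash(data: bytes, hash_type: str = HASH_TYPE) -> str:
    """Feature value of one element file: hex digest under the chosen hash type."""
    return hashlib.new(hash_type, data).hexdigest()


def classify_element(name: str):
    """Return the dna_type for an archive member, or None if it is not inspected."""
    if name in DNA_TARGETS:
        return DNA_TARGETS[name]
    if name.startswith("lib/") and name.endswith(".so"):
        return "elf"  # native (ELF) executable code
    if name.endswith(".apk"):
        return "apk"  # nested apk: the page allows hashing the included package
    return None


def apk_feature_values(apk_bytes: bytes, hash_type: str = HASH_TYPE) -> dict:
    """Compute what the terminal sends: the whole-apk hash (installation notification,
    S2) and one dna record per inspected element (feature value transmission, S32)."""
    dna = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dna_type = classify_element(info.filename)
            if dna_type is None:
                continue
            dna.append({"name": info.filename, "dna_type": dna_type,
                        "filehash": feature_hash(zf.read(info), hash_type),
                        "hash_type": hash_type})
    return {"hash": feature_hash(apk_bytes, hash_type), "dna": dna}


def build_sample_apk(dex: bytes, manifest: bytes, cert: bytes, extra=None) -> bytes:
    """Constructed stand-in for an apk: a zip with the usual member names (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/CERT.RSA", cert)
        zf.writestr("res/values/strings.xml", b"<resources/>")  # not an inspected dna
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(b"dex\n035\x00constructed", b"<manifest/>", b"cert")
    for record in apk_feature_values(sample)["dna"]:
        print(record)
```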
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Stored Programmes (AREA)
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
However, because portable terminal devices have limited hardware resources, approaches different from those used on personal computers have been proposed.
The terminal device comprises: an installation state detection processing unit that detects that the installation state of an application has changed; an installation notification processing unit that, when the installation state changes, notifies the fraud detection server device of information on the installed application; a feature value calculation processing unit that calculates a predetermined feature value based on the application file or on an element file constituting the package of the application; a feature value transmission processing unit that notifies the fraud detection server device of the application information and its feature value; a fraud detection information reception processing unit that receives fraud detection information from the fraud detection server device at least when malicious behaviour of the application has been detected; and a fraud-response processing unit that performs a predetermined response action on the terminal device when fraud detection information is received.
The detection method is characterised by having the following steps:
- an installation state detection step of detecting that the installation state of an application on the terminal device has changed
- an installation notification step of notifying the fraud detection server device of the installed application information when the installation state changes
- a feature value transmission step of notifying the fraud detection server device of a predetermined feature value based on the application file, or on an element file constituting the package of the application
- a fraud detection result recording step of registering the feature value in an application database in association with the malicious behaviour of the application
- a fraud detection information transmission step of transmitting fraud detection information to the terminal device at least when malicious behaviour of the application has been detected
- a fraud-response processing step of performing a predetermined response action on the terminal device when the fraud detection information is received
The method may further have:
- an application information search step in which the fraud detection server device searches whether the application information notified from the terminal device is already registered in the application database
- a registration status notification step of notifying the terminal device of the search result, i.e. whether it is registered
and in the feature value transmission step the fraud detection server device is notified of the predetermined feature value based on the application file, or on an element file constituting the package of the application, only for an application that was not registered.
That is, the terminal device only needs to perform light processing such as feature value calculation, and only when the installation state of an application changes, so the load on the terminal device is kept to a minimum. In particular, this also contributes to power saving, which is important on a terminal device.
Because detection of malicious behaviour of applications is performed centrally on the fraud detection server device, the latest signature file can always be used, and performing detection on a server device with high processing capacity improves detection accuracy and speed.
Fig. 1 is an overall view of the unauthorized application detection system of the present invention. The system consists of a terminal device (hereinafter "terminal") (1) on which the user can install applications as desired, and a fraud detection server device (hereinafter "server") (2) that detects malicious behaviour of the applications installed on each terminal device.
The terminal (1) and the server (2) are connected by a network (3) such as the Internet, a LAN or a mobile phone network.
The server (2) is also conveniently built from an ordinary personal computer or server machine, which likewise has a CPU, memory, external storage such as a hard disk, display means and input means.
First, the installation state detection unit (10) detects that the installation state of an application on the terminal (1) has changed, and when the installation state changes the installation notification unit (11) notifies the server (2) side, via the network (3), of information on the installed application.
The calculated feature value is sent from the feature value transmission unit (13) to the server (2) side via the network (3).
That is, the installation notification reception unit (20) receives the installed application information from the installation notification unit (11) of the terminal. The application information search unit (21) searches whether the notified application information is already registered in the application database. The registration status notification unit (22) notifies the terminal (1) of the search result, i.e. whether it is registered.
Furthermore, as another embodiment, the server (2) may be provided with a feature value calculation unit (27).
Detection of an unauthorized application starts when the terminal (1) side detects the installation state of an application. (Installation state detection step: S1)
Therefore, on the server (2), the application information search unit (21) searches the application database (28) for whether information on the notified application is already registered. (Application information search step: S3)
The registration status notification unit (22) then notifies the terminal (1) of the registration status (S4). On the terminal (1) side, processing differs according to the registration status.
By sending feature values from the feature value transmission unit (13) to the feature value reception unit (23) only when there are unregistered feature values, processing is sped up and the amount of communication is reduced.
At this time, when information on malicious behaviour is obtained by the fraud detection unit (24), the fraud detection result recording unit (25) records it in the application database (28) together with the feature value. (Fraud detection result recording step: S8)
Detection by the fraud detection unit (24) may be performed at a fixed interval or every time a new application is registered, updating to the latest signature file each time.
Further, when detection by the fraud detection unit (24) is not performed immediately, the application may be registered provisionally as "malicious behaviour not detected" right after the feature value is received, and the application database (28) updated when detection is performed later.
Examples of fraud-response processing include displaying a screen that prompts the user to delete the application, or deleting it automatically.
Also, when no malicious behaviour is found, response processing such as displaying a message that the application is safe may be performed.
Fig. 3 is a sequence diagram for the case where the application is not registered on the server (2).
Methods of calculating a feature value with a hash function are well known; the calculation is performed by the feature value calculation unit (12) at any appropriate point before transmission.
As for the inspection targets, it is preferable from the viewpoint of reducing the load on the terminal device to define in advance the dna that strongly influence malicious behaviour and to inspect only the minimum necessary dna.
This processing corresponds to the feature value transmission step (S6) and the fraud detection result recording step (S7) of the present invention.
In this case, management of the malicious behaviour database can be entrusted to a security specialist company, while only the per-terminal application database is managed by an organisation such as a company or a school.
For an unauthorized application, a warning is displayed and a screen prompting uninstallation is shown to the user (30). This corresponds to the fraud-response processing (S10).
As in the case of Fig. 3, when the server is queried whether the apk information exists, Yes is returned if the apk information is recorded in the application database (28). As described above, when apk information is registered, the information on its dna is registered linked to it, so the terminal requests this list (S40).
Subsequent processing is the same as in Fig. 3 and its description is omitted.
On the server (2), the application database (28) is updated.
As an example of using this installation history, Fig. 6 shows a sequence diagram for when a detection result is updated.
At this time, the fraud detection information transmission unit (26) consults the installation history in the application database and sends fraud detection information to every terminal (1) that has a record of having installed the application. On the terminal (1), it is handled by the fraud-response unit (15) as described above.
First, in the feature value transmission step (S6), when application information is registered on the server (2) for the first time, not only the feature value but the application itself can be uploaded to the server (2). The server (2) can then perform the fraud detection processing (S7) on the uploaded application.
Alternatively, instead of sending the application itself from the terminal (1), the URL or similar from which it was obtained may be notified to the server (2), and the server (2) downloads the application from that URL.
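The terminal/server exchange described above (steps S1 to S10, the S40 shortcut for an already-registered apk, and the Fig. 6 notification from the installation history), as an added example in Python. This is not the patent's code: the message fields, the split of the application database (28) into a dna/result table and a per-terminal install history (claim 4), exact-digest signature matching, and the polling used to stand in for the server's push of fraud detection information are all this example's assumptions, and the package bytes are constructed.

```python
import hashlib
from typing import Dict, List, Set

UNDETECTED, MALICIOUS, CLEAN = "undetected", "malicious", "clean"


def feature_value(data: bytes) -> str:
    """One feature value ('dna') per element file; SHA-256 here, the patent allows other hashes."""
    return hashlib.sha256(data).hexdigest()


class Server:
    """Fraud detection server (2) with the application database (28) split as in claim 4."""

    def __init__(self, signatures: Set[str]):
        self.signatures = set(signatures)          # feature values known to be malicious (constructed)
        self.dna_db: Dict[str, dict] = {}          # app_id -> {"dna": [...], "status": ...}
        self.install_db: Dict[str, Set[str]] = {}  # app_id -> every terminal that ever installed it
        self.outbox: List[dict] = []               # fraud detection info awaiting delivery (S9)
        self.uploads = 0                           # how often a terminal had to send dna

    def install_notice(self, terminal_id: str, app_id: str) -> dict:
        """S2-S4: record the install in the history and answer whether the app is registered.
        If it is registered and already flagged, the stored result is returned at once (S40)."""
        self.install_db.setdefault(app_id, set()).add(terminal_id)
        registered = app_id in self.dna_db
        if registered and self.dna_db[app_id]["status"] == MALICIOUS:
            self.outbox.append({"to": terminal_id, "app_id": app_id, "status": MALICIOUS})
        return {"app_id": app_id, "registered": registered}

    def receive_dna(self, app_id: str, dna: List[str]) -> None:
        """S6/S8: register provisionally as 'undetected', then run detection (S7)."""
        self.uploads += 1
        self.dna_db[app_id] = {"dna": list(dna), "status": UNDETECTED}
        self.detect(app_id)

    def detect(self, app_id: str) -> None:
        """S7: signature match over the stored dna; on a hit, queue info for every terminal in history."""
        entry = self.dna_db[app_id]
        hit = any(d in self.signatures for d in entry["dna"])
        entry["status"] = MALICIOUS if hit else CLEAN
        if hit:
            for tid in sorted(self.install_db.get(app_id, ())):   # uninstalled terminals included
                self.outbox.append({"to": tid, "app_id": app_id, "status": MALICIOUS})

    def update_signatures(self, new: Set[str]) -> None:
        """Fig. 6: a new signature file arrives; re-check every registered app not yet flagged."""
        self.signatures |= set(new)
        for app_id in list(self.dna_db):
            if self.dna_db[app_id]["status"] != MALICIOUS:
                self.detect(app_id)

    def status(self, app_id: str) -> str:
        return self.dna_db[app_id]["status"]


class Terminal:
    """Terminal (1): hashes only on install; detection is left to the server."""

    def __init__(self, terminal_id: str, server: Server):
        self.id, self.server = terminal_id, server
        self.installed: Set[str] = set()
        self.actions: List[str] = []   # response actions taken (S10), kept for inspection

    def install(self, app_id: str, elements: Dict[str, bytes]) -> None:
        self.installed.add(app_id)                                   # S1: install state changed
        reply = self.server.install_notice(self.id, app_id)          # S2 -> S4
        if not reply["registered"]:                                  # S5: hash only when needed
            self.server.receive_dna(app_id, [feature_value(b) for b in elements.values()])  # S6
        if self.server.status(app_id) == CLEAN:
            self.actions.append(f"{app_id}:show_safe")               # optional "safe" display
        self.poll()

    def uninstall(self, app_id: str) -> None:
        self.installed.discard(app_id)   # the server's install history is kept regardless

    def poll(self) -> None:
        """S9/S10: take delivery of fraud detection info addressed to this terminal."""
        for msg in [m for m in self.server.outbox if m["to"] == self.id]:
            self.server.outbox.remove(msg)
            still_here = msg["app_id"] in self.installed
            self.actions.append(f"{msg['app_id']}:" + ("prompt_uninstall" if still_here else "warn_previously_installed"))


def run_scenario():
    """Two terminals install the same constructed package; a later signature update flags it."""
    bad_dex = b"dex\n035\x00constructed classes.dex of a malicious build"
    pkg = {"classes.dex": bad_dex, "AndroidManifest.xml": b'<manifest package="com.example.game"/>'}
    server = Server(signatures=set())                    # nothing known yet
    t1, t2, t3 = (Terminal(n, server) for n in ("t1", "t2", "t3"))
    t1.install("com.example.game", pkg)                  # unregistered: t1 uploads dna
    t2.install("com.example.game", pkg)                  # registered: no upload, result reused
    t1.uninstall("com.example.game")
    server.update_signatures({feature_value(bad_dex)})   # Fig. 6: signature for that dex arrives
    t1.poll(); t2.poll()                                 # t1 is warned although it uninstalled
    t3.install("com.example.game", pkg)                  # installs after flagging: S40 path
    return server, t1, t2, t3


if __name__ == "__main__":
    s, a, b, c = run_scenario()
    print(s.status("com.example.game"), a.actions, b.actions, c.actions)
```

The point to check in a real deployment is the install history: the server notifies t1 from `install_db` even though t1 has already uninstalled, which is exactly what claim 3 requires, and only one dna upload happens for three installs of the same package.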
First, the hash function is not limited to the SHA1 above; any hash function such as SHA1, SHA256 or MD5 may be used. A hash function defined specifically for this system may be used, or the type of hash may be varied according to the target being hashed.
Preferable examples are the dex file (program code) contained in an android apk package, the manifest (the application configuration XML file, which includes the package name and so on), CERT (the signature file), and elf (Linux (registered trademark) executable code).
When another apk is contained inside an apk, the hash value of the contained apk may be used.
For example, the list of class names in the dex file may be used as the feature value, with partial matching adopted.
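Per-element feature values ("dna") of an apk package, as described in the bullet list earlier on this page and in the paragraphs just above, as an added example in Python. It is not the patent's code: the zip-path patterns used to pick out the dex, manifest, CERT and elf elements, the `!/` key prefix for an embedded apk, and the sample package bytes are this example's constructions. Going beyond the text, an embedded apk is both hashed as a whole (as the patent suggests) and unpacked so its own elements are hashed too, and the class-name list check returns a match fraction rather than a yes/no.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

# Constructed element contents for the sample package (not real dex, DER or ELF data).
SAMPLE_DEX = b"dex\n035\x00Lcom/example/app/MainActivity;Lcom/evil/Dropper;"
SAMPLE_MANIFEST = b'<manifest package="com.example.app"/>'
SAMPLE_CERT = b"\x30\x82\x01\x00constructed-pkcs7-signature-block"
SAMPLE_ELF = b"\x7fELF\x01\x01\x01\x00constructed-native-library"
SAMPLE_INNER_DEX = b"dex\n035\x00Lcom/evil/Payload;"


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hash with a selectable algorithm; the patent allows SHA1, SHA256, MD5 or a custom function."""
    return hashlib.new(algo, data).hexdigest()


def is_element(name: str) -> bool:
    """Zip entries treated as dna elements: dex code, manifest, CERT signature block, ELF libraries.
    The path patterns are this example's choice for the standard apk layout."""
    if name == "AndroidManifest.xml":
        return True
    if name.startswith("classes") and name.endswith(".dex"):
        return True   # classes.dex, plus multidex classes2.dex and so on
    if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
        return True   # CERT.RSA etc.: the signing certificate and signature block
    if name.startswith("lib/") and name.endswith(".so"):
        return True   # native (ELF) executable code
    return False


def element_hashes(apk_bytes: bytes, algo: str = "sha256", prefix: str = "") -> Dict[str, str]:
    """Map each element path to its digest. An embedded apk is hashed as a whole and also
    unpacked, its elements appearing under '<path>!/' keys."""
    values: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            if name.endswith(".apk"):
                values[prefix + name] = digest(data, algo)
                values.update(element_hashes(data, algo, prefix + name + "!/"))
            elif is_element(name):
                values[prefix + name] = digest(data, algo)
    return values


def class_name_match(app_classes: List[str], known_bad: List[str]) -> float:
    """Partial match on a class-name list: fraction of the known-malicious names present."""
    if not known_bad:
        return 0.0
    present = set(app_classes)
    return sum(1 for c in known_bad if c in present) / len(known_bad)


def build_sample_apk() -> bytes:
    """Constructed apk: the element files above, one resource that is not an element, and an
    embedded apk under assets/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("classes.dex", SAMPLE_INNER_DEX)
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.evil.payload"/>')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        zf.writestr("classes.dex", SAMPLE_DEX)
        zf.writestr("META-INF/CERT.RSA", SAMPLE_CERT)
        zf.writestr("lib/armeabi-v7a/libnative.so", SAMPLE_ELF)
        zf.writestr("res/drawable/icon.png", b"\x89PNG constructed, not an element")
        zf.writestr("assets/payload.apk", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, h in sorted(element_hashes(build_sample_apk()).items()):
        print(f"{h[:16]}...  {path}")
```

Two practical notes. The patent lists MD5 and SHA1 among the allowed hashes; since both have practical collision attacks, a deployment should use SHA256 (the default here) so that an attacker cannot craft a malicious element that shares the digest of a benign one. Hashing the CERT signature block pins the signing certificate, so an app re-signed by a different key shows up as a new feature value even when its dex is unchanged.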
10 installation state detection unit
11 installation notification unit
12 feature value calculation unit
13 feature value transmission unit
14 fraud detection information reception unit
15 fraud-response unit
2 fraud detection server
20 installation notification reception unit
21 application information search unit
22 registration status notification unit
23 feature value reception unit
24 fraud detection unit
25 fraud detection result recording unit
26 fraud detection information transmission unit
27 feature value calculation unit
28 application database
3 network
Claims (11)
- An unauthorized application detection system composed of a terminal device on which a user can install applications as desired and a fraud detection server device that detects malicious behaviour of applications installed on the terminal device, wherein
  the terminal device comprises:
  an installation state detection processing unit that detects that the installation state of an application has changed;
  an installation notification processing unit that, when the installation state changes, notifies the fraud detection server device of the installed application information;
  a feature value calculation processing unit that calculates a predetermined feature value based on the application file or on an element file constituting the package of the application;
  a feature value transmission processing unit that notifies the fraud detection server device of the application information and its feature value;
  a fraud detection information reception processing unit that receives fraud detection information from the fraud detection server device at least when malicious behaviour of the application has been detected; and
  a fraud-response processing unit that performs a predetermined response action on the terminal device when the fraud detection information is received,
  and the fraud detection server device comprises:
  an installation notification reception processing unit that receives the installed application information from the installation notification processing unit of the terminal device;
  a feature value reception processing unit that receives the feature value from the feature value transmission processing unit of the terminal device;
  a fraud detection processing unit that detects malicious behaviour of registered applications, either by detecting it within the device or by obtaining it from outside;
  a fraud detection result recording processing unit that registers the feature value in an application database in association with the malicious behaviour information; and
  a fraud detection information transmission processing unit that transmits fraud detection information to the terminal device at least when malicious behaviour of the application has been detected.
- The unauthorized application detection system according to claim 1, wherein the fraud detection server device further comprises:
  an application information search processing unit that searches whether the notified application information is already registered in the application database; and
  a registration status notification processing unit that notifies the terminal device of the search result as to whether it is registered,
  and the feature value transmission processing unit of the terminal device notifies the fraud detection server device of the application information and its feature value depending on whether the application information is already registered at the fraud detection server device.
- The unauthorized application detection system according to claim 1 or 2, wherein, in the fraud detection server device,
  the fraud detection result recording unit, triggered by an installation notification from the terminal device, records the installation state of applications for each terminal device in the application database, and
  when malicious behaviour of the application is detected by the fraud detection processing unit, the fraud detection information transmission processing unit transmits the fraud detection information even after the application has already been deleted from the terminal device.
- The unauthorized application detection system according to any one of claims 1 to 3, wherein the application database is divided into
  a per-terminal application database that records the installation state of each terminal, and
  a malicious behaviour database that records the feature value in association with the malicious behaviour information.
- The unauthorized application detection system according to any one of claims 1 to 4, wherein the fraud detection server device comprises a feature value calculation processing unit that calculates a predetermined feature value based on any input application file or on an element file constituting the package of that application,
  the fraud detection processing unit detects malicious behaviour of that application, and
  the fraud detection result recording unit registers the feature value in the application database in association with the malicious behaviour information.
- A terminal device for use in an unauthorized application detection system composed of a terminal device on which a user can install applications as desired and a fraud detection server device that detects malicious behaviour of applications installed on the terminal device, the terminal device comprising:
  an installation state detection processing unit that detects that the installation state of an application has changed;
  an installation notification processing unit that, when the installation state changes, notifies the fraud detection server device of the installed application information;
  a feature value calculation processing unit that calculates a predetermined feature value based on the application file or on an element file constituting the package of the application;
  a feature value transmission processing unit that notifies the fraud detection server device of the application information and its feature value;
  a fraud detection information reception processing unit that receives fraud detection information from the fraud detection server device at least when malicious behaviour of the application has been detected; and
  a fraud-response processing unit that performs a predetermined response action on the terminal device when the fraud detection information is received.
- A fraud detection server device for use in an unauthorized application detection system composed of a terminal device on which a user can install applications as desired and a fraud detection server device that detects malicious behaviour of applications installed on the terminal device, the fraud detection server device comprising:
  an installation notification reception processing unit that receives the installed application information from the installation notification processing unit of the terminal device;
  a feature value reception processing unit that receives the feature value from the feature value transmission processing unit of the terminal device;
  a fraud detection processing unit that detects malicious behaviour of registered applications, either by detecting it within the device or by obtaining it from outside;
  a fraud detection result recording processing unit that registers the feature value in an application database in association with the malicious behaviour information; and
  a fraud detection information transmission processing unit that transmits fraud detection information to the terminal device at least when malicious behaviour of the application has been detected.
- A method for detecting an unauthorized application installed on a terminal device, using a terminal device on which a user can install applications as desired and a fraud detection server device that detects malicious behaviour of applications installed on the terminal device, the method comprising:
  an installation state detection step of detecting that the installation state of an application on the terminal device has changed;
  an installation notification step of notifying the fraud detection server device of the installed application information when the installation state changes;
  a feature value transmission step of notifying the fraud detection server device of a predetermined feature value based on the application file or on an element file constituting the package of the application;
  a fraud detection result recording step of registering the feature value in an application database in association with the malicious behaviour of the application;
  a fraud detection information transmission step of transmitting fraud detection information to the terminal device at least when malicious behaviour of the application has been detected; and
  a fraud-response processing step of performing a predetermined response action on the terminal device when the fraud detection information is received.
- The unauthorized application detection method according to claim 8, further comprising, following the installation notification step:
  an application information search step in which the fraud detection server device searches whether the application information notified from the terminal device is already registered in the application database; and
  a registration status notification step of notifying the terminal device of the search result as to whether it is registered,
  wherein in the feature value transmission step the fraud detection server device is notified of the predetermined feature value based on the application file, or on an element file constituting the package of the application, that was not registered.
- The unauthorized application detection method according to claim 8 or 9, wherein the fraud detection server device, triggered by an installation notification from the terminal device, records the installation state of applications for each terminal device in the application database, and
  when malicious behaviour of the application is detected, transmits fraud detection information to the terminal device even after the application has already been deleted from the terminal device.
- The unauthorized application detection method according to any one of claims 8 to 10, wherein the fraud detection server device calculates a predetermined feature value based on any input application file or on an element file constituting the package of that application, detects malicious behaviour of that application, and registers the feature value in the application database in association with the malicious behaviour information.
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP12847492.1A EP2779015A4 (en) | 2011-11-10 | 2012-11-09 | SYSTEM AND METHOD FOR DETECTING UNAUTHORIZED APPLICATION |
JP2013543037A JP6030566B2 (ja) | 2011-11-10 | 2012-11-09 | 不正アプリケーション検知システム及び、方法 |
US14/356,825 US9071639B2 (en) | 2011-11-10 | 2012-11-09 | Unauthorized application detection system and method |
CN201280055264.6A CN103917981A (zh) | 2011-11-10 | 2012-11-09 | 未授权应用程序的检测系统及方法 |
SG11201402078XA SG11201402078XA (en) | 2011-11-10 | 2012-11-09 | Unauthorized application detection system and method |
KR1020147014840A KR20140093699A (ko) | 2011-11-10 | 2012-11-09 | 부정 어플리케이션 검지 시스템 및 방법 |
HK14113047.0A HK1199519A1 (en) | 2011-11-10 | 2014-12-29 | Unauthorized application detection system and method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011-246193 | 2011-11-10 | ||
JP2011246193 | 2011-11-10 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013069758A1 true WO2013069758A1 (ja) | 2013-05-16 |
Family
ID=48290126
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2012/079084 WO2013069758A1 (ja) | 2011-11-10 | 2012-11-09 | 不正アプリケーション検知システム及び、方法 |
Country Status (8)
Country | Link |
---|---|
US (1) | US9071639B2 (ja) |
EP (1) | EP2779015A4 (ja) |
JP (1) | JP6030566B2 (ja) |
KR (1) | KR20140093699A (ja) |
CN (1) | CN103917981A (ja) |
HK (1) | HK1199519A1 (ja) |
SG (1) | SG11201402078XA (ja) |
WO (1) | WO2013069758A1 (ja) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013142948A1 (en) * | 2012-03-30 | 2013-10-03 | Irdeto Canada Corporation | Method and system for preventing and detecting security threats |
EP3136277B1 (en) * | 2014-04-25 | 2020-04-08 | Hitachi Systems, Ltd. | Illicit activity sensing network system and illicit activity sensing method |
CN106203104A (zh) * | 2016-06-27 | 2016-12-07 | 北京金山安全软件有限公司 | 一种恶意代码查杀方法、装置及设备 |
US10715533B2 (en) * | 2016-07-26 | 2020-07-14 | Microsoft Technology Licensing, Llc. | Remediation for ransomware attacks on cloud drive folders |
US10628585B2 (en) | 2017-01-23 | 2020-04-21 | Microsoft Technology Licensing, Llc | Ransomware resilient databases |
US10367833B2 (en) | 2017-03-07 | 2019-07-30 | International Business Machines Corporation | Detection of forbidden software through analysis of GUI components |
US10628591B2 (en) * | 2017-11-20 | 2020-04-21 | Forcepoint Llc | Method for fast and efficient discovery of data assets |
US11295026B2 (en) | 2018-11-20 | 2022-04-05 | Forcepoint, LLC | Scan, detect, and alert when a user takes a photo of a computer monitor with a mobile phone |
CN114553514A (zh) * | 2022-02-16 | 2022-05-27 | 中国建设银行股份有限公司 | 移动应用的静态注入风险检测方法及装置 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002197006A (ja) | 2000-12-25 | 2002-07-12 | Nec Corp | 携帯電話用ウィルスチェックシステムおよび方法 |
JP2006040196A (ja) | 2004-07-30 | 2006-02-09 | Hitachi Information & Control Systems Inc | ソフトウェア監視システムおよび監視方法 |
JP2007018182A (ja) | 2005-07-06 | 2007-01-25 | Mitsubishi Electric Corp | ウイルス検査装置及びウイルス検査システム |
JP2007200102A (ja) | 2006-01-27 | 2007-08-09 | Nec Corp | 不正コードおよび不正データのチェックシステム、プログラムおよび方法 |
JP2011523748A (ja) * | 2008-05-28 | 2011-08-18 | シマンテック コーポレーション | 中央集中的にマルウェアを検出するための知的ハッシュ |
JP2011210058A (ja) * | 2010-03-30 | 2011-10-20 | Fujitsu Ltd | 情報処理装置およびコンピュータプログラム |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8713680B2 (en) * | 2007-07-10 | 2014-04-29 | Samsung Electronics Co., Ltd. | Method and apparatus for modeling computer program behaviour for behavioural detection of malicious program |
US8667583B2 (en) * | 2008-09-22 | 2014-03-04 | Microsoft Corporation | Collecting and analyzing malware data |
US8347386B2 (en) * | 2008-10-21 | 2013-01-01 | Lookout, Inc. | System and method for server-coupled malware prevention |
GB2471716A (en) * | 2009-07-10 | 2011-01-12 | F Secure Oyj | Anti-virus scan management using intermediate results |
US8549641B2 (en) * | 2009-09-03 | 2013-10-01 | Palo Alto Research Center Incorporated | Pattern-based application classification |
US9239800B2 (en) * | 2011-07-27 | 2016-01-19 | Seven Networks, Llc | Automatic generation and distribution of policy information regarding malicious mobile traffic in a wireless network |
- 2012
  - 2012-11-09 EP EP12847492.1A patent/EP2779015A4/en not_active Withdrawn
  - 2012-11-09 SG SG11201402078XA patent/SG11201402078XA/en unknown
  - 2012-11-09 KR KR1020147014840A patent/KR20140093699A/ko not_active Application Discontinuation
  - 2012-11-09 WO PCT/JP2012/079084 patent/WO2013069758A1/ja active Application Filing
  - 2012-11-09 JP JP2013543037A patent/JP6030566B2/ja active Active
  - 2012-11-09 CN CN201280055264.6A patent/CN103917981A/zh active Pending
  - 2012-11-09 US US14/356,825 patent/US9071639B2/en active Active
- 2014
  - 2014-12-29 HK HK14113047.0A patent/HK1199519A1/xx unknown
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002197006A (ja) | 2000-12-25 | 2002-07-12 | Nec Corp | 携帯電話用ウィルスチェックシステムおよび方法 |
JP2006040196A (ja) | 2004-07-30 | 2006-02-09 | Hitachi Information & Control Systems Inc | ソフトウェア監視システムおよび監視方法 |
JP2007018182A (ja) | 2005-07-06 | 2007-01-25 | Mitsubishi Electric Corp | ウイルス検査装置及びウイルス検査システム |
JP2007200102A (ja) | 2006-01-27 | 2007-08-09 | Nec Corp | 不正コードおよび不正データのチェックシステム、プログラムおよび方法 |
JP2011523748A (ja) * | 2008-05-28 | 2011-08-18 | シマンテック コーポレーション | 中央集中的にマルウェアを検出するための知的ハッシュ |
JP2011210058A (ja) * | 2010-03-30 | 2011-10-20 | Fujitsu Ltd | 情報処理装置およびコンピュータプログラム |
Non-Patent Citations (1)
Title |
---|
See also references of EP2779015A4 |
Also Published As
Publication number | Publication date |
---|---|
JPWO2013069758A1 (ja) | 2015-04-02 |
HK1199519A1 (en) | 2015-07-03 |
US20140298468A1 (en) | 2014-10-02 |
CN103917981A (zh) | 2014-07-09 |
KR20140093699A (ko) | 2014-07-28 |
EP2779015A1 (en) | 2014-09-17 |
SG11201402078XA (en) | 2014-09-26 |
JP6030566B2 (ja) | 2016-11-24 |
US9071639B2 (en) | 2015-06-30 |
EP2779015A4 (en) | 2015-09-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6030566B2 (ja) | 不正アプリケーション検知システム及び、方法 | |
US11687653B2 (en) | Methods and apparatus for identifying and removing malicious applications | |
US10389740B2 (en) | Detecting a malicious file infection via sandboxing | |
CN111488571B (zh) | 配置用于恶意件测试的沙箱环境 | |
US9596257B2 (en) | Detection and prevention of installation of malicious mobile applications | |
US9015829B2 (en) | Preventing and responding to disabling of malware protection software | |
US9467463B2 (en) | System and method for assessing vulnerability of a mobile device | |
US9953164B2 (en) | Confirming a malware infection on a client device using a remote access connection tool, to identify a malicious file based on fuzz hashes | |
US10027704B2 (en) | Malicious program finding and killing device, method and server based on cloud security | |
US20120210431A1 (en) | Detecting a trojan horse | |
US10176327B2 (en) | Method and device for preventing application in an operating system from being uninstalled | |
JP6000465B2 (ja) | プロセス検査装置、プロセス検査プログラムおよびプロセス検査方法 | |
CN102882875A (zh) | 主动防御方法及装置 | |
CN105791221B (zh) | 规则下发方法及装置 | |
CN113836542B (zh) | 可信白名单匹配方法、系统和装置 | |
KR20140059967A (ko) | 해킹 프로세스 감지 방법 및 장치 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12847492; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2013543037; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 14356825; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2012847492; Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 20147014840; Country of ref document: KR; Kind code of ref document: A |