WO2014201962A1 - Anti-virus system and method for android system, and device with anti-virus system running thereon - Google Patents


Info

Publication number
WO2014201962A1
Authority
WO
WIPO (PCT)
Prior art keywords
malicious behavior
virus
program
data
android system
Prior art date
Application number
PCT/CN2014/079596
Other languages
French (fr)
Chinese (zh)
Inventor
李卷孺
尹文基
Original Assignee
上海掌御信息科技有限公司
Priority date
Filing date
Publication date
Application filed by 上海掌御信息科技有限公司
Publication of WO2014201962A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F9/45508 Runtime interpretation or emulation, e.g. emulator loops, bytecode interpretation
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software



Abstract

Disclosed in the present invention is an anti-virus system for the Android system, comprising: a monitor, which collects, at the virtual machine layer of the Android system, dynamic raw data produced while a program executes, translates that raw data into available data indicating the program's running state, and sends the available data out; an anti-virus engine connected to the monitor; and a malicious behavior signature database connected to the anti-virus engine, in which a plurality of policies, each comprising malicious behavior characteristic data, is stored. The anti-virus engine receives the available data sent by the monitor and compares it with the malicious behavior characteristic data in the malicious behavior signature database in order to judge whether the program has behaved maliciously. Accordingly, the present invention further discloses a device equipped with the anti-virus system and an anti-virus method. The technical solution disclosed in the present invention employs dynamic anti-virus techniques and can provide security protection for the Android system.

Description

Anti-virus system and method for the Android system, and device running the system
Technical field
The invention relates to an anti-virus system and method, in particular to an anti-virus system and method based on the Android system.
Background
Most current anti-virus systems are based on signature recognition. Such systems rely on detecting static feature values or dynamic function-call features in order to detect viruses and malware. For example, a static feature value may be a specific piece of code in a program, and a dynamic function-call feature may be a specific ordered sequence of API calls.
Existing anti-virus systems are mainly of two kinds: signature-based and heuristic-based. The two detect viruses and malware in different ways: a signature-based system scans each target file for a byte stream that matches a known virus, while a heuristic-based system scans each file for matches against known virus code.
Compared with these two kinds of anti-virus system, an anti-virus system based on monitoring the program execution process is more accurate.
Summary of the invention
One object of the present invention is to provide an anti-virus system for the Android system that can monitor the dynamic information of a program and detect viruses by analyzing and comparing that dynamic information, so as to achieve precise protection of the Android system.
Another object of the present invention is to provide a device running an anti-virus system for the Android system, which device is protected from viruses.
A further object of the present invention is to provide an anti-virus method for the Android system that can achieve precise protection of the Android system.
To achieve the above objects, the present invention provides an anti-virus system for the Android system, comprising:
a monitor, which collects dynamic raw data at the virtual machine layer of the Android system while a program executes, translates it into available data representing the running state of the program, and then sends it out;
an anti-virus engine connected to the monitor;
a malicious behavior signature database connected to the anti-virus engine, in which a plurality of policies is stored, each policy including malicious behavior characteristic data;
wherein the anti-virus engine receives the available data sent by the monitor and compares it with the malicious behavior characteristic data in the malicious behavior signature database in order to determine whether the program has behaved maliciously.
In this technical solution, the malicious behavior characteristic data and the available data belong to the same type of data; both represent the running state of the program. It should also be noted that in this technical solution one item of available data may correspond to one program running state, or a combination of several items of available data may correspond to one program running state. Therefore, when the program is determined to have behaved maliciously, it may be that a single item of available data matches the malicious behavior characteristic data, or that a combination of several items of available data matches it.
Further, the policies in the above anti-virus system for the Android system also include operation response data matched to the malicious behavior characteristic data, and when the anti-virus engine determines that the program has behaved maliciously it responds to the malicious behavior according to that operation response data. That is, a policy includes both the malicious behavior characteristic data that is compared with the available data and the operation response data for that kind of malicious behavior, so that the anti-virus engine can respond according to the operation response data.
Still further, the operation response data includes at least one of: data indicating that the malicious behavior is to be recorded, data indicating that the malicious behavior is to be rejected, and data indicating that false information is to be returned, so that according to this data the anti-virus engine can correspondingly record the malicious behavior, reject the malicious behavior, or return false information.
Further, the monitor in the above anti-virus system for the Android system includes:
a Dalvik virtual machine interpreter module with a monitoring function, which executes the program and monitors and collects dynamic raw data while the program executes;
a processing module, which translates the dynamic raw data into available data representing the running state of the program.
In this technical solution, the virtual machine interpreter module with the monitoring function replaces the Dalvik virtual machine interpreter in the existing Android system and is compatible with the existing Dalvik instruction set. In addition to providing the functions of the Dalvik virtual machine interpreter in the existing Android system, it can monitor and obtain various dynamic raw data while the program executes, such as the class to which the program belongs, the methods the program executes and the instructions the program executes. The processing module then analyzes the relationships among the individual items of dynamic raw data and reconstructs the program running state that they represent, that is, it translates the dynamic raw data into available data representing the running state of the program.
The monitoring function of the above virtual machine interpreter module can be realized by functional functions distributed over the various stages of program execution, from initialization to termination, so as to monitor and collect the dynamic raw data. Those skilled in the art, having read this specification, can implement the monitoring function of the virtual machine interpreter module by writing specific functional functions, so the specific form of those functions is not described here.
The above processing module can execute a processing function to translate the dynamic raw data into available data representing the running state of the program.
Further, in the above anti-virus system for the Android system, the available data is packaged as an interface and called by the anti-virus engine.
According to another object of the present invention, the present invention also provides a device on which the anti-virus system for the Android system described above runs.
According to yet another object of the present invention, the present invention also provides an anti-virus method for the Android system, comprising the steps of:
collecting dynamic raw data of a program in the Android system while it executes, and translating it into available data representing the running state of the program;
comparing the available data with malicious behavior characteristic data; if the two match, determining that the program has behaved maliciously, and if they do not match, determining that the program has not behaved maliciously.
Further, the above anti-virus method for the Android system also includes the step of: when it is determined that the program has behaved maliciously, responding to the program's malicious behavior according to the operation response data matched to the malicious behavior characteristic data.
Still further, the response includes at least one of: recording the malicious behavior, rejecting the malicious behavior, and returning false information.
Further, in the above anti-virus method for the Android system, the dynamic raw data includes at least one of: the class to which the program belongs, the methods executed by the program, and the instructions executed by the program.
With the technical solution of the present invention, users can configure the policies in the malicious behavior signature database according to their own needs; for example, they can add a policy that monitors the program's handling of short messages, a policy that monitors network traffic, and policies that monitor access to certain private data. The anti-virus system and method for the Android system described in this technical solution therefore offer great flexibility in use and a wide range of applications.
In addition, with the technical solution of the present invention, the anti-virus system can be upgraded simply by updating the malicious behavior signature database, without modifying the monitor or the anti-virus engine; it is therefore very simple to use and easy to update and upgrade continuously.
Brief description of the drawings
FIG. 1 is a flow chart of the anti-virus method for the Android system according to one embodiment of the present invention.
FIG. 2 is a block diagram of the structure of the anti-virus system for the Android system according to one embodiment of the present invention.
Detailed description
The technical solution of the present invention is described in further detail below with reference to the drawings and specific embodiments, but this description does not constitute an undue limitation of the technical solution of the present invention.
FIG. 1 shows a flow chart of the anti-virus method for the Android system according to the present invention in one embodiment.
As shown in FIG. 1, in this embodiment the anti-virus method for the Android system comprises the steps of:
(1) the monitor collects the dynamic raw data produced while a program executes in the Android system (for example the class to which the program belongs, the methods the program executes and the instructions the program executes) and translates it into available data representing the running state of the program;
(2) the anti-virus engine compares the available data with the malicious behavior characteristic data and determines whether the two match: if the result is "No", return to step (1); if the result is "Yes", proceed to step (3);
(3) the anti-virus engine responds to the program's malicious behavior according to the operation response data matched to the malicious behavior characteristic data.
FIG. 2 shows a block diagram of the structure of the anti-virus system for the Android system according to the present invention in one embodiment.
As shown in Fig. 2, in this embodiment the anti-virus system for the Android system comprises a monitor running in the virtual-machine layer of the Android system and an anti-virus engine running above the Dalvik virtual machine.

The monitor comprises a virtual-machine interpreter module with a monitoring function and a processing module. The interpreter module with the monitoring function replaces the virtual-machine interpreter of the existing Android system: in addition to providing the functions of the Dalvik virtual-machine interpreter of the existing Android system, it monitors and collects the various kinds of dynamic raw data produced while a program executes, such as information on the class the program belongs to, the methods the program executes and the instructions the program executes. The processing module then analyses the relationships between the individual items of dynamic raw data and reconstructs the program running state they represent, that is, it translates the dynamic raw data into available data that describe the running state of the program.

The anti-virus engine is connected to the monitor and to a malicious-behaviour signature library. The signature library stores a number of policies configured according to the user's needs; each policy comprises malicious-behaviour signature data together with operation-response data matched to those signature data (for example data indicating that the malicious behaviour is to be recorded, data indicating that it is to be refused, or data indicating that false information is to be returned). The anti-virus engine receives the available data sent by the monitor, compares them with the malicious-behaviour signature data in the library, and judges from whether the available data agree with the signature data whether the program has performed a malicious behaviour. If the program has performed a malicious behaviour, the anti-virus engine responds to it according to the operation-response data (for example by recording the malicious behaviour, refusing it, or returning false information).
In this technical solution the malicious-behaviour signature data and the available data are data of the same kind: both describe the running state of a program. One program running state may be represented by a single item of available data or by a combination of several items of available data. Accordingly, when the program is judged to have performed a malicious behaviour, it may be that one item of available data matches the malicious-behaviour signature data, or that a combination of several items of available data matches them.
In addition, the monitoring function of the Dalvik virtual-machine interpreter module described in the above embodiment may be implemented by dedicated functions distributed over the various stages of program execution, from initialisation to termination, so that the dynamic raw data are monitored and collected throughout. The processing module of the monitor may likewise execute or process functions in order to translate the dynamic raw data into available data describing the running state of the program. Having read this specification, a person skilled in the art can implement the translation of the dynamic raw data into available data describing the running state of the program by means of the processing module, so the specific translation procedure of the processing module is not described further here.

It should be noted that the above are only specific embodiments of the present invention; the invention is evidently not limited to these embodiments, and many similar variations follow from them. All variations that a person skilled in the art derives directly from, or is led to by, the disclosure of the present invention fall within the scope of protection of the present invention.

Claims

1. An anti-virus system for the Android system, characterised in that it comprises:
a monitor, which collects, in the virtual-machine layer of the Android system, the dynamic raw data produced while a program executes, translates them into available data describing the running state of the program, and sends them out;
an anti-virus engine connected to the monitor;
a malicious-behaviour signature library connected to the anti-virus engine, the signature library storing a number of policies, each of which comprises malicious-behaviour signature data;
wherein the anti-virus engine receives the available data sent by the monitor and compares them with the malicious-behaviour signature data in the signature library in order to judge whether the program has performed a malicious behaviour.

2. The anti-virus system for the Android system according to claim 1, characterised in that each policy further comprises operation-response data matched to the malicious-behaviour signature data, and the anti-virus engine, upon judging that the program has performed a malicious behaviour, responds to the malicious behaviour according to the operation-response data.

3. The anti-virus system for the Android system according to claim 2, characterised in that the operation-response data comprise at least one of: data indicating that the malicious behaviour is recorded, data indicating that the malicious behaviour is refused, and data indicating that false information is returned.

4. The anti-virus system for the Android system according to claim 1, characterised in that the monitor comprises:
a Dalvik virtual-machine interpreter module with a monitoring function, which executes the program and monitors and collects the dynamic raw data produced while the program executes;
a processing module, which translates the dynamic raw data into available data describing the running state of the program.

5. The anti-virus system for the Android system according to claim 1, characterised in that the available data are packaged and sent out by way of an interface.

6. The anti-virus system for the Android system according to claim 1, characterised in that the dynamic raw data comprise at least one of: information on the class the program belongs to, information on the methods the program executes, and information on the instructions the program executes.

7. A device on which an anti-virus system for the Android system according to any one of claims 1 to 6 runs.

8. An anti-virus method for the Android system, characterised in that it comprises the steps of:
collecting the dynamic raw data produced while a program in the Android system executes, and translating them into available data describing the running state of the program;
comparing the available data with malicious-behaviour signature data; if the two match, judging that the program has performed a malicious behaviour, and if the two do not match, judging that the program has not performed a malicious behaviour.

9. The anti-virus method for the Android system according to claim 8, characterised in that it further comprises the step of: when the program is judged to have performed a malicious behaviour, responding to the program's malicious behaviour according to the operation-response data matched to the malicious-behaviour signature data.

10. The anti-virus method for the Android system according to claim 9, characterised in that the response comprises at least one of: recording the malicious behaviour, refusing the malicious behaviour, and returning false information.

11. The anti-virus method for the Android system according to claim 8, characterised in that the dynamic raw data comprise at least one of: information on the class the program belongs to, information on the methods the program executes, and information on the instructions the program executes.
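The pipeline laid out in the description of Fig. 2 and restated in claims 1 and 8, as an added example that is not the patent's own code: a Python simulation in which raw events from a hooked interpreter (class, method, instruction, operands) are translated by a processing module into running-state descriptors, and an engine matches each descriptor, and the ordered combination of descriptors seen so far, against policies that each carry a response (record, refuse, or return false information). The Dalvik class and method names, the descriptor vocabulary, the policies and the event trace are all constructed assumptions; the patent specifies none of them.

```python
"""Added example, not the patent's code: monitor -> processing module -> anti-virus engine.
Every class/method name, state descriptor, policy and event below is a constructed assumption."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class RawEvent:
    """Dynamic raw data as a hooked interpreter would emit it: class, method, instruction, operands."""
    cls: str
    method: str
    insn: str
    args: Tuple[str, ...] = ()


# Processing-module rules: (class, method, operand predicate) -> running-state descriptor.
# Hypothetical vocabulary; the patent leaves the translation step to the implementer.
TRANSLATION_RULES: List[Tuple[str, str, Callable[[Tuple[str, ...]], bool], str]] = [
    ("Landroid/content/ContentResolver;", "query",
     lambda a: bool(a) and a[0].startswith("content://com.android.contacts"), "READ_CONTACTS"),
    ("Landroid/telephony/TelephonyManager;", "getDeviceId", lambda a: True, "READ_DEVICE_ID"),
    ("Ljava/net/Socket;", "<init>", lambda a: len(a) == 2, "OPEN_SOCKET"),
    ("Landroid/telephony/SmsManager;", "sendTextMessage", lambda a: True, "SEND_SMS"),
]


def translate(event: RawEvent) -> Optional[str]:
    """Turn one raw event into 'available data' (a state descriptor); None means noise."""
    for cls, method, pred, state in TRANSLATION_RULES:
        if event.cls == cls and event.method == method and pred(event.args):
            return state
    return None


@dataclass(frozen=True)
class Policy:
    """One signature-library entry: a single state or an ordered combination, plus the response."""
    name: str
    pattern: Tuple[str, ...]
    action: str                 # "log", "deny" or "fake"
    fake_value: object = None   # substituted return value when action == "fake"


@dataclass(frozen=True)
class Verdict:
    state: Optional[str]
    policy: Optional[str]
    action: str                 # "allow", "log", "deny" or "fake"
    value: object = None


def is_subsequence(pattern: Tuple[str, ...], history: List[str]) -> bool:
    """True if every state in pattern appears in history in that order (gaps allowed)."""
    it = iter(history)
    return all(any(seen == want for seen in it) for want in pattern)


class AntiVirusEngine:
    """Matches each new descriptor, and the combination seen so far, against the policies."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)
        self.history: List[str] = []   # descriptors observed for this program so far
        self.audit: List[str] = []     # the "record malicious behaviour" response

    def observe(self, event: RawEvent) -> Verdict:
        state = translate(event)
        if state is None:
            return Verdict(None, None, "allow")
        self.history.append(state)
        for p in self.policies:
            # A combination fires once, at its final step, so only policies ending in this state apply.
            if p.pattern[-1] == state and is_subsequence(p.pattern, self.history):
                self.audit.append(f"{p.name}: {' -> '.join(p.pattern)} ({p.action})")
                return Verdict(state, p.name, p.action, p.fake_value if p.action == "fake" else None)
        return Verdict(state, None, "allow")


# Hypothetical signature library: two single-state rules and one combination rule.
POLICIES = [
    Policy("fake-imei", ("READ_DEVICE_ID",), "fake", fake_value="000000000000000"),
    Policy("contacts-exfiltration", ("READ_CONTACTS", "OPEN_SOCKET"), "deny"),
    Policy("sms-audit", ("SEND_SMS",), "log"),
]

# Constructed trace of a contact-stealing app; not captured from any real device.
TRACE = [
    RawEvent("Landroid/os/Handler;", "postDelayed", "invoke-virtual"),
    RawEvent("Landroid/content/ContentResolver;", "query", "invoke-virtual",
             ("content://com.android.contacts/data",)),
    RawEvent("Landroid/telephony/TelephonyManager;", "getDeviceId", "invoke-virtual"),
    RawEvent("Ljava/net/Socket;", "<init>", "invoke-direct", ("203.0.113.10", "8080")),
    RawEvent("Landroid/telephony/SmsManager;", "sendTextMessage", "invoke-virtual",
             ("10086", "", "ok", "", "")),
]


def run(trace: List[RawEvent], policies: List[Policy] = POLICIES) -> List[Verdict]:
    """Feed a trace through a fresh engine and return one verdict per raw event."""
    engine = AntiVirusEngine(policies)
    return [engine.observe(ev) for ev in trace]


if __name__ == "__main__":
    for ev, v in zip(TRACE, run(TRACE)):
        print(f"{ev.cls}->{ev.method:16} state={v.state!s:15} action={v.action:5} policy={v.policy}")
```

The combination policy is the point the description makes about one running state being represented by several items of available data: the refusal fires only once the socket is opened after the contacts read, while the same two calls in the opposite order pass. In a real deployment the verdict would have to be enforced inside the interpreter hook before the invoked method runs; here it is simply returned to the caller.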
PCT/CN2014/079596 2013-06-18 2014-06-10 Anti-virus system and method for android system, and device with anti-virus system running thereon WO2014201962A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310242442.2A CN104239791A (en) 2013-06-18 2013-06-18 Anti-virus system and method of Android system and equipment with anti-virus system
CN201310242442.2 2013-06-18

Publications (1)

Publication Number Publication Date
WO2014201962A1 true WO2014201962A1 (en) 2014-12-24

Family

ID=52103942

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/079596 WO2014201962A1 (en) 2013-06-18 2014-06-10 Anti-virus system and method for android system, and device with anti-virus system running thereon

Country Status (2)

Country Link
CN (1) CN104239791A (en)
WO (1) WO2014201962A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107358102A (en) * 2017-07-14 2017-11-17 合肥执念网络科技有限公司 A kind of computer based checking and killing virus system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791250B (en) * 2014-12-26 2020-10-02 北京奇虎科技有限公司 Application program detection method and device
CN111863045B (en) * 2020-07-30 2021-06-08 上海势炎信息科技有限公司 Hard disk box of electronic evidence obtaining equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120222120A1 (en) * 2011-02-24 2012-08-30 Samsung Electronics Co. Ltd. Malware detection method and mobile terminal realizing the same
CN102810143A (en) * 2012-04-28 2012-12-05 天津大学 Safety detecting system and method based on mobile phone application program of Android platform
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102789558A (en) * 2011-05-20 2012-11-21 北京网秦天下科技有限公司 Method and device for analyzing program installation and program operation in mobile device

Also Published As

Publication number Publication date
CN104239791A (en) 2014-12-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14813770; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14813770; Country of ref document: EP; Kind code of ref document: A1)