CN106778247A - Method and device for dynamically analyzing an application program - Google Patents

Method and device for dynamically analyzing an application program

Info

Publication number
CN106778247A
Authority
CN
China
Prior art keywords
installation package
package file
behavioral data
analyzed
analysis
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611160804.3A
Other languages
Chinese (zh)
Other versions
CN106778247B (en)
Inventor
汪德嘉
华保健
樊淇梁
宋超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.
JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
Original Assignee
Jiangsu Payegis Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Payegis Technology Co Ltd
Priority to CN201611160804.3A
Publication of CN106778247A
Application granted
Publication of CN106778247B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a device for dynamically analyzing an application program. The method includes: obtaining the installation package file of the application program to be analyzed; placing the installation package file in a sandbox and running it, and collecting the behavioral data the installation package file produces while running; and analyzing the behavioral data to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.

Description

Method and device for dynamically analyzing an application program
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and a device for dynamically analyzing an application program.
Background technology
With the wide adoption of application programs, applications of every kind have appeared in application markets. To protect users' interests, it is necessary to detect whether the behavior of these applications complies with the rules. Faced with a massive number of applications, however, how to detect application behavior efficiently and accurately, and to judge it reasonably, has become an urgent demand.
Domestic security vendors have developed corresponding products for these applications, but each vendor targets one particular aspect, for example detecting malicious applications or detecting whether an application has been hardened; no scheme yet exists for dynamically detecting and analyzing application behavior. The prior art therefore lacks a method for dynamically analyzing the behavior of an application program.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method for dynamically analyzing an application program, and a corresponding device, that overcome the above problems or at least partially solve them.
According to one aspect of the invention, a method for dynamically analyzing an application program is provided. The method includes:
obtaining the installation package file of the application program to be analyzed;
placing the installation package file in a sandbox and running it, and collecting the behavioral data the installation package file produces while running;
analyzing the behavioral data to obtain an analysis result.
According to another aspect of the invention, a device for dynamically analyzing an application program is provided. The device includes:
an acquisition module for obtaining the installation package file of the application program to be analyzed;
a behavioral data collection module for placing the installation package file in a sandbox, running it, and collecting the behavioral data the installation package file produces while running;
an analysis module for analyzing the behavioral data to obtain an analysis result.
According to the scheme provided by the present invention, after the installation package file of the application program to be analyzed is obtained, it is placed in a sandbox and run, the behavioral data it produces while running is collected, and the behavioral data is analyzed to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be better understood and practiced according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
By reading the detailed description of the preferred embodiments below, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to show the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of a method for dynamically analyzing an application program according to one embodiment of the invention;
Fig. 2 shows a flow chart of a method for dynamically analyzing an application program according to another embodiment of the invention;
Fig. 3 shows a structural diagram of a device for dynamically analyzing an application program according to one embodiment of the invention;
Fig. 4 shows a structural diagram of a device for dynamically analyzing an application program according to another embodiment of the invention.
Specific embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a method for dynamically analyzing an application program according to one embodiment of the invention. As shown in Fig. 1, the method includes the following steps:
Step S100: obtain the installation package file of the application program to be analyzed.
In embodiments of the invention, the installation package file of the application program to be analyzed may be an installation package file uploaded by a client, or an installation package file of the application downloaded from a website or stored locally. For example, after a developer has developed a new application and before it is listed, the developer can upload its installation package file through the file upload entry provided by the client, so that dynamic behavior analysis is performed on it; likewise, an ordinary user who has downloaded the installation package file of some application from an application store or elsewhere can upload it through the client's file upload entry for dynamic behavior analysis.
Step S101: place the installation package file in a sandbox and run it, and collect the behavioral data the installation package file produces while running.
After the installation package file has been obtained, it can be placed in a sandbox and run there, and the behavioral data produced while it runs is collected as the object of the subsequent analysis. Running the installation package file in a sandbox avoids affecting the real system.
Step S102: analyze the behavioral data to obtain an analysis result.
After the behavioral data produced while the installation package file runs has been collected, it is analyzed. Specifically, analyzing the behavioral data means performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, privilege analysis and/or behavior classification analysis on it. Sensitive behavior analysis can be used to determine whether the installation package file operates on sensitive data while running, for example by reading sensitive data; malicious behavior analysis can be used to determine whether behaviors such as fraud occur while it runs; privilege analysis determines which permissions the installation package file involves while running, for example modification or deletion. The analysis is of course not limited to the above, and those skilled in the art can perform other behavior analyses according to actual needs.
According to the method provided by the above embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, it is placed in a sandbox and run, the behavioral data it produces while running is collected, and the behavioral data is analyzed to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.
Fig. 2 shows a flow chart of a method for dynamically analyzing an application program according to another embodiment of the invention. As shown in Fig. 2, the method includes the following steps:
Step S200: obtain the installation package file of the application program to be analyzed.
In embodiments of the invention, the installation package file of the application program to be analyzed may be an installation package file uploaded by a client, or an installation package file of the application downloaded from a website or stored locally. For example, after a developer has developed a new application and before it is listed, the developer can upload its installation package file through the file upload entry provided by the client, so that dynamic behavior analysis is performed on it; likewise, an ordinary user who has downloaded the installation package file of some application from an application store or elsewhere can upload it through the client's file upload entry for dynamic behavior analysis. The application program here may be a mobile application or a non-mobile application.
Step S201: determine whether the installation package file has been packed. If so, perform step S202; if not, perform step S203.
After application development is complete, the installation package file may be packed, mainly to resist reverse engineering and code injection attacks. Packing, however, also makes program behavior analysis of the installation package file much harder, so after the installation package file is obtained it is also necessary to determine whether it has been packed.
In general, the hardening scheme used by a given hardening vendor is fixed, and the installation package files it hardens carry that vendor's identifier as a result of the hardening process. The installation package file can therefore be parsed by script to determine whether it contains a hardening vendor identifier and a hardening scheme, and hence whether it has been packed.
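The following is an added illustration, not code from the patent or its assignee, of the packing check described for step S201: it parses an installation package file (an Android APK is a zip archive) for the marker entries a hardening vendor leaves behind, without executing anything from the package. The vendor marker table, the sample package builder and all function names are constructed assumptions; the real marker names used by particular vendors are not given here.

```python
"""Added example: decide whether an installation package file has been packed
by parsing its entry list for hardening vendor markers (step S201 routing)."""
import io
import zipfile

# CONSTRUCTED marker table: hardening scheme -> entry names it leaves in the APK.
# These names are hypothetical placeholders, not any real vendor's markers.
PACKER_MARKERS = {
    "example-vendor-a": ("lib/armeabi/libexamplea_shell.so", "assets/examplea.dex"),
    "example-vendor-b": ("lib/armeabi/libexampleb_protect.so",),
}


def detect_packer(apk_bytes: bytes) -> dict:
    """Parse the package's entry list (no code from the package is run) and
    report whether a known hardening vendor identifier is present."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
    for vendor, markers in PACKER_MARKERS.items():
        hit = [m for m in markers if m in names]
        if hit:
            return {"packed": True, "vendor": vendor, "markers": hit}
    return {"packed": False, "vendor": None, "markers": []}


def next_step(apk_bytes: bytes) -> str:
    """Route as in Fig. 2: packed -> S202 (unpack), otherwise -> S203 (instrument)."""
    return "S202" if detect_packer(apk_bytes)["packed"] else "S203"


def build_sample_apk(extra_entries) -> bytes:
    """Construct a minimal in-memory zip shaped like an APK (constructed sample,
    placeholder contents only) so the checker can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        for name in extra_entries:
            zf.writestr(name, b"\0")
    return buf.getvalue()


if __name__ == "__main__":
    plain = build_sample_apk([])
    packed = build_sample_apk(["lib/armeabi/libexamplea_shell.so", "assets/examplea.dex"])
    print(detect_packer(plain), "->", next_step(plain))    # not packed -> S203
    print(detect_packer(packed), "->", next_step(packed))  # packed -> S202
```

A marker scan of this kind is cheap and never runs the package, which is why it sits before the sandbox stage; it only recognizes schemes whose markers are in the table, so an unknown packer is reported as "not packed" and still reaches instrumentation and sandboxing.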
Step S202: unpack the installation package file.
After the installation package file is found to have been packed, it can be unpacked to facilitate the subsequent analysis; the specific unpacking method is not described in detail here.
Step S203: instrument the installation package file.
After the installation package file has been unpacked, or after it is found not to have been packed, it can also be instrumented: a section of code, a node or the like is inserted into the code of the installation package file so that the corresponding behavioral data is obtained when the installation package file runs. Note that this step is optional; in some embodiments the installation package file is not instrumented.
Step S204: place the installation package file in a sandbox and run it, and collect, using taint analysis and/or hooking, the behavioral data produced while an application emulator whose kernel has been lightweighted runs the installation package file.
In embodiments of the invention the sandbox is provided with an application emulator for running the installation package file. The kernel of the application emulator has been lightweighted, which raises the running speed of the emulator and also improves the accuracy of the behavioral data obtained.
In addition, embodiments of the invention can use code coverage techniques to trigger the lightweighted-kernel application emulator to run the installation package file automatically, without manual control of the emulator or manual input of operations, so that the installation package file runs fully automatically. While the installation package file runs, taint analysis and/or hooking can be used to collect the behavioral data produced while the lightweighted-kernel application emulator runs it. Taint analysis here means defining, for an installation package file, a start point and an end point that form a taint sequence, and tracking that taint sequence to determine whether the installation package file is tainted. Hooking can monitor specified behaviors while the installation package file runs and collect the behavioral data produced during the run.
The behavioral data includes one or more of the following: running logs, running screenshots and transmitted data. For example, a running log can be generated on file read operations and file write operations.
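The following added example (not code from the patent or its assignee) shows, within a single Python process, the two collection techniques named for step S204: sensitive APIs of a constructed toy application are hooked so that every call is written to a running log, and a taint sequence from a start point (reading contact data) to an end point (a network send) is tracked by carrying a taint label on the data. The API names, the log record format and the toy application are assumptions; in the patent's setting the hooks sit in the application emulator rather than in the application's own process.

```python
"""Added example: hook-based behavioral data collection plus start-point to
end-point taint tracking over a constructed toy application."""
import functools

BEHAVIOR_LOG = []  # running log: one record per hooked call (the behavioral data)


class Tainted(str):
    """A string value that carries the label of the sensitive source it came from."""

    def __new__(cls, value, label):
        obj = super().__new__(cls, value)
        obj.label = label
        return obj


def derive(value, *parents):
    """Propagate taint: a value computed from tainted inputs inherits their labels."""
    labels = sorted({p.label for p in parents if isinstance(p, Tainted)})
    return Tainted(value, ",".join(labels)) if labels else value


def hook(api, source=None, sink=False):
    """Hook decorator: record every call of `api`; label data returned by a
    source (start point); at a sink (end point) record which labels arrived."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapped(*args):
            result = fn(*args)
            record = {"api": api, "args": [str(a) for a in args]}
            if source is not None:
                result = Tainted(result, source)
            if sink:
                record["leaked"] = sorted({a.label for a in args if isinstance(a, Tainted)})
            BEHAVIOR_LOG.append(record)
            return result
        return wrapped
    return decorator


# Constructed stand-ins for the framework APIs an emulator would hook.
@hook("ContactsProvider.query", source="contacts")
def read_contacts():
    return "alice:+10000000000"  # constructed sample data


@hook("File.read")
def read_file(path):
    return "config=1"


@hook("HttpClient.post", sink=True)
def http_post(url, body):
    return 200


def run_sample_app():
    """Constructed application run: reads contacts and a file, uploads the contacts."""
    BEHAVIOR_LOG.clear()
    contacts = read_contacts()
    cfg = read_file("/data/app/config.txt")
    http_post("https://example.invalid/upload", derive("data=" + contacts, contacts))
    http_post("https://example.invalid/ping", cfg)  # untainted body
    return list(BEHAVIOR_LOG)


def taint_sequences(log):
    """(source label, sink api) pairs whose end point was reached, i.e. the
    evidence that sensitive data left the application during the run."""
    return [(label, rec["api"]) for rec in log for label in rec.get("leaked", [])]


if __name__ == "__main__":
    log = run_sample_app()
    for rec in log:
        print(rec)
    print("taint sequences completed:", taint_sequences(log))
```

Plain string operations on a `Tainted` value return an ordinary `str`, so the toy passes derived values through `derive` explicitly; a real taint engine instead propagates labels through every copy and transformation automatically, which is the part that hooking alone cannot provide.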
Step S205: input the behavioral data into a preset behavioral data model, analyze the behavioral data and obtain an analysis result.
After the behavioral data produced while the installation package file runs has been collected, it can be input into the preset behavioral data model and analyzed; specifically, the collected behavioral data is compared with the behavior features in the behavioral data model to obtain the corresponding analysis result. Analyzing the behavioral data means performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, privilege analysis and/or behavior classification analysis on it. Sensitive behavior analysis can be used to determine whether the installation package file operates on sensitive data while running, for example by reading sensitive data; malicious behavior analysis can be used to determine whether behaviors such as fraud occur while it runs; privilege analysis determines which permissions the installation package file involves while running, for example modification or deletion. The analysis is of course not limited to the above, and those skilled in the art can perform other behavior analyses according to actual needs.
The behavioral data model is obtained by training on the behavior features in an application feature library. A behavior feature is behavioral data whose behavior type has already been determined, that is, behavioral data known to be malicious or non-malicious, sensitive or non-sensitive, and so on.
The behavioral data model of the invention is trained in batch learning mode or in incremental learning mode. In batch learning mode, the behavioral data collected before a preset time period is trained on as a whole at that time period, so that a behavioral data model is obtained at each preset time period; the preset time period may be one hour or one day, and those skilled in the art can set it according to the needs of the practical application, with no particular limitation here. In incremental learning mode, behavioral data is collected and trained on, and the training result is learned through an interface into the behavioral data model obtained before the preset time period, so that a new behavioral data model is obtained at each preset time period. Incremental learning mode lets the behavioral data collected in real time be learned into the behavioral data model, reduces the workload of machine learning training, and yields a behavioral data model quickly.
In an optional embodiment of the invention, the behavioral data can also be analyzed by pattern matching to obtain the analysis result: corresponding patterns, for example a malicious pattern and a sensitive pattern, are preset together with a matching rule for each pattern, and after the behavioral data is obtained it is analyzed with each pattern's matching rule to obtain the analysis result.
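The following added example (not code from the patent or its assignee) covers both the behavioral data model of step S205 and the pattern-matching alternative: a model is built from a constructed application feature library either in batch mode (rebuilt from all windows at each preset time period) or in incremental mode (each new window folded into the previous model), the collected behavioral data is compared with the model's behavior features, and preset malicious and sensitive patterns are applied through their matching rules. The feature library, the collected behaviors, the rules and all names are constructed assumptions.

```python
"""Added example: a count-based behavioral data model trained in batch or
incremental mode, compared against collected behaviors, beside a rule-based
pattern matcher with preset malicious and sensitive patterns."""
from collections import Counter, defaultdict

# CONSTRUCTED application feature library: behavior features whose type is
# already known, grouped into windows (one list per preset time period).
FEATURE_LIBRARY_WINDOWS = [
    [("read_sms", "sensitive"), ("send_sms", "malicious"), ("read_file", "non-sensitive")],
    [("send_sms", "malicious"), ("read_sms", "sensitive"), ("http_post", "non-malicious")],
    [("send_sms", "non-malicious"), ("read_contacts", "sensitive"), ("http_post", "non-malicious")],
]


def train_batch(windows):
    """Batch learning mode: rebuild the model from every window collected so far."""
    model = defaultdict(Counter)
    for window in windows:
        for behavior, label in window:
            model[behavior][label] += 1
    return model


def train_incremental(model, window):
    """Incremental learning mode: fold one new window into the existing model."""
    for behavior, label in window:
        model[behavior][label] += 1
    return model


def train_all_incremental(windows):
    """Feed the windows one at a time through incremental mode (for comparison)."""
    model = defaultdict(Counter)
    for window in windows:
        model = train_incremental(model, window)
    return model


def model_analysis(model, behaviors):
    """Compare collected behaviors with the model's behavior features."""
    result = {"malicious": [], "sensitive": [], "unknown": []}
    for behavior in behaviors:
        counts = model.get(behavior)  # .get() does not create a new entry
        if not counts:
            result["unknown"].append(behavior)
            continue
        if counts["malicious"] > counts["non-malicious"]:
            result["malicious"].append(behavior)
        if counts["sensitive"] > counts["non-sensitive"]:
            result["sensitive"].append(behavior)
    return result


# Preset patterns, each with its matching rule over the set of observed behaviors
# (constructed rules; a deployment would carry many more).
PATTERNS = {
    "sensitive": lambda seen: bool(seen & {"read_sms", "read_contacts", "read_location"}),
    "malicious": lambda seen: {"read_sms", "send_sms"} <= seen,  # SMS-fraud style rule
}


def pattern_analysis(behaviors):
    """Apply every preset pattern's matching rule; return the patterns that match."""
    seen = set(behaviors)
    return [name for name, rule in PATTERNS.items() if rule(seen)]


def analyze(behaviors, windows=FEATURE_LIBRARY_WINDOWS):
    """Step S205 on one run's behavioral data: model result and pattern result."""
    model = train_batch(windows)
    return {"model": model_analysis(model, behaviors), "patterns": pattern_analysis(behaviors)}


if __name__ == "__main__":
    collected = ["read_sms", "send_sms", "http_post", "get_device_id"]  # constructed run
    print("batch == incremental:",
          train_batch(FEATURE_LIBRARY_WINDOWS) == train_all_incremental(FEATURE_LIBRARY_WINDOWS))
    print(analyze(collected))
```

For this additive count model the two training modes reach the same model, which is what lets the incremental mode skip retraining over the full history; the `unknown` bucket is where behaviors the feature library has never labelled land, and feeding confirmed results back into the library (as the next paragraph describes) is what shrinks it over time.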
After the analysis result is obtained, it can be presented to the user so that the user can process the installation package file of the application program according to it; in addition, the analysis result can be stored in the application feature library as a source of training data for the behavioral data model or for pattern matching.
According to the method provided by the above embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, it is determined whether the installation package file has been packed and, if so, it is unpacked so that behavioral data can be collected later; the installation package file is instrumented so that behavioral data can be collected in a targeted way; the installation package file is placed in a sandbox and run, and the behavioral data it produces while running is collected; and the collected behavioral data is input into the preset behavioral data model and analyzed to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.
Fig. 3 shows a structural diagram of a device for dynamically analyzing an application program according to one embodiment of the invention. As shown in Fig. 3, the device includes an acquisition module 310, a behavioral data collection module 320 and an analysis module 330.
The acquisition module 310 is used to obtain the installation package file of the application program to be analyzed.
In embodiments of the invention, the installation package file of the application program to be analyzed may be an installation package file uploaded by a client, or an installation package file of the application downloaded from a website or stored locally. For example, after a developer has developed a new application and before it is listed, the developer can upload its installation package file through the file upload entry provided by the client, so that dynamic behavior analysis is performed on it; likewise, an ordinary user who has downloaded the installation package file of some application from an application store or elsewhere can upload it through the client's file upload entry for dynamic behavior analysis.
The behavioral data collection module 320 is used to place the installation package file in a sandbox and run it, and to collect the behavioral data the installation package file produces while running.
After the installation package file has been obtained, it can be placed in a sandbox and run there, and the behavioral data produced while it runs is collected as the object of the subsequent analysis. Running the installation package file in a sandbox avoids affecting the real system.
The analysis module 330 is used to analyze the behavioral data and obtain an analysis result.
According to the device provided by the above embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, it is placed in a sandbox and run, the behavioral data it produces while running is collected, and the behavioral data is analyzed to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.
Fig. 4 shows a structural diagram of a device for dynamically analyzing an application program according to another embodiment of the invention. As shown in Fig. 4, the device includes an acquisition module 410, a behavioral data collection module 420 and an analysis module 430.
The acquisition module 410 is used to obtain the installation package file of the application program to be analyzed. The application program is a mobile application or a non-mobile application.
The behavioral data collection module 420 is used to place the installation package file in a sandbox and run it, and to collect, using taint analysis and/or hooking, the behavioral data produced while an application emulator whose kernel has been lightweighted runs the installation package file.
The behavioral data includes one or more of the following: running logs, running screenshots and transmitted data.
Specifically, the behavioral data collection module 420 includes a trigger unit 421, which uses code coverage techniques to trigger the lightweighted-kernel application emulator to run the installation package file automatically.
It further includes a behavioral data collection unit 422, which collects, using taint analysis and/or hooking, the behavioral data produced while the installation package file runs.
The analysis module 430 is used to analyze the behavioral data and obtain an analysis result.
Specifically, the analysis module 430 performs sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, privilege analysis and/or behavior classification analysis on the behavioral data.
In addition, the analysis module 430 is further used to input the behavioral data into a preset behavioral data model, analyze the behavioral data and obtain the analysis result, where the behavioral data model is obtained by training on the behavior features in an application feature library.
Alternatively, the analysis module 430 is further used to analyze the behavioral data by pattern matching to obtain the analysis result.
The device further includes an unpacking module 440 for determining whether the installation package file has been packed and, if it has, unpacking it.
Specifically, the unpacking module 440 is further used to parse the installation package file by script and determine whether it contains a hardening vendor identifier and a hardening scheme.
After application development is complete, the installation package file may also be packed, mainly to resist reverse engineering and code injection attacks. Packing, however, also makes program behavior analysis of the installation package file much harder, so after the installation package file is obtained it is also necessary to determine whether it has been packed.
In general, the hardening scheme used by a given hardening vendor is fixed, and the installation package files it hardens carry that vendor's identifier as a result of the hardening process. The installation package file can therefore be parsed by script to determine whether it contains a hardening vendor identifier and a hardening scheme, and hence whether it has been packed.
The device further includes an instrumentation module 450 for instrumenting the installation package file.
After the installation package file has been unpacked, or after it is found not to have been packed, it can also be instrumented: a section of code, a node or the like is inserted into the code of the installation package file so that the corresponding behavioral data is obtained when the installation package file runs.
According to the device provided by the above embodiment of the invention, after the installation package file of the application program to be analyzed is obtained, it is determined whether the installation package file has been packed and, if so, it is unpacked so that behavioral data can be collected later; the installation package file is instrumented so that behavioral data can be collected in a targeted way; the installation package file is placed in a sandbox and run, and the behavioral data it produces while running is collected; and the behavioral data is input into the behavioral data model and analyzed to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.
Although a number of exemplary embodiments of the invention have been shown and described in detail herein, those skilled in the art will understand that many other variations or modifications consistent with the principles of the invention can still be determined or derived directly from the disclosure without departing from its spirit and scope. The scope of the invention should therefore be understood and deemed to cover all such other variations or modifications.
Those skilled in the art will understand that embodiments of the invention can be implemented as a system, device, apparatus, method or computer program product. In addition, the invention is not directed at any particular programming language; it should be understood that the content described here can be realized in various programming languages, and the description above in terms of a specific language serves to disclose the best mode of the invention.
Although the description above describes in detail some modules of the device for dynamically analyzing an application program, this division is merely exemplary and not mandatory. Those skilled in the art will understand that, in practice, the modules in an embodiment can be adaptively changed: several modules in an embodiment can be combined into one module, and one module can be divided into several modules.
In addition, although the drawings describe the operations of the invention in a particular order, this does not require or imply that the operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Some steps may be omitted, several steps may be merged into one step, or one step may be divided into several steps.
In summary, with the method and device for dynamically analyzing an application program of the invention, after the installation package file of the application program to be analyzed is obtained, it is placed in a sandbox and run, the behavioral data it produces while running is collected, and the behavioral data is analyzed to obtain an analysis result. The run-time behavior of the application program can thus be monitored and analyzed comprehensively, and the user can decide, according to the analysis result, whether to adjust the application program.
The method of the present invention and specific implementation method are described in detail above, and give corresponding implementation Example.Certainly, in addition to the implementation, the present invention can also have other embodiment, all use equivalents or equivalent transformation shape Into technical scheme, all fall within invention which is intended to be protected.
The invention discloses: A1. A method for dynamically analyzing an application, wherein the method includes:
obtaining the installation package file of the application to be analyzed;
running the installation package file in a sandbox and collecting the behavioral data that the installation package file produces while running;
analyzing the behavioral data to obtain an analysis result.
A2. The method according to A1, wherein collecting the behavioral data that the installation package file produces while running further includes:
collecting, by taint analysis and/or hooking, the behavioral data produced while the installation package file is run by an application emulator that has undergone lightweight kernel processing.
A3. The method according to A2, wherein running the installation package file by the application emulator that has undergone lightweight kernel processing specifically means: activating, by code coverage technology, the application emulator that has undergone lightweight kernel processing to automatically run the installation package file.
A4. The method according to any one of A1-A3, wherein, before the installation package file is run in the sandbox, the method further includes:
determining whether the installation package file has been packed;
if so, unpacking the installation package file.
A5. The method according to A4, wherein determining whether the installation package file has been packed further includes:
parsing the installation package file with a script and determining whether the installation package file contains a reinforcement vendor identifier and a reinforcement scheme.
A6. The method according to A4, wherein, after the installation package file is unpacked, the method further includes:
instrumenting the installation package file.
A7. The method according to any one of A1-A3, wherein analyzing the behavioral data specifically includes: performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavioral data.
A8. The method according to any one of A1-A3, wherein analyzing the behavioral data to obtain an analysis result further includes:
inputting the behavioral data into a preset behavioral data model and analyzing the behavioral data to obtain an analysis result, wherein the behavioral data model is obtained by training on the behavioral features in an application feature database.
A9. The method according to any one of A1-A3, wherein analyzing the behavioral data to obtain an analysis result further includes:
analyzing the behavioral data by pattern matching to obtain an analysis result.
A10. The method according to any one of A1-A3, wherein the behavioral data includes one or more of the following: running logs, runtime screenshots, transmitted data.
A11. The method according to any one of A1-A3, wherein the application is a mobile application or a non-mobile application.
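The packing check of A4-A6 (parse the package for a reinforcement vendor identifier and scheme, and unpack only when packing is found) as an added example. This is not the patent's own code: the vendor names, marker paths, size threshold and sample packages are constructed placeholders, and the stub-dex heuristic at the end is an assumption of this example, not something the patent describes.

```python
"""Packing check on an installation package, modelled on A4-A6.

Added example, not the patent's own code: parse the package's member list
(the "script parsing" step) and look for a reinforcement vendor identifier
and its scheme. Everything below (vendor names, marker paths, threshold,
sample packages) is constructed."""
import io
import zipfile

# Constructed signature table: vendor identifier -> (scheme, marker paths).
# Real packers leave different markers; these names are placeholders.
PACKER_SIGNATURES = {
    "vendor-A": ("native-shell", ("lib/armeabi/libvendorA_shell.so",
                                  "lib/arm64-v8a/libvendorA_shell.so")),
    "vendor-B": ("dex-encryption", ("assets/vendorB/classes.jar",)),
}

# Assumption (generic heuristic, not from the patent): a packed app often
# ships a tiny stub classes.dex plus a native loader library.
SMALL_DEX_BYTES = 64 * 1024

# Members every constructed sample carries; the dex is a 72-byte stub.
BASE_ENTRIES = {
    "AndroidManifest.xml": b"<binary-xml placeholder>",
    "classes.dex": b"dex\n035\0" + b"\0" * 64,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}


def build_sample_apk(extra_entries=None):
    """Build an in-memory zip standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in {**BASE_ENTRIES, **(extra_entries or {})}.items():
            zf.writestr(name, data)
    return buf.getvalue()


def list_entries(apk_bytes):
    """Read member names and uncompressed sizes; nothing in the package runs."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: info.file_size for info in zf.infolist()}


def detect_packer(apk_bytes):
    """Return a dict describing the detected packing, or None if unpacked.

    Signature matches report the vendor identifier and scheme (A5); the
    stub-dex heuristic reports an unknown vendor so the package still goes
    through unpacking rather than straight into the sandbox."""
    entries = list_entries(apk_bytes)
    for vendor, (scheme, markers) in PACKER_SIGNATURES.items():
        found = [m for m in markers if m in entries]
        if found:
            return {"vendor": vendor, "scheme": scheme, "markers": found}
    native_libs = sorted(n for n in entries
                         if n.startswith("lib/") and n.endswith(".so"))
    if native_libs and entries.get("classes.dex", 0) < SMALL_DEX_BYTES:
        return {"vendor": None, "scheme": "unknown (stub dex + native loader)",
                "markers": native_libs}
    return None


def needs_unpacking(apk_bytes):
    """Decision of A4: unpack before sandboxing only when packing is detected."""
    return detect_packer(apk_bytes) is not None


if __name__ == "__main__":
    packed = build_sample_apk({"lib/armeabi/libvendorA_shell.so": b"\x7fELF stub"})
    print(detect_packer(packed))
    print(needs_unpacking(build_sample_apk()))
```

The member list is read with the standard zip reader only; no code from the package is loaded or executed at this stage, which is the property the pre-sandbox check should keep. A signature hit gives the unpacking step the vendor and scheme it needs; the heuristic branch only flags that unpacking is worth attempting.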
The invention also discloses: B12. A device for dynamically analyzing an application, wherein the device includes:
an acquisition module, configured to obtain the installation package file of the application to be analyzed;
a behavioral data collection module, configured to run the installation package file in a sandbox and collect the behavioral data that the installation package file produces while running;
an analysis module, configured to analyze the behavioral data to obtain an analysis result.
B13. The device according to B12, wherein the behavioral data collection module is further configured to: collect, by taint analysis and/or hooking, the behavioral data produced while the installation package file is run by an application emulator that has undergone lightweight kernel processing.
B14. The device according to B13, wherein the behavioral data collection module includes: a trigger unit, configured to activate, by code coverage technology, the application emulator that has undergone lightweight kernel processing to automatically run the installation package file;
a behavioral data collection unit, configured to collect, by taint analysis and/or hooking, the behavioral data produced while the installation package file runs.
B15. The device according to any one of B12-B14, wherein the device further includes: an unpacking module, configured to determine whether the installation package file has been packed and, when it is determined that the installation package file has been packed, to unpack the installation package file.
B16. The device according to B15, wherein the unpacking module is further configured to: parse the installation package file with a script and determine whether the installation package file contains a reinforcement vendor identifier and a reinforcement scheme.
B17. The device according to B15, wherein the device further includes: an instrumentation module, configured to instrument the installation package file.
B18. The device according to any one of B12-B14, wherein the analysis module is specifically configured to: perform sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavioral data.
B19. The device according to any one of B12-B14, wherein the analysis module is further configured to: input the behavioral data into a preset behavioral data model and analyze the behavioral data to obtain an analysis result, wherein the behavioral data model is obtained by training on the behavioral features in an application feature database.
B20. The device according to any one of B12-B14, wherein the analysis module is further configured to: analyze the behavioral data by pattern matching to obtain an analysis result.
B21. The device according to any one of B12-B14, wherein the behavioral data includes one or more of the following: running logs, runtime screenshots, transmitted data.
B22. The device according to any one of B12-B14, wherein the application is a mobile application or a non-mobile application.
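The pattern-matching analysis of A7 and A9 (restated for the analysis module in B18 and B20) as an added example that is not the patent's own code: sensitive-behavior, malicious-behavior, behavior-trend, permission and classification analysis run over constructed running-log lines of the kind A10/B21 lists. The log format, the API names that appear in it, the rule tables and the declared-permission set are all constructed for this example; a real sandbox emits its own record format and needs its own rule tables.

```python
"""Pattern-matching analysis of sandbox behavioral data (A7/A9, B18/B20).

Added example, not the patent's own code. Log format, API names, rule
tables and the declared-permission set are constructed for illustration."""
import re
from collections import Counter

# Constructed running log: "<ms since start> <API> <arguments>".
SAMPLE_LOG = """\
0120 android.telephony.TelephonyManager.getDeviceId
0150 android.content.ContentResolver.query content://contacts/people
0400 java.net.HttpURLConnection.connect http://203.0.113.7/upload
0410 java.net.HttpURLConnection.getOutputStream bytes=20480
0900 android.telephony.SmsManager.sendTextMessage to=+15550100 body=CONFIRM
1200 java.lang.Runtime.exec su
1300 java.lang.Runtime.exec chmod 777 /data/local/tmp/payload
"""

# Sensitive-behavior patterns: (category, permission exercised, regex).
# Order matters: the first match per line wins, so specific before generic.
SENSITIVE_PATTERNS = [
    ("device_id", "READ_PHONE_STATE", re.compile(r"TelephonyManager\.getDeviceId")),
    ("contacts_read", "READ_CONTACTS", re.compile(r"ContentResolver\.query content://contacts")),
    ("network_send", "INTERNET", re.compile(r"HttpURLConnection\.(connect|getOutputStream)")),
    ("sms_send", "SEND_SMS", re.compile(r"SmsManager\.sendTextMessage")),
    ("root_exec", None, re.compile(r"Runtime\.exec su\b")),
    ("shell_exec", None, re.compile(r"Runtime\.exec ")),
]

# Malicious-behavior rules: an ordered sequence of sensitive categories.
MALICIOUS_RULES = [
    ("data_exfiltration", ["contacts_read", "network_send"]),
    ("privilege_escalation", ["root_exec"]),
]


def parse_log(text):
    """Split log lines into (timestamp_ms, rest); malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        ms, _, rest = line.strip().partition(" ")
        if ms.isdigit():
            events.append((int(ms), rest))
    return events


def match_sensitive(events):
    """Sensitive behavior analysis: tag each event with its first matching category."""
    hits = []
    for ms, rest in events:
        for category, permission, pattern in SENSITIVE_PATTERNS:
            if pattern.search(rest):
                hits.append((ms, category, permission))
                break
    return hits


def find_malicious(hits):
    """Malicious behavior analysis: a rule fires when its categories occur in order."""
    cats = [c for _, c, _ in hits]
    fired = []
    for name, sequence in MALICIOUS_RULES:
        pos = 0
        for step in sequence:
            try:
                pos = cats.index(step, pos) + 1
            except ValueError:
                break
        else:
            fired.append(name)
    return fired


def permission_analysis(hits, declared):
    """Permission analysis: permissions exercised at runtime vs. those declared."""
    used = {p for _, _, p in hits if p}
    return {"undeclared_used": sorted(used - declared),
            "declared_unused": sorted(declared - used)}


def behavior_trend(hits, window_ms=500):
    """Behavior trend analysis: sensitive events per fixed time window."""
    return dict(Counter(ms // window_ms for ms, _, _ in hits))


def classify(malicious):
    """Behavior classification from the malicious rules that fired."""
    if "data_exfiltration" in malicious:
        return "spyware-like"
    return "suspicious" if malicious else "no malicious pattern"


def analyze(log_text, declared_permissions):
    """Run every analysis of A7 over one running log and return the result."""
    hits = match_sensitive(parse_log(log_text))
    malicious = find_malicious(hits)
    return {"sensitive": [c for _, c, _ in hits],
            "malicious": malicious,
            "permissions": permission_analysis(hits, declared_permissions),
            "trend": behavior_trend(hits),
            "classification": classify(malicious)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, {"INTERNET", "READ_PHONE_STATE"}))
```

Sequence rules are deliberately order-sensitive: a contacts read followed by a network send is what the exfiltration rule looks for, and the same two events in the opposite order do not fire it. The permission comparison surfaces both directions of mismatch, runtime use of permissions the package never declared and declared permissions that the sandbox run never exercised.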

Claims (10)

1. A method for dynamically analyzing an application, characterized in that the method includes:
obtaining the installation package file of the application to be analyzed;
running the installation package file in a sandbox and collecting the behavioral data that the installation package file produces while running;
analyzing the behavioral data to obtain an analysis result.
2. The method according to claim 1, characterized in that collecting the behavioral data that the installation package file produces while running further includes:
collecting, by taint analysis and/or hooking, the behavioral data produced while the installation package file is run by an application emulator that has undergone lightweight kernel processing.
3. The method according to claim 2, characterized in that running the installation package file by the application emulator that has undergone lightweight kernel processing specifically means: activating, by code coverage technology, the application emulator that has undergone lightweight kernel processing to automatically run the installation package file.
4. The method according to any one of claims 1-3, characterized in that, before the installation package file is run in the sandbox, the method further includes:
determining whether the installation package file has been packed;
if so, unpacking the installation package file.
5. The method according to claim 4, characterized in that determining whether the installation package file has been packed further includes:
parsing the installation package file with a script and determining whether the installation package file contains a reinforcement vendor identifier and a reinforcement scheme.
6. The method according to claim 4, characterized in that, after the installation package file is unpacked, the method further includes:
instrumenting the installation package file.
7. The method according to any one of claims 1-3, characterized in that analyzing the behavioral data specifically includes: performing sensitive behavior analysis, malicious behavior analysis, behavior trend analysis, permission analysis and/or behavior classification analysis on the behavioral data.
8. The method according to any one of claims 1-3, characterized in that analyzing the behavioral data to obtain an analysis result further includes:
inputting the behavioral data into a preset behavioral data model and analyzing the behavioral data to obtain an analysis result, wherein the behavioral data model is obtained by training on the behavioral features in an application feature database.
9. The method according to any one of claims 1-3, characterized in that analyzing the behavioral data to obtain an analysis result further includes:
analyzing the behavioral data by pattern matching to obtain an analysis result.
10. A device for dynamically analyzing an application, characterized in that the device includes:
an acquisition module, configured to obtain the installation package file of the application to be analyzed;
a behavioral data collection module, configured to run the installation package file in a sandbox and collect the behavioral data that the installation package file produces while running;
an analysis module, configured to analyze the behavioral data to obtain an analysis result.
CN201611160804.3A 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program Active CN106778247B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611160804.3A CN106778247B (en) 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611160804.3A CN106778247B (en) 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program

Publications (2)

Publication Number Publication Date
CN106778247A true CN106778247A (en) 2017-05-31
CN106778247B CN106778247B (en) 2020-09-08

Family

ID=58887552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611160804.3A Active CN106778247B (en) 2016-12-15 2016-12-15 Method and device for dynamically analyzing application program

Country Status (1)

Country Link
CN (1) CN106778247B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009424A (en) * 2017-11-22 2018-05-08 北京奇虎科技有限公司 Virus behavior detection method, apparatus and system
CN108021806A (en) * 2017-11-24 2018-05-11 北京奇虎科技有限公司 A kind of recognition methods of malice installation kit and device
CN108920943A (en) * 2018-05-08 2018-11-30 国家计算机网络与信息安全管理中心 The method and device of installation binding behavior is detected for application software
CN109492355A (en) * 2018-11-07 2019-03-19 中国科学院信息工程研究所 A kind of software analysis resistant method and system based on deep learning
CN109740351A (en) * 2018-12-28 2019-05-10 广东电网有限责任公司 A kind of leak detection method, device and the equipment of embedded firmware
WO2020019524A1 (en) * 2018-07-27 2020-01-30 平安科技(深圳)有限公司 Data processing method and device
CN111079146A (en) * 2019-12-10 2020-04-28 苏州浪潮智能科技有限公司 Malicious software processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm
CN105160251A (en) * 2015-07-06 2015-12-16 国家计算机网络与信息安全管理中心 Analysis method and device of APK (Android Packet) application software behavior
CN105959372A (en) * 2016-05-06 2016-09-21 华南理工大学 Internet user data analysis method based on mobile application
CN106022130A (en) * 2016-05-20 2016-10-12 中国科学院信息工程研究所 Shelling method and device for reinforced application program

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009424A (en) * 2017-11-22 2018-05-08 北京奇虎科技有限公司 Virus behavior detection method, apparatus and system
CN108021806A (en) * 2017-11-24 2018-05-11 北京奇虎科技有限公司 A kind of recognition methods of malice installation kit and device
CN108021806B (en) * 2017-11-24 2021-10-22 北京奇虎科技有限公司 Malicious installation package identification method and device
CN108920943A (en) * 2018-05-08 2018-11-30 国家计算机网络与信息安全管理中心 The method and device of installation binding behavior is detected for application software
WO2020019524A1 (en) * 2018-07-27 2020-01-30 平安科技(深圳)有限公司 Data processing method and device
CN109492355A (en) * 2018-11-07 2019-03-19 中国科学院信息工程研究所 A kind of software analysis resistant method and system based on deep learning
CN109740351A (en) * 2018-12-28 2019-05-10 广东电网有限责任公司 A kind of leak detection method, device and the equipment of embedded firmware
CN111079146A (en) * 2019-12-10 2020-04-28 苏州浪潮智能科技有限公司 Malicious software processing method and device

Also Published As

Publication number Publication date
CN106778247B (en) 2020-09-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200728

Address after: 215028 No. 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province

Applicant after: JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.

Applicant after: JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.

Address before: Suzhou City, Jiangsu province 215021 East Road, Suzhou Industrial Park, No. 88 building 2.5 Industrial Park building C2 4F

Applicant before: JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.

GR01 Patent grant