CN108133139A - Android malicious application detection system based on behaviour comparison across multiple running environments - Google Patents
- Publication number: CN108133139A (application number CN201711217805.1A)
- Authority
- CN
- China
- Prior art keywords
- behavior
- application program
- simulator
- application
- record
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
An Android malicious application detection system based on behaviour comparison across multiple running environments, comprising: an information extraction module, which decompiles the APK installation file under test and provides supporting data for the subsequent log analysis; a dynamic analysis module, which dynamically analyses the Android application in a sandbox and records the behaviours performed while the program runs; an environment detection countermeasure module, which detects environment-probing behaviour in real time while the program runs and counters probes at each level by replacing the result of the application's environment check with the feature of a camouflaged running environment; a behaviour record analysis module, which uniformly processes and analyses all behaviour logs after an application under test has been run repeatedly; and a system operation scheduling module, which controls the whole service flow while the system runs. The system captures the behavioural differences of an application between environments and determines whether it contains malicious behaviour, and is suited to identifying environment-sensitive malicious applications.
Description
Technical field
The invention belongs to the technical field of network security, and in particular to an Android malicious application detection system based on behaviour comparison across multiple running environments.
Background technology
The Internet has developed rapidly and reached a considerable scale. With the rise of intelligent mobile terminals in recent years, the mobile Internet has also grown quickly, and smartphones and tablets are now ubiquitous in daily life. Among mobile operating systems, the Android platform is welcomed by many device manufacturers and developers because it is easy to use, open source, and highly extensible and customisable, and it has gathered a huge base of enthusiasts and users.

Precisely because of its high market share and its open-source nature, Android has become the target of many malware authors and underground industry operators, and a large amount of malicious code aimed at the Android platform has appeared with it. Research into mature techniques for quickly and effectively detecting such malicious code therefore not only protects the privacy and property of users and reduces their losses, but also largely protects the interests of Android application developers. Current techniques for detecting Android malicious code can be divided into two classes: static and dynamic.
Traditional static detection mostly analyses the repackaging that is widespread in malicious code and the abuse of permissions within it. It has to analyse the APK installation package of the application, decompile the executable file and examine the other resource files to obtain basic data, and then mine and classify that data to decide the nature of the application. With the continuing development of encryption and obfuscation techniques, however, static analysis finds it hard to obtain effective detail.
Existing dynamic detection techniques actually run the application in various simulated environments and detect malicious code from the dynamic feature information the application really exhibits while it is monitored. The simulated environments widely used by current dynamic detection systems are mostly based on virtualisation technology such as QEMU, VirtualBox or VMware. Whatever the technology, a simulated environment always differs in some respects from a real physical device, and an application can obtain information from its running environment that reveals these differences. So if a malicious application is sensitive to its running environment, discovers that it is running in a simulated environment, and infers that this environment is probably part of a dynamic detection system, it simply does not perform its sensitive behaviour and thereby evades detection. This behaviour of probing for a simulated environment and changing the program's operating state is called anti-emulator behaviour, and it is a key factor limiting the effectiveness of dynamic detection. A method is therefore needed that copes with the anti-emulator behaviour of applications and effectively detects environment-sensitive malicious applications, to make up for this deficiency of dynamic detection.
Summary of the invention
To overcome the above disadvantages of the prior art, the purpose of the present invention is to provide an Android malicious application detection system based on behaviour comparison across multiple running environments. It relies on an isolated sandbox for dynamic analysis: it detects the running-environment probes an application performs while it runs, takes targeted countermeasures that disguise the actual running environment as several different environments, runs the application in each of these environments, captures and records the application's concrete behaviour in each environment with a dynamic behaviour capture method, and then analyses and compares the behaviour exhibited in the different environments. The behavioural differences of the application are thus captured and the presence of malicious behaviour determined, which makes the system applicable to environment-sensitive malicious applications that existing detection techniques cannot detect effectively.
To achieve these goals, the technical solution adopted by the present invention is as follows:
An Android malicious application detection system based on behaviour comparison across multiple running environments, comprising:
An information extraction module, which decompiles the APK installation file under test, analyses the information of each class in the smali files generated by decompilation, and provides supporting data for the subsequent log analysis;

A dynamic analysis module, which dynamically analyses Android applications using sandboxing. Its emulator sandbox running environment is assembled from a system runtime image, built from the Android native system with the system-call recording function added, and a customised emulator file system. It records the series of behaviours performed while the application runs and consists of submodules that record each behaviour the application under test exhibits at runtime;

An environment detection countermeasure module, which detects environment-probing behaviour in real time while the application runs, counters probes at each level by replacing the result of the application's environment check with the feature of a camouflaged running environment, and consists of dynamic modification submodules for the application layer, Android system layer, Linux system layer and emulator architecture layer features respectively;

A behaviour record analysis module, which uniformly processes and analyses all behaviour logs after an application under test has been run repeatedly, and consists of an application behaviour log preprocessing submodule, a behaviour sequence extraction submodule, a behaviour analysis and comparison submodule and a report generation submodule;

A system operation scheduling module, which controls the whole service flow while the system runs and consists of an emulator traffic control submodule, an application-to-be-analysed management submodule, a system event simulation submodule and a user interface event triggering submodule.
The system runtime image is the executable obtained by compiling the Android system source code after secondary modification. The modification targets the execution flow of each specific system API called in the six behaviour classes described under the dynamic analysis module, so that the dynamic analysis module can record the application's various behaviours as it executes.
The customised emulator file system is the Android emulator file system image file after user usage data such as contact information, call records, short messages and photos have been added to the initially configured image file.
The dynamic analysis module includes a network communication operation record submodule, a file operation record submodule, an encryption and decryption operation record submodule, a system shell operation record submodule, a privacy acquisition behaviour record submodule and a sensitive operation record submodule.
Compared with the prior art, the beneficial effects of the invention are as follows:
1. Using dynamic analysis effectively avoids anti-analysis methods such as application packing and obfuscation that static analysis cannot easily resolve.
2. Re-running the application in several running environments and analysing and comparing its behaviour can accurately detect the application's anti-emulator behaviour, decide whether it hides malicious behaviour, and indicate whether it is a malicious application.
3. Simple and efficient data analysis algorithms record the application's real behaviour in real time and process large volumes of behaviour data efficiently.
4. The collected application behaviour data is reliable and accurate, and no additional information about the application under test is required.
5. The dynamically generated running environment can flexibly customise every environmental feature, which makes the whole system easy to update, upgrade and extend.
6. As an extension of existing Android application analysis platforms, the system can enhance their overall analysis and detection capability.
Description of the drawings
Fig. 1 is the overall operation flow chart of the system.
Fig. 2 shows the structure of each submodule of the dynamic analysis module.
Fig. 3 is the flow diagram of the traffic control module of the system.
Fig. 4 is the flow diagram of the dynamic analysis module.
Specific embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and exemplary embodiments. The exemplary embodiments described here only explain the invention and are not intended to limit its scope.
The overall operation flow of the behaviour-comparison-based Android malicious application detection system is shown in Fig. 1. The four main modules drawn there are the information extraction module, the dynamic analysis module, the environment detection countermeasure module and the behaviour record analysis module; the system operation scheduling module is not drawn in the flow chart. The scheduling module controls the whole service flow while the system runs, re-running the same application under test several times. Each run proceeds as follows: the emulator sandbox running environment of the dynamic analysis module is first reverted to its preset initial state; the application under test is then installed and started; while it runs, the environment detection countermeasure module camouflages the environmental features of the application layer, Android system layer, Linux system layer and emulator architecture layer, while the dynamic analysis module records the application's system-call behaviour into a series of behaviour log files. After the same application has been run several times, the behaviour record analysis module processes and analyses the series of run logs it generated, calculates the consistency between them, and from the resulting consistency matrix judges whether the application hides malicious behaviour in specific running environments, indicates whether it is malicious, and outputs a detection report.
Each module detailed functions content is as follows:
1. Information extraction module
Because the subsequent behaviour comparison module needs the information of all class files in the application, the original APK installation file is first decompiled and the information of each class in the resulting smali files is analysed, preparing for the later behaviour log analysis.

Before each application is run in the dynamic analysis environment, the Android APK decompilation tool apktool is used to decompile the APK file into a series of smali files. The smali files produced by decompilation are scanned to extract the information of every class in the source code, which is saved in a database for later use by the behaviour comparison module.
2. Dynamic analysis module
The dynamic analysis module of this system dynamically analyses Android applications using sandboxing. Its main body is an emulator sandbox running environment assembled from two parts: a system runtime image, built from the Android native system with the system-call recording function added, and a customised emulator file system. Its actual operation flow is shown in Fig. 4.

The system runtime image used by the module is the executable obtained by compiling the Android system source code after secondary modification. The modification targets the execution flow of each specific system API called in the six behaviour classes described under the dynamic analysis module, so that the module can record the application's various behaviours as it executes.

The customised emulator file system used by the module is the Android emulator file system image file after user usage data such as contact information, call records, short messages and photos have been added to the initially configured image file.
The main flow is as follows:
Step 1: Start the emulator and wait for it to start, then unlock the screen.
Step 2: If bugNum in the current analysis state is less than 2, continue to fetch an APK file from the list of applications being analysed or from the queue to be analysed.
Step 3: Set the emulator state to busy, install the application, open it, switch it between foreground and background, invoke the simulated system event actions, then close and uninstall it. If any error occurs during this whole process, add 1 to bugNum and proceed to the next step.
Step 4: After clearing the emulator's busy state, close the emulator gracefully with a telnet console command; if that fails, close the emulator process directly with the kill command.
Operations such as installing the application can only be carried out after the emulator has started completely, and simply checking whether the sys.boot_completed system property that the system sets automatically equals 1 is not enough to decide that accurately. After sys.boot_completed has become 1, the system must also check whether the emulator screen is still completely black; if it is, startup is not yet complete. After the screen shows an image, it must also check whether the number of processes in the system is still increasing; only when the process count has stopped growing for a period of time is the emulator considered fully started.
Malicious applications mostly activate their malicious behaviour by registering broadcast receivers in the system for particular system events, and the events they exploit mostly belong to a few classes that reflect the running state of the system and show some regularity, for example the boot-completed broadcast, user interaction broadcasts, WiFi network state change broadcasts and SIM card network state change broadcasts. So once the emulator has fully started, the application under test has been installed, and the running environment features have been set, the application must be started and a series of these system events injected to trigger its response behaviour.
To ensure that the same application receives identical input across its several runs, the order and intervals of the system event sequence sent during the first run are recorded, and in subsequent runs the same system events are sent at the same recorded points in time. In addition, after receiving a system event a malicious application may start a Service component that covertly performs running-environment probes and sensitive behaviour in the background, or may bring an Activity component of the application to the foreground and lure the user into operating a phishing interface in order to obtain further permissions or private user information. User interface (UI) triggering techniques are therefore needed to operate the application's user interface; this part of the user interface operation is handled by the system operation scheduling module.
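The scheduling steps above, the three-stage full-startup check and the record-and-replay of the stimulus events, as an added example in Python (not the patent's own code). It assumes `adb` is on PATH with exactly one emulator attached, that `ps -A` prints one process per line after a header, that raw `screencap` output is a 12- or 16-byte header followed by RGBA_8888 pixels, and that the modified system image accepts the broadcasts sent with `am broadcast` (stock Android rejects some of them, such as BOOT_COMPLETED, from a shell). The probes and the clock are parameters so the logic can be exercised without an emulator.

```python
"""Emulator scheduling for the dynamic analysis module: full-startup detection and
deterministic replay of the stimulus event sequence across runs (added example)."""
import subprocess
import time


def adb(*args, binary=False):
    """Run one adb command; `exec-out` keeps raw binary output intact (assumes one device)."""
    cmd = ["adb", "exec-out" if binary else "shell", *args]
    return subprocess.run(cmd, capture_output=True, check=True, text=not binary).stdout


def raw_screen_is_black(raw):
    """Raw `screencap` output: 12- or 16-byte header, then RGBA_8888 pixels. Skipping 16
    bytes keeps the 4-byte stride either way; black means R, G and B are 0 in every pixel."""
    px = raw[16:]
    return not (any(px[0::4]) or any(px[1::4]) or any(px[2::4]))


def adb_boot_completed():
    return adb("getprop", "sys.boot_completed").strip() == "1"


def adb_screen_is_black():
    return raw_screen_is_black(adb("screencap", binary=True))


def adb_process_count():
    return len(adb("ps", "-A").splitlines()) - 1   # drop the header line


def wait_for_emulator(boot_completed=adb_boot_completed, screen_is_black=adb_screen_is_black,
                      process_count=adb_process_count, stable_for=10.0, poll=1.0,
                      timeout=300.0, clock=time.monotonic, sleep=time.sleep):
    """sys.boot_completed == 1, then a screen that is no longer black, then a process
    count that has stopped growing for `stable_for` seconds. False on timeout."""
    deadline = clock() + timeout
    booted = drawn = False
    last_count = stable_since = None
    while clock() < deadline:
        if not booted:
            booted = boot_completed()
        elif not drawn:
            drawn = not screen_is_black()
        else:
            count = process_count()
            if count != last_count:              # still spawning: restart the quiet window
                last_count, stable_since = count, clock()
            elif clock() - stable_since >= stable_for:
                return True
        sleep(poll)
    return False


class EventTape:
    """Records the offset of every system event sent during the first run of an APK so
    that later runs, in differently camouflaged environments, receive the same events
    at the same instants and their behaviour logs stay comparable."""

    def __init__(self, clock=time.monotonic):
        self.clock, self.start, self.events = clock, None, []

    def send(self, action, sender=None):
        if self.start is None:
            self.start = self.clock()
        self.events.append((self.clock() - self.start, action))
        (sender or self._broadcast)(action)

    def replay(self, sender=None, sleep=time.sleep):
        start = self.clock()
        for offset, action in self.events:
            delay = start + offset - self.clock()
            if delay > 0:
                sleep(delay)
            (sender or self._broadcast)(action)

    @staticmethod
    def _broadcast(action):
        adb("am", "broadcast", "-a", action)


if __name__ == "__main__":
    if not wait_for_emulator():
        raise SystemExit("emulator did not finish starting")
    tape = EventTape()
    tape.send("android.intent.action.BOOT_COMPLETED")
    time.sleep(5)
    tape.send("android.net.wifi.STATE_CHANGE")
    # after the environment has been re-camouflaged and the APK reinstalled:
    tape.replay()
```

The quiet window restarts whenever the process count changes, so a late-starting system service extends the wait instead of being treated as the application's own activity; the UI triggering the text mentions is left to the scheduling module and is not shown here.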
Meanwhile the module is also responsible for recording a series of behaviors performed in application program operational process, mainly
Writing function includes following 6 aspects, as shown in Figure 2:
(1) network communication behavior record:Including TCP communication record, UDP communications records, http communication record, DNS communications
Record and network traffic record.
(2) file operation behavior record:Including file operation record and sqlite database manipulations record.
(3) encryption and decryption operation behavior records:Operation note is recorded and decrypted including cryptographic operation.
(4) system shell operation behaviors record:Including putting forward power order, mount orders, chown orders, chmod orders note
Record.
(5) privacy information obtains behavior record:Including obtaining system information behavior record, obtaining phone/call/email
Information behavior record obtains browser information behaviors record and obtains location information behavior record.
(6) sensitive operation behavior record:It is recorded including dynamic load behavior record, Android components operation behavior and quick
Feel operation behavior record.
The dynamic analysis module monitors and records all of the above behaviours while the application under test runs and stores them in log files; after a run of the application ends, the logs are extracted from the simulated environment and saved in the directory of logs to be analysed, where they wait for the behaviour record analysis module.

All monitoring information is output through the Android system's logging facility; its built-in logging tool can filter and extract system log entries by tag and record them to a disk file. If every call to a monitored system API were recorded, however, the large number of behaviours performed by system applications would also require additional disk write operations, which would substantially reduce the system's efficiency and seriously slow dynamic analysis. So when a monitored API is called, the caller's process number is compared with the process number of the monitored application, and the call is written to disk only if they are equal; otherwise it is not recorded. This reduces the impact on system speed to a minimum.
Because Android applications frequently execute in several threads, this module uses a behaviour record generation technique and a behaviour record comparison technique adapted to multi-process applications. When a system API called during the application's run is recorded, the process number of the caller and the call stack of the caller's thread are recorded with it, and all of these are finally stored together in a disk file. After the application finishes running in the emulator, the dynamic analysis module extracts the behaviour record file from the emulator, classifies and aggregates each record by the class name of its operation and the caller's process number, sorts the records by timestamp, and finally forms the sequence of Android system API calls made by each process during the application's run.
3. Environment detection countermeasure module
This module detects environment-probing behaviour in real time while the application runs and counters probes at each level by replacing the result of the application's environment check with the feature of a camouflaged running environment. According to the method an application uses to detect a simulated running environment, the features that reveal the type of running environment belong to four different levels:
(1) Application layer
Application-layer anti-emulator methods mainly use indicative features such as whether contact records, call records and short message records exist on the device to judge whether the running environment is simulated or real.
(2) Android system layer
Android-system-layer anti-emulator methods mainly judge whether the running environment is simulated or real from device status information (IMSI, ICCID, IMEI, phone number and so on), device hardware information (battery level, WiFi module MAC address, GPS position and so on) and system property information (obtained by calling the Android system property accessor methods, reading the build.prop file and so on).
(3) Linux system layer
Linux-system-layer anti-emulator methods mainly judge whether the running environment is simulated or real from device activation information, device fingerprint files, the getprop command and the like.
(4) Emulator architecture layer
Emulator-architecture-layer anti-emulator methods mainly judge whether the running environment is simulated or real by inspecting device CPU information fingerprint files, device-specific processes and the like.
Beyond the methods included in the four classes above, the environment detection countermeasure module can also modify other features as needed and generate new running environments, so as to deceive the application under test.
Dynamic camouflage of the running-environment features above can be implemented by modifying the Android system source code, or by other means. The source-code implementation customises each feature dynamically using the following three methods.

First, for environmental features that are system properties, a special system property modification tool is used after the emulator starts to change the property values held in the system kernel, and some custom properties are added to control the camouflage of Android system API features and file features. The tool is needed because some read-only properties cannot be changed under the system's default rules, so the change has to be made by modifying memory. A special case among system properties is the Build static variables of the Android system, such as the Build.DEVICE attribute mentioned above. These are Java fields declared static final, whose values cannot be changed by modifying memory directly; instead, code is injected into the zygote initialisation process, the field's modifiers are changed by reflection, and then its value is changed. Because the zygote process is the parent of every other application process in Android, after it has been modified every application started afterwards sees the same values of the Build static variables.
Second, for features obtained by calling an Android system API and using its return value to judge the running environment, the Android framework, when the application calls the API, reads the custom property value added beforehand for that API from the system properties and returns it to the application as the API's return value instead of the actual value. Since many system applications also read some system properties through these APIs while Android runs, and would probably make the system unstable or even crash if the values they received did not match reality, the framework checks at runtime which process is calling these APIs and returns the camouflaged value only to calls from the process of the application under test.
Third, for detection methods based on file features, an application may test whether a fingerprint file of the running environment exists, or whether a file contains a feature string that identifies the environment. So when a file is opened, the Android framework checks whether the opening process is the process of the application under test and then whether the file being opened is a fingerprint file that reveals the running environment; if both conditions hold, the file operation is redirected to a prepared simulated file, which camouflages the running environment's file features.
4. Behaviour record analysis module
This module uniformly processes and analyses all behaviour logs after an application under test has been run repeatedly, and has four submodules: application behaviour log preprocessing, behaviour sequence extraction, behaviour analysis and comparison, and report generation.

The behaviour log preprocessing submodule tidies the original behaviour log files, extracts every system call that appears in any log, and arranges them in a list in which each system call corresponds to a unique integer number. The behaviour sequence extraction submodule then uses the mapping from system calls to numbers produced in the previous step to convert each individual behaviour log into a behaviour sequence. The behaviour analysis and comparison submodule compares every pair of behaviour sequences with an alignment algorithm, computes the similarity between them to obtain a measurement matrix, and counts the number of API calls in each behaviour record. The report generation submodule judges from the features of the consistency matrix whether the application hides malicious behaviour, indicates whether it is malicious, and outputs the detection report.
When the behaviour analysis and comparison submodule compares two behaviour records obtained from one application in different running environments, it first pairs threads by thread number across the two records and computes the similarity of the system API call sequences of each pair of threads. To reflect the similarity between two call sequences accurately, the edit distance between them is computed and converted into a real number between 0 and 1, where a larger value means the two are more similar. After the similarity of every thread pair has been computed, the individual similarities are accumulated into one overall similarity, each weighted by the share that the thread's API call records make up of all API call records in the behaviour record; this is the final similarity of the two behaviour records. Once the similarity between all behaviour records has been computed, the behaviour consistency matrix of the application's runs is obtained. Besides the similarity between behaviour records, the submodule also counts the differences in type and number of the system API functions called by two corresponding threads, producing a behaviour classification statistic. If the behaviour records of a pair of corresponding threads differ, and one thread calls a sensitive API function that the other does not, the application has hidden that part of its sensitive behaviour according to the running-environment information it collected.
The report generation submodule synthesises the behaviour records of one application after several dynamic runs, outputs the consistency matrix between the behaviour records, and uses a decision algorithm to decide whether the application shows a behavioural difference. If the comparison result between the behaviour record obtained in a running environment disguised according to a certain category and the behaviour record obtained in the original simulated running environment is below a threshold, the application is shown to have a behavioural difference, and the method it uses to detect the simulated running environment belongs to that category; the category of anti-simulator behaviour used by the application is determined in this way. The decision algorithm also analyses the differences in the behaviour classification statistics to decide whether the application concealed sensitive behaviour in a certain running environment; if hidden sensitive behaviour exists, the application is judged to be a malicious application that uses anti-simulator methods. Finally, the submodule summarises all analysis results into an analysis detection report and outputs it to the user.
6. System operation scheduler module
This module controls the operation flow of the whole system and comprises 4 submodules: the simulator service control submodule, the to-be-analysed application management submodule, the system event simulation submodule and the user interface event triggering submodule.
At system initialisation the simulator service control submodule starts simulators according to the input number of simulators to start, and then starts a control thread for each simulator, as shown in Figure 3. The simulator control thread provides a series of control operations for the simulator: run and stop, obtain and uninstall an application, install and run an application, stop an application, and so on.
The to-be-analysed application management submodule monitors the directory of applications to be analysed and maintains three queues: a to-be-analysed queue, a being-analysed queue and an analysis-completed queue. Each simulator service control submodule takes one application from the to-be-analysed queue, places it in the being-analysed queue, and moves it to the analysis-completed queue once its analysis is finished.
The system event simulation submodule is responsible for simulating, during the run of the application under test, system events that can occur while a real device is in use, so as to trigger the application's possible response behaviour to these system events. These include simulated boot-complete events, screen lock and unlock action events, receiving and sending short messages, dialling and receiving phone calls, position changes and so on.
The user interface event triggering submodule simulates user operation of the application to trigger the application's response behaviour to these user operations; it can also automatically start the various components present in the application, including exposed and non-exposed components. During user interface interaction simulation the UI Tree is traversed depth-first. While traversing the UI controls in the UI Tree, the user interface interaction simulation function triggers a different UI component event according to the UI control type, thereby simulating user operation. During traversal the application is started first and then all UI interfaces are traversed. Whenever a UI interface is traversed, all valid UI controls of that interface are obtained first, then every obtained UI control is traversed and a different UI component event is triggered according to its type. If triggering a control's UI component event changes the UI interface, the information of the former UI interface is saved on a stack and the new UI interface is traversed; when that traversal is complete, the former UI interface is returned to and its remaining controls continue to be traversed.
After the detection system has completed the whole repeated-run process for an application, the detection report is output in the final phase.
Since malicious applications account for a considerable proportion of the applications that show specific anti-simulator behaviour, and since the system combines this with the recording and comparative analysis of the application's sensitive behaviour, the output of the Android malicious application detection system of the invention can determine whether the application is a malicious application with anti-simulator behaviour, that is, an application that hides its sensitive malicious behaviour in a specific running environment.
The foregoing is merely a description of preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement and improvement made within the spirit and principle of the invention shall be included in the scope of protection of the invention.
In summary, the Android malicious application detection system based on behaviour comparison across multiple running environments provided by the invention analyses the behaviour that an APK program exhibits in different running environments in order to detect its malicious behaviour, and thereby further confirms whether it is a malicious application.
Claims (10)
1. An Android malicious application detection system based on behaviour comparison across multiple running environments, characterised in that it comprises:
an information extraction module, which decompiles the APK installation file under test, analyses the information about each class in the smali files produced by decompilation, and provides data support for the subsequent log analysis;
a dynamic analysis module, which dynamically analyses the Android application using sandbox technology; it consists of a system running image, based on the native Android system modified to have system call recording capability, and a customised simulator run-time file system, which together form the simulator sandbox running environment, and of a submodule that records the sequence of behaviours the application under test performs while it runs;
an environment detection countermeasure module, which detects the application's environment detection behaviour in real time while it runs and counters detection behaviour at different levels, replacing the result of the application's running-environment detection with the disguised running-environment features; it comprises dynamic modification submodules that dynamically modify the features of the application layer, the Android system layer, the Linux system layer and the simulator architecture layer respectively;
a behaviour record analysis module, which processes and analyses together all the behaviour logs produced after an application under test has completed several repeated runs; it comprises the application behaviour log pre-processing submodule, the behaviour sequence extraction submodule, the behaviour analysis comparison submodule and the report generation submodule;
a system operation scheduler module, which controls the overall service flow during system operation; it comprises the simulator service control submodule, the to-be-analysed application management submodule, the system event simulation submodule and the user interface event triggering submodule.
2. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that the workflow of the dynamic analysis module is as follows:
Step 1: start the simulator, wait for it to finish starting, and then unlock the screen;
Step 2: if bugNum in the current analysis state is less than 2, continue and obtain an APK file from the list of applications being analysed or from the to-be-analysed queue;
Step 3: set the simulator state to busy, install the application, open it, switch it between foreground and background, invoke the simulated system event actions, then close and uninstall the application; if any error occurs anywhere in this process, add 1 to bugNum directly and go to the next step;
Step 4: clear the simulator's busy state and close the simulator with a telnet command; if that fails, terminate the simulator process directly with the kill command.
3. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 2, characterised in that after the sys.boot_completed system property is found to be 1, it is further judged whether the current simulator screen is still completely black; if it is still black, the simulator has not yet fully started. After a picture appears on the simulator screen, it is further judged whether the number of processes in the system is still increasing; only when the number of processes no longer increases for a period of time is the simulator considered fully started. Once the simulator has fully started, the application under test is installed into it and the running-environment features are set, the application is started, a series of system events is input to trigger the application's response behaviour, and the order and interval times of the system events sent in the first run are recorded so that in subsequent runs the same system events are sent at the same points in time.
4. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that the system running image is an executable file compiled after secondary modification of the Android system source code; the modification alters the execution flow of each specific system API called in the 6 classes of behaviour described for the dynamic analysis module, so that the dynamic analysis module can record the various actions of the application during its execution.
The customised simulator run-time file system is the file-system image obtained by adding user usage data such as contact list information, call record information, short messages and photo information to the initially configured Android simulator file-system image.
5. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that in the environment detection countermeasure module the running-environment categories and their features, distinguished by the method the application uses to detect the simulated running environment, are as follows:
(1) application layer:
the running environment is judged to be simulated or real by detecting whether indicative applications are present on the device;
(2) Android system layer:
the running environment is judged to be simulated or real by detecting device status information, device hardware information and system property information;
(3) Linux system layer:
the running environment is judged to be simulated or real by detecting device activation information, device tag files and the output of the getprop command;
(4) simulator architecture layer:
the running environment is judged to be simulated or real by detecting device CPU information tag files and device characteristic processes;
in addition to the methods in the 4 classes listed above, the environment detection countermeasure module can, as needed, make countermeasure modifications to other features to generate new running environments, so as to deceive the application under test.
6. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that a running environment with the required features is generated dynamically by modifying the Android system source code, specifically:
first, for environment features that belong to system properties, a dedicated system property modifier changes the property values in the system kernel after the simulator has started, and also adds some custom properties that are used to control the disguise of Android system API features and file features; for the Build static variables of the Android system, whose values cannot be changed directly by modifying system properties, code is injected into the zygote initialisation process by process injection, the variables' modifiers are changed by reflection, and their values are then changed;
second, for features obtained as the return value of an Android system API call and used to judge running-environment information, when the application calls such an API the Android framework first obtains from the system properties the custom property value added for that API and returns that value to the application as the API's return value instead of the real value; during these API operations the Android framework can determine which process the call comes from, and only calls from the process of the application under test receive the disguised value;
third, for detection methods based on file features, where the application detects whether a tag file exists in the running environment or whether a feature string exists in a file, when a file is opened the Android framework first judges whether the process calling the open operation is the process of the application under test, and then judges whether the file being opened is a tag file that reveals the running environment; if both conditions are met, the file operation is redirected to a prepared simulated file, thereby disguising the file features of the running environment.
7. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that the essential recording functions of the dynamic analysis module cover the following aspects:
(1) network communication behaviour records: TCP communication records, UDP communication records, HTTP communication records, DNS communication records and network traffic records;
(2) file operation behaviour records: file operation records and sqlite database operation records;
(3) encryption and decryption behaviour records: encryption operation records and decryption operation records;
(4) system shell operation behaviour records: privilege escalation command, mount command, chown command and chmod command records;
(5) privacy information acquisition behaviour records: records of obtaining system information, obtaining phone/call/email information, obtaining browser information and obtaining location information;
(6) sensitive operation behaviour records: dynamic loading behaviour records, Android component operation behaviour records and sensitive operation behaviour records.
The dynamic analysis module monitors and records all of the above behaviours while the application under test runs, and all monitoring information is output to the log system of the Android system; when a monitored API is called it judges whether the caller's process ID equals the process ID of the monitored application, and only if they are equal is the operation actually recorded to disk, otherwise it is not recorded;
in the dynamic analysis module, when a system API called during the application's run is recorded, the process ID of the calling process and the call stack of the calling thread are recorded together with the API call and finally stored in a disk file; after the application finishes running in the simulator, the behaviour record generation module extracts the record file from the simulator, classifies and summarises each record in it by the caller's class name and process ID, sorts the records by timestamp, and finally forms the Android system API call sequence of each process during the application run.
8. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that the behaviour log pre-processing submodule organises the original behaviour log files, extracts the system calls that appear in all the logs, and arranges them as a list in which each system call corresponds to a unique integer number;
the behaviour sequence extraction submodule uses the mapping between system calls and numbers produced in the previous step to convert each individual behaviour log into a behaviour sequence;
the behaviour analysis comparison submodule compares the behaviour sequences pairwise with an alignment algorithm, computes the similarity between each pair to obtain the consistency matrix, and at the same time counts the number of API calls in each behaviour record;
the report generation submodule judges from the features of the consistency matrix whether the application has hidden malicious behaviour, marks it as malicious, and outputs the detection report.
9. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that when the behaviour analysis comparison submodule compares two behaviour records obtained for one application in different running environments, it first computes, thread by thread according to the thread numbers in the two records, the similarity of the system API call sequences of the corresponding threads; once the similarity of every pair of threads has been computed, the individual similarities are accumulated into one overall similarity, each weighted by the proportion of the API calls in that thread's system API call sequence to the total number of API calls in the whole behaviour record, and this is the final similarity result for the two behaviour records of the application; when the similarity comparisons between all behaviour records are complete, they form the behaviour consistency matrix of the application run;
the behaviour analysis comparison submodule also counts the differences between two corresponding threads in the type and number of system API functions they actually call, giving a behaviour classification statistic; if the behaviour records of a pair of corresponding threads in the two behaviour records are not identical, and one thread invokes a sensitive API function while the other does not, this shows that the application hid that sensitive behaviour according to the running-environment information it collected;
the report generation submodule synthesises the behaviour records of one application after several dynamic runs, outputs the consistency matrix between the behaviour records, and uses a decision algorithm to decide whether the application shows a behavioural difference; if the comparison result between the behaviour record obtained in a running environment disguised according to a certain category and the behaviour record obtained in the original simulated running environment is below a threshold, the application is shown to have a behavioural difference, the method it uses to detect the simulated running environment belongs to that category, and the category of anti-simulator behaviour used by the application is thereby determined; the decision algorithm also analyses the differences in the behaviour classification statistics to decide whether the application concealed sensitive behaviour in a certain running environment, and if hidden sensitive behaviour exists the application is judged to be a malicious application that uses anti-simulator methods.
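The following added example, which is not the patent's own code, models in Python the log-to-sequence pipeline of claim 7 and the comparison and decision steps of claims 8 and 9, as also described for the behaviour record analysis module above. The log line format, the monitored process ID, the sensitive API list, the normalisation of edit distance into [0, 1] and the 0.9 threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records of one APK run twice: in the unmodified simulator
# ("original") and with Android-system-layer features disguised ("system_layer").
# Line format is an assumption:  <timestamp> pid=<pid> tid=<tid> <caller class> <API>
LOG_ORIGINAL = """\
100 pid=1234 tid=1 com.example.Main android.os.Build.getSerial
101 pid=1234 tid=1 com.example.Main java.net.Socket.connect
102 pid=1234 tid=2 com.example.Worker java.io.File.open
103 pid=1234 tid=2 com.example.Worker java.net.Socket.connect
105 pid=4321 tid=1 com.other.App android.telephony.SmsManager.sendTextMessage
"""
LOG_SYSTEM_LAYER = """\
200 pid=1234 tid=1 com.example.Main android.os.Build.getSerial
201 pid=1234 tid=1 com.example.Main java.net.Socket.connect
202 pid=1234 tid=2 com.example.Worker java.io.File.open
203 pid=1234 tid=2 com.example.Worker android.telephony.SmsManager.sendTextMessage
204 pid=1234 tid=2 com.example.Worker java.net.Socket.connect
"""
SENSITIVE_APIS = {"android.telephony.SmsManager.sendTextMessage"}  # constructed list
LINE = re.compile(r"(\d+) pid=(\d+) tid=(\d+) (\S+) (\S+)")

def parse_record(text, monitored_pid):
    """Claim 7: keep only calls from the monitored process, group them by
    thread and order each thread's calls by timestamp."""
    threads = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and int(m.group(2)) == monitored_pid:
            threads[int(m.group(3))].append((int(m.group(1)), m.group(5)))
    return {tid: [api for _, api in sorted(calls)] for tid, calls in threads.items()}

def build_vocabulary(*records):
    """Claim 8 pre-processing: each distinct system call gets a unique integer."""
    apis = sorted({api for rec in records for calls in rec.values() for api in calls})
    return {api: number for number, api in enumerate(apis)}

def to_sequences(record, vocab):
    """Claim 8 sequence extraction: per-thread lists of call numbers."""
    return {tid: [vocab[api] for api in calls] for tid, calls in record.items()}

def edit_distance(a, b):
    """Levenshtein distance between two call-number sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Edit distance mapped into [0, 1], 1 meaning identical. Dividing by the
    longer sequence is an assumption; the page only states the range."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

def compare_records(seq_a, seq_b):
    """Claim 9: similarity of corresponding threads, each weighted by the thread's
    share of all API calls in the two records (a thread missing from one record
    scores 0 but still carries its weight)."""
    total = sum(map(len, seq_a.values())) + sum(map(len, seq_b.values()))
    if total == 0:
        return 1.0
    score = 0.0
    for tid in set(seq_a) | set(seq_b):
        a, b = seq_a.get(tid, []), seq_b.get(tid, [])
        score += (len(a) + len(b)) / total * similarity(a, b)
    return round(score, 4)

def hidden_sensitive_calls(rec_a, rec_b, sensitive):
    """Sensitive APIs that one thread invokes but its counterpart does not:
    the page's indicator that behaviour was hidden in one environment."""
    hidden = []
    for tid in sorted(set(rec_a) | set(rec_b)):
        calls_a, calls_b = set(rec_a.get(tid, [])), set(rec_b.get(tid, []))
        hidden += [(tid, api) for api in sorted((calls_a ^ calls_b) & sensitive)]
    return hidden

def decide(records, original, threshold, sensitive):
    """Report generation: consistency matrix, the disguise categories whose record
    falls below the threshold against the original run, and hidden behaviour."""
    vocab = build_vocabulary(*records.values())
    seqs = {name: to_sequences(rec, vocab) for name, rec in records.items()}
    names = list(records)
    matrix = [[compare_records(seqs[x], seqs[y]) for y in names] for x in names]
    base = names.index(original)
    categories = [n for i, n in enumerate(names)
                  if n != original and matrix[base][i] < threshold]
    hidden = {n: hidden_sensitive_calls(records[original], records[n], sensitive)
              for n in names if n != original}
    return {"names": names, "matrix": matrix, "anti_simulator_categories": categories,
            "hidden_sensitive": hidden, "malicious": any(hidden.values())}

def run_example():
    records = {"original": parse_record(LOG_ORIGINAL, 1234),
               "system_layer": parse_record(LOG_SYSTEM_LAYER, 1234)}
    return decide(records, "original", 0.9, SENSITIVE_APIS)

if __name__ == "__main__":
    print(run_example())
```

In the constructed data the SMS call appears only in the disguised run, so the report names the Android system layer as the anti-simulator category and flags the hidden sensitive behaviour; the line from pid 4321 is dropped by the process-ID check of claim 7.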
10. The Android malicious application detection system based on behaviour comparison across multiple running environments according to claim 1, characterised in that the simulator service control submodule starts simulators at system initialisation according to the input number of simulators to start, then starts a control thread for each simulator, and the simulator control thread provides a series of control operations for the simulator;
the to-be-analysed application management submodule monitors the directory of applications to be analysed and maintains a to-be-analysed queue, a being-analysed queue and an analysis-completed queue; each simulator service control submodule takes one application from the to-be-analysed queue, places it in the being-analysed queue, and moves it to the analysis-completed queue once its analysis is finished;
the system event simulation submodule is responsible for simulating, during the run of the application under test, system events that can occur while a real device is in use, so as to trigger the application's possible response behaviour to these system events;
the user interface event triggering submodule simulates user operation of the application to trigger the application's response behaviour to these user operations, and also automatically starts the various components present in the application, including exposed and non-exposed components; during user interface interaction simulation the UI Tree is traversed depth-first, and while traversing the UI controls in the UI Tree the user interface interaction simulation function triggers a different UI component event according to the UI control type, thereby simulating user operation.
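An added example, not code from the patent, of the depth-first UI Tree traversal with a stack of former interfaces described for the user interface event triggering submodule above and in claim 10. The interface model, control types and event names are constructed assumptions, and an interface that has already been traversed is not entered again (an assumption that keeps the traversal finite on cyclic navigation).

```python
# Constructed sample UI model (an assumption, not the system's real UI Tree):
# interface name -> list of (control type, control name, interface it opens or None)
SAMPLE_UI = {
    "Main": [("Button", "login", "Login"), ("EditText", "search", None),
             ("Button", "settings", "Settings")],
    "Login": [("EditText", "user", None), ("EditText", "pass", None),
              ("Button", "submit", "Main")],
    "Settings": [("CheckBox", "notify", None), ("Button", "about", "About")],
    "About": [("Button", "ok", "Settings")],
}
# UI component event triggered per control type (constructed names)
EVENTS = {"Button": "click", "EditText": "set_text", "CheckBox": "toggle"}

def traverse_ui(ui, start):
    """Depth-first traversal of the UI Tree starting from the interface shown
    after the application is started. Returns the ordered list of
    (interface, event, control) triggers, one per valid control."""
    visited = {start}
    triggers = []
    former = []                      # stack of (former interface, next control index)
    interface, index = start, 0
    while True:
        controls = ui[interface]     # all valid controls of the current interface
        if index < len(controls):
            ctype, name, opened = controls[index]
            index += 1
            triggers.append((interface, EVENTS.get(ctype, "click"), name))
            if opened is not None and opened not in visited:
                # the UI changed: save the former interface, traverse the new one first
                former.append((interface, index))
                visited.add(opened)
                interface, index = opened, 0
        elif former:
            # the new interface is finished: return to the former one and continue
            interface, index = former.pop()
        else:
            return triggers

if __name__ == "__main__":
    for step in traverse_ui(SAMPLE_UI, "Main"):
        print(step)
```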
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711217805.1A CN108133139B (en) | 2017-11-28 | 2017-11-28 | Android malicious application detection system based on multi-operation environment behavior comparison |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108133139A true CN108133139A (en) | 2018-06-08 |
CN108133139B CN108133139B (en) | 2020-06-26 |
Family
ID=62389035
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711217805.1A Active CN108133139B (en) | 2017-11-28 | 2017-11-28 | Android malicious application detection system based on multi-operation environment behavior comparison |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108133139B (en) |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109492391A (en) * | 2018-11-05 | 2019-03-19 | 腾讯科技(深圳)有限公司 | A kind of defence method of application program, device and readable medium |
CN110135160A (en) * | 2019-04-29 | 2019-08-16 | 北京邮电大学 | The method, apparatus and system of software detection |
CN110166493A (en) * | 2019-07-01 | 2019-08-23 | 武汉斗鱼鱼乐网络科技有限公司 | A kind of social client address list dynamic protection method and device |
CN110377499A (en) * | 2019-06-06 | 2019-10-25 | 北京奇安信科技有限公司 | The method and device that a kind of pair of application program is tested |
CN110427752A (en) * | 2019-08-06 | 2019-11-08 | 北京智游网安科技有限公司 | A kind of method, mobile terminal and the storage medium of sandbox monitoring application program |
CN110430177A (en) * | 2019-07-26 | 2019-11-08 | 北京智游网安科技有限公司 | A kind of monitoring method, intelligent terminal and the storage medium of APP network behavior |
CN110543760A (en) * | 2019-08-28 | 2019-12-06 | 南京市晨枭软件技术有限公司 | Software management system and software protection method thereof |
CN110737463A (en) * | 2019-10-24 | 2020-01-31 | 北京智游网安科技有限公司 | analysis method of key function source information, intelligent terminal and storage medium |
CN110889113A (en) * | 2019-10-30 | 2020-03-17 | 泰康保险集团股份有限公司 | Log analysis method, server, electronic device and storage medium |
CN110990054A (en) * | 2019-12-03 | 2020-04-10 | 北京明略软件***有限公司 | Configuration processing method and device of open source framework |
CN111104337A (en) * | 2019-12-30 | 2020-05-05 | 杭州云缔盟科技有限公司 | Method for detecting terminal simulator |
CN111259382A (en) * | 2018-11-30 | 2020-06-09 | 中国电信股份有限公司 | Malicious behavior identification method, device and system and storage medium |
CN111385309A (en) * | 2020-03-21 | 2020-07-07 | 薛爱君 | Security detection method, system and terminal for online office equipment |
CN111382424A (en) * | 2018-12-27 | 2020-07-07 | 全球能源互联网研究院有限公司 | Mobile application sensitive behavior detection method and system based on controlled environment |
CN111740817A (en) * | 2020-06-17 | 2020-10-02 | 国网天津市电力公司电力科学研究院 | Code tampering detection method and system for concentrator in electric power data acquisition system |
CN112527672A (en) * | 2020-12-21 | 2021-03-19 | 北京深思数盾科技股份有限公司 | Detection method and equipment for shell adding tool |
CN112685737A (en) * | 2020-12-24 | 2021-04-20 | 恒安嘉新(北京)科技股份公司 | APP detection method, device, equipment and storage medium |
CN112887388A (en) * | 2021-01-20 | 2021-06-01 | 每日互动股份有限公司 | Data processing system based on sandbox environment |
CN113672918A (en) * | 2021-08-04 | 2021-11-19 | 安天科技集团股份有限公司 | Malicious code detection method and device, storage medium and electronic equipment |
CN114528205A (en) * | 2022-01-24 | 2022-05-24 | 山东浪潮科学研究院有限公司 | Android-based application program analysis method, device and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102930210A (en) * | 2012-10-14 | 2013-02-13 | 江苏金陵科技集团公司 | System and method for automatically analyzing, detecting and classifying malicious program behavior |
CN103077351A (en) * | 2012-12-20 | 2013-05-01 | 北京奇虎科技有限公司 | Anti-detection system of virtual machine system |
CN105718793A (en) * | 2015-09-25 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification |
US20170111374A1 (en) * | 2015-10-20 | 2017-04-20 | Sophos Limited | Mitigation of anti-sandbox malware techniques |
-
2017
- 2017-11-28 CN CN201711217805.1A patent/CN108133139B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102930210A (en) * | 2012-10-14 | 2013-02-13 | 江苏金陵科技集团公司 | System and method for automatically analyzing, detecting and classifying malicious program behavior |
CN103077351A (en) * | 2012-12-20 | 2013-05-01 | 北京奇虎科技有限公司 | Anti-detection system of virtual machine system |
CN105718793A (en) * | 2015-09-25 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification |
US20170111374A1 (en) * | 2015-10-20 | 2017-04-20 | Sophos Limited | Mitigation of anti-sandbox malware techniques |
Non-Patent Citations (1)
Title |
---|
张翔飞: "基于多层次行为差异的沙箱逃逸检测及其实现", 《计算机工程与应用》 * |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109492391B (en) * | 2018-11-05 | 2023-02-28 | 腾讯科技(深圳)有限公司 | Application program defense method and device and readable medium |
CN109492391A (en) * | 2018-11-05 | 2019-03-19 | 腾讯科技(深圳)有限公司 | A kind of defence method of application program, device and readable medium |
CN111259382A (en) * | 2018-11-30 | 2020-06-09 | 中国电信股份有限公司 | Malicious behavior identification method, device and system and storage medium |
CN111382424A (en) * | 2018-12-27 | 2020-07-07 | 全球能源互联网研究院有限公司 | Mobile application sensitive behavior detection method and system based on controlled environment |
CN110135160A (en) * | 2019-04-29 | 2019-08-16 | 北京邮电大学 | The method, apparatus and system of software detection |
CN110135160B (en) * | 2019-04-29 | 2021-11-30 | 北京邮电大学 | Software detection method, device and system |
CN110377499A (en) * | 2019-06-06 | 2019-10-25 | 北京奇安信科技有限公司 | The method and device that a kind of pair of application program is tested |
CN110377499B (en) * | 2019-06-06 | 2023-05-23 | 奇安信科技集团股份有限公司 | Method and device for testing application program |
CN110166493A (en) * | 2019-07-01 | 2019-08-23 | 武汉斗鱼鱼乐网络科技有限公司 | A kind of social client address list dynamic protection method and device |
CN110166493B (en) * | 2019-07-01 | 2021-10-15 | 武汉斗鱼鱼乐网络科技有限公司 | Social client address book dynamic protection method and device |
CN110430177A (en) * | 2019-07-26 | 2019-11-08 | 北京智游网安科技有限公司 | A kind of monitoring method, intelligent terminal and the storage medium of APP network behavior |
CN110427752A (en) * | 2019-08-06 | 2019-11-08 | 北京智游网安科技有限公司 | A kind of method, mobile terminal and the storage medium of sandbox monitoring application program |
CN110543760A (en) * | 2019-08-28 | 2019-12-06 | 南京市晨枭软件技术有限公司 | Software management system and software protection method thereof |
CN110737463A (en) * | 2019-10-24 | 2020-01-31 | 北京智游网安科技有限公司 | analysis method of key function source information, intelligent terminal and storage medium |
CN110889113A (en) * | 2019-10-30 | 2020-03-17 | 泰康保险集团股份有限公司 | Log analysis method, server, electronic device and storage medium |
CN110990054A (en) * | 2019-12-03 | 2020-04-10 | 北京明略软件***有限公司 | Configuration processing method and device of open source framework |
CN110990054B (en) * | 2019-12-03 | 2023-03-21 | 北京明略软件***有限公司 | Configuration processing method and device of open source framework |
CN111104337A (en) * | 2019-12-30 | 2020-05-05 | 杭州云缔盟科技有限公司 | Method for detecting terminal simulator |
CN111385309A (en) * | 2020-03-21 | 2020-07-07 | 薛爱君 | Security detection method, system and terminal for online office equipment |
CN111385309B (en) * | 2020-03-21 | 2020-12-08 | 浙江电科智盛科技有限公司 | Security detection method, system and terminal for online office equipment |
CN111740817A (en) * | 2020-06-17 | 2020-10-02 | 国网天津市电力公司电力科学研究院 | Code tampering detection method and system for concentrator in electric power data acquisition system |
CN112527672B (en) * | 2020-12-21 | 2021-10-22 | 北京深思数盾科技股份有限公司 | Detection method and equipment for shell adding tool |
CN112527672A (en) * | 2020-12-21 | 2021-03-19 | 北京深思数盾科技股份有限公司 | Detection method and equipment for shell adding tool |
CN112685737A (en) * | 2020-12-24 | 2021-04-20 | 恒安嘉新(北京)科技股份公司 | APP detection method, device, equipment and storage medium |
CN112887388A (en) * | 2021-01-20 | 2021-06-01 | 每日互动股份有限公司 | Data processing system based on sandbox environment |
CN113672918A (en) * | 2021-08-04 | 2021-11-19 | 安天科技集团股份有限公司 | Malicious code detection method and device, storage medium and electronic equipment |
CN114528205A (en) * | 2022-01-24 | 2022-05-24 | 山东浪潮科学研究院有限公司 | Android-based application program analysis method, device and medium |
Also Published As
Publication number | Publication date |
---|---|
CN108133139B (en) | 2020-06-26 |
Similar Documents
Publication | Title |
---|---|
CN108133139A (en) | A kind of Android malicious application detecting system compared based on more running environment behaviors |
CN105653956B (en) | Android malware classification method based on dynamic behaviour dependency graph |
CN104766012B (en) | Data security dynamic detection method and system based on dynamic taint tracking |
CN110737899B (en) | Intelligent contract security vulnerability detection method based on machine learning |
CN106203113B (en) | Privacy leakage monitoring method for Android application files |
US10581879B1 (en) | Enhanced malware detection for generated objects |
CN105893848A (en) | Precaution method for Android malicious application program based on code behavior similarity matching |
US6735703B1 (en) | Multi-platform sequence-based anomaly detection wrapper |
CN102054149B (en) | Method for extracting malicious code behavior characteristic |
CN105787366B (en) | Android software visualization safety analytical method based on component relation |
CN111931166B (en) | Application program anti-attack method and system based on code injection and behavior analysis |
CN112685737A (en) | APP detection method, device, equipment and storage medium |
CN107341401A (en) | A kind of malicious application monitoring method and equipment based on machine learning |
CN105956468B (en) | A kind of Android malicious application detection method and system based on file access dynamic monitoring |
CN104834858A (en) | Method for statically detecting malicious code in android APP (Application) |
CN109992968A (en) | Android malicious behavior dynamic detection method based on binary dynamic instrumentation |
CN112149124B (en) | Android malicious program detection method and system based on heterogeneous information network |
CN106845234A (en) | A kind of Android malware detection method based on function-flow key-point monitoring |
CN108090360A (en) | Android malicious application classification method and system based on behavior features |
CN103905423A (en) | Harmful advertisement piece detecting method and system based on dynamic behavior analysis |
CN113158251B (en) | Application privacy disclosure detection method, system, terminal and medium |
CN112688966A (en) | Webshell detection method, device, medium and equipment |
CN109800569A (en) | Program identification method and device |
CN113468524B (en) | RASP-based machine learning model security detection method |
CN112817877A (en) | Abnormal script detection method and device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |