CN108920943A - Method and device for detecting bundled-installation behavior of application software - Google Patents
Publication number: CN108920943A (application CN201810430169.9A)
Authority: CN (China)
Prior art keywords: application software, API, virtual machine, engine, analysis
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
- G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F21/565: Computer malware detection or handling; static detection by checking file integrity
- G06F21/566: Computer malware detection or handling; dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/031: Protect user input by software means
- G06F2221/033: Test or assess software
Abstract
The invention discloses a method and device for detecting bundled-installation behavior in application software. In the embodiment of the invention a quick analysis engine and a dynamic sandbox engine are set up. The dynamic sandbox engine uses a virtual machine environment to run and analyze the multiple samples contained in the application software and determines from the run-analysis results whether bundled-installation behavior is present; if so, it confirms that the application software exhibits bundled-installation behavior. If not, the quick analysis engine performs a packer check on the application software, obtains the unpacked samples and the intermediate files released by all samples, scans their application programming interfaces (APIs), and determines from the scan result whether the application software exhibits bundled-installation behavior. The method and device provided by the embodiment of the invention are thus aimed specifically at detecting bundled-installation behavior of application software, guaranteeing the accuracy and completeness of detection so that the detection result is accurate.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for detecting bundled-installation behavior of application software.
Background art
To prevent a local computer from being illegally compromised while it runs application software, antivirus software can be installed on the local computer, for example the BlackICE PC Protection firewall provided by ISS, the McAfee VirusScan anti-virus software provided by McAfee, and 360 Security Guard provided by 360. ISS BlackICE PC Protection integrates a very powerful detection and analysis engine that can identify more than 200 intrusion techniques, performs overall network detection and protects the computer system, monitors network ports and protocols in real time and intercepts all suspicious network intrusions. McAfee VirusScan provides a complete, trustworthy anti-virus solution for the desktop environment: it can accurately and effectively remove viruses that may be present on floppy disks, in downloaded Internet documents, in e-mail and in various compressed files; its functions include the inspection and removal of memory, file and boot-sector viruses; its real-time scanning technology monitors operating-system file operations in the background, checking for bundled software during disk access, file copying, file creation, file renaming, program execution and system start-up, and can further mark unwanted application software as harmful through its "harmful program control" function so as to prevent bundled installation in advance. 360 Security Guard offers trojan scanning and killing, plug-in cleaning, vulnerability patching, computer check-up, computer rescue, privacy protection, computer expert, junk cleaning, trace cleaning and many other functions.
At present, the antivirus software described above can be used to detect bundled-installation behavior of application software. Bundled installation means that, during the installation of an application, other software that has no dependency or execution relationship with the application is installed together with it; this behavior is called bundled-installation behavior. Such antivirus software normally applies a security black-box detection method to detect bundled-installation behavior of the corresponding application software. The detailed process is as follows. Step 1: the antivirus software sets up a network proxy for the target computer to intercept the data the computer sends and receives while running the software; acting as the network proxy, the antivirus software is installed on another, non-target computer and has storage, interception, modification and network Secure Socket Layer (SSL) man-in-the-middle functions. Step 2: a snapshot is taken of the file system of the computer currently running the application software, so that the files the application software creates during the security analysis process can be identified. Step 3: according to the snapshot, the antivirus software installs the corresponding application software, which may be downloaded from the official market or obtained through other installation channels; the installed application software may also be encrypted. Step 4: the installed, encrypted application software is decrypted so that the subsequent analysis process can be carried out. Step 5: a snapshot of the file system of the computer currently running the application software is taken again, to obtain which files were added while the corresponding application software was being installed. Step 6: the installed application software and the added files are analyzed with an analysis engine to determine whether the application software exhibits bundled-installation behavior while running.
As can be seen that this can exist for application software detection installation binding behavior using existing antivirus software
Many defects:
Defect one, existing antivirus software are more the safeties of application software in computer-oriented, and for detection compared with
For shallow-layers, the modes such as scanning and the comparison of application software have been installed merely by analysis engine and have been carried out, inspecting force compared with
Low, the accuracy of detection and completeness are all poor;
Defect two, currently used is dynamic detection mode, this dynamic detection process is depended on to computer system
Simulation or virtualization technology are realized completely, but in simulation process, the triggering behavior for detecting application software is not thorough,
Or deficiency is analyzed to the subprogram of application software, cause testing result inaccurate;
Defect three, static detection method lack, and existing antivirus software is directed to pacify to the static analysis of application software
Quan Xing, and static analysis is then lacked to specific behavior, such as installation binding behavior;
Defect four, lacks targeted testing process, existing antivirus software all just for application program respectively into
Then Mobile state or static analysis obtain antivirus as a result, all there are the various problems of static analysis or dynamic analysis in this way, imitate
Fruit is bad for the installation binding behavioral value analytical effect of application.
To sum up, lack the detection scheme just for application software installation binding behavior at present, not can guarantee the accurate of detection
Degree and completeness, so as to cause testing result inaccuracy.
Summary of the invention
An embodiment of the present invention provides a method for detecting bundled-installation behavior of application software. The method can detect bundled-installation behavior of application software specifically, guaranteeing the accuracy and completeness of detection so that the detection result is accurate.

Another embodiment of the present invention provides a device for detecting bundled-installation behavior of application software. The device can detect bundled-installation behavior of application software specifically, guaranteeing the accuracy and completeness of detection so that the detection result is accurate.
The embodiments of the present invention are implemented as follows:
A method for detecting bundled-installation behavior of application software, in which a quick analysis engine and a dynamic sandbox engine are set up; the method further includes:

A. The dynamic sandbox engine builds a virtual machine environment to run and analyze the multiple samples contained in the application software and determines from the run-analysis results whether bundled-installation behavior is present; if it is, the application software is determined to exhibit bundled-installation behavior; otherwise step B is executed.

B. After performing a packer check on the application software, the quick analysis engine uses the configured application programming interface (API) rule base to scan the APIs of the unpacked samples in the application software and the APIs of the intermediate files released by all samples; when an API among them matches an API rule configured in the API rule base, the application software is confirmed to exhibit bundled-installation behavior; otherwise the application software is determined to have no bundled-installation behavior.

The packer check that the quick analysis engine performs on the application software in step B may be executed in step A or in step B.

The packer check performed by the quick analysis engine is: scanning whether the application software is packed, and indicating the type of packer.

The process of scanning the APIs of the unpacked samples in the application software and of the intermediate files released by all samples is: the API combinations in the configured API rule base, together with their corresponding API features, are matched against the APIs of the unpacked samples in the application software and the APIs of the intermediate files released by all samples; if the match succeeds, the application software is confirmed to exhibit bundled-installation behavior.

The API rule base is updated.

The process by which the dynamic sandbox engine builds the virtual machine environment in step A is: a central processing virtual machine and client virtual machines are set up, wherein the central processing virtual machine distributes the multiple samples contained in the application software to the client virtual machines for execution and obtains the run-analysis result produced by each client; and each client virtual machine receives the distribution from the central processing virtual machine, runs the sample, obtains the run-analysis result and sends it to the central processing virtual machine for processing.
A device for detecting bundled-installation behavior of application software, the device comprising an engine-setting unit, an application software acquiring unit, a static analysis unit and a dynamic analysis unit, wherein:

the engine-setting unit is used to set up the quick analysis engine and the dynamic sandbox engine;

the application software acquiring unit is used to obtain the application software running on the computer and send it to the dynamic analysis unit;

the dynamic analysis unit is used for the dynamic sandbox engine to build a virtual machine environment in which the multiple samples contained in the application software are run and analyzed, and to determine from the run-analysis results whether bundled-installation behavior is present; if so, the application software is confirmed to exhibit bundled-installation behavior; otherwise the application software that the dynamic sandbox engine found free of bundled-installation behavior is sent to the static analysis unit;

the static analysis unit is used for the quick analysis engine to perform the packer check on the application software and obtain the unpacked samples in the application software and the intermediate files released by all samples, and, when the dynamic sandbox engine has found no bundled-installation behavior, to have the quick analysis engine scan, using the configured API rule base, the APIs of the unpacked samples in the application software and of the intermediate files released by all samples; when an API among them matches an API rule configured in the API rule base, the application software is confirmed to exhibit bundled-installation behavior; otherwise the application software is confirmed to have no bundled-installation behavior.

The engine-setting unit is also used to have the configured quick analysis engine set up the API rule base, which contains API combinations and their corresponding API features; the API rule base is updated dynamically.

The dynamic analysis unit is also used, while the dynamic sandbox engine builds the virtual machine environment to run and analyze the multiple samples contained in the application software, to arrange the virtual machine environment as follows: a central processing virtual machine and client virtual machines are set up, wherein the central processing virtual machine distributes the multiple samples contained in the application software to the client virtual machines for execution and obtains the run-analysis results produced by each client, and each client virtual machine receives the distribution from the central processing virtual machine, runs the sample, obtains the run-analysis result and sends it to the central processing virtual machine for processing.

The device is a proxy computer for the computer that runs the application program.
As can be seen from the above, in the embodiment of the present invention a quick analysis engine and a dynamic sandbox engine are set up. The dynamic sandbox engine uses a virtual machine environment to run and analyze the multiple samples contained in the application software and determines from the run-analysis results whether bundled-installation behavior is present; if so, it confirms that the application software exhibits bundled-installation behavior. If not, the quick analysis engine performs a packer check on the application software, obtains the unpacked samples and the intermediate files released by all samples, scans their application programming interfaces (APIs), and determines from the scan result whether the application software exhibits bundled-installation behavior. The method and device provided by the embodiment of the invention are thus aimed specifically at detecting bundled-installation behavior of application software, guaranteeing the accuracy and completeness of detection so that the detection result is accurate.
Detailed description of the invention
Fig. 1 is a flow chart of a method for detecting bundled-installation behavior of application software provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the dynamic sandbox engine provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for detecting bundled-installation behavior of application software provided by an embodiment of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments.
It can be seen from the background art that the security detection existing antivirus software performs on application software is not aimed specifically at detecting bundled-installation behavior of application software, so its detection is not fine-grained: it is broad but shallow. Therefore, in the embodiment of the present invention, the dynamic sandbox engine uses a virtual machine environment to run and analyze the multiple samples contained in the application software and determines from the run-analysis results whether bundled-installation behavior is present; if so, it confirms that the application software exhibits bundled-installation behavior. If not, the quick analysis engine performs a packer check on the application software, obtains the unpacked samples and the intermediate files released by all samples, scans their APIs and determines from the scan result whether the application software exhibits bundled-installation behavior. The method and device provided by the embodiment of the present invention are therefore aimed specifically at detecting bundled-installation behavior of application software, guaranteeing the accuracy and completeness of detection so that the detection result is accurate.

In this way, the embodiment of the present invention achieves automatic detection of bundled-installation behavior of application software.
Fig. 1 is the flow chart of the method for detecting bundled-installation behavior of application software provided by an embodiment of the present invention. A quick analysis engine and a dynamic sandbox engine are set up, and the specific steps are:

Step 101: the quick analysis engine performs a packer check on the application software and obtains the unpacked samples in the application software and the intermediate files released by all samples;

Step 102: the dynamic sandbox engine builds a virtual machine environment to run and analyze the multiple samples contained in the application software and determines from the run-analysis results whether bundled-installation behavior is present; if so, step 103 is executed; if not, step 104 is executed;

Step 103: the dynamic sandbox engine determines that the application software exhibits bundled-installation behavior;

Step 104: the quick analysis engine uses the configured API rule base to scan the APIs of the unpacked samples in the application software and of the intermediate files released by all samples; when an API among them matches an API rule configured in the API rule base, the application software is confirmed to exhibit bundled-installation behavior; otherwise the application software is determined to have no bundled-installation behavior.
In this method, the packer check that the quick analysis engine performs on the application software in step 101, which obtains the unpacked samples in the application software and the intermediate files released by all samples, may also be carried out after step 103; there is no fixed order between it and steps 102 to 103.

In this method, the quick analysis engine performs static detection of whether the application software exhibits bundled-installation behavior, and the dynamic sandbox engine performs dynamic detection of whether the application software exhibits bundled-installation behavior.

In this method, the samples are the set of executable files in the application software, which in most cases are files with the .exe suffix.
In this method, the quick analysis engine can be built on the ClamAV antivirus software. ClamAV is an open-source antivirus engine developed by the Sourcefire organization, which is also the owner of the Snort intrusion detection engine. ClamAV provides a fast and flexible framework for detecting malicious code and software products, and can serve as a supplementary tool to, or a replacement for, existing antivirus scanning software on desktop machines, file servers, mail servers and in other scenarios that require virus scanning.
In this method, the packer check performed by the quick analysis engine is: scanning whether the application software is packed, and indicating the type of packer. Some application software contains a section of code specifically responsible for protecting the software from being illegally modified or decompiled; it generally runs before the application software itself, takes control, and then completes its task of protecting the software. The packer check of the quick analysis engine is based on a configured Python program whose signatures are based on the PEiD DLL library for portable executable (PE) programs.
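The following Python is an added illustration of the packer check described above; it is not the patent's program and does not use PEiD signatures. Instead it walks the PE section table and flags a sample as packed when a section name characteristic of a known packer appears or a code section has near-random entropy (the section-name table and the 7.0 bits/byte threshold are assumptions of this example), and it assembles two constructed, non-loadable PE images as test input.

```python
import hashlib
import math
import struct

# Section names that well-known packers leave behind. This table is an
# assumption of the example; the patent's engine matches PEiD signatures instead.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack",
    b".petite": "Petite", b".MPRESS1": "MPRESS", b".themida": "Themida",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted code sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return a list of (section_name, raw_section_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name, raw_size, raw_ptr = fields[0].rstrip(b"\0"), fields[3], fields[4]
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def check_packer(pe: bytes) -> dict:
    """Packer check: report whether the sample looks packed and, if recognised
    by section name, which packer; unrecognised high-entropy code is 'unknown'."""
    reasons, packer = [], None
    for name, data in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            packer = PACKER_SECTION_NAMES[name]
            reasons.append(f"section {name.decode()} is characteristic of {packer}")
        entropy = shannon_entropy(data)
        if len(data) >= 256 and entropy > ENTROPY_THRESHOLD:
            reasons.append(f"section {name.decode(errors='replace')} entropy {entropy:.2f}")
    return {"packed": bool(reasons),
            "packer": packer if packer else ("unknown" if reasons else None),
            "reasons": reasons}


def build_pe(sections) -> bytes:
    """Assemble a minimal, non-loadable PE image with the given [(name, data)]
    sections. Constructed test input for the parser above, not a real binary."""
    optional = b"\x0b\x01" + b"\0" * 94                  # PE32 magic + zeroed fields
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    raw_ptr = 0x40 + 4 + 20 + len(optional) + 40 * len(sections)
    headers, blobs = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                               len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + optional + headers + blobs


# Constructed samples: an unpacked installer stub with low-entropy code, and a
# UPX-style layout whose code section is a high-entropy pseudo-random stream.
PLAIN_SAMPLE = build_pe([(b".text", b"\x90" * 1024 + b"MessageBoxA\0"),
                         (b".rdata", b"setup.exe\0" * 32)])
_noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", _noise)])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, check_packer(sample))
```

A sample reported as packed is what step B hands to unpacking before the API scan; the reasons list records why, so a reviewer can tell a known packer from merely compressed data.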
In this method, the API rule base configured for the quick analysis engine can be built with the ClamAV antivirus software. Because ClamAV allows the signatures in its rule library to be customized, the API rule base is set up with ClamAV; the API rule base contains API combinations and their corresponding API features, where an API feature can be an API-specific field and the like. It is used to scan the APIs of the unpacked samples in the application software and of the intermediate files released by all samples.

In this method, the API rule base configured for the quick analysis engine can be updated: in subsequent scans the application programs can be analyzed in detail so as to build a more complete API rule base.
In this method, the process of scanning the APIs of the unpacked samples in the application software and of the intermediate files released by all samples is: the API combinations in the configured API rule base, together with their corresponding API features, are matched against the APIs of the unpacked samples in the application software and the APIs of the intermediate files released by all samples; if the match succeeds, the application software is confirmed to exhibit bundled-installation behavior. Afterwards, the API combination corresponding to the matched API feature is returned to the configured upper-layer scheduling platform so that the scheduler is informed; otherwise a null value is returned.

In the quick analysis engine, the embodiment of the present invention implements the development of the packer-check program and the judgement of API combinations associated with bundled installation.
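The following Python is an added example, not the patent's rule base or ClamAV's code, of the API rule base and the matching process described in the two passages above: each rule is an API combination that must co-occur in one file plus an optional feature pattern, every unpacked sample and released intermediate file is scanned, a hit returns the matched combination and a miss returns None, and each rule can be rendered in ClamAV's logical-signature (.ldb) layout so the same rules can live in a customized ClamAV database. Rule names, API sets, feature patterns and the sample file contents are constructed for this example.

```python
# Rule base entries: an API combination that must co-occur in one file, plus an
# optional extra feature (a byte pattern). Names and patterns are constructed for
# this example and are not the patent's rules.
API_RULES = [
    {"name": "Bundle.SilentDropperInstall",
     "apis": ["URLDownloadToFileA", "WriteFile", "CreateProcessA"],
     "feature": b"/silent"},
    {"name": "Bundle.RunKeyAutostart",
     "apis": ["RegSetValueExA", "ShellExecuteA"],
     "feature": b"CurrentVersion\\Run"},
]


def has_api(blob: bytes, api: str) -> bool:
    """Imported API names sit NUL-terminated in the PE import name table, so a
    NUL-terminated ASCII search avoids matching a name inside a longer one
    (e.g. 'WriteFile' inside 'WriteFileEx')."""
    return api.encode("ascii") + b"\0" in blob


def scan_blob(blob: bytes):
    """Match one unpacked sample or released file against the rule base.
    Returns the first rule hit (its API combination goes back to the scheduler)
    or None, the null value returned when nothing matches."""
    for rule in API_RULES:
        apis_present = all(has_api(blob, api) for api in rule["apis"])
        feature_present = rule["feature"] is None or rule["feature"] in blob
        if apis_present and feature_present:
            return rule
    return None


def scan_application(files: dict) -> dict:
    """Scan every unpacked sample and every intermediate file the samples released;
    map each path that hit a rule to the rule name. Empty dict = no bundling found."""
    hits = {}
    for path, blob in files.items():
        rule = scan_blob(blob)
        if rule is not None:
            hits[path] = rule["name"]
    return hits


def to_clamav_ldb(rule: dict) -> str:
    """Render a rule as a ClamAV logical signature (.ldb) line for PE targets:
    name;target block;logical expression;hex subsignatures. Requiring every
    subsignature (0&1&...) encodes the API *combination* semantics."""
    subsigs = [api.encode("ascii").hex() + "00" for api in rule["apis"]]  # NUL-terminated
    if rule["feature"]:
        subsigs.append(rule["feature"].hex())
    expression = "&".join(str(i) for i in range(len(subsigs)))
    return ";".join([rule["name"], "Engine:51-255,Target:1", expression] + subsigs)


# Constructed inputs: the unpacked main sample plus two files it released.
SAMPLE_FILES = {
    "setup.exe":
        b"MZ\x90\x00...KERNEL32.dll\x00WriteFile\x00CreateProcessA\x00Setup\x00",
    "setup.exe/released/helper.exe":
        b"MZ\x90\x00...urlmon.dll\x00URLDownloadToFileA\x00KERNEL32.dll\x00"
        b"WriteFile\x00CreateProcessA\x00toolbar_setup.exe /silent\x00",
    "setup.exe/released/readme.txt":
        b"Thank you for installing this application.\n",
}

if __name__ == "__main__":
    print(scan_application(SAMPLE_FILES))
    for rule in API_RULES:
        print(to_clamav_ldb(rule))
```

Note that only the released helper matches: the main sample lacks the download API, which is exactly why the patent scans the released intermediate files and not just the top-level executable.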
In this method, the dynamic sandbox engine is based on the open-source Cuckoo sandbox, which is deeply customized to manage the analysis work for each sample of the application software, such as starting the analysis, dumping behavior and generating reports, completing the analysis of the application software's bundled-installation behavior and reporting the run-analysis result to the configured scheduling platform. The virtual machine environment built by the dynamic sandbox engine uses multiple virtual machines for processing; each virtual machine is a relatively independent, clean execution environment that can securely isolate the run analysis of each sample.

When a sample runs in the dynamic sandbox engine it triggers some of its own behaviors, and in this method the analysis focuses on bundled-installation behavior.
In this method, as shown in Fig. 2, which is a schematic structural diagram of the dynamic sandbox engine provided by an embodiment of the present invention, the process by which the dynamic sandbox engine builds the virtual machine environment is: a central processing virtual machine and client virtual machines are set up, wherein the central processing virtual machine distributes the multiple samples contained in the application software to the client virtual machines for execution and obtains the run-analysis results produced by each client, and each client virtual machine receives the distribution from the central processing virtual machine, runs the sample, obtains the run-analysis result and sends it to the central processing virtual machine for processing.

Here, the central processing virtual machine may be called the host machine; it is responsible for distribution and manages the run analysis of each sample, such as starting the run analysis, dumping behavior and generating reports. A client virtual machine may be called a guest machine; it mainly completes the run analysis of the distributed sample and reports the run-analysis result to the central processing virtual machine. Each client virtual machine is a relatively independent, clean execution environment that can securely isolate the analysis of each sample.

In Fig. 2, the run analysis of a sample performed by the guest machine includes: analyzing its static data and file behavior and then verifying the static analysis results; analyzing run-time screenshots; API analysis; capturing and analyzing network behavior with tcpdump; and taking a memory image for memory analysis.
Because the open-source sandbox's own behavioral analysis of executable files is rather basic and its support for Chinese application software is very poor, the configured dynamic sandbox engine customizes the sandbox: if the object under detection is an installation package, the executable files it releases are analyzed in depth, so the detection is more comprehensive. For example, some application software performs bundled installation during the uninstall process, and some executes the bundled installation package when the main program runs.
Fig. 3 is the schematic structural diagram of the device for detecting bundled-installation behavior of application software provided by an embodiment of the present invention. As shown, it comprises an engine-setting unit, an application software acquiring unit, a static analysis unit and a dynamic analysis unit, wherein:

the engine-setting unit is used to set up the quick analysis engine and the dynamic sandbox engine;

the application software acquiring unit is used to obtain the application software running on the computer and send it to the dynamic analysis unit;

the dynamic analysis unit is used for the dynamic sandbox engine to build a virtual machine environment in which the multiple samples contained in the application software are run and analyzed, and to determine from the run-analysis results whether bundled-installation behavior is present; if so, the application software is confirmed to exhibit bundled-installation behavior; otherwise the application software that the dynamic sandbox engine found free of bundled-installation behavior is sent to the static analysis unit;

the static analysis unit is used for the quick analysis engine to perform the packer check on the application software and obtain the unpacked samples in the application software and the intermediate files released by all samples, and, when the dynamic sandbox engine has found no bundled-installation behavior, to have the quick analysis engine scan, using the configured API rule base, the APIs of the unpacked samples in the application software and of the intermediate files released by all samples; when an API among them matches an API rule configured in the API rule base, the application software is confirmed to exhibit bundled-installation behavior; otherwise the application software is confirmed to have no bundled-installation behavior.

The engine-setting unit is also used to have the configured quick analysis engine set up the API rule base, which contains API combinations and their corresponding features; the API rule base is updated dynamically.

The dynamic analysis unit is also used, while the dynamic sandbox engine builds the virtual machine environment to run and analyze the multiple samples contained in the application software, to arrange the virtual machine environment as follows: a central processing virtual machine and client virtual machines are set up, wherein the central processing virtual machine distributes the multiple samples contained in the application software to the client virtual machines for execution and obtains the run-analysis results produced by each client, and each client virtual machine receives the distribution from the central processing virtual machine, runs the sample, obtains the run-analysis result and sends it to the central processing virtual machine for processing.

The device of the embodiment of the present invention does not reside on the computer that runs the application program; it is installed on another computer, which acts as a proxy computer for the computer running the application program and performs the dynamic analysis and static analysis aimed at the application program's bundled-installation behavior.
The embodiment of the present invention provides for user feels at ease easily to use physical examination, before application software is issued or can calculate
Carry out to it monitoring of binding installation software action before machine operation application software, detection while including that application software looks into shell
Quickly analysis, API analysis and the analysis of dynamic sandbox.The wherein complementation between API analysis and dynamic sandbox, ensure that the mistake of detection
Report rate and rate of failing to report are all very low.
It can be seen that the embodiment of the present invention has the following advantages for detecting the binding installation software behavior of application software:
1) Refined detection
After analyzing the characteristics of the computer application environment, the embodiment of the present invention takes the confirmation of binding installation behavior of application software as the focus of detection, and within binding installation behavior detection takes the detection by the dynamic sandbox engine as the emphasis. Whereas the antivirus software of the background art cannot reach sufficient detection depth for binding installation behavior, the embodiment of the present invention performs static detection with the quick analysis engine on top of the dynamic detection by the dynamic sandbox engine, refining and deepening the detection.
2) Dynamic detection of the intermediate files released by samples of the application program
The existing static software detection means of the background art can only determine whether the additional data of the application software contains an additionally bundled installation software register, and the dynamic analysis means cannot completely traverse the execution paths of the application software. To improve the accuracy of detecting the binding installation software behavior of application software, the embodiment of the present invention uses a detection method that combines static detection and dynamic detection, performs cyclic detection on the intermediate files released during dynamic execution, and also guards the process of uninstalling the application software. Such behavior makes the detection of binding installation behavior of application software more thorough.
3) Detection process
The detection of the background art mostly performs dynamic analysis and static risk analysis separately and then combines the two results; there is no definite detection process, which wastes resources. With the detection provided by the embodiment of the present invention, it is first determined whether the application software is packed (shell-added); if it is, the quick analysis engine performs shell-check analysis, so that the packing state of the application software is obtained quickly. Secondly, it is determined whether the application software exhibits binding installation behavior during actual installation and execution, mainly during installation, during program execution and during uninstallation; if so, binding installation behavior is determined directly; otherwise, static API combination analysis is further performed to finally determine whether there is binding installation behavior. Compared with the antivirus software of the background art, the data coverage is higher and the false positive and false negative rates are lower.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.
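As an added illustration (not code from the patent), the two-stage decision of point 3) above and of claims 1 and 4 below, in Python: the sandbox verdict is taken first, and the API rule base, here a constructed set of API combinations with their features, is matched against the unpacked sample and every intermediate file it released only when the sandbox saw nothing. All API names, event labels and sample files are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed API rule base (illustrative names, not the patent's own rules): each
# rule is an API combination that must all occur in one file, plus its feature.
RULE_BASE: List[Dict] = [
    {"apis": {"URLDownloadToFileW", "CreateProcessW"},
     "feature": "downloads and launches a second installer"},
    {"apis": {"CreateProcessW", "RegSetValueExW", "SetWindowsHookExW"},
     "feature": "silent install that also hooks the session"},
]
# Constructed labels for what the sandbox reports during install/run/uninstall.
BUNDLING_EVENTS = {"spawned_unlisted_installer", "uninstall_spawned_installer"}

@dataclass
class Sample:
    name: str
    packer: Optional[str]          # shell-check result; None means not packed
    imports: Set[str]              # imports of the unpacked sample
    released: Dict[str, Set[str]] = field(default_factory=dict)  # dropped file -> imports
    sandbox_events: List[str] = field(default_factory=list)

def dynamic_stage(sample: Sample) -> bool:
    """Step A: did any sandbox run show a bundled installation?"""
    return any(ev in BUNDLING_EVENTS for ev in sample.sandbox_events)

def static_stage(sample: Sample, rules: List[Dict] = RULE_BASE) -> List[Tuple[str, str]]:
    """Step B: match every rule against the unpacked sample AND each released file."""
    targets = {sample.name: sample.imports, **sample.released}
    return [(fname, rule["feature"])
            for fname, apis in targets.items()
            for rule in rules
            if rule["apis"] <= apis]   # whole API combination present in that file

def detect(sample: Sample, rules: List[Dict] = RULE_BASE) -> Tuple[bool, str]:
    """Claim-1 ordering: a dynamic hit decides; the static scan runs only when the
    sandbox saw nothing, so it covers paths the sandbox did not reach."""
    if dynamic_stage(sample):
        return True, "dynamic: sandbox observed binding installation behavior"
    hits = static_stage(sample, rules)
    if hits:
        return True, "static: " + "; ".join(f"{f} -> {feat}" for f, feat in hits)
    return False, "no binding installation behavior found"

# Constructed samples: clean; a packed dropper caught only statically; a sandbox hit.
CLEAN = Sample("notepad_setup.exe", None, {"CreateFileW", "WriteFile"})
DROPPER = Sample("player_setup.exe", "UPX", {"CreateFileW"},
                 released={"tmp\\bundle.exe": {"URLDownloadToFileW", "CreateProcessW"}})
LOUD = Sample("toolbar_setup.exe", None, {"CreateProcessW"},
              sandbox_events=["created_shortcut", "spawned_unlisted_installer"])

if __name__ == "__main__":
    for s in (CLEAN, DROPPER, LOUD):
        print(s.name, "->", detect(s))
```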
Claims (10)
1. A method for detecting installation binding behavior of application software, characterized in that a quick analysis engine and a dynamic sandbox engine are set up, and the method further comprises:
A. the dynamic sandbox engine builds a virtual machine environment in which multiple samples of the application software are run and analyzed, and determines from the run analysis results whether there is installation binding behavior; if there is, it is determined that the application software has installation binding behavior; otherwise, step B is executed;
B. after the quick analysis engine performs shell checking (packer detection) on the application software, it uses a configured application programming interface (API) rule base to scan the APIs of the unpacked sample of the application software and the APIs of the intermediate files released by all samples; when an API among them matches an API rule configured in the API rule base, it is confirmed that the application software has installation binding behavior; otherwise, it is determined that the application software has no installation binding behavior.
2. The method of claim 1, characterized in that the shell checking performed on the application software by the quick analysis engine in step B is executed in step A, or is executed in step B.
3. The method of claim 1 or 2, characterized in that the shell checking performed by the quick analysis engine is: scanning whether the application software is packed (shell-added), and indicating the type of packing.
4. The method of claim 1, characterized in that the process of scanning the APIs of the unpacked sample of the application software and the APIs of the intermediate files released by all samples is:
matching the API combinations in the configured API rule base, together with their corresponding API features, against the APIs of the unpacked sample of the application software and the APIs of the intermediate files released by all samples respectively; if the match succeeds, it is confirmed that the application software has installation binding behavior.
5. The method of claim 1 or 4, characterized in that the API rule base is updated.
6. The method of claim 1, characterized in that the process by which the dynamic sandbox engine builds the virtual machine environment in step A is: setting up a central processing virtual machine and several client virtual machines, wherein
the central processing virtual machine allocates the multiple samples of the application software, distributes them to the client virtual machines for execution, and obtains the run analysis result obtained by each client;
each client virtual machine receives the distribution from the central processing virtual machine, obtains the run analysis result after running the sample, and sends it to the central processing virtual machine for processing.
7. A device for detecting installation binding behavior of application software, characterized in that the device comprises: an engine setting unit, an application software acquiring unit, a static analysis unit and a dynamic analysis unit, wherein
the engine setting unit is used to set up a quick analysis engine and a dynamic sandbox engine;
the application software acquiring unit is used to acquire the application software running on a computer and send it to the dynamic analysis unit;
the dynamic analysis unit is used for the dynamic sandbox engine to build a virtual machine environment in which multiple samples of the application software are run and analyzed, and to determine from the run analysis results whether there is installation binding behavior; if so, it confirms that the application software has binding installation behavior; otherwise, the dynamic sandbox engine confirms that the application software has no binding installation behavior and sends it to the static analysis unit;
the static analysis unit is used for the quick analysis engine to perform shell checking on the application software and to obtain the unpacked sample of the application software together with the intermediate files released by all samples, and, when the dynamic sandbox engine has confirmed that the application software has no binding installation behavior, for the quick analysis engine to use the configured API rule base to scan the APIs of the unpacked sample of the application software and the APIs of the intermediate files released by all samples; when an API among them matches an API rule configured in the API rule base, it confirms that the application software has installation binding behavior; otherwise, it confirms that the application software has no binding installation behavior.
8. The device of claim 7, characterized in that the engine setting unit is also used to set up an API rule base for the quick analysis engine; the API rule base contains API combinations and their corresponding API features, and the API rule base is updated dynamically.
9. The device of claim 7, characterized in that the dynamic analysis unit is also used for the dynamic sandbox engine to build a virtual machine environment in which multiple samples of the application software are run and analyzed, the virtual machine environment being:
a central processing virtual machine and several client virtual machines are set up, wherein the central processing virtual machine is used to allocate the multiple samples of the application software, distribute them to the client virtual machines for execution, and obtain the run analysis results obtained by each client, and so on; each client virtual machine is used to receive the distribution from the central processing virtual machine, obtain the run analysis result after running the sample, and send it to the central processing virtual machine for processing.
10. The device as described in claim 1, characterized in that the device is a proxy management computer for the computer running the application program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201810430169.9A CN108920943A (en) | 2018-05-08 | 2018-05-08 | The method and device of installation binding behavior is detected for application software
Publications (1)
Publication Number | Publication Date
---|---
CN108920943A true CN108920943A (en) | 2018-11-30
Family
ID=64403647
Country Status (1)
Country | Link
---|---
CN (1) | CN108920943A (en)
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN111639331A (en) * | 2020-05-11 | 2020-09-08 | 珠海豹趣科技有限公司 | Installation package monitoring method and device and computer readable storage medium
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication | Application publication date: 20181130
 | SE01 | Entry into force of request for substantive examination | 
 | RJ01 | Rejection of invention patent application after publication | 