CN109214178A - APP application malicious act detection method and device - Google Patents

Info

Publication number: CN109214178A
Authority: CN (China)
Prior art keywords: application, app, malicious, sensitive api, app application
Legal status: Granted
Application number: CN201710524463.1A
Other languages: Chinese (zh)
Other versions: CN109214178B (en)
Inventor: 季凌禹
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Application filed by: China Telecom Corp Ltd
Priority to: CN201710524463.1A
Publication of CN109214178A
Application granted; publication of CN109214178B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a method and device for detecting malicious behavior in apps. The method includes: performing static detection on an app to obtain the sensitive APIs contained in the app's code; performing detection on the app while it is running to obtain a call relationship sequence related to the sensitive APIs; and determining, according to the sensitive APIs and the call relationship sequence, whether the app is a malicious application. The method and device of the invention can effectively improve the security of using smart terminals and, by combining remote control technology with image recognition technology in dynamic analysis, allow the dynamic analysis of application software to be executed automatically, improving the efficiency and accuracy of application software security detection.

Description

APP application malicious act detection method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a method and device for detecting malicious behavior in apps.
Background art
With the continuing development of mobile Internet technology, mobile smart terminals, typified by the mobile phone, have become an essential tool in people's daily lives. While making life more convenient, they inevitably handle all kinds of sensitive user information, which has indirectly led to more and more malicious or harmful applications appearing on these platforms, seriously threatening users' personal and data security. For example, iOS, one of the two most mainstream mobile operating systems today, has attracted a large number of malicious attackers who publish application software with malicious behavior through Apple's App Store, posing a serious threat to users' information and property. However, because iOS is a closed system, behavioral analysis of application software published for it is extremely difficult. Moreover, application software is usually analyzed with traditional static analysis methods, i.e. malicious behavior analysis is performed while the software is at rest, which affects the reliability of the detection results.
Summary of the invention
In view of this, one technical problem to be solved by the invention is to provide a method and device for detecting malicious behavior in apps.
According to one aspect of the invention, a method for detecting malicious behavior in an app is provided, comprising: performing static detection on the app to obtain the sensitive APIs contained in the app's code; performing detection on the app while it is running to obtain a call relationship sequence related to the sensitive APIs; and determining, according to the sensitive APIs and the call relationship sequence, whether the app is a malicious application.
Optionally, performing static detection on the app to obtain the sensitive APIs contained in the app's code comprises: disassembling the code of the app to obtain first disassembled code of the app; and detecting whether the sensitive APIs are present in the first disassembled code.
Optionally, determining whether the app is a malicious application according to the sensitive APIs and the call relationship sequence comprises: scanning the first disassembled code and extracting from it a feature data set related to the sensitive APIs; and inputting the feature data set into a BP neural network algorithm model and performing classification against preset malicious data samples, to determine whether the app is a malicious application and which type of malicious application it belongs to.
Optionally, performing detection on the app while it is running to obtain the call relationship sequence related to the sensitive APIs comprises: using recursive descent parsing, and based on the control flow related to the sensitive APIs, disassembling the app and other applications that call the sensitive APIs to produce second disassembled code; and determining, in the second disassembled code, the positions where the sensitive APIs occur and the call relationships related to the sensitive APIs, and establishing the call relationship sequence related to the sensitive APIs.
Optionally, determining whether the app is a malicious application according to the sensitive APIs and the call relationship sequence comprises: analyzing, according to the call relationship sequence, the influence of the sensitive APIs on the security of the app and of other applications; and determining whether the app is a malicious application based on the result of the analysis.
Optionally, the method further comprises: performing dynamic interaction with the user interface of the terminal on which the app is installed by means of remote control; triggering execution of the corresponding actions of the app; and obtaining network transmission information and log files related to the app, and determining whether the app is a malicious application based on the network transmission information and log files.
According to another aspect of the invention, a device for detecting malicious behavior in an app is provided, comprising: a static detection module, configured to perform static detection on the app and obtain the sensitive APIs contained in the app's code; a behavior sequence analysis module, configured to perform detection on the app while it is running and obtain a call relationship sequence related to the sensitive APIs; and a malicious application determining module, configured to determine, according to the sensitive APIs and the call relationship sequence, whether the app is a malicious application.
Optionally, the static detection module comprises: a first preprocessing unit, configured to disassemble the code of the app and obtain first disassembled code of the app; and a sensitive API detection unit, configured to detect whether the sensitive APIs are present in the first disassembled code.
Optionally, the malicious application determining module comprises: a first malicious application analysis unit, configured to scan the first disassembled code and extract from it a feature data set related to the sensitive APIs, and to input the feature data set into a BP neural network algorithm model and perform classification against preset malicious data samples, to determine whether the app is a malicious application and which type of malicious application it belongs to.
Optionally, the behavior sequence analysis module comprises: a second preprocessing unit, configured to use recursive descent parsing and, based on the control flow related to the sensitive APIs, disassemble the app and other applications that call the sensitive APIs to produce second disassembled code; and a call analysis unit, configured to determine, in the second disassembled code, the positions where the sensitive APIs occur and the call relationships related to the sensitive APIs, and to establish the call relationship sequence related to the sensitive APIs.
Optionally, the malicious application determining module comprises: a second malicious application analysis unit, configured to analyze, according to the call relationship sequence, the influence of the sensitive APIs on the security of the app and of other applications, and to determine whether the app is a malicious application based on the result of the analysis.
Optionally, the device further comprises a dynamic analysis module, configured to: perform dynamic interaction with the user interface of the terminal on which the app is installed by means of remote control; trigger execution of the corresponding actions of the app; and obtain network transmission information and log files related to the app, and determine whether the app is a malicious application based on the network transmission information and log files.
According to another aspect of the invention, a device for detecting malicious behavior in an app is provided, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the method for detecting malicious behavior in an app described above.
According to a further aspect of the invention, a computer-readable storage medium is provided, characterized in that the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the method for detecting malicious behavior in an app described above.
The method and device of the invention obtain the sensitive APIs in the app's code and the call relationship sequence related to the sensitive APIs and determine whether the app is a malicious application. This can effectively improve the security of using smart terminal devices, allows the dynamic analysis of application software to be executed automatically, and improves the efficiency and accuracy of application software security detection.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of one embodiment of the method for detecting malicious behavior in an app according to the invention;
Fig. 2 is a schematic flowchart of static detection in one embodiment of the method for detecting malicious behavior in an app according to the invention;
Fig. 3 is a schematic flowchart of behavior relationship analysis in one embodiment of the method for detecting malicious behavior in an app according to the invention;
Fig. 4 is a module diagram of one embodiment of the device for detecting malicious behavior in an app according to the invention;
Fig. 5 is a module diagram of the static detection module in one embodiment of the device for detecting malicious behavior in an app according to the invention;
Fig. 6 is a module diagram of the behavior sequence analysis module in one embodiment of the device for detecting malicious behavior in an app according to the invention;
Fig. 7 is a module diagram of the malicious application determining module in one embodiment of the device for detecting malicious behavior in an app according to the invention;
Fig. 8 is a module diagram of another embodiment of the device for detecting malicious behavior in an app according to the invention.
Detailed description of the embodiments
The invention is described more fully below with reference to the accompanying drawings, which illustrate exemplary embodiments of the invention. The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
"First", "second" and the like below are used only to distinguish items in the description and have no other special meaning.
Fig. 1 is a flowchart of one embodiment of the method for detecting malicious behavior in an app according to the invention. As shown in Fig. 1:
Step 101: perform static detection on the app and obtain the sensitive APIs (Application Programming Interface) contained in the app's code.
Static detection refers to detection carried out while the app is not running. An app is an application program installed on a smart terminal such as a mobile phone; the terminal's operating system may be Android, iOS, etc.
Step 102: perform detection on the app while it is running and obtain the call relationship sequence related to the sensitive APIs.
Step 103: determine whether the app is a malicious application according to the sensitive APIs and the call relationship sequence.
Traditional static analysis cannot look up the associated call sequence starting from a known sensitive API, and cannot judge from the order in which different APIs occur whether program functionality is affected. The method of the above embodiment obtains the sensitive APIs in the app's code and the call relationship sequence related to the sensitive APIs and determines whether the app is a malicious application, improving the efficiency and accuracy of security detection.
In one embodiment, APIs are predefined functions, and the APIs in an app can perform specific functions, for example reading the address book, reading geographic location information, reading payment accounts and passwords, accessing the network, or modifying system files. An illegal or malicious application can do illegal things, such as obtaining contact information and uploading it, reading and transmitting the user's payment accounts and passwords, or uninstalling the user's programs, thereby causing security problems on the smart mobile terminal. A sensitive API in the invention is an API that, when the app is installed or run, may obtain or call the user's private information, or may perform a function that could cause security problems. For example, APIs for reading the address book, reading geographic location information, reading payment accounts and passwords, accessing the network, or modifying system files are sensitive APIs. The types of sensitive API are configurable.
Fig. 2 is a schematic flowchart of static detection in one embodiment of the method for detecting malicious behavior in an app according to the invention. As shown in Fig. 2:
Step 201: disassemble the code of the app to obtain the first disassembled code of the app, which is used to detect whether sensitive APIs are present in the first disassembled code. The app is in a non-running state.
Step 202: scan the first disassembled code and extract from it the feature data set related to the sensitive APIs.
Step 203: input the feature data set into the BP neural network algorithm model and perform classification against preset malicious data samples, to determine whether the app is a malicious application and which type of malicious application it belongs to.
A BP (back propagation) neural network is a multilayer feedforward neural network trained with the error back-propagation algorithm. It adds several layers (one or more) of neurons between the input layer and the output layer. Its computation consists of a forward computation process and a backward computation process. In the forward propagation process, the input pattern is processed layer by layer from the input layer through the hidden layers and passed on to the output layer, with the state of each layer of neurons affecting the state of the next layer.
Static analysis is carried out while the app is not running. The ARM assembly code of the target application obtained by reversing is analyzed in detail: a program can be written to scan the assembly code and obtain a feature data set similar in content type to the sample database, and feature matching against the samples (the trained malicious data samples) using the BP neural network algorithm assesses the application's type and threat level.
Fig. 3 is a schematic flowchart of behavior relationship analysis in one embodiment of the method for detecting malicious behavior in an app according to the invention. As shown in Fig. 3:
Step 301: using recursive descent parsing, and based on the control flow related to the sensitive APIs, disassemble the app and other applications that call the sensitive APIs to produce the second disassembled code. The app is running or being called.
Step 302: determine, in the second disassembled code, the positions where the sensitive APIs occur and the call relationships related to the sensitive APIs, and establish the call relationship sequence related to the sensitive APIs.
Step 303: analyze, according to the call relationship sequence, the influence of the sensitive APIs on the security of the app and of other applications.
Step 304: determine whether the app is a malicious application based on the result of the analysis.
Recursive descent parsing can be any of many existing algorithms. For example, recursive descent parsing locates and analyzes instructions and data one by one by following the control flow, locating subsequent instructions in sequence according to the position of each instruction (function call instructions, etc.).
While the app is running or being called, the application is reversed and the positions where sensitive APIs occur are analyzed, together with the influence of this content on the security of the application itself and of the information on the user's device. The security evaluation result obtained through static analysis is added to the analysis result, improving the accuracy of the whole system's analysis.
In one embodiment, dynamic interaction with the user interface of the terminal on which the app is installed is performed by means of remote control; for example, VNC remote control and the corresponding image recognition technology can be used to implement interaction with a dynamic user interface. Execution of the corresponding actions of the app is triggered; for example, the app's actions are actually triggered through operations such as screen taps. Network transmission information and log files related to the app are obtained, and whether the app is a malicious application is determined based on the network transmission information and log files. By obtaining and analyzing the network transmissions and file read/write logs produced after the app's actions are triggered, it can be determined whether the application harms the security of user information.
The method of the above embodiment first traverses and scans the ARM assembly code file, matches the number of occurrences of sensitive APIs, and extracts data related to the key fields of malicious information, forming the feature data set of the application. Classification is then performed by the BP neural network, which judges from the program's feature set which kind of malicious program the application belongs to, or whether it is a normal application. By combining remote control technology with image recognition technology in dynamic analysis, the dynamic analysis of application software can be executed automatically, improving the efficiency and accuracy of application software security detection.
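The static scan and the call relationship sequence described above, sketched as an added example (not code from the patent): it counts sensitive API occurrences in a disassembly listing, then follows calls from an entry point to recover the order in which those APIs are reached. The listing format, the two sample listings, the API-to-category map and the "private data read before a network call" rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumption: which imported symbols count as sensitive, and their category.
# The patent only says that the types of sensitive API are configurable.
SENSITIVE_APIS = {
    "_ABAddressBookCopyArrayOfAllPeople": "contacts",
    "_SecItemCopyMatching": "credentials",
    "_connect": "network",
    "_send": "network",
}
SOURCES = {"contacts", "credentials"}  # categories that read private data
SINKS = {"network"}                    # categories that can move data off the device

# Constructed listings in a simplified "label:" / "address: mnemonic operands" format.
LISTING_A = """\
_main:
    0x1000: push {r7, lr}
    0x1004: bl _loadFriends
    0x1008: bl _syncState
    0x100c: pop {r7, pc}
_loadFriends:
    0x1010: bl _ABAddressBookCopyArrayOfAllPeople
    0x1014: bl _formatRecords
    0x1018: bx lr
_formatRecords:
    0x1020: bx lr
_syncState:
    0x1030: bl _connect
    0x1034: bl _send
    0x1038: bx lr
"""

# Same APIs, same counts, but the network calls happen before the contacts read.
LISTING_B = """\
_main:
    0x2000: bl _checkUpdate
    0x2004: bl _showPicker
    0x2008: bx lr
_checkUpdate:
    0x2010: bl _connect
    0x2014: bl _send
    0x2018: bx lr
_showPicker:
    0x2020: bl _ABAddressBookCopyArrayOfAllPeople
    0x2024: bx lr
"""

LABEL = re.compile(r"^(\w+):\s*$")
CALL = re.compile(r"^\s*(0x[0-9a-f]+):\s+blx?\s+(\w+)")


def parse_listing(text):
    """Return {function: [(address, call_target), ...]} in instruction order."""
    funcs, current = {}, None
    for line in text.splitlines():
        label = LABEL.match(line)
        if label:
            current = label.group(1)
            funcs[current] = []
            continue
        call = CALL.match(line)
        if call and current is not None:
            funcs[current].append((call.group(1), call.group(2)))
    return funcs


def feature_vector(funcs):
    """Static step: number of occurrences of each sensitive API category."""
    counts = Counter()
    for calls in funcs.values():
        for _, target in calls:
            if target in SENSITIVE_APIS:
                counts[SENSITIVE_APIS[target]] += 1
    return dict(counts)


def call_sequence(funcs, entry, chain=()):
    """Follow calls from `entry` in control-flow order and record each sensitive
    API with its position and the chain of callers that reaches it.
    Indirect calls (e.g. `blx r3`) are not resolved in this sketch."""
    if entry in chain:          # already on the current path: stop at recursion
        return []
    chain = chain + (entry,)
    seq = []
    for addr, target in funcs.get(entry, []):
        if target in SENSITIVE_APIS:
            seq.append({"api": target, "category": SENSITIVE_APIS[target],
                        "addr": addr, "chain": chain})
        elif target in funcs:   # local function: descend into it
            seq.extend(call_sequence(funcs, target, chain))
    return seq


def source_before_sink(seq):
    """Assumed ordering rule: report (source_api, sink_api) for every sink
    reached after a private-data source in the sequence."""
    findings, last_source = [], None
    for event in seq:
        if event["category"] in SOURCES:
            last_source = event
        elif event["category"] in SINKS and last_source is not None:
            findings.append((last_source["api"], event["api"]))
    return findings


if __name__ == "__main__":
    for name, listing in (("A", LISTING_A), ("B", LISTING_B)):
        funcs = parse_listing(listing)
        seq = call_sequence(funcs, "_main")
        print(name, feature_vector(funcs), source_before_sink(seq))
```

Both listings produce the same occurrence counts, so a count-only feature vector cannot tell them apart; only the ordered sequence separates the listing that reads contacts before opening a connection from the one that does not.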
In one embodiment, as shown in Fig. 4, the invention provides a device 40 for detecting malicious behavior in an app, comprising: a static detection module 41, a behavior sequence analysis module 42, a malicious application determining module 43 and a dynamic analysis module 44.
The static detection module 41 performs static detection on the app and obtains the sensitive APIs contained in the app's code. The behavior sequence analysis module 42 performs detection on the app while it is running and obtains the call relationship sequence related to the sensitive APIs. The malicious application determining module 43 determines whether the app is a malicious application according to the sensitive APIs and the call relationship sequence.
The dynamic analysis module 44 performs dynamic interaction with the user interface of the terminal on which the app is installed by means of remote control, triggers execution of the corresponding actions of the app, obtains network transmission information and log files related to the app, and determines whether the app is a malicious application based on the network transmission information and log files.
As shown in Fig. 5, the static detection module 41 comprises a first preprocessing unit 411 and a sensitive API detection unit 412. The first preprocessing unit 411 disassembles the code of the app and obtains the first disassembled code of the app. The sensitive API detection unit 412 detects whether sensitive APIs are present in the first disassembled code.
As shown in Fig. 7, the malicious application determining module 43 comprises a first malicious application analysis unit 431 and a second malicious application analysis unit 432. The first malicious application analysis unit 431 scans the first disassembled code and extracts from it the feature data set related to the sensitive APIs. The first malicious application analysis unit 431 inputs the feature data set into the BP neural network algorithm model and performs classification against preset malicious data samples, to determine whether the app is a malicious application and which type of malicious application it belongs to.
As shown in Fig. 6, the behavior sequence analysis module 42 comprises a second preprocessing unit 421 and a call analysis unit 422. The second preprocessing unit 411 uses recursive descent parsing and, based on the control flow related to the sensitive APIs, disassembles the app and other applications that call the sensitive APIs to produce the second disassembled code.
The call analysis unit 422 determines, in the second disassembled code, the positions where the sensitive APIs occur and the call relationships related to the sensitive APIs, and establishes the call relationship sequence related to the sensitive APIs. The second malicious application analysis unit 432 analyzes, according to the call relationship sequence, the influence of the sensitive APIs on the security of the app and of other applications, and determines whether the app is a malicious application based on the result of the analysis.
Fig. 8 is a module diagram of another embodiment of the device for detecting malicious behavior in an app according to the invention. As shown in Fig. 8, the device may include a memory 81, a processor 82, a communication interface 83 and a bus 84. The memory 81 is used to store instructions; the processor 82 is coupled to the memory 81 and is configured to execute, based on the instructions stored in the memory 81, the method for detecting malicious behavior in an app described above.
The memory 81 may be a high-speed RAM memory, a non-volatile memory, etc., and may also be a memory array. The memory 81 may also be partitioned into blocks, and the blocks may be combined into virtual volumes according to certain rules. The processor 82 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the method for detecting malicious behavior in an app of the invention.
In one embodiment, the invention provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method for detecting malicious behavior in an app of any of the above embodiments.
The method and device provided by the above embodiments obtain the sensitive APIs in the app's code and the call relationship sequence related to the sensitive APIs and determine whether the app is a malicious application. This can effectively improve the security of using smart terminal devices and, by combining remote control technology with image recognition technology in dynamic analysis, allows the dynamic analysis of application software to be executed automatically, improving the efficiency and accuracy of application software security detection.
The method and system of the invention may be implemented in many ways, for example by software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is for illustration only, and the steps of the method of the invention are not limited to the order described above unless otherwise specifically stated. In addition, in some embodiments the invention may also be embodied as programs recorded on a recording medium, these programs including machine-readable instructions for implementing the method according to the invention. The invention therefore also covers a recording medium storing a program for executing the method according to the invention.
The description of the invention is given for the purposes of illustration and description and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be obvious to a person of ordinary skill in the art. The embodiments were selected and described in order to better explain the principles and practical application of the invention, and to enable a person of ordinary skill in the art to understand the invention and design various embodiments with various modifications suited to particular uses.

Claims (14)

1. An APP application malicious behavior detection method, characterized by comprising:
performing static detection on an APP application to obtain the sensitive API contained in the code of the APP application;
detecting the APP application while it is running to obtain a call relation sequence related to the sensitive API;
determining, according to the sensitive API and the call relation sequence, whether the APP application is a malicious application.
2. The method of claim 1, characterized in that performing static detection on the APP application to obtain the sensitive API contained in the code of the APP application comprises:
disassembling the code of the APP application to obtain first disassembled code of the APP application;
detecting whether the sensitive API is present in the first disassembled code.
3. The method of claim 2, characterized in that determining, according to the sensitive API and the call relation sequence, whether the APP application is a malicious application comprises:
scanning the first disassembled code and extracting from it a feature set related to the sensitive API;
inputting the feature set into a BP neural network algorithm model and performing classification and recognition according to preset malicious data samples, so as to determine whether the APP application is a malicious application and the type of malicious application to which it belongs.
4. The method of claim 1, characterized in that detecting the APP application while it is running to obtain the call relation sequence related to the sensitive API comprises:
using recursive descent parsing, and based on the control flow related to the sensitive API, disassembling the APP application and the other applications that call the sensitive API, and converting them into second disassembled code;
determining, in the second disassembled code, the positions at which the sensitive API occurs and the call relations related to the sensitive API, and establishing the call relation sequence related to the sensitive API.
5. The method of claim 4, characterized in that determining, according to the sensitive API and the call relation sequence, whether the APP application is a malicious application comprises:
analyzing, according to the call relation sequence, the impact of the sensitive API on the security of the APP application and of other applications;
determining, based on the result of the analysis, whether the APP application is a malicious application.
6. The method of claim 1, characterized by further comprising:
performing dynamic interaction, by remote control, with the user interface of a terminal on which the APP application is installed;
triggering execution of the corresponding actions of the APP application;
obtaining network traffic and log files related to the APP application, and determining, based on the network traffic and log files, whether the APP application is a malicious application.
7. An APP application malicious behavior detection device, characterized by comprising:
a static detection module, configured to perform static detection on an APP application and obtain the sensitive API contained in the code of the APP application;
a behavior sequence analysis module, configured to detect the APP application while it is running and obtain a call relation sequence related to the sensitive API;
a malicious application determining module, configured to determine, according to the sensitive API and the call relation sequence, whether the APP application is a malicious application.
8. The device of claim 7, characterized in that
the static detection module comprises:
a first preprocessing unit, configured to disassemble the code of the APP application and obtain first disassembled code of the APP application;
a sensitive API detection unit, configured to detect whether the sensitive API is present in the first disassembled code.
9. The device of claim 8, characterized in that
the malicious application determining module comprises:
a first malicious application analysis unit, configured to scan the first disassembled code, extract from it a feature set related to the sensitive API, input the feature set into a BP neural network algorithm model, and perform classification and recognition according to preset malicious data samples, so as to determine whether the APP application is a malicious application and the type of malicious application to which it belongs.
10. The device of claim 8, characterized in that
the behavior sequence analysis module comprises:
a second preprocessing unit, configured to use recursive descent parsing and, based on the control flow related to the sensitive API, disassemble the APP application and the other applications that call the sensitive API, converting them into second disassembled code;
a call analysis unit, configured to determine, in the second disassembled code, the positions at which the sensitive API occurs and the call relations related to the sensitive API, and to establish the call relation sequence related to the sensitive API.
11. The device of claim 11, characterized in that
the malicious application determining module comprises:
a second malicious application analysis unit, configured to analyze, according to the call relation sequence, the impact of the sensitive API on the security of the APP application and of other applications, and to determine, based on the result of the analysis, whether the APP application is a malicious application.
12. The device of claim 8, characterized by further comprising:
a dynamic analysis module, configured to perform dynamic interaction, by remote control, with the user interface of a terminal on which the APP application is installed; trigger execution of the corresponding actions of the APP application; obtain network traffic and log files related to the APP application; and determine, based on the network traffic and log files, whether the APP application is a malicious application.
13. An APP application malicious behavior detection device, characterized by comprising:
a memory; and
a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the APP application malicious behavior detection method of any one of claims 1 to 6.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the APP application malicious behavior detection method of any one of claims 1 to 6.
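The static-detection and call-relation steps of claims 1, 2, 4 and 5, sketched in Python as an added example (not code from the patent or its applicant). It assumes Android smali-style disassembly, a two-entry sensitive-API table and a simple ordering rule in place of the analysis the claims leave unspecified; the sample listing is constructed.

```python
import re
# Assumed sensitive-API table (real Android APIs; the claims do not enumerate any).
SENSITIVE = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": "read_device_id",
    "Landroid/telephony/SmsManager;->sendTextMessage": "send_sms",
}
# Constructed smali-style listing standing in for the disassembled code.
SAMPLE = """
.class public Lcom/example/Demo;
.method public onCreate()V
    invoke-virtual {p0}, Lcom/example/Demo;->collect()V
    invoke-virtual {p0}, Lcom/example/Demo;->report()V
.end method
.method public collect()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
.end method
.method public report()V
    invoke-virtual {v1, v2, v3, v4, v5, v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
.end method
"""
INVOKE = re.compile(r"invoke-\S+ \{[^}]*\}, (L[^;]+;->[^(]+)\(")

def build_call_graph(smali):  # method -> ordered list of methods it invokes
    graph, cls, cur = {}, None, None
    for line in map(str.strip, smali.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            cur = f"{cls}->{line.split()[-1].split('(')[0]}"
        elif cur and (m := INVOKE.search(line)):
            graph.setdefault(cur, []).append(m.group(1))
    return graph

def static_detect(graph):  # claim 2: sensitive APIs present in the disassembly
    return sorted({c for cs in graph.values() for c in cs if c in SENSITIVE})

def call_sequences(graph, entry, path=()):  # claim 4: chains ending at a sensitive API
    if entry in path:  # skip recursive cycles
        return
    for callee in graph.get(entry, []):
        if callee in SENSITIVE:
            yield path + (entry, callee)
        else:
            yield from call_sequences(graph, callee, path + (entry,))

def assess(graph, entry):  # assumed rule: device-ID read followed by an SMS send
    seqs = list(call_sequences(graph, entry))
    acts = [SENSITIVE[s[-1]] for s in seqs]
    return seqs, "read_device_id" in acts and "send_sms" in acts[acts.index("read_device_id"):]
```

Calling assess(build_call_graph(SAMPLE), "Lcom/example/Demo;->onCreate") returns the two call chains and a True flag; the same call from collect alone yields one chain and no flag, because the API's presence without the follow-on send does not satisfy the rule.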
CN201710524463.1A 2017-06-30 2017-06-30 APP application malicious behavior detection method and device Active CN109214178B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710524463.1A CN109214178B (en) 2017-06-30 2017-06-30 APP application malicious behavior detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710524463.1A CN109214178B (en) 2017-06-30 2017-06-30 APP application malicious behavior detection method and device

Publications (2)

Publication Number Publication Date
CN109214178A true CN109214178A (en) 2019-01-15
CN109214178B CN109214178B (en) 2021-03-16

Family

ID=64976919

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710524463.1A Active CN109214178B (en) 2017-06-30 2017-06-30 APP application malicious behavior detection method and device

Country Status (1)

Country Link
CN (1) CN109214178B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109816005A (en) * 2019-01-18 2019-05-28 北京智游网安科技有限公司 Application program trade classification method, storage medium and terminal based on CNN
CN110889115A (en) * 2019-11-07 2020-03-17 国家计算机网络与信息安全管理中心 Malicious push behavior detection method and device
CN111797400A (en) * 2020-07-08 2020-10-20 国家计算机网络与信息安全管理中心 Method and device for dynamically detecting malicious applications in Internet of vehicles
CN112765654A (en) * 2021-01-07 2021-05-07 支付宝(杭州)信息技术有限公司 Management and control method and device based on private data calling
CN113051561A (en) * 2019-12-27 2021-06-29 中国电信股份有限公司 Application program feature extraction method and device and classification method and device
CN113449297A (en) * 2020-03-24 2021-09-28 中移动信息技术有限公司 Training method of malicious code recognition model, and malicious code recognition method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
CN105760761A (en) * 2016-02-04 2016-07-13 中国联合网络通信集团有限公司 Software behavior analyzing method and device
US20160232351A1 (en) * 2015-02-06 2016-08-11 Alibaba Group Holding Limited Method and device for identifying computer virus variants
CN106845236A (en) * 2017-01-18 2017-06-13 东南大学 A kind of application program various dimensions privacy leakage detection method and system for iOS platforms

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
US20160232351A1 (en) * 2015-02-06 2016-08-11 Alibaba Group Holding Limited Method and device for identifying computer virus variants
CN105760761A (en) * 2016-02-04 2016-07-13 中国联合网络通信集团有限公司 Software behavior analyzing method and device
CN106845236A (en) * 2017-01-18 2017-06-13 东南大学 A kind of application program various dimensions privacy leakage detection method and system for iOS platforms

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109816005A (en) * 2019-01-18 2019-05-28 北京智游网安科技有限公司 Application program trade classification method, storage medium and terminal based on CNN
CN109816005B (en) * 2019-01-18 2021-08-03 北京智游网安科技有限公司 Application program industry classification method based on CNN, storage medium and terminal
CN110889115A (en) * 2019-11-07 2020-03-17 国家计算机网络与信息安全管理中心 Malicious push behavior detection method and device
CN113051561A (en) * 2019-12-27 2021-06-29 中国电信股份有限公司 Application program feature extraction method and device and classification method and device
CN113449297A (en) * 2020-03-24 2021-09-28 中移动信息技术有限公司 Training method of malicious code recognition model, and malicious code recognition method and device
CN111797400A (en) * 2020-07-08 2020-10-20 国家计算机网络与信息安全管理中心 Method and device for dynamically detecting malicious applications in Internet of vehicles
CN111797400B (en) * 2020-07-08 2023-09-01 国家计算机网络与信息安全管理中心 Dynamic detection method and device for malicious application of Internet of vehicles
CN112765654A (en) * 2021-01-07 2021-05-07 支付宝(杭州)信息技术有限公司 Management and control method and device based on private data calling
CN112765654B (en) * 2021-01-07 2022-09-20 支付宝(杭州)信息技术有限公司 Management and control method and device based on private data calling

Also Published As

Publication number Publication date
CN109214178B (en) 2021-03-16

Similar Documents

Publication Publication Date Title
CN109214178A (en) APP application malicious act detection method and device
CN109241711B (en) User behavior identification method and device based on prediction model
CN109034660B (en) Method and related device for determining risk control strategy based on prediction model
Arp et al. Dos and don'ts of machine learning in computer security
CA2223521C (en) Detecting mobile telephone misuse
CN109241709B (en) User behavior identification method and device based on slider verification code verification
CN110442712B (en) Risk determination method, risk determination device, server and text examination system
CN109271762B (en) User authentication method and device based on slider verification code
CN107944274A (en) A kind of Android platform malicious application off-line checking method based on width study
CN112801155B (en) Business big data analysis method based on artificial intelligence and server
CN112330355B (en) Method, device, equipment and storage medium for processing consumption coupon transaction data
CN112149124A (en) Android malicious program detection method and system based on heterogeneous information network
CN109743286A (en) A kind of IP type mark method and apparatus based on figure convolutional neural networks
CN106778151A (en) Method for identifying ID and device based on person's handwriting
CN106603327A (en) Behavior data analysis method and device
CN108600270A (en) A kind of abnormal user detection method and system based on network log
CN109960936A (en) A kind of pair of mobile terminal carries out the Risk Identification Method of automatization simulation business access
CN106845235A (en) A kind of Android platform call back function detection method based on machine learning method
CN108985052A (en) A kind of rogue program recognition methods, device and storage medium
CN108734011A (en) software link detection method and device
CN109544165A (en) Resource transfers processing method, device, computer equipment and storage medium
CN116318974A (en) Site risk identification method and device, computer readable medium and electronic equipment
CN112801156B (en) Business big data acquisition method and server for artificial intelligence machine learning
CN111190813B (en) Android application network behavior information extraction system and method based on automatic testing
CN109726550A (en) Abnormal operation behavioral value method, apparatus and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant