TWI668592B - Method for automatically determining the malicious degree of Android App by using multiple dimensions - Google Patents
Abstract
The invention discloses a method for automatically determining the malicious degree of an Android App using multiple dimensions. A two-stage feature-value approach is used to detect whether the app's static and dynamic behaviour carries risk. The first stage performs fast checks against known blacklists and whitelists, virus information and behaviour information; if no risky behaviour is detected, the second stage computes a risk score from risk rules composed of permission usage, key vulnerabilities, dynamic behaviour detection, embedded software development kits, sensitivity risk, SMS behaviour and privacy risk. The method thus combines two properties: rapid detection of known risks and exploration of possible unknown risks.
Description
The invention is a method for automatically determining the malicious degree of an Android App using multiple dimensions, and in particular a detection approach that combines two stages of feature-value checks.
In recent years, the rapid development of the Android mobile operating system and its large user base have drawn the attention of computer hackers, who now write mobile malware. By decompiling a legitimate program, embedding malicious code, and then repackaging and redistributing it, they can use the appearance and functionality of the legitimate program to lure unsuspecting or careless users into downloading, installing and running it, and so obtain illicit profit and users' personal data. Such malware may be spread through major forums, cloud storage, and even the official Google Play store.
Android malware falls mainly into premium-service abuse software, adware, data-stealing software, malicious cracked software, click-fraud software, spyware and so on. In general, traditional malware detection uses known virus signatures, static analysis of decompiled code, dynamic analysis that runs the program on a mobile device or emulator and observes its behaviour, or a combined judgement over the above analysis data. However, the number of mobile applications is growing at an alarming rate, so an analysis system can only keep expanding its software and hardware resources to handle the volume, and hackers are adept at hiding malicious code inside repackaged legitimate programs, which reduces the effectiveness of analysis. If an analysis system cannot quickly and effectively identify the malicious behaviour in a mobile application, it cannot detect the threat in time and protect the mobile device.
The malware detection method and system of patent application publication TW 201426381 A discloses a detection method that uses static behaviour features and algorithms for detection, but it does not address malicious behaviour that only appears when the malware actually runs, and benign program features that frequently occur in malware easily confuse such techniques.
The Android malicious-code detection method and apparatus of granted patent CN 103354540 B discloses a method that monitors the system for SMS interception and compares the SMS content against the locations in the program that hold SMS-receiving and SMS-reading permissions in order to detect malicious behaviour. However, it relies solely on the SMS interception mechanism and does not consider that malware may also transmit data through other channels, such as the network.
Patent TW I515598 B, on a method for generating purified malware, a method for detecting malware and a system therefor, discloses a method that uses multiple data-flow paths to purify malware. However, it uses only data-flow similarity comparison and does not draw on any third-party malware database to strengthen its detection.
In view of the shortcomings of the conventional approaches above, the inventor set out to improve and innovate and, after years of dedicated research, finally developed the present method for automatically determining the malicious degree of an Android App using multiple dimensions.
The object of the invention is to provide a method for automatically determining the malicious degree of an Android App using multiple dimensions that is faster and more accurate than traditional static and dynamic detection, that also applies to unknown types of malware which antivirus software cannot detect, and that establishes a unique two-stage detection method to quickly detect mobile malware and curb its spread and damage.
To achieve the above object, the method for automatically determining the malicious degree of an Android App using multiple dimensions uses a first-stage fast check and a second-stage detailed check, both operating on the feature values that a feature-analysis system extracts from the mobile application. Every mobile application obtains its own feature values from the feature-analysis system. The first stage performs the blacklist/whitelist, virus-information and behaviour-information checks in sequence; as soon as any check in this stage indicates risk, a result is returned immediately. Users can maintain the blacklist, whitelist and signature information themselves, configure the virus-information sources and comparison mechanism, and select which risky behaviours are to be judged. If the first stage detects no risky behaviour, the second-stage detailed check begins. A default risk score is assigned before the checks. The first step compares the application against the risk rules, which are composed of permission usage, key vulnerabilities, dynamic behaviour detection, embedded software development kits, sensitivity risk, SMS behaviour and privacy risk; the rules are compared one by one and the one with the highest similarity is taken. If that similarity exceeds the system setting, the application is judged to match the rule and the risk score is raised. Blacklisted signatures and malicious URLs are compared next; a match raises the risk score and a non-match lowers it, and the virus-detection ratio further raises or lowers the score. If the final risk score exceeds the system threshold, the application is judged to be high-risk. Users can also maintain the risk rules themselves, set the similarity range, and add or amend blacklisted signatures, malicious URLs and so on.
A method for automatically determining the malicious degree of an Android App using multiple dimensions comprises: step 1, select the mobile application to be checked; step 2, use feature analysis to extract the App's feature values, obtaining its static and dynamic behaviour features; step 3, store them in the App feature-value database; step 4, perform the first-stage fast check and quickly determine whether a known feature-value check is matched; step 5, if yes, judge the application malicious; step 6, if no, perform the second-stage detailed check and compute whether the risk value exceeds the threshold; step 7, if yes, judge the application malicious; and step 8, if no, judge the application non-malicious.
The first-stage fast check of step 4 comprises: step 1, obtain the feature values of the mobile application to be checked; step 2, check whether it is blacklisted, and if so judge it malicious; step 3, if not, check whether it is whitelisted, and if so judge it non-malicious; step 4, if not, check whether there is virus information, and if so judge it malicious; step 5, if not, check whether it is flagged by the behaviour check, and if so judge it malicious; and step 6, if not, proceed to the second-stage detailed check.
The virus information of step 4 comprises the virus vendor, the virus name, or a detection count above the threshold set by the system. The behaviour check of step 5 covers behaviour that obtains the highest administrator privileges, behaviour that escalates privileges, and behaviour that leaks keys.
Accordingly, the feature values of the mobile application to be checked are obtained from the App feature database. The application blacklist is obtained from the known-malicious-behaviour database and compared; if the application is blacklisted, it is immediately judged malicious and no further comparison is needed. The whitelist is obtained from the known-malicious-behaviour database and compared; if the application is whitelisted, it is immediately judged non-malicious and no further comparison is needed. The application's virus-scan results are obtained from the known-malicious-behaviour database and compared; if the scan reports a virus vendor or virus name configured in the system, or a detection count above the system threshold, the application is immediately judged malicious and no further comparison is needed. The application's feature values are obtained from the App feature database and compared; if they match any of the behaviours of obtaining the highest administrator privileges, escalating privileges or leaking keys, the application is immediately judged malicious and no further comparison is needed. If the application matches none of these behaviours, the second-stage check must follow. Information about the above checks is stored in the risk-result database.
The second-stage detailed check of step 6 comprises: step 1, obtain the feature values of the application under test and assign a default risk score; step 2, compare against the risk rules and determine whether the highest similarity is reached; if yes, raise the risk score, if no, lower it; step 3, check for a blacklisted signature; if found, raise the risk score, otherwise lower it; step 4, check for a malicious URL; if found, raise the risk score, otherwise lower it; step 5, perform virus detection; and step 6, determine whether the risk score exceeds the system threshold; if yes, judge the application malicious, otherwise judge it non-malicious.
Accordingly, the feature values of the mobile application to be checked are obtained from the App feature database and an initial risk score is assigned for later use. All risk rules are obtained from the risk-rule database and compared one by one against the application's feature values to measure their similarity; the rule with the highest similarity is selected and its similarity score is added to the risk score, but if that similarity is below the system threshold the risk score is lowered instead. Blacklisted signature information is obtained from the known-malicious-behaviour database and compared; if the application's signature feature value matches, the risk score is raised, otherwise it is lowered. Malicious URLs are obtained from the known-malicious-behaviour database and compared; if the application's URL feature values match, the risk score is raised, otherwise it is lowered. The application's virus-scan results are obtained from the known-malicious-behaviour database and compared, and the risk score is raised in proportion to the virus-detection ratio. The risk score is then judged: if it exceeds the system threshold the application is judged malicious, otherwise non-malicious. The final result is stored in the risk-result database.
Compared with other conventional techniques, the method for automatically determining the malicious degree of an Android App using multiple dimensions provided by the invention offers the following advantages:
1. The invention quickly and accurately achieves automatic determination of the malicious degree of an Android App. Its multi-dimensional approach offers both a fast check and a detailed check, so even a large volume of detection requests does not require costly software and hardware infrastructure.
2. The invention provides risk-rule comparison. Using risk rules composed of permission usage, key vulnerabilities, dynamic behaviour detection, embedded software development kits, sensitivity risk, SMS behaviour and privacy risk, it identifies the risk rule that best matches the application's feature values and judges accordingly, and can thereby detect unknown types of malware.
3. The invention's Android App detection mechanism can be deployed inside or outside an enterprise, substantially improving the security of mobile-device use. When connected to the network system at the enterprise's entry point it blocks the path by which malware enters the enterprise; when deployed externally it lets users upload samples and receive detection results, which expands the sample set, increases the number of risk rules and improves detection.
S110~S151: process flow
S210~S260: first-stage fast-check flow
S310~S362: second-stage detailed-check flow
The detailed description of the invention and the accompanying drawings give a fuller understanding of its technical content, object and effect. The drawings are: Figure 1, a flow chart of the method for automatically determining the malicious degree of an Android App using multiple dimensions; Figure 2, a flow chart of the first-stage fast check of the method; and Figure 3, a flow chart of the second-stage detailed check of the method.
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
The invention is further described with reference to the drawings. Figure 1 is a flow chart of the method for automatically determining the malicious degree of an Android App using multiple dimensions; its steps comprise: step 1, S110, select the mobile application to be checked; step 2, S120, use feature analysis to extract the App's feature values, obtaining static and dynamic behaviour features; step 3, S130, store them in the App feature-value database; step 4, S140, perform the first-stage fast check and quickly determine whether a known feature-value check is matched; step 5, if yes, S141 judges the application malicious; step 6, if no, S150 performs the second-stage detailed check and computes whether the risk value exceeds the threshold; step 7, if yes, S141 judges the application malicious; and step 8, if no, S151 judges the application non-malicious.
In this flow, a scheduling server selects a sample for analysis from the samples awaiting detection and dispatches it to the feature-analysis system. The feature-analysis system analyses the sample using both static and dynamic analysis and extracts its feature values, which include the hash value, signature, permissions used, connection URLs, dynamic behaviour detection, embedded software development kits, sensitivity risk, SMS behaviour, privacy-exposure risk, whether it obtains the highest administrator privileges, whether it escalates privileges, whether it leaks keys, and so on. The feature-analysis system stores the extracted feature data in the App feature database for use by the subsequent detection mechanisms. The first-stage fast check then uses currently known feature-value checks to decide whether the sample is malicious; depending on that result, the second-stage check uses a risk score to decide whether it is malicious. If either stage concludes that the sample is malicious, the risk result is stored in the risk-result database.
The first-stage fast check of step 4 above is shown in Figure 2, the flow chart of the first-stage fast check of the method for automatically determining the malicious degree of an Android App using multiple dimensions; its flow comprises: step 1, S210, obtain the feature values of the application to be checked; step 2, S220, check whether it is blacklisted; if yes, S221 judges it malicious; step 3, if no, S230 checks whether it is whitelisted; if yes, S231 judges it non-malicious; step 4, if no, S240 checks whether there is virus information; if yes, S221 judges it malicious; step 5, if no, S250 checks whether it is flagged by the behaviour check; if yes, S221 judges it malicious; and step 6, if no, S260 proceeds to the second-stage detailed check.
The virus information of step 4 comprises the virus vendor, the virus name, or a detection count above the threshold set by the system. The behaviour check of step 5 covers behaviour that obtains the highest administrator privileges, behaviour that escalates privileges, and behaviour that leaks keys.
Combining the above, the first-stage analysis server obtains the feature values of the application to be checked from the App feature database for the subsequent comparisons. It obtains the application blacklist from the known-malicious-behaviour database and compares: if the application is blacklisted, it is immediately judged malicious and no further comparison is needed; if it is not blacklisted, comparison continues. It obtains the whitelist from the known-malicious-behaviour database and compares: if the application is whitelisted, it is immediately judged non-malicious and no further comparison is needed; if it is not whitelisted, comparison continues. It then obtains the application's virus-scan results from the known-malicious-behaviour database and compares: if the scan reports a virus vendor or virus name configured in the system, or a detection count above the system threshold, the application is immediately judged malicious and no further comparison is needed; if the application does not meet these settings, comparison continues. It obtains the application's feature values from the App feature database and compares: if they match any of the behaviours of obtaining the highest administrator privileges, escalating privileges or leaking keys, the application is immediately judged malicious and no further comparison is needed; if none of these behaviours match, the second-stage check must follow. Whenever a check in the first-stage analysis server judges the application malicious, the information is stored in the risk-result database.
The second-stage detailed check of step 6 in the flow of the method for determining the malicious degree of an Android App is shown in Figure 3, the flow chart of the second-stage detailed check of the method for automatically determining the malicious degree of an Android App using multiple dimensions; its flow comprises: step 1, S310, obtain the feature values of the application under test and assign a default risk score; step 2, S320, compare against the risk rules and determine whether the highest similarity is reached; if yes, S321 raises the risk score, if no, S322 lowers it; step 3, S330, check for a blacklisted signature; if yes, S331 raises the risk score, if no, S332 lowers it; step 4, S340, check for a malicious URL; if yes, S341 raises the risk score, if no, S342 lowers it; step 5, S350, perform virus detection; and step 6, S360, determine whether the risk score exceeds the system threshold; if yes, S361 judges the application malicious, if no, S362 judges it non-malicious.
In this flow, the second-stage analysis server obtains the feature values of the application to be checked from the App feature database for the subsequent comparisons and assigns an initial risk score for later use. It then obtains all risk rules from the risk-rule database and compares them one by one against the application's feature values to measure their similarity; the rule with the highest similarity is selected and its similarity score is added to the risk score, but if that similarity is below the system threshold the risk score is lowered instead. It obtains blacklisted signature information from the known-malicious-behaviour database and compares: if the application's signature feature value matches, the risk score is raised; if the application has no matching signature feature value, the risk score is lowered. It obtains malicious URLs from the known-malicious-behaviour database and compares: if the application's URL feature values match, the risk score is raised; if the application has no matching URL feature value, the risk score is lowered. It obtains the application's virus-scan results from the known-malicious-behaviour database and compares, raising the risk score in proportion to the virus-detection ratio. Finally the risk score is judged: if it exceeds the system threshold the application is judged malicious, otherwise non-malicious, and the final result is stored in the risk-result database.
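The two-stage flow of Figures 1 to 3 (the first-stage fast checks S210~S260 and the second-stage scoring S310~S362), written out as an added Python illustration that is not code from the patent. The feature field names, the weights, the similarity measure (the fraction of a rule's indicators present in the app) and the sample database, rules and apps are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# The seven dimensions a risk rule is composed of in the patent.
RULE_DIMENSIONS = ("permissions", "key_vulns", "dynamic_behaviors", "sdks",
                   "sensitive_risks", "sms_behaviors", "privacy_risks")
Rule = Dict[str, FrozenSet[str]]  # dimension -> indicator values (assumed layout)

@dataclass
class AppFeatures:  # feature values extracted for one app (constructed)
    sha256: str
    signature: str
    urls: FrozenSet[str]
    av_detections: Dict[str, str]             # vendor -> detection name
    dims: Rule = field(default_factory=dict)  # values per rule dimension
    root_access: bool = False                 # highest-administrator privileges
    privilege_escalation: bool = False
    key_leak: bool = False

@dataclass
class KnownMaliciousDB:  # known-malicious-behaviour database (constructed)
    blacklist: set
    whitelist: set
    blacklist_signatures: set
    malicious_urls: set
    flagged_vendors: set
    flagged_names: set
    detection_count_threshold: int

@dataclass
class ScoringConfig:  # operator-tunable values; the numbers are assumptions
    initial_score: float = 20.0
    similarity_threshold: float = 0.6
    rule_weight: float = 40.0
    signature_weight: float = 30.0
    url_weight: float = 20.0
    av_weight: float = 30.0
    av_vendor_count: int = 10      # vendors in the scan, for the detection ratio
    penalty: float = 5.0           # subtracted when a check does not match
    malicious_threshold: float = 50.0

def stage_one(app: AppFeatures, db: KnownMaliciousDB) -> Optional[str]:
    """First-stage fast check (S220..S250): a verdict, or None if stage two is needed."""
    if app.sha256 in db.blacklist:
        return "malicious"
    if app.sha256 in db.whitelist:
        return "benign"
    vendors, names = set(app.av_detections), set(app.av_detections.values())
    if (vendors & db.flagged_vendors or names & db.flagged_names
            or len(app.av_detections) > db.detection_count_threshold):
        return "malicious"  # virus-information check
    if app.root_access or app.privilege_escalation or app.key_leak:
        return "malicious"  # behaviour check
    return None

def rule_similarity(app: AppFeatures, rule: Rule) -> float:
    """Fraction of the rule's (dimension, indicator) pairs present in the app."""
    expected = {(d, v) for d in RULE_DIMENSIONS for v in rule.get(d, ())}
    present = {(d, v) for d in RULE_DIMENSIONS for v in app.dims.get(d, ())}
    return len(expected & present) / len(expected) if expected else 0.0

def stage_two(app, db, rules: List[Rule], cfg: ScoringConfig) -> float:
    """Second-stage detailed check (S310..S350); returns the final risk score."""
    score = cfg.initial_score
    best = max((rule_similarity(app, r) for r in rules), default=0.0)
    score += best * cfg.rule_weight if best >= cfg.similarity_threshold else -cfg.penalty
    score += cfg.signature_weight if app.signature in db.blacklist_signatures else -cfg.penalty
    score += cfg.url_weight if app.urls & db.malicious_urls else -cfg.penalty
    score += len(app.av_detections) / cfg.av_vendor_count * cfg.av_weight
    return score

def assess(app, db, rules, cfg=ScoringConfig()) -> dict:
    """Full pipeline: stage one short-circuits; otherwise stage two scores against the threshold."""
    verdict = stage_one(app, db)
    if verdict is not None:
        return {"stage": 1, "score": None, "verdict": verdict}
    score = stage_two(app, db, rules, cfg)
    return {"stage": 2, "score": score,
            "verdict": "malicious" if score > cfg.malicious_threshold else "benign"}

# Constructed sample database, risk rules and apps.
DB = KnownMaliciousDB(blacklist={"sha256:aaaa"}, whitelist={"sha256:bbbb"},
                      blacklist_signatures={"sig:evil-signer"}, malicious_urls={"http://bad.example/c2"},
                      flagged_vendors={"VendorX"}, flagged_names={"Android.SmsSend"},
                      detection_count_threshold=3)
RULES: List[Rule] = [
    {"permissions": frozenset({"SEND_SMS", "READ_PHONE_STATE"}),  # premium-SMS abuse pattern
     "sms_behaviors": frozenset({"send_premium_sms"}), "privacy_risks": frozenset({"read_imei"})},
    {"permissions": frozenset({"SYSTEM_ALERT_WINDOW"}),  # adware pattern
     "dynamic_behaviors": frozenset({"overlay_on_launch"}), "sdks": frozenset({"aggressive-ad-sdk"})},
]
KNOWN_BAD = AppFeatures("sha256:aaaa", "sig:x", frozenset(), {})
UNKNOWN = AppFeatures("sha256:cccc", "sig:evil-signer", frozenset({"http://bad.example/c2"}),
                      {"VendorA": "Trojan.Generic"},
                      dims={"permissions": frozenset({"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}),
                            "sms_behaviors": frozenset({"send_premium_sms"}),
                            "privacy_risks": frozenset({"read_imei"})})
CLEAN = AppFeatures("sha256:dddd", "sig:dev", frozenset({"https://api.example"}), {},
                    dims={"permissions": frozenset({"INTERNET"})})
```

`assess(KNOWN_BAD, DB, RULES)` stops in stage one on the blacklist, while `UNKNOWN` has no known hash and is only caught in stage two by the premium-SMS rule plus its signature and URL.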
The detailed description above illustrates one feasible embodiment of the invention; the embodiment is not intended to limit the patent scope of the invention, and all equivalent implementations or modifications that do not depart from the technical spirit of the invention fall within the patent scope of this application.
In summary, this application is not only genuinely innovative in its technical concept but also provides the above advantages that conventional methods lack. It fully meets the statutory requirements of novelty and inventive step for an invention patent, and an application is filed in accordance with the law; the Office is respectfully requested to approve this invention patent application so as to encourage invention.
Claims (5)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106125420A TWI668592B (en) | 2017-07-28 | 2017-07-28 | Method for automatically determining the malicious degree of Android App by using multiple dimensions |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201911102A (en) | 2019-03-16 |
| TWI668592B (en) | 2019-08-11 |
Family ID: 66590118
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI668592B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020261425A1 (en) * | 2019-06-26 | 2020-12-30 | 楽天株式会社 | Fraud deduction system, fraud deduction method, and program |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103440458A (en) * | 2013-09-25 | 2013-12-11 | 西安交通大学 | Method for statically identifying malicious codes of Android system in heuristic manner |
| TW201537379A (en) * | 2014-03-17 | 2015-10-01 | Chunghwa Telecom Co Ltd | Computer program product and method for information safety monitoring and defense |
| CN106557695A (en) * | 2015-09-25 | 2017-04-05 | 卓望数码技术(深圳)有限公司 | A kind of malicious application detection method and system |
| US9661009B1 (en) * | 2014-06-26 | 2017-05-23 | Fireeye, Inc. | Network-based malware detection |
| CN106845217A (en) * | 2017-01-20 | 2017-06-13 | 四川中大云科科技有限公司 | A kind of detection method of Android application malicious act |
| TW201721497A (en) * | 2015-12-08 | 2017-06-16 | 英希羅有限公司 | Systems and methods for detection of malicious code in runtime generated code |
| US9690936B1 (en) * | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
- 2017-07-28: TW application TW106125420A, granted as TWI668592B, status not active (IP right cessation)
Also Published As
| Publication number | Publication date |
|---|---|
| TW201911102A (en) | 2019-03-16 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | MM4A | Annulment or lapse of patent due to non-payment of fees | |