CN103942494B - Method and system for auditing malicious software - Google Patents


Info

Publication number
CN103942494B
CN103942494B (granted publication of application CN201410129211.5A; earlier publication CN103942494A)
Authority
CN (China)
Prior art keywords
software, reviewed, behavior, malicious act, auditing
Legal status
Expired - Fee Related
Application number
CN201410129211.5A
Other languages
Chinese (zh)
Other versions
CN103942494A (en)
Inventors
田野
周学志
Current Assignee
Institute of Acoustics CAS
Original Assignee
Institute of Acoustics CAS
Priority date
2014-04-01
Filing date
2014-04-01
Publication date
2017-01-18
Prosecution history
Application filed by Institute of Acoustics CAS; priority to CN201410129211.5A; publication of CN103942494A; application granted; publication of CN103942494B; current legal status: Expired - Fee Related.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention relates to a method and system for auditing malicious software. The method comprises: converting first audited software into a recognizable format to obtain second audited software; auditing the second audited software for malicious behavior against a malicious behavior feature library to obtain an audit result; when the audit result shows that no malicious behavior is present, auditing the second audited software for sensitive behavior against a sensitive behavior feature library; when that audit shows that sensitive behavior is present, performing behavior pattern analysis on the second audited software according to a software behavior model; and when the behavior pattern analysis finds the behavior unreasonable, judging the first audited software to be malicious software. With this method and system, software can be audited for malicious behavior and for potential threats.

Description

Malware auditing method and system
Technical field
The present invention relates to the field of information security, and in particular to a malware auditing method and system.
Background technology
With the rapid development of IT technology, large numbers of IT products have spread quickly into every aspect of daily life. At the same time, IT products have become ever more intelligent and have overturned the traditional ways of using many products. For example, a mobile phone is no longer used only to make calls; watching films and playing games have also become essential phone functions. New products, new usage patterns and new functions bring new experiences to the public, but also bring new problems. Today's malware is no longer primarily destructive, as traditional malware (for example worms, or the Panda Burning Incense virus) was; instead it aims to steal important information such as user accounts, bank card numbers and passwords. The important information of today's users therefore faces serious security problems. Moreover, analysing only the code or files of a piece of software cannot accurately detect all malware.
Content of the invention
The object of the present invention is to provide a malware auditing method and system which, by analysing and judging software behavior, determine whether software is malicious or poses a potential threat. This achieves the auditing of malware, improves the effectiveness and accuracy of malware auditing, and protects the information security of users.
To achieve the above object, the invention provides a malware auditing method comprising the following steps:
converting first audited software into a recognizable format to obtain second audited software;
auditing the second audited software for malicious behavior according to a malicious behavior feature library, to obtain an audit result;
when the audit result is that no malicious behavior is present, auditing the second audited software for sensitive behavior according to a sensitive behavior feature library;
when the result of the sensitive behavior audit is that sensitive behavior is present, performing behavior pattern analysis on the second audited software according to a software behavior model;
when the result of the behavior pattern analysis is that the behavior is unreasonable, judging the first audited software to be malware.
Preferably, the method further comprises: when the audit result is that malicious behavior is present, judging the first audited software to be malware.
Preferably, the method further comprises: when the result of the sensitive behavior audit is that no sensitive behavior is present, judging the first audited software to be non-malicious software.
Preferably, the method further comprises: when the result of the behavior pattern analysis is that the behavior is reasonable, judging the first audited software to be non-malicious software.
Preferably, the malicious behavior feature library is a sample library comprising malicious behavior features of known malware and/or user-defined malicious behavior features.
Preferably, the sensitive behavior feature library is a sample library comprising sensitive behavior features of known malware and/or user-defined sensitive behavior features.
Preferably, the software behavior model is a model that analyses software behavior from the type, purpose, programming language, running environment and running privileges of existing software.
The invention also provides a malware auditing system comprising:
a format conversion module, for converting first audited software into a recognizable format to obtain second audited software;
a malicious behavior auditing module, for auditing the second audited software for malicious behavior according to a malicious behavior feature library, to obtain an audit result;
a sensitive behavior auditing module, for auditing the second audited software for sensitive behavior according to a sensitive behavior feature library when the audit result is that no malicious behavior is present;
a behavior pattern analysis module, for performing behavior pattern analysis on the second audited software according to a software behavior model when the result of the sensitive behavior audit is that sensitive behavior is present;
and, when the result of the behavior pattern analysis is that the behavior is unreasonable, the first audited software is judged to be malware.
The malware auditing method and system provided by the invention build a malicious behavior feature library by collecting the behavior of known malware, and can thereby effectively detect software known to be malicious or threatening. They further build a sensitive behavior feature library from the characteristics and parameters of the type of software being audited, and use a software behavior model to analyse and judge whether a sensitive behavior is reasonable or poses a potential threat, so that unknown malware can also be detected. This improves the effectiveness and accuracy of malware audit results and the security of user information.
Brief description of the drawings
Fig. 1 is a flow chart of a malware auditing method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a malware auditing system provided by an embodiment of the present invention;
Fig. 3 is a system operation diagram of a malware auditing system provided by an embodiment of the present invention.
Specific embodiments
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the malware auditing method provided by an embodiment of the invention. Taking Fig. 1 as an example, the malware auditing method provided by this embodiment is described in detail below; it comprises the following steps:
Step 101: convert first audited software into a recognizable format to obtain second audited software.
Specifically, the software to be audited must be converted into the file format required by the malware auditing system; for example, an Android application in apk format is decompiled to obtain the file format that the malware auditing system needs.
Further, before step 101 the method also includes building a malicious behavior feature library, which is a sample library comprising malicious behavior features of known malware and/or user-defined malicious behavior features. For example, all behavior that infringes the rights of users, such as illegally obtaining system privileges through a backdoor or a system vulnerability, stealing user data, maliciously deducting fees, downloading or uninstalling software without prompting, and surveillance or monitoring, can be included in the malicious behavior feature library as malicious behavior samples.
Further, before step 101 the method also includes building a sensitive behavior feature library, which is a sample library comprising sensitive behavior features of known malware and/or user-defined sensitive behavior features. For example, all behavior that may potentially harm the user, such as accessing important user information (the phone book, call records, browser history and so on), requiring elevated privileges, or running in the background, can be included in the sensitive behavior feature library as sensitive behavior samples.
Further, before step 101 the method also includes building a software behavior model, which is a model that analyses software behavior from the type, purpose, programming language, running environment and running privileges of existing software. The software behavior model is used to judge whether the sensitive behavior of the audited software is reasonable.
Step 102: audit the second audited software for malicious behavior according to the malicious behavior feature library.
Step 103: when the audit result is that no malicious behavior is present, audit the second audited software for sensitive behavior according to the sensitive behavior feature library.
Further, when the audit result is that malicious behavior is present, the audit result is "refuse" and the first audited software is judged to be malware.
Step 104: when the result of the sensitive behavior audit is that sensitive behavior is present, perform behavior pattern analysis on the second audited software according to the software behavior model.
Further, when the result of the sensitive behavior audit is that no sensitive behavior is present, the audit result is "pass" and the first audited software is judged to be non-malicious software.
Step 105: when the result of the behavior pattern analysis is that the behavior is unreasonable, judge the first audited software to be malware.
Further, when the result of the behavior pattern analysis is that the behavior is reasonable, the first audited software is judged to be non-malicious software.
For example, suppose that in step 104 the audited software performs the sensitive behavior of accessing the user's phone book, and the malware auditing system detects this sensitive behavior; step 105 then proceeds as follows. If the audited software is social software or a personal information management assistant, accessing the phone book is normal behavior for such software, and the software behavior model analysis can treat this sensitive behavior as reasonable. If the audited software is a game or a video application, accessing the phone book can be judged an abnormal behavior, because video and game software have no adequate reason to access the phone book; the software behavior model analysis then finds this sensitive behavior unreasonable, and the audited software is determined to be malware.
Fig. 2 is a schematic diagram of a malware auditing system provided by an embodiment of the invention. As shown in Fig. 2, the system comprises the following functional modules:
Format conversion module 201, for converting first audited software into a recognizable format to obtain second audited software.
Specifically, it converts the software to be audited into the file format required by the malware auditing system.
Malicious behavior auditing module 202, for auditing the second audited software for malicious behavior according to the malicious behavior feature library, to obtain an audit result.
Specifically, it audits whether the software contains malicious behavior features according to the malicious behavior feature library. Audited software whose malicious behavior audit result is "refuse" is judged to be malware.
Sensitive behavior auditing module 203, for auditing the second audited software for sensitive behavior according to the sensitive behavior feature library when the audit result is that no malicious behavior is present.
Specifically, it audits whether the software contains sensitive behavior features according to the sensitive behavior feature library.
Behavior pattern analysis module 204, for performing behavior pattern analysis on the second audited software according to the software behavior model when the result of the sensitive behavior audit is that sensitive behavior is present;
when the result of the behavior pattern analysis is that the behavior is unreasonable, the first audited software is judged to be malware.
Specifically, the sensitive behavior of the audited software is analysed according to the behavior pattern model to judge whether that sensitive behavior is reasonable or poses a potential threat, and thus to judge further whether the audited software is malware.
Fig. 3 is a system operation diagram of a malware auditing system provided by an embodiment of the invention. In this embodiment, the entity that executes the following steps is the malware auditing system. As shown in Fig. 3, system operation comprises the following steps:
Step 301: software format conversion.
Specifically, the software to be audited is first converted into the file format required by the malware auditing system.
Step 302: malicious behavior audit.
Specifically, the software to be audited is audited for malicious behavior according to the malicious behavior features in the malicious behavior feature library.
Step 303: judge whether malicious behavior is present.
Specifically, after step 302, when the audited software contains malicious behavior features, its audit result is "refuse"; when it contains no malicious behavior features, proceed to step 304.
Step 304: sensitive behavior audit.
Specifically, the software to be audited is audited for sensitive behavior according to the sensitive behavior features in the sensitive behavior feature library.
Step 305: judge whether sensitive behavior is present.
Specifically, after step 304, when the audited software contains sensitive behavior features, proceed to step 306; when it contains no sensitive behavior features, its audit result is "pass".
For example, software may access the user's photos, contact list and other places from which information can easily leak, without sending that information anywhere. If software has sensitive behavior features of this kind, behavior pattern analysis must be carried out on those sensitive behaviors.
Step 306: behavior pattern analysis.
Specifically, behavior pattern analysis is carried out on the sensitive behavior of the audited software according to the software behavior model. The software behavior model is used to judge whether the sensitive behavior of the audited software is normal and within a reasonable range.
Step 307: judge whether there is a potential threat.
Specifically, after step 306, behavior pattern analysis has been performed on the sensitive behavior of the audited software according to the software behavior model. When the result of the behavior pattern analysis is that the behavior is unreasonable, the analysis concludes that the sensitive behavior of the audited software poses a potential threat to the user, the audit result is "refuse", and the audited software is determined to be malware; when the result is that the behavior is reasonable, the analysis concludes that the sensitive behavior poses no potential threat to the user, and the audit result is "pass".
The malware auditing method and system provided by the embodiments of the invention use the established malicious behavior feature library, sensitive behavior feature library and software behavior model to analyse certain behaviors or actions of the audited software and judge whether they are reasonable or pose a potential threat, so that unknown malware can be detected. This achieves comprehensive auditing of malware, improves the effectiveness and accuracy of malware audit results, and ensures the security of user information.
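The three-stage audit described in steps 101 to 105 (Fig. 1) and again in steps 301 to 307 (Fig. 3), as an added example that is not part of the patent and not the applicant's code. It assumes a constructed representation of the "recognizable format": the decompiled artefacts are reduced to behavior tags through a hand-built mapping from Android permission and API-call strings. The two feature libraries are toy sets, the software behavior model is represented as the set of sensitive behaviors the model regards as normal for each software type, and the sample applications are constructed, not real apps.

```python
"""Three-stage malware audit in the shape of the patent's flow (steps 101-105 / 301-307).

Added example, not code from the patent. Assumptions: the 'recognizable format'
of step 101 is modelled as behavior tags derived from decompilation artefacts via
a constructed mapping; the feature libraries, the behavior model and the sample
applications below are hand-built toy data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable


class Verdict(Enum):
    REFUSE = "refuse"   # audited software judged to be malware
    PASS = "pass"       # audited software judged non-malicious


@dataclass(frozen=True)
class AuditResult:
    verdict: Verdict
    stage: str      # which of the three audit stages produced the verdict
    reason: str


# Constructed mapping from decompilation artefacts to behavior tags (assumption: a
# real converter would derive these from the manifest and the dex/smali code).
ARTIFACT_TO_BEHAVIOR = {
    "permission:android.permission.READ_CONTACTS": "read_contacts",
    "permission:android.permission.READ_CALL_LOG": "read_call_log",
    "permission:com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read_browser_history",
    "permission:android.permission.RECEIVE_BOOT_COMPLETED": "run_in_background",
    "permission:android.permission.INSTALL_PACKAGES": "request_high_privilege",
    "call:Runtime.exec(su)": "root_via_exploit",
    "call:SmsManager.sendTextMessage(premium_number)": "premium_sms_without_consent",
    "call:HttpURLConnection.POST(contacts_dump)": "exfiltrate_user_data",
}

# Malicious behavior feature library: any single match is grounds for refusal.
MALICIOUS_FEATURES = frozenset({
    "root_via_exploit", "exfiltrate_user_data", "premium_sms_without_consent",
    "silent_install", "silent_uninstall", "covert_monitoring",
})

# Sensitive behavior feature library: potentially harmful, so needs context.
SENSITIVE_FEATURES = frozenset({
    "read_contacts", "read_call_log", "read_browser_history",
    "request_high_privilege", "run_in_background",
})

# Software behavior model (toy): per software type, the sensitive behaviors that
# are normal for that type. Anything sensitive outside the set is unreasonable.
BEHAVIOR_MODEL: Dict[str, FrozenSet[str]] = {
    "social": frozenset({"read_contacts", "run_in_background"}),
    "pim": frozenset({"read_contacts", "read_call_log", "run_in_background"}),
    "browser": frozenset({"read_browser_history", "run_in_background"}),
    "video": frozenset({"run_in_background"}),
    "game": frozenset(),
}


@dataclass(frozen=True)
class ReviewedSoftware:
    """The 'second audited software': normalised behavior set plus metadata."""
    name: str
    software_type: str
    behaviors: FrozenSet[str]


def convert_format(name: str, software_type: str, artifacts: Iterable[str]) -> ReviewedSoftware:
    """Step 101: map raw artefacts to behavior tags; artefacts the mapping does not know are dropped."""
    tags = {ARTIFACT_TO_BEHAVIOR[a] for a in artifacts if a in ARTIFACT_TO_BEHAVIOR}
    return ReviewedSoftware(name, software_type, frozenset(tags))


def audit(sw: ReviewedSoftware) -> AuditResult:
    """Steps 102-105: malicious features, then sensitive features, then the behavior model."""
    malicious = sw.behaviors & MALICIOUS_FEATURES
    if malicious:
        return AuditResult(Verdict.REFUSE, "malicious_behavior_audit",
                           "matched malicious features: " + ", ".join(sorted(malicious)))
    sensitive = sw.behaviors & SENSITIVE_FEATURES
    if not sensitive:
        return AuditResult(Verdict.PASS, "sensitive_behavior_audit", "no sensitive behavior")
    # Unknown software type: the model can justify nothing, so every sensitive behavior is unreasonable.
    allowed = BEHAVIOR_MODEL.get(sw.software_type, frozenset())
    unreasonable = sensitive - allowed
    if unreasonable:
        return AuditResult(Verdict.REFUSE, "behavior_pattern_analysis",
                           f"unreasonable for {sw.software_type}: " + ", ".join(sorted(unreasonable)))
    return AuditResult(Verdict.PASS, "behavior_pattern_analysis",
                       "sensitive behavior consistent with software type")


# Constructed samples (not real applications).
SAMPLES = [
    convert_format("chat_app", "social", ["permission:android.permission.READ_CONTACTS",
                                          "permission:android.permission.RECEIVE_BOOT_COMPLETED"]),
    convert_format("calculator", "utility", ["permission:android.permission.INTERNET"]),
    convert_format("puzzle_game", "game", ["permission:android.permission.READ_CONTACTS"]),
    convert_format("video_player", "video", ["permission:android.permission.RECEIVE_BOOT_COMPLETED"]),
    convert_format("fake_tool", "utility", ["call:Runtime.exec(su)",
                                            "call:HttpURLConnection.POST(contacts_dump)"]),
]


def audit_all(samples=SAMPLES) -> Dict[str, AuditResult]:
    return {sw.name: audit(sw) for sw in samples}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:13s} {result.verdict.value:7s} [{result.stage}] {result.reason}")
```

Two design choices worth noting, both mine rather than the patent's: the verdict of the behavior pattern stage rests entirely on the declared software type, so that type must come from a source the submitter cannot set freely (a category assigned during review, not a field read out of the package); and a type the model does not know is treated as justifying nothing, so any sensitive behavior in such software is refused rather than passed.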
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, in computer software, or in a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are executed in hardware or in software depends on the particular application and the design constraints of the technical scheme. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The specific embodiments described above further explain in detail the object, technical scheme and beneficial effects of the invention. It should be understood that the foregoing are only specific embodiments of the invention and are not intended to limit its scope of protection; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (6)

1. A malware auditing method, characterised in that the method comprises the following steps:
converting first audited software into a recognizable format to obtain second audited software;
auditing the second audited software for malicious behavior according to a malicious behavior feature library, to obtain an audit result; the malicious behavior feature library being a sample library comprising malicious behavior features of known malware and/or user-defined malicious behavior features, the user-defined malicious behavior including illegally obtaining system privileges through a backdoor or a system vulnerability, stealing user data, maliciously deducting fees, downloading or uninstalling software without prompting, and surveillance or monitoring;
when the audit result is that no malicious behavior is present, auditing the second audited software for sensitive behavior according to a sensitive behavior feature library;
when the result of the sensitive behavior audit is that sensitive behavior is present, performing behavior pattern analysis on the second audited software according to a software behavior model; the software behavior model being a model that analyses software behavior from the type, purpose, programming language, running environment and running privileges of existing software;
when the result of the behavior pattern analysis is that the behavior is unreasonable, judging the first audited software to be malware.
2. The malware auditing method according to claim 1, characterised in that the method further comprises: when the audit result is that malicious behavior is present, judging the first audited software to be malware.
3. The malware auditing method according to claim 1, characterised in that the method further comprises: when the result of the sensitive behavior audit is that no sensitive behavior is present, judging the first audited software to be non-malicious software.
4. The malware auditing method according to claim 1, characterised in that the method further comprises: when the result of the behavior pattern analysis is that the behavior is reasonable, judging the first audited software to be non-malicious software.
5. The malware auditing method according to claim 1, characterised in that the sensitive behavior feature library is a sample library comprising sensitive behavior features of known malware and/or user-defined sensitive behavior features.
6. A malware auditing system, characterised in that the system comprises:
a format conversion module, for converting first audited software into a recognizable format to obtain second audited software;
a malicious behavior auditing module, for auditing the second audited software for malicious behavior according to a malicious behavior feature library, to obtain an audit result; the malicious behavior feature library being a sample library comprising malicious behavior features of known malware and/or user-defined malicious behavior features, the user-defined malicious behavior including illegally obtaining system privileges through a backdoor or a system vulnerability, stealing user data, maliciously deducting fees, downloading or uninstalling software without prompting, and surveillance or monitoring;
a sensitive behavior auditing module, for auditing the second audited software for sensitive behavior according to a sensitive behavior feature library when the audit result is that no malicious behavior is present;
a behavior pattern analysis module, for performing behavior pattern analysis on the second audited software according to a software behavior model when the result of the sensitive behavior audit is that sensitive behavior is present; the software behavior model being a model that analyses software behavior from the type, purpose, programming language, running environment and running privileges of existing software;
and, when the result of the behavior pattern analysis is that the behavior is unreasonable, the first audited software is judged to be malware.

Publications (2)

Publication Number Publication Date
CN103942494A (en) 2014-07-23
CN103942494B (en) 2017-01-18

Priority and family

Application CN201410129211.5A, filed 2014-04-01 (priority date 2014-04-01), family ID 51190161, country CN; granted as CN103942494B (en), Expired - Fee Related.

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108549813A (en) * 2018-03-02 2018-09-18 彭根 Discrimination method, device, processor and storage medium
CN111046386B (en) * 2019-12-05 2020-11-20 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting program third-party library and performing security evaluation
CN116881962A (en) * 2023-07-12 2023-10-13 上海隽钰网络工程有限公司 Security monitoring system, method, device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373502A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Automatic analysis system of virus behavior based on Win32 platform
US7971255B1 (en) * 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
康文丹 et al., "基于行为的移动智能终端恶意软件自动化" (behavior-based mobile intelligent terminal malware automation; title as extracted), 信息网络安全 (Netinfo Security), no. 12, 2013, pp. 48-50 *

Legal Events

Code Title
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01 Grant of patent or utility model
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2017-01-18

Termination date: 2020-04-01