The present disclosure relates to the field of the mobile device technology, and in particular, to a security detection method and system.
With the development of smart phone technology, more and more App application programs are being developed for smart phones. However, many existing Apps carry potential security risks during use, e.g., unauthorized charging, traffic consumption, and theft of private information such as SMS messages, the address book, or geographic location. The existing technologies for detecting whether Apps are safe cannot meet the requirements of App security.
In view of this, the object of the present disclosure is to provide a security detection method and system, so as to solve a technical problem that a malicious application program cannot be rapidly found from a great number of App applications. Moreover, the present disclosure may solve technical problems of performing risk assessment on application programs and grading a risk.
Therefore, the present disclosure provides a security detection method, which comprises steps of:
According to the above method, wherein the security scanning scans the code of the application program by means of a high risk detection logic to detect the high risk application program.
The high risk detection logic is an approach of performing security detection on the application program by utilizing a high risk feature code library.
According to the above method, wherein the step (b) further comprises:
According to the above method, wherein the step (b2) comprises:
According to the above method, wherein the step (c) further comprises:
According to the above method, wherein the moderate risk detection logic is an approach of performing security detection on the application program by utilizing a risk feature library.
According to the above method, wherein the suspicious behavior detection logic is an approach of performing security detection on the application program by utilizing a suspicious behavior rule library.
The present disclosure further provides a security detection system, the system comprising:
According to the above method, wherein the vulnerability detection module comprises:
According to the above method, wherein the analysis module comprises:
According to the above method, wherein the flow analysis sub-module comprises:
According to the above method, wherein the detection determining module comprises:
According to the above system, wherein the moderate risk detection logic is an approach of performing a security detection on the application program by utilizing a risk feature library.
According to the above system, wherein the suspicious behavior detection logic is an approach of performing a security detection on the application program by utilizing a suspicious behavior rule library.
With the security detection method and system provided in accordance with embodiments of the present disclosure, a malicious application program can be rapidly found from a great number of application programs and a risk level of the application program can be provided, so as to enable a user to easily know the risk level of the application program and to avoid using high risk applications, thereby reducing the loss and regulating application markets.
To illustrate embodiments of the present disclosure or solutions of prior art in a clearer manner, brief introductions will be given below with respect to the figures to be used in the descriptions of the embodiments or prior art. It is obvious that the figures in the following descriptions are merely some embodiments of the present disclosure. For one ordinarily skilled in the art, other figures may be derived, without any inventive efforts, from these figures in which:
To present the objects, solutions, and advantages of the embodiments of the present disclosure in a clearer manner, detailed descriptions of the embodiments of the present disclosure will be further given below in conjunction with the figures. Here, the illustrative embodiments of the present disclosure and the description thereof are given for the purpose of illustration only, not for the purpose of limitation.
Referring to
According to the embodiment of the present disclosure, the application program may be any application program on a mobile device, including, but not limited to, a mobile phone, a tablet computer, etc. In terms of its security level, the application program may be a high risk application program, a moderate risk application program, a suspicious application program, or a normal application program.
In an embodiment of the present disclosure, detailed descriptions will be made by taking an application program on an Android-based smart phone as an example.
When it is needed to determine a security level of any application program, the method according to the embodiment of the present disclosure may be described with reference to
At step S210, security scanning is performed on code of the application program to detect whether it is a high risk application program or not.
The security scanning scans the code of the application program by means of a high risk detection logic to detect the high risk application program. The high risk detection logic is an approach of performing security detection on the application program by utilizing a high risk feature code library.
In practical application, the high risk feature code library may include, but is not limited to, feature codes extracted from known vulnerability-exploiting programs. For example, a feature code may be a prompt character string, e.g., “abcd”, emitted while the vulnerability-exploiting program executes. Whether that character string is present in the application program may be determined by comparison, so as to determine that the application program is of a high risk.
At step S220, if the application program is of a high risk, the application program may be marked as a high risk application program, and then a detection result is generated.
At step S230, if the application program is not of a high risk, the code of the application program is analyzed to generate an analysis result.
In this embodiment, the static analysis technology is usually employed to analyze the code of the application program, which is described in detail by referring to
At step S310, the code of the application program is pre-processed to extract binary code from the code, and the binary code is converted into an intermediate code representation.
At step S320, the binary code is converted into an intermediate code representation.
In the practical application, the conversion of the binary code into an intermediate code representation is usually done by conversion and optimization technology.
In an Android application program, a Dalvik bytecode is firstly extracted from the application program and then converted into a Java bytecode, which is finally converted into an intermediate code representation.
At step S330, control flow analysis and data flow analysis are performed based on the intermediate code representation, and then an analysis result is generated.
In the practical application, the analysis result may include a function call graph, which is constructed based on the intermediate code representation. First of all, the function call graph may be obtained by performing control flow analysis based on the intermediate code representation. However, the function call graph is not entirely accurate.
Thereafter, the function call graph may be corrected by performing further control flow analysis on the intermediate code representation in connection with data flow analysis. The operation may be repeatedly performed until an accurate function call graph is reached. The function call graph can accurately express mutual call relationships among respective functions in the code of the application program.
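To make the two-pass construction concrete, the following is an added Python example, not the disclosure's own code: it builds a call graph from a constructed toy intermediate representation. A first pass records only the direct calls visible from control flow; a data-flow pass then tracks which function references each register may hold (including values returned by callees) and resolves indirect calls, and the pass is repeated until the graph stops changing. The IR opcodes, function names and register names are assumptions constructed for this example.

```python
# Constructed toy intermediate representation (an assumption for this example,
# not the disclosure's own format). Each function maps to a list of instructions:
#   ("call", target)          direct call
#   ("call_ret", dst, target) direct call whose return value lands in register dst
#   ("load", reg, fn)         reg = reference to function fn
#   ("move", dst, src)        dst = src
#   ("ret", reg)              return the function reference held in reg
#   ("icall", reg)            indirect call through the reference held in reg
IR = {
    "Run":     [("call", "a"), ("call_ret", "r1", "pick"), ("icall", "r1")],
    "pick":    [("load", "r0", "SendSMS"), ("move", "r2", "r0"), ("ret", "r2")],
    "a":       [("call", "b")],
    "b":       [],
    "SendSMS": [],
}


def control_flow_call_graph(ir):
    """First pass: only direct call targets are visible from control flow alone."""
    graph = {fn: set() for fn in ir}
    for fn, insns in ir.items():
        for insn in insns:
            if insn[0] == "call":
                graph[fn].add(insn[1])
            elif insn[0] == "call_ret":
                graph[fn].add(insn[2])
    return graph


def refine_with_data_flow(ir, graph, summaries):
    """One data-flow pass: track which function references each register may
    hold, record what each function may return (summaries), and add call-graph
    edges for indirect calls. Returns True if anything changed."""
    changed = False
    for fn, insns in ir.items():
        regs = {}  # register -> set of function names it may reference
        for insn in insns:
            op = insn[0]
            if op == "load":
                regs[insn[1]] = {insn[2]}
            elif op == "move":
                regs[insn[1]] = set(regs.get(insn[2], set()))
            elif op == "call_ret":
                # The callee's return summary may still be incomplete in this
                # pass; a later pass picks up whatever it learns.
                regs[insn[1]] = set(summaries[insn[2]])
            elif op == "ret":
                new = regs.get(insn[1], set()) - summaries[fn]
                if new:
                    summaries[fn] |= new
                    changed = True
            elif op == "icall":
                new = regs.get(insn[1], set()) - graph[fn]
                if new:
                    graph[fn] |= new
                    changed = True
    return changed


def build_call_graph(ir):
    """Control-flow pass, then repeated data-flow correction until a fixpoint.
    Returns the graph (dict fn -> set of callees) and the number of passes run."""
    graph = control_flow_call_graph(ir)
    summaries = {fn: set() for fn in ir}
    passes = 0
    while True:
        passes += 1
        if not refine_with_data_flow(ir, graph, summaries):
            return graph, passes


if __name__ == "__main__":
    before = control_flow_call_graph(IR)
    after, passes = build_call_graph(IR)
    print("control flow only:", {k: sorted(v) for k, v in before.items()})
    print("after %d data-flow passes:" % passes, {k: sorted(v) for k, v in after.items()})
```

With this input the control-flow pass alone reports that `Run` calls only `a` and `pick`; the edge from `Run` to `SendSMS` through the indirect call only appears on the second data-flow pass, after the first pass has learned that `pick` returns a reference to `SendSMS`, which is exactly why the correction has to be repeated until nothing changes.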
At step S240, moderate risk detection determining is performed on the application program based on the analysis result.
Moderate risk detection determining is performed on the application program by means of a moderate risk detection logic. The moderate risk detection logic is an approach of performing security detection on the application program by utilizing a risk feature library.
In practical application, the risk feature library may include, but is not limited to, features extracted from the execution paths of known risky code. For example, a feature may be the execution path “Run, a, b, SendSMS” through the code of the application program. After executing this path, the application program would automatically send an SMS message, which may incur communication fees for the user. Whether the application program is a moderate risk application program may be determined by comparing the execution path of “Thread Run” in the application program with the features in the library. If the execution path of the thread is the same as any feature in the feature library, the application program may be determined to be a moderate risk application program.
In an Android application program, a moderate risk may include, but not limited to:
At step S250, if a moderate risk is detected, the application program is marked as a moderate risk application program, and then a detection determining result is generated.
At step S260, if there is no moderate risk detected, suspicious behavior detection determining is performed on the application program.
The detection determining may be performed on the application program by means of a suspicious behavior detection logic. The suspicious behavior detection logic is an approach of performing a security detection on the application program by utilizing a suspicious behavior rule library.
In the practical application, the suspicious behavior rule library may include, but not limited to, a suspicious behavior function call library extracted based on characteristics of the existing malicious programs.
In an Android application program, the suspicious behavior may include, but not limited to:
At step S270, if a suspicious behavior is detected, the application program is marked as a suspicious application program, and then a detection determining result is generated.
At step S280, if no suspicious behavior is detected, the application program is marked as a normal application program, and a detection determining result is generated.
At step S290, the detection result or the detection determining result is stored to form security level data.
With the above steps, malicious code can be rapidly found among massive numbers of Android applications. A risk level library for Apps may be created from the security level data, so as to enable a user to easily know an App's risk level, thereby regulating App markets and providing a reference for local or cloud-based online virus scanning and removal.
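The tiered procedure of steps S210 to S290 taken as a whole, as an added Python example that is not part of the disclosure: the high risk feature code library, the risk feature path library and the suspicious behavior rule library are constructed placeholders (the “abcd” string and the “Run, a, b, SendSMS” path are the ones named in the text above; the suspicious API names are hypothetical), and each sample application is a constructed dict holding its code bytes and the call graph that the static analysis of step S230 would have produced.

```python
# Constructed detection libraries (assumptions for this example). The "abcd"
# prompt string and the "Run, a, b, SendSMS" path are the ones named in the
# text; the suspicious API names are hypothetical stand-ins.
HIGH_RISK_FEATURE_CODES = [b"abcd"]
RISK_FEATURE_PATHS = [("Run", "a", "b", "SendSMS")]
SUSPICIOUS_CALL_RULES = {"getDeviceId", "getLine1Number"}


def scan_high_risk(code, features=HIGH_RISK_FEATURE_CODES):
    """Step S210: compare the raw code against the high risk feature code library."""
    return [f for f in features if f in code]


def execution_paths(call_graph, entry="Run", limit=64):
    """Step S240 helper: enumerate acyclic call paths from the thread entry.
    Each path is a tuple of function names; 'limit' bounds path explosion."""
    paths = []

    def walk(node, path, seen):
        if len(paths) >= limit:
            return
        callees = [c for c in call_graph.get(node, ()) if c not in seen]
        if not callees:
            paths.append(tuple(path))
            return
        for callee in callees:
            walk(callee, path + [callee], seen | {callee})

    walk(entry, [entry], {entry})
    return paths


def detect_moderate_risk(call_graph, features=RISK_FEATURE_PATHS):
    """Step S240: a thread path identical to any risk feature path means moderate risk."""
    paths = set(execution_paths(call_graph))
    return [p for p in features if p in paths]


def detect_suspicious_behavior(call_graph, rules=SUSPICIOUS_CALL_RULES):
    """Step S260: any call into the suspicious behavior function library."""
    called = set()
    for callees in call_graph.values():
        called.update(callees)
    return sorted(called & rules)


def classify(app):
    """Steps S210..S280 in order; returns (level, evidence)."""
    hits = scan_high_risk(app["code"])
    if hits:
        return "high", hits
    hits = detect_moderate_risk(app["call_graph"])
    if hits:
        return "moderate", hits
    hits = detect_suspicious_behavior(app["call_graph"])
    if hits:
        return "suspicious", hits
    return "normal", []


def security_level_data(apps):
    """Step S290: store the per-application result as security level data."""
    return {name: classify(app)[0] for name, app in apps.items()}


# Constructed sample applications: raw code bytes plus the call graph
# (dict fn -> list of callees) that the static analysis of S230 would yield.
SAMPLE_APPS = {
    "exploit.apk": {"code": b"\x00\x01abcd\x02",
                    "call_graph": {"Run": ["a"], "a": []}},
    "sms.apk":     {"code": b"\x00\x01",
                    "call_graph": {"Run": ["a"], "a": ["b"], "b": ["SendSMS"], "SendSMS": []}},
    "spy.apk":     {"code": b"\x00\x01",
                    "call_graph": {"Run": ["getDeviceId"], "getDeviceId": []}},
    "clean.apk":   {"code": b"\x00\x01",
                    "call_graph": {"Run": ["a"], "a": []}},
}

if __name__ == "__main__":
    for name, level in security_level_data(SAMPLE_APPS).items():
        print(name, level, classify(SAMPLE_APPS[name])[1])
```

The order of the checks matters: a program that matches a high risk feature code is never examined further, so the cheaper byte comparison of S210 runs before the path enumeration of S240, and the suspicious-call check of S260 only sees programs that the two earlier stages have cleared.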
Referring to
Referring to
Referring to
Referring to
Referring to
Preferably, according to an embodiment of the present disclosure, the moderate risk detection logic is an approach of performing a security detection on the application program by utilizing a risk feature library.
Preferably, according to an embodiment of the present disclosure, the suspicious behavior detection logic is an approach of performing a security detection on the application program by utilizing a suspicious behavior rule library.
Moreover, the method according to the present disclosure may be applied in any device requiring security detection, e.g., a mobile terminal (such as a mobile phone, a PDA, a laptop computer, a tablet computer, etc.), a fixed terminal (such as a desktop computer, a workstation, a set-top box, etc.), a network side device (such as an access point, a base station, a radio network controller, etc.), and the like.
Moreover, the respective modules, sub-modules, units and the like comprised by the system according to the present disclosure may be embodied by physical hardware in one or more of the above devices, either alone or in combination. For example, the functions of the above modules and sub-module units may be implemented by a (micro)processor and a storage in the device in combination with a transceiver and similar devices. In the present disclosure, a function described as being implemented by a single module or unit may be implemented by multiple pieces of physical hardware, and a function described as being implemented by multiple modules or units may be implemented by a single piece of hardware. These modifications do not go beyond the scope of the present disclosure and should be covered by the scope of the claims.
Moreover, the method, device or system as described in the present disclosure is not limited to being applied in the Android system as mentioned above. Actually, the method, device or system as described in the present disclosure may be applied in various systems, such as iOS, BlackBerry, WindowsMobile, Symbian or the like.
It should be noted that use of the terms “comprise”, “contain” or any variations thereof does not exclude the presence of elements or steps other than those stated in the disclosure, such that a process, method, item, or device comprising a series of elements not only comprises those elements, but also comprises other elements not listed explicitly, or further comprises elements that are inherent in this process, method, item, or device. Without further limitation, an element defined with the phrase “comprising one . . . ” does not exclude the situation where a process, method, item, or device comprising the element further comprises another element identical to it.
The objects, solutions, and advantages of the present disclosure are further detailed by the above specific embodiments. It should be appreciated that the above descriptions are merely specific embodiments of the present disclosure and not for the purpose of limiting the scope of the present disclosure. Any modification, equivalent substitution, improvement, or the like made within the spirit and principle of the present disclosure should be embraced by the scope of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
201210129377.8 | Apr 2012 | CN | national |
This application is a U.S. National Phase Application of International Application No. PCT/CN2013/072534, filed on Mar. 13, 2013, entitled “SECURITY DETECTION METHOD AND SYSTEM,” which claims priority to Chinese Application No. 201210129377.8, filed on Apr. 28, 2012, both of which are incorporated herein by reference in their entirety.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2013/072534 | 3/13/2013 | WO | 00 |