
Object reference graph-based Android cellphone malicious software detection method

A malware detection technology, applied in computer security devices, instruments, electrical digital data processing, etc., that can solve problems such as the inapplicability of the VF2 algorithm in practice, achieve wide applicability, resist code obfuscation attacks, and reduce system overhead.

Active Publication Date: 2015-08-26
HARBIN INST OF TECH

AI Technical Summary

Problems solved by technology

[0006] The VF2 algorithm used in the detection process of "Research on Android Malicious Code Detection Based on Object Reference Graph" cannot be applied in a real environment, because the running time of the VF2 algorithm increases exponentially with the number of nodes in the ORGB graph. A match for an ordinary graph may take 10 hours, which is unacceptable in an actual application environment.


Specific embodiment 1

[0041] Specific embodiment 1: the Android mobile phone malware detection method based on the object reference graph of this embodiment is carried out according to the following steps:

[0042] Step 1. Run the classified malicious programs separately under the Android platform and extract the corresponding object reference graph ORG from the heap memory of each malicious program; here ORG (Object Reference Graph) is an object reference graph, defined as a pair ORG = (N, E), where N is the set of nodes in the graph, each element of N representing the class of a generated object, and E ⊆ N×N is the set of reference relationships between objects; the objects are the nodes of the ORG graph and the edges represent the reference relationships between objects; ORG is the abbreviation of object reference graph; ORG is a directed graph in which the nodes represent objects and the edges represent the reference relationships between o...
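An added example (not code from the patent or its authors) of the ORG = (N, E) structure defined in step 1 and of the "screening a possible type" step named in the abstract: it builds a class-level ORG from constructed heap records standing in for what an Hprof dump would yield, then screens an unknown program against a known malicious ORG by edge containment. The record format, the class names and the containment screen are all assumptions; the patent's own matching algorithm is not reproduced here.

```python
from collections import namedtuple

# Constructed stand-in for the records a heap dump (Hprof) would yield:
# (object id, class name, ids of the objects it references). Assumed format.
HeapObject = namedtuple("HeapObject", "oid cls refs")

def build_org(objects):
    """Return ORG = (N, E): N is the set of classes, E the set of
    (source class, target class) pairs derived from object references."""
    cls_of = {o.oid: o.cls for o in objects}
    nodes = set(cls_of.values())
    edges = set()
    for o in objects:
        for r in o.refs:
            if r in cls_of:                      # skip dangling references
                edges.add((o.cls, cls_of[r]))
    return nodes, edges

def edge_containment(unknown_org, malicious_org):
    """Fraction of the malicious ORG's edges that also appear in the
    unknown ORG; a cheap screen before any exact subgraph matching."""
    _, eu = unknown_org
    _, em = malicious_org
    if not em:
        return 0.0
    return len(em & eu) / len(em)

def screen(unknown_org, families, threshold=0.8):
    """Names of malicious families whose ORG edges are mostly present."""
    return sorted(name for name, org in families.items()
                  if edge_containment(unknown_org, org) >= threshold)

# Constructed sample heaps (not real malware data).
MAL_HEAP = [HeapObject(1, "SmsReceiver", [2, 3]),
            HeapObject(2, "SmsManager", [4]),
            HeapObject(3, "HttpClient", [4]),
            HeapObject(4, "String", [])]
UNKNOWN_HEAP = [HeapObject(10, "MainActivity", [11]),
                HeapObject(11, "SmsReceiver", [12, 13, 15]),
                HeapObject(12, "SmsManager", [14]),
                HeapObject(13, "HttpClient", [14]),
                HeapObject(14, "String", []),
                HeapObject(15, "SmsReceiver", [12])]   # second instance of a class
BENIGN_HEAP = [HeapObject(20, "MainActivity", [21]),
               HeapObject(21, "TextView", [22]),
               HeapObject(22, "String", [])]

FAMILIES = {"sms_family": build_org(MAL_HEAP)}
```

Because N collapses objects to their classes, two instances of the same class contribute one node, which keeps the transmitted graph far smaller than the raw Hprof file the description complains about.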

Specific embodiment 2

[0061] Specific embodiment 2: this embodiment differs from specific embodiment 1 in that, in step 1, the timing of extracting the corresponding object reference graph ORG from the heap memory of the malicious program is specifically as follows:

[0062] Malicious programs are usually hosted inside normal programs, and the malicious code is executed only under certain trigger conditions; under different trigger conditions the code executed by the malicious program differs, so the ORG graphs obtained in different periods are different, and the timing of extraction must therefore be studied;

[0063] Through analysis of various types of malicious programs, we found that the malicious behavior of a malicious program usually starts, and the ORG is therefore extracted, at the following times:

[0064] (1) It starts together with the host program;

[0065] (2) It starts at system boot;

[0066] (3) It restarts itself after the program is closed;

[0067] (4) It starts under specific trigger condit...

Specific embodiment 3

[0069] Specific embodiment 3: this embodiment differs from specific embodiment 1 or 2 in that, in step 1, the specific process of running the classified malicious programs separately under the Android platform and extracting the corresponding object reference graph ORG from the malicious program's heap memory is as follows:

[0070] The object reference graph ORG is obtained on the Android platform itself; the main reason is that the exported raw heap memory file (Hprof) is too large, with a file size on the order of megabytes; therefore the useful information must be extracted from the raw heap memory file (Hprof) on the Android platform and transmitted to the server, which reduces the amount of transmitted data;

[0071] Obtaining the object reference graph on the Android platform is divided into 3 steps, as shown in figure 1;

[0072] (1) Export the raw heap memory file; the Android SDK provides a feature-rich memor...


Abstract

The invention discloses an object reference graph-based Android cellphone malicious software detection method and relates to Android cellphone malicious software detection. The method solves the following problems: a kernel-level monitoring method requires kernel modification and has a high system detection cost; a sandbox technology that provides only a limited set of system services is easily attacked; a control-flow method is easily defeated by code obfuscation; a method based on establishing dynamic birthmarks from API calls needs many API calls and is of limited use; and the detection efficiency of an ORGB extraction method combined with the VF2 algorithm is low. The method is realized by the following steps: 1, extracting an object reference graph (ORG); 2, obtaining the ORGB of a malicious program; 3, screening the possible type of an unknown program; 4, determining that the unknown program matches a certain type of malicious program. The invention is applied to the field of Android cellphone malicious software detection.

Description

Technical field

[0001] The invention relates to Android mobile phone malicious software detection technology, in particular to an Android mobile phone malicious software detection method based on an object reference graph.

Background technique

[0002] The prior art includes a kernel-level monitoring method that records the system calls and information of an Android program. The Crowdroid system is a classifier based on abnormal behavior detection and adopts a lightweight C/S architecture. Sandbox technology is a new direction for analyzing Android malicious code and leaves much room for research. G. Myles and C. Collberg first proposed dynamic birthmarks, using the complete control flow of a program to identify software at run time. Tamada et al. proposed two methods for establishing dynamic birthmarks based on API function calls. Wang et al. proposed a method for building dynamic birthmarks based on system call ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/56, G06F21/561, G06F21/566, G06F2221/033
Inventor 张伟哲何慧余翔湛李肖强张启振陆亮郭斌程文杰
Owner HARBIN INST OF TECH