Background technique
In recent years, with the decline in smartphone production costs and the rapid development of the mobile Internet, many PC functions have gradually migrated to the mobile phone terminal. Smartphones have become ever more powerful, supporting mobile office work, electronic payment, in-vehicle navigation and so on, and the number of intelligent mobile terminal applications now far exceeds the number of applications on the traditional PC. Compared with the PC, the intelligent terminal is closer to the user and has gradually become an indispensable part of people's work and life. Android and iOS hold the major share of mobile intelligent terminal operating systems.
Compared with application software on iOS, Android application software currently holds an absolute advantage in both the number of applications and the number of users. Because the Android camp adopts an open strategy, as its penetration rate rises it has also become an important target for hackers and malware attacks, and the security of the Android platform cannot be ignored.
Software detection is the most important means of protecting the security of the Android platform. Current intelligent terminal software detection techniques can roughly be divided into static detection and dynamic detection:
Static detection extracts the code segments, API functions, semantic logic and other static properties of a program by means such as decompilation, without running the target software, and performs detection on those properties. Its detection speed is fast and its false alarm rate is low, but its effectiveness depends on how complete the malware signature library is. When the number of malware samples and variants is large, the signature library swells rapidly, occupying more storage space and increasing the complexity of retrieval. It is also easily affected by factors such as program packing (shell adding), cannot cope with malware processed with obfuscation or polymorphic techniques, and cannot detect unknown malware.
Dynamic detection refers to first installing and running the software to be detected on the terminal, then exercising each function of the software and detecting its use of system resources. The observed behaviours may include whether the software connects to the network without authorization, whether it acquires sensitive information such as contacts, whether it sends short message content without prompting, whether it uploads and downloads files without prompting, and other abnormal behaviours, in order to check whether the software steals information, charges fees illegitimately or spreads illegal content. However, dynamic monitoring requires a monitoring program to run continuously on the mobile terminal, which rapidly exhausts resources such as battery power and affects the user experience to a certain extent. On the other hand, it also causes users a certain degree of concern about privacy leakage.
Summary of the invention
The object of the invention is to overcome the shortcomings and defects of the prior art by proposing an Android platform software abnormal behaviour detection system that provides a security guarantee for the software runtime environment on the Android platform.
The technical solution that realizes the object of the invention is:
Combining the characteristics of static detection and dynamic detection, the system uses information such as data analysis, behaviour monitoring and Hook logs to effectively identify abnormal software behaviour, and provides effective query and definition support for that abnormal behaviour, so as to provide a security guarantee for Android intelligent terminals.
Specifically, the Android platform software abnormal behaviour detection system (referred to as the system) is as follows:
The system includes an interconnected Android mobile terminal and a software behaviour monitoring database;
The Android mobile terminal includes a kernel Hook module, a data analysis module and a Hook log module;
The kernel Hook module includes the System_server process, the library libbind.so and the ioctl function, which interact in sequence, and realizes the extraction of kernel hook information;
The data analysis module includes a resource monitoring process, a status monitoring process, a data analysis engine and a data processing process; the resource monitoring process and the status monitoring process each interact with the data analysis engine, and the data analysis engine interacts with the data processing process to define and write abnormal software behaviour;
The ioctl function interacts with the data analysis module to complete data transmission;
The data analysis engine interacts with the Hook log module and the monitoring database respectively, completing the query of software behaviour features and the writing of logs;
The data processing process interacts with the Hook log module and the software behaviour monitoring database respectively, binds software behaviour features, writes software behaviour into the Hook log module, and writes the defined software behaviour into the software behaviour monitoring database.
The present invention has the following advantages and beneficial effects:
1. Advanced: the present invention combines hooking of sensitive APIs with behaviour detection, improving the efficiency of software anomaly detection.
2. Accuracy: more and more malicious apps no longer stay at the application layer, but begin to perform malicious operations at the application framework layer and even the kernel layer; these emerging malware impose new requirements on virus analysis systems. By hooking the sensitive API function interfaces, the malicious operations of app software can be detected.
3. Comprehensiveness: the present invention not only combines the advantages of dynamic detection and static detection, but by hooking the sensitive API interface functions effectively detects the abnormal behaviour of app software and processes that abnormal behaviour; by examining the Hook log or the user behaviour feature database, the user can effectively compile statistics on the operating system behaviour features of the software.
Specific embodiment
The invention is described in detail below with reference to the accompanying drawings and examples:
1. Overall structure
As shown in Fig. 1, the system includes an interconnected Android mobile terminal 100 and a software behaviour monitoring database 200;
The Android mobile terminal 100 includes a kernel Hook module 110, a data analysis module 120 and a Hook log module 130;
The kernel Hook module 110 includes the System_server process 111, the library libbind.so 112 and the ioctl function 113, which interact in sequence, and realizes the extraction of kernel hook information;
The data analysis module 120 includes a resource monitoring process 121, a status monitoring process 122, a data analysis engine 123 and a data processing process 124; the resource monitoring process 121 and the status monitoring process 122 each interact with the data analysis engine 123, and the data analysis engine 123 interacts with the data processing process 124 to define and write abnormal software behaviour;
The ioctl function 113 interacts with the data analysis module 120 to complete data transmission;
The data analysis engine 123 interacts with the Hook log module 130 and the monitoring database 200 respectively, completing the query of software behaviour features and the writing of logs;
The data processing process 124 interacts with the Hook log module 130 and the software behaviour monitoring database 200 respectively, binds software behaviour features, writes software behaviour into the Hook log module 130, and writes the defined software behaviour into the software behaviour monitoring database 200.
2. Functional blocks
1) Android mobile terminal 100
(1) kernel Hook module 110
Workflow of the kernel Hook module 110:
1. Using the ptrace system function, a Shellcode program is injected into the System_server process 111; ptrace provides a way for a parent process to control the operation of a child process and is mainly used to implement debugging breakpoints;
2. Using the ptrace system function, the code in the Shellcode is executed:
Shellcode is actually a segment of code (it may also be padding data) written for a particular vulnerability of the system being exploited, with which higher privileges can be obtained; Shellcode is often sent to the attacked system as data;
3. The Shellcode runs in the System_server process 111; its function is to call the Hook shared library;
4. The Hook shared library hijacks the ioctl function 113 called by the library libbind.so 112 in the System_server process 111, redirects the hijacked data as output to the data analysis module 120 for data parsing, and the processing result is written into the Hook log module 130 and the software behaviour monitoring database 200.
Working mechanism of the kernel Hook module 110:
Recent mobile phone malware no longer rests on application layer operations, but has begun to perform malicious operations at the application framework layer and even the kernel layer, which raises the difficulty of software inspection. The kernel Hook module 110 monitors system processes by hooking the API interfaces of the kernel layer driver functions: using the ptrace system function, a Shellcode program is injected into the System_server process 111; the code in the Shellcode is executed and runs in the System_server process 111, and its function is to call the Hook shared library; the Hook shared library redirects the hijacked data as output to the data analysis module 120 for data parsing, and the processing result is written into the Hook log module 130 and the software behaviour monitoring database 200.
(2) data analysis module 120
Workflow of the data analysis module 120:
1. Receive the data sent by the kernel Hook module 110;
2. The data analysis module 120 classifies and parses the data received in step 1. System resource operations: reading the IMEI or IMSI, sending short messages, making phone calls, reading GPS information, connecting to the camera service and connecting to the recording service; system state operations: reading and writing system database information;
3. The data analysis engine 123 compares the data parsed in step 2 with the permissions of the app in the software behaviour monitoring database 200; after processing, the data are written into the Hook log module 130 and the software behaviour monitoring database 200 by app name, operation time, type, count and content;
4. A behaviour feature database is formed. During the operation of the app software, the data processing process 124 compiles statistics on the software behaviour according to the course of operation and compares the software behaviour data with the software behaviour monitoring database 200; if there is an obvious abnormality within the statistical time, an exception report is generated and written into the Hook log module 130;
5. A behaviour feature database is formed. During the operation of the app software, the data processing process 124 compiles statistics on the software behaviour according to the course of operation and compares the software behaviour data with the software behaviour monitoring database 200; if there is no obvious abnormality within the statistical time, a log report is generated and written into the Hook log module 130.
Working mechanism of the data analysis module 120:
The data analysis module 120 mainly parses the operating system Hook data received for the software. After receiving the data, the data analysis module 120 classifies and parses it into system resource operations and system state operations; system resource operations include reading the IMEI or IMSI, sending short messages, making phone calls, reading GPS information, connecting to the camera service and connecting to the recording service; system state operations include reading and writing system database information. The data analysis engine 123 compares the data with the permissions of the app in the behaviour monitoring database 200, parses them by app name, operation time, type, count and content, and writes the processing result into the Hook log module 130 and the behaviour monitoring database 200. According to the behaviour feature database formed by operation, during the operation of the app software the data processing process 124 compiles statistics on the software behaviour and compares them with the data of the software behaviour monitoring database 200; if there is an obvious abnormality within the statistical time, an exception report is generated and written into the Hook log 130. According to the behaviour feature database formed by operation, during the operation of the app software the data processing process 124 compiles statistics on the software behaviour and compares them with the data of the data analysis module 120; if there is no obvious abnormality within the statistical time, a log report is generated and written into the Hook log 130.
(3) Hook log module 130
Workflow of the Hook log module 130:
The Hook log module 130 mainly selects local logs based on the statistical conclusions reached after the data processing process 124 has finished defining the software behaviour. If the software behaviour is abnormal, an exception report containing the exception information is generated and written into the Hook log module 130; if the software behaviour is normal, a log report containing the software behaviour is generated and written into the Hook log module 130.
Working mechanism of the Hook log module 130:
The Hook log module 130 and the behaviour monitoring database 200 are the system behaviour logging modules. After data processing is completed, they mainly write the data into the database by app name, operation time, type, count and content, and count the number of times and the traffic with which users use a certain protocol in a certain period, for the purposes of security statistics and definition. After definition, if the software behaviour is abnormal, an exception report containing the exception information is generated and written into the Hook log module 130; if the software behaviour is normal, a log report containing the software behaviour is generated and written into the Hook log module 130.
2) software action monitor database 200
Workflow of the software behaviour monitoring database 200:
The software behaviour monitoring database 200 is a database module that mainly completes the storage of data: it writes data into the database by app name, operation time, type, count and content, and counts the number of times and the traffic with which users use a certain protocol in a certain period, in order to achieve the purposes of security statistics and definition.
Working mechanism of the software behaviour monitoring database 200:
It defines the abnormal behaviour of software. When the Android mobile terminal analyzes software behaviour features in conjunction with the Hook log module 130, it provides real-time queries for the database and supports real-time write-back of the processing results of the data analysis module 120.
3. Working principle
1) System principle
The purpose of the system is to obtain software operation information from the Android system and identify the abnormal behaviour of app software.
The kernel Hook module 110 of the Android mobile terminal 100, having obtained permission, injects Shellcode into the System_server process 111 and, by importing the ioctl function 113 from the hooked dynamic link library libbind.so 112, sends the Android system operation information to the data analysis module 120. The application program behaviours monitored by the data analysis module 120 include: reading the IMEI or IMSI, sending short messages, making phone calls, reading or writing the system database, reading GPS information, connecting to the camera service and connecting to the recording service. The system operation information is analyzed and processed by the resource monitoring process 121 and the status monitoring process 122, and is sent to the data analysis engine 123 and the data processing process 124, which, in conjunction with the software behaviour monitoring database 200, process the system state information and write it into the Hook log module 130.
2) Principle of the Android Binder communication mechanism:
As shown in Fig. 2, Android Binder is an inter-process communication mechanism. Each remote service object of the system exists in the form of a Binder, and these Binders have a manager, the ServiceManager; hooking these services therefore starts from the ServiceManager. The Binder mechanism of the Android system is made up of a set of components: Client, Server, Service Manager and the Binder driver, where Client, Server and Service Manager run in user space and the Binder driver runs in kernel space. Binder is the glue that bonds these four components together; the core component is the Binder driver, the Service Manager provides auxiliary management functions, and Client and Server carry out Client-Server communication on the infrastructure provided by the Binder driver and the Service Manager. This mechanism of hooking system services is called Binder Hook, because essentially these service providers are Binder objects present in each process of the system.
(1) Client, Server and Service Manager are implemented in user space, and the Binder driver is implemented in kernel space;
(2) The Binder driver and the Service Manager are already implemented in the Android platform; developers only need to implement their own Client and Server in user space;
(3) The Binder driver provides a device file to interact with user space; Client, Server and Service Manager communicate with the Binder driver through the ioctl file operation function;
(4) Inter-process communication between Client and Server is realized indirectly through the Binder driver;
(5) The Service Manager is a daemon process that manages Servers and provides Clients with the ability to query Server interfaces.