CN104915600B - Android application security risk assessment method and device - Google Patents
- Publication number: CN104915600B (application CN201510370083.8A)
- Authority: CN (China)
- Prior art keywords: impact, malicious, api
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses a method and device for assessing the security risk of an Android application. The method includes: monitoring and counting all API events E that application A calls while running, and recording the total number of API events called by A as n; designating each called API event E_i in turn; computing the probability L(E_i) that A's call to E_i is a malicious call; computing the impact I(E_i) caused when A's call to E_i is a malicious call; computing the expected impact R(E_i) of A calling E_i, then moving on to the next called API event; once every API event in E has been designated, summing the expected impacts R(E_i) of all called API events to obtain the overall risk level R_A of application A; and comparing R_A with a risk threshold R_0 to decide whether the security risk of application A is acceptable.
Description
Technical field
The present invention relates to the field of mobile terminal software security, and in particular to a method and device for assessing the security risk of Android applications.
Background
Android is an open-source operating system based on the Linux platform. It is used in mobile terminals such as smartphones and tablets and has attracted wide attention from device manufacturers and users. With the rapid spread of Android mobile terminals, applications built on the Android operating system have appeared in ever-growing numbers.
However, because of the openness of the Android operating system, developers can freely develop applications for the Android platform and publish them to Android application markets without any security risk check. Some applications access sensitive resources, for example by stealing private data, consuming the user's paid quota, or occupying network traffic; such applications carry a latent risk, and once they are exploited maliciously they cause losses to users.
In the prior art, software security risk research is based on computer software. Android mobile terminals differ from computers in several respects, such as storing large amounts of private information, and the attack methods and effects of malicious Android applications also differ considerably from those on computers (for example, some malicious Android applications deliberately consume network traffic). Security measurement models for computer software are therefore not well suited to assessing the security risk of applications on Android mobile terminals.
There is as yet no effective solution to the lack, in the prior art, of a method for assessing the threat and security risk posed by malicious Android applications.
Summary of the invention
In view of this gap in the prior art, the object of the present invention is to propose a method and device for assessing the security risk of Android applications that can assess Android applications comprehensively and effectively, estimate the security loss an application may cause, and provide a reference for formulating security policies.
Based on the above object, the technical scheme provided by the invention is as follows:
According to one aspect of the present invention, an Android application security risk assessment method is provided, comprising:
in the Android system environment, invoking the Android application A to be assessed, monitoring and counting all API events E called by application A while it runs, and recording the total number of API events called by A as n;
designating each called API event E_i in turn, where i = 1, 2, ..., n;
for the currently designated API event E_i, computing the probability L(E_i) that application A's call to E_i is a malicious call;
for the currently designated API event E_i, computing the impact I(E_i) caused when application A's call to E_i is a malicious call event;
from the probability of a malicious call L(E_i) and the impact of a malicious call I(E_i), computing the expected impact R(E_i) of application A calling E_i, and then designating the next called API event;
once all API events E have been designated, summing the expected impacts R(E_i) of every called API event E_i to obtain the overall risk level R_A of application A, where R_A = Σ_i R(E_i) = Σ_i L(E_i) × I(E_i);
comparing the overall risk level R_A of application A with the risk threshold R_0 to determine whether the security risk of application A is acceptable.
The probability L(E_i) that application A's call to API event E_i is a malicious call is computed as:
where P(E_i | A is a malicious application) is the probability that a malicious application triggers the adverse event E_i of calling a given sensitive API, P(A is a malicious application) is the probability that an application among all applications surveyed is malicious, and P(E_i) is the probability that any application triggers the adverse event E_i of calling that sensitive API.
The impact I(E_i) caused when application A's call to API event E_i is a malicious call event is computed by:
computing the subjectively assessed impact I_S(E_i) of the malicious call;
computing the objectively assessed impact I_O(E_i) of the malicious call;
computing the weight H_i(E_i) of the subjectively assessed impact of the malicious call;
from the subjectively assessed impact I_S(E_i), the objectively assessed impact I_O(E_i) and the weight H_i(E_i) of the subjective assessment, computing the impact I(E_i) of the malicious call:
I(E_i) = H_i(E_i) × I_S(E_i) + W_i(E_i) × I_O(E_i)
where W_i(E_i) = 1 - H_i(E_i).
The subjectively assessed impact I_S(E_i) of the malicious call is computed by:
establishing a subjective impact assessment scale set U, where U = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
requiring each of the m subjective evaluators to score all n called API events in turn, picking for each event, according to their own experience, the corresponding rating value from the elements of U;
building a score matrix Score and writing the ratings into it as follows:
where score_ji is the subjective rating given by the j-th evaluator to the i-th called API event, with 1 ≤ score_ji ≤ 10, 1 ≤ j ≤ m and 1 ≤ i ≤ n;
from the score matrix Score, computing the subjectively assessed impact I_S(E_i) of the i-th called API event as:
The objectively assessed impact I_O(E_i) of the malicious call is computed by:
establishing an objective impact assessment scale set V, where V = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
analysing a large number of application samples and computing, for each API event, the percentage of calls made to it by malicious applications at run time;
defining the quantified adverse impact produced when a malicious application calls each API event;
from the percentage of run-time calls to each API event by malicious applications and the quantified adverse impact of a malicious application calling each API event, computing the probability M(E_i) that a call to each API event by an application is a call by a malicious application;
mapping the probability M(E_i) onto the objective impact assessment scale set V to quantify it as the objectively assessed impact I_O(E_i) of the malicious call.
The weight H_i(E_i) of the subjectively assessed impact of the malicious call is computed by:
normalising the subjectively assessed impact I_S(E_i) of the i-th called API event to obtain the normalised subjective assessment factor p_ji:
where i = 1, 2, ..., n;
building the normalised score matrix Score':
where score'_ji is the normalised subjective rating of the j-th evaluator for the i-th called API event, with 1 ≤ score_ji ≤ 10, 1 ≤ j ≤ m, 1 ≤ i ≤ n, and p_j1 + p_j2 + ... + p_jn = 1;
from the normalised score matrix Score', computing the weight H_i(E_i) of the subjective assessment with the entropy method:
where 0 ≤ H_i(E_i) ≤ 1 and i = 1, 2, ..., n.
According to another aspect of the present invention, an Android application security risk assessment device is provided, comprising:
a monitoring module, which in the Android system environment invokes the Android application A to be assessed, monitors and counts all API events E called by application A while it runs, and records the total number of API events called by A as n;
a call pointer, which designates each called API event E_i in turn, where i = 1, 2, ..., n;
a probability calculation module, which for the currently designated API event E_i computes the probability L(E_i) that application A's call to E_i is a malicious call;
an impact calculation module, which for the currently designated API event E_i computes the impact I(E_i) caused when application A's call to E_i is a malicious call event;
an expectation assessment module, which from the probability of a malicious call L(E_i) and the impact of a malicious call I(E_i) computes the expected impact R(E_i) of application A calling E_i, and then designates the next called API event;
a summation module, which once all API events E have been designated sums the expected impacts R(E_i) of every called API event E_i to obtain the overall risk level R_A of application A, where R_A = Σ_i R(E_i) = Σ_i L(E_i) × I(E_i);
a decision module, which compares the overall risk level R_A of application A with the risk threshold R_0 to determine whether the security risk of application A is acceptable.
The probability calculation module computes the probability L(E_i) that application A's call to API event E_i is a malicious call as:
where P(E_i | A is a malicious application) is the probability that a malicious application triggers the adverse event E_i of calling a given sensitive API, P(A is a malicious application) is the probability that an application among all applications surveyed is malicious, and P(E_i) is the probability that any application triggers the adverse event E_i of calling that sensitive API.
The impact calculation module further comprises a subjective impact calculation module, an objective impact calculation module and a subjective assessment impact weight calculation module. The impact calculation module computes the impact I(E_i) caused when application A's call to API event E_i is a malicious call event as follows:
the subjective impact calculation module computes the subjectively assessed impact I_S(E_i) of the malicious call;
the objective impact calculation module computes the objectively assessed impact I_O(E_i) of the malicious call;
the subjective impact weight calculation module computes the weight H_i(E_i) of the subjectively assessed impact of the malicious call;
the impact calculation module computes the impact I(E_i) of the malicious call from the subjectively assessed impact I_S(E_i), the objectively assessed impact I_O(E_i) and the weight H_i(E_i) of the subjective assessment:
I(E_i) = H_i(E_i) × I_S(E_i) + W_i(E_i) × I_O(E_i)
where W_i(E_i) = 1 - H_i(E_i).
The subjective impact calculation module computes the subjectively assessed impact I_S(E_i) of the malicious call by:
establishing a subjective impact assessment scale set U, where U = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
requiring each of the m subjective evaluators to score all n called API events in turn, picking for each event, according to their own experience, the corresponding rating value from the elements of U;
building a score matrix Score and writing the ratings into it as follows:
where score_ji is the subjective rating given by the j-th evaluator to the i-th called API event, with 1 ≤ score_ji ≤ 10, 1 ≤ j ≤ m and 1 ≤ i ≤ n;
from the score matrix Score, computing the subjectively assessed impact I_S(E_i) of the i-th called API event as:
The objective impact calculation module computes the objectively assessed impact I_O(E_i) of the malicious call by:
establishing an objective impact assessment scale set V, where V = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
analysing a large number of application samples and computing, for each API event, the percentage of calls made to it by malicious applications at run time;
defining the quantified adverse impact produced when a malicious application calls each API event;
from the percentage of run-time calls to each API event by malicious applications and the quantified adverse impact of a malicious application calling each API event, computing the probability M(E_i) that a call to each API event by an application is a call by a malicious application;
mapping the probability M(E_i) onto the objective impact assessment scale set V to quantify it as the objectively assessed impact I_O(E_i) of the malicious call.
The subjective impact weight calculation module computes the weight H_i(E_i) of the subjectively assessed impact of the malicious call by:
normalising the subjectively assessed impact I_S(E_i) of the i-th called API event to obtain the normalised subjective assessment factor p_ji:
where i = 1, 2, ..., n;
building the normalised score matrix Score':
where score'_ji is the normalised subjective rating of the j-th evaluator for the i-th called API event, with 1 ≤ score_ji ≤ 10, 1 ≤ j ≤ m, 1 ≤ i ≤ n, and p_j1 + p_j2 + ... + p_jn = 1;
from the normalised score matrix Score', computing the weight H_i(E_i) of the subjective assessment with the entropy method:
where 0 ≤ H_i(E_i) ≤ 1 and i = 1, 2, ..., n.
As can be seen from the above, the technical scheme provided by the present invention combines subjective and objective assessment to compute the impact of malicious software, and combines that impact with the probability of malicious behaviour to assess the risk loss of an application, filling the current gap in the field of Android application security assessment. At the same time it applies information entropy theory to the assessment of application security risk, avoiding the one-sidedness and limitations of using a purely subjective or purely objective method.
Description of drawings
To explain the technical schemes of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an Android application security risk assessment method according to an embodiment of the present invention;
Fig. 2 is a structural diagram of an Android application security risk assessment device according to an embodiment of the present invention.
Detailed description
To make the objects, technical schemes and advantages of the present invention clearer, the technical schemes in the embodiments of the present invention are described further below, clearly, completely and in detail, with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
According to one embodiment of the present invention, an Android application security risk assessment method is provided.
As shown in Fig. 1, the Android application security risk assessment method provided according to the embodiment of the present invention comprises:
Step S101: in the Android system environment, invoke the Android application A to be assessed, monitor and count all API events E called by application A while it runs, and record the total number of API events called by A as n;
Step S103: designate each called API event E_i in turn, where i = 1, 2, ..., n;
Step S105: for the currently designated API event E_i, compute the probability L(E_i) that application A's call to E_i is a malicious call;
Step S107: for the currently designated API event E_i, compute the impact I(E_i) caused when application A's call to E_i is a malicious call event;
Step S109: from the probability of a malicious call L(E_i) and the impact of a malicious call I(E_i), compute the expected impact R(E_i) of application A calling E_i, and then designate the next called API event;
Step S111: once all API events E have been designated, sum the expected impacts R(E_i) of every called API event E_i to obtain the overall risk level R_A of application A, where R_A = Σ_i R(E_i) = Σ_i L(E_i) × I(E_i);
Step S113: compare the overall risk level R_A of application A with the risk threshold R_0 to determine whether the security risk of application A is acceptable.
The technical scheme adopted by the present invention for assessing the security risk of Android applications is: take the APIs through which the application interacts directly with the Android system as the centre of analysis, compute the risk loss of each API adverse event separately, and from these compute the risk loss of the whole application.
When an application runs in the system it calls the corresponding APIs to perform its intended functions. APIs with sensitive functions are called adverse events E_i, for example the API for sending SMS messages or the API for obtaining the phone number. An application has several adverse events, and each adverse event is considered to occur independently. The overall risk level R_A of the whole application is therefore obtained by computing the expected impact R(E_i) of each adverse event and then weighting and summing them.
The probability L(E_i) that application A's call to API event E_i is a malicious call is computed as:
where P(E_i | A is a malicious application) is the probability that a malicious application triggers the adverse event E_i of calling a given sensitive API, P(A is a malicious application) is the probability that an application among all applications surveyed is malicious, and P(E_i) is the probability that any application triggers the adverse event E_i of calling that sensitive API.
The formula above is a rearranged form of Bayes' formula. Application A is either malicious or benign, and these two events are mutually exclusive. When a sensitive API is called by an application, the caller is always either a malicious application or a benign one. The quantity L(E_i) sought is the probability that application A is malicious given that the sensitive API call event E_i has occurred, which fully satisfies the conditions of Bayes' formula.
The impact I(E_i) caused when application A's call to API event E_i is a malicious call event is computed by:
computing the subjectively assessed impact I_S(E_i) of the malicious call;
computing the objectively assessed impact I_O(E_i) of the malicious call;
computing the weight H_i(E_i) of the subjectively assessed impact of the malicious call;
from the subjectively assessed impact I_S(E_i), the objectively assessed impact I_O(E_i) and the weight H_i(E_i) of the subjective assessment, computing the impact I(E_i) of the malicious call:
I(E_i) = H_i(E_i) × I_S(E_i) + W_i(E_i) × I_O(E_i)
where W_i(E_i) = 1 - H_i(E_i).
The expected impact R(E_i) of an adverse event is determined jointly by its probability L(E_i) and its impact I(E_i). The probability L(E_i) is computed with Bayes' formula. The impact I(E_i) has two parts: the subjectively assessed impact and the objectively assessed impact. The subjectively assessed impact is judged by experts from experience, and the objectively assessed impact is derived from real-world data according to assessment rules; information entropy theory is then used to compute the weights of the subjectively and objectively assessed impacts within I(E_i).
The subjectively assessed impact I_S(E_i) of the malicious call is computed by:
establishing a subjective impact assessment scale set U, where U = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
requiring each of the m subjective evaluators to score all n called API events in turn, picking for each event, according to their own experience, the corresponding rating value from the elements of U;
building a score matrix Score and writing the ratings into it as follows:
where score_ji is the subjective rating given by the j-th evaluator to the i-th called API event, with 1 ≤ score_ji ≤ 10, 1 ≤ j ≤ m and 1 ≤ i ≤ n;
from the score matrix Score, computing the subjectively assessed impact I_S(E_i) of the i-th called API event as:
The subjectively assessed impact I_S determines the impact value of an adverse event from experts' understanding of the event's importance. Among the subjective assessment methods currently studied, the analytic hierarchy process (AHP) is common: it divides the problem into many indicators, which experts or analysts compare pairwise on a 1-9 scale to build a comparative judgement matrix. The 1-9 scale method is unsuitable when the number of indicators is large, yet the number of sensitive API adverse events is comparatively large, so the conventional 1-9 scale method is not well suited to the expert subjective assessment of the present invention. The expert 1-9 scaling of AHP is therefore borrowed and improved.
The subjectively assessed impact of adverse events is computed with an expert scoring mechanism; for uniformity, the range of expert impact scores is changed from 1-9 to 1-10. Because sensitive API adverse events are numerous and some of them carry the same risk impact, the impact scores experts give when assigning subjective values to all sensitive APIs are based entirely on experience, and several identical scores are allowed wherever the expert considers it reasonable. For example, if there are m sensitive APIs and the experts consider that m_1 of them (m_1 < m) have the same risk impact, the experts may give those m_1 sensitive APIs the same risk impact value.
U = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} is the set of expert scores in this embodiment; experts assess from experience the magnitude of the loss that a malicious program calling each adverse event may cause, and assign each event a value from 1 to 10.
At the same time, the objectively assessed impact I_O(E_i) caused by a malicious call is calculated as:
Establish an objective impact assessment scale set V, where V={1,2,3,4,5,6,7,8,9,10};
Analyse a large number of application samples and count, for each API event, the percentage of calls made by malicious applications at run time;
Define the quantified adverse impact produced when a malicious application calls each API event;
From the percentage of calls of each API event made by malicious applications at run time, together with the quantified adverse impact of a malicious application calling that event, compute the probability M(E_i) that a call of the API event by an application is a call by a malicious application;
Map the probability M(E_i) of each API event onto the objective impact assessment scale set V to quantify the objectively assessed impact I_O(E_i) caused by a malicious call.
The objectively assessed impact I_O(E_i) of an adverse event is derived entirely from objective reality: the impact value is determined from information gathered in the real world. The malicious behaviour of malicious applications is usually profit-driven, so, in general, the APIs that earn their authors the most and are called most often also cause the greatest risk impact and loss to users. On that basis, the objective risk impact value of sensitive-API adverse events can be obtained by analysing the API calls of malicious Android applications. The advantage of the objective value is that it rests entirely on observed data, free from human interference, and so yields an objective and impartial evaluation.
The percentage of malicious application samples calling each API can be obtained from a large sample set, and rules defined from it that fix the objective impact of each API adverse event. The rules are as follows, where M is the percentage of malicious applications calling the API:
(1) If M≥90%, define the objective risk impact value I_O(E_i)=10;
(2) If 90%>M≥80%, define the objective risk impact value I_O(E_i)=9;
(3) If 80%>M≥70%, define the objective risk impact value I_O(E_i)=8;
(4) If 70%>M≥60%, define the objective risk impact value I_O(E_i)=7;
(5) If 60%>M≥50%, define the objective risk impact value I_O(E_i)=6;
(6) If 50%>M≥40%, define the objective risk impact value I_O(E_i)=5;
(7) If 40%>M≥30%, define the objective risk impact value I_O(E_i)=4;
(8) If 30%>M≥20%, define the objective risk impact value I_O(E_i)=3;
(9) If 20%>M≥10%, define the objective risk impact value I_O(E_i)=2;
(10) If 10%>M≥0, define the objective risk impact value I_O(E_i)=1;
In this embodiment the objective impact assessment scale set V of API adverse events is set equal to the subjective impact assessment scale set U, so that the two correspond one-to-one. For a given API, the percentage of malicious applications calling it is counted, the rules are consulted to see which band the percentage falls into, and I_O(E_i) is set to the value of that band.
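The objective-impact step above, as an added example that is not part of the patent: it counts, over a constructed corpus of malicious samples, the percentage M of samples calling each API event and maps M onto V through the ten rule bands. The API names and the corpus are hypothetical.

```python
"""Objective impact I_O(E_i) from malicious-sample call statistics.

Added example, not the patent's own code. API names and the sample corpus
are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# The ten bands of the rule list: (lower bound of M in percent, I_O value).
# Bands are checked from the top, so M=90 maps to 10 and M=89.9 maps to 9.
OBJECTIVE_BANDS: List[Tuple[int, int]] = [
    (90, 10), (80, 9), (70, 8), (60, 7), (50, 6),
    (40, 5), (30, 4), (20, 3), (10, 2), (0, 1),
]


def objective_impact(m_percent: float) -> int:
    """Map M, the percentage of malicious samples calling an API, onto V={1..10}."""
    if not 0 <= m_percent <= 100:
        raise ValueError("M must be a percentage in [0, 100]")
    for lower, value in OBJECTIVE_BANDS:
        if m_percent >= lower:
            return value
    return 1  # not reached: the last band starts at 0


def call_percentages(samples: Iterable[Set[str]]) -> Dict[str, float]:
    """Percentage of malicious samples that call each API event at least once.

    Each sample is the set of sensitive API events observed during one run.
    """
    samples = list(samples)
    if not samples:
        raise ValueError("need at least one sample")
    counts = Counter(api for called in samples for api in called)
    return {api: 100.0 * c / len(samples) for api, c in counts.items()}


def objective_impacts(samples: Iterable[Set[str]]) -> Dict[str, int]:
    """I_O(E_i) for every API event seen in the malicious corpus."""
    return {api: objective_impact(m) for api, m in call_percentages(samples).items()}


# Constructed corpus: ten hypothetical malicious samples and the sensitive
# API events each was observed calling (names chosen for illustration only).
MALICIOUS_SAMPLES: List[Set[str]] = [
    {"openConnection", "sendTextMessage", "getDeviceId"},
    {"openConnection", "sendTextMessage", "getDeviceId", "getLastKnownLocation"},
    {"openConnection", "sendTextMessage", "getDeviceId"},
    {"openConnection", "sendTextMessage", "getLastKnownLocation"},
    {"openConnection", "sendTextMessage", "getDeviceId"},
    {"openConnection", "sendTextMessage", "getDeviceId", "getLastKnownLocation"},
    {"openConnection", "sendTextMessage", "getInstalledPackages"},
    {"openConnection", "sendTextMessage", "getDeviceId"},
    {"openConnection", "sendTextMessage", "getDeviceId", "getLastKnownLocation"},
    {"openConnection", "getDeviceId"},
]

if __name__ == "__main__":
    for api, impact in sorted(objective_impacts(MALICIOUS_SAMPLES).items()):
        print(f"{api:24s} I_O = {impact}")
```

Because the bands are closed at the bottom and open at the top, a value sitting exactly on a boundary (M=90) takes the higher band, matching the "≥" in each rule; a sample-set change that moves an API across a boundary changes its I_O by one step, which is the sample-sensitivity the description later points out.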
At the same time, the weight H_i(E_i) of the subjectively assessed impact caused by a malicious call is calculated as:
Normalise the subjectively assessed impact I_S(E_i) of the i-th called API event to obtain the normalised subjective assessment factor p_ji:
where i=1,2,…,n;
Create the normalised scoring matrix Score':
where score'_ji denotes the normalised subjective experience rating of the j-th evaluator for the i-th called API event, with 1≤score_ji≤10, 1≤j≤m, 1≤i≤n, and p_j1+p_j2+…+p_jn=1;
From the normalised scoring matrix Score', calculate the weight H_i(E_i) of the subjectively assessed impact by the entropy method:
where 0≤H_i(E_i)≤1, i=1,2,…,n.
Determining the risk impact value objectively has advantages but also a drawback: it is sensitive to differences in the sample data, which introduces error into the objective assignment. Subjective determination by experts has the drawback of being swayed by subjective factors: evaluators tend to judge importance by their own inclinations and are influenced by personal factors.
To dampen subjective interference and at the same time weaken the error of the objective factors, a combined subjective-objective method is proposed here to determine the risk impact value of application behaviour, that is, the risk impact value of sensitive APIs. First the subjective and objective risk impact values are calculated as described above; then, from the expert scoring matrix, information entropy is used to adjust the proportions of the subjective and objective risk impact values, giving an optimised composite risk impact value.
In the expert scoring matrix Score every element score_ji lies between 1 and 10. Normalising the score_ji data gives the normalised subjective assessment factor p_ji, and clearly p_j1+p_j2+…+p_jn=1, where i=1,2,…,n.
Each column of the processed matrix Score' likewise represents the m experts' assessment of one API's impact value, which in effect reflects the probability of that API being called maliciously. In Score', if the experts' risk impact assignments for an API differ widely, that is, the factors p_j1, p_j2, …, p_jn differ widely, then the experts disagree on the value of the API, their subjective assignment is not very convincing, and its share in the composite risk impact value should be reduced; conversely, if the assignments differ little, the experts largely agree on the value of the API, the data they provide is more convincing and should play a key role in the composite evaluation. The entropy method is therefore used to assess the relative importance of the expert-set subjective risk impact value within the composite risk impact value.
The larger H_i(E_i) is, the larger the experts' contribution to assessing the risk impact value of the i-th API; conversely, the smaller H_i(E_i) is, the smaller their contribution. The weight of the expert-assigned subjective risk impact value within the composite risk impact value is therefore H_i(E_i), and correspondingly the weight of the risk impact value obtained from objective data is:
W_i(E_i)=1-H_i(E_i)
A large W_i(E_i) indicates that the risk loss value obtained from objective data is relatively important and contributes more.
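The entropy weighting and the composite impact I(E_i)=H_i(E_i)×I_S(E_i)+W_i(E_i)×I_O(E_i), as an added example that is not part of the patent. The page does not reproduce the formulas for I_S(E_i) or for the entropy step, so this block makes two labelled assumptions: I_S(E_i) is taken as the mean of the m expert scores, and H_i(E_i) is the normalised Shannon entropy of the scores for event i across the m evaluators (each column of Score scaled to sum to 1), which is 1 when all evaluators agree and shrinks as they diverge, the behaviour the text ascribes to H_i. The scoring matrix and the I_O values are constructed.

```python
"""Composite impact I(E_i) = H_i*I_S + (1-H_i)*I_O with entropy-based weights.

Added example, not the patent's own code. Assumptions (the page omits both
formulas): I_S(E_i) is the mean expert score for event i; H_i(E_i) is the
normalised Shannon entropy of column i of Score across the m evaluators.
"""
import math
from typing import List, Sequence

Matrix = Sequence[Sequence[int]]  # Score[j][i]: evaluator j, API event i


def _check_scores(scores: Matrix) -> None:
    """Every score must lie in U = {1, ..., 10} and all rows must have length n."""
    if not scores or not scores[0]:
        raise ValueError("scoring matrix must be non-empty")
    n = len(scores[0])
    for row in scores:
        if len(row) != n:
            raise ValueError("ragged scoring matrix")
        if any(not (1 <= s <= 10) for s in row):
            raise ValueError("scores must lie in U = {1..10}")


def subjective_impact(scores: Matrix) -> List[float]:
    """I_S(E_i): mean expert score per API event (assumed aggregation)."""
    _check_scores(scores)
    m, n = len(scores), len(scores[0])
    return [sum(scores[j][i] for j in range(m)) / m for i in range(n)]


def subjective_weights(scores: Matrix) -> List[float]:
    """H_i(E_i) in [0, 1]: normalised entropy of column i across the m evaluators."""
    _check_scores(scores)
    m, n = len(scores), len(scores[0])
    if m == 1:
        return [1.0] * n  # a single evaluator cannot disagree with itself
    weights = []
    for i in range(n):
        column = [scores[j][i] for j in range(m)]
        total = sum(column)
        p = [s / total for s in column]              # sums to 1 over evaluators
        entropy = -sum(x * math.log(x) for x in p)   # every p > 0 since scores >= 1
        weights.append(entropy / math.log(m))         # divide by the maximum ln(m)
    return weights


def combined_impact(scores: Matrix, objective: Sequence[int]) -> List[float]:
    """I(E_i) = H_i*I_S(E_i) + W_i*I_O(E_i) with W_i = 1 - H_i, as on the page."""
    i_s = subjective_impact(scores)
    h = subjective_weights(scores)
    if len(objective) != len(i_s):
        raise ValueError("one objective impact per API event is required")
    return [h[i] * i_s[i] + (1.0 - h[i]) * objective[i] for i in range(len(i_s))]


# Constructed example: 3 evaluators (rows) scoring 4 hypothetical API events
# (columns). Event 0 has full agreement, event 3 strong disagreement.
SCORE = [
    [8, 5, 9, 10],
    [8, 6, 7, 1],
    [8, 4, 8, 1],
]
OBJECTIVE = [3, 6, 10, 2]  # constructed I_O(E_i) values

if __name__ == "__main__":
    for i, (h, val) in enumerate(zip(subjective_weights(SCORE),
                                     combined_impact(SCORE, OBJECTIVE))):
        print(f"E_{i}: H_i={h:.3f}  I={val:.3f}")
```

With full agreement (event 0) H_i is 1 and the composite impact equals the expert mean; with the 10/1/1 split of event 3 H_i drops to about 0.52, so nearly half of the composite value comes from the objective I_O instead. Scores are restricted to U, which also guarantees every p is positive and the logarithm is defined.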
According to another embodiment of the present invention, an Android application security risk assessment device is provided.
As shown in Figure 2, the Android application security risk assessment device according to the embodiment of the present invention comprises:
a monitoring module 21, which runs the Android application A under assessment in an Android system environment, monitors and counts all API events E called by application A at run time, and records the total number of API events called by application A at run time as n;
a call pointer 22, which designates each called API event E_i in turn, where i=1,2,…,n;
a probability calculation module 23, which, for the currently designated API event E_i, calculates the probability L(E_i) that application A's call of E_i is a malicious call;
an impact calculation module 24, which, for the currently designated API event E_i, calculates the impact I(E_i) caused by the malicious call when application A's call of E_i is a malicious call event;
an expectation assessment module 25, which, from the probability L(E_i) of a malicious call and the impact I(E_i) it causes, calculates the expected impact R(E_i) of application A calling E_i, and then designates the next called API event;
a summation module 26, which, once every API event E has been designated, sums the expected impacts R(E_i) of all called API events E_i to obtain the overall risk level R_A of application A, where R_A=∑_i R(E_i)=∑_i L(E_i)×I(E_i);
a decision module 27, which compares the overall risk level R_A of application A with the risk threshold R_0 to decide whether the security risk of application A is acceptable.
The probability calculation module calculates the probability L(E_i) that application A's call of API event E_i is a malicious call as:
where P(E_i|A is a malicious application) is the probability that a malicious application calls the sensitive API so that adverse event E_i occurs, P(A is a malicious application) is the probability that one application among all the applications surveyed is malicious, and P(E_i) is the probability that any application calls the sensitive API so that adverse event E_i occurs.
Further, the impact calculation module comprises a subjective impact calculation module, an objective impact calculation module and a subjective-assessment impact weight calculation module; it calculates the impact I(E_i) caused by a malicious call when application A's call of E_i is a malicious call event as follows:
the subjective impact calculation module calculates the subjectively assessed impact I_S(E_i) caused by the malicious call;
the objective impact calculation module calculates the objectively assessed impact I_O(E_i) caused by the malicious call;
the subjective impact weight calculation module calculates the weight H_i(E_i) of the subjectively assessed impact caused by the malicious call;
the impact calculation module then calculates the impact I(E_i) of the malicious call from the subjectively assessed impact I_S(E_i), the objectively assessed impact I_O(E_i) and the weight H_i(E_i) of the subjectively assessed impact:
I(E_i)=H_i(E_i)×I_S(E_i)+W_i(E_i)×I_O(E_i)
where W_i(E_i)=1-H_i(E_i).
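The probability, expectation, summation and decision modules end to end, as an added example that is not part of the patent. L(E_i) is formed from the three probabilities the description names, P(E_i|A is malicious), P(A is malicious) and P(E_i), combined by Bayes' rule; that combination is an assumption, since the page does not reproduce the formula. Corpus counts, the I(E_i) values (as would come out of the composite impact step), the API names and the traces of the assessed applications are all constructed.

```python
"""Overall risk level R_A = sum_i L(E_i) * I(E_i) compared with threshold R_0.

Added example, not the patent's own code. L(E_i) is computed as
P(E_i | A malicious) * P(A malicious) / P(E_i) (Bayes' rule, an assumption).
Corpus counts, I(E_i) values and the application traces are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class CorpusStats:
    """Call statistics over a labelled corpus of applications (constructed)."""
    total_apps: int
    malicious_apps: int
    malicious_calls: Dict[str, int]  # apps that are malicious AND call the API
    all_calls: Dict[str, int]        # apps (any label) that call the API


def malicious_call_probability(stats: CorpusStats, event: str) -> float:
    """L(E_i) = P(E_i | A malicious) * P(A malicious) / P(E_i)."""
    if stats.total_apps <= 0 or not 0 < stats.malicious_apps <= stats.total_apps:
        raise ValueError("inconsistent corpus sizes")
    seen_anywhere = stats.all_calls.get(event, 0)
    if seen_anywhere == 0:
        # P(E_i) = 0: the event never occurred in the corpus, so L is undefined.
        raise ValueError(f"no statistics for API event {event!r}")
    p_event_given_mal = stats.malicious_calls.get(event, 0) / stats.malicious_apps
    p_mal = stats.malicious_apps / stats.total_apps
    p_event = seen_anywhere / stats.total_apps
    return p_event_given_mal * p_mal / p_event


def overall_risk(stats: CorpusStats, impact: Dict[str, float],
                 trace: Sequence[str]) -> float:
    """R_A over the n observed API events of application A.

    Each entry of the trace is one monitored call, so repeated calls of the
    same API contribute once per occurrence, as with the page's count n.
    """
    return sum(malicious_call_probability(stats, e) * impact[e] for e in trace)


def assess(stats: CorpusStats, impact: Dict[str, float],
           trace: Sequence[str], threshold: float) -> Tuple[float, bool]:
    """Return (R_A, acceptable); the risk is acceptable when R_A <= R_0."""
    r_a = overall_risk(stats, impact, trace)
    return r_a, r_a <= threshold


# Constructed corpus of 1000 apps, 200 labelled malicious (hypothetical API names).
STATS = CorpusStats(
    total_apps=1000,
    malicious_apps=200,
    malicious_calls={"sendTextMessage": 150, "getDeviceId": 120, "openConnection": 190},
    all_calls={"sendTextMessage": 250, "getDeviceId": 400, "openConnection": 900},
)
# Constructed I(E_i) values, e.g. produced by the composite subjective/objective step.
IMPACT = {"sendTextMessage": 8.0, "getDeviceId": 6.0, "openConnection": 3.0}
R0 = 5.0  # constructed risk threshold

if __name__ == "__main__":
    for name, trace in [("app A", ["sendTextMessage", "getDeviceId"]),
                        ("app B", ["openConnection"])]:
        r_a, ok = assess(STATS, IMPACT, trace, R0)
        print(f"{name}: R_A = {r_a:.3f} -> {'acceptable' if ok else 'NOT acceptable'}")
```

An API event with no corpus statistics leaves P(E_i) undefined, so the block refuses to score it rather than silently assigning L=0; a deployment would need a policy for previously unseen events (treating them as unknown-risk rather than risk-free). The decision is a plain threshold comparison, so R_0 has to be calibrated on the same corpus the probabilities come from.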
Further, the subjective impact calculation module calculates the subjectively assessed impact I_S(E_i) caused by a malicious call as:
Establish a subjective impact assessment scale set U, where U={1,2,3,4,5,6,7,8,9,10};
All m subjective evaluators are required, in turn, to pick for each of the n called API events the corresponding rating value from the elements of the subjective impact assessment scale set U according to their subjective experience, and to score the event with it;
Create a scoring matrix Score and write the scores into it as follows:
where score_ji denotes the subjective experience rating given by the j-th evaluator to the i-th called API event, with 1≤score_ji≤10, 1≤j≤m, 1≤i≤n;
From the scoring matrix Score, the subjectively assessed impact I_S(E_i) of the i-th called API event is calculated as:
At the same time, the objective impact calculation module calculates the objectively assessed impact I_O(E_i) caused by a malicious call as:
Establish an objective impact assessment scale set V, where V={1,2,3,4,5,6,7,8,9,10};
Analyse a large number of application samples and count, for each API event, the percentage of calls made by malicious applications at run time;
Define the quantified adverse impact produced when a malicious application calls each API event;
From the percentage of calls of each API event made by malicious applications at run time, together with the quantified adverse impact of a malicious application calling that event, compute the probability M(E_i) that a call of the API event by an application is a call by a malicious application;
Map the probability M(E_i) of each API event onto the objective impact assessment scale set V to quantify the objectively assessed impact I_O(E_i) caused by a malicious call.
At the same time, the subjective impact weight calculation module calculates the weight H_i(E_i) of the subjectively assessed impact caused by a malicious call as:
Normalise the subjectively assessed impact I_S(E_i) of the i-th called API event to obtain the normalised subjective assessment factor p_ji:
where i=1,2,…,n;
Create the normalised scoring matrix Score':
where score'_ji denotes the normalised subjective experience rating of the j-th evaluator for the i-th called API event, with 1≤score_ji≤10, 1≤j≤m, 1≤i≤n, and p_j1+p_j2+…+p_jn=1;
From the normalised scoring matrix Score', calculate the weight H_i(E_i) of the subjectively assessed impact by the entropy method:
where 0≤H_i(E_i)≤1, i=1,2,…,n.
In summary, with the technical solution of the present invention described above, the impact of malware is calculated by combining subjective and objective methods and is combined with the probability of malicious behaviour to assess the risk loss of an application, filling a gap in the field of Android application security assessment; at the same time, information entropy theory is applied to the assessment of application security risk, avoiding the one-sidedness and limitations that result from using a purely subjective or purely objective method.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510370083.8A CN104915600B (en) | 2015-04-28 | 2015-06-29 | A kind of Android application securitys methods of risk assessment and device |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2015102088079 | 2015-04-28 | ||
| CN201510208807 | 2015-04-28 | ||
| CN201510370083.8A CN104915600B (en) | 2015-04-28 | 2015-06-29 | A kind of Android application securitys methods of risk assessment and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104915600A CN104915600A (en) | 2015-09-16 |
| CN104915600B true CN104915600B (en) | 2017-11-10 |
Family
ID=54084661
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510370083.8A Active CN104915600B (en) | 2015-04-28 | 2015-06-29 | A kind of Android application securitys methods of risk assessment and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104915600B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110245848A (en) * | 2019-05-31 | 2019-09-17 | 口碑(上海)信息技术有限公司 | The methods of risk assessment and device of program code |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP6319369B2 (en) * | 2016-06-23 | 2018-05-09 | 日本電気株式会社 | PROCESS CONTROL DEVICE, PROCESS CONTROL METHOD, AND PROCESS CONTROL PROGRAM |
| CN107194002B (en) * | 2017-06-14 | 2019-10-18 | 北京邮电大学 | Mobile application influence evaluation method and device |
| CN107679404A (en) * | 2017-08-31 | 2018-02-09 | 百度在线网络技术(北京)有限公司 | Method and apparatus for determining software systems potential risk |
| CN107832609B (en) * | 2017-09-25 | 2020-11-13 | 暨南大学 | Android malicious software detection method and system based on authority characteristics |
| CN110633568B (en) * | 2019-09-19 | 2021-03-30 | 北京广成同泰科技有限公司 | Monitoring system for host and method thereof |
| CN112052139B (en) * | 2020-08-31 | 2022-12-27 | 河南中烟工业有限责任公司 | Application program consumption and quality evaluation system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102279793A (en) * | 2011-08-05 | 2011-12-14 | 清华大学 | Method for measuring dependability of component based on entropy |
| CN103366123A (en) * | 2013-05-07 | 2013-10-23 | 天津大学 | Software risk assessment method based on defect analysis |
| CN104125217A (en) * | 2014-06-30 | 2014-10-29 | 复旦大学 | A real-time risk assessment method for cloud data centers based on host log analysis |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030037063A1 (en) * | 2001-08-10 | 2003-02-20 | Qlinx | Method and system for dynamic risk assessment, risk monitoring, and caseload management |
| US8280833B2 (en) * | 2008-06-12 | 2012-10-02 | Guardian Analytics, Inc. | Fraud detection and analysis |
| US20100094967A1 (en) * | 2008-10-15 | 2010-04-15 | Patentvc Ltd. | Large Scale Distributed Content Delivery Network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104915600A (en) | 2015-09-16 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||