CN108810018A - A mobile application detection cloud platform - Google Patents
- Publication number: CN108810018A (application CN201810763997.4A)
- Authority: CN (China)
- Prior art keywords: module, cloud platform, mobile application, security, mobile
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/302—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/55—Push-based network services
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- Technology Law (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Description
Technical Field
The invention relates to the field of information security, and in particular to a mobile application detection cloud platform.
Background
With the rapid development of the software industry, the scale and complexity of mobile applications grow by the day. While this brings convenience to users, many criminals have also set their sights on the rapid growth of mobile applications, implanting malicious code in them for personal gain and posing a serious threat to the security of users' private information. Most smart terminal users today have dozens or more mobile applications installed on their terminals, and monitoring the security of those applications has become a difficult problem for users. This holds especially for mobile applications used in enterprise management: deliberate sabotage by malicious code, made possible by inadequate security monitoring, can do great harm to individuals and even to the whole enterprise. It is therefore particularly important to study security detection technology for mobile applications and to build a mobile application detection cloud platform that fully protects information security.
Summary of the Invention
In view of this, the object of the present invention is to provide a mobile application detection cloud platform that solves at least the above problems.
A mobile application detection cloud platform comprises a detection cloud platform and a mobile security application front end. The mobile security application front end is installed on the smart terminal of a user or an enterprise, the detection cloud platform is deployed on a distributed computer cluster, and the mobile security application front end connects to the detection cloud platform over a network for data exchange.
The mobile security application front end monitors the mobile applications on the smart terminal, collects mobile application data and sends it to the detection cloud platform for detection, pushes security threat information to the user, and locates and controls threat sources.
The detection cloud platform monitors the security state of smart terminals, audits mobile application source code, evaluates mobile application security, and performs functional testing of mobile applications.
Further, the mobile security application front end comprises a front-end data transceiver module, a mobile application monitoring module, a terminal monitoring module, an information push module and a threat processing module. The mobile application monitoring module, the terminal monitoring module and the information push module are each connected to the front-end data transceiver module, the threat processing module is connected to the mobile application monitoring module, and the front-end data transceiver module is connected to the detection cloud platform through a network.
Further, the detection cloud platform comprises a cloud data transceiver module, a terminal security monitoring module, a threat early-warning module, a functional testing module, a security evaluation module, a source code audit module and a malicious code sample library. The cloud data transceiver module is connected to the threat early-warning module, the source code audit module and the functional testing module; the source code audit module and the functional testing module are each connected to the security evaluation module; the security evaluation module is connected to the terminal security monitoring module; and the malicious code sample library is connected to the source code audit module.
Further, a load balancing module is provided between the cloud data transceiver module and the threat early-warning module, source code audit module and functional testing module.
Further, the malicious code sample library comprises a malicious code signature library and a malicious behavior library. The malicious code signature library stores the signatures (feature codes) that identify malicious code; the malicious behavior library stores the malicious behavior feature information that serves as a basis for judging malicious code.
Further, the signatures include single signatures and composite signatures.
Further, the malicious behavior features include intrusion and infection, malicious self-starting, image hijacking, hiding, remote control of the terminal, stealing private information, destroying user data, and modifying system configuration.
Further, the detection cloud platform is deployed on a distributed computer cluster based on the MapReduce distributed computing framework.
Compared with the prior art, the beneficial effects of the present invention are as follows:
In the mobile application detection cloud platform provided by the invention, the mobile security application front end collects data on the mobile applications installed on the smart terminal and sends it to the detection cloud platform for detection. The detection cloud platform provides terminal security monitoring, source code auditing, functional testing and security evaluation, can push relevant threat intelligence to users of the mobile security application front end, and locates and controls threat sources, so that the security of mobile applications and user data is fully protected. Because the platform is based on the MapReduce distributed computing framework, it can process large-scale data sets in parallel.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only preferred embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the overall structure of the mobile application detection cloud platform according to an embodiment of the present invention.
Fig. 2 is a schematic flow diagram of the operation of the mobile application monitoring module according to an embodiment of the present invention.
In the figures, 1 is the detection cloud platform, 2 is the mobile security application front end, 11 is the cloud data transceiver module, 12 is the terminal security monitoring module, 13 is the threat early-warning module, 14 is the functional testing module, 15 is the security evaluation module, 16 is the source code audit module, 17 is the malicious code sample library, 21 is the front-end data transceiver module, 22 is the mobile application monitoring module, 23 is the terminal monitoring module, 24 is the information push module, and 25 is the threat processing module.
Detailed Description
The principles and features of the present invention are described below with reference to the drawings. The embodiments given serve only to explain the invention and do not limit its scope.
Referring to Fig. 1, the present invention provides a mobile application detection cloud platform that consists mainly of two parts: the mobile security application front end 2, installed on the smart terminal of a user or an enterprise, and the detection cloud platform 1, deployed on a distributed computer cluster. The mobile security application front end 2 monitors the mobile applications on the smart terminal, collects mobile application data and sends it to the detection cloud platform 1 for detection, pushes security threat information to the user, and locates and controls threat sources. The detection cloud platform 1 monitors the security state of smart terminals, audits mobile application source code, evaluates mobile application security, and performs functional testing of mobile applications.
The mobile security application front end 2 comprises a front-end data transceiver module 21, a mobile application monitoring module 22, a terminal monitoring module 23, an information push module 24 and a threat processing module 25. The mobile application monitoring module 22, the terminal monitoring module 23 and the information push module 24 are each connected to the front-end data transceiver module 21, the threat processing module 25 is connected to the mobile application monitoring module 22, and the front-end data transceiver module 21 is connected to the detection cloud platform 2 through a network.
Specifically, the front-end data transceiver module 21 receives, sends and processes the data streams exchanged between the mobile security application front end 2 and the detection cloud platform 1.
The mobile application monitoring module 22 monitors the security of the mobile applications installed on the smart terminal. Referring to Fig. 2, this monitoring covers both detection of the mobile application's source code and monitoring of the application's suspicious behavior. The mobile application monitoring module 22 searches for all mobile applications on the smart terminal and traverses and parses all data files of each one. Once parsing is complete, it sends all the parsed mobile application data files through the front-end data transceiver module 21 to the detection cloud platform 2 for malicious code detection. In addition, while a mobile application is running, the mobile application monitoring module 22 records the application's operation behavior and sends the operation behavior records through the front-end data transceiver module 21 to the detection cloud platform 2 for malicious behavior matching. If a malicious behavior matches, the application may contain malicious code; the mobile application monitoring module 22 then parses that application and sends its data files to the detection cloud platform 2 for malicious code detection, to determine the exact location of the malicious code. By sending the source code files and operation behavior records of the monitored applications to the detection cloud platform 2 for detection, the mobile application monitoring module 22 determines whether an application contains malicious code, so that further damage by the malicious code is avoided and the data security of the smart terminal is protected.
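The behavior-matching path described above, as an added example that is not part of the patent text: operation records are matched against a behavior library, and every application with a match is queued for code detection. The record format, the rule conditions and the package names are assumptions constructed for illustration; only the two category names come from the page.

```python
"""Behavior-record triage: match records against a behavior library (constructed data)."""
import re
from collections import defaultdict
from typing import NamedTuple


class Record(NamedTuple):
    ts: int        # epoch seconds
    app: str       # package name
    action: str
    detail: str


# Assumed record format (the page defines none): <ts> <package> <action> <detail>
# Constructed sample; 203.0.113.7 is a documentation-range address.
LOG = """\
1000 com.example.notes file_write /sdcard/notes/a.txt
1003 com.example.torch register_receiver BOOT_COMPLETED
1004 com.example.torch read_provider content://contacts
1009 com.example.torch net_send 203.0.113.7:8080
1012 com.example.chat read_provider content://contacts
bad line without enough fields
1020 com.example.chat net_send chat.example.com:443
1031 com.example.alarm register_receiver BOOT_COMPLETED
"""

# Assumed behavior library: category -> conditions that must ALL be seen for one app.
# Each condition is (action, regex on the detail field).
RULES = {
    "malicious self-starting": [
        ("register_receiver", r"^BOOT_COMPLETED$"),
    ],
    "stealing private information": [
        ("read_provider", r"contacts|sms"),
        ("net_send", r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$"),  # upload to a bare IP address
    ],
}


def parse(log):
    """Return (records, malformed_count); malformed lines are counted, not hidden."""
    records, malformed = [], 0
    for line in log.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4 or not fields[0].isdigit():
            malformed += 1
            continue
        records.append(Record(int(fields[0]), *fields[1:]))
    return records, malformed


def match_behaviors(records, rules):
    """Map app -> {category: evidence records} for every rule whose conditions all hit."""
    by_app = defaultdict(list)
    for rec in records:
        by_app[rec.app].append(rec)
    matches = {}
    for app, recs in by_app.items():
        for category, conditions in rules.items():
            evidence = []
            for action, pattern in conditions:
                hit = next((r for r in recs
                            if r.action == action and re.search(pattern, r.detail)), None)
                if hit is None:
                    break                      # one condition missing: rule does not match
                evidence.append(hit)
            else:
                matches.setdefault(app, {})[category] = evidence
    return matches


def escalation_queue(matches):
    """Apps to parse and submit for code detection, most matched categories first."""
    return sorted(matches, key=lambda app: (-len(matches[app]), app))


if __name__ == "__main__":
    records, malformed = parse(LOG)
    found = match_behaviors(records, RULES)
    print(f"{len(records)} records, {malformed} malformed")
    for app in escalation_queue(found):
        print(app, "->", sorted(found[app]))
```

A behavior match here is only a trigger: the alarm application is queued because it registers a boot receiver, and it is the later code detection step that decides whether anything malicious is present.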
The terminal monitoring module 23 monitors the system running state of the smart terminal. When the mobile application monitoring module 22 detects malicious code, the terminal monitoring module 23 can send the real-time running state of the smart terminal system to the detection cloud platform 2, so that back-end staff can collect system running state information and summarize the runtime characteristics of the malicious code, providing a basis for judging malicious code from the system running state. The system running state includes the current values of the registers, current process information, an image of the relevant memory, and the network data flow over a recent period.
The information push module 24 presents to the user, through a visual interface, the security threat intelligence sent by the detection cloud platform 1 to the front-end data transceiver module 21, helping the user take preventive measures based on the threat intelligence and the corresponding remediation suggestions and so improve the security of the smart terminal.
The threat processing module 25 locates malicious code and controls and handles it. After the mobile application monitoring module 22 detects malicious code, it sends the specific file path, location information and related characteristics of the malicious code to the threat processing module 25, which presents them to the user through a visual interface. The user can also use the threat processing module 25 to delete the malicious code data, uninstall the mobile application containing the malicious code, and perform similar operations that remove the security threat to the smart terminal.
The detection cloud platform 1 comprises a cloud data transceiver module 11, a terminal security monitoring module 12, a threat early-warning module 13, a functional testing module 14, a security evaluation module 15, a source code audit module 16 and a malicious code sample library 17. The cloud data transceiver module 11 is connected to the threat early-warning module 13, the source code audit module 16 and the functional testing module 14; the source code audit module 16 and the functional testing module 14 are each connected to the security evaluation module 15; the security evaluation module 15 is connected to the terminal security monitoring module 12; and the malicious code sample library 17 is connected to the source code audit module 16.
Specifically, the cloud data transceiver module 11 receives, sends and processes the data streams exchanged between the detection cloud platform 1 and the mobile security application front end 2.
The threat early-warning module 13 collects network threat information and pushes relevant threat intelligence to back-end staff or smart terminal users. The threat intelligence includes network threat information and the malicious code threat information already recorded in the detection cloud platform 1.
The functional testing module 14 performs functional testing on mobile applications to check whether their functions work normally. Back-end staff enter the written mobile application test cases into the functional testing module 14 and specify the mobile application to be tested. The functional testing module 14 then tests the specified application automatically against the test cases, records the application's output, and sends the output to the security evaluation module 15.
The source code audit module 16 audits mobile application source code to detect whether it contains malicious code. The source code audit module 16 is connected to the malicious code sample library 17, which stores the malicious code feature data used as the basis for judging malicious code. Through the cloud data transceiver module 11, the source code audit module 16 receives the parsed mobile application data files sent by the mobile application monitoring module 22, audits the file contents and matches them against the malicious code feature data. If a match succeeds, the mobile application contains malicious code: the source code audit module 16 records the exact location of the malicious code, retrieves the characteristics of the corresponding malicious code from the malicious code sample library 17, and sends both to the security evaluation module 15. If nothing has matched by the time the audit is complete, the mobile application contains no malicious code, and the source code audit module 16 outputs a result of no malicious code found to the security evaluation module 15.
The malicious code sample library 17 comprises a malicious code signature library and a malicious behavior library. The malicious code signature library stores signatures (feature codes) that identify malicious code. A signature is a character string extracted from a malicious code sample and used as a basis for judging malicious code; signatures are either single or composite. A single signature is one contiguous character string extracted from a malicious code sample. It is small, easy to maintain and highly targeted, but prone to false positives. A composite signature uses several non-contiguous character strings extracted from a malicious code sample as the signature, which effectively prevents false positives. The malicious behavior library stores the malicious behavior feature information used as a basis for judging malicious code. The malicious behaviors include intrusion and infection, malicious self-starting, image hijacking, hiding, remote control of the terminal, stealing private information, destroying user data, modifying system configuration, and so on.
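The trade-off between single and composite signatures (feature codes), as an added example that is not part of the patent text: a single signature is one contiguous byte string, while a composite signature here requires several strings to occur in order, and the scanner reports the offset of each part as the recorded location. The signature contents, file contents, package names, the in-order requirement and the `max_span` window are assumptions constructed for illustration, not entries from any real signature library.

```python
"""Single vs. composite signature matching over parsed application files."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    parts: tuple                     # one byte string = single, several = composite
    max_span: Optional[int] = None   # assumption: all parts must fit in this many bytes


@dataclass(frozen=True)
class Finding:
    signature: str
    path: str
    offsets: tuple                   # byte offset of each matched part


def match(sig, data):
    """Return the offset of every part (matched in order), or None on a miss."""
    first = sig.parts[0]
    start = data.find(first)
    while start != -1:
        offsets, cursor = [start], start + len(first)
        for part in sig.parts[1:]:
            pos = data.find(part, cursor)
            if pos == -1:
                return None          # absent after this anchor, so absent after later ones
            offsets.append(pos)
            cursor = pos + len(part)
        if sig.max_span is None or cursor - start <= sig.max_span:
            return tuple(offsets)
        start = data.find(first, start + 1)   # parts too far apart: try the next anchor
    return None


# Constructed library for illustration; these are not real malware signatures.
LIBRARY = [
    Signature("single:sms-send", (b"sendTextMessage",)),
    Signature("composite:sms-send-then-abort",
              (b"sendTextMessage", b"abortBroadcast"), max_span=64),
]

# Constructed byte strings standing in for parsed application data files.
FILES = {
    # Ordinary messaging code: contains the single signature only.
    "com.example.chat/classes.dex":
        b"\x00ui.Compose\x00SmsManager.sendTextMessage\x00ui.Done\x00",
    # Both strings close together: the composite signature applies.
    "com.example.torch/classes.dex":
        b"\x00Torch.on\x00sendTextMessage\x00abortBroadcast\x00",
    # Both strings present but 200 bytes apart: outside the assumed window.
    "com.example.backup/classes.dex":
        b"sendTextMessage" + b"\x00" * 200 + b"abortBroadcast",
}


def scan(files, library):
    """Match every signature against every file and return the recorded locations."""
    findings = []
    for path in sorted(files):
        for sig in library:
            offsets = match(sig, files[path])
            if offsets is not None:
                findings.append(Finding(sig.name, path, offsets))
    return findings


if __name__ == "__main__":
    for f in scan(FILES, LIBRARY):
        print(f"{f.path}: {f.signature} at offsets {f.offsets}")
```

The single signature fires on all three files, including the ordinary messaging application; the composite signature fires only on the file where both strings occur together.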
The security evaluation module 15 evaluates the security performance of the mobile application and the security level of the smart terminal from the test results of the functional testing module 14 and the audit results of the source code audit module 16. The specific evaluation criteria are set by developers according to actual conditions. The evaluation results are sent by the cloud data transceiver module 11 over the network to the mobile security application front end for the user to view. The security evaluation module 15 also sends the evaluation data to the terminal security monitoring module 12.
The terminal security monitoring module 12 monitors the security level and mobile application information of each smart terminal. Through it, back-end staff can see the security information of all smart terminals, which gives them a basis for taking measures to improve information security.
Specifically, the detection cloud platform 1 is deployed on a distributed computer cluster based on the MapReduce distributed computing framework. MapReduce is a framework for parallel processing of large-scale data sets. The detection cloud platform 1 may face data processing requests from many mobile security application front ends 2 at the same time, which is a major challenge for its parallel computing capability. With the MapReduce distributed computing framework, the detection cloud platform 1 can be deployed on a distributed computer cluster of ordinary commodity servers; the framework parallelizes computing tasks automatically, partitions the data and tasks automatically, and assigns and executes tasks on the cluster nodes and collects the results automatically. This greatly reduces the burden on development and operations staff and increases the parallel computing capability of the detection cloud platform 1.
A load balancing module is provided between the cloud data transceiver module 11 and the threat early-warning module 13, source code audit module 16 and functional testing module 14. The load balancing module schedules computing tasks according to the data processing requests received by the cloud data transceiver module 11 and the idle state of the compute nodes in the distributed computer cluster, further strengthening the data processing capability of the detection cloud platform 1 and making business processing more flexible.
The above are only preferred embodiments of the present invention and do not limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810763997.4A CN108810018A (en) | 2018-07-12 | 2018-07-12 | A mobile application detection cloud platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810763997.4A CN108810018A (en) | 2018-07-12 | 2018-07-12 | A mobile application detection cloud platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108810018A (en) | 2018-11-13 |
Family
ID=64076361
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810763997.4A Pending CN108810018A (en) | 2018-07-12 | 2018-07-12 | A mobile application detection cloud platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108810018A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109639705A (en) * | 2018-12-27 | 2019-04-16 | 成都国信安信息产业基地有限公司 | Cloud platform safety detection method |
| CN111814157A (en) * | 2019-04-12 | 2020-10-23 | 阿里巴巴集团控股有限公司 | Data security processing system, method, storage medium, processor and hardware security card |
| CN119830286A (en) * | 2024-12-24 | 2025-04-15 | 浙江政安信息安全研究中心有限公司 | Handheld intelligent recognition system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104184728A (en) * | 2014-08-14 | 2014-12-03 | 电子科技大学 | Safety detection method and device for Web application system |
| CN104537309A (en) * | 2015-01-23 | 2015-04-22 | 北京奇虎科技有限公司 | Application program bug detection method, application program bug detection device and server |
| CN105897807A (en) * | 2015-01-14 | 2016-08-24 | 江苏博智软件科技有限公司 | Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics |
| CN106126417A (en) * | 2016-06-17 | 2016-11-16 | 深圳开源互联网安全技术有限公司 | Interactive application safety detecting method and system thereof |
| CN106341426A (en) * | 2016-11-11 | 2017-01-18 | 中国南方电网有限责任公司 | Method for defending APT attack and safety controller |
| CN106874761A (en) * | 2016-12-30 | 2017-06-20 | 北京邮电大学 | A kind of Android system malicious application detection method and system |
-
2018
- 2018-07-12 CN CN201810763997.4A patent/CN108810018A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104184728A (en) * | 2014-08-14 | 2014-12-03 | 电子科技大学 | Safety detection method and device for Web application system |
| CN105897807A (en) * | 2015-01-14 | 2016-08-24 | 江苏博智软件科技有限公司 | Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics |
| CN104537309A (en) * | 2015-01-23 | 2015-04-22 | 北京奇虎科技有限公司 | Application program bug detection method, application program bug detection device and server |
| CN106126417A (en) * | 2016-06-17 | 2016-11-16 | 深圳开源互联网安全技术有限公司 | Interactive application safety detecting method and system thereof |
| CN106341426A (en) * | 2016-11-11 | 2017-01-18 | 中国南方电网有限责任公司 | Method for defending APT attack and safety controller |
| CN106874761A (en) * | 2016-12-30 | 2017-06-20 | 北京邮电大学 | A kind of Android system malicious application detection method and system |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| CN101751535B (en) | Data loss protection through application data access classification | |
| US9832214B2 (en) | Method and apparatus for classifying and combining computer attack information | |
| CN110213207B (en) | Network security defense method and equipment based on log analysis | |
| US8220054B1 (en) | Process exception list updating in a malware behavior monitoring program | |
| CN107577947B (en) | Vulnerability detection method and system for information system, storage medium and electronic equipment | |
| US11061756B2 (en) | Enabling symptom verification | |
| US20150172303A1 (en) | Malware Detection and Identification | |
| US20200341868A1 (en) | System and Method for Reactive Log Spooling | |
| US10776487B2 (en) | Systems and methods for detecting obfuscated malware in obfuscated just-in-time (JIT) compiled code | |
| JP2019079492A (en) | System and method for detection of anomalous events on the basis of popularity of convolutions | |
| US12124569B2 (en) | Command inspection method and apparatus, computer device, and storage medium | |
| CN113836237A (en) | Method and device for auditing data operation of database | |
| US10262133B1 (en) | System and method for contextually analyzing potential cyber security threats | |
| CN103095821A (en) | Continuous auditing system based on virtual machine migration recognition | |
| CN108810018A (en) | A mobile application detection cloud platform | |
| US10360381B2 (en) | Detection of persistent threats in a computerized environment background | |
| US20140222496A1 (en) | Determining cost and risk associated with assets of an information technology environment | |
| US12242609B2 (en) | Exact restoration of a computing system to the state prior to infection | |
| CN118585994B (en) | A method, device, equipment and storage medium for detecting and warning malicious files | |
| KR101580624B1 (en) | Method of Penalty-based Unknown Malware Detection and Response | |
| CN115296895B (en) | Request response method and device, storage medium and electronic equipment | |
| US10554672B2 (en) | Causality identification and attributions determination of processes in a network | |
| CN113094709B (en) | Detection method, device and server for risk application | |
| JP7302223B2 (en) | Script detection device, method and program | |
| CN115834188A (en) | Vulnerability scanning monitoring method and system, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20181113 |