CN103279709A - Method and system for comprehensively detecting advertisement plug-in based on multi-features - Google Patents
- Publication number
- CN103279709A
- Authority
- CN
- China
- Prior art keywords
- advertisement part
- feature
- information list
- analysis result
- tabulation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The invention discloses a method and device for comprehensively detecting advertisement plug-ins based on multiple features. A compressed APK installation package is decompressed, and the configuration files, resource files and executable files obtained from it are analyzed. Features are extracted from the analysis results of the configuration files, the resource files and the executable files respectively. After the extracted features are combined, they are matched against an advertisement plug-in feature library. If the matching degree between the extracted features and any record in the feature library reaches a preset value, the APK installation package contains the advertisement plug-in, and the advertisement plug-in name recorded in that record is output. Otherwise, the APK installation package does not contain an advertisement plug-in. The method therefore has strong heuristic detection capability and can detect advertisement plug-ins on the Android platform comprehensively and in a timely manner.
Description
Technical field
The present invention relates to the field of mobile terminal security, and in particular to a comprehensive advertisement plug-in detection method and system based on multiple features.
Background technology
As mobile terminals become smarter, mobile Internet services keep emerging, delivering advertisements to mobile terminals has become a goal for many businesses, and the commercial opportunity this brings is increasingly obvious. Because users can easily download whatever software they need, the security of that software is hard to determine. Porting conventional advertisement plug-in detection and removal methods to mobile terminals raises many problems. First, mobile terminals run a variety of operating systems, such as Android, iOS, Windows and Symbian; the software installation packages differ on each platform and the security mechanisms differ widely, so a single unified detection and removal method cannot be expected to work well. Second, advertising is now one of the most important sources of profit for the domestic mobile Internet, and indiscriminately blocking all advertising built into software programs would threaten the interests of a considerable number of people.
At present, the most widely used terminal platform is Android, so the largest volume of advertisement plug-ins is delivered on the Android platform. Android differs from other terminal platforms in many ways. When software is installed, the Android platform hands much of the decision-making power to the user, who decides whether a program may perform the relevant operations. Developers are required to declare the APIs they use (these declarations are called permissions), and the use of certain sensitive APIs causes a risk prompt to be shown to the user at install time. However, users without a certain level of security knowledge cannot make the correct choice and can very easily install software that contains advertisement plug-ins.
Summary of the invention
To address the above technical problem, the invention provides a comprehensive advertisement plug-in detection method and system based on multiple features. The method decompresses the APK installation package, uses the file characteristics of the Android installation package itself to extract suspicious features, and matches them against an advertisement plug-in feature library, so that advertisement plug-ins on the Android platform can be detected accurately.
The invention is implemented by the following method. A comprehensive advertisement plug-in detection method based on multiple features comprises:
Decompressing the APK installation package, and analyzing the configuration file, resource files and executable file obtained after decompression respectively;
Extracting features from the analysis results of the configuration file, the resource files and the executable file respectively;
After combining the extracted features, matching them against the records in the advertisement plug-in feature library; if the matching degree between the extracted features and any record in the feature library reaches a preset value, an advertisement plug-in exists in the APK installation package and the advertisement plug-in name recorded in that record is output; otherwise, no advertisement plug-in exists in the APK installation package;
The advertisement plug-in feature library records the names of known advertisement plug-ins and their related feature information.
In the method, extracting features from the analysis result of the configuration file comprises extracting: a permission information list, an activity information list or an SDK information list.
In the method, extracting features from the analysis result of the resource files comprises extracting: a sensitive string information list, a sensitive URL information list or a resource file information list.
In the method, extracting features from the analysis result of the executable file comprises extracting: a sensitive API information list, a sensitive API parameter information list, a sensitive string information list or a sensitive code fragment information list.
In the method, the preset value may be 80%.
A comprehensive advertisement plug-in detection system based on multiple features comprises:
A decompression module, which decompresses the APK installation package and analyzes the configuration file, resource files and executable file obtained after decompression respectively;
A feature extraction module, which extracts features from the analysis results of the configuration file, the resource files and the executable file respectively;
A determination module, which, after combining the extracted features, matches them against the records in the advertisement plug-in feature library; if the matching degree between the extracted features and any record in the feature library reaches a preset value, an advertisement plug-in exists in the APK installation package and the advertisement plug-in name recorded in that record is output; otherwise, no advertisement plug-in exists in the APK installation package;
The advertisement plug-in feature library records the names of known advertisement plug-ins and their related feature information.
In the system, extracting features from the analysis result of the configuration file comprises extracting: a permission information list, an activity information list or an SDK information list.
In the system, extracting features from the analysis result of the resource files comprises extracting: a sensitive string information list, a sensitive URL information list or a resource file information list.
In the system, extracting features from the analysis result of the executable file comprises extracting: a sensitive API information list, a sensitive API parameter information list, a sensitive string information list or a sensitive code fragment information list.
In the system, the preset value may be 80%.
In summary, the invention provides a comprehensive advertisement plug-in detection method and system based on multiple features. The APK installation package is decompressed to obtain the configuration file, resource files and executable file; each of these three kinds of file is analyzed and has features extracted from it; and the extracted features are matched against the records in the advertisement plug-in feature library to determine whether the package contains an advertisement plug-in. The method achieves a good recall rate for advertisement plug-ins on the Android platform.
Description of drawings
To illustrate the technical solution of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are obviously only some of the embodiments recorded in the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the comprehensive advertisement plug-in detection method based on multiple features provided by the invention;
Fig. 2 is a structural diagram of the comprehensive advertisement plug-in detection system based on multiple features provided by the invention.
Embodiment
The present invention provides a comprehensive advertisement plug-in detection method and system based on multiple features. To help those skilled in the art better understand the technical solutions in the embodiments, and to make the above objects, features and advantages of the invention more apparent, the technical solution is described in further detail below with reference to the drawings:
The invention first provides a comprehensive advertisement plug-in detection method based on multiple features which, as shown in Fig. 1, comprises:
S101: Decompress the APK installation package and analyze the configuration file, resource files and executable file obtained after decompression respectively;
S102: Extract features from the analysis results of the configuration file, the resource files and the executable file respectively;
S103: After the extracted features are combined, match them against the records in the advertisement plug-in feature library, and judge whether the matching degree between the extracted features and any record in the library reaches the preset value. If so, proceed to S104; otherwise, no advertisement plug-in exists in the APK installation package;
The advertisement plug-in feature library records the names of known advertisement plug-ins and their related feature information;
Each record in the advertisement plug-in feature library can be defined in various forms; preferably, one structure for each record in the feature library is given here:
Here, AMPermissions denotes the permission information string; AMActivity denotes the activity information string; AMSDK denotes the SDK information string; APIs denotes the API information string; Parameters denotes the API parameter information string; ResFileHash denotes the resource file hash; DexBufferHash denotes the code fragment hash; Adname denotes the advertisement plug-in name;
S104: An advertisement plug-in exists in the APK installation package; output the advertisement plug-in name recorded in the matching record of the feature library.
Preferably, extracting features from the analysis result of the configuration file comprises extracting: a permission information list, an activity information list or an SDK information list.
Preferably, extracting features from the analysis result of the resource files comprises extracting: a sensitive string information list, a sensitive URL information list or a resource file information list.
Preferably, extracting features from the analysis result of the executable file comprises extracting: a sensitive API information list, a sensitive API parameter information list, a sensitive string information list or a sensitive code fragment information list.
Preferably, the preset value is 80%. After weighing the recall rate against the false-alarm rate, 80% is considered a suitable preset value.
Combining the extracted features can produce a feature set in various forms; preferably, one data structure for the feature set is given here:
Here, permissionslist holds the permission information list; activitieslist holds the activity information list; SDKslist holds the SDK registration information list; stringslist holds the sensitive string information list; filehashlist holds the resource file hash information list; APIslist holds the API information list; parameterslist holds the parameter information list; codebufferhashlist holds the code fragment hash information list. The fields of type int hold the number of entries in the corresponding information list.
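The following sketch walks steps S101 to S104 end to end. It is an added example, not code from the patent: the record fields reuse names from the page, while the matching-degree formula (share of a record's feature values found in the package), the text-XML manifest, the use of DEX class descriptors as API features, and the "ExampleAds" sample data are assumptions.

```python
# Added illustration, not code from the patent. Record field names follow the
# page; the metric, sample data and "ExampleAds" are assumptions.
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FIELDS = ("AMPermissions", "AMActivity", "APIs", "ResFileHash")
PRESET = 0.80  # preset value stated on the page

# Constructed feature-library record for a hypothetical plug-in.
FEATURE_DB = [{
    "Adname": "ExampleAds",
    "AMPermissions": {"android.permission.INTERNET",
                      "android.permission.READ_PHONE_STATE"},
    "AMActivity": {"com.exampleads.sdk.AdActivity"},
    "APIs": {"Landroid/telephony/TelephonyManager;"},
    "ResFileHash": {hashlib.sha256(b"exampleads-banner").hexdigest()},
}]

def extract_features(apk_bytes):
    """S101/S102: unpack the package and extract features per file class."""
    feats = {field: set() for field in FIELDS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name == "AndroidManifest.xml":
                # Assumption: manifest already decoded to text XML
                # (a real APK stores it as binary XML).
                root = ET.fromstring(data)
                for tag, field in (("uses-permission", "AMPermissions"),
                                   ("activity", "AMActivity")):
                    names = (e.get(ANDROID_NS + "name") for e in root.iter(tag))
                    feats[field].update(n for n in names if n)
            elif name.startswith(("res/", "assets/")):
                feats["ResFileHash"].add(hashlib.sha256(data).hexdigest())
            elif name.endswith(".dex"):
                # Assumption: API use approximated by class descriptors
                # that appear as strings in the DEX data.
                for m in re.findall(rb"L[\w/$]+;", data):
                    feats["APIs"].add(m.decode("ascii"))
    return feats

def match_degree(feats, record):
    """Assumed metric: share of the record's feature values found in the APK."""
    total = hit = 0
    for field in FIELDS:
        wanted = record.get(field, set())
        total += len(wanted)
        hit += len(wanted & feats[field])
    return hit / total if total else 0.0

def detect(apk_bytes):
    """S103/S104: names of plug-ins whose matching degree reaches PRESET."""
    feats = extract_features(apk_bytes)
    return [r["Adname"] for r in FEATURE_DB
            if match_degree(feats, r) >= PRESET]

def build_sample_apk(with_sdk):
    """Constructed ZIP standing in for an APK (sample data, not a real app)."""
    perms = ["android.permission.INTERNET"]
    acts = ["com.example.app.MainActivity"]
    dex = b"dex\n035\x00Lcom/example/app/Main;\x00"
    files = {}
    if with_sdk:
        perms.append("android.permission.READ_PHONE_STATE")
        acts.append("com.exampleads.sdk.AdActivity")
        dex += b"Landroid/telephony/TelephonyManager;\x00"
        # Resource differs from the library copy, so its hash will not match.
        files["res/drawable/banner.png"] = b"exampleads-banner-v2"
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
        + "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
        + "<application>"
        + "".join(f'<activity android:name="{a}"/>' for a in acts)
        + "</application></manifest>")
    files.update({"AndroidManifest.xml": manifest.encode(), "classes.dex": dex})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

With the constructed sample, the package that embeds the hypothetical SDK matches four of the record's five feature values (its resource hash differs), which is exactly the 80% preset, so `detect` reports it; the package without the SDK matches one of five and is not reported.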
The invention also provides a comprehensive advertisement plug-in detection system based on multiple features which, as shown in Fig. 2, comprises:
The advertisement plug-in feature library records the names of known advertisement plug-ins and their related feature information.
Preferably, extracting features from the analysis result of the configuration file comprises extracting: a permission information list, an activity information list or an SDK information list.
Preferably, extracting features from the analysis result of the resource files comprises extracting: a sensitive string information list, a sensitive URL information list or a resource file information list.
Preferably, extracting features from the analysis result of the executable file comprises extracting: a sensitive API information list, a sensitive API parameter information list, a sensitive string information list or a sensitive code fragment information list.
Preferably, the preset value is 80%. After weighing the recall rate against the false-alarm rate, 80% is considered a suitable preset value.
As described above, the invention provides a comprehensive advertisement plug-in detection method and system based on multiple features. Targeting the Android system, the method decompresses the APK installation package, extracts features from the configuration file, resource files and executable file in the package, combines the extracted features, and matches them against the records of the advertisement plug-in feature library in order to detect advertisement plug-ins. The method makes full use of the file characteristics of the APK installation package itself and achieves a better detection result.
The above embodiments illustrate, and do not limit, the technical solution of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall fall within the scope of its claims.
Claims (10)
1. A comprehensive advertisement plug-in detection method based on multiple features, characterized by comprising:
Decompressing the APK installation package, and analyzing the configuration file, resource files and executable file obtained after decompression respectively;
Extracting features from the analysis results of the configuration file, the resource files and the executable file respectively;
After combining the extracted features, matching them against the records in the advertisement plug-in feature library; if the matching degree between the extracted features and any record in the feature library reaches a preset value, an advertisement plug-in exists in the APK installation package and the advertisement plug-in name recorded in that record is output; otherwise, no advertisement plug-in exists in the APK installation package;
The advertisement plug-in feature library records the names of known advertisement plug-ins and their feature information.
2. The method of claim 1, characterized in that extracting features from the analysis result of the configuration file comprises extracting: a permission information list, an activity information list or an SDK information list.
3. The method of claim 1, characterized in that extracting features from the analysis result of the resource files comprises extracting: a sensitive string information list, a sensitive URL information list or a resource file information list.
4. The method of claim 1, characterized in that extracting features from the analysis result of the executable file comprises extracting: a sensitive API information list, a sensitive API parameter information list, a sensitive string information list or a sensitive code fragment information list.
5. The method of claim 1, characterized in that the preset value is 80%.
6. A comprehensive advertisement plug-in detection system based on multiple features, characterized by comprising:
A decompression module, which decompresses the APK installation package and analyzes the configuration file, resource files and executable file obtained after decompression respectively;
A feature extraction module, which extracts features from the analysis results of the configuration file, the resource files and the executable file respectively;
A determination module, which, after combining the extracted features, matches them against the records in the advertisement plug-in feature library; if the matching degree between the extracted features and any record in the feature library reaches a preset value, an advertisement plug-in exists in the APK installation package and the advertisement plug-in name recorded in that record is output; otherwise, no advertisement plug-in exists in the APK installation package;
The advertisement plug-in feature library records the names of known advertisement plug-ins and their feature information.
7. The system of claim 6, characterized in that extracting features from the analysis result of the configuration file comprises extracting: a permission information list, an activity information list or an SDK information list.
8. The system of claim 6, characterized in that extracting features from the analysis result of the resource files comprises extracting: a sensitive string information list, a sensitive URL information list or a resource file information list.
9. The system of claim 6, characterized in that extracting features from the analysis result of the executable file comprises extracting: a sensitive API information list, a sensitive API parameter information list, a sensitive string information list or a sensitive code fragment information list.
10. The system of claim 6, characterized in that the preset value is 80%.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012105832594A CN103279709A (en) | 2012-12-28 | 2012-12-28 | Method and system for comprehensively detecting advertisement plug-in based on multi-features |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103279709A true CN103279709A (en) | 2013-09-04 |
Family
ID=49062224
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2012105832594A Pending CN103279709A (en) | 2012-12-28 | 2012-12-28 | Method and system for comprehensively detecting advertisement plug-in based on multi-features |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103279709A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104484598A (en) * | 2014-12-31 | 2015-04-01 | 北京奇虎科技有限公司 | Method and device for protecting safety of intelligent terminal |
CN104063664B (en) * | 2014-06-26 | 2017-04-05 | 北京奇虎科技有限公司 | The safety detection method of software installation bag, client, server and system |
CN106991323A (en) * | 2017-03-10 | 2017-07-28 | 中时瑞安(北京)网络科技有限责任公司 | The model and method of a kind of detection Android application program ad plug-ins |
CN108037928A (en) * | 2017-12-13 | 2018-05-15 | 北京小米移动软件有限公司 | Software development kit tools SDK detection method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040123117A1 (en) * | 2002-12-18 | 2004-06-24 | Symantec Corporation | Validation for behavior-blocking system |
US20110047620A1 (en) * | 2008-10-21 | 2011-02-24 | Lookout, Inc., A California Corporation | System and method for server-coupled malware prevention |
CN102779257A (en) * | 2012-06-28 | 2012-11-14 | 奇智软件(北京)有限公司 | Security detection method and system of Android application program |
CN102789506A (en) * | 2012-07-19 | 2012-11-21 | 腾讯科技(深圳)有限公司 | Method and device for extracting characteristic information of application program installation package as well as client equipment |
CN102831338A (en) * | 2012-06-28 | 2012-12-19 | 北京奇虎科技有限公司 | Security detection method and system of Android application program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20130904 |