CN115203692B - A Multidimensional Approach to Security Assessment of Android Platform Application Behavior that Integrates User Subjective Evaluation - Google Patents
- Publication number
- CN115203692B (application number CN202210564742.1A)
- Authority
- CN
- China
- Prior art keywords
- application
- tested
- authority
- subjective
- software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
  - G06F21/562—Static detection
  - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/00 > G06F21/50 > G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F8/00—Arrangements for software engineering > G06F8/40—Transformation of program code > G06F8/53—Decompilation; Disassembly
- G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44—Arrangements for executing specific programs > G06F9/451—Execution arrangements for user interfaces
Abstract
The invention discloses a multi-dimensional security assessment method for Android application behaviour that integrates subjective user evaluation. The method combines static detection based on permission correlation, dynamic monitoring based on historical confidence, and the user's subjective expectation based on subjective correlation, and produces a quantitative behaviour-security score for an Android application. It consists of an application analysis method and an application evaluation method. The analysis method performs permission-based static detection on the apk file, which improves granularity and objectivity, and dynamically monitors the application's run-time behaviour to obtain how often each permission is invoked within a given period; the static result guides the dynamic monitoring and compensates for the inefficiency of static detection alone. The evaluation method integrates, on top of the two-dimensional analysis result, the user's subjective expectation of how applications of a given category use each permission, and produces a personalised quantitative score according to the sensitivity of the individual user, so that different user attitudes are taken into account while the detection analysis itself remains objective.
Description
Technical Field
The invention relates to the field of mobile application security, in particular to a multi-dimensional security assessment method for Android application behaviour that integrates subjective user evaluation.
Background
Mobile devices based on the Android platform attract a large number of users thanks to their ease of use, rich functionality and extensibility, and the popularity of the platform has led to a huge number of applications that offer end users rich features. But more and more applications also carry serious security risks. Android software can easily obtain a user's sensitive information, so inadequate protection readily leads to privacy leaks. This risk also attracts unscrupulous operators and outright attackers: malware spreads through application markets disguised as benign software and threatens user privacy. Examples include spyware that tracks the user's location and reports it to a controller, adware that collects identity information for targeted marketing, and malware that steals banking passwords and other sensitive data for criminal purposes.
To defend against such applications, the user needs help in reviewing them at installation time. Android relies on permissions to help users understand the security and privacy risks of an application: an application must request a permission to access a sensitive resource, so in effect it must declare its intended behaviour to the user. This is coarse-grained, however. Permissions say which resources the application may try to access, but give no fine-grained information about how those resources are used. Suppose a user installs an application and allows it to access the address book. The user cannot tell whether the application accesses the address book only as expected or keeps accessing it continuously without explicit consent. Beyond permission-based static analysis, therefore, continuous dynamic tracking is also needed, together with knowledge of how much the user cares about each sensitive behaviour. On the one hand, sensitive behaviour is recorded in real time by continuously tracking the application's API calls while it actually runs; on the other hand, the monitoring focus is adjusted according to the user's subjective expectation, so that the behaviours the user cares about are the ones watched. Such a comprehensive mechanism has to build on static analysis, guide the monitoring of API calls made by installed applications at run time, and make its judgement in combination with the user's expectations, so that the user is warned before a malicious application misuses sensitive information.
In everyday use, a mobile application should be given a risk judgement that reflects the user's own personality and opinion about whether its behaviour is appropriate. Not everyone can make software security decisions, however, and users would also need to know how an application behaves in different environments without creating a security threat. This is impractical for an average user. There is therefore a need for an automated evaluation mechanism that evaluates applications and effectively alerts users when their security expectations are violated.
Disclosure of Invention
To solve these problems, the invention provides a multi-dimensional security assessment method for Android application behaviour that integrates subjective user evaluation.
The invention adopts the following technical scheme:
The multi-dimensional security assessment method for Android application behaviour that integrates subjective user evaluation is characterised in that it comprises an application analysis method and an application evaluation method:
the application analysis method performs permission-based static detection on the application under test and real-time dynamic monitoring of its behaviour, and obtains how the application under test invokes each permission;
the application evaluation method quantifies the static detection and dynamic monitoring results into feature vectors, integrates the user's subjective expectation of how the software category to which the application belongs invokes each permission, and scores the application under test according to the sensitivity of the individual user, using an existing dataset of malicious and benign software.
A further preferred technical scheme of the invention is as follows:
The apk file of the application under test is obtained from a mobile phone application market, the application source is recovered by decompilation, and the AndroidManifest.xml file obtained after decompilation is analysed by string matching to obtain the permissions requested under its <uses-permission> tags.
The real-time dynamic monitoring of the application under test, guided by the static detection result, comprises installing the application under test in a rooted Android environment, taking control of the system service process by hooking, increasing the number of monitored APIs for the permission groups that static detection found to be requested more, reducing the monitoring effort for permission groups not requested or requested less, and running the application under test to record the privacy-related permissions and sensitive APIs it invokes within a given period.
A further preferred technical scheme of the invention is as follows:
the application evaluation method comprises the following steps:
Step 1, obtain the static index, permission correlation, from the static detection data of the application analysis method;
Step 2, obtain the dynamic index, historical confidence, from the dynamic monitoring data of the application analysis method;
Step 3, obtain the subjective expectation index (the subjective expected value) from the user's tolerance of, and sensitivity to, the software category of the application under test invoking each permission;
Step 4, score the application under test by combining its three-dimensional static, dynamic and subjective expectation indices against the existing dataset of malicious and benign software.
A further preferred technical scheme of the invention is as follows:
Step 1 comprises the following:
Software is divided into 17 classes following the Huawei mobile application market, denoted A_j, j ∈ {1, ..., 17}; permissions are divided into 9 groups following the official Android grouping, denoted P_i, i ∈ {1, ..., 9}; and the permission declaration vector is obtained by static detection, where:

SMF = {p_1, p_2, ..., p_9, C}    (1)
C = j, if C ∈ A_j    (3)

From the permission declaration vector the static index, the permission correlation W(P_i, A_j), is computed, where N is the number of applications in the existing dataset belonging to the software class of the application under test, N(P_i, A_j) is the number of occurrences of permission group P_i in application class A_j, and W(P_i, A_j) is the correlation of the i-th permission group with the j-th software class.
Step 2 comprises the following:
Dynamic monitoring yields the number of calls, within a given period, to the API functions corresponding to each permission group of the application under test, from which the dynamic index, the historical confidence H(API_i), is calculated:
Here H(API_i) is the historical confidence with which the application under test, of class A_j, calls the API group API_i; the call frequency t(API_i, A_j) expresses the likelihood of privacy leakage through that permission; β is an adjustment coefficient; and σ is a growth coefficient that measures how far the system tolerates the application invoking the permission as the leakage probability rises.
Step 3 comprises the following:
For software of class A_j, the user judges each permission group or sensitive API function class that the software will use and assigns a score of 5, 4, 3, 2 or 1 from high to low, ranging from "very irrelevant" to "very relevant": the more likely the user believes that use of the permission or API function creates a security threat, the higher the score, and the lower otherwise. The subjective evaluation vector is defined as E_user,

E_user(A_j) = {J(1, A_j), J(2, A_j), ..., J(9, A_j), C}    (6)

where J(i, A_j) is the user's subjective expectation.
Step 4 comprises weighting and summing the static, dynamic and subjective expectation indices of the application under test to obtain the index vector of the sample under test, training a soft-margin SVM on the existing dataset to obtain the hyperplane and discriminant function Risk separating malicious from benign software, feeding in the sample index vector, and scoring it according to its distance from the hyperplane and the probability of its being classified as benign software.
The invention has the beneficial effects that:
The method obtains the requested permission groups by static detection and, for the software category of the application under test, the permission correlation of each group; obtains by dynamic monitoring the call records of each permission group within a given period and hence the historical confidence of each group; obtains the subjective expected value from the user's tolerance of, and sensitivity to, the software category using each permission group; and finally performs a quantitative behaviour-security evaluation of the Android application against the existing dataset of malicious and benign software by combining the static, dynamic and subjective expectation indices. Compared with conventional static and dynamic analysis, the method introduces permission correlation into static detection and historical confidence into dynamic monitoring. It can objectively reflect the permission demands of the software category to which the application belongs while quantifying the application's actual permission use over a given period. Static detection and dynamic monitoring are combined, with the static result guiding the dynamic monitoring, so that both the permissions requested at the code level and the application's actual run-time behaviour are considered; real-time behaviour analysis is targeted according to the application's category, which compensates for the inefficiency of dynamic monitoring and ensures a comprehensive evaluation. Compared with the conventional reliance on the experience-based subjective judgement of security specialists, the user's own subjective expectation of the application under test is introduced, so differences between users are reflected and differentiated results are produced for different attitudes and sensitivities. Compared with conventional graded ratings, the percentage score that is output is more concrete and lets users weigh and compare the security of different applications themselves.
The method comprises an application analysis method and an application evaluation method. The analysis method performs permission-based static detection on the application's apk file, improving granularity and objectivity, and dynamically monitors the application's real-time behaviour to obtain how often it invokes each permission within a given period; the static detection result also guides the dynamic monitoring and compensates for its inefficiency. The evaluation method integrates, on top of the two-dimensional analysis result, the user's subjective expectation of how different applications use different permissions, produces a personalised quantitative score according to the sensitivity of each user, and so takes different user attitudes into account while keeping the detection analysis objective.
Drawings
FIG. 1 is a flow chart of the multi-dimensional security assessment method for Android application behaviour that integrates subjective user evaluation;
FIG. 2 is a flow chart of the specific implementation of the permission-based static detection step;
FIG. 3 is a flow chart of the specific implementation of the real-time dynamic monitoring step guided by static detection;
FIG. 4 is a graph of the permission correlation of the navigation and travel software used for testing;
FIG. 5 shows the historical confidence of the navigation and travel software used for testing;
FIG. 6 shows the subjective expectations of the experimental and control groups for navigation and travel software;
FIG. 7 compares the location and sensor permission evaluation values of benign and malicious navigation and travel software;
FIG. 8 compares the location, phone and sensor permission evaluation values of benign and malicious navigation and travel software;
FIG. 9 is a graph of distance-based evaluation scores for different degrees of subjectivity;
FIG. 10 is a graph of probability-based evaluation scores for different degrees of subjectivity.
Detailed Description
The invention is further illustrated by the following drawings and detailed description, which are to be understood as merely illustrative of the invention and not as limiting its scope.
A multi-dimensional security assessment method for Android application behaviour that integrates subjective user evaluation comprises an application analysis method and an application evaluation method.
The application analysis method comprises two steps: permission-based static detection of the application under test, and real-time dynamic monitoring of its behaviour guided by the static detection result.
As shown in FIG. 2, the permission-based static detection is implemented as follows:
The apk file of the application under test is obtained from the official Huawei mobile application market, decompiled, and its AndroidManifest.xml is analysed to obtain the requested permissions. The specific steps are:
(1) First, obtain the apk file of the application under test from the mobile application market;
(2) Second, decompile the apk file to obtain the source of the sample under test;
(3) Then, parse by string matching the permission declarations under the <uses-permission> tags in the AndroidManifest.xml file of the decompiled source;
(4) Finally, classify the declared permissions by permission group to obtain the permission declaration vector.
As shown in FIG. 3, the real-time dynamic monitoring of application behaviour guided by the static detection result is implemented as follows:
The application under test is installed in a rooted Android environment, the relevant sensitive APIs are selectively monitored by hooking the system service process in combination with the static detection result, and the application is run to obtain how it calls each permission group within a given period. The specific steps are:
(1) First, redesign the app_process binary to replace the original Android system file, load a pre-compiled jar package and replace the program entry point;
(2) Second, have the init process start the Zygote process, which forks the SystemServer process and others, loads the class library and calls the hook function;
(3) Then, according to the static detection result, monitor more API behaviours related to the permission groups that are requested more, and reduce the number of monitored APIs for permission groups not requested or requested less;
(4) Finally, install the application under test in the Android environment, run it, monitor its calls to system API functions through the hook module, and record the monitored calls in a log.
As shown in FIG. 1, the application evaluation method is divided into four steps: obtaining the permission correlation from static detection, obtaining the historical confidence from dynamic monitoring, obtaining the subjective expected value from the user, and performing the quantitative evaluation on the three-dimensional indices.
The permission correlation is obtained from static detection as follows:
(1) Software is divided into 17 classes following the Huawei mobile application market, denoted A_j, j ∈ {1, ..., 17}; permissions are divided into 9 groups following the official Android grouping, denoted P_i, i ∈ {1, ..., 9}; and the permission declaration vector is obtained by static detection, where:

SMF = {p_1, p_2, ..., p_9, C}    (1)
C = j, if C ∈ A_j    (3)

(2) For an application of class A_j, each statically detected permission group P_i has a use frequency F(P_i, A_j) in that class, where N(P_i, A_j) is the number of occurrences of permission group P_i in class A_j and N is the total number of applications analysed in that class; the larger F(P_i, A_j), the stronger the relation between the permission group and the application class;
(3) The permission correlation weight is then:

F'(P_i, A_j) = (1 - F(P_i, A_j))^2    (8)

so that a permission group commonly requested by the class receives a low weight.
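The static detection step and the correlation weight of equation (8), carried through on constructed data. This is an added example, not the patent's own tool: the manifests are constructed, the category index is arbitrary, and the mapping of permissions to the nine groups is an assumed subset of the dangerous-permission groups that Android 6 to 9 document (the patent names the groups only by number). Equation (8) is implemented as written; the W(P_i, A_j) formula itself is not on the page and is not reconstructed here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed grouping (not from the patent): the nine dangerous-permission groups
# of Android 6 to 9. The permission-to-group table is a constructed subset.
PERMISSION_GROUPS: List[str] = [
    "CALENDAR", "CAMERA", "CONTACTS", "LOCATION", "MICROPHONE",
    "PHONE", "SENSORS", "SMS", "STORAGE",
]
PERMISSION_TO_GROUP: Dict[str, str] = {
    "android.permission.READ_CALENDAR": "CALENDAR",
    "android.permission.WRITE_CALENDAR": "CALENDAR",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.BODY_SENSORS": "SENSORS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """android:name of every <uses-permission> element in a decompiled AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")]


def smf_vector(manifest_xml: str, category: int) -> List[int]:
    """SMF = {p_1, ..., p_9, C} (eq. 1): p_i = 1 if any permission of group P_i is
    declared (permissions outside the nine groups, e.g. INTERNET, are ignored), C = j."""
    groups = {PERMISSION_TO_GROUP[p] for p in declared_permissions(manifest_xml)
              if p in PERMISSION_TO_GROUP}
    return [1 if g in groups else 0 for g in PERMISSION_GROUPS] + [category]


def permission_frequency(vectors: List[List[int]]) -> List[float]:
    """F(P_i, A_j) = N(P_i, A_j) / N over the SMF vectors of one software class A_j."""
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(len(PERMISSION_GROUPS))]


def correlation_weight(freqs: List[float]) -> List[float]:
    """F'(P_i, A_j) = (1 - F(P_i, A_j))^2 (eq. 8): groups the class commonly requests get a low weight."""
    return [(1.0 - f) ** 2 for f in freqs]


def class_correlation(manifests: List[str], category: int) -> Dict[str, float]:
    """Static index for one class: permission group -> F'(P_i, A_j)."""
    vectors = [smf_vector(m, category) for m in manifests]
    return dict(zip(PERMISSION_GROUPS, correlation_weight(permission_frequency(vectors))))


def build_manifest(*perms: str) -> str:
    """Constructed minimal manifest with the given <uses-permission> entries."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.app">{body}</manifest>')


# Constructed sample: four manifests of one class (category index 5 is arbitrary), not real apps.
NAV_CATEGORY = 5
NAV_MANIFESTS = [
    build_manifest("android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
                   "android.permission.READ_PHONE_STATE", "android.permission.WRITE_EXTERNAL_STORAGE",
                   "android.permission.CAMERA", "android.permission.INTERNET"),
    build_manifest("android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE",
                   "android.permission.READ_EXTERNAL_STORAGE"),
    build_manifest("android.permission.ACCESS_COARSE_LOCATION", "android.permission.WRITE_EXTERNAL_STORAGE",
                   "android.permission.CAMERA", "android.permission.READ_CONTACTS"),
    build_manifest("android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE",
                   "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.SEND_SMS"),
]

if __name__ == "__main__":
    for group, weight in class_correlation(NAV_MANIFESTS, NAV_CATEGORY).items():
        print(f"{group:<10} F'={weight:.4f}")
```

With this sample every app declares LOCATION and STORAGE, so those groups get F' = 0 (the "low correlation, frequently requested, tolerable" case the test section describes for navigation software), while groups no app in the class requests keep F' = 1.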
The historical confidence is obtained from dynamic monitoring as follows:
(1) The API functions most relevant to privacy leakage are divided into 9 API groups corresponding to the permission groups, defined as API_i, i ∈ {1, 2, ..., 9};
(2) The number of calls t(API_i, A_j) to the privacy-related API functions within a given period and the correlation of the API group with the software's function are used as the indices of historical confidence: the lower the correlation and the higher the number of calls, the more the confidence in that API group decays exponentially. The historical confidence index is defined as follows:
Here H(API_i) is the historical confidence with which the application under test, of class A_j, calls API group API_i, i.e. the degree of trust in that application calling that API group; the call frequency t(API_i, A_j) expresses the likelihood of privacy leakage through that permission; β is an adjustment coefficient; and σ is a growth coefficient that measures how far the system tolerates the application invoking the permission as the leakage probability rises, and is set according to the actual situation;
(3) The H(API_i) values finally form the dynamic feature vector D_API:

D_API = {H(API_1), H(API_2), ..., H(API_9), C}    (10)
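How the per-group call counts t(API_i, A_j) can be derived from the hook module's log, and how the static result narrows what is counted (steps (3) and (4) of the dynamic monitoring above). This is an added example, not the patent's monitoring tool: the log line format, the API-to-group table and the log lines themselves are all constructed, since the page only says that monitored calls are "recorded in a log". The decay formula for H(API_i) is not on the page, so the block stops at the counts that feed it.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

API_GROUPS: List[str] = [
    "CALENDAR", "CAMERA", "CONTACTS", "LOCATION", "MICROPHONE",
    "PHONE", "SENSORS", "SMS", "STORAGE",
]

# Assumed table (constructed subset): hooked framework method -> API group API_i.
# A real hook module covers far more methods than this.
API_TO_GROUP: Dict[str, str] = {
    "android.location.LocationManager.getLastKnownLocation": "LOCATION",
    "android.location.LocationManager.requestLocationUpdates": "LOCATION",
    "android.telephony.TelephonyManager.getDeviceId": "PHONE",
    "android.telephony.TelephonyManager.getLine1Number": "PHONE",
    "android.content.ContentResolver.query:contacts": "CONTACTS",
    "android.telephony.SmsManager.sendTextMessage": "SMS",
    "android.hardware.Camera.open": "CAMERA",
    "android.media.MediaRecorder.start": "MICROPHONE",
    "android.hardware.SensorManager.registerListener": "SENSORS",
    "android.provider.CalendarContract:query": "CALENDAR",
    "java.io.FileOutputStream.<init>:/sdcard": "STORAGE",
}

# Assumed log line shape written by the hook module (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"pid=(?P<pid>\d+) pkg=(?P<pkg>\S+) api=(?P<api>\S+)$"
)


def api_call_counts(lines: Iterable[str], pkg: str, window_start: datetime,
                    window: timedelta, monitored: Optional[Set[str]] = None) -> Dict[str, int]:
    """t(API_i, A_j): calls per API group by package `pkg` within [window_start, window_start + window).
    `monitored` restricts counting to the groups the static result says to watch; None counts all."""
    counts = {g: 0 for g in API_GROUPS}
    window_end = window_start + window
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["pkg"] != pkg:
            continue  # malformed line or another process's call
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if not (window_start <= ts < window_end):
            continue
        group = API_TO_GROUP.get(m["api"])
        if group is None or (monitored is not None and group not in monitored):
            continue
        counts[group] += 1
    return counts


def t_vector(counts: Dict[str, int]) -> List[int]:
    """Counts in the fixed group order, i.e. (t(API_1), ..., t(API_9))."""
    return [counts[g] for g in API_GROUPS]


# Constructed hook log: one navigation app (pid 4321), one unrelated app, and a
# late SMS call that falls outside the 60-second window.
HOOK_LOG = """\
2022-05-20 10:00:00.100 pid=4321 pkg=com.example.nav api=android.location.LocationManager.requestLocationUpdates
2022-05-20 10:00:05.250 pid=4321 pkg=com.example.nav api=android.location.LocationManager.getLastKnownLocation
2022-05-20 10:00:07.900 pid=4321 pkg=com.example.nav api=android.telephony.TelephonyManager.getDeviceId
2022-05-20 10:00:09.010 pid=4321 pkg=com.example.nav api=android.content.ContentResolver.query:contacts
2022-05-20 10:00:12.300 pid=4321 pkg=com.example.nav api=android.location.LocationManager.getLastKnownLocation
2022-05-20 10:00:15.000 pid=5555 pkg=com.example.other api=android.telephony.SmsManager.sendTextMessage
2022-05-20 10:01:30.000 pid=4321 pkg=com.example.nav api=android.telephony.SmsManager.sendTextMessage
""".splitlines()
WINDOW_START = datetime(2022, 5, 20, 10, 0, 0)
WINDOW = timedelta(seconds=60)


def nav_counts(monitored: Optional[Set[str]] = None) -> Dict[str, int]:
    """Counts for the constructed log; pass the statically declared groups to narrow monitoring."""
    return api_call_counts(HOOK_LOG, "com.example.nav", WINDOW_START, WINDOW, monitored)


if __name__ == "__main__":
    print("all groups:   ", t_vector(nav_counts()))
    print("static-guided:", t_vector(nav_counts({"LOCATION", "PHONE", "STORAGE"})))
```

Passing the groups from the static vector as `monitored` is the "reduce monitoring for permissions not requested" rule; note that a call to a group the app never declared (CONTACTS here) is exactly what a security analyst would still want to see, so in practice one lowers the sampling rate for undeclared groups rather than dropping them.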
The subjective expected value is obtained from the user as follows:
For software of class A_j, the user judges each permission group or sensitive API function class that the software will use and assigns a score of 5, 4, 3, 2 or 1 from high to low, ranging from "very irrelevant" to "very relevant". The more likely the user believes that use of the permission or API function creates a security threat, the higher the score, and the lower otherwise. The subjective evaluation vector is defined as E_user, where J(i, A_j) is the user's subjective expectation:

E_user(A_j) = {J(1, A_j), J(2, A_j), ..., J(9, A_j), C}    (6)
The quantitative evaluation on the three-dimensional indices proceeds as follows:
(1) The static, dynamic and subjective indices of the application under test are normalised and then weighted and summed to obtain its evaluation vector Risk;
(2) A Support Vector Machine (SVM) model is trained on the existing dataset and used to judge the input Risk vector. A nonlinear transformation maps the problem into a feature space of some dimension in which it becomes a linear classification problem, a linear SVM is trained in that high-dimensional space, and the inner products in the objective function and the decision function are replaced by a kernel function K(Risk_i, Risk_j), which realises the nonlinear transformation; a Gaussian kernel is used.
Choosing a suitable kernel function and a penalty parameter C > 0 gives a nonlinear support vector machine that determines the separating hyperplane and the decision function f_w(G) between the two classes of samples, where G is the training set.
Here B_i is the classification label, 1 for benign and -1 for malware, and α_i^*, b^* is the optimal solution of the convex quadratic programming problem.
(3) Given the separating hyperplane and decision function, there are two scoring modes. In distance-based scoring a distance function dist(A_wait, f_w) is defined, where A_wait is the application to be judged. For a given dataset G and the obtained hyperplane f_w(G), the geometric margin of the hyperplane with respect to a sample point G_i is defined as γ_i; γ_i is positive for benign software and negative for malware, and the sample set is used for training. With maxDist the maximum and minDist the minimum distance in the training set, the absolute distances from the hyperplane of the benign-class and malware-class samples are normalised separately, the malware class is inverted, and the samples are then mapped to the range 1-100 to output the evaluation Score(dist, A_wait, G); a score in 0-50 indicates malware and a score in 51-100 indicates benign software;
(4) Probability-based scoring: the probability of belonging to the benign class is prob(A_wait, G, 0) and the probability of belonging to the malware class is prob(A_wait, G, 1):

prob(A_wait, G, 0) + prob(A_wait, G, 1) = 1    (13)

The probability distribution on the two sides of the discriminant function is computed to obtain Score(dist, A_wait, G); again, a score in 0-50 indicates malware and a score in 51-100 indicates benign software.
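The two scoring modes of steps (3) and (4), worked through on a constructed model. This is an added example, not the patent's implementation: a linear decision function f(x) = w·x + b with constructed weights stands in for the trained Gaussian-kernel SVM (the scoring only needs the signed margin γ, so the substitution does not change the mapping), the training set G is constructed, and the class probability uses an assumed sigmoid on γ, since the page states only that the two probabilities sum to 1 (eq. 13). The benign side is mapped to 51-100 and the malware side, inverted, to 50-1; that exact placement within the 1-100 range is this example's choice.

```python
import math
from typing import List, Sequence, Tuple

Vector = Sequence[float]
Sample = Tuple[Vector, int]  # (index vector, B_i) with B_i = +1 benign, -1 malware

# Assumed decision function (constructed weights, not a trained SVM): f(x) = w.x + b.
W: List[float] = [3.0, 4.0]
B: float = -5.0


def geometric_margin(x: Vector, w: Vector = W, b: float = B) -> float:
    """gamma = (w.x + b) / ||w||: positive on the benign side, negative on the malware side."""
    return (sum(wi * xi for wi, xi in zip(w, x)) + b) / math.sqrt(sum(wi * wi for wi in w))


# Constructed training set G, labelled with B_i (not the patent's dataset).
TRAIN: List[Sample] = [
    ([2.0, 6.0], 1), ([2.0, 1.0], 1),        # benign, gamma = 5 and 1
    ([0.0, 0.0], -1), ([-2.0, -1.0], -1),    # malware, gamma = -1 and -3
]


def distance_score(x: Vector, train: Sequence[Sample]) -> int:
    """Score(dist, A_wait, G): normalise |gamma| against the training distances of the
    side A_wait falls on (minDist..maxDist), invert the malware side, map to 1-100."""
    gamma = geometric_margin(x)
    side = 1 if gamma >= 0 else -1
    dists = [abs(geometric_margin(s)) for s, label in train if label == side]
    min_dist, max_dist = min(dists), max(dists)
    norm = 0.0 if max_dist == min_dist else (abs(gamma) - min_dist) / (max_dist - min_dist)
    norm = min(1.0, max(0.0, norm))  # samples farther out than any training point saturate
    # benign: 51..100 grows with distance; malware: inverted, 50..1 shrinks with distance
    return round(51 + 49 * norm) if side == 1 else round(50 - 49 * norm)


def class_probabilities(x: Vector, k: float = 1.0) -> Tuple[float, float]:
    """(prob(A_wait, G, 0), prob(A_wait, G, 1)) = (benign, malware); assumed sigmoid on gamma,
    so the pair sums to 1 as eq. (13) requires. k is an assumed steepness parameter."""
    p_benign = 1.0 / (1.0 + math.exp(-k * geometric_margin(x)))
    return p_benign, 1.0 - p_benign


def probability_score(x: Vector, k: float = 1.0) -> int:
    """Probability-based score on the same 1-100 scale: 100 * prob(benign), rounded."""
    return round(100 * class_probabilities(x, k)[0])


if __name__ == "__main__":
    for candidate in ([1.0, 2.0], [-1.0, 0.0], [10.0, 10.0]):
        print(candidate, "gamma=%.2f" % geometric_margin(candidate),
              "dist score=%d" % distance_score(candidate, TRAIN),
              "prob score=%d" % probability_score(candidate))
```

The two modes disagree near the hyperplane in the way the test section reports: a sample just on the benign side with a small margin scores barely above 50 by distance (it is at the bottom of the benign range) but noticeably higher by probability, which is why the probability scheme is described as more tolerant of extreme subjective scores.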
The technical means disclosed by the invention are not limited to those disclosed in the embodiments; they also include any combination of the disclosed technical features.
Method test cases
Take the travel navigation class as an example.
The apk file of the application under test is obtained from the official Huawei mobile application market and examined with the static detection tool to obtain the permission correlation of navigation and travel applications. As shown in FIG. 4, the camera, location, phone and storage permission groups have low correlation, which means software of this class requests them frequently, so navigation and travel software invoking these permissions can be tolerated when the security of an application used by the user is analysed.
The travel navigation software under test is installed in an Android environment equipped with the dynamic monitoring tool and run; the tool monitors and records the application's behaviour, from which the historical confidence is obtained. The historical confidence of a certain software X is shown in FIG. 5. It can be seen that adjusting the growth coefficient and the adjustment coefficient reduces the extreme values of the historical confidence and keeps the difference and spread of each index within a suitable range. In this test, α = 2 and β = 3 are selected.
Two opposite subjective expectation profiles are set: the experimental group is more sensitive to the use of each permission and more concerned with privacy protection, while the control group is relatively tolerant and accepts applications using a wider range of permissions, as shown in FIG. 6.
FIG. 7 and FIG. 8 show the feature distribution of the navigation and travel test applications. FIG. 7 shows the two representative features location and sensors, and FIG. 8 adds phone to give a three-dimensional feature. The difference between the benign and malware classes is clearly visible: although the analysis values of a few samples are outliers, the two classes are clearly separable as a whole, which reflects the complementary effect of the combined framework.
FIG. 9 and FIG. 10 show the distance-based and probability-based evaluation schemes respectively; TN denotes each piece of software, the experimental group is user A and the control group is user B. In the distance-based scheme no application meets the security expectations of the privacy-conscious user A, and even the safer TN4 scores only about 40. For user B, who is less concerned about location and communication privacy, the applications TN4 and TN5 meet the security expectations and receive higher scores. In the probability-based scheme the security picture for user B is roughly the same as in the first scheme, while for user A the evaluation of TN4 now meets the security expectation and the security coefficients of TN5 and TN1 are also slightly higher. Overall, the user-oriented evaluation scheme is usable: the classification results for different users differ to some extent, since the same behaviour of software in the same category can lead to different subjective judgements and hence different evaluation results. This shows that the model highlights the differences between software behaviours and quantifies them as clear numerical features that users can understand and perceive, giving them a good reference. Of the two schemes, the probability-based security evaluation is more tolerant of the user's degree of concern and can balance the influence of extreme subjective scores.
Claims (7)
1. A multi-dimensional Android platform application behaviour security assessment method integrating the user's subjective evaluation, characterised in that it comprises an application analysis method and an application evaluation method:
the application analysis method performs permission-based static detection on the application to be tested and real-time dynamic monitoring of its behaviour, and obtains the application's use of each permission; the static detection result is provided to the dynamic monitoring as guidance, compensating for the inefficiency of dynamic monitoring: for applications that request more permissions in static detection the number of monitored related APIs is increased, and for applications that request no or few permissions the monitoring effort is reduced;
the application evaluation method quantifies the static detection and dynamic monitoring results into feature vectors, integrates the user's subjective expectation for the calling of different permissions by the software category to which the application to be tested belongs, weights and adds the static, dynamic and subjective-expectation indexes of the application to obtain the index vector of the sample to be tested, trains a soft-margin SVM on the existing standard dataset of malicious and benign software to obtain the hyperplane and discriminant function between the two classes, inputs the index vector of the sample to be tested, and evaluates and scores the sample according to its distance to the hyperplane and the probability of it being judged benign software.
2. The method according to claim 1, characterised in that the permission-based static detection of the application to be tested comprises obtaining the apk file of the application from a mobile phone application market, obtaining the application source by decompilation, and analysing the AndroidManifest.xml file obtained after decompilation by string matching to obtain the permission requests declared under the <uses-permission> tag.
3. The method according to claim 2, characterised in that the real-time dynamic monitoring of the behaviour of the application to be tested, based on the static detection result, comprises installing the application in a rooted Android environment, taking control of the system service process by hooking, and running the application to obtain a record of the privacy permissions and sensitive APIs it calls within a given time.
4. The method according to claim 1, characterised in that the application evaluation method comprises the following steps:
Step 1, obtaining the static index, the permission correlation, from the static detection data of the application analysis method;
Step 2, obtaining the dynamic index, the historical confidence, from the dynamic monitoring data of the application analysis method;
Step 3, obtaining the subjective-expectation index, i.e. the subjective expected value, from the user's tolerance for and sensitivity to calls of different permissions by the software category to which the application to be tested belongs;
Step 4, combining the static, dynamic and subjective-expectation indexes of the application to be tested with the existing malicious and benign software dataset to obtain the evaluation score.
5. The method according to claim 4, characterised in that step 1 comprises:
software is divided into 17 categories according to the Hua mobile phone application market and recorded as ; permissions are divided into 9 groups according to the Android permissions and recorded as ; static detection yields the permission declaration vector , which includes:
the static index, the permission correlation, is calculated from the permission declaration vector by the following formula:
where is the number of applications in the existing dataset belonging to the software category of the application to be tested, represents the frequency with which the permission group occurs in that application category, and represents the permission correlation of the permission group in the software category.
6. The method according to claim 5, characterised in that step 2 comprises:
dynamic monitoring obtains, within a given time, the number of calls to the API functions corresponding to each permission group of the application to be tested, and the dynamic index, the historical confidence, is calculated as:
where represents the historical confidence of the detected application calling the API function set , the call frequency indicates the likelihood that this permission leaks privacy, and is an adjusting coefficient: the coefficient is raised as the likelihood of leakage increases, so that the system measures the degree to which the application's calls to the permission are tolerable.
7. The method according to claim 5, characterised in that step 3 comprises:
for a given class of software, the user judges each permission or sensitive API function class that may be used and scores it 5, 4, 3, 2 or 1 from high to low, from highly relevant to completely irrelevant: the higher the user considers the likelihood that using the permission or API function produces a security threat, the higher the score, and otherwise the lower. The subjective evaluation vector is defined as
where is the subjective expectation of the user.
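The static side of claims 2 and 5, as an added example in Python (not code from the patent): the <uses-permission> declarations of a decoded AndroidManifest.xml are read with an XML parser rather than by string matching, folded into permission groups, and the per-category permission correlation of claim 5 is computed as the share of apps in the category that declare each group. The nine groups and their members, the sample manifest and the category dataset are assumptions, since the patent lists neither the groups nor a legible formula.

```python
"""Static permission analysis (claims 2 and 5). Added example, not the patent's code.
Assumptions: the nine permission groups and their members below, the sample
manifest and the navigation-category dataset (all constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed grouping of dangerous permissions into the patent's nine groups,
# modelled on Android's runtime permission groups (the patent does not list them).
PERMISSION_GROUPS = {
    "LOCATION": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "PHONE": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
              "android.permission.READ_CALL_LOG"},
    "SMS": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "CONTACTS": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "STORAGE": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "CAMERA": {"android.permission.CAMERA"},
    "MICROPHONE": {"android.permission.RECORD_AUDIO"},
    "SENSORS": {"android.permission.BODY_SENSORS", "android.permission.ACTIVITY_RECOGNITION"},
    "CALENDAR": {"android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
}
GROUP_ORDER = tuple(PERMISSION_GROUPS)

# Constructed manifest of a hypothetical navigation app, as apktool would decode it.
# It requests location, phone state and SMS, and also *defines* a permission of its
# own, which a naive string match for "permission" would wrongly count as a request.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.nav">
    <permission android:name="com.example.nav.permission.INTERNAL"
        android:protectionLevel="signature"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-feature android:name="android.hardware.location.gps"/>
    <application android:label="Nav"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Names requested via <uses-permission> or <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return names


def vector_from_groups(groups):
    """0/1 declaration vector over GROUP_ORDER from a set of group names."""
    return [1 if g in groups else 0 for g in GROUP_ORDER]


def declaration_vector(manifest_xml):
    """Claim 2's result: which of the nine groups the app requests."""
    requested = declared_permissions(manifest_xml)
    return [1 if requested & PERMISSION_GROUPS[g] else 0 for g in GROUP_ORDER]


def permission_correlation(category_vectors):
    """Claim 5's permission correlation, read as the share of apps in the
    category that declare each group (the page's formula is not legible)."""
    n = len(category_vectors)
    return [sum(v[i] for v in category_vectors) / n for i in range(len(GROUP_ORDER))]


def static_risk(vector, correlation):
    """Assumed static index per group: a requested group that is unusual for
    the category scores high; an unrequested group contributes nothing."""
    return [d * (1.0 - r) for d, r in zip(vector, correlation)]


# Constructed navigation-category "existing dataset" of five apps.
NAV_CATEGORY = [vector_from_groups(s) for s in (
    {"LOCATION", "STORAGE"},
    {"LOCATION", "STORAGE", "MICROPHONE"},
    {"LOCATION"},
    {"LOCATION", "SMS", "CONTACTS"},
    {"LOCATION", "STORAGE", "CAMERA"},
)]

if __name__ == "__main__":
    vec = declaration_vector(SAMPLE_MANIFEST)
    corr = permission_correlation(NAV_CATEGORY)
    for group, d, r, risk in zip(GROUP_ORDER, vec, corr, static_risk(vec, corr)):
        print(f"{group:<10} declared={d} category_share={r:.2f} static_risk={risk:.2f}")
```

The manifest inside an APK is stored as binary AXML, so it has to be decoded first (apktool, or `aapt dump permissions` on the APK) before any text-level analysis. Parsing the XML avoids two errors a string match on "permission" makes: it does not count `<permission>` definitions or `<uses-feature>` entries as requests, and it does not miss `<uses-permission-sdk-23>`. In the sample the SMS and phone groups are declared but rare in the category, so they carry the static risk, while location is declared by every navigation app and carries none.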
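The evaluation of claims 1, 4, 6 and 7 and the two scoring schemes of Figs. 9 and 10, as an added example in Python (not the patent's code): per-group index vectors are built from the static, dynamic and subjective dimensions, a linear soft-margin SVM is trained by subgradient descent on a constructed labelled dataset, and the sample to be tested is scored by its distance to the hyperplane and by a probability of being benign, for two user profiles. The page does not give the historical-confidence formula, the weighting or the score scaling, so the decay 1/(1+0.05n), the additive combination, both score maps and every dataset value are assumptions; folding the subjective term only into the sample to be tested, so that an unconcerned user is scored on the objective features alone, is one reading of claim 1.

```python
"""Evaluation side (claims 1, 4, 6, 7; figs. 9 and 10). Added example, not the
patent's code. Assumed: the confidence decay, the additive index, the score
maps and all dataset values."""
import math

GROUPS = ("LOCATION", "SENSORS", "PHONE")    # three of the nine groups, as in figs. 7-8
NAV_CORRELATION = (0.9, 0.7, 0.2)            # assumed claim-5 shares for navigation apps

# Constructed labelled dataset for the navigation category:
# (declared-group vector, API calls per group in the monitoring window, label)
# label +1 = benign, -1 = malware.
DATASET = [
    ((1, 1, 0), (3, 2, 0), +1), ((1, 1, 0), (5, 4, 0), +1), ((1, 0, 0), (2, 0, 0), +1),
    ((1, 1, 0), (6, 3, 0), +1), ((1, 1, 0), (1, 1, 0), +1), ((1, 1, 0), (4, 5, 0), +1),
    ((1, 1, 1), (80, 40, 60), -1), ((1, 1, 1), (120, 30, 90), -1), ((1, 1, 1), (70, 20, 75), -1),
    ((1, 1, 1), (95, 55, 50), -1), ((1, 1, 1), (60, 45, 110), -1), ((1, 1, 1), (150, 25, 65), -1),
]
# Constructed samples to be tested and user profiles (claim 7 scores, 5 = most concerned).
APP_TN4 = ((1, 1, 0), (4, 3, 0))
APP_ROGUE = ((1, 1, 1), (90, 50, 70))
USER_A = (5, 3, 5)     # privacy-conscious about location and phone
USER_B = (2, 2, 3)


def historical_confidence(calls, alpha=0.05):
    """Claim 6: confidence that a permission is used acceptably falls as its API
    call count rises. The patent's formula is not legible; 1/(1+alpha*n) is assumed."""
    return 1.0 / (1.0 + alpha * calls)


def index_vector(declared, calls, user_scores=None):
    """Claims 1/4: per-group index = static + dynamic (+ subjective). The subjective
    term (s-1)/4 is zero for an unconcerned user (score 1), so the labelled dataset is
    vectorised without it and only the sample to be tested carries the user's view."""
    out = []
    for i, _ in enumerate(GROUPS):
        static = declared[i] * (1.0 - NAV_CORRELATION[i])
        dynamic = 1.0 - historical_confidence(calls[i])
        subjective = 0.0 if user_scores is None else (user_scores[i] - 1) / 4.0
        out.append(static + dynamic + subjective)
    return out


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def train_soft_margin_svm(xs, ys, lam=0.01, lr=0.05, iters=4000):
    """Linear soft-margin SVM: batch subgradient descent on
    lam/2*||w||^2 + mean(max(0, 1 - y*(w.x+b))). Stand-in for a library SVM."""
    dim, n = len(xs[0]), len(xs)
    w, b = [0.0] * dim, 0.0
    for _ in range(iters):
        gw, gb = [lam * wi for wi in w], 0.0
        for x, y in zip(xs, ys):
            if y * (dot(w, x) + b) < 1.0:           # hinge active: margin violated
                for i in range(dim):
                    gw[i] -= y * x[i] / n
                gb -= y / n
        w = [wi - lr * gi for wi, gi in zip(w, gw)]
        b -= lr * gb
    return w, b


def build_model():
    xs = [index_vector(d, c) for d, c, _ in DATASET]
    ys = [y for _, _, y in DATASET]
    return train_soft_margin_svm(xs, ys)


def decision(model, x):
    """Signed distance to the hyperplane in units of the SVM margin (>0 = benign side)."""
    w, b = model
    return dot(w, x) + b


def training_accuracy(model):
    ok = sum(1 for d, c, y in DATASET if y * decision(model, index_vector(d, c)) > 0)
    return ok / len(DATASET)


def distance_score(f):
    """Scheme 1 (fig. 9): linear in the distance, clipped: 0 at the malware margin,
    50 on the hyperplane, 100 at the benign margin (assumed scaling)."""
    return max(0.0, min(100.0, 50.0 * (1.0 + f)))


def probability_score(f, steepness=1.0):
    """Scheme 2 (fig. 10): 100 * P(benign) through a logistic map of the decision
    value (Platt-style, with A=steepness and B=0 assumed rather than fitted)."""
    return 100.0 / (1.0 + math.exp(-steepness * f))


def evaluate(model, app, user_scores=None):
    declared, calls = app
    f = decision(model, index_vector(declared, calls, user_scores))
    return {"decision": f, "distance": distance_score(f), "probability": probability_score(f)}


if __name__ == "__main__":
    model = build_model()
    print("training accuracy:", training_accuracy(model))
    for name, app in (("TN4", APP_TN4), ("rogue", APP_ROGUE)):
        for user, scores in (("A", USER_A), ("B", USER_B)):
            r = evaluate(model, app, scores)
            print(f"{name} / user {user}: distance={r['distance']:5.1f} "
                  f"probability={r['probability']:5.1f}")
```

Because the user's expectation only ever adds to the index, the more concerned user A is always scored lower than user B for the same observed behaviour, which is the pattern Figs. 9 and 10 describe. The two schemes differ at the extremes: the clipped distance score bottoms out at 0 once a sample is past the malware margin, whereas the logistic map keeps a small positive value there, which is why the probability scheme is the more tolerant of a very high subjective score.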
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210564742.1A CN115203692B (en) | 2022-05-23 | 2022-05-23 | A Multidimensional Approach to Security Assessment of Android Platform Application Behavior that Integrates User Subjective Evaluation |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210564742.1A CN115203692B (en) | 2022-05-23 | 2022-05-23 | A Multidimensional Approach to Security Assessment of Android Platform Application Behavior that Integrates User Subjective Evaluation |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115203692A (en) | 2022-10-18 |
| CN115203692B (en) | 2025-12-30 |
Family
ID=83574412
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210564742.1A Active CN115203692B (en) | 2022-05-23 | 2022-05-23 | A Multidimensional Approach to Security Assessment of Android Platform Application Behavior that Integrates User Subjective Evaluation |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115203692B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116436701B (en) * | 2023-06-12 | 2023-08-18 | 杭州明实科技有限公司 | Method, device, equipment and storage medium for predicting network attacks |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102799822A (en) * | 2012-07-11 | 2012-11-28 | 中国信息安全测评中心 | Software running security measurement and estimation method based on network environment |
| CN111417121A (en) * | 2020-02-17 | 2020-07-14 | 西安电子科技大学 | Multi-malware hybrid detection method, system and device with privacy protection function |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9152789B2 (en) * | 2008-05-28 | 2015-10-06 | Zscaler, Inc. | Systems and methods for dynamic cloud-based malware behavior analysis |
| BR112013004345B1 (en) * | 2010-08-25 | 2020-12-08 | Lookout, Inc. | system and method to avoid malware attached to a server |
| CN102055613B (en) * | 2010-12-13 | 2012-12-26 | 宁波大学 | Network quality evaluation method |
| CN103177214B (en) * | 2011-12-23 | 2016-02-10 | 宇龙计算机通信科技(深圳)有限公司 | The detection method of Malware, system and communication terminal |
| CN108446848A (en) * | 2018-03-21 | 2018-08-24 | 北京理工大学 | Individual networks awareness of safety scalar quantization evaluation method |
| CN112395626A (en) * | 2020-11-18 | 2021-02-23 | 平安普惠企业管理有限公司 | Risk assessment method and device for user permission, computer equipment and storage medium |
| CN112800437B (en) * | 2021-04-08 | 2021-07-27 | 国家信息中心 | Information security risk evaluation system |
| CN114357509A (en) * | 2021-12-28 | 2022-04-15 | 深圳Tcl新技术有限公司 | Privacy security evaluation method and device, computer equipment and readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115203692A (en) | 2022-10-18 |
Similar Documents
| Publication | Title |
|---|---|
| US20250337742A1 (en) | Anomaly-based mitigation of access request risk |
| US11995518B2 (en) | Machine learning model understanding as-a-service |
| Du et al. | Statistical estimation of malware detection metrics in the absence of ground truth |
| CN118568695B (en) | Digital security management method and system based on block chain |
| Sepczuk et al. | A new risk-based authentication management model oriented on user's experience |
| Ofili et al. | Enhancing federal cloud security with AI: zero trust, threat intelligence, and CISA compliance |
| CN118965234B (en) | A method and system for preventing enterprise data assets from leaking |
| Chang et al. | A framework for estimating privacy risk scores of mobile apps |
| CN115203692B (en) | A Multidimensional Approach to Security Assessment of Android Platform Application Behavior that Integrates User Subjective Evaluation |
| Schnitzer et al. | AI Hazard Management: A framework for the systematic management of root causes for AI risks |
| CN106997434A (en) | Secret protection module and guard method based on android system |
| CN117668400A (en) | Front-end page operation abnormality identification method, device, equipment and medium |
| Akhuseyinoglu et al. | AntiWare: An automated Android malware detection tool based on machine learning approach and official market metadata |
| Wang et al. | Malware detection using cnn via word embedding in cloud computing infrastructure |
| Duraz et al. | Explainability-based metrics to help cyber operators find and correct misclassified cyberattacks |
| CN119728167A (en) | SQL injection attack protection method and device based on zero trust framework |
| Kalantari et al. | Browser Polygraph: Efficient Deployment of Coarse-Grained Browser Fingerprints for Web-Scale Detection of Fraud Browsers |
| Biswas et al. | 3P framework: Customizable permission architecture for mobile applications |
| Izergin et al. | Risk assessment model of compromising personal data on mobile devices |
| CN115221514A (en) | Android malicious software detection method based on two-layer machine learning |
| Parmar et al. | Dynamic trust score explanation and adjustment in zero trust architecture using large language models |
| Izuchukwu | Data privacy rights and regulatory challenges of Generative AI models: a case study approach |
| US12462027B2 (en) | Robust feature selection for computer security applications |
| Shi et al. | Multi-dimensional assessment for Android application security based on users' evaluation |
| Yu et al. | Android Malware Detection Using Ensemble Learning on Sensitive APIs |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |