(11)EP 2 852 913 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
10.06.2020 Bulletin 2020/24

(21)Application number: 13819956.7

(22)Date of filing:  05.07.2013
(51)International Patent Classification (IPC): 
G06F 21/56(2013.01)
(86)International application number:
PCT/CN2013/078894
(87)International publication number:
WO 2014/012441 (23.01.2014 Gazette  2014/04)

(54)

METHOD AND APPARATUS FOR DETERMINING MALICIOUS PROGRAM

VERFAHREN UND VORRICHTUNG ZUR BESTIMMUNG VON SCHADPROGRAMMEN

PROCÉDÉ ET APPAREIL DE DÉTERMINATION DE PROGRAMME MALVEILLANT


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 16.07.2012 CN 201210245337

(43)Date of publication of application:
01.04.2015 Bulletin 2015/14

(73)Proprietor: Tencent Technology (Shenzhen) Company Limited
Shenzhen, Guangdong 518000 (CN)

(72)Inventors:
  • LI, Wei
    Shenzhen Guangdong 518000 (CN)
  • TONG, Yongliang
    Shenzhen Guangdong 518000 (CN)

(74)Representative: Gunzelmann, Rainer
Wuesthoff & Wuesthoff Patentanwälte PartG mbB
Schweigerstraße 2
81541 München (DE)


(56)References cited:
WO-A2-2011/122845
KR-A- 20110 128 632
US-A1- 2009 158 260
US-B1- 7 779 472
CN-A- 1 818 823
US-A1- 2009 037 976
  
  • J. Bergeron et al.: "Static Detection of Malicious Code in Executable Programs", Int. J. on Req. Eng., 1 October 2001 (2001-10-01), XP055235521, Retrieved from the Internet: URL:http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=A8B7E83DBB0811435B7AE906C47AAE51?doi=10.1.1.102.6845&rep=rep1&type=pdf [retrieved on 2015-12-10]
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

CROSS-REFERENCES TO RELATED APPLICATIONS


FIELD OF THE DISCLOSURE



[0001] The present disclosure generally relates to the field of computer technology and particularly relates to methods and apparatus for determining a malicious program.

BACKGROUND



[0002] With the development of software technology, more and more application programs are developed and used to enrich people's lives with significant convenience. However, malicious programs have appeared for the purposes of stealing users' private information and/or phone charges. This causes personal information and property to become unsafe.

[0003] Currently, malicious programs may be identified by manually testing the application program. Specifically, various functions of the application program may be manually triggered. The operating behavior of the application program may be observed and analyzed to determine whether the application program is a malicious program.

[0004] However, such manual testing of the application program to determine whether it is a malicious program has a high cost and a slow testing speed, and is thus inefficient.

[0005] The document "Static Detection of Malicious Code in Executable Programs" by J. Bergeron et al. describes a new approach for the static detection of malicious code in executable programs, including three major steps: construction of an intermediate representation, flow-based analysis, and static verification.

[0006] The document US 7,779,472 B1 relates to application behavior based malware detection by use of a virtual machine arranged to emulate the instructions of the executable file.

[0007] The document US 2009/0037976A1 relates to a system and method for securing a network session in which a security component is included capable of executing a security policy.

[0008] The document WO 2011/122845 A2 relates to a mobile communication terminal having a behavior-based malicious code detection function and a detection method thereof.

BRIEF SUMMARY OF THE DISCLOSURE



[0009] The scope of the invention is defined by the appended independent claims. Further embodiments are defined in their respective dependent claims. Those embodiments which do not fall within the scope of the appended set of claims are to be interpreted as examples or background information, useful only for understanding the invention.

BRIEF DESCRIPTION OF THE DRAWINGS



[0010] The following drawings are merely examples for illustrative purposes according to various disclosed embodiments and are not intended to limit the scope of the disclosure.

FIG. 1 depicts an exemplary method for determining a malicious program in accordance with various disclosed embodiments;

FIG. 2 depicts another exemplary method for determining a malicious program in accordance with various disclosed embodiments;

FIG. 3 depicts an exemplary apparatus for determining a malicious program in accordance with various disclosed embodiments;

FIG. 4 depicts an exemplary obtaining module in accordance with various disclosed embodiments;

FIG. 5 depicts an exemplary second determining obtaining module in accordance with various disclosed embodiments;

FIG. 6 depicts another exemplary apparatus for determining a malicious program in accordance with various disclosed embodiments;

FIG. 7 depicts an exemplary environment incorporating certain embodiments of the present invention; and

FIG. 8 depicts a block diagram of an exemplary computing system consistent with the disclosed embodiments.


DETAILED DESCRIPTION



[0011] Reference will now be made in detail to exemplary embodiments of the disclosure, which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

[0012] FIG. 1 depicts an exemplary method for determining a malicious program in accordance with various disclosed embodiments.

[0013] In Step 101, a specific application programming interface (API) within an application program is obtained.

[0014] In Step 102, call logic for calling the specific API is determined. The call logic can include a triggering event to trigger the specific API to be called and/or a feedback path provided after the specific API is called.

[0015] In Step 103, according to the call logic, it is determined whether the application program is a malicious program.

[0016] In this manner, a specific API within the application program is obtained, the call logic for calling the specific API is determined, and whether the application program is a malicious program can be determined according to that call logic. The exemplary method can avoid the manual testing procedure and improve testing efficiency. In one embodiment, determining a malicious application according to the call logic of a specific API within the application program that may potentially steal the user's privacy and/or phone charges can improve the degree of accuracy for determining whether the application program is a malicious program.

[0017] FIG. 2 depicts another exemplary method for determining a malicious program in accordance with various disclosed embodiments.

[0018] In Step 201, an application program is decompiled to obtain a code file of the application program.

[0019] In Step 202, the code file from decompiling can be scanned to extract the specific API from the code file. The specific API may include, but is not limited to, a function of accessing user's private information, a function of modifying user's private information, a network access function, a call function, a message feedback function, a function of modifying system settings, a function of silently installing a third-party application program, and/or a function of terminating a program process.

[0020] The function of accessing user's private information may include, but is not limited to, a function of reading the user's address book, message (e.g., SMS) contents, call records, and/or contact information. The function of modifying user's private information may include, but is not limited to, a function of deleting message contents, modifying the message contents, and/or modifying the user's address book. The network access function may include, but is not limited to, a function of connecting to the network and accessing a business for fee deductions, for example, a function of connecting to the network to send text messages for fee deductions and other business deductions. The call function refers to a function of calling a called party to establish a connection for conversation, e.g., for making a phone call. The message feedback function may include, but is not limited to, a function of intercepting and replying to a text message for fee deductions and/or a function of automatically sending a text message for fee deductions.

[0021] In many cases, the obtained specific API may steal the user's private information and/or phone charges when the application program is in operation. Alternatively, when the application program is in operation, the obtained specific API may silently install, e.g., a Trojan program, software products with charges, or other third-party application programs, and/or maliciously terminate other currently running programs.

[0022] For example, when the specific API is a function of reading user's address book, message contents, call records, and/or contact information, the application program may be a malicious program for the purposes of stealing user's private information. Once this application program is in operation, the user's address book, message contents, call records, contact information and/or other user's private information may be stolen.

[0023] When the specific API is a function of connecting to a network and accessing a business for fee deductions, the application program may be a malicious program for the purposes of stealing user's phone charges. Once this application program is in operation, the network can be connected to consume user's network fees. Further, the business for fee deductions may be accessed and the user's phone charges may be consumed.

[0024] When the specific API is a function of silently installing a third-party application program, once this application program is in operation, a Trojan program and/or some software products with charges may be silently installed. This can cause potential safety issues and/or loss of phone charges to the user.

[0025] When the specific API is a function of terminating a program process, once this application program is in operation, the currently running processes of office software products, instant messaging software products, and/or browsers may be maliciously terminated.

[0026] In Step 203, call logic for calling the specific API is determined. The call logic can include a triggering event to trigger the specific API to be called and/or a feedback path provided after the specific API is called.

[0027] It is necessary to determine the call logic for calling the specific API. This is because it is possible that the specific API is called in a legal situation. For example, when the specific API is a function of reading user's address book, calling the user's address book may be for managing the user's address book (e.g., which is a legal use), not for stealing the user's address book (e.g., which is a malicious use). Therefore, to further determine whether the API interface is used for the purposes of stealing the user's private information and/or the user's phone charges, it is necessary to analyze the call logic for calling the specific API.

[0028] In various disclosed embodiments, determining the call logic for calling the specific API can include: analyzing classes, functions, procedure events, and calling relationship between functions in the decompiled code file, and extracting the call logic for calling the specific API.

[0029] In Step 204, according to the determined call logic, it is determined whether the application program is a malicious program. For example, the determining of whether the application program is a malicious program according to the call logic may include: matching the call logic with a pre-stored logic model that provides call logic for malicious programs. One example of such call logic is that, when a terminal device on which the application program is installed is powered on and the application program self-starts, the specific API is executed and the calling results are returned to a specific path (a designated address).

[0030] The determining of whether the application program is a malicious program according to the call logic may further include: determining that the application program is a malicious program, when the call logic matches with the call logic of the logic model; and determining that the application program is safe, when the call logic does not match with any call logic in the logic model.

[0031] In an exemplary embodiment, the called specific API is likely to be malicious if the determined call logic meets a condition: that the specific API is called to execute without authorization (e.g., the specific API is called to execute when the terminal device is powered on to self-start), or that the calling results are returned to a designated address after the specific API is called.

[0032] In specific embodiments where the specific API is a function of reading the user's address book, message (e.g., SMS) contents, call records, and/or contact information, and the determined specific API is called with a call logic such that: the specific API is called when the terminal device is powered on to self-start; the user's address book, message (e.g., SMS) contents, call records, and/or contact information obtained after the specific API is called are returned to a designated address; and the call logic indicates that the specific API is called to execute without being authorized by the user, the application program is considered a malicious program for the purposes of stealing the user's address book, message contents, call records, contact information, and/or other private information of the user.

[0033] In specific embodiments where the specific API is a function of connecting to a network to access a business for fee deductions, and the determined specific API is called with a call logic of connecting to a network to access a business for fee deductions via the specific API when the device is powered on to self-start, and the call logic indicates that the action of accessing the business for fee deductions is not authorized by the user, the application program is considered a malicious program for the purposes of consuming the user's network resources and the user's phone charges.

[0034] In specific embodiments where the specific API is a function of intercepting and replying to a message for fee deductions, and the determined specific API is called with a call logic of monitoring and intercepting the message for fee deductions, such that once the message for fee deductions is replied to, the user's phone charges are consumed, the application program is considered a malicious program for the purposes of consuming the user's phone charges.

[0035] In specific embodiments where the specific API is a function of silently installing a third-party application program or a function of terminating a program process, and the determined specific API is called with a call logic of automatically installing some software products with charges/fees or terminating currently running programs without authorization by the user while the application program is in operation (installing software products with charges may cause loss of the user's phone charges, and terminating the currently running programs may cause loss of the user's data), the application program is considered a malicious program for the purposes of consuming the user's phone charges.

[0036] In Step 205, when the application program is determined to be a malicious program, information of the application program including, for example, an icon, name, and/or installation path of the application program, is returned to the user to inform the user of possible malicious programs. Further, the user can also be provided with a selection tab such that the user can choose whether to uninstall this application program based on the selection tab.
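The following Python program is an added worked example, not code from the patent or from Tencent; it runs Steps 202 to 205 over a constructed, already-decompiled call graph. The API names, the triggering events (BOOT_COMPLETED, SMS_RECEIVED, USER_CLICK), the sample applications and the pre-stored logic model are all assumptions chosen to illustrate the procedure.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Specific APIs per category ([0019]); the call names are constructed stand-ins.
SPECIFIC_APIS = {
    "ContentResolver.query": "read_private_info",
    "SmsManager.sendTextMessage": "message_feedback",
    "HttpURLConnection.connect": "network_access",
    "PackageInstaller.install": "silent_install",
    "ActivityManager.killBackgroundProcesses": "terminate_process",
}
# Calls whose argument is a destination: a "feedback path to a designated address".
FEEDBACK_SINKS = {"HttpURLConnection.connect", "SmsManager.sendTextMessage"}
# Triggering events that imply the user authorised the action (assumption).
USER_TRIGGERS = {"USER_CLICK"}

# Pre-stored logic model ([0029]-[0035]): (reason, api category,
# triggering events that make the call suspicious or None for any
# non-user trigger, whether a feedback path is required).
LOGIC_MODEL = [
    ("steals private information", "read_private_info", {"BOOT_COMPLETED"}, True),
    ("consumes network/phone charges", "network_access", {"BOOT_COMPLETED"}, False),
    ("intercepts and replies to fee-deduction SMS", "message_feedback", {"SMS_RECEIVED"}, False),
    ("silently installs third-party software", "silent_install", None, False),
    ("terminates running programs", "terminate_process", None, False),
]

CALL_RE = re.compile(r"^([\w.]+)(?:\((.*)\))?$")  # "Callee(argument)" statements


@dataclass
class CallLogic:
    api: str
    category: str
    method: str
    triggers: Set[str] = field(default_factory=set)
    feedback_to: Optional[str] = None


def parse_call(stmt: str):
    m = CALL_RE.match(stmt)
    return m.group(1), m.group(2)


def reverse_graph(code: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Callee -> callers, built from the calling relationships ([0028])."""
    rev = {name: set() for name in code}
    for caller, body in code.items():
        for stmt in body["calls"]:
            callee, _ = parse_call(stmt)
            if callee in code:
                rev[callee].add(caller)
    return rev


def triggering_events(code, rev, method: str) -> Set[str]:
    """Walk callers back to entry points and collect their triggering events."""
    events, seen, stack = set(), set(), [method]
    while stack:
        m = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        if code[m].get("trigger"):
            events.add(code[m]["trigger"])
        stack.extend(rev[m])
    return events


def feedback_path(code, method: str, index: int) -> Optional[str]:
    """Find a sink reached after the specific API call (same method or callees)."""
    stack, seen = list(reversed(code[method]["calls"][index + 1:])), set()
    while stack:
        callee, arg = parse_call(stack.pop())
        if callee in FEEDBACK_SINKS and arg:
            return arg  # the designated address the results are returned to
        if callee in code and callee not in seen:
            seen.add(callee)
            stack.extend(reversed(code[callee]["calls"]))
    return None


def extract_call_logic(code) -> List[CallLogic]:
    """Steps 202-203: scan for specific APIs and determine their call logic."""
    rev, found = reverse_graph(code), []
    for method, body in code.items():
        for i, stmt in enumerate(body["calls"]):
            name, _ = parse_call(stmt)
            if name in SPECIFIC_APIS:
                found.append(CallLogic(name, SPECIFIC_APIS[name], method,
                                       triggering_events(code, rev, method),
                                       feedback_path(code, method, i)))
    return found


def match_logic_model(logic: CallLogic) -> Optional[str]:
    """Step 204: match one call logic against the pre-stored logic model."""
    unauthorised = logic.triggers - USER_TRIGGERS
    for reason, category, triggers, needs_feedback in LOGIC_MODEL:
        if category != logic.category:
            continue
        if triggers is None:
            if not unauthorised:
                continue
        elif not (logic.triggers & triggers):
            continue
        if needs_feedback and logic.feedback_to is None:
            continue
        return reason
    return None


def analyse(app: dict) -> dict:
    """Steps 202-205 over an already-decompiled app; returns the user report."""
    reasons = []
    for logic in extract_call_logic(app["code"]):
        reason = match_logic_model(logic)
        if reason:
            reasons.append(reason)
    return {"name": app["name"], "path": app["path"],
            "malicious": bool(reasons), "reasons": reasons}


# Constructed sample apps: a self-starting contact stealer with an SMS
# auto-reply, and a contacts manager that reads the address book on a click.
SPYWARE = {"name": "contacts_helper", "path": "/data/app/contacts_helper.apk", "code": {
    "BootReceiver.onReceive": {"trigger": "BOOT_COMPLETED", "calls": ["Collector.run"]},
    "Collector.run": {"calls": ["ContentResolver.query(content://contacts)", "Uploader.send"]},
    "Uploader.send": {"calls": ["HttpURLConnection.connect(http://203.0.113.7/upload)"]},
    "SmsReceiver.onReceive": {"trigger": "SMS_RECEIVED", "calls": ["SmsManager.sendTextMessage(10669)"]},
}}
BENIGN = {"name": "address_book", "path": "/data/app/address_book.apk", "code": {
    "MainActivity.onClick": {"trigger": "USER_CLICK", "calls": ["ContactsUi.show"]},
    "ContactsUi.show": {"calls": ["ContentResolver.query(content://contacts)"]},
}}

if __name__ == "__main__":
    for app in (SPYWARE, BENIGN):
        print(analyse(app))
```

The same ContentResolver.query call is flagged in one app and cleared in the other solely because of its call logic, which is the distinction paragraph [0027] draws between managing and stealing an address book.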

[0037] In this manner, by obtaining the specific API in the application program and determining the call logic for calling the specific API, it is determined whether the application program is a malicious program according to the call logic for calling the specific API. This can avoid manual testing procedures and improve testing efficiency. In addition, by using call logic for calling a specific API in an application program for possibly stealing user's private information and phone charges to determine whether the application program is a malicious program, degree of accuracy for determining if it is a malicious program can be improved.

[0038] FIG. 3 depicts an exemplary apparatus for determining a malicious program in accordance with various disclosed embodiments. The exemplary apparatus can include an obtaining module 301, a first determining module 302, and/or a second determining module 303.

[0039] The obtaining module 301 is configured to obtain a specific API in an application program. The specific API can include, but is not limited to, a function of accessing user's private information, a function of modifying user's private information, a network access function, a call function, a message feedback function, a function of modifying system settings, a function of silently installing a third-party application program, and/or a function of terminating a program process.

[0040] The first determining module 302 is configured to determine call logic for calling the specific API. The call logic can include a triggering event to trigger the specific API to be called and/or a feedback path provided after calling the specific API. The second determining module 303 is configured, according to the call logic, to determine whether the application program is a malicious program.

[0041] FIG. 4 depicts an exemplary obtaining module 301. The obtaining module 301 includes a decompiling unit 3011 and/or a scan-extracting unit 3012. The decompiling unit 3011 is configured to decompile the application program to obtain a code file of the application program. The scan-extracting unit 3012 is configured to scan the code file and extract the specific API within the code file.

[0042] Furthermore, the first determining module 302 is configured to analyze classes, functions, procedure events, and calling relationship between functions in the decompiled code file; and to extract the call logic for calling the specific API.

[0043] FIG. 5 depicts an exemplary second determining obtaining module 303. The exemplary second determining obtaining module 303 can include a model matching unit 3031, and/or a determining unit 3032.

[0044] The model matching unit 3031 is configured to match the call logic with a pre-stored logic model that provides call logic for malicious programs. The determining unit 3032 is configured to determine that the application program is a malicious program, when the call logic matches with the call logic in the logic model. The determining unit 3032 is configured to determine that the application program is a safe program, when the call logic does not match with any call logic in the logic model.

[0045] In FIG. 6, the exemplary apparatus can further include a feedback module 304. The feedback module 304 is configured to return information of the application program to the user to inform the user of possible malicious programs, when the application program is determined to be a malicious program. The user can also be provided with a selection tab such that the user can choose whether to uninstall this application program based on the selection tab.

[0046] In this manner, by obtaining the specific API in the application program and determining the call logic for calling the specific API, it is then determined whether the application program is a malicious program according to the call logic for calling the specific API. This can avoid manual testing procedures and improve testing efficiency. In addition, by using call logic for calling a specific API in an application program for possibly stealing user's private information and phone charges to determine whether the application program is a malicious program, degree of accuracy for determining if it is a malicious program can be improved.

[0047] In various embodiments, the application program may be installed on a terminal device. As used herein, a terminal device may refer to any appropriate user terminal with certain computing capabilities including, for example, a personal computer (PC), a work station computer, a server computer, a hand-held computing device (tablet), a smart phone or mobile phone, or any other user-side computing device.

[0048] An exemplary terminal device can include a terminal 706 as depicted in FIG. 7. Specifically, FIG. 7 illustrates an exemplary environment 700 incorporating certain disclosed embodiments. As shown in FIG. 7, environment 700 may include a server 704, a terminal 706, and a communication network 702. The server 704 and the terminal 706 may be coupled through the communication network 702 for information exchange, such as message communications. Although only one terminal 706 and one server 704 are shown in the environment 700, any number of clients 706 or servers 704 may be included, and other devices may also be included.

[0049] Communication network 702 may include any appropriate type of communication network for providing network connections to the server 704 and terminal 706 or among multiple servers 704 or clients 706. For example, communication network 702 may include the Internet or other types of computer networks or telecommunication networks, either wired or wireless. The server 704 may refer to one or more server computers configured to provide certain server functionalities, such as database management and search engines. A server may also include one or more processors to execute computer programs in parallel.

[0050] The terminal (or terminal device) and the server may be implemented on any appropriate computing platform. FIG. 8 depicts a block diagram of an exemplary computer system 800 capable of implementing a terminal and/or a server.

[0051] As shown in FIG. 8, the computing system 800 may include a processor 802, a storage medium 804, a monitor 806, a communication module 808, a database 810, and peripherals 812. Certain devices may be omitted and other devices may be included.

[0052] Processor 802 may include any appropriate processor or processors. Further, processor 802 can include multiple cores for multi-thread or parallel processing. Storage medium 804 may include memory modules, such as ROM, RAM, and flash memory modules, and mass storages, such as CD-ROM, U-disk, hard disk, etc. Storage medium 804 may store computer programs for implementing various processes, when executed by processor 802.

[0053] Further, peripherals 812 may include I/O devices such as keyboard and mouse, and communication module 808 may include network devices for establishing connections through a wireless or wired communication network. Database 810 may include one or more databases for storing certain data and for performing certain operations on the stored data, such as database searching.

[0054] It should be noted that when the disclosed apparatus for determining a malicious program is implemented, the functional modules disclosed herein are for example only. Other modules can be added and exemplary modules can be removed, modified, or otherwise rearranged. In various embodiments, the disclosed modules can be configured in one apparatus or configured in multiple apparatus as desired. The modules disclosed herein can be integrated in one module or in multiple modules. Each of the modules disclosed herein can be divided into one or more sub-modules, which can be recombined in any manner.

[0055] The disclosed embodiments are examples only. In various embodiments, the disclosed apparatus for determining a malicious program can be used to implement the disclosed method for determining a malicious program. One of ordinary skill in the art would appreciate that suitable software and/or hardware (e.g., a universal hardware platform) may be included and used to predict, manage, and execute the disclosed schemes. For example, the disclosed embodiments can be implemented by hardware only or, alternatively, by software products only. The software products can be stored in a storage medium. The software products can include suitable commands to enable a terminal device (e.g., including a mobile phone, a personal computer, a server, or a network device, etc.) to implement the disclosed embodiments.

[0056] For example, various embodiments may include a computer readable medium containing executable computer instructions for performing a method for determining a malicious program. In the method, a specific application programming interface (API) within an application program can be obtained. Call logic for calling the specific API can be determined and the call logic can include a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof. It can be determined whether the application program is a malicious program according to the call logic.

INDUSTRIAL APPLICABILITY AND ADVANTAGEOUS EFFECTS



[0057] Without limiting the scope of any claim and/or the specification, examples of industrial applicability and certain advantageous effects of the disclosed embodiments are listed for illustrative purposes.

[0058] The disclosed methods, apparatus, and computer readable medium are for determining a malicious program. In an exemplary method, a specific application programming interface (API) within an application program can be obtained. Call logic for calling the specific API can be determined, and the call logic can include a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof. It can be determined whether the application program is a malicious program according to the call logic. Accordingly, an apparatus for determining a malicious program can include an obtaining module, a first determining module, and a second determining module. Accordingly, a computer readable medium containing executable computer instructions for performing a method for determining a malicious program can also be provided.

[0059] In this manner, by obtaining the specific API in the application program and determining the call logic for calling the specific API, it is determined whether the application program is a malicious program according to the call logic for calling the specific API. This can avoid manual testing procedures and improve testing efficiency. In addition, by using call logic for calling a specific API in an application program for possibly stealing user's private information and phone charges to determine whether the application program is a malicious program, degree of accuracy for determining a malicious program can be improved.

Reference Sign List



[0060] 

Obtaining module 301

First determining module 302

Second determining module 303

Feedback module 304

Decompiling unit 3011

Scan-extracting unit 3012

Model matching unit 3031

Determining unit 3032

Environment 700

Communication network 702

Server 704

Client terminal 706

Processor 802

Storage medium 804

Monitor 806

Communication module 808

Database 810

Peripherals 812




Claims

1. A method for determining a malicious program, comprising:

decompiling (201) an application program to obtain a code file of the application program;

scanning (202) the decompiled code file to extract a specific application programming interface, API, from the code file;

determining (102, 203) call logic for calling the specific API, wherein the call logic comprises a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof; and

determining (103, 204) whether the application program is a malicious program according to the call logic,

characterized in that

the application program is determined to be malicious when:

the specific API is a function of connecting to a network to access a business for fee deductions, and the determined specific API is called having the call logic to connect to the network to access the business for fee deductions when the device is powered on to self-start without being authorized by a user for the purposes of consuming a user's network resource and a user's phone charges; or

the specific API is a function of intercepting and replying a message for fee deductions and the determined specific API is called having the call logic that once the message for fee deductions is replied thereto, a user's phone charges are consumed.


 
2. The method of claim 1, wherein the specific API further comprises a function of accessing user's private information, a function of modifying user's private information, a network access function, a call function, a message feedback function, a function of modifying system settings, a function of silently installing a third-party application program, a function of terminating a program process, or a combination thereof.
 
3. The method of claim 1, wherein determining (103, 204) whether the application program is a malicious program according to the call logic comprises:

matching the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

determining that the application program is the malicious program, when the call logic matches with call logic in the pre-stored logic model; or

determining that the application program is a safe program, when the call logic does not match with any call logic in the pre-stored logic model.


 
4. An apparatus for determining a malicious program, comprising:

an obtaining module (301), configured to identify a specific application programming interface, API, called within an application program;

a first determining module (302), configured to determine call logic for calling the specific API, wherein the call logic comprises a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof;

a second determining module (303), configured to determine whether the application program is a malicious program according to the call logic, wherein the obtaining module (301) comprises:

a decompiling unit (3011), configured to decompile the application program to obtain a code file of the application program; and

a scan-extracting unit (3012), configured to scan the code file to extract the specific API from the code file,

characterized in that

the application program is determined to be malicious when:

the specific API is a function of connecting to a network to access a business for fee deductions, and the determined specific API is called having the call logic to connect to the network to access the business for fee deductions when the device is powered on to self-start without being authorized by a user for the purposes of consuming a user's network resource and a user's phone charges; or

the specific API is a function of intercepting and replying a message for fee deductions and the determined specific API is called having the call logic that once the message for fee deductions is replied thereto, a user's phone charges are consumed.


 
5. The apparatus of claim 4, wherein the specific API further comprises a function of accessing user's private information, a function of modifying user's private information, a network access function, a call function, a message feedback function, a function of modifying system settings, a function of silently installing a third-party application program, a function of terminating a program process, or a combination thereof.
 
6. The apparatus of claim 4, wherein the second determining module (303) comprises:

a model matching unit (3031), configured to match the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

a determining unit (3032), configured to determine that the application program is the malicious program, when the call logic matches with call logic in the pre-stored logic model; or to determine that the application program is a safe program, when the call logic does not match with any call logic in the pre-stored logic model.


 
7. A computer readable medium containing executable computer instructions for performing a method for determining a malicious program, the method comprising:

decompiling (201) an application program to obtain a code file of the application program;

scanning (202) the decompiled code file to extract a specific application programming interface, API, from the code file;

determining (102, 203) call logic for calling the specific API, wherein the call logic comprises a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof; and

determining (103, 204) whether the application program is a malicious program according to the call logic,

characterized in that

the application program is determined to be malicious when:

the specific API is a function of connecting to a network to access a business for fee deductions, and the determined specific API is called having the call logic to connect to the network to access the business for fee deductions when the device is powered on to self-start without being authorized by a user for the purposes of consuming a user's network resource and a user's phone charges; or

the specific API is a function of intercepting and replying a message for fee deductions and the determined specific API is called having the call logic that once the message for fee deductions is replied thereto, a user's phone charges are consumed.


 
8. The medium of claim 7, wherein the specific API further comprises a function of accessing user's private information, a function of modifying user's private information, a network access function, a call function, a message feedback function, a function of modifying system settings, a function of silently installing a third-party application program, a function of terminating a program process, or a combination thereof.
 
9. The medium of claim 7, wherein determining (103, 204) whether the application program is a malicious program according to the call logic comprises:

matching the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

determining that the application program is the malicious program, when the call logic matches with call logic in the pre-stored logic model; or

determining that the application program is a safe program, when the call logic does not match with any call logic in the pre-stored logic model.
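As an added illustration of the claimed flow in claims 1, 3, 7 and 9 (steps 201 to 204: extract the specific API from a decompiled code file, determine its call logic as triggering event plus feedback path, and match that call logic against a pre-stored logic model), the following Python is not code from the patent or its proprietor; the pseudo-instruction format standing in for a decompiled code file, the API names, event names, feedback paths and the logic-model entries are all constructed placeholders.

```python
"""Added illustration of the claimed flow (steps 201-204). Constructed example,
not the patent's or its proprietor's code: the instruction format, API names,
event names, feedback paths and model entries are placeholders."""
import re
from dataclasses import dataclass
from typing import Optional

# Specific APIs the scanner looks for (claim 1): constructed placeholder names.
SPECIFIC_APIS = {"net.connect_fee_service", "sms.intercept_reply"}

@dataclass(frozen=True)
class CallLogic:
    """Call logic of one specific API call: triggering event plus feedback path."""
    api: str
    trigger: Optional[str]   # event under which the calling method ran, if any
    feedback: Optional[str]  # path taken after the API returned, if any

# Pre-stored logic model (claims 3 and 9): call logic regarded as malicious.
# Entries are constructed; a real model would be curated from known samples.
LOGIC_MODEL = {
    CallLogic("net.connect_fee_service", "BOOT_COMPLETED", "fee_deduction"),
    CallLogic("sms.intercept_reply", "SMS_RECEIVED", "fee_deduction"),
}

# Toy "decompiled" instruction format: 'on <event>', 'call <api>', 'return <path>'.
_INSTR = re.compile(r"^(on|call|return)\s+(\S+)$")

def scan_specific_apis(code_file):
    """Step 202: the specific APIs called anywhere in the code file."""
    found = set()
    for lines in code_file.values():
        for line in lines:
            m = _INSTR.match(line.strip())
            if m and m.group(1) == "call" and m.group(2) in SPECIFIC_APIS:
                found.add(m.group(2))
    return found

def determine_call_logic(code_file):
    """Step 203: pair each specific API call with its trigger and feedback path.
    'on <event>' sets the triggering event, 'call <api>' records a pending call,
    and the next 'return <path>' is the feedback path of all pending calls;
    calls with no later return line keep feedback=None."""
    logics = []
    for lines in code_file.values():
        trigger, pending = None, []
        for line in lines:
            m = _INSTR.match(line.strip())
            if not m:
                continue  # other instructions do not affect the call logic
            kind, arg = m.groups()
            if kind == "on":
                trigger = arg
            elif kind == "call" and arg in SPECIFIC_APIS:
                pending.append(arg)
            elif kind == "return":
                logics.extend(CallLogic(api, trigger, arg) for api in pending)
                pending = []
        logics.extend(CallLogic(api, trigger, None) for api in pending)
    return logics

def classify(code_file, model=LOGIC_MODEL):
    """Step 204: 'malicious' if any call logic matches the model, else 'safe'."""
    matches = [cl for cl in determine_call_logic(code_file) if cl in model]
    return ("malicious" if matches else "safe"), matches

# Constructed sample apps (method name -> pseudo-instructions). Both call the
# same fee-related API; only the call logic differs, which decides the verdict.
SELF_STARTING_APP = {"BootReceiver.onReceive": [
    "on BOOT_COMPLETED", "call net.connect_fee_service", "return fee_deduction"]}
USER_DRIVEN_APP = {"ShopActivity.onClick": [
    "on USER_CLICK", "call net.connect_fee_service", "return show_receipt"]}
```

Calling `classify(SELF_STARTING_APP)` yields `"malicious"` with the matched boot-triggered call logic, while `classify(USER_DRIVEN_APP)` yields `"safe"` even though the same API is called, because its trigger and feedback path match nothing in the model.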


 


Claims (German-language version)

1. A method for determining a malicious program, comprising:

decompiling (201) an application program to obtain a code file of the application program;

scanning (202) the decompiled code file to extract a specific application programming interface, API, from the code file;

determining (102, 203) call logic for calling the specific API, wherein the call logic comprises a triggering event for triggering the calling of the specific API, a feedback path that is provided after the calling of the specific API, or a combination thereof; and

determining (103, 204) whether the application program is a malicious program according to the call logic,

characterized in that

the application program is determined to be malicious when:

the specific API is a function of connecting to a network in order to access a business for fee deductions, and the determined specific API is called with the call logic to connect to the network in order to access the business for fee deductions when the device is powered on to start by itself without being authorized by a user, in order to consume a user's network resources and a user's phone charges; or

the specific API is a function for intercepting and replying to a message for fee deductions, and the determined specific API is called with the call logic according to which, as soon as the message for fee deductions is replied to, a user's phone charges are consumed.


2. The method of claim 1, wherein the specific API further comprises: a function for accessing a user's private information, a function for modifying a user's private information, a network access function, a call function, a message feedback function, a function for modifying system settings, a function for automatically installing a third-party application program, a function for terminating a program process, or a combination thereof.

3. The method of claim 1, wherein determining (103, 204) whether the application program is a malicious program according to the call logic comprises:

matching the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

determining that the application program is the malicious program when the call logic matches the call logic in the pre-stored logic model; or

determining that the application program is a safe program when the call logic does not match any call logic in the pre-stored logic model.


4. An apparatus for determining a malicious program, comprising:

an obtaining module (301) configured to identify a specific application programming interface, API, that is called within an application program;

a first determining module (302) configured to determine call logic for calling the specific API, wherein the call logic comprises a triggering event for triggering the calling of the specific API, a feedback path that is provided after the specific API has been called, or a combination thereof;

a second determining module (303) configured to determine whether the application program is a malicious program according to the call logic, wherein the obtaining module (301) comprises:

a decompiling unit (3011) configured to decompile the application program in order to obtain a code file of the application program; and

a scan-extracting unit (3012) configured to scan the code file in order to extract the specific API from the code file,

characterized in that

the application program is determined to be malicious when:

the specific API is a function of connecting to a network in order to access a business for fee deductions, and the determined specific API is called with the call logic to connect to the network in order to access the business for fee deductions when the device is powered on to start by itself without being authorized by a user, in order to consume a user's network resources and a user's phone charges; or

the specific API is a function for intercepting and replying to a message for fee deductions, and the determined specific API is called with the call logic according to which, as soon as the message for fee deductions is replied to, a user's phone charges are consumed.


5. The apparatus of claim 4, wherein the specific API further comprises: a function for accessing a user's private information, a function for modifying a user's private information, a network access function, a call function, a message feedback function, a function for modifying system settings, a function for automatically installing a third-party application program, a function for terminating a program process, or a combination thereof.

6. The apparatus of claim 4, wherein the second determining module (303) comprises:

a model matching unit (3031) configured to match the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

a determining unit (3032) configured to determine that the application program is the malicious program when the call logic matches the call logic in the pre-stored logic model; or to determine that the application program is a safe program when the call logic does not match any call logic in the pre-stored logic model.


7. A computer-readable medium containing executable computer instructions for performing a method for determining a malicious program, the method comprising:

decompiling (201) an application program to obtain a code file of the application program;

scanning (202) the decompiled code file to extract a specific application programming interface, API, from the code file;

determining (102, 203) call logic for calling the specific API, wherein the call logic comprises a triggering event for triggering the calling of the specific API, a feedback path that is provided after the calling of the specific API, or a combination thereof; and

determining (103, 204) whether the application program is a malicious program according to the call logic,

characterized in that

the application program is determined to be malicious when:

the specific API is a function of connecting to a network in order to access a business for fee deductions, and the determined specific API is called with the call logic to connect to the network in order to access the business for fee deductions when the device is powered on to start by itself without being authorized by a user, in order to consume a user's network resources and a user's phone charges; or

the specific API is a function for intercepting and replying to a message for fee deductions, and the determined specific API is called with the call logic according to which, as soon as the message for fee deductions is replied to, a user's phone charges are consumed.


8. The medium of claim 7, wherein the specific API further comprises: a function for accessing a user's private information, a function for modifying a user's private information, a network access function, a call function, a message feedback function, a function for modifying system settings, a function for automatically installing a third-party application program, a function for terminating a program process, or a combination thereof.

9. The medium of claim 7, wherein determining (103, 204) whether the application program is a malicious program according to the call logic comprises:

matching the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

determining that the application program is the malicious program when the call logic matches the call logic in the pre-stored logic model; or

determining that the application program is a safe program when the call logic does not match any call logic in the pre-stored logic model.


 


Claims (French-language version)

1. A method for determining a malicious program, comprising:

decompiling (201) an application program to obtain a code file of the application program;

scanning (202) the decompiled code file to extract a specific application programming interface, API, from the code file;

determining (102, 203) call logic for calling the specific API, the call logic comprising a triggering event to trigger the specific API to be called, a feedback path provided after the call of the specific API, or a combination thereof; and

determining (103, 204) whether the application program is a malicious program according to the call logic, characterized in that the application program is determined to be malicious when:

the specific API is a function of connecting to a network for accessing a business for fee deductions, and the determined specific API is called with the call logic to connect to the network for accessing the business for fee deductions when the device is powered on to self-start without being authorized by a user, with the aim of consuming a user's network resources and a user's phone charges; or

the specific API is a function of intercepting and replying to a message for fee deductions, and the determined specific API is called with the call logic that, once the message for fee deductions has been replied to, a user's phone charges are consumed.


2. The method of claim 1, wherein the specific API further comprises a function for accessing the user's private information, a function for modifying the user's private information, a network access function, a call function, a message feedback function, a function for modifying system settings, a function for silently installing a third-party application program, a function for terminating a program process, or a combination thereof.

3. The method of claim 1, wherein determining (103, 204) whether the application program is a malicious program according to the call logic comprises:

matching the call logic with a pre-stored logic model, the pre-stored logic model providing call logic for malicious programs; and

determining that the application program is the malicious program when the call logic matches the call logic in the pre-stored logic model; or

determining that the application program is a safe program when the call logic does not match any call logic in the pre-stored logic model.


4. An apparatus for determining a malicious program, comprising:

an obtaining module (301) configured to identify a specific application programming interface, API, called within an application program;

a first determining module (302) configured to determine the call logic for calling the specific API, the call logic comprising a triggering event to trigger the specific API to be called, a feedback path provided after the call of the specific API, or a combination thereof;

a second determining module (303) configured to determine whether the application program is a malicious program according to the call logic, the obtaining module (301) comprising:

a decompiling unit (3011) configured to decompile the application program to obtain a code file of the application program; and

a scan-extracting unit (3012) configured to scan the code file in order to extract the specific API from the code file, characterized in that the application program is determined to be malicious when:

the specific API is a function of connecting to a network for accessing a business for fee deductions, and the determined specific API is called with the call logic to connect to the network for accessing the business for fee deductions when the device is powered on to self-start without being authorized by a user, with the aim of consuming a user's network resources and a user's phone charges; or

the specific API is a function of intercepting and replying to a message for fee deductions, and the determined specific API is called with the call logic that, once the message for fee deductions has been replied to, a user's phone charges are consumed.


5. The apparatus of claim 4, wherein the specific API further comprises a function for accessing the user's private information, a function for modifying the user's private information, a network access function, a call function, a message feedback function, a function for modifying system settings, a function for silently installing a third-party application program, a function for terminating a program process, or a combination thereof.

6. The apparatus of claim 4, wherein the second determining module (303) comprises:

a model matching unit (3031) configured to match the call logic with a pre-stored logic model, the pre-stored logic model providing call logic for malicious programs; and

a determining unit (3032) configured to determine that the application program is the malicious program when the call logic matches the call logic in the pre-stored logic model; or

to determine that the application program is a safe program when the call logic does not match any call logic in the pre-stored logic model.


7. A computer-readable medium containing executable computer instructions for performing a method for determining a malicious program, the method comprising:

decompiling (201) an application program to obtain a code file of the application program;

scanning (202) the decompiled code file to extract a specific application programming interface, API, from the code file;

determining (102, 203) call logic for calling the specific API, the call logic comprising a triggering event to trigger the specific API to be called, a feedback path provided after the call of the specific API, or a combination thereof; and

determining (103, 204) whether the application program is a malicious program according to the call logic, characterized in that the application program is determined to be malicious when:

the specific API is a function of connecting to a network for accessing a business for fee deductions, and the determined specific API is called with the call logic to connect to the network for accessing the business for fee deductions when the device is powered on to self-start without being authorized by a user, with the aim of consuming a user's network resources and a user's phone charges; or

the specific API is a function of intercepting and replying to a message for fee deductions, and the determined specific API is called with the call logic that, once the message for fee deductions has been replied to, a user's phone charges are consumed.


8. The medium of claim 7, wherein the specific API further comprises a function for accessing the user's private information, a function for modifying the user's private information, a network access function, a call function, a message feedback function, a function for modifying system settings, a function for silently installing a third-party application program, a function for terminating a program process, or a combination thereof.

9. The medium of claim 7, wherein determining (103, 204) whether the application program is a malicious program according to the call logic comprises:

matching the call logic with a pre-stored logic model, wherein the pre-stored logic model provides call logic for malicious programs; and

determining that the application program is the malicious program when the call logic matches the call logic in the pre-stored logic model; or

determining that the application program is a safe program when the call logic does not match any call logic in the pre-stored logic model.


 




Drawing
















