
Active mobile terminal malware network traffic data set acquisition method and system

A malware and mobile terminal technology, applied in transmission systems, electrical components, etc., that can solve the problems of difficulty in obtaining malicious application traffic data and high storage and computing overhead.

Active Publication Date: 2018-10-19
UNIV OF JINAN

AI Technical Summary

Problems solved by technology

However, the mobile terminal network traffic collected by network service providers has the following problems: (1) the mobile terminal network traffic data from the network service provider includes both the traffic generated by malicious applications on the mobile terminal and the traffic generated by normal applications, i.e. it is mixed traffic, whereas mobile smart terminal malware behavior analysis urgently needs the network behavior traffic of malicious applications separated out in pure form; (2) owing to constraints such as privacy protection and commercial confidentiality, the network service provider can only provide externally traffic data that has undergone privacy processing and application-layer information filtering, while mobile smart terminal malware behavior analysis requires a complete (3) network service providers obtain network traffic data by passive traffic collection and must extract and separate malicious behavior traffic from massive mixed traffic data. The storage and computing costs are considerable, and it is difficult to obtain enough malicious application traffic data in a short period of time.



Examples


Embodiment Construction

[0043] The present invention is described in detail below with reference to the accompanying drawings:

[0044] An active method for acquiring a mobile terminal malware network traffic data set. The following takes the Android system as the embodiment throughout; the specific working process is:

[0045] 1) Decompilation of mobile terminal malware. For the original files of large-scale Android malware, an automatic script program controls the execution of the decompilation tool APKTool, producing all the decompiled files of the malware. The decompiled files of each malware sample include the Android system configuration file AndroidManifest.xml.

[0046] 2) Extraction of the parameters needed for the automatic installation and operation of mobile terminal malware. For every Android malware sample, if decompilation succeeds, the package name and main activity name of the malware can be extracted from its AndroidManifest.xml file, as the ...
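Step 2 as an added example (not code from the patent): a Python parser that reads an AndroidManifest.xml decoded by APKTool and returns the package name and main activity. It assumes the main activity is the component carrying the MAIN/LAUNCHER intent filter; the sample manifest and the names `launch_parameters` and `qualify` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample of a decoded AndroidManifest.xml (not from a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <activity android:name=".ui.Settings"/>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def qualify(package, name):
    """Expand a manifest class name (".Main" or "Main") to a full class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def launch_parameters(manifest_xml):
    """Return (package, main_activity); main_activity is None if none is declared."""
    # The manifest comes from an untrusted sample: refuse DTDs so that entity
    # expansion cannot be used against the analysis host.
    if "<!DOCTYPE" in manifest_xml:
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    if not package:
        raise ValueError("manifest has no package attribute")
    for comp in root.iterfind("application/*"):
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for flt in comp.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats
                    and comp.get(A + "name")):
                return package, qualify(package, comp.get(A + "name"))
    return package, None
```

A sample for which the function returns `None` as the main activity has no launcher entry point and needs a different activation path than a plain activity start.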


Abstract

The invention discloses an active mobile terminal malicious software network traffic data set acquisition method and system. The method comprises the following steps: decompiling mobile terminal malicious software to obtain the configuration file corresponding to the malicious software; extracting from that configuration file the parameters required for automatic installation and running of the mobile terminal malicious software; automatically installing the mobile terminal malicious software; activating and running the mobile terminal malicious software using an activation priority mechanism, and acquiring the mobile terminal malicious software network traffic once it is activated and running; establishing a mobile terminal malicious target list; and separating, according to the established mobile terminal malicious target list, the malicious interaction traffic generated between the mobile terminal malicious software and a remote control server or between malicious servers. For the acquired network traffic data, the malicious traffic generated by the malicious software is extracted from the mixed traffic on a network data flow basis.
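The separation step as an added example (not code from the patent): packets are grouped into bidirectional flows and a flow is kept as malicious when its remote endpoint is on the target list. It assumes the target list holds remote IP addresses and host names; the packet records, addresses (documentation ranges) and function names are constructed.

```python
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real indicators).
DEVICE_IP = "10.0.0.5"
TARGET_LIST = {"192.0.2.10", "c2.example.test"}
# (time, src, sport, dst, dport, proto, host); host is the DNS/HTTP name
# observed for the remote address in that packet, or None.
PACKETS = [
    (0.00, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp", None),
    (0.02, "192.0.2.10", 80, "10.0.0.5", 40001, "tcp", None),
    (0.10, "10.0.0.5", 40002, "198.51.100.7", 443, "tcp", "cdn.example.org"),
    (0.15, "10.0.0.5", 40003, "203.0.113.9", 8080, "tcp", "c2.example.test"),
    (0.16, "203.0.113.9", 8080, "10.0.0.5", 40003, "tcp", None),
    (0.30, "198.51.100.7", 443, "10.0.0.5", 40002, "tcp", None),
]


def flow_key(pkt, device_ip=DEVICE_IP):
    """Direction-independent key: (proto, device port, remote ip, remote port)."""
    _, src, sport, dst, dport, proto, _ = pkt
    if src == device_ip:
        return (proto, sport, dst, dport)
    return (proto, dport, src, sport)


def separate(packets, targets):
    """Split packets into (malicious_flows, other_flows), each a dict key -> packets."""
    flows = defaultdict(list)
    names = defaultdict(set)  # host names observed anywhere in each flow
    for pkt in packets:
        key = flow_key(pkt)
        flows[key].append(pkt)
        if pkt[6]:
            names[key].add(pkt[6])
    malicious, other = {}, {}
    for key, pkts in flows.items():
        # A flow matches on its remote IP or on any host name seen in it, so
        # reply packets without a name still land in the same flow.
        hit = key[2] in targets or bool(names[key] & targets)
        (malicious if hit else other)[key] = pkts
    return malicious, other
```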

Description

Technical field

[0001] The invention relates to an active network traffic data set acquisition method for mobile terminal malware, in particular to an active and automatic acquisition method for large-scale mobile terminal malware network traffic data sets.

Background technique

[0002] A normal mobile terminal application (program) becomes mobile terminal malware (a malicious application) once malicious code is added to it. After collecting 1260 Android malicious applications, Jiang Xuxian and others found that 86% of the malicious applications had been repackaged after the source files of normal applications were modified, and that more than 90% of the malicious applications established a network connection with a remote control server or a malicious application server. This statistic finds that on the one hand, most Android malicious applications will communicate with the remote control server or malicious application server to generate network traffi...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06
CPC: H04L63/0281, H04L63/1408, H04L63/145
Inventor: 陈贞翔, 杨波, 韩泓波, 彭立志, 张蕾, 孙润元
Owner: UNIV OF JINAN