A power mobile terminal security monitoring method, device, equipment and storage medium

By generating behavioral signature codes for Java, Native, and Kernel layers on power mobile terminals and performing similarity calculations in conjunction with a business security threat policy library, malicious applications can be identified and blocked. This solves the problem of missed detection of malicious behavior in existing technologies and achieves efficient security monitoring.

CN115203691BActive Publication Date: 2026-07-07CHINA ELECTRIC POWER RESEARCH INSTITUTE CO LTD +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA ELECTRIC POWER RESEARCH INSTITUTE CO LTD
Filing Date
2022-05-18
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing security monitoring methods for mobile power terminals rely solely on terminal status logs and alarm information, lacking correlation analysis of log information, which leads to a high risk of missed malicious behavior detection.

Method used

By acquiring application behavior data on mobile power terminals, behavioral feature codes of the Java layer, Native layer, and Kernel layer are generated, analyzed, and compared. Similarity calculations are performed in conjunction with a pre-set business security threat policy library to identify and block malicious applications and prevent access to sensitive data.

Benefits of technology

It enables rapid identification and interception of malicious behavior from mobile power terminals, reduces the risk of missed malicious behavior reports, and improves the accuracy and efficiency of security monitoring.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115203691B_ABST
    Figure CN115203691B_ABST
Patent Text Reader

Abstract

This invention discloses a method, device, equipment, and storage medium for security monitoring of power mobile terminals. The method includes: acquiring Java layer behavioral signature codes, Native layer behavioral signature codes, and Kernel layer behavioral signature codes; analyzing and comparing the Java layer behavioral signature codes, Native layer behavioral signature codes, and Kernel layer behavioral signature codes to obtain Java layer hidden behavioral signature codes and Native layer hidden behavioral signature codes; using a preset business security threat policy library as a reference standard, calculating the similarity between the application's Java layer behavioral signature codes, Native layer behavioral signature codes, Kernel layer behavioral signature codes, Java layer hidden behavioral signature codes, and Native layer hidden behavioral signature codes and the reference standard to determine the application's category; and by analyzing the malicious behavior audit of the power mobile terminal and the applications running on it, combined with the terminal business security threat policy library, rapid identification and interception of malicious behavior can be achieved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of power mobile terminal operation monitoring technology, specifically relating to a power mobile terminal safety monitoring method, device, equipment and storage medium. Background Technology

[0002] Mobile application technology boasts advantages such as wide coverage, easy access, large capacity, and high reliability. In power grid field operations, mobile application technology enables intelligent management of these operations, improving efficiency and quality. Most mobile (terminal) APP technologies used in the power grid employ a B / S architecture, supporting mainstream database products such as Oracle 10g, 11g, and 12c. The client-side development language is JAVA, and the mobile operating system is Android. The Android platform offers excellent openness and scalability, facilitating integration with industrial equipment. Currently, Android devices are widely used in enterprise field operations.

[0003] Traditional security monitoring methods for mobile power terminals primarily rely on collecting terminal status logs and alarm information to achieve application monitoring, traffic monitoring, and compliance checks. Existing technologies monitor security status solely based on terminal status logs and alarm information, lacking correlation analysis of log information. This may result in the risk of undetected malicious behavior and a lack of interception capabilities for malicious activities. Summary of the Invention

[0004] The purpose of this invention is to provide a method, device, equipment, and storage medium for monitoring the security status of a power mobile terminal, in order to solve the problem in the prior art that the monitoring of security status based on terminal status logs and alarm information lacks correlation analysis of log information and may have the risk of missed detection of malicious behavior.

[0005] To achieve the above objectives, the present invention adopts the following technical solution:

[0006] In a first aspect, the present invention provides a method for security monitoring of a power mobile terminal, comprising the following steps:

[0007] Acquire behavioral data from applications on mobile power terminals;

[0008] Based on the behavioral data, Java layer behavioral feature codes, Native layer behavioral feature codes, and Kernel layer behavioral feature codes are generated.

[0009] By analyzing and comparing the Java layer behavior signature, the Native layer behavior signature, and the Kernel layer behavior signature, the hidden behavior signature of the Java layer and the hidden behavior signature of the Native layer are obtained.

[0010] Using a pre-defined business security threat policy library as a reference standard, the similarity calculation of the application's Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature with the reference standard is performed to determine the category of the application; wherein, the category includes: malicious applications and non-malicious applications;

[0011] For the malicious applications mentioned above, malicious behavior is intercepted at the Java layer, Native layer, and Kernel layer, respectively.

[0012] As an optional embodiment of the present invention, in the step of obtaining the behavioral data of the application on the power mobile terminal, the behavioral data includes: permission feature code, behavioral feature code and heuristic feature code.

[0013] As an optional solution of the present invention, in the step of generating Java layer behavior feature code, Native layer behavior feature code and Kernel layer behavior feature code based on the behavior data, the behavior data is organized into Java layer behavior feature code, Native layer behavior feature code and Kernel layer behavior feature code according to a preset behavior feature selection rule.

[0014] As an optional solution of the present invention, in the step of analyzing and comparing the Java layer behavioral feature code, the Native layer behavioral feature code and the Kernel layer behavioral feature code, a cross-view monitoring method is used to analyze and compare the Java layer behavioral feature code, the Native layer behavioral feature code and the Kernel layer behavioral feature code.

[0015] As an optional solution of the present invention, in the step of using a preset business security threat policy library as a reference standard, and performing similarity calculations on the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application with the reference standard to determine the category of the application, the specific method for determining the category of the application is as follows:

[0016] Based on the pre-deployed application permission management event chain, the Java layer behavior signature code and Java layer hidden behavior signature code of the application are monitored, the similarity of the application's permissions with the reference standard is calculated, and applications with similarity exceeding a preset value are classified as malicious applications.

[0017] Alternatively, based on the KNN algorithm, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are monitored, and the dynamic behavior of the application is compared with the reference standard to calculate the similarity. Applications with similarity exceeding a preset value are classified as malicious applications.

[0018] Alternatively, based on the SVM algorithm, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are monitored. The static behavior of the application is compared with the reference standard to calculate the similarity. Applications with similarity exceeding a preset value are classified as malicious applications.

[0019] As an optional embodiment of the present invention, after the step of determining the category of the application, the method further includes the step of blocking the malicious application from accessing sensitive data.

[0020] As an optional solution of the present invention, in the step of blocking the malicious application from accessing sensitive data, the specific method for determining whether the data accessed by the malicious application is sensitive data is as follows:

[0021] Use the pre-defined terminal sensitive information database as a reference standard;

[0022] Based on reference standards, the TFIDF algorithm is used to identify whether the data called by the malicious application is sensitive data.

[0023] In a second aspect, the present invention provides a power mobile terminal safety monitoring device, comprising:

[0024] The behavior data acquisition module is used to acquire behavior data of applications on the power mobile terminal;

[0025] The feature code generation module is used to generate Java layer behavior feature codes, Native layer behavior feature codes, and Kernel layer behavior feature codes based on the behavior data.

[0026] The analysis and comparison module is used to analyze and compare the Java layer behavior signature code, the Native layer behavior signature code, and the Kernel layer behavior signature code to obtain the Java layer hidden behavior signature code and the Native layer hidden behavior signature code.

[0027] The application category determination module is used to use a preset business security threat policy library as a reference standard, and to perform similarity calculations on the Java layer behavior signature, Native layer behavior signature, Kernel layer behavior signature, Java layer hidden behavior signature, and Native layer hidden behavior signature of the application with the reference standard to determine the category of the application; wherein, the category includes: malicious applications and non-malicious applications;

[0028] The malicious application interception module is used to intercept malicious behaviors of the malicious application from the Java layer, Native layer and Kernel layer respectively.

[0029] In a third aspect, the present invention provides an electronic device including a processor and a memory, wherein the processor is configured to execute a computer program stored in the memory to implement the above-described method for monitoring the safety of a mobile power terminal.

[0030] In a fourth aspect, the present invention provides a computer-readable storage medium storing at least one instruction that, when executed by a processor, implements the above-described method for monitoring the safety of a power mobile terminal.

[0031] Compared with the prior art, the beneficial effects of the present invention are as follows:

[0032] The present invention provides a power mobile terminal security monitoring method that acquires behavioral data of applications on the power mobile terminal; organizes the behavioral data to obtain Java layer behavioral signature codes, Native layer behavioral signature codes, and Kernel layer behavioral signature codes; analyzes and compares the Java layer behavioral signature codes, Native layer behavioral signature codes, and Kernel layer behavioral signature codes to obtain Java layer hidden behavioral signature codes and Native layer hidden behavioral signature codes; uses a preset business security threat policy library as a reference standard, and performs similarity calculations between the application's Java layer behavioral signature codes, Native layer behavioral signature codes, Kernel layer behavioral signature codes, Java layer hidden behavioral signature codes, and Native layer hidden behavioral signature codes and the reference standard to determine the application category; by analyzing the malicious behavior audit of the power mobile terminal and the applications running on it, combined with the terminal business security threat policy library, it is possible to quickly identify and intercept malicious behavior. Attached Figure Description

[0033] The accompanying drawings, which form part of this application, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an undue limitation of the invention. In the drawings:

[0034] Figure 1 This is a schematic diagram of the power mobile terminal security monitoring method according to Embodiment 1 of the present invention.

[0035] Figure 2 This is a flowchart of the power mobile terminal security monitoring method according to Embodiment 1 of the present invention.

[0036] Figure 3 This is a flowchart of the method for determining the application type in Embodiment 1 of the present invention.

[0037] Figure 4 This is a flowchart of the method for determining whether data called by a malicious application is sensitive data in Embodiment 1 of the present invention.

[0038] Figure 5 This is a structural block diagram of the power mobile terminal safety monitoring device of the present invention.

[0039] Figure 6 This is a structural block diagram of an electronic device according to the present invention. Detailed Implementation

[0040] The present invention will now be described in detail with reference to the accompanying drawings and embodiments. It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other.

[0041] The following detailed description is exemplary and intended to provide further detailed explanation of the invention. Unless otherwise specified, all technical terms used in this invention have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains. The terminology used in this invention is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention.

[0042] Explanation of related terms

[0043] Security monitoring: By analyzing online data streams in real time, illegal intrusion activities are monitored, and alarms and responses are issued in real time based on the monitoring results, so as to proactively detect intrusion activities and ensure network security.

[0044] Security audit: Based on certain security policies, by recording and analyzing historical operation times and data, we can identify areas where we can improve system performance and security.

[0045] Malicious behavior: Malicious behavior on the network refers to the act of damaging, altering, or leaking the hardware, software, and data of a network system due to malicious code attacks, causing the system to be unable to operate continuously, reliably, and normally, and resulting in the interruption of network services.

[0046] Example 1

[0047] like Figure 2 As shown, a method for security monitoring of a mobile power terminal includes the following steps:

[0048] S1. Obtain behavioral data of applications on the power mobile terminal;

[0049] In this step, the behavioral data includes: permission feature code, behavioral feature code, and heuristic feature code.

[0050] In a more specific embodiment, the selection of behavioral data includes: specific feature selection. Specifically, the behavior of the application is monitored through permission feature codes, behavioral feature codes, and heuristic feature codes. The following section refines each feature code and uses it as the basis for selecting feature words for machine learning algorithms.

[0051] Permission feature code

[0052] 1) Messaging and Telephone – Permissions to access and modify SMS, MMS, telephone calls, contacts, and call logs;

[0053] 2) Privacy related – Permission to access information such as location, mobile phone information (number, IMEI, etc.), and mobile phone account;

[0054] 3) Multimedia related permissions—camera, video recording, call recording, and read / write storage permissions;

[0055] 4) Network-related – Permissions to access the network via Wi-Fi or data connection;

[0056] 5) System settings related to permissions such as Wi-Fi, Bluetooth, and screen lock.

[0057] Behavioral signature

[0058] 1) Sensitive Information Acquisition – APIs related to operations on SMS messages, phone calls, contacts, call behavior, location, phone information, camera, video recording, and call recording on a mobile phone;

[0059] 2) Sensitive information transmission – using APIs related to external communication operations such as network, SMS, and Bluetooth;

[0060] 3) File operations – APIs related to reading and writing files and databases;

[0061] 4) Accept and Recall – Broadcast accept, send broadcast, and recall other process-related APIs.

[0062] Heuristic signature

[0063] 1) Monitor the behavior of dynamically loading Java binary code through a website;

[0064] 2) Monitor the behavior of mobile software loading and using other classes from external .apk or .jar files via the DexClassLoader class;

[0065] 3) Monitor the behavior of mobile software using native C / C++ code.

[0066] S2. Based on the behavioral data, generate Java layer behavioral feature codes, Native layer behavioral feature codes, and Kernel layer behavioral feature codes;

[0067] In this step, the behavioral data is organized into Java layer behavioral feature codes, Native layer behavioral feature codes, and Kernel layer behavioral feature codes according to preset behavioral feature selection rules. In a more specific embodiment, because the feature codes are located at different levels, the preset behavioral feature selection rules are defined in this step as follows: Java layer behavioral monitoring includes permission feature codes and behavioral feature codes, while the native layer and kernel layer include behavioral feature codes and heuristic feature codes.

[0068] S3. Analyze and compare the Java layer behavior signature, Native layer behavior signature, and Kernel layer behavior signature to obtain the Java layer hidden behavior signature and the Native layer hidden behavior signature.

[0069] In this step, the cross-view monitoring method is used to analyze and compare the Java layer behavior signature code, the Native layer behavior signature code, and the Kernel layer behavior signature code to obtain the hidden behavior features of the Java layer and the hidden behavior features of the Native layer. The specific principle and operation are as follows:

[0070] It should be noted that the principle of the cross-view detection method is as follows: by comparing and analyzing two or more views, items that exist in the trusted view but not in the untrusted view are considered hidden items. This method is applied to the detection of hidden processes, hidden files, and hidden network connections. For example, the discrimination condition for hidden process detection is: let Pt represent the trusted view of process information and Pu represent the untrusted view of process information, then for any process P, if The process is then identified as a hidden process. This method can also be applied to detect malicious code hiding behavior.

[0071] First, define the basic entities in this step:

[0072] Pm = {p | p is a malicious program with hidden behavior};

[0073] M = {m | m is the behavior monitoring program, or simply the monitor};

[0074] O = {o | o represents the behavior that occurs in the system};

[0075] OM = {o | o represents behavior visible to the monitoring program M};

[0076] OH = {o | o represents hidden behavior}, and according to the above definition, OH = O - OM;

[0077] V = vb(m, O), where vb is the view generation function and m represents the monitor. The view V represents the set of behaviors visible to the monitor, and the views generated for the same set of behaviors may differ between different observers.

[0078] Vt = {v | v is a trusted view};

[0079] Vu = {v | v is a non-trusted view};

[0080] And Vt∪Vu=V;

[0081] VB = {vb | vb is a view generation function}, vb: O → Vo;

[0082] CMP = {cmp | cmp is the view comparison function}, cmp:(v,v′)→OH.

[0083] For monitor m, if If the following two conditions are met, then PM is said to have launched a covert attack on monitor m:

[0084] When PM is not running There is o∈OM; when PM is running, but

[0085] In this step, M = {m_kernel, m_native, m_java}, where m_kernel, m_native, and m_java represent the monitors located in the system's Kernel layer, Native layer, and Java layer, respectively. Vt = {v_kernel}, where v_kernel is the Kernel layer behavior view generated by m_kernel, and v_kernel is assumed to be trustworthy. Vu = {v_native, v_java}. In the system hierarchy, the lower layer has complete control over the upper layer, and the trustworthiness of the lower layer's view is higher than that of the upper layer's view. Therefore, v_native is more trustworthy than v_java, but since it is still susceptible to being bypassed by malicious programs, it is also an untrustworthy view.

[0086] VB = {vb_kernel, vb_native, vb_java}, where vb_java generates a Java layer behavior view by intercepting system calls using Dalvik virtual machine interception techniques; vb_native generates a Native layer behavior view by intercepting system calls using process injection techniques and intercepting and parsing Binder communication data packets; and vb_kernel generates a Kernel layer behavior view by hijacking and replacing system calls. For these three views, two types of hidden attacks can be identified through pairwise comparisons between adjacent views: Java layer hidden behavior signatures and Native layer hidden behavior signatures.

[0087] This step monitors the three layers of application operation behavior to obtain the following five layers of behavioral characteristics:

[0088] Java layer behavioral signature, Java layer hidden behavioral signature, Native layer behavioral signature, Native layer hidden behavioral signature, Kernel layer behavioral signature.

[0089] S4. Using a preset business security threat policy library as a reference standard, perform similarity calculations on the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application with the reference standard to determine the category of the application; wherein, the category includes: malicious applications and non-malicious applications;

[0090] like Figure 3 As shown, in this step, the category of the application is determined based on terminal malicious behavior analysis of behavioral characteristics. An application is classified as malicious if it meets one of the following conditions. The specific method is as follows:

[0091] 1) Based on the event chain of pre-deployed application permission management, monitor the Java layer behavior signature code and Java layer hidden behavior signature code of the application, calculate the similarity between the permissions of the application and the reference standard, and classify the application with a similarity exceeding the preset value as a malicious application.

[0092] It should be noted that the Event Chain used in this step is a system that grants permissions to applications based on program behavior. In this embodiment, it is deployed in the Android framework layer, system processes, and the Dalvik virtual machine. Event Chain trusts the Linux kernel and the Android framework itself, but does not trust any third-party applications or code.

[0093] The EventChain system is built on the Android framework layer, system processes, and the Dalvik virtual machine, and has the ability to monitor application bytecode, system processes, and application APIs. EventChain instrumentes function calls in the Dalvik virtual machine and the Binder and Looper architecture in Android, ensuring the tracing of application execution flow. Furthermore, by monitoring bytecode, it ensures that the values ​​of shared variables on the heap are passed through the context.

[0094] 2) Based on the KNN algorithm, monitor the Java layer behavior signature, Native layer behavior signature, Kernel layer behavior signature, Java layer hidden behavior signature, and Native layer hidden behavior signature of the application, calculate the similarity between the dynamic behavior of the application and the reference standard, and classify the application with a similarity exceeding a preset value as a malicious application.

[0095] It should be noted that the KNN dynamic behavior analysis used in this step refers to executing or simulating the installation and operation of an application in an environment such as a sandbox or virtual machine, and then monitoring and recording various behavioral data of the application during its operation (such as network communication access, file data reading and writing, process operations, etc.). This embodiment uses the KNN (K-Nearest Neighbor algorithm) algorithm to analyze the dynamic behavior of the terminal and its applications. In this embodiment, the training sample set of the KNN classification algorithm includes a malicious sample set and a legitimate sample set. The malicious sample set consists of malicious program samples from mobile terminals on the network (covering malicious behaviors such as sending text messages, making phone calls, stealing privacy, remote control, and privilege escalation), while the legitimate samples are normal applications on mobile terminals.

[0096] 3) Based on the SVM algorithm, monitor the Java layer behavior signature, Native layer behavior signature, Kernel layer behavior signature, Java layer hidden behavior signature, and Native layer hidden behavior signature of the application, calculate the similarity between the static behavior of the application and the reference standard, and classify the application with a similarity exceeding a preset value as a malicious application.

[0097] It should be noted that SVM static behavior analysis refers to scanning application files without running the application, using techniques such as syntax analysis, lexical analysis, data flow analysis, and control flow analysis to generate disassembled code. Reading this disassembled code allows for understanding the program's flow and functionality. This embodiment primarily employs the SVM (Support Vector Machine) algorithm for static behavior analysis, transforming captured static permission behavior samples into sample feature vectors, which are then learned and analyzed using a support vector machine.

[0098] S5. For the malicious applications mentioned above, malicious behavior is intercepted at the Java layer, Native layer and Kernel layer respectively.

[0099] In a more specific step of this embodiment, the malicious behavior interception is as follows:

[0100] 1) Java layer behavior monitoring and interception

[0101] The Java layer behavior monitoring module is mainly implemented using Dalvik virtual machine interception technology. The main principle of Dalvik virtual machine interception technology is to process a Java method into a native method at runtime, causing the virtual machine to abandon the original execution sequence and execute another execution sequence instead, thereby intercepting sensitive Java functions in the target application process or system process and monitoring malicious behavior at the Java layer.

[0102] 2) Native layer behavior monitoring and interception

[0103] Monitoring malicious code behavior at the native layer is achieved through process injection techniques, specifically by intercepting and parsing Binder communication data packets. Binder is an efficient and easy-to-use inter-process communication (IPC) mechanism. It uses a client / server communication model, employs drivers to facilitate inter-process communication, improves performance through shared memory, and provides synchronous inter-process calls.

[0104] 3) Kernel layer behavior monitoring and interception

[0105] The kernel-level behavior monitoring module primarily achieves its functionality by hijacking and replacing system call methods. System calls are a set of calling interfaces provided by the operating system to user programs, through which user programs obtain the services they need from the system kernel. By issuing an explicit request to the kernel via a software interrupt or system call instruction, the kernel will invoke relevant kernel functions to fulfill the request, such as `sys_read()`, `sys_write()`, and `sys_fork()`. User programs cannot directly call these kernel-related functions; these functions run in kernel mode and are used to intercept malicious behavior.

[0106] In a preferred embodiment of the present invention, step S6 is further included: blocking the sensitive data invoked by the malicious application.

[0107] like Figure 4 As shown, in step S6, the specific method for determining whether the data called by the malicious application is sensitive data is as follows: a preset terminal sensitive information database is used as a reference standard; based on the reference standard, the TFIDF algorithm is used to identify whether the data called by the malicious application is sensitive data.

[0108] like Figure 1 As shown in Embodiment 1, the power mobile terminal security monitoring method operates on the following principle: Java layer behavioral signature codes, Native layer behavioral signature codes, and Kernel layer behavioral signature codes are obtained through dynamic monitoring of malicious behavior. These three layers of signature codes are then subjected to cross-behavioral view analysis to obtain Java hidden behavioral signature codes and Native layer hidden behavioral signature codes. These signature codes are stored in a database as the basis for malicious application identification. In the malicious behavior auditing stage, a sample set of malicious and non-malicious applications from the business security threat strategy library is first received for training, serving as a reference standard. Then, the Java layer behavioral signature codes, Native layer behavioral signature codes, Kernel layer behavioral signature codes, Java hidden behavioral signature codes, and Native layer hidden behavioral signature codes in the database are read and classified (malicious and non-malicious) using a similarity-based classification algorithm. The obtained malicious applications are updated in the behavior interception system's list, and a malicious behavior audit report is generated. In the malicious behavior interception stage, based on the pre-set interception list in the terminal business security policy library and the malicious application list updated by the malicious behavior audit, malicious behavior is intercepted and sensitive data calls are blocked at the Java layer, Native layer, and Kernel layer, respectively, and an audit report is finally generated.

[0109] The present invention provides a power mobile terminal security monitoring method based on dynamic auditing of malicious behavior. It comprehensively monitors the power mobile terminal and the applications running on it, as well as the mobile channels used by it. It preprocesses and aggregates the complex and diverse data such as monitored operating indicators, alarm data and log audit data into the background data center, analyzes the malicious behavior audit of the power mobile terminal and the applications running on it, and intercepts malicious behavior by combining the business security threat strategy library.

[0110] Example 2

[0111] like Figure 5As shown, based on the same inventive concept as Embodiment 1, Embodiment 2 also provides a power mobile terminal safety monitoring device, including the following modules:

[0112] The behavior data acquisition module is used to acquire behavior data of applications on the power mobile terminal;

[0113] The feature code generation module is used to generate Java layer behavior feature codes, Native layer behavior feature codes, and Kernel layer behavior feature codes based on the behavior data.

[0114] The analysis and comparison module is used to analyze and compare the Java layer behavior signature code, the Native layer behavior signature code, and the Kernel layer behavior signature code to obtain the Java layer hidden behavior signature code and the Native layer hidden behavior signature code.

[0115] The application category determination module is used to use a preset business security threat policy library as a reference standard, and to perform similarity calculations on the Java layer behavior signature, Native layer behavior signature, Kernel layer behavior signature, Java layer hidden behavior signature, and Native layer hidden behavior signature of the application with the reference standard to determine the category of the application; wherein, the category includes: malicious applications and non-malicious applications;

[0116] The malicious application interception module is used to intercept malicious behaviors of the malicious application from the Java layer, Native layer and Kernel layer respectively;

[0117] The sensitive data blocking module is used to block the access of sensitive data by the malicious application.

[0118] In the signature generation module, the behavioral data is organized into Java layer behavioral signature codes, Native layer behavioral signature codes, and Kernel layer behavioral signature codes according to preset behavioral signature selection rules. In this module, the preset behavioral signature selection rules are defined as follows: Java layer behavioral monitoring includes permission signature codes and behavioral signature codes, while the native and kernel layers include behavioral signature codes and heuristic signature codes.

[0119] In the analysis and comparison module, the cross-view monitoring method is used to analyze and compare the behavior feature codes of the Java layer, the Native layer, and the Kernel layer.

[0120] In the application category determination module, the specific method for determining the application category is as follows:

[0121] Based on the pre-deployed application permission management event chain, the Java layer behavior signature code and Java layer hidden behavior signature code of the application are monitored, the similarity of the application's permissions with the reference standard is calculated, and applications with similarity exceeding a preset value are classified as malicious applications.

[0122] Alternatively, based on the KNN algorithm, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are monitored, and the dynamic behavior of the application is compared with the reference standard to calculate the similarity. Applications with similarity exceeding a preset value are classified as malicious applications.

[0123] Alternatively, based on the SVM algorithm, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are monitored. The static behavior of the application is compared with the reference standard to calculate the similarity. Applications with similarity exceeding a preset value are classified as malicious applications.

[0124] In the sensitive data blocking module, the specific method for determining whether the data called by the malicious application is sensitive data is as follows: a preset terminal sensitive information database is used as a reference standard; based on the reference standard, the TFIDF algorithm is used to identify whether the data called by the malicious application is sensitive data.

[0125] Example 3

[0126] like Figure 6 As shown, based on the same inventive concept as Embodiment 1, Embodiment 3 also provides an electronic device 100 for implementing the power mobile terminal security monitoring method in the above embodiments; the electronic device 100 includes a memory 101, at least one processor 102, a computer program 103 stored in the memory 101 and executable on at least one processor 102, and at least one communication bus 104. The memory 101 can be used to store the computer program 103, and the processor 102 implements the steps of the power mobile terminal security monitoring method described in Embodiment 1 by running or executing the computer program stored in the memory 101 and calling data stored in the memory 101.

[0127] The memory 101 may primarily include a program storage area and a data storage area. The program storage area may store the operating system, application programs required for at least one function (such as sound playback function, image playback function, etc.), etc.; the data storage area may store data created based on the use of the electronic device 100 (such as audio data), etc. In addition, the memory 101 may include non-volatile memory, such as hard disk, RAM, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other non-volatile solid-state storage device.

[0128] At least one processor 102 may be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. Processor 102 may be a microprocessor or any conventional processor. Processor 102 is the control center of electronic device 100, connecting various parts of electronic device 100 via various interfaces and lines.

[0129] The memory 101 in the electronic device 100 stores multiple instructions to implement a power mobile terminal safety monitoring method, and the processor 102 can execute multiple instructions to achieve the following:

[0130] Acquire behavioral data from applications on mobile power terminals;

[0131] Based on the behavioral data, Java layer behavioral feature codes, Native layer behavioral feature codes, and Kernel layer behavioral feature codes are generated.

[0132] By analyzing and comparing the Java layer behavior signature, the Native layer behavior signature, and the Kernel layer behavior signature, the hidden behavior signature of the Java layer and the hidden behavior signature of the Native layer are obtained.

[0133] Using a pre-defined business security threat policy library as a reference standard, the similarity calculation of the application's Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature with the reference standard is performed to determine the category of the application; wherein, the category includes: malicious applications and non-malicious applications;

[0134] For the malicious applications mentioned above, malicious behavior is intercepted at the Java layer, Native layer, and Kernel layer, respectively.

[0135] Example 4

[0136] If the modules / units integrated in the electronic device 100 are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments of the present invention can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include: any entity or device capable of carrying computer program code, recording media, USB flash drives, portable hard drives, magnetic disks, optical disks, computer memory, and read-only memory (ROM).

[0137] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0138] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0139] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0140] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0141] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.

Claims

1. A method for safety monitoring of a mobile power terminal, characterized in that, Includes the following steps: Acquire behavioral data from applications on mobile power terminals; Based on the behavioral data, Java layer behavioral feature codes, Native layer behavioral feature codes, and Kernel layer behavioral feature codes are generated. By analyzing and comparing the Java layer behavior signature, the Native layer behavior signature, and the Kernel layer behavior signature, the hidden behavior signature of the Java layer and the hidden behavior signature of the Native layer are obtained. Using a pre-defined business security threat policy library as a reference standard, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are compared with the reference standard to determine the application's category. The category includes malicious applications and non-malicious applications. The specific method for determining the application's category is as follows: based on the pre-deployed application permission management event chain, the Java layer behavioral signature and Java layer hidden behavioral signature of the application are monitored; the application's permissions are compared with the reference standard to calculate similarity; applications with similarity exceeding a preset value are classified as malicious applications. Alternatively, based on KN... The N algorithm monitors the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application, calculates the similarity between the application's dynamic behavior and the reference standard, and classifies applications with similarity exceeding a preset value as malicious applications; or, based on the SVM algorithm, monitors the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application, calculates the similarity between the application's static behavior and the reference standard, and classifies applications with similarity exceeding a preset value as malicious applications; For the malicious applications mentioned above, malicious behavior is intercepted at the Java layer, Native layer, and Kernel layer, respectively.

2. The power mobile terminal security monitoring method according to claim 1, characterized in that, In the step of obtaining behavioral data of applications on the power mobile terminal, the behavioral data includes: permission feature code, behavioral feature code, and heuristic feature code.

3. The power mobile terminal security monitoring method according to claim 1, characterized in that, In the step of generating Java layer behavior feature codes, Native layer behavior feature codes, and Kernel layer behavior feature codes based on the behavior data, the behavior data is organized into Java layer behavior feature codes, Native layer behavior feature codes, and Kernel layer behavior feature codes according to preset behavior feature selection rules.

4. The power mobile terminal security monitoring method according to claim 1, characterized in that, In the step of analyzing and comparing the Java layer behavioral feature code, the Native layer behavioral feature code, and the Kernel layer behavioral feature code, a cross-view monitoring method is used to analyze and compare the Java layer behavioral feature code, the Native layer behavioral feature code, and the Kernel layer behavioral feature code.

5. The power mobile terminal security monitoring method according to claim 1, characterized in that, Following the step of determining the category of the application, the method further includes the step of blocking the malicious application from accessing sensitive data.

6. The method for security monitoring of mobile power terminals according to claim 5, characterized in that, In the step of blocking the malicious application from accessing sensitive data, the specific method for determining whether the data accessed by the malicious application is sensitive data is as follows: Use the pre-defined terminal sensitive information database as a reference standard; Based on reference standards, the TFIDF algorithm is used to identify whether the data called by the malicious application is sensitive data.

7. A power mobile terminal safety monitoring device, characterized in that, include: The behavior data acquisition module is used to acquire behavior data of applications on the power mobile terminal; The feature code generation module is used to generate Java layer behavior feature codes, Native layer behavior feature codes, and Kernel layer behavior feature codes based on the behavior data. The analysis and comparison module is used to analyze and compare the Java layer behavior signature code, the Native layer behavior signature code, and the Kernel layer behavior signature code to obtain the Java layer hidden behavior signature code and the Native layer hidden behavior signature code. The application category determination module uses a preset business security threat policy library as a reference standard to calculate the similarity between the application's Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature and the reference standard, thereby determining the application's category. The category includes malicious applications and non-malicious applications. The specific method for determining the application's category is as follows: based on a pre-deployed application permission management event chain, the application's Java layer behavioral signature and Java layer hidden behavioral signature are monitored; the application's permissions are calculated for similarity with the reference standard; and applications with similarity exceeding a preset value are classified as malicious applications. Alternatively... Based on the KNN algorithm, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are monitored. The dynamic behavior of the application is compared with the reference standard, and applications with similarity exceeding a preset value are classified as malicious applications. Alternatively, based on the SVM algorithm, the Java layer behavioral signature, Native layer behavioral signature, Kernel layer behavioral signature, Java layer hidden behavioral signature, and Native layer hidden behavioral signature of the application are monitored. The static behavior of the application is compared with the reference standard, and applications with similarity exceeding a preset value are classified as malicious applications. The malicious application interception module is used to intercept malicious behaviors of the malicious application from the Java layer, Native layer and Kernel layer respectively.

8. An electronic device, characterized in that, It includes a processor and a memory, the processor being used to execute a computer program stored in the memory to implement the power mobile terminal security monitoring method as described in any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores at least one instruction, which, when executed by a processor, implements the power mobile terminal security monitoring method as described in any one of claims 1 to 6.