CN104239797B - Active defense method and device - Google Patents

Abstract

The present invention provides an active defense method and device, comprising the following steps: responding to an instruction to run a target application, running a corresponding shell application; using the shell application to load a monitoring unit and the target application successively, and the monitoring unit applies the target application The event behavior is monitored and captured; after the specific event behavior is captured, the event behavior processing strategy is obtained, and the specific event behavior is processed according to the processing strategy. The active defense scheme proposed by the invention requires little modification to the existing system, does not affect the compatibility of the system, and is simple and efficient to implement.

Description

Active defense method and device

technical field

The present invention relates to the field of computer security, specifically, the present invention relates to an active defense method, and correspondingly also relates to an active defense device.

Background technique

Unix-based operating systems, typically represented by Android, are widely used in various mobile communication terminals. Android has a relatively strict user rights management mechanism. By default, users have low rights. To break through the authority restriction, the authority of the system needs to be raised to the highest level, that is, ROOT authorization. After obtaining the highest authority, the user can intercept the malicious behavior of the third-party application and modify the setting items that consume system resources. Therefore, in most cases, the security software on the market needs to be installed on the Android mobile terminal that has obtained ROOT authorization. work to achieve its optimum effect. However, general users do not have high professional knowledge, and may not be able to perform ROOT authorization on their terminals. Even if ROOT authorization is performed, while opening higher permissions for security software, it also gives malicious programs an opportunity to take advantage of. What is even more paradoxical is that some malicious programs can work under non-ROOT conditions, but traditional security defense software will lose its absolute advantage. Therefore, solving the security defense requirements of Android, Ubuntu and other similar systems under non-ROOT conditions has been the direction of the industry's efforts.

Active defense technology is a better solution to meet the above requirements. Active defense is a real-time protection technology based on the independent analysis and judgment of program event behavior. It does not use the virus signature as the basis for judging the virus, but starts from the most original virus definition, and directly uses the behavior of the program as the basis for judging the virus. Active defense is to use software to automatically realize the process of anti-virus engineers analyzing and judging viruses, which solves the disadvantage that traditional security software cannot defend against unknown malware, and technically realizes active defense against Trojan horses and viruses.

Please refer to the patent application published on September 3, 2014 with publication number CN104023122A, which requests protection of a security defense method and device. The basic idea of this solution is to replace the corresponding application program on the current terminal by downloading a pre-customized application program to be injected, and to start the application program to be injected first after the system is restarted, so as to realize active defense. This idea is mainly to solve the problem of how to build a security defense mechanism, and the application to be injected is generated by decompiling, modifying the code and repackaging the current terminal application, that is, using secondary packaging technology. Those skilled in the art can understand that there are deficiencies in this behavior monitoring method that relies on comprehensive secondary packaging of the application program, which is manifested in the following aspects:

First, the installation failure rate is high. In fact, more and more applications already have the immunity to prevent secondary packaging. If the application has already made immune settings to prevent secondary packaging, then forcibly injecting monitoring code into the target application will cause the target If the application cannot be installed, or crashes abnormally after installation, the success rate of constructing an active defense environment is low.

Secondly, there is an inherent deficiency of incomplete monitoring. The hook function constitutes a part of the application program, and malicious programs can use technologies such as reflection calls in the JAVA reflection mechanism and JNI native calls (Native) to evade this defense mechanism.

In addition, the degree of granularity of monitoring is not high. After secondary packaging, the monitoring object is often limited to the application itself, and it is difficult to specify fine behaviors, such as SMS operations, contact access or deletion operations, URL access operations, derivative operations, installation operations, child operations, etc. Detailed monitoring of specific behaviors such as process intrusion.

Based on the above analysis, it can be seen that there is still a lot of room for improvement in the research on active defense technology in the industry.

Contents of the invention

The primary purpose of the present invention is to realize more efficient active security defense under the ROOT-free condition, thereby providing an active defense method.

Another object of the present invention is to provide an active defense device in conjunction with the primary object.

In order to realize the above-mentioned purpose of the present invention, the present invention provides following technical scheme:

A kind of active defense method provided by the present invention comprises the following steps:

Responding to an instruction to run a target application, run a corresponding shell application;

The monitoring unit and the target application are successively loaded by the shell application, and the monitoring unit monitors and captures the event behavior of the target application;

After the specific event behavior is captured, an event behavior processing strategy is obtained, and the specific event behavior is processed according to the processing strategy.

In addition, the following pre-step is included: a shortcut is provided in the graphical user interface for acquiring the instruction for running the target application, and the icon of the shortcut is modified from a default icon of the target application.

Specifically, the monitoring unit invokes a hook plug-in to hook a specific event directly or indirectly triggered by the target application process at runtime, so as to monitor the target application.

Specifically, the monitoring unit obtains the hook plug-in corresponding to a specific event behavior from a remote plug-in interface.

Specifically, the monitoring unit monitors the event behavior triggered by the target application process, and when the monitoring unit monitors the event behavior triggered by the target application process to release the sub-process, the monitoring unit is loaded for the sub-process to continue monitoring the event behavior triggered by the sub-process .

Specifically, the monitoring unit realizes the hooking by injecting an inline hook into the subprocess of the target application.

Preferably, the event behavior monitored by the monitoring module includes any one or more of the following behavior types: obtaining operator information, APN operation, notification column advertisement operation, obtaining mobile phone identification code operation, creating shortcuts, making phone calls Operation, text message insertion or deletion operation, contact insertion or deletion operation, URL access operation, sub-process intrusion operation, application loading operation, command operation, derivative operation, activation device manager operation.

Further, when the monitoring module monitors that the target application triggers the event behavior of generating derivatives, it obtains the processing rules for the derivatives through the remote rule base interface and processes the derivatives.

Further, the method includes the step of registering a preset interactive module as a system service, the shell application communicates with the interactive module through its built-in interactive interface, and realizes human-computer interaction by popping a window to the user interface through the interactive module.

Specifically, the shell application dynamically loads the target application in a JAVA reflective calling manner.

Further, after the event behavior is captured, the processing strategy for the event behavior is acquired in at least one of the following ways:

Alerting the user interface with a pop-up window, receiving user instructions to obtain the processing strategy;

Retrieving the corresponding processing policy from the local policy database;

Send a request to the cloud through the remote policy interface and obtain the corresponding feedback processing policy.

In addition, the following steps are further included: downloading the cloud policy database and updating the local policy database, the local policy database is used to provide a processing policy corresponding to a specific event behavior of a specific target application.

A kind of active defense device provided by the present invention, it comprises:

A startup module, configured to run a corresponding shell application in response to an instruction to run the target application;

A security module, which utilizes the shell application to successively load the monitoring unit and the target application, and the monitoring unit monitors and captures the event behavior of the target application;

The processing module is configured to obtain an event behavior processing strategy after the specific event behavior is captured, and process the specific event behavior according to the processing strategy.

Further, it also includes:

A shortcut, which is placed in the graphical user interface, is used to obtain the instruction for running the target application, and the icon of the shortcut is modified from the default icon of the target application.

Specifically, the monitoring unit invokes a hook plug-in for hooking a specific event directly or indirectly triggered by the target application process at runtime, so as to monitor the target application.

Specifically, the monitoring unit obtains the hook plug-in corresponding to a specific event behavior from a remote plug-in interface.

Further, the monitoring unit monitors the event behavior triggered by the target application process, and when the monitoring unit monitors the event behavior triggered by the target application process to release the sub-process, loads the monitoring unit for the sub-process to continue monitoring the event behavior triggered by the sub-process.

Specifically, the monitoring unit realizes the hooking by injecting an inline hook into the subprocess of the target application.

Preferably, the event behavior monitored by the monitoring module includes any one or more of the following behavior types: obtaining operator information, APN operation, notification column advertisement operation, obtaining mobile phone identification code operation, creating shortcuts, making phone calls Operation, text message insertion or deletion operation, contact insertion or deletion operation, URL access operation, sub-process intrusion operation, application loading operation, command operation, derivative operation, activation device manager operation.

Further, when the monitoring module monitors that the target application triggers the event behavior of generating derivatives, it obtains the processing rules for the derivatives through the remote rule base interface and processes the derivatives.

In addition, the device includes an interaction module, which is registered as a system service, and the shell application communicates with the interaction module through its built-in interaction interface, and realizes human-computer interaction by popping a window to the user interface through the interaction module.

Further, the security module includes a configuration module, configured to dynamically load the target application through JAVA reflective calling.

In addition, said processing policy for event behavior is provided by one of the following policy generating means:

It is used to alert the user interface with a pop-up window, and receive user instructions to obtain the processing strategy;

Used to retrieve the corresponding processing policy from the local policy database;

The processing strategy used to send requests to the cloud through the remote strategy interface and obtain corresponding feedback.

Further this device also includes:

The update module is used to download the cloud policy database and update the local policy database, and the local policy database is used to retrieve the processing policy corresponding to the specific event behavior of the specific target application.

Compared with the prior art, the present invention has at least the following advantages:

1. Realized dynamic active defense. The present invention proposes a solution for constructing an active defense environment with the target application as the basic unit. After the target application is installed in real time, or by identifying the user's selection of the target program that needs to establish an active defense mechanism, the target application Construct a shell application disguised as the target application, and then load the monitoring unit and the real target application by the shell application, and establish a defense mechanism for the target application in a timely and dynamic manner, and then use the operation of this shell application to implement active defense. This process does not require ROOT authorization for the system, does not depend on network conditions, and does not depend on signature-based virus databases, so it truly realizes active defense against target applications.

2. The established active defense mechanism is safe and effective. As mentioned above, when the present invention constructs the shell application, it is constructed according to the installation package of the target application, and the installation package of the target application itself is safely stored. Thus, on the one hand, the present invention does not change the code and configuration of the target application to be run, so the target application can meet the self-verification requirements, and the shell application is regarded as the target application and exists legally; on the other hand, even Malicious target applications try to use the JAVA reflection mechanism to avoid detection, and it is difficult to escape the observation of the monitoring unit; on the other hand, the monitoring unit can also monitor the event behavior of the real target program, and use the identity of an observer to comprehensively Monitor all event behaviors of the target application, respond to various specific event behaviors in a timely manner, break through the limitations of the JVM, and monitor Java functions, JNI functions, and system function calls, which is obviously more comprehensive.

3. Realize fine monitoring of the target application. Since the monitoring unit can monitor all event behaviors of the target application, and monitor various function calls without hindrance, the present invention can not only realize the concrete monitoring of conventional applications including telephone calls, short messages, contacts, etc. The monitoring of operation behavior can also realize the monitoring of high-end event behaviors such as derivatives (installation packages), privilege escalation commands, application loading, etc., and its monitoring effect is more comprehensive, specific and effective.

In combination with the above analysis, it can be seen that the above solution proposed by the present invention has little modification to the existing system, does not affect the compatibility of the system, and is simple and efficient to implement.

Additional aspects and advantages of the invention will be set forth in part in the description which follows, and will become apparent from the description, or may be learned by practice of the invention.

Description of drawings

The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, wherein:

Fig. 1 is a schematic diagram of the principle of a typical embodiment of a ROOT-free active defense configuration method of the present invention;

Fig. 2 is a schematic diagram of the principle of the process of configuring the installation original package into a shell application in the ROOT-free active defense configuration method of the present invention;

3 is a schematic structural diagram of a ROOT-free active defense configuration device of the present invention;

FIG. 4 is a schematic diagram of a typical embodiment of an active defense method of the present invention;

5 is a schematic diagram of the principle of monitoring the event behavior of the target application by using the operation of the shell application in the active defense method of the present invention;

6 is a schematic diagram of the principle of processing captured events in the active defense method of the present invention;

Fig. 7 is a schematic structural view of an active defense device of the present invention;

Fig. 8 is one of the user interfaces of a program example implemented according to the present invention, which is used to display the bullet box interaction function after the undefended application is found;

9 is one of the user interfaces of a program example implemented according to the present invention, which is used to display a list of scanned applications and provide the user with a selection area for determining the target application;

Fig. 10 is one of the user interfaces of a program example implemented according to the present invention, which is used to display the default processing strategy of all event behaviors of a single application, and provides the user with the option to modify the processing strategy;

Figure 11 is one of the user interfaces of a program example implemented according to the present invention, which is used to show the human-computer interaction effect after event behavior interception, specifically intercepting the event behavior of sending short messages;

Fig. 12 is one of the user interfaces of a program example implemented according to the present invention, which is used to display the human-computer interaction effect after event behavior interception, specifically intercepting the event behavior of inserting short messages.

detailed description

Embodiments of the present invention are described in detail below, examples of which are shown in the drawings, wherein the same or similar reference numerals designate the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the figures are exemplary only for explaining the present invention and should not be construed as limiting the present invention.

Those skilled in the art will understand that unless otherwise stated, the singular forms "a", "an", "said" and "the" used herein may also include plural forms. It should be further understood that the word "comprising" used in the description of the present invention refers to the presence of said features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, Integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Additionally, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The expression "and/or" used herein includes all or any elements and all combinations of one or more associated listed items.

Those skilled in the art can understand that, unless otherwise defined, all terms (including technical terms and scientific terms) used herein have the same meaning as commonly understood by those of ordinary skill in the art to which this invention belongs. It should also be understood that terms, such as those defined in commonly used dictionaries, should be understood to have meanings consistent with their meaning in the context of the prior art, and unless specifically defined as herein, are not intended to be idealized or overly Formal meaning to explain.

Those skilled in the art can understand that the "terminal" and "terminal equipment" used here not only include wireless signal receiver equipment, which only has wireless signal receiver equipment without transmission capabilities, but also include receiving and transmitting hardware. A device having receiving and transmitting hardware capable of performing bi-directional communication over a bi-directional communication link. Such equipment may include: cellular or other communication equipment, which has a single-line display or a multi-line display or a cellular or other communication equipment without a multi-line display; PCS (Personal Communications Service, personal communication system), which can combine voice, data Processing, facsimile and/or data communication capabilities; PDA (Personal Digital Assistant, Personal Digital Assistant), which may include radio frequency receiver, pager, Internet/Intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System (Global Positioning System) receiver; a conventional laptop and/or palmtop computer or other device having and/or including a radio frequency receiver. As used herein, a "terminal", "terminal device" may be portable, transportable, installed in a vehicle (air, sea, and/or land), or adapted and/or configured to operate locally, and/or In distributed form, the operation operates at any other location on Earth and/or in space. The "terminal" and "terminal equipment" used here can also be communication terminals, Internet terminals, music/video playback terminals, such as PDAs, MIDs (Mobile Internet Devices, mobile Internet devices) and/or with music/video playback terminals. Functional mobile phones, smart TVs, set-top boxes and other devices.

Those skilled in the art can understand that the remote network device used here includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here, the cloud is composed of a large number of computers or network servers based on cloud computing (Cloud Computing), wherein cloud computing is a kind of distributed computing, a super virtual computer composed of a group of loosely coupled computer sets. In the embodiment of the present invention, the communication between the remote network equipment, the terminal equipment and the WNS server can be realized through any communication method, including but not limited to, mobile communication based on 3GPP, LTE, WIMAX, based on TCP/IP, UDP protocol Computer network communication and short-distance wireless transmission methods based on Bluetooth and infrared transmission standards.

Those skilled in the art should understand that the concepts of "application", "application program", "application software" and similar expressions referred to in the present invention are the same concepts well known to those skilled in the art, and refer to a series of computer instructions and related Computer software that is organically constructed from data resources and suitable for electronic operation. Unless otherwise specified, this naming itself is not limited by the type of programming language, level, or the operating system or platform on which it runs. Naturally, such concepts are also not limited by any form of terminal. Similarly, there is a corresponding relationship between the "target application" and "installation package" mentioned in the present invention, and the installation package is the file existence form of the target application.

The ROOT-free active defense configuration method of the present invention is mainly used to construct a security defense environment for application programs for the operating system, so as to realize active defense without affecting the normal operation of the application programs. Therefore, the present invention will provide a typical embodiment to illustrate the basic realization of the method. Correspondingly, the application program applying the above-mentioned ROOT-free active defense configuration method uses the mechanism of the configuration method to work, and also includes a corresponding active defense method to the former. For the convenience of description, the following will take the Unix-based Android operating system and its application program as an example to describe the implementation of the above two methods and their corresponding devices in detail.

The environment to which the method of the present invention is applied includes a mobile terminal capable of communicating with a remote server or a cloud, the mobile terminal is installed with an Android operating system, and the system is in a state without ROOT authorization. It should be pointed out that even if the operating system is in a ROOT authorized state, the various methods described in the present invention are still applicable to the operating system. That is to say, the implementation of various methods of the present invention is not limited by whether the operating system opens the highest authority.

Please refer to the schematic diagram of Figure 1, which discloses a typical embodiment of the ROOT-free active defense configuration method, including the following major steps:

S11. Determine the target application, and save its installation package to a designated directory.

The target application described above, that is, the target application program that needs to construct an active defense environment, is generally applicable to third-party applications for the specific Android system in a non-ROOT authorized environment due to permission restrictions.

The designated directory referred to in the present invention refers to the self-defined default directory provided by the present invention for the purpose of constructing an active defense environment for these needs in consideration of file organization and management efficiency, and all target applications that have established an active defense environment through the present invention The installation package can be moved or copied and saved to the specified directory, and it can be encrypted or hidden further to ensure its security. It should be pointed out that the specified directory here may also be a directory that already exists in the system. It can be either a single directory or multiple directories. In a nutshell, it is the directory used by the present invention for storing the target application installation package constructed by the present invention to construct the active defense environment.

The determination and processing of the target application is very flexible. The following provides several implementation methods for determining the target application and subsequent processing:

method one:

For the application programs that have been installed, the present invention can automatically or be controlled by user instructions to scan these installed application programs, obtain the installation information of these application programs, and display these application programs as a list of candidate target applications in the user interface (Refer to FIG. 9 ), provide corresponding selection switches for each candidate target application in the list in the corresponding indication area of the graphical user interface, and set the state of these switches by the user, so as to obtain the determination of the specific target application by the user . Specifically, the user can switch the selection switch in the indication area corresponding to a certain target application from the unselected state to the selected state, as shown in the example of the two-state switch of "monitored" and "click to monitor" in Figure 9 , in this case, it can be considered that the user has completed the determination operation of the target application.

As we all know, in the Android system, the installation of third-party applications will involve the following operations on the following directories: data/app, the third-party application installation directory, first copy the apk file to this directory during installation; data/dalvik-cache, copy the apk The decompressed code file (.dex file) is installed in this directory; data/data is used to create and store the data required by the application. Based on the above principles, it can be seen that the apk file of the third-party application is its installation package, which can be found in data/app. Therefore, for an installed target application, the corresponding apk file can be copied from data/app to a specified directory, and then the target application can be uninstalled.

Method 2:

Referring to FIG. 8 , for an application program that is about to be installed or is being installed, the present invention can obtain the installation broadcast information of the application program by registering itself as a default installer. Then, the newly installed application is used as the target application, and the characteristic information such as its installation package or signature is sent to the cloud server through the remote rule base interface, and the cloud server makes a security judgment on it. In one embodiment, the cloud server sets three levels for the security level of the application program: black, gray, and white, respectively representing different risk levels, and sets corresponding processing rules. For example, black apps are prohibited from being installed, gray apps are selected by the user, and white apps can be installed directly. Of course, it can be further simplified into gray and white, or into black and white. Those skilled in the art are familiar with this cloud control technology of the server, which will be further briefly disclosed later. In any case, the present invention will obtain feedback from the cloud server on the processing rules of these applications from the local remote rule base interface, and use the feedback results to make corresponding follow-up processing. Specifically, when a black application identification is returned for the current target application, the installation of the target application can be stopped immediately; when the identification is a white application or a gray application, the installation can be released. For the sake of interactivity, after the remote judgment is completed, the present invention will remind the user of the judgment result in a pop-up window on the user interface, and display corresponding processing suggestions, asking the user whether to confirm the construction of an active defense environment for the current newly installed application, from which the user can determine After the active defense identification is performed on the currently newly installed target application, the target application is determined.

Similarly, after the user determines the target application, the present invention will store the installation package of the target application in the specified directory. In addition, considering that the present invention will construct an active defense environment for the determined target application, the present invention will immediately stop the installation of the target application, and the operation of stopping the installation can occur before the user determines the target application. After.

Other workarounds:

The two typical methods for determining the target application provided above can be utilized by those skilled in the art. For example, for the installed target application in the first method, the installed application can be sent to the cloud through the remote rule base interface in the second method to judge the security level, and after returning the result, refer to the processing method in the second method to The installed app is processed. For another example, if the current application is a black application and the user still wants to install the application, the user may still be allowed to keep the installed application under the premise of establishing an active defense environment, or allow the corresponding newly installed application to continue to be installed.

The two typical ways of determining the target application and their alternatives disclosed above are enough for those skilled in the art to understand that the first step of the active defense configuration method of the present invention involves multiple ways of determining the target application and how to obtain the target application. A variety of implementations of determining the installation package of the target application and saving it in a specified directory.

S12. Using the installation package of the target application to configure the installation package of the shell application.

After determining the target application that needs to construct an active defense environment, further create a shell application. Please refer to Figure 2, the creation of the shell application includes the following specific steps:

S121. Parse the target application installation package, and generate a shell application image.

As we all know, the target application installation package is a compressed file, and the files in it can be obtained by decompressing the installation package. Preferably, the target application installation package is decompressed to a temporary working directory to complete the decompression work. After decompression, each file in the target application installation package can be parsed. In another manner, the target application installation package may also be directly parsed in memory. In any case, those skilled in the art can parse the target application in a known manner, obtain relevant parameters and resources for configuring the shell application, and generate a shell application image accordingly. The image can be either a hard disk image or a memory image, and its function is to appear as an intermediate state during the construction of the shell application process, so its specific form of existence should not affect the realization of the present invention, and those skilled in the art can flexibly combine common knowledge Work around it, so I won’t repeat it below. S122. Modify or replace the code file in the image to inject the stub module.

As known, the constituent files of the apk installation package include the code file Classes.dex. In the present invention, by means of modification or replacement, a new Classes.dex is constructed for the shell application image, so that the new file includes the stub module nStub provided by the present invention. The stub module loads the monitoring unit 14 realized by using HOOK technology, so that the monitoring unit 14 can monitor and capture the event behavior of the process created by the target application 15 during operation.

S123. Modify the configuration parameters of the configuration file in the image, so as to load the target application 15 in the specified directory.

Similarly, the configuration file of the installation package also includes the configuration file Androidmanifest.xml, which is modified to modify the configuration information of the target application 15 in the shell application image correspondingly, so that it is suitable for loading the target application 15 in the specified directory. In addition, the present invention uses the Java reflection calling mechanism to replace the runtime configuration information involved in LoadApk and ActivityThread with the ClassLoader and resources of the target application 15 installation package in the specified directory, thereby realizing the loading of the target application 15 by the shell application at runtime .

In addition, the icon, as a resource that can be recognized by man and machine, is also modified as one of the configuration files in the present invention. In order to make the icon easier to identify, the present invention uses the original icon of the target application 15 as a draft, adds a stamp to it, and saves and replaces the original icon with the original file name, so that after the shell application is installed, it can be identified by the stamp for the user It is a defended application. The same target application 15 may include multiple icon resources, and only the main icon used by the target application 15 may be modified, or multiple or all icons contained in it may be modified similarly.

S124 , completing the encapsulation of the shell application.

This sub-step is a conventional step known to those skilled in the art. After completing the above modification, the shell application image is packaged and signed, and the package of the shell application can be completed. When signing, referring to known methods, the mobile phone identification code IME can be used, or a random code can be used to sign.

After the above four sub-steps, a corresponding shell application installation package can be constructed based on the target application 15 installation package. It can be understood that the shell application is a light application with a small volume, and its function is mainly manifested in sequentially loading the monitoring unit 14 and the target application 15 . During operation, the monitoring unit 14 is first loaded by the stub module, and after loading, it starts to hook all or part of the specified event behaviors of the subsequently loaded target application 15, which is actually equivalent to handing over the control of the event behavior of the target application 15 to Monitoring unit 14 hands.

It should be pointed out that the monitoring unit 14 is realized by obtaining a hook plug-in corresponding to a specific event behavior from a background sandbox HOOK framework, and using the hook plug-in to monitor the specific event behavior of the target application 15 . The background sandbox HOOK framework is centrally managed in the cloud and distributed to each terminal. Among them, the main structure of the cloud is the Java hook plug-in library and the Native hook plug-in library. The monitoring unit 14 can send a request to the background sandbox HOOK framework through the remote plug-in interface to obtain a HOOK function for a specific event behavior, that is, the hook plug-in, so as to establish monitoring capture and processing of a specific event behavior.

Since the loading of the monitoring unit 14 and the target application 15 are both driven by the shell application process, and the monitoring unit 14 is loaded before the target application 15, the monitoring unit 14 can theoretically monitor all event behaviors of the target application 15. The following outlines several typical event behaviors and their capture instances:

(1) Operations related to terminal and networking:

Obtaining operator information: the target application 15 can obtain the IMSI of the mobile terminal, for example, through the getSimOperatorName() function, thereby further determining the name of the operator, and further sending an agreed command to the operator to achieve illegal purposes such as deduction. The monitoring platform can capture the event behavior by hooking the related messages.

APN switching operation: Similarly, the target application 15 realizes the operation of ANP switching control through functions related to APN switching, and can also be monitored by the monitoring unit 14 by calling the corresponding hook plug-in.

Similar operations also include the operation of obtaining the mobile phone identification code IME, which is also the same as above.

(2) Notification bar advertisement operation: Notification bar advertisement is the method most likely to be used by malicious programs. The monitoring unit 14 can monitor the event message generated by the notify function by calling the corresponding hook plug-in, and can also monitor it.

(3) Communication operation:

For example, the call operation can monitor the event behavior of the call through the StartActivity() function, and use the corresponding hook plug-in to establish event behavior monitoring for the call operation.

SMS operation corresponds to functions such as SendTextMessage(). Similarly, event behavior monitoring can be established for such functions with the help of hook plug-ins.

Contact operation: generally corresponds to the Query() and Insert() functions, and the monitoring unit 14 can monitor and capture such event behaviors by hooking such functions with hook plug-ins.

(4) Command operation:

For example, the SU privilege escalation operation or command execution operation requires the Execve() function, and the monitoring unit 14 can monitor the behavior of such events by monitoring the return message of this function.

(5) Interface and access operations:

For example, the event behavior of creating a shortcut corresponds to the SentBroacast() function. Similarly, for the operation of hiding the program icon, it can also be monitored corresponding to a specific function.

Such as HTTP network access operations, corresponding to Sentto (), Write () and other functions.

(6) Program operation:

For example, an application loading operation refers to an operation in which the current target application 15 loads a related application. By hooking and monitoring functions such as dexclassloader() and loadlibrary(), such event behaviors can be captured.

Another example is installing a subpackage, which corresponds to the StartActivity() function.

(7) Other dangerous operations:

For example, child process intrusion operation, derivative operation, activate device manager operation, etc., correspond to respectively.

Wherein, the sub-process refers to the sub-process created by the target application 15. When the target application 15 creates a sub-process, the monitoring unit 14 will receive a corresponding message and determine the event behavior of creating the sub-process. Thus, the monitoring unit 14 further implants the monitoring unit 14 into the sub-process in the form of an inline hook, and then the event behavior of the sub-process can be continuously monitored. Therefore, whether it is the target application 15's own process or its created sub-processes, the event behaviors triggered directly or indirectly by them can be monitored by the monitoring unit 14 of the present invention, so that the active defense effect is better.

The derivative refers to a file created by the target application 15 itself, or a file downloaded remotely, and usually refers to a sensitive derivative, such as an installation package. This event can be captured by hooking the fclose() function. It should be pointed out that after the monitoring unit 14 captures the event behavior, it can further use the remote rule base interface to send a request to the cloud according to the aforementioned method, and the cloud can use its black, white, and gray security level behavior rules to judge the derivative. After obtaining the cloud judgment result through the remote rule library interface, the present invention further pops up a window to ask the user whether to establish an active defense against the sensitive derivative, thereby further consolidating the effect of active defense.

The above-mentioned event behaviors are only used for excerpts, and should not be construed as limitations on the event behaviors monitored by the present invention. In combination with the above classification of event behaviors, it can be known that the monitoring unit 14 of the present invention can monitor the event behaviors originating from the target application 15 , no matter the event behaviors triggered directly or indirectly by the target application 15 .

The file name of the installation package of the shell application of the present invention is completely consistent with the file name of the installation package of the target application 15 , therefore, it can be seen that the shell application constitutes a disguised application of the target application 15 . The shell application is small in size, its construction process is relatively fast, and its construction and operation process is relatively transparent to users, and basically does not affect the installation and operation efficiency of the target application 15 when constructing an active defense environment.

In addition, in order to facilitate user interaction, the present invention is also equipped with an interactive interface for the shell application. Through this interactive interface, messages can be sent to pre-registered system services, and user instructions can be inquired from the pop-up window of the user interface through the system services, and the system services can obtain After the user command returns to the process of the shell application, the shell application can perform the above-mentioned series of follow-up processing according to the user command, and this follow-up processing part will be disclosed in detail in the subsequent part related to the active defense method.

S13. Install the shell application.

After completing the construction of the shell application, the present invention installs the shell application, and then, the target application 15 has the aforementioned active defense environment. When the user runs the target application 15, he will be directed to the file with the same name as the running file. The shell application, once the shell application runs, can realize active defense against the target application 15 .

Since the application environment of the method of the present invention is a non-ROOT authorized environment, some permissions are limited. In this case, if the installed target application 15 is not uninstalled, an interface for uninstalling the target application 15 will pop up first to guide the user to uninstall. The target application 15 has been installed; then an interface for installing the shell application pops up to guide the customer to install the shell application. Of course, if the system has been authorized by ROOT, the method of the present invention can directly uninstall the old application and then install the shell application.

It needs to be further emphasized that the sub-steps of uninstalling the target application 15 mentioned above, as described in this step, can be processed later as needed, and the timing of the uninstallation does not affect the implementation of the method of the present invention.

The above only illustrates the active defense configuration method of the present invention, and further, the active defense configuration method can be used to construct a corresponding active defense configuration device.

Please refer to Figure 3, the ROOT-free active defense configuration device of the present invention has a strict correspondence with the aforementioned configuration method, including a determination device 11, a construction device 12, and an installation device 13, as follows:

The determining means 11 is configured to determine the target application 15, and save the installation package of the target application 15 to a designated directory.

The target application 15, that is, the target application 15 program that needs to construct an active defense environment, is generally applicable to third-party applications for the specific Android system in a non-ROOT authorized environment due to permission restrictions.

The designated directory referred to in the present invention refers to the self-defined default directory provided by the present invention for the purpose of constructing an active defense environment for these needs in consideration of file organization and management efficiency. All target applications that have established an active defense environment through the present invention15 All installation packages can be moved or copied to the specified directory, and further encrypted or hidden to ensure its security. It should be pointed out that the specified directory here may also be a directory that already exists in the system. It can be either a single directory or multiple directories. In a nutshell, it is the directory used by the present invention to store the installation package of the target application 15 constructed by the present invention to construct the active defense environment.

The configuration of the determination device 11 is very flexible, and several implementations of the configuration of the determination device 11 are provided below:

method one:

For the application programs that have been installed, the present invention can scan these installed application programs automatically or controlled by user instructions, obtain the installation information of these application programs, and use these application programs as candidate target applications through a selection unit 15 The list is displayed in the user interface as shown in Figure 9, and a corresponding selection switch is provided for each candidate target application 15 in the list in the corresponding indication area of the graphical user interface, and the state of these switches is set by the user, thereby A user's determination of a specific target application 15 is obtained. Specifically, the user can switch the selection switch in the indication area corresponding to a certain target application 15 from the unselected state to the selected state. In this case, it can be considered that the user has completed the target application 15 confirm operation.

As we all know, in the Android system, the installation of third-party applications will involve the following operations on the following directories: data/app, the third-party application installation directory, first copy the apk file to this directory during installation; data/dalvik-cache, copy the apk The decompressed code file (.dex file) is installed in this directory; data/data is used to create and store the data required by the application. Based on the above principles, it can be seen that the apk file of the third-party application is its installation package, which can be found in data/app. Therefore, for the installed target application 15, the present invention further constructs a processing unit for the determining device 11, which copies the corresponding apk file from data/app to the designated directory, and then uninstalls the target application 15.

Method 2:

Referring to FIG. 8 , for an application program that is about to be installed or is being installed, the present invention can register itself as a default installer, and obtain the installation broadcast information of the application program through a selected unit. Then, take this newly installed application program as the target application 15, and send its feature information such as its installation package or signature to the cloud server through the remote rule base interface, and the cloud server makes a security judgment on it. In one embodiment, the cloud server sets three levels for the security level of the application program: black, gray, and white, respectively representing different risk levels, and sets corresponding processing rules. For example, black apps are prohibited from being installed, gray apps are selected by the user, and white apps can be installed directly. Of course, it can be further simplified into gray and white, or into black and white. Those skilled in the art are familiar with this cloud control technology of the server, so details are not repeated here. In any case, the present invention will obtain feedback from the cloud server on the processing rules of these applications from the local remote rule base interface, and use the feedback results to make corresponding follow-up processing. Specifically, when the black application identification is returned for the current target application 15, the installation of the target application 15 can be stopped immediately; when the identification is a white application or a gray application, the installation can be released. For the sake of interactivity, after the remote judgment is completed, the present invention will remind the user of the judgment result in a pop-up window on the user interface, and display corresponding processing suggestions, asking the user whether to confirm the construction of an active defense environment for the current newly installed application, from which the user can determine After actively defending the currently newly installed target application 15, the target application 15 is determined.

Similarly, after the user determines the target application 15, the present invention will store the installation package of the target application 15 in the specified directory. In addition, considering that the present invention will subsequently construct an active defense environment for the determined target application 15, the present invention will immediately stop the installation of the target application 15 by a processing unit. Before the target application 15 can also happen after.

Other workarounds:

The two typical methods for determining the target application 15 provided above can be utilized by those skilled in the art. For example, for the installed target application 15 in the first method, the installed application in the second method can be sent to the cloud through the remote rule base interface for security level judgment, and after returning the result, refer to the processing method in the second method, Process installed applications. For another example, if the current application is a black application and the user still wants to install the application, the user may still be allowed to keep the installed application under the premise of establishing an active defense environment, or allow the corresponding newly installed application to continue to be installed.

The two typical configurations of the determining device 11 and their alternatives disclosed above are sufficient for those skilled in the art to understand that the determining device 11 of the active defense configuration device of the present invention involves multiple ways of determining the target application 15, and How to obtain the installation package of the determined target application 15 and save it in a designated directory in various ways.

The construction device 12 uses the installation package of the target application 15 to configure the installation package of the shell application.

After determining the target application 15 that needs to construct an active defense environment, a shell application is further created. The construction device 12 includes a parsing unit, a code unit, a configuration unit and an encapsulation unit, and the function realization of these units is disclosed in detail below:

The parsing unit is configured to parse the installation package of the target application 15 to generate a shell application image.

As we all know, the installation package of the target application 15 is a compressed file, and the files in it can be obtained by decompressing the installation package. Preferably, the target application 15 installation package is decompressed to a temporary working directory to complete the decompression work. After decompression, each file in the target application installation package can be parsed. In another manner, the target application installation package may also be directly parsed in memory. In any case, those skilled in the art can parse the target application in a known manner, obtain relevant parameters and resources for configuring the shell application, and generate a shell application image accordingly.

The code unit is used to modify or replace the code file in the image to inject the stub module.

As known, the constituent files of the apk installation package include the code file Classes.dex. In the present invention, a new Classes.dex is constructed through modification or replacement, so that the new file includes the stub module nStub provided by the present invention. The stub module loads the monitoring unit 14 realized by using HOOK technology, so that the monitoring unit 14 can monitor and capture the event behavior of the process created by the target application 15 during operation.

The configuration unit is used to modify the configuration parameters of the configuration file in the image, so as to load the target application 15 in the specified directory.

Similarly, the configuration file of the installation package also includes the configuration file Androidmanifest.xml, which is modified to modify the configuration information of the target application 15 in the shell application image correspondingly, so that it is suitable for loading the target application 15 in the specified directory. In addition, the present invention uses the Java reflection calling mechanism to replace the runtime configuration information involved in LoadApk and ActivityThread with the ClassLoader and resources of the target application 15 installation package in the specified directory, thereby realizing the loading of the target application 15 by the shell application at runtime .

In addition, the icon, as a resource that can be recognized by man and machine, is also modified as one of the configuration files in the present invention. In order to make the icon easier to identify, the present invention uses the original icon of the target application 15 as a draft, adds a stamp to it, and saves and replaces the original icon with the original file name, so that after the shell application is installed, it can be identified by the stamp for the user It is a defended application. The same target application 15 may include multiple icon resources, and only the main icon used by the target application 15 may be modified, or multiple or all icons contained in it may be modified similarly.

The encapsulation unit is used to complete the encapsulation of the shell application.

The function implementation of the encapsulation unit should be understood by those skilled in the art. After completing the above modifications, package and sign the shell application image to complete the packaging of the shell application. When signing, referring to known methods, the mobile phone identification code IME can be used, or a random code can be used to sign.

By executing the construction device 12, a corresponding shell application installation package can be constructed based on the target application 15 installation package. It can be understood that the shell application is a light application with a small volume, and its function is mainly manifested in sequentially loading the monitoring unit 14 and the target application 15 . During operation, the monitoring unit 14 is first loaded by the stub module, and after loading, it starts to hook all or part of the specified event behaviors of the subsequently loaded target application 15, which is actually equivalent to handing over the control of the event behavior of the target application 15 to Monitoring unit 14 hands.

It should be pointed out that the monitoring unit 14 is realized by obtaining a hook plug-in corresponding to a specific event behavior from a background sandbox HOOK framework, and using the hook plug-in to monitor the specific event behavior of the target application 15 . The background sandbox HOOK framework is centrally managed in the cloud and distributed to each terminal. Among them, the main structure of the cloud is the Java hook plug-in library and the Native hook plug-in library. The monitoring unit 14 can send a request to the background sandbox HOOK framework through the remote plug-in interface to obtain a HOOK function for a specific event behavior, that is, the hook plug-in, so as to establish monitoring capture and processing of a specific event behavior.

Since the loading of the monitoring unit 14 and the target application 15 are both driven by the shell application process, and the monitoring unit 14 is loaded before the target application 15, the monitoring unit 14 can theoretically monitor all event behaviors of the target application 15.

The events and behaviors processed by the monitoring unit 14 in the active defense configuration device of the present invention are closely related to the above-mentioned active defense configuration method, so they are not described in detail.

Similarly, the file name of the installation package of the shell application in the present invention is completely consistent with the file name of the installation package of the target application 15 , therefore, it can be seen that the shell application constitutes a disguised application of the target application 15 . The shell application is small in size, and its construction process is relatively fast. The construction and operation process is relatively transparent to users, and basically does not affect the installation and operation efficiency of the target application 15 when constructing an active defense environment.

In addition, in order to facilitate user interaction, the present invention is also equipped with an interactive interface for the shell application. Through this interactive interface, messages can be sent to pre-registered system services, and user instructions can be inquired from the pop-up window of the user interface through the system services, and the system services can obtain After the user command returns to the process of the shell application, the shell application can perform the above-mentioned series of follow-up processing according to the user command, and this follow-up processing part will be disclosed in detail in the subsequent part related to the active defense method.

The installation device 13 is used for installing the housing application.

After the shell application is completed, the installation device 13 is executed to directly install the shell application. After the installation is completed, the target application 15 has the active defense environment described above. When the user runs the target application 15, he will be directed to the running file The shell application with the same name can realize the active defense against the target application 15 once the shell application is running.

Since the application environment of the method of the present invention is a non-ROOT authorized environment, some permissions are limited. In this case, if the installed target application 15 is not uninstalled, an interface for uninstalling the target application 15 will pop up first to guide the user to uninstall. The target application 15 has been installed; then an interface for installing the shell application pops up to guide the customer to install the shell application. Of course, if the system has been authorized by ROOT, the method of the present invention can directly uninstall the old application and then install the shell application.

It needs to be further emphasized that the sub-steps of uninstalling the target application 15 mentioned above, as described in this step, can be processed later as needed, and the timing of the uninstallation does not affect the implementation of the method of the present invention.

The present invention constructs an active defense environment for application programs in the aforementioned method and device, and on this basis, from the perspective of program execution, it also provides an active defense method and an active defense device.

Please refer to Fig. 4, the active defense method of the present invention is a specific application of the active defense environment constructed in the aforementioned active defense configuration method, the method is based on the target application 15 constructed with the active defense environment configuration, and implements security protection for the target application 15 . With reference to Figure 7, the method includes the following steps:

S31. Run a corresponding shell application in response to an instruction to run the target application 35 .

Referring to the description of the aforementioned configuration method, it can be seen that after the shell application is installed, its file name is the same as that of the original target application 35, masquerading as the target application 35, and the user's operation on the target application 35 is actually guided by the desktop icon. The shortcut will be directed to run a pre-disguised shell application, and at this time, the user's click operation on the user interface constitutes an operation command to run the shell application. It should be noted that the instruction to run the target application 35 is not limited to being triggered by the user, but also includes, as mentioned above, a loading instruction executed by an application program, a timed task, or a function call through other known means. The shell application is a light application, which can be quickly loaded into the memory to run, and its startup process is transparent to the user.

The icon of the shell application is improved from the default icon of the target application 35, and the improvement is usually achieved by adding a picture to the default icon. Therefore, from the perspective of visual effects, it can also play a certain warning role.

Once the command to run the target application 35 is generated, the present invention responds, and the shell application is loaded into the JAVA virtual machine to run.

S32. A loading process of the shell application.

As described in the previous configuration method, in the shell application of the present invention, its code file Classes.dex is configured with a stub module nstub, through which the monitoring module can be loaded; its configuration file Androidmanifest.xml uses the principle of Java reflection call, to which Modify the configuration parameters of the target application 35 to make it suitable for loading the target application 35 stored in the specified directory. In addition, the runtime configuration parameters of the target application 35 are also adaptively modified to ensure that the target application 35 can run normally.

Therefore, referring to FIG. 5, after the shell application runs, as disclosed in step S321, the monitoring unit 34 is first invoked through the stub module, and the monitoring unit 34 obtains a hook corresponding to a specific event behavior from a background sandbox HOOK framework. A plug-in, using the hook plug-in to hook and monitor specific event behaviors of the target application 35 . The background sandbox HOOK framework is centrally managed in the cloud and distributed to each terminal. Among them, the main structure of the cloud is the Java hook plug-in library and the Native hook plug-in library. When the monitoring unit 34 needs to hook a specific event behavior, it sends a request to the background sandbox HOOK framework through the remote plug-in interface to obtain the HOOK function for the specific event behavior, that is, the hook plug-in, thereby establishing monitoring and capture of the specific event behavior. deal with.

Furthermore, as disclosed in step S322, the running shell application will further load the target application 35 located in the specified directory. As mentioned above, the invocation of the target application 35 is realized by using the well-known Java reflective invocation mechanism. The process of the shell application replaces the runtime configuration information involved in LoadApk and ActivityThread with the ClassLoader and resources of the installation package of the target application 35 in the specified directory by reflection, so as to realize the loading of the target application 35 .

As shown in step S323 , when the target application 35 is loaded, it has been monitored by the monitoring unit 34 using the hook plug-in. Therefore, all event behaviors of the target application 35 are within the monitoring range of the monitoring unit 34 . The installation package located in the target application 35 is complete and unmodified. Therefore, after the target application 35 is loaded by the shell application, it can run completely legally and normally, and realize all the functions that the target application 35 can originally realize.

Because the loading of the monitoring unit 34 and the target application 35 are all driven by the shell application process, they are also part of the shell application process, and the monitoring unit 34 is loaded earlier than the target application 35. Therefore, the monitoring unit 34 in operation has established a pair of The target application 35 monitors all event behaviors. Any event behavior generated during the running of the target application 35 will be captured by the monitoring unit 34 and processed accordingly.

S33. A processing process after the event behavior is captured.

Please refer to FIG. 6, step S331 shows that the specific event behavior generated by the target application 35 is captured by the monitoring unit 34, in essence, when a specific event behavior is triggered, the generated event message is captured by the corresponding hook plug-in (hook function) in the monitoring unit 34. captured. By capturing the event message, the intent of the event can be known, and subsequent processing can be performed.

Step S332 shows that to process a specific event behavior, it is necessary to obtain an event behavior processing policy. In this sub-step, the human-computer interaction function can be further implemented with the help of system services. In order to realize the human-computer interaction effect, the present invention pre-registers an interaction module as a system service, and the shell application can communicate with the interaction module through its interaction interface, thereby realizing the acquisition of user instructions or preset instructions by the shell application.

The acquisition methods of the event behavior strategy are very flexible and diverse. The following are several strategies selected by the present invention or used in any combination:

(1) After the monitoring unit 34 captures a specific event behavior, it sends a request to the interaction module through the built-in interaction interface of the shell application, and the interaction module inquires the user processing strategy from the user interface pop-up window, as shown in Figure 11 and Figure 12 The pop-up window interface can directly inform the user about the content and risks of the event behavior, and the user can choose the corresponding option as a processing strategy. After the user selects the corresponding option and confirms it, the interaction module obtains the processing strategy for the specific event behavior, and feeds it back to the monitoring unit 34, and the monitoring unit 34 can respond to the corresponding event behavior of the target application 35 according to the processing strategy generated by the user instruction. Proceed to the next step.

(2) When certain event behaviors that have been recognized as relatively low risk occur, such as the read-only operation behavior on contacts, or when the user sets the processing strategy for the invention to search for a specific event behavior by itself , the present invention utilizes a local policy database to retrieve corresponding processing policies for specific event behaviors. For example, as shown in FIG. 10 , the default processing policy for all event behaviors of an application can be given in the form of a form. That is to say, in the local policy database, the association between a specific event behavior and the corresponding processing strategy is established, and the record data of the corresponding relationship between various event behaviors and corresponding processing strategies is stored, which can be retrieved by the present invention use. After the present invention obtains the corresponding processing strategy from the local policy database, the next step of processing the corresponding event behavior can be performed.

(3) If the user sets the option of remote acquisition processing policy for the present invention, or by default, the specific policy of specific event behavior can be obtained remotely when the local policy database cannot retrieve it, or through the interaction in the aforementioned case (1) The user’s response to the pop-up window cannot be obtained within the specified time limit. In such cases, the shell application can send a request to the pre-architected cloud through its built-in remote policy interface to obtain the corresponding processing corresponding to the specific event behavior strategy and used for subsequent processing.

It should be pointed out that the above three ways of obtaining processing strategies can be used in cross-coordination. For example, once the interaction module receives the characteristics of the event message transmitted by the monitoring unit 34, it can follow the default setting and refer to the method (2). Search the local policy database in advance to obtain the processing policy recommended by the system (if it cannot be obtained from the local policy database, it can even be further obtained from the cloud policy database according to (3) method). Then, referring to method (1), set the processing strategy recommended by the system as the default option on the pop-up window interface. If the user does not confirm the default option within the specified time limit, the subsequent instructions will be executed based on the processing strategy recommended by the system; if the user changes it to a new default option, the processing strategy set by the user will be returned to the monitoring unit 34 . It can be seen that the human-computer interaction process can be realized more flexibly and freely.

The local policy database may be a copy of the cloud policy database. Therefore, in the present invention, an updating step is set for downloading the cloud policy database for updating the local policy database.

In general, the policy for a specific event behavior can be set to three common options of "deny", "run", and "ask", and the specific intentions represented by it are:

Rejection: for the specific event behavior, send a false message that the event behavior has been executed to the target application 35, so as to prohibit the actual occurrence of the event behavior;

Running: no change is made to the specific event behavior, and the corresponding event message is directly forwarded to the system message mechanism, allowing the target application 35 to continue its event behavior;

Inquiry: Independently or attached to any of the above two options, for the specific event behavior, mark its status as an unknown state, and when the behavior occurs repeatedly in the future, it is necessary to pop up a window to ask the user again.

In practical applications, the option "ask" can be ignored, and only need to consider whether to reject or allow the current event behavior to occur.

The described event behaviors are various, including the following major types:

(1) Operations related to terminal and networking:

Obtaining operator information: the target application 35 can obtain the IMSI of the mobile terminal, for example, through the getSimOperatorName() function, thereby further determining the name of the operator, and further sending an agreed command to the operator to achieve illegal purposes such as deduction. The monitoring platform can capture the event behavior by hooking the related messages.

APN switching operation: similarly, the target application 35 realizes the operation of ANP switching control through functions related to APN switching, and can also be monitored by the monitoring unit 34 by calling the corresponding hook plug-in.

Similar operations also include the operation of obtaining the mobile phone identification code IME, which is also the same as above.

(2) Notification bar advertisement operation: Notification bar advertisement is the method most likely to be used by malicious programs. The monitoring unit 34 can monitor the event message generated by the notify function by calling the corresponding hook plug-in, and can also monitor it.

(3) Communication operation:

For example, the call operation can monitor the event behavior of the call through the StartActivity() function, and use the corresponding hook plug-in to establish event behavior monitoring for the call operation.

SMS operation corresponds to functions such as SendTextMessage(). Similarly, event behavior monitoring can be established for such functions with the help of hook plug-ins.

Contact operation: generally corresponds to the Query() and Insert() functions, and the monitoring unit 34 can use the hook plug-in to hook such functions to realize the monitoring and capturing of such event behaviors.

(4) Command operation:

The Execve() function is required for the SU privilege escalation operation or command execution operation, and the monitoring unit 34 can monitor the behavior of such events by monitoring the return message of this function.

(5) Interface and access operations:

For example, the event behavior of creating a shortcut corresponds to the SentBroacast() function. Similarly, for the operation of hiding the program icon, it can also be monitored corresponding to a specific function.

Such as HTTP network access operations, corresponding to Sentto (), Write () and other functions.

(6) Program operation:

For example, an application loading operation refers to an operation in which the current target application 35 loads a related application. By hooking and monitoring functions such as dexclassloader() and loadlibrary(), such event behaviors can be captured.

Another example is installing a subpackage, which corresponds to the StartActivity() function.

(7) Other dangerous operations:

For example, child process intrusion operation, derivative operation, activate device manager operation, etc., correspond to respectively.

Wherein, the sub-process refers to the sub-process established by the target application 35. When the target application 35 creates a sub-process, the monitoring unit 34 will receive a corresponding message and determine the event behavior of creating the sub-process. Thus, the monitoring unit 34 further embeds the monitoring unit 34 in the sub-process in the form of an inline hook, so that the event behavior of the sub-process can be continuously monitored subsequently. Therefore, whether it is the target application 35's own process or its created sub-processes, the event behaviors triggered directly or indirectly by them can be monitored by the monitoring unit 34 of the present invention, so that the active defense effect is better.

The derivative refers to a file created by the target application 35 itself, or a file downloaded remotely, and usually refers to a sensitive derivative, such as an installation package. This event can be captured by hooking the fclose() function. It should be pointed out that after the monitoring unit 34 captures the event behavior, it can further use the remote rule base interface to send a request to the cloud according to the aforementioned method, and the cloud can use its black, white, and gray security level behavior rules to judge the derivative. After obtaining the cloud judgment result through the remote rule library interface, the present invention further pops up a window to ask the user whether to establish an active defense against the sensitive derivative, thereby further consolidating the effect of active defense.

The above-mentioned event behaviors are only used for excerpts, and should not be construed as limitations on the event behaviors monitored by the present invention.

Step S333 shows that according to the above-mentioned processing strategy and the above-mentioned description about event behavior, the active defense method of the present invention can handle various event behaviors accordingly. Further enumerate several typical application examples:

(1) The application of fine interception to the target application 35:

After some malicious programs are installed, they are in normal use for a long period of time, paralyzing the user's security awareness. However, after running for a long time, the target application 35 attempts to insert a short message from the background to attract the attention of the user, thereby achieving the effect of advertisement and fraud. Referring to Fig. 12, after the active defense mechanism is established for the target application 35, the present invention, as described above, monitors the SMS operation function through the corresponding hook plug-in in the monitoring unit 34. Once the target application 35 generates an event behavior of SMS operation, it will This event behavior can be captured, and then the monitoring unit 34 notifies the interactive module running as a system service through its interactive interface, and the interactive module pops up a warning to the user interface. After the user clicks the processing strategy of "reject", it is fed back to the monitoring unit 34, and the corresponding hook plug-in can prevent the actual occurrence of the event behavior and achieve the purpose of preventing risks.

(2) An application that releases malicious files to the target application 35 .

The target application 35 is a game software, which downloads and releases a malicious subpackage by checking for updates, and calls a system function to install the subpackage. After the present invention establishes an active defense for the target application 35, it can monitor the event behavior generated by the target application 35 after it finishes downloading the file, and an alarm will be popped up through the interactive module accordingly. After the user instruction is rejected, the corresponding hook plug-in in the monitoring unit 34 can directly delete the file, or simply reject the installation of the file.

In the present invention, such malicious subpackages are regarded as sensitive derivatives, and whether the derivatives are maliciously judged refers to the method of determining the security level described in the aforementioned defense configuration method for remote judgment. Specifically, when a derivative is detected, the corresponding file or characteristic information such as its signature is sent to the cloud through the remote rule base interface, and its security level is obtained from the cloud. In the pop-up window, the user is suggested to refuse the installation; if it is a white application, it can be allowed to pass. In this way, security defense against sensitive derivatives can be achieved. If the cloud cannot detect the relevant records of the derivative, you can request this method to upload the file for it, and the cloud will mark it as an unknown application, and correspondingly, mark it as a gray application for future use.

(3) The application of sub-process intrusion.

The monitored target application 35 creates sub-processes during running, and the sub-processes further release malicious event behaviors. When the monitoring unit 34 monitors that the target application 35 creates a sub-process, it obtains the entry of the sub-process, and then implants the monitoring unit 34 of the present invention into the sub-process, and all HOOK plug-ins (hook plug-ins) will be loaded into The child process is initialized to implement the hook, so as to establish the monitoring of the event behavior of the child process. From this, it can be seen that no matter the event behavior directly triggered by the process of the target application 35 or the indirect event behavior triggered by the child process created by the process of the target application 35 can be successfully monitored by the monitoring unit 34 .

The realization and application of the active defense method of the present invention have been described in detail through the three key steps of S31, S32, and S33 above. It can be seen that the active defense technology working with this method has sufficient feasibility.

Further, adapting to the above-mentioned active defense method, the present invention further provides an active defense device, both of which naturally have a strict correspondence, and the specific disclosure of the device is as follows:

The active defense device of the present invention includes a starting module 31, a security module 32 and a processing module 33, and the specific functions and realizations of each module are as follows:

The startup module 31 is configured to run a corresponding shell application in response to an instruction to run the target application 35 .

Referring to the description of the aforementioned configuration method, it can be seen that after the shell application is installed, its file name is the same as that of the original target application 35, masquerading as the target application 35, and the user's operation on the target application 35 is actually guided by the desktop icon. The shortcut will be directed to run a pre-disguised shell application, and at this time, the user's click operation on the user interface constitutes an operation command to run the shell application. It should be noted that the instruction to run the target application 35 is not limited to being triggered by the user, but also includes, as mentioned above, a loading instruction executed by an application program, a timed task, or a function call through other known means. The shell application is a light application, which can be quickly loaded into the memory to run, and its startup process is transparent to the user.

The icon of the shell application is improved from the default icon of the target application 35, and the improvement is usually achieved by adding a picture to the default icon. Therefore, from the perspective of visual effects, it can also play a certain warning role.

Once the command to run the target application 35 is generated, the present invention responds, and the shell application is loaded into the JAVA virtual machine to run.

The security module 32 mainly implements the loading process of the shell application. The shell application loads the monitoring unit 34 and the target application 35 successively, and the monitoring unit 34 monitors the event behavior of the target application 35 .

In the application of the shell of the present invention, its code file Classes.dex is configured with a pile module nstub, and the monitoring module can be loaded by the pile module; its configuration file Androidmanifest.xml uses the Java reflection calling principle to modify the configuration parameters therein so that it It is suitable for loading the target application 35 stored in the specified directory. In addition, the runtime configuration parameters of the target application 35 are also adaptively modified to ensure that the target application 35 can run normally.

Therefore, after the shell application runs, the monitoring unit 34 is first invoked through the stub module, and the monitoring unit 34 obtains a hook plug-in corresponding to a specific event behavior from a background sandbox HOOK framework, and uses the hook plug-in to hook and monitor the target application 35 specific event behavior. The background sandbox HOOK framework is centrally managed in the cloud and distributed to each terminal. Among them, the main structure of the cloud is the Java hook plug-in library and the Native hook plug-in library. When the monitoring unit 34 needs to hook a specific event behavior, it sends a request to the background sandbox HOOK framework through the remote plug-in interface to obtain the HOOK function for the specific event behavior, that is, the hook plug-in, thereby establishing monitoring and capture of the specific event behavior. deal with.

Furthermore, the running shell application will further load the target application 35 located in the specified directory. As mentioned above, the invocation of the target application 35 is realized by using the well-known Java reflective invocation mechanism. A configuration module is constructed in the security module 32, which uses reflection to replace the runtime configuration information involved in LoadApk and ActivityThread with the ClassLoader and resources of the target application 35 installation package in the specified directory by the process of the shell application, thereby realizing the loading of the target application 35 . When the target application 35 is loaded, it has already been monitored by the monitoring unit 34 using a hook plug-in. Therefore, all event behaviors of the target application 35 are within the monitoring range of the monitoring unit 34 . The installation package located in the target application 35 is complete and unmodified. Therefore, after the target application 35 is loaded by the shell application, it can run completely legally and normally, and realize all the functions that the target application 35 can originally realize.

Because the loading of the monitoring unit 34 and the target application 35 are all driven by the shell application process, they are also part of the shell application process, and the monitoring unit 34 is loaded earlier than the target application 35. Therefore, the monitoring unit 34 in operation has established a pair of The target application 35 monitors all event behaviors. Any event behavior generated during the running of the target application 35 will be captured by the monitoring unit 34 and processed accordingly.

The processing module 33 is configured to execute the processing after capturing the event behavior.

The specific event behavior generated by the target application 35 is captured by the monitoring unit 34 , in essence, when the specific event behavior is triggered, the generated event message is captured by the corresponding hook plug-in (hook function) in the monitoring unit 34 . By capturing the event message, the intent of the event can be known, and subsequent processing can be performed.

To process a specific event behavior, it is necessary to obtain an event behavior processing strategy. In this sub-step, the human-computer interaction function can be further implemented with the help of system services. In order to realize the human-computer interaction effect, the present invention pre-registers an interaction module as a system service, and the shell application can communicate with the interaction module through its interaction interface, thereby realizing the acquisition of user instructions or preset instructions by the shell application.

As mentioned above, the acquisition mode of the event behavior strategy is very flexible and diverse, and is executed by constructing a strategy generating device. The following lists several strategies for the present invention to choose one or use in any combination:

(1) After the monitoring unit 34 captures a specific event behavior, it sends a request to the interaction module through the built-in interaction interface of the shell application, and the interaction module inquires the user's processing strategy from the pop-up window of the user interface, and the pop-up window interface can directly inform The content and risk of the user's event behavior, the user selects the corresponding option as a processing strategy. After the user selects the corresponding option and confirms it, the interaction module obtains the processing strategy for the specific event behavior, and feeds it back to the monitoring unit 34, and the monitoring unit 34 can respond to the corresponding event behavior of the target application 35 according to the processing strategy generated by the user instruction. Proceed to the next step.

(2) When certain event behaviors that have been recognized as relatively low risk occur, such as the read-only operation behavior on contacts, or when the user sets the processing strategy for the invention to search for a specific event behavior by itself , the present invention utilizes a local policy database to retrieve corresponding processing policies for specific event behaviors. That is to say, in the local policy database, the association between the specific event behavior and the corresponding processing strategy is established, and the record data of the corresponding relationship between various event behaviors and corresponding processing strategies is stored, which can be retrieved by the present invention use. After the present invention obtains the corresponding processing strategy from the local policy database, the next step of processing the corresponding event behavior can be performed.

(3) If the user sets the option of remote acquisition processing policy for the present invention, or by default, the specific policy of specific event behavior can be obtained remotely when the local policy database cannot retrieve it, or through the interaction in the aforementioned case (1) If the user fails to respond to the pop-up window within the specified time limit, the shell application can send a request to the pre-architected cloud through its built-in remote policy interface to obtain the corresponding processing corresponding to the specific event behavior strategy and used for subsequent processing.

It should be pointed out that the above three ways of obtaining processing strategies can be used in cross-coordination. For example, once the interaction module receives the characteristics of the event message transmitted by the monitoring unit 34, it can follow the default setting and refer to the method (2). Search the local policy database in advance to obtain the processing policy recommended by the system (if it cannot be obtained from the local policy database, it can even be further obtained from the cloud policy database according to (3) method). Then, referring to method (1), set the processing strategy recommended by the system as the default option on the pop-up window interface. If the user does not confirm the default option within the specified time limit, the subsequent instructions will be executed based on the processing strategy recommended by the system; if the user changes it to a new default option, the processing strategy set by the user will be returned to the monitoring unit 34 . It can be seen that the human-computer interaction process can be realized more flexibly and freely.

The local policy database may be a copy of the cloud policy database. Therefore, in the present invention, an updating step is set for downloading the cloud policy database for updating the local policy database.

In general, the policy for a specific event behavior can be set to three common options of "deny", "run", and "ask", and the specific intentions represented by it are:

Rejection: for the specific event behavior, send a false message that the event behavior has been executed to the target application 35, so as to prohibit the actual occurrence of the event behavior;

Running: no change is made to the specific event behavior, and the corresponding event message is directly forwarded to the system message mechanism, allowing the target application 35 to continue its event behavior;

Inquiry: Independently or attached to any of the above two options, for the specific event behavior, mark its status as an unknown state, and when the behavior occurs repeatedly in the future, it is necessary to pop up a window to ask the user again.

In practical applications, the option "ask" can be ignored, and only need to consider whether to reject or allow the current event behavior to occur.

The described event behaviors are various, including the following major types:

(1) Operations related to terminal and networking:

Obtaining operator information: the target application 35 can obtain the IMSI of the mobile terminal, for example, through the getSimOperatorName() function, thereby further determining the name of the operator, and further sending an agreed command to the operator to achieve illegal purposes such as deduction. The monitoring platform can capture the event behavior by hooking the related messages.

APN switching operation: similarly, the target application 35 realizes the operation of ANP switching control through functions related to APN switching, and can also be monitored by the monitoring unit 34 by calling the corresponding hook plug-in.

Similar operations also include the operation of obtaining the mobile phone identification code IME, which is also the same as above.

(2) Notification bar advertisement operation: Notification bar advertisement is the method most likely to be used by malicious programs. The monitoring unit 34 can monitor the event message generated by the notify function by calling the corresponding hook plug-in, and can also monitor it.

(3) Communication operation:

For example, the call operation can monitor the event behavior of the call through the StartActivity() function, and use the corresponding hook plug-in to establish event behavior monitoring for the call operation.

SMS operation corresponds to functions such as SendTextMessage(). Similarly, event behavior monitoring can be established for such functions with the help of hook plug-ins.

Contact operation: generally corresponds to the Query() and Insert() functions, and the monitoring unit 34 can use the hook plug-in to hook such functions to realize the monitoring and capturing of such event behaviors.

(4) Command operation:

The Execve() function is required for the SU privilege escalation operation or command execution operation, and the monitoring unit 34 can monitor the behavior of such events by monitoring the return message of this function.

(5) Interface and access operations:

For example, the event behavior of creating a shortcut corresponds to the SentBroacast() function. Similarly, for the operation of hiding the program icon, it can also be monitored corresponding to a specific function.

Such as HTTP network access operations, corresponding to Sentto (), Write () and other functions.

(6) Program operation:

For example, an application loading operation refers to an operation in which the current target application 35 loads a related application. By hooking and monitoring functions such as dexclassloader() and loadlibrary(), such event behaviors can be captured.

Another example is installing a subpackage, which corresponds to the StartActivity() function.

(7) Other dangerous operations:

For example, child process intrusion operation, derivative operation, activate device manager operation, etc., correspond to respectively.

Wherein, the sub-process refers to the sub-process established by the target application 35. When the target application 35 creates a sub-process, the monitoring unit 34 will receive a corresponding message and determine the event behavior of creating the sub-process. Thus, the monitoring unit 34 further embeds the monitoring unit 34 in the sub-process in the form of an inline hook, so that the event behavior of the sub-process can be continuously monitored subsequently. Therefore, whether it is the target application 35's own process or its created sub-processes, the event behaviors triggered directly or indirectly by them can be monitored by the monitoring unit 34 of the present invention, so that the active defense effect is better.

The derivative refers to a file created by the target application 35 itself, or a file downloaded remotely, and usually refers to a sensitive derivative, such as an installation package. This event can be captured by hooking the fclose() function. It should be pointed out that after the monitoring unit 34 captures the event behavior, it can further use the remote rule base interface to send a request to the cloud according to the aforementioned method, and the cloud can use its black, white, and gray security level behavior rules to judge the derivative. After obtaining the cloud judgment result through the remote rule library interface, the present invention further pops up a window to ask the user whether to establish an active defense against the sensitive derivative, thereby further consolidating the effect of active defense.

The above-mentioned event behaviors are only used for excerpts, and should not be construed as limitations on the event behaviors monitored by the present invention.

According to the above-mentioned processing strategies and the above-mentioned explanations about event behaviors, the active defense method of the present invention can handle various event behaviors accordingly. Several typical application examples are listed below:

(1) Application of fine interception to the target application 35:

After some malicious programs are installed, they are in normal use for a long period of time, paralyzing the user's security awareness. However, after running for a long time, the target application 35 attempts to insert a short message from the background to attract the user's attention, thereby achieving the effect of advertising and fraud. After the active defense mechanism is established for the target application 35, as mentioned above, the present invention monitors the SMS operation function through the corresponding hook plug-in in the monitoring unit 34. Once the target application 35 generates an event behavior of SMS operation, it can capture this The event behavior, and then, the monitoring unit 34 notifies the interactive module running as a system service through its interactive interface, and the interactive module pops up a warning to the user interface. After the user clicks the processing strategy of "deny", it is fed back to the monitoring unit 34, and the corresponding hook plug-in can prevent the actual occurrence of the event behavior and achieve the purpose of preventing risks.

(2) An application that releases malicious files to the target application 35 .

The target application 35 is a game software, which downloads and releases a malicious subpackage by checking for updates, and calls a system function to install the subpackage. After the present invention establishes an active defense for the target application 35, it can monitor the event behavior generated by the target application 35 after it finishes downloading the file, and an alarm will be popped up through the interactive module accordingly. After the user instruction is rejected, the corresponding hook plug-in in the monitoring unit 34 can directly delete the file, or simply reject the installation of the file.

In the present invention, such malicious subpackages are regarded as sensitive derivatives, and whether the derivatives are maliciously judged refers to the method of determining the security level described in the aforementioned defense configuration method for remote judgment. Specifically, when a derivative is detected, the corresponding file or characteristic information such as its signature is sent to the cloud through the remote rule base interface, and its security level is obtained from the cloud. In the pop-up window, the user is suggested to refuse the installation; if it is a white application, it can be allowed to pass. In this way, security defense against sensitive derivatives can be achieved. If the cloud cannot detect the relevant records of the derivative, you can request this method to upload the file for it, and the cloud will mark it as an unknown application, and correspondingly, mark it as a gray application for future use.

(3) The application of sub-process intrusion.

The monitored target application 35 creates sub-processes during running, and the sub-processes further release malicious event behaviors. When the monitoring unit 34 monitors that the target application 35 creates a sub-process, it obtains the entry of the sub-process, and then implants the monitoring unit 34 of the present invention into the sub-process, and all HOOK plug-ins (hook plug-ins) will be loaded into The child process is initialized to implement the hook, so as to establish the monitoring of the event behavior of the child process. From this, it can be seen that no matter the event behavior directly triggered by the process of the target application 35 or the indirect event behavior triggered by the child process created by the process of the target application 35 can be successfully monitored by the monitoring unit 34 .

It can be seen from the above analysis that the active defense device of the present invention, corresponding to the active defense method, has high efficiency and feasibility.

In order to facilitate those skilled in the art to further realize the present invention, the following further discloses how the cloud server and the terminal device cooperate with each other to realize the relevant content of judging the security level of the installation package:

As mentioned above, the feature information sent by the client to the cloud server through the remote rule base interface includes: the package name of the Android installation package, and/or, the version number, and/or, the digital signature, and/or, the Android component The characteristics of the receiver, and/or, the characteristics of the Android component service, and/or, the characteristics of the Android component activity, and/or, the instructions or strings in the executable file, and/or, the characteristics of each file in the Android installation package directory MD5 value (signature).

The client that realizes the method or device of the present invention uploads the specified feature information to the server (cloud), and searches for a feature record that matches the specified single feature information or its combination in the rule library preset by the server; wherein, The rule library preset by the server includes feature records and security levels corresponding to the feature records, and each feature record includes a single feature information or a combination of feature information;

Thousands of feature records are preset in the server-side rule base. Among them, the first feature record lists the Android installation package name of a certain virus, and the second feature record lists the Android installation package name of a normal application. The version number of the installation package and the MD5 value of its digital signature, the third feature record lists the Android installation package name of a normal application and its receiver features, and the fourth feature record lists a certain Trojan Android Install the package name, version number and specific strings in its ELF file, etc.

Regarding the identification of the security level, that is, three identifications of black, white (safe) or gray (unknown, suspicious), it can be further expressed as:

Security: The application is a normal application, without any behavior that threatens the security of the user's mobile phone;

Dangerous: This application has security risks. It is possible that the application itself is malicious software; it is also possible that the application is originally a normal software released by a regular company, but because of security holes, the user's privacy and mobile phone security are threatened;

Cautious: The app is a normal app, but there are some problems, such as users being charged accidentally, or complaints about unfriendly advertisements, etc.; when such an app is found, the user will be prompted to use it with caution and inform possible behavior of the app, but it is at the user's discretion whether to clear the app;

Trojan horse: The application is a virus, Trojan horse or other malicious software, which is collectively referred to as a Trojan horse here for simplicity, but it does not mean that the application is just a Trojan horse.

It should be understood that the cooperation between the cloud and the client can be improved by further expansion, transformation, addition and deletion by those skilled in the art according to the content disclosed in the present invention. Accordingly, the above disclosure should not be construed as limiting the method and apparatus for implementing the present invention.

After testing, the present invention has wider range of application and application effect relative to the prior art, as follows:

Since the present invention has made the HOOK framework into a service platform, and configures the monitoring unit 34 for the terminal in the form of a hook plug-in, its loading only needs to depend on the corresponding configuration file, and the management is efficient and easy to implement. For technicians, Some simple function calls only need to write the configuration file to realize the configuration of the hook plug-in, HOOK is reentrant and has high concurrency performance.

The shell application is used to load the monitoring unit 34 and the target application 35 successively, and then monitor the event behavior of the target application 35 by means of the monitoring unit 34, which can realize the hooking of Java functions and Native functions.

The present invention is not only applicable to the Dalvik mode, but also to the ART mode. There is no difference between the two in terms of functional performance, and the user does not need to adapt to different modes to write different codes, which simplifies the development work (test Android version numbers 4.4.2, 4.4 in a small range .3, 4.4.4).

After actual measurement, the following data are provided to prove the superiority of the examples of the present invention:

(1) In the development example of the present invention, on 16 mobile phones, 107 mainstream application software (such as QQ, WeChat, Weibo, mobile phone guard, payment class, multiple group buying apps, each video player software, etc.) have been stabilized Depth test, all can run normally.

(2) The development example of the present invention, test covers mobile phone Android operating system version number from 2.3 to 4.4.3. Models include nexus4/5, 7, Samsung, Xiaomi, Huawei, Lenovo, Sony, HTC and some counterfeit mobile phones, all of which achieved relatively excellent performance.

(3) The development examples of the present invention support reinforcement applications, such as support for 360 reinforcement, NetQin reinforcement, Tencent reinforcement, Bangbang and love encryption, APKProtect, etc. For the reinforcement applications provided by the above manufacturers, the test shows that the present invention Instances are running normally.

(4) The test result of the development example of the present invention shows that the success rate of generating the shell package at the mobile terminal is 99.7% (the base is 100W).

To sum up, the active defense technology provided by the present invention is safer and more efficient.

The above descriptions are only part of the embodiments of the present invention. It should be pointed out that those skilled in the art can make some improvements and modifications without departing from the principles of the present invention. It should be regarded as the protection scope of the present invention.

Claims (16)

1. A kind of active defense method, it is characterized in that, it comprises the steps: Responding to an instruction to run a target application, run a corresponding shell application; Use the shell application to load the monitoring unit and the target application successively, and the monitoring unit calls the hook plug-in corresponding to the specific event behavior obtained from the remote plug-in interface, hooks the event behavior triggered by the target application process at runtime, and When the monitoring unit monitors the event behavior of the target application process releasing the sub-process, it injects the monitoring unit into the sub-process of the target application in the form of an inline hook, so as to monitor the event behavior of the target application and the sub-process it creates capture; After the specific event behavior is captured, an event behavior processing strategy is obtained, and the specific event behavior is processed according to the processing strategy. 2. The active defense method according to claim 1, characterized in that it comprises the following pre-step: providing a shortcut in the graphical user interface for obtaining instructions for running the target application, and the icon of the shortcut is defaulted by the target application The icon has been modified. 3. The active defense method according to claim 1, wherein the event behavior monitored by the monitoring module includes any one or more of the following behavior types: obtaining operator information, APN operation, notification bar advertisement operation, Obtain mobile phone identification code operations, create shortcuts, call operations, insert or delete text messages, insert or delete contacts, URL access operations, sub-process intrusion operations, application loading operations, command operations, derivative operations, activate devices Manager action. 4. The active defense method according to claim 1, wherein when the monitoring module detects that the target application triggers an event behavior that generates a derivative, it acquires a processing rule for the derivative through a remote rule base interface and processes the derivative. derivative. 5. The active defense method according to claim 1, characterized in that the method comprises the step of registering a preset interactive module as a system service, and the shell application communicates with the interactive module through its built-in interactive interface, by means of which The interaction module realizes human-computer interaction to the pop-up window of the user interface. 6. The active defense method according to claim 1, wherein the shell application dynamically loads the target application by way of JAVA reflection call. 7. The active defense method according to claim 1, characterized in that, after the event behavior is captured, the processing strategy for the event behavior is obtained in at least one of the following arbitrary ways: Alerting the user interface with a pop-up window, receiving user instructions to obtain the processing strategy; Retrieving the corresponding processing policy from the local policy database; Send a request to the cloud through the remote policy interface and obtain the corresponding feedback processing policy. 8. The active defense method according to any one of claims 1 to 7, further comprising the steps of: downloading the cloud policy database and updating the local policy database, the local policy database is used to provide information corresponding to specific target applications The processing strategy for specific event behavior. 9. An active defense device, characterized in that it comprises: A startup module, configured to run a corresponding shell application in response to an instruction to run the target application; The security module, which uses the shell application to successively load the monitoring unit and the target application, and the monitoring unit invokes the hook plug-in corresponding to the specific event behavior obtained from the remote plug-in interface, and hooks the event triggered by the target application process at runtime Behavior, and when the monitoring unit monitors the event behavior of the target application process releasing the child process, inject the monitoring unit into the target application's child process in the form of an inline hook to monitor the event behavior of the target application and its created child processes capture; The processing module is configured to obtain an event behavior processing strategy after the specific event behavior is captured, and process the specific event behavior according to the processing strategy. 10. The active defense device according to claim 9, characterized in that it comprises: A shortcut, which is placed in the graphical user interface, is used to obtain the instruction for running the target application, and the icon of the shortcut is modified from the default icon of the target application. 11. The active defense device according to claim 9, wherein the event behavior monitored by the monitoring module includes any one or more of the following behavior types: obtaining operator information, APN operation, notification bar advertisement operation, Obtain mobile phone identification code operations, create shortcuts, call operations, insert or delete text messages, insert or delete contacts, URL access operations, sub-process intrusion operations, application loading operations, command operations, derivative operations, activate devices Manager action. 12. The active defense device according to claim 9, wherein when the monitoring module monitors that the target application triggers an event behavior that generates derivatives, it obtains the processing rules for the derivatives through the remote rule base interface and processes the derivatives. derivative. 13. The active defense device according to claim 9, characterized in that the device includes an interaction module, which is registered as a system service, and the shell application communicates with the interaction module through its built-in interaction interface, and communicates to the user with the help of the interaction module The interface pop-up window realizes human-computer interaction. 14. The active defense device according to claim 9, wherein the security module includes a configuration module, configured to dynamically load the target application through JAVA reflection calling. 15. The active defense device according to claim 9, wherein the processing strategy for event behavior is provided by one of the following strategy generation devices: It is used to alert the user interface with a pop-up window, and receive user instructions to obtain the processing strategy; Used to retrieve the corresponding processing policy from the local policy database; The processing strategy used to send requests to the cloud through the remote strategy interface and obtain corresponding feedback. 16. The active defense device according to any one of claims 9 to 15, further comprising: The update module is used to download the cloud policy database and update the local policy database, and the local policy database is used to retrieve the processing policy corresponding to the specific event behavior of the specific target application.