WO2013014033A1 - Method and device for detecting mobile phone virus - Google Patents

Method and device for detecting mobile phone virus

Info

Publication number
WO2013014033A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
data packets
virus
mobile phone
scanning
Prior art date
Application number
PCT/EP2012/064009
Other languages
French (fr)
Inventor
Dai Fei Guo
Tao Guo
Ai Fen Sui
Original Assignee
Siemens Aktiengesellschaft
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Definitions

  • The present invention relates to the field of information security, and in particular to a method and device for detecting a mobile phone virus.
  • MMS (Multimedia Messaging Service)
  • Some mobile phone viruses actively connect to certain malicious control servers deployed in the network, and the malicious control servers can provide a control command or preset an attack target for the downloaded viruses.
  • Some viruses transmit fraudulent SMS (Short Message Service) or
  • Some mobile phone viruses aim at secretly stealing user information or using the billing service, while the user does not know that his smart phone has been infected with the mobile phone virus.
  • Anti-virus software in smart phones: even if the user already knows that his smart phone works abnormally, it is still hard to install anti-virus software on the smart phone.
  • Some locations in the network, such as the Gn interface, the Gi interface, WAP gateways and the MMSC (WAP - Wireless Access Protocol, MMSC - Multimedia Messaging Service Center), so as to monitor the virus attack.
  • The network speed of the mobile interface is generally gigabit, and the conventional detection technology based on session recombination has to recombine the whole session and carry out virus scanning on it, so the high-traffic virus detection requirement cannot be met.
  • Snort is an open-source network-based intrusion detection system that can carry out real-time traffic analysis and packet logging over IP networks. Snort performs protocol analysis, content searching and content matching. Snort can further be used for detecting probes and attacks, including but not limited to operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes and port scanning.
  • The early versions of Snort only needed to carry out stateless protocol processing, scanning network traffic packet by packet according to attack feature information. However, the early versions of Snort cannot recombine a session or perform virus scanning.
  • The existing virus detection technology based on session recombination therefore cannot be adapted to high-traffic virus detection.
  • A method for detecting a mobile phone virus is proposed in the present invention, which can meet the detection requirement for mobile phone viruses under high traffic and can meet the high-speed processing requirement.
  • The present invention further provides a device for detecting a mobile phone virus. Therefore, a method for detecting a mobile phone virus is proposed according to one embodiment of the present invention, comprising:
  • The detection method in the embodiments of the present invention only detects the first M data packets of a session; when the first M data packets do not contain the suspected virus, the virus scanning need not be performed on the whole session, so the mobile phone virus detection speed is improved, the real-time detection requirement under high traffic can be met, and the high-speed processing requirement can also be met.
  • Carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: carrying out virus scanning on the first M data packets sequentially by using a pointer index, wherein the sequence runs from the first data packet of the session to the M-th data packet of the session.
  • The session recombination need not be performed in memory, and the virus scanning can be performed on the first M data packets of the session only by sequentially scanning the data packets of the session using a pointer.
  • Carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: carrying out virus scanning on the first M data packets by using a preprocessing virus library, wherein the preprocessing virus library is used for storing a fragmented mobile phone virus feature, with said fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets of the session.
  • The virus scanning can be performed on the first M data packets of the session by using the preprocessing virus library, so as to examine whether or not the first M data packets contain the suspected virus.
  • Before carrying out virus scanning on the first M data packets among the data packets obtained during the session, the method further comprises: examining the first data packet of the session among the data packets obtained during the session and judging whether or not the session is a file download session; if it is not, determining that the session does not contain any mobile phone viruses, and if it is, executing the step of carrying out virus scanning on the first M data packets among the data packets obtained during the session.
  • The virus scanning need not be performed on a non-file download session, as determined from the first data packet of the session, so that the virus detection processing is faster.
  • Before carrying out virus scanning on the first M data packets among the data packets obtained during the session, the method further comprises:
  • When the session belongs to the white list, the virus scanning will not be performed on the first M data packets of the session; only when the session does not belong to the white list will the virus scanning be performed on the first M data packets of the session, so that the virus scanning is faster.
  • Carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: obtaining and caching the data packets of the session; recombining the first M data packets of the session from said cached data packets of the session; and carrying out virus scanning on the recombined first M data packets of the session.
  • Accordingly, the virus scanning can be performed on the first M data packets of the session, so that the real-time and high-speed processing requirement can be met.
  • The method further comprises: when said first M data packets contain the suspected virus, carrying out virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses. Accordingly, only when the first M data packets contain the suspected virus is the virus scanning continued on the remaining data packets of the session.
  • An embodiment of the present invention further provides a device for detecting a mobile phone virus, said detection device comprising:
  • a preprocessing engine for carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of data packets of the session;
  • a virus analysis module for determining that the session does not contain any mobile phone viruses when said first M data packets do not contain the suspected virus according to the scanning result of said preprocessing engine.
  • Virus scanning need only be carried out on the first M data packets of the session, and when said first M data packets do not contain the suspected virus, the virus scanning need not be performed on the remaining data packets of the session. Therefore, the number of data packets which need to be scanned is greatly reduced, the performance of the detection device is greatly improved, and the high-speed processing requirement is met.
  • Said detection device further comprises: a preprocessing virus library used for storing a fragmented mobile phone virus feature, with said fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets of the session; and said preprocessing engine being specifically for carrying out virus scanning on the first M data packets among the data packets obtained during the session by using said preprocessing virus library.
  • The virus scanning can be performed on the first M data packets of the session by using the preprocessing virus library, accelerating the virus scanning and further improving the performance of the detection device.
  • Said preprocessing engine comprises a prejudgment module and a virus scanning module, wherein said prejudgment module is used for examining the first data packet of the session among the data packets obtained during the session and judging whether or not the session is a file download session; if it is not, informing said virus analysis module that the session is not a file download session, and if it is, instructing said virus scanning module to perform the virus scanning on the first M data packets among the data packets obtained during the session; and said virus analysis module is used for determining that the session does not contain any mobile phone viruses according to the information from said preprocessing engine.
  • The prejudgment module will not perform the virus scanning on a non-file download session, as determined by examining the first data packet of the session, accelerating the virus detection.
  • Said preprocessing engine comprises a mode examination module and a virus scanning module, wherein said mode examination module is used for performing mode examination on the first M data packets among the data packets obtained during the session and judging whether or not the session belongs to a session on a white list; if it does, informing said virus analysis module that the session belongs to a session on the white list, and if it does not, instructing said virus scanning module to perform the virus scanning on the first M data packets among the data packets obtained during the session; and said virus analysis module is used for determining that the session does not contain any mobile phone viruses according to the information from said preprocessing engine.
  • The mode examination module performs the mode examination on the first M data packets of the session, and when the session belongs to the white list, the virus scanning will not be performed on the first M data packets of the session, accelerating the virus scanning and further improving the performance of the detection device.
  • Said preprocessing engine comprises: a cache module for caching the data packets obtained during the session; a recombination module for recombining the first M data packets of the session from the data packets of the session cached by the cache module; and a virus scanning module for carrying out virus scanning on the first M data packets of the session recombined by the recombination module.
  • Said virus analysis module is further used for carrying out virus scanning on the remaining data packets of the session when said first M data packets contain the suspected virus according to the scanning result of said preprocessing engine, so as to judge whether or not the session contains any mobile phone viruses. Accordingly, when the first M data packets of the session contain the suspected virus, the virus scanning is continued on the remaining data packets of the session, so as to detect the mobile phone virus contained in the session.
  • Fig. 1 schematically illustrates an application scenario of the present invention.
  • Fig. 2a is a flowchart showing a method for detecting a mobile phone virus provided by one embodiment of the present invention.
  • Fig. 2b is a flowchart showing a method for detecting a mobile phone virus provided by another embodiment of the present invention.
  • Fig. 3 is a flowchart showing a method for detecting a mobile phone virus provided by particular embodiments of the present invention.
  • Fig. 4a shows a device for detecting a mobile phone virus provided by one embodiment of the present invention.
  • Fig. 4b shows a device for detecting a mobile phone virus provided by another embodiment of the present invention.
  • The detection method of the present invention can be applied to paths of communication with mobile terminals, such as the Gn interface or the Gi interface in a GPRS (General Packet Radio Service) network, or other paths through which mobile phone viruses pass.
  • The detection device using the detection method of the present invention can be deployed at the Gn interface, the Gi interface or other paths through which mobile phone viruses pass, so as to execute the detection method.
  • The detection method can be applied to the Gn interface, i.e.
  • Fig. 2a is a flowchart showing a method for detecting a mobile phone virus provided by the embodiments of the present invention, specifically comprising:
  • Step S201: carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of data packets of the session;
  • The data packets obtained during the session can specifically be the received data packets of the session or the captured data packets of the session.
  • When the data packets of the session arrive in order, the virus scanning can be directly performed on the first M data packets of the session; when the data packets of the session are disordered, the first M data packets of the session can be placed in memory for recombination, and the virus scanning is performed on the recombined first M data packets of the session.
  • When the data packets of the session are disordered, the recombination process needs a memory copy; in order to save memory space, improve the performance of the detection device and accelerate the virus detection, the zero copy technology can be used when the virus scanning is performed on the first M data packets of the session.
  • Said carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: carrying out virus scanning on the first M data packets sequentially by using a pointer index, wherein the sequence runs from the first data packet of the session to the M-th data packet of the session.
  • The data packets need not be copied into memory for recombination; the virus scanning is performed sequentially on the first M data packets of the session according to the sequence numbers of the data packets only by using a pointer, i.e. the scanning proceeds from the first data packet of the session to the M-th data packet of the session by using the pointer index.
  • This method is particularly suitable for the situation where the data packets obtained during the session are disordered, greatly saving memory space, improving the performance of the detection device and accelerating the virus detection.
  • Carrying out virus scanning on the first M data packets of the session can be done by using the virus library or by using the preprocessing virus library, so as to determine whether or not the first M data packets contain the suspected virus.
  • The virus library is used for storing a mobile phone virus feature for searching for the mobile phone virus contained in a session, and the preprocessing virus library is used for storing a fragmented mobile phone virus feature for searching for the mobile phone virus contained in the first M data packets of the session.
  • The mobile phone virus feature stored in the virus library can comprise the mobile phone virus location and the mobile phone virus code, for example, the XX-th byte corresponds to the XX-th code, so that when the virus scanning is performed, location and virus code matching is performed between the data packets of the session and the mobile phone virus feature stored in the virus library, so as to determine whether or not the suspected virus is contained.
  • That is, the data at a certain location of the session is matched with the virus code corresponding to that location in the virus library, so as to determine whether or not the data at this location is the suspected virus.
  • The fragmented mobile phone virus feature stored in the preprocessing virus library can be the location corresponding to the data packets of the fragmented session (for example, the first M data packets of the session) and the virus code corresponding to each location.
  • Correspondingly, the mobile phone virus feature stored in the virus library can be the location corresponding to the data packets of the whole session and the virus code corresponding to each location.
  • The location corresponding to the data packets can be, for example, the XX-th byte.
  • A specific virus library can be used as mentioned above, and other existing virus scanning means can of course also be used.
  • M can be adjusted as required, in particular according to a security policy and/or the configuration of the virus library used for scanning the first M data packets.
  • Step S202: judging whether or not the first M data packets contain the suspected virus; if they do, executing step S203, and if they do not, executing step S204;
  • Step S203: performing virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses;
  • Performing virus scanning on the remaining data packets of the session can specifically be: recombining the remaining data packets of the session and carrying out virus scanning on the recombined remaining data packets, so as to judge whether or not the session contains any mobile phone viruses.
  • The virus scanning can also be performed on the remaining data packets of the session by using the zero copy technology, that is to say, by using a pointer index sequentially.
  • As the first M data packets have already been scanned, the virus scanning need only be performed on the remaining data packets of the session in this step. Furthermore, the virus scanning can be performed by using the virus library, and other existing virus scanning means can of course also be used.
  • Step S204: determining that the session does not contain any mobile phone viruses.
  • When the first M data packets do not contain the suspected virus, the session is determined not to contain any mobile phone viruses, so that the virus scanning need not be performed on the remaining data packets of the session.
  • The method can further comprise: examining the first data packet of the session among the data packets obtained during the session and judging whether or not the session is a file download session; if it is, executing step S201, and if it is not, executing step S204. Accordingly, when the first data packet of the session shows that the session is not a file download session, it is directly determined that the session does not contain any mobile phone viruses, and the virus scanning need not be performed on the other data packets of the session, further improving the mobile phone virus detection speed and meeting the high-speed processing requirement.
  • The method can further comprise: performing mode examination on the first M data packets among the data packets obtained during the session and judging whether or not the session belongs to a session on a white list; if it does, directly executing step S204, and if it does not, executing step S201.
  • The mode examination is used to judge whether or not the session belongs to a session on the white list; for example, the domain name, the keyword, the data packet suffix and the like of the first M data packets of the session can be examined; certainly, other methods can also be used.
  • The first M data packets can also be recombined and the mode examination then performed on them, or the mode examination can be performed on the first M data packets directly by using the pointer index. Accordingly, by carrying out a primary examination on the first M data packets of the session, when the session is determined to belong to a session on the white list, the session can be directly determined not to contain any mobile phone viruses, further improving the mobile phone virus detection speed and meeting the high-speed processing requirement.
  • The two examinations performed before step S201 can be performed independently or simultaneously. When they are performed simultaneously, the first data packet of the session is examined first, and when the session is determined to be a file download session, the mode examination is then performed on the first M data packets of the session. Accordingly, by combining the two examinations, the mobile phone virus detection speed can be further accelerated and the detection accuracy can be improved.
  • Step S201 can specifically comprise: obtaining and caching the data packets of the session; recombining the first M data packets of the session from said cached data packets of the session; and carrying out virus scanning on the recombined first M data packets of the session. Accordingly, while the data packets of the session are being cached, the virus scanning can be performed on the first M data packets of the session, so that the real-time and high-speed processing requirement can be met.
  • Fig. 2b is a flowchart showing a method for detecting a mobile phone virus provided by another embodiment of the present invention, wherein before step S201 the method further comprises: step S201a, obtaining the data packets of the session; and step S201b, caching the data packets obtained during the session.
  • In step S201a, the data packets from a mobile phone, another mobile terminal or a network device, or the data packets transmitted to the mobile phone, the other mobile terminal or the network device, are obtained.
  • The network device can be an SGSN, a GGSN, etc.
  • Steps S201-S204 are performed after steps S201a and S201b. The detailed process of steps S201-S204 need not be repeated here.
  • Normally, the virus scanning can be directly performed on the cached first M data packets.
  • The network may not be so good; when the data packets obtained during the session are disordered, the recombination and the virus scanning are performed on the first M data packets only once the obtained data packets (i.e. the cached data packets) already include the first M data packets of the session.
  • For example, the M-th data packet of the session may only be obtained when the (M+K)-th data packet is obtained; therefore, only when the (M+K)-th data packet is obtained can the recombination and the virus scanning be performed on the first M data packets of the session.
  • The virus scanning can also be performed on the cached first M data packets of the session by using the pointer index sequentially, wherein the sequence runs from the first data packet of the session to the M-th data packet of the session.
  • Accordingly, the mobile phone virus detection can be performed on the data packets of the session while they are being cached, meeting the real-time processing requirement.
  • The following can also be included between step S201b and step S201: when the first data packet of the session is cached in step S201b, examining the first data packet and judging whether or not the session is a file download session; if it is, continuing to obtain and cache the data packets of the session and executing step S201, and if it is not, directly executing step S204.
  • The first data packet of the session can thus be examined in a timely manner, and when the first data packet shows that the session is not a file download session, the session can be directly determined not to contain any mobile phone viruses, further improving the mobile phone virus detection speed and meeting the real-time and high-speed processing requirement.
  • The following can also be included between step S201b and step S201: after the first M data packets of the session are cached in step S201b, performing the mode examination on the first M data packets of the session among the cached data packets and judging whether or not the session belongs to a session on the white list; if it does, directly executing step S204, and if it does not, continuing to obtain and cache the data packets of the session and executing step S201. Accordingly, during the caching process, the mode examination is performed in a timely manner on the first M data packets of the session, further improving the mobile phone virus detection speed and meeting the real-time and high-speed processing requirement.
  • The method described in the above method embodiments can be executed by the detection device or the network device deployed on the path through which the mobile phone virus passes, so as to detect the mobile phone virus.
  • Fig. 3 is a flowchart showing a method for detecting a mobile phone virus provided by particular embodiments of the present invention, specifically comprising:
  • Step S301: receiving the data packets of the session from the GTP (GPRS Tunnel Protocol) data;
  • Step S302: caching the data packets of the session, and when the first data packet of the session is cached, examining the first data packet and judging whether or not the session is a file download session; if it is, executing step S303, and if it is not, executing step S307;
  • Judging whether or not the session is a file download session can be done according to the session identifier, the session protocol and the like carried in the first data packet. If it is not a file download session, the session surely does not contain any mobile phone virus files, so the session is directly determined to be a normal session and the virus detection is not performed. Step S303: continuing to cache the data packets of the session;
  • Step S304: performing the mode examination on the first M data packets of the session among the cached data packets and judging whether or not the session belongs to a session on the white list; if it does, executing step S307, and if it does not, executing step S305;
  • M is greater than or equal to 1 and smaller than N, and N is the total number of data packets of the session;
  • Step S305: carrying out virus scanning on the first M data packets of the session among the cached data packets and judging whether or not the first M data packets of the session contain the suspected virus; if they do, executing step S306, and if they do not, executing step S307.
  • For carrying out virus scanning on the first M data packets of the session, reference can be made to the description of step S201, which need not be repeated here.
  • Step S306: carrying out virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses. Step S307: stopping the virus detection.
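The Fig. 3 flow (first-packet prejudgment, whitelist mode examination, scan of the first M packets against a fragmented byte-offset feature library, full scan only when the prefix is suspected) as an added Python simulation; it is not part of the patent or of any Siemens implementation. The HTTP GET heuristic for "file download session", the signature bytes, the whitelist entries and the sample packets are all constructed assumptions, and the pointer-index read shows the zero-copy variant over disordered packets.

```python
"""Simulation of the session-prefix scan of Fig. 3 (steps S301-S307); an added example in which
all traffic, signatures and whitelist entries are constructed, not real indicators."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
Feature = Tuple[int, bytes]  # (byte offset within the session payload, virus code expected there)
# Constructed libraries in the patent's "XX-th byte corresponds to XX-th code" form; the preprocessing
# library holds only fragmented features whose offsets fall inside the first M packets.
PREPROCESSING_LIBRARY: Dict[str, List[Feature]] = {"demo.dropper.header": [(47, b"\x7a\x1a\x20\x10")]}
FULL_LIBRARY: Dict[str, List[Feature]] = {"demo.dropper.header": [(47, b"\x7a\x1a\x20\x10")],
                                          "demo.dropper.body": [(61, b"\xaa\xbb\xcc\xdd")]}  # straddles pkts 3/4
WHITELIST_DOMAINS = ("update.example.net",)  # hypothetical mode-examination rules
WHITELIST_SUFFIXES = (b".jpg", b".png")

@dataclass
class Packet:
    seq: int        # 1-based position in the session (transport sequence number)
    payload: bytes

def is_file_download(first: Packet) -> bool:
    """S302 prejudgment; a constructed heuristic (HTTP GET line) stands in for the patent's protocol check."""
    return first.payload.startswith(b"GET ")

def on_white_list(prefix: Iterable[Packet]) -> bool:
    """S304 mode examination: whitelisted domain name or data-packet suffix within the first M packets."""
    for pkt in prefix:
        for line in pkt.payload.split(b"\r\n"):
            if line.lower().startswith(b"host: ") and line[6:].strip().decode("ascii", "replace") in WHITELIST_DOMAINS:
                return True
            if line.startswith(b"GET ") and any(p.lower().endswith(WHITELIST_SUFFIXES) for p in line.split()[1:2]):
                return True
    return False

def read_bytes(cache: Dict[int, Packet], offset: int, length: int) -> Optional[bytes]:
    """Pointer-index read (the patent's zero-copy variant): walk the cached packets in sequence order and
    copy out only [offset, offset + length) instead of reassembling the session; None if not fully cached."""
    out, pos = bytearray(), 0
    for seq in range(1, len(cache) + 1):
        pkt = cache.get(seq)
        if pkt is None:  # gap: offsets beyond a missing packet cannot be located yet
            return None
        end = pos + len(pkt.payload)
        if end > offset:
            out += pkt.payload[max(offset, pos) - pos:min(offset + length, end) - pos]
            if len(out) == length:
                return bytes(out)
        pos = end
    return None

def scan(cache: Dict[int, Packet], library: Dict[str, List[Feature]]) -> List[str]:
    """Location + virus-code matching: a library entry hits when every (offset, code) pair matches."""
    return [name for name, feats in library.items()
            if all(read_bytes(cache, off, len(code)) == code for off, code in feats)]

class SessionDetector:
    def __init__(self, m: int):
        self.m, self.cache = m, {}  # M, and the per-session packet cache keyed by sequence number
        self.first_examined = self.prefix_examined = self.remaining_scanned = False
        self.verdict: Optional[str] = None  # None while the decision is still pending

    def feed(self, pkt: Packet) -> Optional[str]:
        if self.verdict in ("clean", "infected"):
            return self.verdict  # S307: detection already stopped for this session
        self.cache[pkt.seq] = pkt  # S302/S303: cache packets as they arrive, in any order
        if not self.first_examined and 1 in self.cache:
            self.first_examined = True
            if not is_file_download(self.cache[1]):  # S302: not a download, stop immediately
                self.verdict = "clean"
                return self.verdict
        if self.first_examined and not self.prefix_examined and all(s in self.cache for s in range(1, self.m + 1)):
            self.prefix_examined = True  # the first M packets are now all present
            prefix = {s: self.cache[s] for s in range(1, self.m + 1)}
            if on_white_list(prefix.values()) or not scan(prefix, PREPROCESSING_LIBRARY):  # S304, S305
                self.verdict = "clean"
            else:
                self.verdict = "suspected"  # keep caching; S306 runs at session end
        return self.verdict

    def finish(self) -> str:  # session end: the remaining packets are scanned (S306) only when suspected
        if self.verdict == "suspected":
            self.remaining_scanned = True
            self.verdict = "infected" if scan(self.cache, FULL_LIBRARY) else "clean"
        return self.verdict or "unscanned"  # fewer than M packets ever arrived

def run_session(packets: List[Packet], m: int) -> Tuple[str, bool]:
    """Feed packets in arrival order; returns (verdict, whether the remaining packets were scanned)."""
    det = SessionDetector(m)
    for p in packets: det.feed(p)
    return det.finish(), det.remaining_scanned

# Constructed sample sessions (not captures). Session offsets: pkt1 = 0..27, pkt2 = 28..46,
# pkt3 = 47..62, pkt4 = 63..78; MALICIOUS_DOWNLOAD arrives disordered (seq 2, 1, 3, 5, 4).
CHAT_SESSION = [Packet(1, b"MSG hello"), Packet(2, b"MSG world")]
IMAGE_SESSION = [Packet(1, b"GET /img/logo.jpg HTTP/1.1\r\nHost: update.example.net\r\n\r\n"),
                 Packet(2, b"HTTP/1.1 200 OK\r\n\r\n"), Packet(3, b"\x89PNG" + b"\x00" * 12)]
BENIGN_DOWNLOAD = [Packet(1, b"GET /dl/app.sis HTTP/1.1\r\n\r\n"), Packet(2, b"HTTP/1.1 200 OK\r\n\r\n"),
                   Packet(3, b"\x00" * 16), Packet(4, b"\x00" * 16)]
MALICIOUS_DOWNLOAD = [Packet(2, b"HTTP/1.1 200 OK\r\n\r\n"), Packet(1, b"GET /dl/app.sis HTTP/1.1\r\n\r\n"),
                      Packet(3, b"\x7a\x1a\x20\x10" + b"\x00" * 10 + b"\xaa\xbb"),
                      Packet(5, b"\x00" * 16), Packet(4, b"\xcc\xdd" + b"\x00" * 14)]
```

With M = 3, `run_session` returns `("clean", False)` for the chat, image and benign download sessions (the remaining packets are never scanned) and `("infected", True)` for the disordered malicious download, whose body signature is matched across the packet 3/4 boundary without reassembly.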
  • Fig. 4a is showing a device for detecting a mobile phone virus provided by one embodiment of the present invention, the detection device particularly comprising:
  • a preprocessing engine 41 for carrying out virus scanning on the first M data packets of the session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session;
  • carrying out virus scanning on the first M data packets of the session among the data packets ob ⁇ tained during the session can comprise: recombining the first M data packets of the session among the data packets obtained during the session, carrying out virus scanning on the recombined first M data packets of the session, or carrying out virus scanning on the first M data packets of the session among the data packets obtained during the session by using a pointer index sequentially, wherein the sequence is from the first data packet of the session to the Mth data packet of the session.
  • for the specific method, reference can be made to the description of step S201, which need not be repeated here.
  • a virus analysis module 42 is used for determining that the session does not contain any mobile phone viruses when said first M data packets do not contain the suspected virus according to the scanning result of said preprocessing engine 41.
  • said virus analysis module 42 is further used for carrying out virus scanning on the remaining data packets of the session when said first M data packets contain the suspected virus according to the scan result of said preprocessing engine 41, so as to judge whether or not the session contains any mobile phone viruses.
  • the detection device further comprises a preprocessing virus library 43 for storing a fragmented mobile phone virus feature, with the fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets of the session; and said preprocessing engine 41 being specifically for carrying out virus scanning on the first M data packets among the data packets obtained during the session by using said preprocessing virus library 43.
  • said preprocessing engine 41 can comprise a virus scanning module 412, wherein the virus scanning module 412 is used for carrying out virus scanning on the first M data packets among the data packets obtained during the session.
  • said preprocessing engine 41 further comprises:
  • a prejudgment module 414 for examining the first data packet of the session in the data packets obtained during the session, and judging whether or not the session is a file download session; if it is not, then informing said virus analysis module 42 that the session is not a file download session, wherein said virus analysis module 42 determines that the session does not contain any mobile phone viruses according to the informing, and if it is, then instructing said virus scanning module 412 to perform the virus scanning on the first M data packets among the data packets obtained during the session.
  • the preprocessing engine can comprise a cache module 411, a recombination module 418 and a virus scanning module 412.
  • the cache module 411 is used for caching the data packets obtained during the session;
  • the recombination module 418 is used for recombining the first M data packets of the session in the data packets of the session cached by the cache module 411;
  • the virus scanning module 412 is used for carrying out virus scanning on the first M data packets of the session recombined by the recombination module 418.
  • the virus scanning module 412 can be used for carrying out virus scanning on the first M data packets of the session by using the preprocessing virus library 43, so as to determine whether or not the first M data packets of the session contain the suspected virus. Certainly, the virus scanning can further be performed on the first M data packets of the session by using other virus scanning means.
  • the prejudgment module 414 is connected between the cache module 411 and the virus scanning module 412 and at the same time is connected to the virus analysis module 42.
  • the detection device further comprises a virus library 44 connected to the virus analysis module 42, and the virus analysis module 42 can carry out virus scanning on the remaining data packets of the session by using the virus library 44, so as to judge whether or not the session contains any mobile phone viruses.
  • the detection device further comprises an alarm module 45, and the virus analysis module 42 can transmit the detection result to the alarm module 45 after detecting that the session contains a mobile phone virus.
  • Fig. 4b shows a device for detecting a mobile phone virus provided by another embodiment of the present invention; the difference from the embodiment of the device shown in Fig. 4a lies in that the prejudgment module 414 is replaced by a mode examination module 413, so that the preprocessing engine 41 comprises the mode examination module 413 and the virus scanning module 412.
  • the mode examination module 413 is used for performing mode examination on the first M data packets among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then informing the virus analysis module 42 that the session belongs to a session on the white list, and the virus analysis module 42 determines that the session does not contain any mobile phone viruses, and if it does not, then instructing the virus scanning module 412 to perform the virus scanning on the first M data packets among the data packets obtained during the session.
  • the preprocessing engine 41 can also comprise the above prejudgment module 414 and the mode examination module 413 at the same time.
  • the virus examination only needs to be performed on the first M data packets of the session, and on that basis it is decided whether or not to perform the virus examination on the remainder of the session. Therefore, the data which needs to be scanned against the whole virus library will be greatly reduced, the performance of the detection device will be greatly improved, and the high-speed processing requirement will be met.
  • the method comprises: carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and when said first M data packets do not contain the suspected virus, determining that the session does not contain any mobile phone viruses.
  • the detection requirement of the mobile phone virus under high traffic can be met, and the requirement of high-speed processing can be met.

Abstract

Disclosed in the present invention are a method and device for detecting a mobile phone virus. The method includes: carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session (S201); and determining that the session does not contain any mobile phone viruses when said first M data packets do not contain a suspected virus (S202, S204). By using the virus detection method according to the present invention, the detection requirement on the mobile phone virus under high traffic can be met, thus meeting the requirement for high-speed processing.

Description

Method and device for detecting mobile phone virus
The present invention relates to the field of information security, and in particular, to a method and device for detecting a mobile phone virus.
With the development of the mobile phone, many viruses which aim at smart phones are spreading among smart phones. If a smart phone is unfortunately infected with a mobile phone virus, the mobile phone virus can spread to other smart phones via MMS (MMS-Multimedia Messaging Service) and then many smart phones will be infected within a short time period. On the other hand, some mobile phone viruses actively connect to certain malicious control servers deployed in the network, and the malicious control servers can provide a control command or preset an attack target for downloading the viruses. Some viruses transmit fraudulent SMS (SMS-Short Message Service) or MMS to other smart phones, and the fraudulent SMS or MMS can lead the user to download the viruses from certain servers over the network. Some mobile phone viruses aim at secretly stealing user information or using the billing service, while the user does not know that his smart phone has been infected with the mobile phone virus. On the other hand, as it is very inconvenient to install anti-virus software in smart phones, even if the user has noticed that his smart phone works abnormally, it is still hard to install the anti-virus software in the smart phone.
Most mobile phone viruses spread in a mobile network by MMS, WAP, HTTP (HTTP-HyperText Transfer Protocol) and the like, so that a mobile phone virus detection system can be deployed at some locations in the network (such as the Gn interface, the Gi interface, WAP gateways and the MMSC) (WAP-Wireless Access Protocol, MMSC-Multimedia Messaging Service Center) so as to monitor the virus attack. However, the network speed of the mobile interface is generally gigabit, and the conventional detection technology based on session recombination has to recombine and carry out virus scanning on the whole session, thus the high-traffic virus detection requirement cannot be met.
Snort is an open-source network-based intrusion detection system, which can carry out real-time traffic analysis and packet logging over IP networks. Snort performs protocol analysis, content searching and content matching. Snort can further be used for detecting probes and attacks, including but not limited to operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes and port scanning. Early versions of Snort only carried out stateless protocol processing, scanning network traffic packet by packet according to the attack feature information. However, the early version of Snort cannot recombine the session or perform virus scanning.
Therefore, the existing virus detection technology based on session recombination cannot be adapted to high-traffic virus detection. Hence it is an objective to provide a method and a device for detecting a mobile phone virus that meet a detection requirement of the mobile phone virus under high traffic and a high-speed processing requirement. In view of this, a method for detecting a mobile phone virus is proposed in the present invention, which can meet the detection requirement of the mobile phone virus under high traffic and can meet the high-speed processing requirement.
The present invention further provides a device for detecting a mobile phone virus. Therefore, a method for detecting a mobile phone virus is proposed according to one embodiment of the present invention, comprising:
carrying out virus scanning on first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and
determining that the session does not contain any mobile phone viruses when said first M data packets do not contain a suspected virus.
It can be seen from the above solution that as the detection method in the embodiments of the present invention only detects the first M data packets of a session, when the first M data packets do not contain the suspected virus, the virus scanning need not be performed on the whole session, thus the mobile phone virus detection speed is improved, the real-time detection requirement under high traffic can be met, and the requirement of high-speed processing can also be met.
Preferably, carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: carrying out virus scanning on the first M data packets among the data packets obtained during the session sequentially by using a pointer index, wherein the sequence is from the first data packet of the session to the M-th data packet of the session.
Accordingly, when the data packets of the session are disordered, the session recombination need not be performed in memory, and the virus scanning can be performed on the first M data packets of the session only by sequentially scanning the data packets of the session using a pointer. Thus memory space is saved and detection performance is improved.
Preferably, carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: carrying out virus scanning on the first M data packets among the data packets obtained during the session by using a preprocessing virus library, wherein the preprocessing virus library is used for storing a fragmented mobile phone virus feature, with said fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets of the session.
Accordingly, the virus scanning can be performed on the first M data packets of the session by using the preprocessing virus library, so as to examine whether or not the first M data packets contain the suspected virus.
Preferably, before carrying out virus scanning on the first M data packets among the data packets obtained during the session, the method further comprises: examining the first data packet of the session in the data packets obtained during the session, and judging whether or not the session is a file download session, and if it is not, then determining that the session does not contain any mobile phone viruses, and if it is, then executing the step of carrying out virus scanning on the first M data packets among the data packets obtained during the session.
Accordingly, the virus scanning need not be performed on a non-file download session, as judged from the first data packet of the session, so that the virus detection is faster.
Preferably, before carrying out virus scanning on the first M data packets among the data packets obtained during the session, the method further comprises:
performing mode examination on the first M data packets among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then determining that the session does not contain the mobile phone virus, and if it does not, then executing the step of carrying out virus scanning on the first M data packets among the data packets obtained during the session.
Accordingly, only the mode examination is performed on the first M data packets of the session, and when the session is determined to belong to the white list, the virus scanning will not be performed on the first M data packets of the session, and only when the session does not belong to the white list, the virus scanning will be performed on the first M data packets of the session, so that the virus scanning is faster.
Preferably, carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: obtaining and caching the data packets of the session; recombining the first M data packets of the session in said cached data packets of the session; and carrying out virus scanning on the recombined first M data packets of the session.
Accordingly, during the caching, the virus scanning can be performed on the first M data packets of the session, so that the real-time and high-speed processing requirement can be met.
Preferably, the method further comprises: when said first M data packets contain the suspected virus, carrying out virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses. Accordingly, only when the first M data packets contain the suspected virus, the virus scanning will be continued on the remaining data packets of the session.
An embodiment of the present invention further provides a device for detecting a mobile phone virus, said detection device comprising:
a preprocessing engine for carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and
a virus analysis module for determining that the session does not contain any mobile phone viruses when said first M data packets do not contain the suspected virus according to the scanning result of said preprocessing engine.
By using the detection device, virus scanning need only be carried out on the first M data packets of the session, and when said first M data packets do not contain the suspected virus, the virus scanning need not be performed on the remaining data packets of the session. Therefore, the data packets which need to be scanned are greatly reduced, the performance of the detection device is greatly improved, and the high-speed processing requirement is met.
Preferably, said detection device further comprises: a preprocessing virus library used for storing a fragmented mobile phone virus feature, with said fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets of the session; and said preprocessing engine being specifically for carrying out virus scanning on the first M data packets among the data packets obtained during the session by using said preprocessing virus library. Accordingly, the virus scanning can be performed on the first M data packets of the session by using the preprocessing virus library, accelerating virus scanning speed and further improving the performance of the detection device.
Preferably, said preprocessing engine comprises a prejudgment module and a virus scanning module, wherein said prejudgment module is used for examining the first data packet of the session in the data packets obtained during the session, and judging whether or not the session is a file download session; if it is not, then informing said virus analysis module that the session is not a file download session, and if it is, instructing said virus scanning module to perform the virus scanning on the first M data packets among the data packets obtained during the session; and said virus analysis module is used for determining that the session does not contain any mobile phone viruses according to the informing by said preprocessing engine.
Accordingly, the prejudgment module will not perform the virus scanning on the non-file download session by examining the first data packet of the session, accelerating the processing speed of the virus detection.
Preferably, said preprocessing engine comprises a mode examination module and a virus scanning module, wherein said mode examination module is used for performing mode examination on the first M data packets among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then informing said virus analysis module that the session belongs to a session on the white list, and if it does not, then instructing said virus scanning module to perform the virus scanning on the first M data packets among the data packets obtained during the session; and said virus analysis module is used for determining that the session does not contain any mobile phone viruses according to the informing by said preprocessing engine.
Accordingly, the mode examination module performs the mode examination on the first M data packets of the session, and when the session belongs to the white list, the virus scanning will not be performed on the first M data packets of the session, accelerating the virus scanning and further improving the performance of the detection device.
In one embodiment of the present invention, said preprocessing engine comprises: a cache module for caching the data packets obtained during the session; a recombination module for recombining the first M data packets of the session in the data packets of the session cached by the cache module; and a virus scanning module for carrying out virus scanning on the first M data packets of the session recombined by the recombination module.
Preferably, said virus analysis module is further used for carrying out virus scanning on the remaining data packets of the session when said first M data packets contain the suspected virus according to the scanning result of said preprocessing engine, so as to judge whether or not the session contains any mobile phone viruses. Accordingly, when the first M data packets of the session contain the suspected virus, the virus scanning can be continued on the remaining data packets of the session, so as to detect the mobile phone virus contained in the session.
In order to make the above and other features and advantages of the present invention more apparent to those skilled in the art, preferred embodiments of the present invention will be described in detail hereinafter by referring to the accompanying drawings, in which:
Fig. 1 schematically illustrates an application scenario of the present invention. Fig. 2a is a flowchart showing a method for detecting a mobile phone virus provided by one embodiment of the present invention. Fig. 2b is a flowchart showing a method for detecting a mobile phone virus provided by another embodiment of the present invention.
Fig. 3 is a flowchart showing a method for detecting a mobile phone virus provided by particular embodiments of the present invention.
Fig. 4a shows a device for detecting a mobile phone virus provided by one embodiment of the present invention.
Fig. 4b shows a device for detecting a mobile phone virus provided by another embodiment of the present invention.
In order to make the object, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail hereinafter by way of embodiments. Elements with the same function and effect are labeled by the same reference sign.
Fig. 1 schematically illustrates an application scenario of the present invention. The detection method of the present invention can be adapted to communication with mobile terminals, such as a Gn interface or Gi interface which can be applied in the GPRS (GPRS-General Packet Radio Service) network or the other paths through which mobile phone viruses pass. The detection device using the detection method of the present invention can be deployed at the Gn interface or the Gi interface or the other paths through which mobile phone viruses pass, so as to execute the detection method. As shown in Fig. 1, the detection method can be applied to the Gn interface, i.e. the method of the present invention is implemented on the interface between the SGSN (Service GPRS Supporting Node) and the GGSN (Gateway GPRS Support Node). Fig. 2a is a flowchart showing a method for detecting a mobile phone virus provided by the embodiments of the present invention, specifically comprising:
In a step S201, carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session;
wherein the data packets obtained during the session can specifically be the received data packets of the session or the captured data packets of the session; and
wherein when the data packets of the session are in a normal sequence, the virus scanning can be directly performed on the first M data packets of the session; and when the data packets of the session are disordered, the first M data packets of the session can be placed in the memory for recombination, and the virus scanning is performed on the recombined first M data packets of the session. When the data packets of the session are disordered, as the recombination process needs memory copy, in order to save the memory space, improve the performance of the detection device, and accelerate the virus detection speed, when the virus scanning is performed on the first M data packets of the session, the zero copy technology can be used. Therefore, said carrying out virus scanning on the first M data packets among the data packets obtained during the session comprises: carrying out virus scanning on the first M data packets among the data packets obtained during the session by using a pointer index sequentially, wherein the sequence is from the first data packet of the session to the M-th data packet of the session.
Accordingly, when the virus scanning is performed, the data packets need not be copied into the memory for recombination, and the virus scanning is sequentially performed on the first M data packets of the session according to the sequence numbers of the data packets of the session only by using a pointer, i.e. the scanning is sequentially performed from the first data packet of the session to the M-th data packet of the session by using the pointer index. This method is particularly suitable for the situation where the data packets obtained during the session are disordered, greatly saving the memory space, improving the performance of the detection device, and accelerating the virus detection speed. In this case, carrying out virus scanning on the first M data packets of the session can be done by carrying out virus scanning on the first M data packets of the session using the virus library or by carrying out virus scanning on the first M data packets of the session using the preprocessing virus library, so as to determine whether or not the first M data packets contain the suspected virus. In this case, the virus library is used for storing a mobile phone virus feature for searching for the mobile phone virus contained in a session, and the preprocessing virus library is used for storing a fragmented mobile phone virus feature for searching for the mobile phone virus contained in the first M data packets of the session.
As the mobile phone virus feature stored in the virus library can comprise the mobile phone virus location and the mobile phone virus code, for example, the XX-th byte corresponds to the XX-th code, so that when the virus scanning is performed, location and virus code matching need to be performed between the data packets of the session and the mobile phone virus feature stored in the virus library, so as to determine whether or not the suspected virus is contained. In particular, the data corresponding to a certain location of the session is matched with the virus code corresponding to that location in the virus library, so as to determine whether or not the data at this location is the suspected virus. For example, the data of the nth byte of the session is matched with the virus code whose location in the virus library is the nth byte, so as to determine whether or not the data packets contain the suspected virus. Therefore, the fragmented mobile phone virus feature stored in the preprocessing virus library can be the location corresponding to the data packets of the fragment session (for example, the first M data packets of the session) and the virus code corresponding to each location. The mobile phone virus feature stored in the virus library can be the location corresponding to the data packets of the whole session and the virus code corresponding to each location. For example, the location corresponding to the data packets can be the XX-th byte.
Certainly, when the virus scanning is performed, a specific virus library can be used as mentioned above, and other existing virus scanning means can of course also be used.
In this case, M can be adjusted as required and in particular according to a security policy and/or the configuration of the virus library used for scanning the first M data packets.
In a step S202, judging whether or not the first M data packets contain the suspected virus; if they do, then executing step S203, and if they do not, then executing step S204; and
in a step S203, performing virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses;
performing virus scanning on the remaining data packets of the session can specifically be: recombining the remaining data packets of the session, and carrying out virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses.
Certainly, in order to save the memory space, the virus scanning also can be performed on the remaining data packets of the session by using the zero copy technology. That is to say, the virus scanning can be performed on the remaining data packets of the session by using a pointer index sequentially.
As the virus scanning has been performed on the first M data packets of the session in the above steps, the virus scanning need only be performed on the remaining data packets of the session in this step. Furthermore, when the virus scanning is performed, the virus scanning can be performed by using the virus library, and other existing virus scanning means can of course also be used.
In the step S204, determining that the session does not contain any mobile phone viruses.
The session is determined not to contain any mobile phone viruses, so that the virus scanning need not be performed on the remaining data packets of the session.
In this case, before step S201, the method can further comprise: examining the first data packet of the session in the data packets obtained during the session, and judging whether or not the session is a file download session, and if it is, then executing step S201, and if it is not, then executing step S204. Accordingly, when examination of the first data packet of the session determines that the session is not a file download session, it is directly determined that the session does not contain any mobile phone viruses, and the virus scanning need not be performed on the other data packets of the session, further improving the mobile phone virus detection speed and meeting the high-speed processing requirement.
In this case, before step S201, the method can further comprise: performing mode examination on the first M data packets among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then directly executing step S204, and if it does not, then executing step S201. When the mode examination is used to judge whether or not the session belongs to a session on the white list, for example, the domain name, the keyword, the data packet suffix and the like of the first M data packets of the session can be examined; certainly, other methods can also be used. When the mode examination is performed on the first M data packets of the session, the first M data packets can also be recombined, and then the mode examination is performed thereon; or the mode examination is performed on the first M data packets by directly using the pointer index.
Accordingly, by way of carrying out a primary examination on the first M data packets of the session, when the session is determined to belong to a session on the white list, the session can be directly determined not to contain any mobile phone viruses, further improving the mobile phone virus detection speed and meeting the high-speed processing requirement.
The two examinations performed before step S201 can be independently performed or can be simultaneously performed. When they are simultaneously performed, firstly, the first data packet of the session is examined, and when the session is determined to be a file download session, the mode examination is then performed on the first M data packets of the session. Accordingly, by way of the combination of the two examinations, the mobile phone virus detection speed can be further accelerated, and the detection accuracy can be improved.
In this case, step S201 can specifically comprise: obtaining and caching the data packets of the session; recombining the first M data packets of the session in said cached data packets of the session; and carrying out virus scanning on the recombined first M data packets of the session. Accordingly, during the process of caching the data packets of the session, the virus scanning can be performed on the first M data packets of the session, so that the real-time and high-speed processing requirement can be met.
Fig. 2b is a flowchart showing a method for detecting a mobile phone virus provided by another embodiment of the present invention, wherein before step S201, the method further comprises: step S201a of obtaining the data packets of the session; and step S201b of caching the data packets obtained during the session.
In this case, the data packets from the mobile phone, the other mobile terminal or the network device or the data packets transmitted to the mobile phone, the other mobile terminal or the network device are obtained in step S201a. For example, the network device can be SGSN, GGSN, etc. The steps S201-S204 are performed continuously after the steps S201a and S201b. The detailed process of the steps S201-S204 need not be repeated here.
In this case, when the network is very good and the data packets obtained during the session are in a normal sequence, then after the first M data packets are obtained, the virus scanning can be directly performed on the cached first M data packets. However, the network may not be so good; when the data packets obtained during the session are disordered, then only when the obtained data packets (i.e. the cached data packets) already include the first M data packets of the session are the recombination and the virus scanning performed on the obtained first M data packets. For example, assuming that the obtained first M-1 data packets are in a normal sequence, the M-th data packet of the session may be obtained only when the (M+K)-th data packet is obtained; therefore, only when the (M+K)-th data packet is obtained can the recombination and the virus scanning be performed on the first M data packets of the session. When the obtained data packets are disordered, the virus scanning can also be performed on the cached first M data packets of the session by using the pointer index sequentially, wherein the sequence is from the first data packet of the session to the M-th data packet of the session.
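As an added illustration of the pointer-index variant described above (example code written for this page, not the patent's or the applicant's implementation), the following Python keeps the cached packets of one session in a dictionary keyed by sequence position and scans packets 1..M in session order without first recombining them into one buffer. The byte-stream matcher keeps its partial-match state from one packet to the next, so a signature that straddles a packet boundary is still found, and the scan waits until packets 1..M are all cached, as happens when the M-th packet only arrives with the (M+K)-th. The names `SessionCache`, `StreamMatcher` and `scan_first_m`, the sequence numbers, the payloads and the signature are all constructed for the example.

```python
"""Pointer-index scanning of the first M cached packets of a session.

Added example, not the patent's code. Packets are cached by their 1-based
position in the session and scanned in that order without recombination;
the matcher's state survives packet boundaries. All data is constructed."""
from typing import Dict, Iterator, List, Optional


class SessionCache:
    """Packets of one session keyed by their 1-based position in the session."""

    def __init__(self) -> None:
        self.packets: Dict[int, bytes] = {}

    def add(self, seq: int, payload: bytes) -> None:
        self.packets.setdefault(seq, payload)   # a retransmission does not overwrite

    def has_first(self, m: int) -> bool:
        """True once packets 1..m have all arrived, whatever the arrival order."""
        return all(i in self.packets for i in range(1, m + 1))

    def iter_bytes(self, m: int) -> Iterator[int]:
        """The pointer index: walk packets 1..m in session order, no copying."""
        for i in range(1, m + 1):
            yield from self.packets[i]


def _kmp_table(pattern: bytes) -> List[int]:
    """Classic KMP failure table so the matcher never rescans a byte."""
    table = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = table[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        table[i] = k
    return table


class StreamMatcher:
    """Byte-at-a-time multi-signature matcher; state persists across packets."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.sigs = {n: (s, _kmp_table(s)) for n, s in signatures.items() if s}
        self.state = {n: 0 for n in self.sigs}

    def feed(self, byte: int) -> Optional[str]:
        """Advance every signature by one byte; return the first completed name."""
        for name, (sig, table) in self.sigs.items():
            k = self.state[name]
            while k and byte != sig[k]:
                k = table[k - 1]
            if byte == sig[k]:
                k += 1
            if k == len(sig):
                self.state[name] = table[k - 1]
                return name            # scanning stops at the first hit
            self.state[name] = k
        return None


def scan_first_m(cache: SessionCache, m: int, signatures: Dict[str, bytes]) -> Optional[str]:
    """Scan packets 1..m in session order; return the matched name or None.

    Raises LookupError while packets 1..m are incomplete: the caller keeps
    caching and retries once the missing (e.g. the M-th) packet arrives."""
    if not cache.has_first(m):
        raise LookupError("packets 1..%d not all cached yet" % m)
    matcher = StreamMatcher(signatures)
    for b in cache.iter_bytes(m):
        hit = matcher.feed(b)
        if hit is not None:
            return hit
    return None


# Constructed signature: it straddles packets 2 and 3 of the sample session.
SIGNATURES = {"demo.fragment": b"DEMO\x00SIG"}


def demo(m: int = 3) -> Optional[str]:
    """Sample session where the M-th packet arrives one packet late (K = 1)."""
    cache = SessionCache()
    cache.add(1, b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n")
    cache.add(2, b"file header DEMO")
    cache.add(4, b"tail of the file")          # the (M+K)-th packet arrives first
    try:
        scan_first_m(cache, m, SIGNATURES)      # packet 3 still missing: wait
    except LookupError:
        pass
    cache.add(3, b"\x00SIG more payload")       # late M-th packet completes 1..M
    return scan_first_m(cache, m, SIGNATURES)   # now "demo.fragment"
```

Because the matcher carries its state between packets, detection does not depend on whether the first M packets are recombined or merely indexed; the pointer index only avoids the copy. A signature fragment that falls entirely outside packets 1..M is never seen by this stage, which is why the fragment stored in the preprocessing library has to be chosen to lie within the first M packets.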
By way of the above steps S201a-S204, the mobile phone virus detection can be performed on the data packets of the session, meeting the real-time processing requirement.

In this case, preferably, the following can also be included between step S201b and step S201: when the first data packet of the session is cached in step S201b, examining the first data packet, and judging whether or not the session is a file download session; if it is, then continuously obtaining and caching the data packets of the session and executing step S201, and if it is not, then directly executing step S204. Accordingly, the first data packet of the session can be examined in a timely manner, and when the first data packet shows that the session is not a file download session, the session can be directly determined not to contain any mobile phone viruses, further improving the mobile phone virus detection speed and meeting the real-time and high-speed processing requirement.

In this case, the following can also be included between step S201b and step S201: after the first M data packets of the session are cached in step S201b, performing the mode examination on the first M data packets of the session in the cached data packets of the session, and judging whether or not the session belongs to a session on the white list; if it does, then directly executing step S204, and if it does not, then continuously obtaining and caching the data packets of the session and executing step S201. Accordingly, during the cache process, the mode examination is performed in a timely manner on the first M data packets of the session, further improving the mobile phone virus detection speed and meeting the real-time and high-speed processing requirement.
The method described in the above method embodiments can be executed by the detection device or the network device deployed at the path through which the mobile phone virus passes, so as to detect the mobile phone virus.
The method of the present invention will be illustrated in detail by one particular embodiment hereinafter. Fig. 3 is a flowchart showing a method for detecting a mobile phone virus provided by particular embodiments of the present invention, specifically comprising:
in a step S301, receiving the data packets of the session of the GTP (GPRS Tunnel Protocol) data; and
in a step S302, caching the data packets of the session, and when the first data packet of the session is cached, examining the first data packet, and judging whether or not the session is a file download session; if it is, then executing a step S303, and if it is not, then executing a step S307;
in this case, judging from the first data packet whether or not the session is a file download session can be done according to the session identifier, the session protocol and the like carried in the first data packet. If it is not a file download session, then the session surely does not contain any mobile phone virus files, thus the session is directly determined to be a normal session, and the virus detection will not be performed;
in the step S303, continuously caching the data packets of the session;
in this case, when the session is a file download session, the received data packets of the session continue to be cached;
in the step S304, performing the mode examination on the first M data packets of the session in the cached data packets of the session, and judging whether or not the session belongs to a session on the white list; if it does, then executing the step S307, and if it does not, then executing a step S305;
in this case, M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and
in the step S305, carrying out virus scanning on the first M data packets of the session in the cached data packets of the session, and judging whether or not the first M data packets of the session contain the suspected virus; if they do, then executing step S306, and if they do not, then executing step S307.
In this case, for carrying out virus scanning on the first M data packets of the session, reference can be made to the description of step S201, which need not be described here.
in the step S306, carrying out virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses; and
in the step S307, stopping detecting the virus.
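The flow of Fig. 3 (S301 to S307), including the caching of out-of-order packets described for steps S201a and S201b, as an added worked example written for this page rather than taken from the patent: each packet of a session is cached as it arrives, the first packet decides whether the session is a file download at all, and once packets 1..M are all present the white list and a small "preprocessing" library of signature fragments are consulted; only a session that the fragment scan marks as suspect is scanned in full against the whole library. The download heuristic, the `X-Download-Host` header standing in for the domain-name check, the white list, both signature sets and the sample sessions are constructed, and `Session`, `handle_packet` and `run_session` are names chosen here.

```python
"""Session-level preprocessing flow of Fig. 3 (S301-S307), added example.

Not the patent's code. Packets may arrive out of order; only the first M
packets are scanned against fragment signatures, and the full library is
consulted only for a suspect session. All names and data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

M = 3   # packets scanned in the preprocessing stage (1 <= M < N)

WHITE_LIST = {"updates.example-operator.invalid"}       # constructed (S304)
PREPROCESSING_LIBRARY = {"demo.worm": b"DEMO-WORM"}       # fragment (S305)
FULL_LIBRARY = {"demo.worm": b"DEMO-WORM-PAYLOAD-v1"}     # whole signature (S306)


@dataclass
class Session:
    packets: Dict[int, bytes] = field(default_factory=dict)  # seq -> payload (cache)
    suspect: bool = False                                    # set by S305
    verdict: Optional[str] = None                            # 'clean' or a virus name

    def first_m_complete(self) -> bool:
        return all(i in self.packets for i in range(1, M + 1))

    def reassemble(self, upto: Optional[int] = None) -> bytes:
        """Recombine cached packets in session order (1..upto, or all cached)."""
        last = max(self.packets) if upto is None else upto
        return b"".join(self.packets[i] for i in range(1, last + 1) if i in self.packets)


def is_file_download(first_packet: bytes) -> bool:
    """S302 (constructed heuristic): an HTTP response whose headers announce a file."""
    head = first_packet.split(b"\r\n\r\n", 1)[0].lower()
    return head.startswith(b"http/1.") and (
        b"content-disposition: attachment" in head
        or b"content-type: application/octet-stream" in head)


def download_host(data: bytes) -> Optional[str]:
    """Constructed: an X-Download-Host header stands in for the domain-name check."""
    for line in data.split(b"\r\n"):
        if line.lower().startswith(b"x-download-host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def scan(data: bytes, library: Dict[str, bytes]) -> Optional[str]:
    """Plain substring search; a real scanner would use a multi-pattern matcher."""
    return next((name for name, sig in library.items() if sig in data), None)


def handle_packet(session: Session, seq: int, payload: bytes, last: bool) -> Optional[str]:
    """Feed one packet (S301); return the verdict once one is reached, else None."""
    if session.verdict is not None:
        return session.verdict
    session.packets.setdefault(seq, payload)                  # S302/S303: cache
    if seq == 1 and not is_file_download(payload):            # S302 -> S307
        session.verdict = "clean"
    elif not session.suspect and session.first_m_complete():
        prefix = session.reassemble(M)
        if download_host(prefix) in WHITE_LIST:               # S304 -> S307
            session.verdict = "clean"
        elif scan(prefix, PREPROCESSING_LIBRARY) is None:     # S305 -> S307
            session.verdict = "clean"
        else:
            session.suspect = True                            # S305 -> S306
    if last and session.verdict is None:
        # S306: a suspect session is scanned in full. This also covers a session
        # shorter than M packets, which the M < N assumption excludes.
        session.verdict = scan(session.reassemble(), FULL_LIBRARY) or "clean"
    return session.verdict


def run_session(packets: List[Tuple[int, bytes]]) -> Tuple[str, int]:
    """Drive one session in arrival order; return (verdict, packets consumed)."""
    s = Session()
    for i, (seq, payload) in enumerate(packets, start=1):
        verdict = handle_packet(s, seq, payload, last=(i == len(packets)))
        if verdict is not None:
            return verdict, i                 # S307: stop, later packets unread
    return "undecided", len(packets)


# Constructed sample sessions in arrival order (seq, payload); N = 4 packets.
BIN = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLES = {
    "html_page": [(1, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
                  (2, b"DEMO-WORM-PAYLOAD-v1"), (3, b"</html>"), (4, b"")],
    "clean_download": [(1, BIN), (2, b"\x7fELF..."), (3, b"\x00" * 8), (4, b"tail")],
    "infected_out_of_order": [(1, BIN), (3, b"ORM-PAYLOAD-v1 more"),
                              (2, b"\x00DEMO-W"), (4, b"end")],
    "fragment_only": [(1, BIN), (2, b"DEMO-WORM"), (3, b"-unrelated"), (4, b"end")],
    "white_listed": [(1, BIN[:-2] + b"X-Download-Host: updates.example-operator.invalid\r\n\r\n"),
                     (2, b"DEMO-WORM-PAYLOAD-v1"), (3, b""), (4, b"")],
}

if __name__ == "__main__":
    for name, pkts in SAMPLES.items():
        print(name, run_session(pkts))
```

The early exits are the point of the method: the HTML session is decided after one packet and the clean download after M packets, so the fourth packet of each is never read. The same samples also show what a deployment has to get right. The first-packet download check and the white list remove a session from scanning entirely, so the worm signature carried inside the `html_page` and `white_listed` samples is never examined; both checks are trust decisions and should be kept conservative. The `fragment_only` sample shows why the full-library pass in S306 exists: the fragment hit alone is only a suspicion.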
By way of the method according to the embodiments of the present invention, in most instances the session is preprocessed, that is to say, only the first M data packets of the session are scanned, so that when the mobile phone virus detection is performed based on the session recombination, the data to be recombined is greatly reduced; therefore, the data which needs to be scanned together with the whole virus library will be greatly reduced, and the requirement of real-time detection under high traffic can be met.

Fig. 4a shows a device for detecting a mobile phone virus provided by one embodiment of the present invention, the detection device particularly comprising:
a preprocessing engine 41 for carrying out virus scanning on the first M data packets of the session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and
in this case, carrying out virus scanning on the first M data packets of the session among the data packets obtained during the session can comprise: recombining the first M data packets of the session among the data packets obtained during the session and carrying out virus scanning on the recombined first M data packets of the session; or carrying out virus scanning on the first M data packets of the session among the data packets obtained during the session by using a pointer index sequentially, wherein the sequence is from the first data packet of the session to the M-th data packet of the session. For the specific method, reference can be made to the description of step S201, which need not be described here.
A virus analysis module 42 is used for determining that the session does not contain any mobile phone viruses when said first M data packets do not contain the suspected virus according to the scanning result of said preprocessing engine 41.
In this case, said virus analysis module 42 is further used for carrying out virus scanning on the remaining data packets of the session when said first M data packets contain the suspected virus according to the scan result of said preprocessing engine 41, so as to judge whether or not the session contains any mobile phone viruses.
Preferably, the detection device further comprises a preprocessing virus library 43 for storing a fragmented mobile phone virus feature, with the fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets of the session; and said preprocessing engine 41 is specifically for carrying out virus scanning on the first M data packets among the data packets obtained during the session by using said preprocessing virus library 43.
In this case, said preprocessing engine 41 can comprise a virus scanning module 412, wherein the virus scanning module 412 is used for carrying out virus scanning on the first M data packets among the data packets obtained during the session.
Preferably, said preprocessing engine 41 further comprises:
a prejudgment module 414 for examining the first data packet of the session in the data packets obtained during the session, and judging whether or not the session is a file download session; if it is not, then informing said virus analysis module 42 that the session is not a file download session, wherein said virus analysis module 42 determines that the session does not contain any mobile phone viruses according to the informing, and if it is, then instructing said virus scanning module 412 to perform the virus scanning on the first M data packets among the data packets obtained during the session.
In one embodiment of the present invention, the preprocessing engine 41 can comprise a cache module 411, a recombination module 418 and a virus scanning module 412. In this case, the cache module 411 is used for caching the data packets obtained during the session; the recombination module 418 is used for recombining the first M data packets of the session in the data packets of the session cached by the cache module 411; and the virus scanning module 412 is used for carrying out virus scanning on the first M data packets of the session recombined by the recombination module 418. In this case, the virus scanning module 412 can be used for carrying out virus scanning on the first M data packets of the session by using the preprocessing virus library 43, so as to determine whether or not the first M data packets of the session contain the suspected virus. Certainly, the virus scanning can further be performed on the first M data packets of the session by using other virus scanning means.
When the preprocessing engine 41 comprises the cache module 411 and the virus scanning module 412, the prejudgment module 414 is connected between the cache module 411 and the virus scanning module 412 and at the same time is connected to the virus analysis module 42.
Preferably, the detection device further comprises a virus library 44 connected to the virus analysis module 42, and the virus analysis module 42 can carry out virus scanning on the remaining data packets of the session by using the virus library 44, so as to judge whether or not the session contains any mobile phone viruses.
Preferably, the detection device further comprises an alarm module 45, and the virus analysis module 42 can transmit the detection result to the alarm module 45 after detecting that the session contains a mobile phone virus.
Fig. 4b shows a device for detecting a mobile phone virus provided by another embodiment of the present invention; the difference from the embodiment of the device shown in Fig. 4a lies in that the prejudgment module 414 is replaced by a mode examination module 413, so that the preprocessing engine 41 comprises the mode examination module 413 and the virus scanning module 412. The mode examination module 413 is used for performing mode examination on the first M data packets among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then informing the virus analysis module 42 that the session belongs to a session on the white list, and the virus analysis module 42 determines that the session does not contain any mobile phone viruses, and if it does not, then instructing the virus scanning module 412 to perform the virus scanning on the first M data packets among the data packets obtained during the session. Certainly, the preprocessing engine 41 can also comprise the above prejudgment module 414 and the mode examination module 413 at the same time.
By way of the detection device of this embodiment, the virus examination only needs to be performed on the first M data packets of the session, and it is then decided whether or not to perform the virus examination on the remainder of the session. Therefore, the data which needs to be scanned together with the whole virus library will be greatly reduced, the performance of the detection device will be greatly improved, and the high-speed processing requirement will be met.
Disclosed in the present invention are a method and device for detecting a mobile phone virus. The method comprises: carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and when said first M data packets do not contain the suspected virus, determining that the session does not contain any mobile phone viruses. By way of the method for detecting the mobile phone virus in the present invention, the detection requirement of the mobile phone virus under high traffic can be met, and the requirement of high-speed processing can be met.

What are described above are merely preferred embodiments of the present invention, and are not intended to limit the present invention; any modifications, equivalents and improvements within the spirit and principle of the present invention should be covered by the protection scope of the present invention.

Claims
1. A method for detecting a mobile phone virus, said method comprising:
carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets in the session (S201); and
determining that the session does not contain any mobile phone viruses when said first M data packets do not contain a suspected virus (S202, S204).
2. The method as claimed in claim 1, wherein said carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session comprises:
carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session sequentially by using a pointer index, wherein the sequence is from the first data packet in the session to the Mth data packet in the session.
3. The method as claimed in claim 1, wherein said carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session comprises:
carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session by using a preprocessing virus library, wherein said preprocessing virus library is used for storing a fragmented mobile phone virus feature, with said fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets in the session.
4. The method as claimed in claim 1, wherein before said carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session, said method further comprises:
examining the first data packet in the session among the data packets obtained during the session, and judging whether or not the session is a file download session; if it is not, then determining that the session does not contain any mobile phone viruses, and if it is, then executing the step of carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session.
5. The method as claimed in any one of claims 1 to 4, wherein before said carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session, said method further comprises:
performing mode examination on the first M data packets in the session among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then determining that the session does not contain any mobile phone viruses, and if it does not, then executing the step of carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session.
6. The method as claimed in any one of claims 1 to 4, wherein said carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session comprises:
obtaining and caching the data packets of the session;
recombining the first M data packets in the session among said cached data packets of the session; and
carrying out virus scanning on the recombined first M data packets of the session.
7. The method as claimed in any one of claims 1 to 4, wherein said method further comprises:
when said first M data packets contain the suspected virus, carrying out virus scanning on the remaining data packets of the session, so as to judge whether or not the session contains any mobile phone viruses (S202, S203).
8. A device for detecting a mobile phone virus, said detection device comprising:
a preprocessing engine (41) for carrying out virus scanning on the first M data packets in a session among the data packets obtained during the session, wherein M is greater than or equal to 1 and smaller than N, and N is the total number of all the data packets of the session; and
a virus analysis module (42) for determining, according to the scanning result of said preprocessing engine (41), that the session does not contain any mobile phone viruses when said first M data packets do not contain the suspected virus.
9. The detection device as claimed in claim 8, wherein said detection device further comprises a preprocessing virus library (43) for storing a fragmented mobile phone virus feature, with said fragmented mobile phone virus feature being adapted to search for the mobile phone virus contained in the first M data packets in the session; and said preprocessing engine (41) is specifically used for carrying out virus scanning on the first M data packets in the session among the data packets obtained during the session by using said preprocessing virus library (43).
10. The detection device as claimed in claim 8, wherein said preprocessing engine (41) comprises a prejudgment module (414) and a virus scanning module (412), wherein said prejudgment module (414) is used for examining the first data packet in the session among the data packets obtained during the session, and judging whether or not the session is a file download session; if it is not, then said virus analysis module (42) is informed that the session is not a file download session, and if it is, then said virus scanning module (412) is instructed to carry out virus scanning on the first M data packets in the session among the data packets obtained during the session; and
said virus analysis module (42) is used for determining that the session does not contain any mobile phone viruses according to the informing by said preprocessing engine (41).
11. The detection device as claimed in claim 8, wherein said preprocessing engine (41) comprises a mode examination module (413) and a virus scanning module (412), wherein the mode examination module (413) is used for performing mode examination on the first M data packets in the session among the data packets obtained during the session, and judging whether or not the session belongs to a session on a white list; if it does, then said virus analysis module (42) is informed that the session belongs to a session on the white list, and if it does not, then said virus scanning module (412) is instructed to carry out virus scanning on the first M data packets in the session among the data packets obtained during the session; and
said virus analysis module (42) is used for determining that the session does not contain any mobile phone viruses according to the informing by said preprocessing engine (41).
12. The detection device as claimed in claim 8, wherein said preprocessing engine (41) comprises:
a cache module (411) for caching the data packets obtained during the session;
a recombination module (418) for recombining the first M data packets in the session among the data packets of the session cached by said cache module (411); and
a virus scanning module (412) for carrying out virus scanning on the first M data packets of the session as recombined by said recombination module (418).
13. The detection device as claimed in any one of claims 8 to 12, wherein said virus analysis module (42) is further used for carrying out virus scanning, according to the scanning result of said preprocessing engine (41), on the remaining data packets of the session when said first M data packets contain the suspected virus, so as to judge whether or not the session contains any mobile phone viruses.
PCT/EP2012/064009 2011-07-26 2012-07-17 Method and device for detecting mobile phone virus WO2013014033A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110210313.6 2011-07-26
CN201110210313.6A CN102905269B (en) 2011-07-26 2011-07-26 The detection method and device of a kind of mobile phone viruses

Publications (1)

Publication Number Publication Date
WO2013014033A1 true WO2013014033A1 (en) 2013-01-31

Family

ID=46548442

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/064009 WO2013014033A1 (en) 2011-07-26 2012-07-17 Method and device for detecting mobile phone virus

Country Status (3)

Country Link
CN (1) CN102905269B (en)
TW (1) TW201316198A (en)
WO (1) WO2013014033A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016120328A1 (en) * 2015-01-30 2016-08-04 International Business Machines Corporation File integrity preservation
JP2017121013A (en) * 2015-12-28 2017-07-06 株式会社ナカヨ Gateway device with extension setting change function
US9954873B2 (en) 2015-09-30 2018-04-24 The Mitre Corporation Mobile device-based intrusion prevention system
US10762207B2 (en) 2015-04-22 2020-09-01 Baidu Online Network Technology (Beijing) Co., Ltd. Method and device for scanning virus

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103442360A (en) * 2013-09-09 2013-12-11 北京网秦天下科技有限公司 Method for detecting safety of mobile application, and mobile terminal

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002019639A1 (en) * 2000-08-29 2002-03-07 Netrake Corporation Content processor
GB2421142A (en) * 2004-12-09 2006-06-14 Agilent Technologies Inc Detecting malicious traffic in a communications network
US20070006293A1 (en) * 2005-06-30 2007-01-04 Santosh Balakrishnan Multi-pattern packet content inspection mechanisms employing tagged values
US20070266436A1 (en) * 2006-05-11 2007-11-15 Eacceleration Corporation Accelerated data scanning
US7835361B1 (en) * 2004-10-13 2010-11-16 Sonicwall, Inc. Method and apparatus for identifying data patterns in a file

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB426971A (en) * 1933-11-07 1935-04-12 Sidney Samuel Warshawer Improvements in or connected with latches and locks
US6981280B2 (en) * 2001-06-29 2005-12-27 Mcafee, Inc. Intelligent network scanning system and method
CN101119373B (en) * 2007-09-04 2010-09-08 北京大学 Gateway stream type virus scanning method and system
CN101304426A (en) * 2008-07-10 2008-11-12 腾讯科技(深圳)有限公司 Method and device for recognizing and reporting questionable document

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LOTHAR BRAUN ET AL: "Packet sampling for worm and botnet detection in TCP connections", NETWORK OPERATIONS AND MANAGEMENT SYMPOSIUM (NOMS), 2010 IEEE, IEEE, PISCATAWAY, NJ, USA, 19 April 2010 (2010-04-19), pages 264 - 271, XP031691990, ISBN: 978-1-4244-5366-5 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016120328A1 (en) * 2015-01-30 2016-08-04 International Business Machines Corporation File integrity preservation
US10902120B2 (en) 2015-01-30 2021-01-26 International Business Machines Corporation File integrity preservation
US10762207B2 (en) 2015-04-22 2020-09-01 Baidu Online Network Technology (Beijing) Co., Ltd. Method and device for scanning virus
US9954873B2 (en) 2015-09-30 2018-04-24 The Mitre Corporation Mobile device-based intrusion prevention system
JP2017121013A (en) * 2015-12-28 2017-07-06 株式会社ナカヨ Gateway device with extension setting change function

Also Published As

Publication number Publication date
CN102905269A (en) 2013-01-30
TW201316198A (en) 2013-04-16
CN102905269B (en) 2017-06-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12737783

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12737783

Country of ref document: EP

Kind code of ref document: A1