Title: System and method for analyzing mobile cyber incident
Abstract: A system and method for analyzing mobile cyber incidents that checks whether code attacking the weaknesses of mobile users has been inserted into collected URLs, and whether applications are downloaded and automatically executed without the consent of users, so that when a manager analyzes mobile cyber incidents manually, the number of applications requiring manual analysis is reduced.
Publication number: US9614863(B2)    Publication date: 2017.04.04
Application number: US201514602633    Filing date: 2015.01.22
Applicant: KOREA INTERNET & SECURITY AGENCY    Inventors: Kim Byung Ik; Lee Tai Jin; Shin Youngsang; Kang Hong Koo; Lee Seul Gi; Cho Hyei Sun
Classification: G06F21/56; H04L29/06    Main classification: G06F21/56
Agent: Cantor Colburn LLP    Attorney: Cantor Colburn LLP
Independent claim: 1. A system for analyzing mobile cyber incidents, the system comprising:
a mobile incident collection server, comprising one or more hardware processors, collecting text messages sent through communication company servers to produce text message detection information, collecting Uniform Resource Locator (URL) information based on real-time search words provided by search portals to produce URL detection information, and collecting basic information of application files being sold in application market servers to produce Android Application Package (APK) detection information;
a mobile incident analysis server, comprising one or more hardware processors, having a URL analysis module checking whether code attacking the weaknesses of mobile users has been inserted into collected URLs, or checking whether applications are downloaded and automatically executed without the consent of users, on the basis of the URL detection information collected by the mobile incident collection server, to produce and provide URL analysis information, and an application analysis module determining whether malicious behaviors exist on the basis of the APK detection information collected by the mobile incident collection server, to produce and provide application analysis information; and
an analysis information database receiving the URL analysis information and the application analysis information produced by the mobile incident analysis server and storing and managing the information therein;
wherein the URL analysis module comprises:
a URL call module receiving a list of URLs to be collected from the mobile incident collection server and, if collected URLs exist, analyzing the collected URLs;
a crawler and header setting call module identifying the terminal accessing the URLs by means of the user agent field in the operating system (OS) header information, and calling pages that differ from one another accordingly;
a URL web source crawling module crawling the URL web sources called by the crawler and header setting call module;
a URL link extraction module detecting the URL link information in the crawled web page sources and performing in-depth crawling of the corresponding URLs;
an obfuscation checking and scoring module checking the maximum length of a single string, the frequencies and entropy of specific characters, and the entropy of all function names and variable names, calculating scores for the checked items, determining that the corresponding URL is obfuscated if the corresponding page exceeds a critical value, designating the obfuscated URL as a drive-by download page, and performing dynamic checking of the URL;
a hidden URL detection and extraction module detecting hidden URLs as a feature of the drive-by download page attack; and
an APK URL detection module analyzing, through web page source analysis, whether an APK file downloaded by visiting the corresponding URL exists, extracting the corresponding URL, analyzing the extracted URL information, extracting the corresponding URL if the final extension of the corresponding URL is APK, managing the corresponding URL in a URL index table, and managing the association of the corresponding URL with the original web page URL;
wherein the hidden URL detection and extraction module detects that the portion on which the URL link is displayed has a size of 0 or width times depth <= 10, or that the connected window is not displayed.
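The obfuscation-scoring items and the hidden-URL criteria recited in the claim, written out as an added Python example; this is not code from the patent or from the applicant's system. The critical value (1.5), the 0..1 scaling of each scored item, the escape-sequence patterns counted as "specific characters", the tag set treated as link carriers, and the sample scripts and HTML are all assumptions constructed here to make the checks runnable offline. The final-extension test for APK links is included as well, since the claim routes such links to the APK URL detection module.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation checks: the four scored items from the claim, over a page's JavaScript.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
NAME_RE = re.compile(r'\b(?:function|var|let|const)\s+([A-Za-z_$][\w$]*)')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}')
CRITICAL_VALUE = 1.5  # assumed threshold; the claim fixes no number


def shannon_entropy(text):
    """Bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def max_single_string_length(js):
    """Longest quoted string literal, quotes excluded."""
    return max((len(m.group(0)) - 2 for m in STRING_RE.finditer(js)), default=0)


def escape_frequency(js):
    """Share of the source made of \\xNN, \\uNNNN and %NN escapes (assumed 'specific characters')."""
    return (sum(len(m.group(0)) for m in ESCAPE_RE.finditer(js)) / len(js)) if js else 0.0


def name_entropy(js):
    """Entropy over the concatenated function and variable names."""
    return shannon_entropy("".join(NAME_RE.findall(js)))


def obfuscation_score(js):
    """Sum of the four checks, each scaled to about 0..1 (scaling is an assumption)."""
    return (min(max_single_string_length(js) / 500.0, 1.0)   # long single string
            + min(escape_frequency(js) * 4.0, 1.0)           # escape-sequence frequency
            + shannon_entropy(js) / 8.0                      # entropy of all characters
            + name_entropy(js) / 6.0)                        # entropy of identifiers


def is_obfuscated(js):
    """Score above the critical value marks the page as a drive-by download candidate."""
    return obfuscation_score(js) > CRITICAL_VALUE


# Hidden-link detection: link drawn at size 0, width*height <= 10, or not displayed.
class HiddenLinkFinder(HTMLParser):
    TAGS = {"a", "iframe", "frame", "embed"}           # assumed link-carrying tags
    VOID = {"img", "br", "input", "meta", "link", "hr"}  # never closed, keep off stack

    def __init__(self):
        super().__init__()
        self.hidden = []   # URLs judged hidden
        self._stack = []   # (tag, not_displayed) for open ancestors

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").lower()
        compact = style.replace(" ", "")
        not_displayed = "display:none" in compact or "visibility:hidden" in compact
        target = a.get("href") or a.get("src")
        if tag in self.TAGS and target:
            w = _dimension(a.get("width"), style, "width")
            h = _dimension(a.get("height"), style, "height")
            zero = w == 0 or h == 0
            tiny = w is not None and h is not None and w * h <= 10
            inside_hidden = any(flag for _, flag in self._stack)
            if zero or tiny or not_displayed or inside_hidden:
                self.hidden.append(target)
        if tag not in self.VOID:
            self._stack.append((tag, not_displayed))

    def handle_endtag(self, tag):
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def _dimension(attr_value, style, name):
    """Pixel size from the CSS declaration (preferred) or the HTML attribute; None if absent."""
    m = re.search(r'(?:^|[;\s])%s\s*:\s*(\d+)' % name, style)
    raw = m.group(1) if m else attr_value
    digits = re.match(r'\d+', str(raw).strip()) if raw is not None else None
    return int(digits.group(0)) if digits else None


def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.hidden


def is_apk_url(url):
    """Final-extension check used to hand a link to APK analysis."""
    return urlparse(url).path.lower().endswith(".apk")


# Constructed samples (not taken from the patent).
BENIGN_JS = """function showMenu(menuId) {
  var menuElement = document.getElementById(menuId);
  menuElement.style.display = "block";
}"""
OBFUSCATED_JS = 'var _0x4a2b="%s";eval(_0x4a2b);' % "".join(
    "\\x%02x" % ord(c) for c in "alert('constructed sample');" * 8)
SAMPLE_HTML = """<a href="https://example.com/visible">Visible link</a>
<iframe src="https://example.com/dropper.apk" width="1" height="1"></iframe>
<a href="https://example.com/zero" style="width:0px; height:0px">x</a>
<div style="display:none"><a href="https://example.com/in-hidden-div">y</a></div>
<iframe src="https://example.com/hidden-frame" style="display: none"></iframe>
<iframe src="https://example.com/big" width="300" height="200"></iframe>"""
```

Running `is_obfuscated` on the two scripts separates them clearly (the hex-escaped sample scores well above the threshold, the plain menu handler well below), and `find_hidden_links(SAMPLE_HTML)` returns the 1x1 iframe, the 0x0 anchor, the anchor inside a `display:none` container and the hidden iframe, while the visible link and the 300x200 frame pass. In a real pipeline the scaling divisors and the critical value would be tuned against a labelled corpus rather than fixed as they are here.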
Address: Seoul KR