Reducing the Threat Scenarios of Mobile Internet Extortion Viruses
I. Status of Mobile Security Management
The mobile internet has become a breeding ground for extortion (ransomware) viruses, and ransomware attacks affect network users, especially those who rely heavily on mobile devices. Although security vendors responded promptly to the ransomware threat, this round of the cybersecurity war has left them uneasy, and it is time to rethink traditional application security management methods so as to withstand the next virus attack.
In the context of rapid network development and interconnection, network security is largely data security. The essence of network security operations lies in information asymmetry: the party that holds more comprehensive data has the initiative in network security. With the mobile internet transforming the convenience of information transmission while concealing thousands of security loopholes, detecting, hardening, or monitoring applications alone is far from enough to win.
II. The Need for a Comprehensive Response Mechanism
To address the mobile internet threat, we need to establish a comprehensive response mechanism that includes public opinion monitoring, open threat intelligence, and the ability to restore the scenario of a threat attack. This requires a data-driven, response-driven system, and the threat information fed back by the platform has high requirements on timeliness, on the complexity of data association, and on the diversity of threat information.
III. The Mobile Internet Threat Information Management Platform
The traditional application security management platform focuses mainly on threat identification, has limited data processing capability, relies on manual analysis, and offers insufficient threat countermeasures. To address this, we propose a mobile internet threat information management platform with intelligent analysis capabilities based on big data technology.
IV. Data Source and Data Processing
The platform achieves basic coverage of mobile data across the entire network through real-time collection of application file data from more than 300 channels, including mobile phone manufacturers’ stores, carrier stores, third-party stores, mobile forums, download websites, and web disks. The collected data is further processed and, with the support of distributed file servers, stored and queried in real time.
V. Data Labeling
To realize the full value of the data, we adopt a big data processing mode with data tagging. On the stored information we build an application profile (“portrait”) for each application by attaching multi-dimensional labels, and from these labels we build application “clue” relationship maps. Using a vulnerability detection engine, a multi-dimensional virus detection engine, and a content-violation detection and analysis engine, we produce identification information for known threats and suspected threats.
VI. Threat Information Mining: TBS Virus Mining Model
To strengthen the ability to mine deep threat information and to respond to threat incidents, we introduce the TBS virus mining model (Target-Behavior-Source, abbreviated TBS). The TBS virus mining model builds on the existing data label applications and is purpose-built around three features of malicious programs: the attack target, the malicious behavior, and the mode of transmission. These three mining models together take the system from threat identification to threat perception and on to traceability.
VII. TBS Virus Mining Model Single-Layer Structure
The TBS virus mining model is built on three defining characteristics of malicious programs: purposefulness, propagation, and destructiveness. A single layer of the model performs the known-threat identification that a conventional security management platform provides; on top of that, it extends the platform's ability to mine deep threat information and to respond to threat incidents.
VIII. TBS Virus Mining Model Multi-Layer Iterative Process
The TBS virus mining model searches iteratively across multiple layers: the virus samples obtained at layer n-1 are used to expand the source set to which those samples belong, and the expanded source set is searched at layer n. This sample-expansion method mines more variant virus samples while keeping the model's reliability.
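The data labeling and the multi-layer TBS iteration described above, as an added worked example (this is not the platform's own code, and the applications, channels and labels are constructed for illustration). Each record carries the three TBS dimensions as labels: the channels it was observed on (Source), what it goes after (Target), and the behavior labels produced by the detection engines (Behavior). The seed samples define a profile; each layer expands the source set from the previous layer's samples, searches only the newly added sources, and admits a record as a confirmed variant only if it matches the profile, which is what keeps the expansion from drifting. Records that share a behavior label but do not meet the profile are kept separately as suspected, mirroring the "ransomware samples" versus "potentially malicious applications" split in the validation section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    app_id: str
    sources: frozenset    # channels the package was observed on (Source dimension)
    target: str           # what the program goes after (Target dimension)
    behaviors: frozenset  # labels from the detection engines (Behavior dimension)


# Constructed sample data: hypothetical apps and channels, not real ones.
APPS = [
    AppRecord("r001", frozenset({"forum-B"}), "lockscreen",
              frozenset({"encrypt_files", "ransom_note", "device_admin"})),
    AppRecord("r002", frozenset({"forum-B", "webdisk-C"}), "lockscreen",
              frozenset({"encrypt_files", "ransom_note"})),
    AppRecord("s001", frozenset({"forum-B"}), "lockscreen",
              frozenset({"device_admin"})),
    AppRecord("m001", frozenset({"forum-B"}), "sms",
              frozenset({"send_sms", "encrypt_files"})),
    AppRecord("x001", frozenset({"forum-B"}), "none", frozenset()),
    AppRecord("r003", frozenset({"webdisk-C", "store-D"}), "lockscreen",
              frozenset({"encrypt_files", "ransom_note", "device_admin"})),
    AppRecord("r004", frozenset({"store-D"}), "lockscreen",
              frozenset({"ransom_note", "device_admin"})),
    AppRecord("x002", frozenset({"store-D"}), "none", frozenset({"show_ads"})),
    # Looks like a variant but sits on a channel no sample ever links to,
    # so the source expansion never reaches it.
    AppRecord("x003", frozenset({"store-A"}), "lockscreen",
              frozenset({"encrypt_files", "ransom_note"})),
]


def build_profile(apps, seed_ids):
    """Target and Behavior profile derived from the seed samples."""
    seeds = [a for a in apps if a.app_id in seed_ids]
    targets = {a.target for a in seeds}
    behaviors = frozenset().union(*(a.behaviors for a in seeds))
    return targets, behaviors


def classify(app, targets, behaviors, min_shared=2):
    """Confirmed: same target and at least min_shared profile behaviors.
    Suspected: shares at least one behavior label. Otherwise clean."""
    shared = len(app.behaviors & behaviors)
    if app.target in targets and shared >= min_shared:
        return "confirmed"
    if shared >= 1:
        return "suspected"
    return "clean"


def tbs_mine(apps, seed_ids, max_layers=3):
    """Multi-layer TBS iteration: layer n searches the sources that the
    samples confirmed at layer n-1 were observed on."""
    by_id = {a.app_id: a for a in apps}
    targets, behaviors = build_profile(apps, seed_ids)
    confirmed = set(seed_ids)
    suspected = set()
    searched_sources = set()
    frontier = set(seed_ids)  # samples obtained at layer n-1
    layers = []
    for layer in range(1, max_layers + 1):
        # Source expansion: channels of the frontier samples not yet searched.
        new_sources = set().union(*(by_id[i].sources for i in frontier)) - searched_sources
        if not new_sources:
            break  # nothing left to expand into; the iteration converges
        searched_sources |= new_sources
        found = set()
        for app in apps:
            # Profile is fixed, so an app already judged keeps its verdict.
            if app.app_id in confirmed or app.app_id in suspected:
                continue
            if not (app.sources & new_sources):
                continue
            verdict = classify(app, targets, behaviors)
            if verdict == "confirmed":
                found.add(app.app_id)
            elif verdict == "suspected":
                suspected.add(app.app_id)
        confirmed |= found
        layers.append((layer, sorted(new_sources), sorted(found)))
        frontier = found
    return {"confirmed": confirmed, "suspected": suspected,
            "sources_searched": searched_sources, "layers": layers}


if __name__ == "__main__":
    result = tbs_mine(APPS, {"r001"})
    for layer, sources, found in result["layers"]:
        print(f"layer {layer}: searched {sources}, confirmed {found}")
    print("confirmed:", sorted(result["confirmed"]))
    print("suspected:", sorted(result["suspected"]))
```

With the constructed data the three layers walk forum-B, then webdisk-C, then store-D, confirming r002, r003 and r004 in turn, while s001 and m001 stay suspected and x003 is never examined because no confirmed sample links to its channel. The profile is deliberately frozen at the seeds; letting each newly confirmed sample widen the profile would find more variants at the cost of the reliability the text insists on, and is a tuning decision rather than part of the iteration itself.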
IX. Validation of TBS Virus Mining Model
We conducted a network-wide situation analysis of ransomware and used the TBS virus mining model to search for malicious ransomware applications. Through a three-layer detection process, more than 50,000 ransomware samples and 30,000 potentially malicious applications were captured.
X. The Value of Landing the Platform: From Threat Identification to Threat Perception and Traceability
The ultimate goal is to build a platform that makes effective use of threat data and outputs timely, highly associated, high-value threat information. High-coverage, high-value sample data also strengthens the credibility of the chain from threat identification to threat perception and traceability.
XI. Multi-Angle Alarm, Hidden Danger Can be Prevented
Taking the threat events restored by data correlation analysis as the premise, we pre-judge threat trends, analyzing them from the angles of attack method, attack region, and attack purpose. Warning signals about mobile attackers and attack events are issued to individual mobile network users and to enterprises, together with professional and comprehensive protection measures, forming threat intelligence that supports decision-making.
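The multi-angle pre-judgment above, as an added example that is not the platform's own code. It takes a set of restored threat events (constructed here, with hypothetical method, region and purpose values), counts them per angle in a previous and a current time window, and raises a warning for any value whose count has grown past a threshold, so that the same event set yields separate views by attack method, attack region and attack purpose.

```python
from collections import Counter

# Constructed threat events restored by correlation analysis (not real data).
# Each tuple is (week, attack_method, attack_region, attack_purpose).
EVENTS = [
    (1, "fake_update", "north", "ransom"),
    (1, "sms_link", "south", "sms_fraud"),
    (1, "fake_update", "north", "ransom"),
    (2, "fake_update", "north", "ransom"),
    (2, "fake_update", "east", "ransom"),
    (2, "fake_update", "north", "ransom"),
    (2, "fake_update", "east", "ransom"),
    (2, "sms_link", "south", "sms_fraud"),
    (2, "repackaged_app", "east", "ransom"),
]

# Angle name -> position of that field in an event tuple.
ANGLES = {"method": 1, "region": 2, "purpose": 3}


def counts_for(events, week, field_index):
    """Count events of one week, grouped by the value at field_index."""
    return Counter(e[field_index] for e in events if e[0] == week)


def pre_judge(events, prev_week, cur_week, growth=1.5, min_count=2):
    """Flag, per angle, every value whose event count in cur_week is at
    least `growth` times its prev_week count (a zero baseline counts as 1)
    and reaches min_count, so isolated single events do not trigger."""
    warnings = []
    for angle, idx in ANGLES.items():
        before = counts_for(events, prev_week, idx)
        now = counts_for(events, cur_week, idx)
        for value, n in now.items():
            prev = before.get(value, 0)
            if n >= min_count and n >= growth * max(prev, 1):
                warnings.append({"angle": angle, "value": value,
                                 "previous": prev, "current": n})
    return sorted(warnings, key=lambda w: (w["angle"], w["value"]))


if __name__ == "__main__":
    for w in pre_judge(EVENTS, prev_week=1, cur_week=2):
        print(f"[{w['angle']}] {w['value']}: {w['previous']} -> {w['current']}")
```

On the constructed events the rise of the fake_update method, the appearance of the east region and the growth of the ransom purpose are each reported on their own angle, which is the shape a warning feed for users and enterprises would be built from; the growth factor and minimum count are tuning parameters, not values taken from the text.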
XII. Summary
Poor source tracing is a major issue in network security threats, which mainly stem from three factors: technical risks, weak links in network security management, and human attacks. The rapid development of machine learning and Internet of Things technology has provided more ideas for mobile security management. Manufacturers and virus researchers continue to overcome technical difficulties and to counter threats.