Mobile Internet Malware Monitoring System
Product features

  • Efficient software capabilities

    Supports broad-spectrum blacklists and whitelists. By analyzing the relationships between domain names, applications are associated to form a broad-spectrum black-and-white list database. It also supports the classification of application tags: through cluster learning over each application's signature, publishing provider, application description and other features, it forms classification tags and associates similar applications.

    Static detection: the risk weight is calculated from the permissions and behavior of the APK code, and a score is determined;

    Dynamic detection: the APK is loaded and run in a sandbox; abnormal behavior in program startup, communication and invocation is tracked and analyzed, and a comprehensive judgment is made according to the risk of the actions and the sensitivity of the data.

    Multi-engine detection: integrates a variety of common malware detection engines, runs them in parallel, and judges the software.

  • High performance hardware

    The analysis and disposal equipment is divided into an equipment frame and special analysis & disposal equipment nodes.

    With a compact structure, four independent two-way server nodes can be built into a compact 2U frame to realize intelligent horizontal expansion; hot-swappable server nodes, power supplies and disk drives significantly enhance availability and reduce maintenance costs; the use of shared redundant, platinum-grade efficient power supplies and centrally installed fan units minimizes energy consumption; the use of dual server nodes, power supplies and disk drives can significantly enhance availability and reduce maintenance costs. A maximum of four analysis & disposal equipment nodes can be installed in each 2U cabinet, which makes the density of the system double that of a standard rack server. DPDK packet receiving technology is adopted in the bottom layer to support high-speed data acquisition and the rule detection engine; 1-4 business processing cards are optional, with a maximum processing capacity of 80G.

Product function

The analysis module is implemented by the probe, which is responsible for packet capture, protocol analysis, data aggregation, virus scanning, result sorting and other functions. It is divided into a packet capture layer, protocol analysis layer, preprocessing layer, anti-virus engine layer, data layer, etc.

Following instructions from the management platform, the disposal module pushes processing pages and blocks malicious traffic by matching interception characteristics against traffic analysis results. It is divided into a traffic analysis module, an interception / redirection module and a page push interface module.


Product architecture

The system is divided into front-end analysis equipment and a back-end analysis platform.


The analysis module enables the probe to capture data packets in the network through the packet capture platform, accurately identify the protocol in a variety of ways, and judge whether to process the data according to the protocol type. Through the analysis of the known virus attack module, the data can be compared and scanned by different virus transmission engines. For each event found, the anti-virus engine uploads the detailed associated data.

The workflow of the analysis module is shown in the following figure:


The processing module is transparent to the original network and does not change the topology, IP addresses, routing protocols, access control strategy, etc. That is, it does not change the routing direction of the original data stream and neither increases nor reduces the route hops of the original data flow. It does not send a large amount of data into the existing network to control the flow volume; the maximum interference data sent is not more than 0.1% of the link bandwidth. The schematic diagram of its working mode is as follows:


Customer case
