CN103617393A - Method for mobile internet malicious application software detection based on support vector machines - Google Patents
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
The invention relates to a method for detecting malicious mobile internet application software based on support vector machines, and belongs to the technical field of information security. Mobile internet application software plays an increasingly important role in people's daily lives, yet methods for detecting malicious mobile internet application software are not mature enough. In this method, the monitored mobile internet application software is analyzed with hidden Markov models to obtain the degree of similarity between the current software and each basic software operation type, and these values form a similarity vector. The similarity vector is input to five SVM models trained with different kernel functions, and a voting system applied to their outputs decides whether the monitored software is a malicious application. The method overcomes two shortcomings of the prior art, the incomplete definition of malicious behavior and the overly large training dataset, and achieves effective, highly reliable detection of malicious application software.
Description
Technical field
The present invention relates to a method for detecting malicious mobile internet application software, specifically a detection method based on support vector machines. It belongs to the field of information security technology concerned with analyzing whether application software is malicious in a mobile internet environment.
Background
With the arrival of the mobile internet era, mobile smart terminals have become increasingly powerful and increasingly widespread. Combined with the worldwide push to develop 3G and even 4G mobile networks, this gives smartphones an environment for high-speed mobile network applications. Users have begun to consume music, electronic products, films, maps, games and other applications on mobile smart terminals, and also use them to communicate, for example through social networks such as Facebook, Twitter and microblogs. But a large number of terminal programs and applications also means a large number of security risks; attacks of all kinds against terminal devices began to appear after 2004. The security threats and risks that mobile smart terminals currently face fall into three main categories: first, vulnerabilities in the system or software itself; second, malware (viruses, trojans and so on); third, the appearance of illegal content or services. The specific hazards that may exist include leakage of personal privacy, theft of personal identity, application security, location tracking, mobile phone viruses, information theft, and service applications that contain security vulnerabilities.
Research on the security of mobile smart terminals is a relatively new direction, and as the number of mobile device users keeps growing it will become a focus of the network security field. Little research has been done on it so far, at home or abroad; what exists consists mainly of research on policies and regulations and of technical research. The technical research falls into two parts. One part seeks security solutions at the hardware level, on the view that software-only solutions cannot cope with the varied threats from complex mobile networks; both domestic and foreign researchers now hope to find solutions in hardware, and the emergence of trusted computing offers a new line of thinking for terminal security. On the software side, network security vendors such as Symantec, Kaspersky and Trend Micro have all begun working on security solutions for smart mobile terminals, and domestic vendors such as Rising have also begun research on related products, but the technology is still immature.
Mobile smart terminals have run into the same security problems as traditional computers: viruses, malicious programs, trojans and the like have begun to appear on terminals and have caused end users considerable harm, such as devices running slowly or even crashing, and unexplained increases in charges. As handheld terminals become the center of people's information, more and more information, of greater and greater importance, is stored on them, and the consequences of a device being lost or used by someone else are hard to imagine. Terminal security therefore cannot be ignored, and given the many threats now coming from every direction, software solutions involve a large number of technologies.
In the field of smart mobile terminal security, the key technologies involved in software solutions include confidentiality of critical data, file access control, intelligent anti-theft, detection of malicious programs, software updating and optimization, and so on. The main security solutions currently available at home and abroad for handheld smart terminals include: Symantec Mobile Security for Symbian, Kaspersky mobile edition 7.0, F-Secure Mobile Security, Trend Micro's mobile security product, Germany's G-Data, Avira, Panda, McAfee Mobile Security, Qihoo 360's mobile security manager, and the mobile edition of Rising Antivirus.
AV-Comparatives, an internationally known anti-virus testing organization, published its manual-scan malware detection report for anti-virus software for September 2011. The test system and environment were last updated on August 12. In this test Germany's G-Data took first place with a high rate of 99.7%, Avira and Panda came second and third respectively, and F-Secure followed closely, slightly behind, in fourth place with 99.3%. Although the domestic vendor Qihoo made the second tier, it uses the Avira and BD engines alongside its own, so its number of missed detections is essentially close to Avira's, while its false-positive count is far higher than Avira's and its scanning speed is much slower than Avira's.
Among these products, the foreign ones are relatively mature technically, but their functionality is incomplete and the efficiency of their implementations has room for improvement. According to the product descriptions, all of them can detect malicious programs such as viruses and trojans, and can also protect files, e-mail messages and the like. However, the principle they use to find and remove malicious programs is virus-signature detection, which identifies malicious programs by examining attributes of files and similar objects. This is the scheme used for virus removal on computers. Its drawbacks are that it cannot detect unknown viruses and that it requires virus database updates, which is a huge challenge for terminal devices with slow processors and limited resources, so further in-depth research is needed. Most domestic products, meanwhile, are still at the free-download stage, and many key technologies are not yet mature.
In summary, mobile internet application software plays an ever more important role in people's lives, yet methods for detecting malicious mobile internet application software are not mature enough. How to detect malicious mobile internet application software comprehensively and effectively has therefore become a new problem that practitioners in the field are paying attention to.
Summary of the invention
In view of this, the object of the invention is to provide a method for detecting malicious mobile internet application software based on support vector machines. When this method is used, only non-malicious software behavior needs to be modeled. The environment model uses a two-level nested structure: the bottom layer is a hidden Markov model and the upper layer is a support vector machine model. Because non-malicious behavior in a mobile internet environment is easier to define than malicious behavior, analyzing malicious application software with this method is more comprehensive and effective.
To achieve the above object, the invention provides a method for detecting malicious mobile internet application software based on support vector machines, characterized in that the method comprises the following operation steps:
(1) Use hidden Markov models to analyze the monitored mobile internet application software, obtain the degree of similarity of the current program to each behavior type, and form a similarity vector;
(2) First train SVM models on the training samples using five different kernel functions, one model per kernel; then input the similarity vector of the application software under test into the trained models and output each SVM model's decision; finally decide by a voting system whether the software is malicious application software.
Step (1) further comprises the following operations:
(11) Run the mobile internet application software to be analyzed and monitor its behavior; segment the recording according to a set duration, dividing the behavioral data of the application into a sequence of behavior segments;
(12) Extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network usage time, segment 2G/3G network usage time, segment camera open count, segment location information acquisition, and segment device information acquisition;
(13) Use hidden Markov models to model and detect basic software operations: first, during training, use the Baum-Welch algorithm to adjust the parameters of each hidden Markov model; once each corresponding model has been obtained, use the Viterbi algorithm to compute the degree of similarity between the application under test and each model, that is, the maximum likelihood value; the maximum likelihood values then form the maximum likelihood value vector.
Step (12) further comprises the following:
(121) Segment average CPU occupancy is the application's average per-second CPU occupancy within the monitoring period;
(122) Segment average memory occupancy is the application's average per-second memory occupancy within the monitoring period;
(123) Segment privacy access count is the total number of times the application accesses the user's address book, pictures and text messages within the monitoring period;
(124) Segment network usage time is the time the application spends accessing the network within the monitoring period;
(125) Segment camera open count is the number of times the application opens the phone camera within the monitoring period;
(126) Segment location information acquisition indicates whether the application obtained the user's location information within the monitoring period: the feature is 1 if it did and 0 if it did not;
(127) Segment device information acquisition indicates whether the application obtained the device information IMEI number, baseband version and kernel version within the monitoring period: the feature is 1 if it did and 0 if it did not.
Step (13) further comprises the following:
(131) Suppose N basic software operation types need to be modeled in total, and the degree of similarity (the maximum likelihood value) between the behavior of the application under test and the i-th type is $c_i$. The maximum likelihood value vector of the application under test is then $c = \{c_1, c_2, \ldots, c_N\}$.
Step (2) further comprises the following:
(21) For the specified samples, build SVM models using a linear kernel function, a polynomial kernel function, a radial basis function, a Sigmoid kernel function and a composite kernel function respectively, labeled $SVM_i$, where $i = 1, 2, 3, 4, 5$;
(22) Using the trained SVM models, input the similarity vector of the application software under test into each $SVM_i$ in turn to obtain the output $C_i$, where the output is 1 if the software is malware and 0 otherwise, $i = 1, 2, 3, 4, 5$;
(23) Calculate
If $R \geq 0$, the software is judged to be malicious application software; otherwise it is judged to be non-malicious application software.
The invention is a method for detecting malicious mobile internet application software based on support vector machines. Its main technical innovation is that building a non-malicious support vector machine remedies the problem of earlier approaches, which built malicious support vector machines and therefore could not detect malicious behavior absent from the database. This is described in detail below.
First, most prior-art research chooses to model malicious application behavior. For example, behaviors such as stealing the user's communication records or stealing the user's private files are considered malicious and are modeled, and the application under test is then checked against these categories. But if a malicious behavior appears that was not predefined, such as leaking the user's geographic location, existing technical solutions cannot make a correct judgment. The invention instead chooses to model non-malicious behavior. As is well known, the definition and statistics of non-malicious behavior are more accurate and comprehensive than those of malicious behavior, and can be derived entirely from everyday experience; for example, the normal behavior of mobile internet application software usually comprises only online chat, file download, games, video viewing and the like. Non-malicious behavior is also more convenient to define than malicious behavior. The invention therefore proposes modeling non-malicious behavior, which allows malicious mobile internet application software to be detected more comprehensively and effectively.
In addition, when building a non-malicious model, many existing techniques collect non-malicious data and model it directly. Because the data of non-malicious application software is also highly varied, this approach usually needs a very large training sample database and can easily cause the model to fail to converge during training. The invention therefore proposes dividing non-malicious behavior further into various basic software operation classes; for example, non-malicious behavior is composed of basic operation classes such as web browsing, watching video, downloading and navigation. These basic software operation types are trained separately, and the upper-layer support vector machine model is used to explore how these models combine in software behavior. In this way a fairly comprehensive and reliable model can be trained without collecting too many samples, which makes the method faster, more accurate and more practical, and able to meet the development needs of malicious mobile internet application software detection.
Brief description of the drawings
Fig. 1 is a flowchart of the operation steps of the support-vector-machine-based detection of malicious mobile internet application software of the invention.
Fig. 2 is a flowchart of the similarity vector formation in step (1) of the method.
Fig. 3 is a flowchart of the training of the classification model for non-malicious and malicious behavior in the method.
Fig. 4 is a flowchart of step (3) of the method, which decides whether the application software under test is malicious application software.
Embodiment
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and the test results of an embodiment.
The invention is a method for detecting malicious mobile internet application software based on support vector machines. The method first runs the application software under test and extracts characteristic parameters of its execution over a period of time, then compares these parameters against the hidden Markov models of several basic software operation types to obtain a similarity vector. Finally, on this basis, five SVM models vote to decide whether the application under test is malicious application software. When detecting malicious application software, the invention overcomes the prior-art shortcomings of incompletely defined malicious behavior and an overly large training dataset.
Referring to Fig. 1, the operation steps of the method for analyzing malicious application software with support vector machines are described, together with an embodiment of the invention and its simulation:
Referring to Fig. 2, the specific operations of step 1 are as follows:
(11) Run the mobile internet application software to be analyzed and monitor its behavior, recording its behavioral features over a fairly long period; segment the recording according to a set duration, dividing the behavioral data of the application into a sequence of behavior segments. In the validation, the total monitoring time for each application was about 1-2 hours, and each segment was 300 s long.
(12) Extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network usage time, segment 2G/3G network usage time, segment camera open count, segment location information acquisition, and segment device information acquisition. Here, segment average CPU occupancy is the application's average per-second CPU occupancy within the monitoring period; segment average memory occupancy is the application's average per-second memory occupancy within the monitoring period; segment privacy access count is the total number of times the application accesses the user's address book, pictures and text messages within the monitoring period; segment network usage time is the time the application spends accessing the wifi network within the monitoring period; segment camera open count is the number of times the application opens the phone camera within the monitoring period; segment location information acquisition indicates whether the application obtained the user's location information within the monitoring period, with the feature set to 1 if it did and 0 if it did not; segment device information acquisition indicates whether the application obtained the device information IMEI number, baseband version and kernel version within the monitoring period, with the feature set to 1 if it did and 0 if it did not.
(13) Use hidden Markov models to model and detect basic software operations: first, during training, use the Baum-Welch algorithm to adjust the parameters of each hidden Markov model; once each corresponding model has been obtained, use the Viterbi algorithm to compute the degree of similarity between the application under test and each model, that is, the maximum likelihood value; the maximum likelihood values then form the maximum likelihood value vector.
Hidden Markov models (HMMs) describe well how parameters change over time and are widely used in systems that analyze time-varying behavior. The method likewise uses hidden Markov models to model and detect basic software operations: during training, the Baum-Welch algorithm adjusts the parameters of each hidden Markov model; once each corresponding model has been obtained, the Viterbi algorithm computes the degree of similarity between the application under test and each model, that is, the maximum likelihood value; the maximum likelihood values are then combined into a likelihood value vector.
The specific way of combining them into a likelihood value vector is:
(131) Suppose N basic software operation types need to be modeled in total, and the degree of similarity (the maximum likelihood value) between the behavior of the application under test and the i-th type is $c_i$. The maximum likelihood value vector of the application under test is then $c = \{c_1, c_2, \ldots, c_N\}$.
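The following Python example, added here and not part of the patent, carries steps (11) through (131) through on constructed data: it cuts a monitoring trace into 300 s segments, extracts the eight segment features, and scores the trace against one HMM per basic operation type with Viterbi to form the vector c. The event tuple format, the two-bit quantisation of a segment into an observation symbol, and the two hand-set models (standing in for Baum-Welch-trained ones) are assumptions; the patent does not specify them.

```python
import math

SEGMENT_SECONDS = 300  # segment duration used in the embodiment


def segment_features(events, total_seconds):
    """Steps (11)-(12): split (t, kind, value) events into segments, 8 features each."""
    n = math.ceil(total_seconds / SEGMENT_SECONDS)
    segs = [{"cpu": [], "mem": [], "privacy": 0, "wifi_s": 0.0, "cell_s": 0.0,
             "camera": 0, "location": 0, "device_info": 0} for _ in range(n)]
    for t, kind, value in events:
        seg = segs[min(int(t // SEGMENT_SECONDS), n - 1)]
        if kind in ("cpu", "mem"):
            seg[kind].append(value)      # per-second occupancy samples
        elif kind in ("wifi_s", "cell_s"):
            seg[kind] += value           # seconds of wifi / 2G-3G use
        elif kind in ("privacy", "camera"):
            seg[kind] += 1               # counted accesses / camera opens
        elif kind in ("location", "device_info"):
            seg[kind] = 1                # binary flags
    for seg in segs:
        for key in ("cpu", "mem"):
            samples = seg[key]
            seg[key] = sum(samples) / len(samples) if samples else 0.0
    return segs


def to_symbol(seg):
    """Assumed quantisation: bit 0 = network used, bit 1 = sensitive data touched."""
    net = (seg["wifi_s"] + seg["cell_s"]) > 0
    sensitive = seg["privacy"] > 0 or seg["location"] == 1 or seg["device_info"] == 1
    return int(net) + 2 * int(sensitive)


def viterbi_loglik(model, obs):
    """Step (13): log-probability of the best state path (the maximum likelihood value)."""
    start, trans, emit = model["start"], model["trans"], model["emit"]
    states = range(len(start))

    def log(p):
        return math.log(p) if p > 0 else float("-inf")

    delta = [log(start[s]) + log(emit[s][obs[0]]) for s in states]
    for o in obs[1:]:
        delta = [max(delta[r] + log(trans[r][s]) for r in states) + log(emit[s][o])
                 for s in states]
    return max(delta)


def similarity_vector(models, events, total_seconds):
    """Step (131): c = {c_1, ..., c_N}, one Viterbi score per operation-type model."""
    obs = [to_symbol(seg) for seg in segment_features(events, total_seconds)]
    return [viterbi_loglik(model, obs) for _, model in models]


# Hypothetical two-state models over the 4 symbols; real ones would be trained.
MODELS = [
    ("video", {"start": [0.5, 0.5],
               "trans": [[0.9, 0.1], [0.2, 0.8]],
               "emit": [[0.05, 0.9, 0.01, 0.04], [0.85, 0.1, 0.01, 0.04]]}),
    ("chat", {"start": [0.5, 0.5],
              "trans": [[0.7, 0.3], [0.3, 0.7]],
              "emit": [[0.1, 0.5, 0.1, 0.3], [0.6, 0.2, 0.1, 0.1]]}),
]

# Constructed 900 s trace: two streaming-like segments, then one touching private data.
EVENTS = [
    (10, "cpu", 20.0), (20, "cpu", 40.0), (30, "mem", 10.0), (60, "wifi_s", 120.0),
    (310, "cpu", 30.0), (320, "wifi_s", 200.0),
    (610, "cell_s", 30.0), (700, "privacy", 1), (710, "privacy", 1),
    (720, "location", 1), (730, "camera", 1),
]

if __name__ == "__main__":
    for (name, _), score in zip(MODELS, similarity_vector(MODELS, EVENTS, 900)):
        print(f"{name}: {score:.4f}")
```

Viterbi log-likelihoods shrink as the number of segments grows, so vectors are only comparable between traces cut into the same number of segments.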
After the similarity vector is obtained, the invention uses support vector machines to model non-malicious behavior and decides by online testing whether the application under test is malicious application software. This is also the key step of the invention: step 2.
Referring to Fig. 3, the specific operations of the offline training part of step 2 are:
(21) For the specified samples, build SVM models using a linear kernel function, a polynomial kernel function, a radial basis function, a Sigmoid kernel function and a composite kernel function respectively, labeled $SVM_i$, where $i = 1, 2, 3, 4, 5$.
(22) Using the trained SVM models, input the similarity vector of the application software under test into each $SVM_i$ in turn to obtain the output $C_i$, where the output is 1 if the software is malware and 0 otherwise, $i = 1, 2, 3, 4, 5$.
(23) Calculate
If $R \geq 0$, the software is judged to be malicious application software; otherwise it is judged to be non-malicious application software.
In short, the simulation tests of the embodiment of the invention were successful and achieved the object of the invention.
Claims (6)
1. A method for detecting malicious mobile internet application software based on support vector machines, characterized in that the method comprises the following operation steps:
(1) Use hidden Markov models to analyze the monitored mobile internet application software, obtain the degree of similarity of the current program to each basic software operation type, and form a similarity vector;
(2) First train support vector machine models on the training samples using five different kernel functions, one model per kernel; then input the similarity vector of the application software under test into the trained models and output each support vector machine model's decision; finally decide by a voting system whether the software is malicious application software.
2. The method according to claim 1, characterized in that:
Step (1) further comprises the following operations:
(11) Run the mobile internet application software to be analyzed and monitor its behavior; segment the recording according to a set duration, dividing the behavioral data of the application into a sequence of behavior segments;
(12) Extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network usage time, segment 2G/3G network usage time, segment camera open count, segment location information acquisition, and segment device information acquisition;
(13) Use hidden Markov models to model and detect basic software operations: first, during training, use the Baum-Welch algorithm to adjust the parameters of each hidden Markov model; once each corresponding model has been obtained, use the Viterbi algorithm to compute the degree of similarity between the application under test and each model, that is, the maximum likelihood value; the maximum likelihood values then form the maximum likelihood value vector.
3. The method according to claim 2, characterized in that:
Step (12) further comprises the following:
(121) Segment average CPU occupancy is the application's average per-second CPU occupancy within the monitoring period;
(122) Segment average memory occupancy is the application's average per-second memory occupancy within the monitoring period;
(123) Segment privacy access count is the total number of times the application accesses the user's address book, pictures and text messages within the monitoring period;
(124) Segment network usage time is the time the application spends accessing the network within the monitoring period;
(125) Segment camera open count is the number of times the application opens the phone camera within the monitoring period;
(126) Segment location information acquisition indicates whether the application obtained the user's location information within the monitoring period: the feature is 1 if it did and 0 if it did not;
(127) Segment device information acquisition indicates whether the application obtained the device information IMEI number, baseband version and kernel version within the monitoring period: the feature is 1 if it did and 0 if it did not.
4. The method according to claim 2, characterized in that:
Step (13) further comprises the following:
(131) Suppose N basic software operation types need to be modeled in total, and the degree of similarity (the maximum likelihood value) between the behavior of the application under test and the i-th type is $c_i$. The similarity vector of the application under test is then $c = \{c_1, c_2, \ldots, c_N\}$.
5. The method according to claim 2, characterized in that the set duration in step (11) is recommended to be a short duration in the range of 200 s to 500 s.
6. The method according to claim 1, characterized in that:
Step (2) further comprises the following:
(21) For the specified samples, build support vector machine models using a linear kernel function, a polynomial kernel function, a radial basis function, a Sigmoid kernel function and a composite kernel function respectively, and label these models $SVM_i$, where $i = 1, 2, 3, 4, 5$;
(22) Using the trained support vector machine models, input the similarity vector of the application software under test into the 5 models in turn to obtain their outputs. If the output of $SVM_i$ indicates that the current software is malware, set $C_i = 1$; otherwise set $C_i = 0$, where $i = 1, 2, 3, 4, 5$;
(23) Calculate
If $R \geq 0$, the software is judged to be malicious application software; otherwise it is judged to be non-malicious application software.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310616988.XA CN103617393A (en) | 2013-11-28 | 2013-11-28 | Method for mobile internet malicious application software detection based on support vector machines |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103617393A true CN103617393A (en) | 2014-03-05 |
Family
ID=50168096
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310616988.XA Pending CN103617393A (en) | 2013-11-28 | 2013-11-28 | Method for mobile internet malicious application software detection based on support vector machines |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103617393A (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104317574A (en) * | 2014-09-30 | 2015-01-28 | 北京金山安全软件有限公司 | Method and device for identifying application program type |
CN104866763A (en) * | 2015-05-28 | 2015-08-26 | 天津大学 | Permission-based Android malicious software hybrid detection method |
CN105138916A (en) * | 2015-08-21 | 2015-12-09 | 中国人民解放军信息工程大学 | Multi-track malicious program feature detecting method based on data mining |
CN106250765A (en) * | 2016-08-05 | 2016-12-21 | 黄新勇 | Program monitoring method in broadcast system and system |
CN106570401A (en) * | 2016-12-27 | 2017-04-19 | 哈尔滨安天科技股份有限公司 | Method and system for detecting malicious code based on time variation |
CN106598710A (en) * | 2016-10-28 | 2017-04-26 | 努比亚技术有限公司 | Application management device and method, and mobile terminal |
WO2018023708A1 (en) * | 2016-08-05 | 2018-02-08 | 黄新勇 | Method and system for monitoring program in broadcast system |
WO2018023711A1 (en) * | 2016-08-05 | 2018-02-08 | 黄新勇 | Real-time monitoring method and system in audio broadcasting network |
CN108563950A (en) * | 2018-03-20 | 2018-09-21 | 南京邮电大学 | Android malware detection method based on SVM |
CN109657452A (en) * | 2018-12-20 | 2019-04-19 | 广东电网有限责任公司 | A kind of mobile application behavior dynamic credible appraisal procedure and device |
CN110968887A (en) * | 2018-09-28 | 2020-04-07 | 第四范式(北京)技术有限公司 | Method and system for executing machine learning under data privacy protection |
CN111382430A (en) * | 2018-12-28 | 2020-07-07 | 卡巴斯基实验室股份制公司 | System and method for classifying objects of a computer system |
CN113094709A (en) * | 2021-04-15 | 2021-07-09 | 中国工商银行股份有限公司 | Detection method and device for risk application and server |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101477798A (en) * | 2009-02-17 | 2009-07-08 | 北京邮电大学 | Method for analyzing and extracting audio data of set scene |
CN102163427A (en) * | 2010-12-20 | 2011-08-24 | 北京邮电大学 | Method for detecting audio exceptional event based on environmental model |
- 2013-11-28: CN CN201310616988.XA (patent/CN103617393A/en), active, Pending
Non-Patent Citations (2)
Title |
---|
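ASAF SHABTAI et al.: "'Andromaly': a behavioral malware detection framework for android devices", Journal of Intelligent Information Systems * |
Zhao Jing: "Research and Application of Network Protocol Anomaly Detection Models", China Doctoral Dissertations Full-text Database (Information Science and Technology) * |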
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104317574B (en) * | 2014-09-30 | 2018-03-30 | 北京金山安全软件有限公司 | Method and device for identifying application program type |
CN104317574A (en) * | 2014-09-30 | 2015-01-28 | 北京金山安全软件有限公司 | Method and device for identifying application program type |
CN104866763A (en) * | 2015-05-28 | 2015-08-26 | 天津大学 | Permission-based Android malicious software hybrid detection method |
CN104866763B (en) * | 2015-05-28 | 2019-02-26 | 天津大学 | Android malware mixing detection method based on permission |
CN105138916A (en) * | 2015-08-21 | 2015-12-09 | 中国人民解放军信息工程大学 | Multi-track malicious program feature detecting method based on data mining |
CN105138916B (en) * | 2015-08-21 | 2018-02-02 | 中国人民解放军信息工程大学 | Multi-trace rogue program characteristic detection method based on data mining |
CN106250765A (en) * | 2016-08-05 | 2016-12-21 | 黄新勇 | Program monitoring method in broadcast system and system |
WO2018023708A1 (en) * | 2016-08-05 | 2018-02-08 | 黄新勇 | Method and system for monitoring program in broadcast system |
WO2018023711A1 (en) * | 2016-08-05 | 2018-02-08 | 黄新勇 | Real-time monitoring method and system in audio broadcasting network |
CN106598710A (en) * | 2016-10-28 | 2017-04-26 | 努比亚技术有限公司 | Application management device and method, and mobile terminal |
CN106570401B (en) * | 2016-12-27 | 2019-07-26 | 哈尔滨安天科技股份有限公司 | A kind of malicious code detecting method and system based on time change |
CN106570401A (en) * | 2016-12-27 | 2017-04-19 | 哈尔滨安天科技股份有限公司 | Method and system for detecting malicious code based on time variation |
CN108563950A (en) * | 2018-03-20 | 2018-09-21 | 南京邮电大学 | Android malware detection method based on SVM |
CN108563950B (en) * | 2018-03-20 | 2022-03-15 | 南京邮电大学 | Android malicious software detection method based on SVM |
CN110968887A (en) * | 2018-09-28 | 2020-04-07 | 第四范式(北京)技术有限公司 | Method and system for executing machine learning under data privacy protection |
CN110968887B (en) * | 2018-09-28 | 2022-04-05 | 第四范式(北京)技术有限公司 | Method and system for executing machine learning under data privacy protection |
CN109657452A (en) * | 2018-12-20 | 2019-04-19 | 广东电网有限责任公司 | A kind of mobile application behavior dynamic credible appraisal procedure and device |
CN111382430A (en) * | 2018-12-28 | 2020-07-07 | 卡巴斯基实验室股份制公司 | System and method for classifying objects of a computer system |
CN111382430B (en) * | 2018-12-28 | 2023-06-30 | 卡巴斯基实验室股份制公司 | System and method for classifying objects of a computer system |
CN113094709A (en) * | 2021-04-15 | 2021-07-09 | 中国工商银行股份有限公司 | Detection method and device for risk application and server |
CN113094709B (en) * | 2021-04-15 | 2024-04-05 | 中国工商银行股份有限公司 | Detection method, device and server for risk application |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103617393A (en) | Method for mobile internet malicious application software detection based on support vector machines | |
CN103500307A (en) | Mobile internet malignant application software detection method based on behavior model | |
KR101767454B1 (en) | Method and apparatus of fraud detection for analyzing behavior pattern | |
US9832211B2 (en) | Computing device to detect malware | |
Liu et al. | A novel approach for detecting browser-based silent miner | |
WO2017071148A1 (en) | Cloud computing platform-based intelligent defense system | |
Liu et al. | Maddroid: Characterizing and detecting devious ad contents for android apps | |
KR101743269B1 (en) | Method and apparatus of fraud detection by analysis of PC information and modeling of behavior pattern | |
CN107659570A (en) | Webshell detection methods and system based on machine learning and static and dynamic analysis | |
CN109787943A (en) | A kind of method and apparatus of resisting abnegation service aggression | |
WO2018084912A1 (en) | Methods and systems for anomaly detection using function specifications derived from server input/output (i/o) behavior | |
Ding et al. | DeepPower: Non-intrusive and deep learning-based detection of IoT malware using power side channels | |
KR20180006380A (en) | Methods and systems for behavior-specific actuation for real-time whitelisting | |
Li et al. | An Android malware detection method based on AndroidManifest file | |
CN104685510A (en) | Identifying whether application is malicious | |
Agrawal et al. | A survey on android malware and their detection techniques | |
CN103401845B (en) | A kind of detection method of website safety, device | |
CN107332804B (en) | Method and device for detecting webpage bugs | |
ES2946062T3 (en) | Systems and methods for the detection of behavioral threats | |
Li et al. | Research of android malware detection based on network traffic monitoring | |
CN103297267A (en) | Method and system for network behavior risk assessment | |
CN104978523A (en) | Malicious sample capture method and system based on network hot word recognition | |
Burgess et al. | Manic: Multi-step assessment for crypto-miners | |
CN116932381A (en) | Automatic evaluation method for security risk of applet and related equipment | |
Congyi et al. | Method for detecting Android malware based on ensemble learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140305 |