CN103617393A - Method for mobile internet malicious application software detection based on support vector machines - Google Patents

Publication number
CN103617393A
Authority
CN
China
Prior art keywords
application software
section
software
mobile internet
malicious
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310616988.XA
Other languages
Chinese (zh)
Inventor
张程鹏
李承泽
杨昕雨
董航
徐国爱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a method for detecting malicious mobile internet application software based on support vector machines, and belongs to the technical field of information security. Mobile internet application software plays an increasingly important role in people's daily lives, yet methods for detecting malicious mobile internet application software are not yet mature. In this method, the monitored mobile internet application software is analyzed with hidden Markov models to obtain the degree of similarity of the current software to each basic software operation type, and these values form a similarity vector. The similarity vector is input to five SVM models trained with different kernel functions, and a voting system decides from their outputs whether the monitored mobile internet application software is a malicious application. The method overcomes two shortcomings of the prior art, namely that malicious behavior is incompletely defined and that the training data set is excessively large; it detects malicious application software effectively and with high reliability.

Description

A mobile internet malicious application software detection method based on support vector machines
Technical field
The present invention relates to a method for detecting malicious mobile internet application software, specifically a detection method based on support vector machines. It belongs to the field of information security technology concerned with analyzing the maliciousness of application software in the mobile internet environment.
Background
With the arrival of the mobile internet era, mobile intelligent terminals are becoming more and more powerful and more and more widespread. In addition, the whole world is promoting the development of 3G and even 4G mobile networks, and high-speed mobile networks provide the environment for smartphone applications. Users have begun to consume applications such as music, e-books, films, maps and games on mobile intelligent terminals, and also use them to communicate, for example through social networks such as Facebook, Twitter and microblogs. But a large number of terminal programs and applications also means a large number of security risks; attacks of all kinds against terminal devices have appeared since 2004. The security threats and risks that mobile intelligent terminals currently face fall mainly into three areas: first, vulnerabilities in the system or software itself; second, malware (viruses, Trojans and the like); third, the appearance of illegal content or services. The specific hazards that may exist include leakage of personal privacy, theft of personal identity, application security, location tracking, mobile phone viruses, information theft, and service applications that contain security vulnerabilities.
Research on mobile intelligent terminal security is a relatively new direction, and it will become a focus of the network security field as the number of mobile device users keeps growing. There is currently little research on it at home or abroad. What exists consists mainly of research on policies and regulations and technical research, and the technical research divides into two parts. One part seeks security solutions at the hardware level: on the view that software-only solutions cannot cope with the varied threats from complex mobile networks, researchers at home and abroad now hope to find solutions in hardware, and the emergence of trusted computing offers a new approach to terminal security. On the software side, network security vendors such as Symantec, Kaspersky and Trend Micro have all begun working on security solutions for smart mobile terminals, and domestic vendors such as Rising have also begun research on related products, but the technology is still immature.
Mobile intelligent terminals face the same security problems as traditional computers. Viruses, rogue programs, Trojans and the like have begun to appear on terminals and have caused terminal users much harm, such as devices running slowly or even crashing, and unexplained increases in charges. As handheld terminals become the center of people's information, the information stored on them grows in both quantity and importance; if a device is lost or used by someone else, the consequences are hard to imagine. Terminal security therefore cannot be ignored, and given the many threats now coming from all sides, software solutions involve numerous technologies.
In the field of smart mobile terminal security, the key technologies involved in software solutions include confidentiality of critical data, file access control, intelligent anti-theft, detection of rogue programs, and software update optimization. The main security solutions for handheld smart terminal devices at home and abroad currently include: Symantec Mobile Security for Symbian, Kaspersky mobile edition 7.0, F-Secure Mobile Security, Trend Micro Mobile Security, Germany's G-Data, Avira, Panda, McAfee Mobile Security, Qihoo 360 mobile phone security manager, and Rising Antivirus mobile edition.
The internationally known anti-virus testing organization AV-Comparatives published its manual malware detection report on anti-virus software for September 2011. The test system and environment were last updated on August 12. In this test Germany's G-Data took first place with a high percentage of 99.7%, Avira and Panda were second and third respectively, and F-Secure followed closely, slightly behind, in fourth place with 99.3%. Although the domestic Qihoo entered the second tier, because it uses the Avira and BD engines together with its own, its number of misses is essentially close to Avira's, while its number of false positives is far higher than Avira's and its scanning speed is also much slower than Avira's.
Among these products, the foreign products are relatively mature technically, but their functionality is incomplete and their efficiency needs improvement. From the product descriptions, all of them can detect rogue programs including viruses and Trojans, and can also protect files, e-mail messages and the like. However, the principle they use to find and remove rogue programs is virus-signature detection, that is, identifying a rogue program by examining attributes of files. This is the scheme used for anti-virus scanning on computers. Its drawbacks are that it cannot detect unknown viruses and that it requires virus database updates, which is a great challenge for terminal devices with slower processing speed and limited resources, so further in-depth research is needed. Most domestic products are still at the free-download trial stage, and many key technologies are not yet mature.
In summary, mobile internet application software plays an ever more important role in people's lives, while methods for detecting malicious mobile internet application software are not mature enough. How to detect malicious mobile internet application software comprehensively and effectively has therefore become a new problem of concern to practitioners in the field.
Summary of the invention
In view of this, the object of the invention is to provide a mobile internet malicious application software detection method based on support vector machines. When this method is used to detect malicious mobile internet application software, only non-malicious software behavior needs to be modeled. The model uses a two-layer nested structure: the bottom layer is hidden Markov models and the upper layer is support vector machine models. Because non-malicious behavior in the mobile internet environment is easier to define than malicious behavior, analyzing malicious application software with this method is more comprehensive and effective.
To achieve the above object, the invention provides a mobile internet malicious application software detection method based on support vector machines, characterized in that the method comprises the following operation steps:
(1) use hidden Markov models to analyze the monitored mobile internet application software, obtain the degree of similarity of the current program to each behavior type, and form a similarity vector;
(2) first build SVM models by training on the samples with five different kernel functions; then input the similarity vector of the application software under test to the trained models and output each SVM model's judgment; finally decide with a voting system whether the software is malicious application software.
Step (1) further comprises the following operations:
(11) run the mobile internet application software to be analyzed, monitor its behavior, and segment the record according to a set duration, dividing the behavioral data of the application software into a sequence of behavior segments;
(12) extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network usage time, segment 2G/3G network usage time, segment camera open count, segment location-information acquisition, and segment device-information acquisition;
(13) use hidden Markov models to model and detect the basic software operations: first, in the training process, the Baum-Welch algorithm is used to adjust the parameters of the hidden Markov models; once each corresponding model has been obtained, the Viterbi algorithm is used to compute the degree of similarity between the application currently under detection and each model, that is, the maximum likelihood value; the maximum likelihood values then form a maximum likelihood value vector.
Step (12) further comprises the following operations:
(121) the segment average CPU occupancy is the application software's average per-second CPU occupancy during the monitoring period;
(122) the segment average memory occupancy is the application software's average per-second memory occupancy during the monitoring period;
(123) the segment privacy access count is the total number of times the application software accesses the user's address book, pictures and short messages during the monitoring period;
(124) the segment network usage time is the time the application software spends accessing the network during the monitoring period;
(125) the segment camera open count is the number of times the application software opens the phone camera during the monitoring period;
(126) segment location-information acquisition indicates whether the application software obtained the user's location information during the monitoring period; if so, the feature is 1, otherwise it is 0;
(127) segment device-information acquisition indicates whether the application software obtained device information (IMEI number, baseband version, kernel version) during the monitoring period; if so, the feature is 1, otherwise it is 0.
Step (13) further comprises the following operations:
(131) suppose N basic software operation types are to be modeled in total, and the degree of similarity (maximum likelihood value) between the behavior of the application under detection and the i-th type is $c_i$; then the maximum likelihood value vector of the application under detection is $c = \{c_1, c_2, \ldots, c_N\}$.
Step (2) further comprises the following operations:
(21) for the specified samples, a linear kernel function, a polynomial kernel function, a radial basis function, a Sigmoid kernel function and a composite kernel function are each used to build an SVM model; the models are labeled $SVM_i$, where i = 1, 2, 3, 4, 5;
(22) using the trained SVM models, the similarity vector of the application software under test is input to each $SVM_i$ in turn, giving output $C_i$; the output is 1 if the software is malware and 0 otherwise, i = 1, 2, 3, 4, 5;
(23) calculate R [formula: Figure BDA0000424227840000051]; if R >= 0, the software is judged to be malicious application software, otherwise it is non-malicious application software.
The present invention is a mobile internet malicious application software detection method based on support vector machines. Its main technical innovation is that, by modeling non-malicious behavior, it makes up for the problem that earlier approaches, which modeled malicious behavior, cannot detect malicious behaviors that are absent from their database. This is described in detail below.
First, most prior-art research chooses to model the behavior of malicious application software. For example, behaviors such as stealing a user's communication records or stealing a user's private documents are regarded as malicious and are modeled, and the application under detection is then judged as belonging to these categories or not. But if a malicious behavior appears that was not defined in advance, such as leaking the user's geographic location, the existing technical solutions cannot make a correct judgment. The present invention instead chooses to model non-malicious behavior. It is well known that the definition and statistics of non-malicious behavior are more accurate and comprehensive than those of malicious behavior, and can be obtained entirely from everyday experience; for example, the normal behavior of mobile internet application software usually includes only online chat, file download, games, video viewing and the like. Non-malicious behavior is also easier to define than malicious behavior. For this reason, the invention proposes modeling non-malicious behavior, which allows malicious mobile internet application software to be detected more comprehensively and effectively.
In addition, when building a non-malicious model, many existing techniques collect non-malicious behavior data and model it directly. Because the data of non-malicious applications is also highly varied, this modeling approach usually requires a very large training sample library, and the model easily fails to converge during training. For this reason, the invention proposes dividing non-malicious behavior further into various basic software operation types; for example, non-malicious behavior is composed of basic software operation types such as web browsing, watching video, downloading and navigation. We train each of these basic software operation types separately, and use the upper-layer support vector machine models to explore how these models combine in software behavior. In this way a fairly comprehensive and reliable model can be trained without collecting too many samples, making the method faster, more accurate and more practical, so that it can meet the development needs of mobile internet malicious application software detection.
Brief description of the drawings
Fig. 1 is a flow chart of the operation steps of the support-vector-machine-based mobile internet malicious application software detection of the present invention.
Fig. 2 is a flow chart of the similarity vector formation process of step (1) of the method.
Fig. 3 is a flow chart of training the classification model for non-malicious and malicious behavior in the method.
Fig. 4 is a flow chart of step (3) of the method, which judges whether the application software currently under detection is malicious application software.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and the test results of the embodiment.
The present invention is a mobile internet malicious application software detection method based on support vector machines. The method first runs the application software to be detected and extracts characteristic parameters of the running software over a period of time, then compares these parameters against the hidden Markov models of several basic software operation types to obtain a similarity vector. Finally, on this basis, 5 SVM models are used for voting analysis to judge whether the application software under detection is malicious. When detecting malicious application software, the invention overcomes the prior-art shortcomings of incompletely defined malicious behavior and an overly large training data set.
Referring to Fig. 1, the operation steps of the method for analyzing malicious application software with support vector machines are described below, together with the embodiment of the invention and its simulation:
Step 1: use hidden Markov models to analyze the monitored mobile internet application software, obtain the degree of similarity of the current program to each behavior type, and form a similarity vector.
Referring to Fig. 2, the specific operations of step 1 are as follows:
(11) Run the mobile internet application software to be analyzed, monitor its behavior, and record its behavioral features over a relatively long period; segment the record according to a set duration, dividing the behavioral data of the application software into a sequence of behavior segments. In our verification, the total monitoring time for each application was about 1-2 hours, and each segment lasted 300 s.
(12) Extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network usage time, segment 2G/3G network usage time, segment camera open count, segment location-information acquisition, and segment device-information acquisition. Here, the segment average CPU occupancy is the application software's average per-second CPU occupancy during the monitoring period; the segment average memory occupancy is its average per-second memory occupancy during the monitoring period; the segment privacy access count is the total number of times the application software accesses the user's address book, pictures and short messages during the monitoring period; the segment network usage time is the time the application software spends accessing the wifi network during the monitoring period; the segment camera open count is the number of times the application software opens the phone camera during the monitoring period; segment location-information acquisition indicates whether the application software obtained the user's location information during the monitoring period (1 if so, 0 if not); segment device-information acquisition indicates whether the application software obtained device information (IMEI number, baseband version, kernel version) during the monitoring period (1 if so, 0 if not).
(13) Use hidden Markov models to model and detect the basic software operations: first, in the training process, the Baum-Welch algorithm is used to adjust the parameters of the hidden Markov models; once each corresponding model has been obtained, the Viterbi algorithm is used to compute the degree of similarity between the application currently under detection and each model, that is, the maximum likelihood value; the maximum likelihood values then form a maximum likelihood value vector.
Because hidden Markov models (HMMs) describe well how parameters change over time, they are widely used in systems that analyze time-varying behavior. The method of the invention likewise uses hidden Markov models to model and detect the basic software operations: first, in the training process, the Baum-Welch algorithm is used to adjust the parameters of the hidden Markov models; once each corresponding model has been obtained, the Viterbi algorithm is used to compute the degree of similarity between the application currently under detection and each model, that is, the maximum likelihood value; the maximum likelihood values are then combined into a likelihood value vector.
The specific way of combining them into a likelihood value vector is:
(131) Suppose N basic software operation types are to be modeled in total, and the degree of similarity (maximum likelihood value) between the behavior of the application under detection and the i-th type is $c_i$; then the maximum likelihood value vector of the application under detection is $c = \{c_1, c_2, \ldots, c_N\}$.
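The step 1 procedure above (300 s segmentation, the eight per-segment features, and Viterbi scoring against each basic-operation HMM), as an added example that is not code from the patent. The event-log format, the four-symbol encoding of each segment, and the HMM parameters (which stand in for Baum-Welch-trained models) are assumptions constructed for illustration.

```python
import math

SEGMENT_SECONDS = 300  # segment duration used in the embodiment

# Constructed sample log: (timestamp_s, kind, value). Kind names are hypothetical.
SAMPLE_EVENTS = [
    (10, "cpu", 20), (20, "cpu", 40), (10, "mem", 30), (30, "wifi", 120),
    (310, "cpu", 60), (320, "wifi", 200), (400, "privacy", 1), (450, "privacy", 1),
    (650, "cell", 50), (700, "location", 1), (710, "camera", 1), (720, "devinfo", 1),
]

# Constructed HMMs (pi, A, B) for N = 3 basic operation types, two hidden states
# each. In the method these parameters would come from Baum-Welch training.
MODELS = {
    "browse": ([0.6, 0.4], [[0.7, 0.3], [0.4, 0.6]],
               [[0.30, 0.60, 0.05, 0.05], [0.70, 0.20, 0.05, 0.05]]),
    "video": ([0.5, 0.5], [[0.9, 0.1], [0.2, 0.8]],
              [[0.05, 0.85, 0.05, 0.05], [0.40, 0.50, 0.05, 0.05]]),
    "navigation": ([0.5, 0.5], [[0.8, 0.2], [0.3, 0.7]],
                   [[0.05, 0.15, 0.10, 0.70], [0.30, 0.30, 0.20, 0.20]]),
}


def _mean(xs):
    return sum(xs) / len(xs) if xs else 0.0  # no samples in a segment -> 0.0


def extract_segments(events, total_seconds, seg=SEGMENT_SECONDS):
    """Steps (11)-(12): one 8-feature tuple per behaviour segment."""
    acc = [{"cpu": [], "mem": [], "privacy": 0, "wifi": 0.0, "cell": 0.0,
            "camera": 0, "location": 0, "devinfo": 0}
           for _ in range(math.ceil(total_seconds / seg))]
    for t, kind, value in events:
        if not 0 <= t < total_seconds:
            continue  # sample outside the monitoring window
        s = acc[int(t // seg)]
        if kind in ("cpu", "mem"):
            s[kind].append(value)      # occupancy samples, averaged below
        elif kind in ("privacy", "camera"):
            s[kind] += 1               # access / open counters
        elif kind in ("wifi", "cell"):
            s[kind] += value           # seconds of network use
        elif kind in ("location", "devinfo"):
            s[kind] = 1                # 0/1 indicator features
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return [(_mean(s["cpu"]), _mean(s["mem"]), s["privacy"], s["wifi"],
             s["cell"], s["camera"], s["location"], s["devinfo"]) for s in acc]


def quantize(f):
    """Assumed encoding: 0 idle, 1 network only, 2 sensitive access only, 3 both."""
    network = 1 if f[3] + f[4] > 0 else 0
    sensitive = 1 if f[2] + f[5] + f[6] + f[7] > 0 else 0
    return network + 2 * sensitive


def viterbi_log_likelihood(model, obs):
    """Log-probability of the single best state path (log space avoids underflow)."""
    if not obs:
        raise ValueError("empty observation sequence")
    pi, A, B = model
    states = range(len(pi))
    delta = [math.log(pi[i]) + math.log(B[i][obs[0]]) for i in states]
    for o in obs[1:]:
        delta = [max(delta[i] + math.log(A[i][j]) for i in states)
                 + math.log(B[j][o]) for j in states]
    return max(delta)


def similarity_vector(events, total_seconds, models=MODELS):
    """Steps (13)/(131): c = {c_1, ..., c_N}, one Viterbi score per model."""
    obs = [quantize(f) for f in extract_segments(events, total_seconds)]
    return [viterbi_log_likelihood(m, obs) for m in models.values()]


if __name__ == "__main__":
    for name, c_i in zip(MODELS, similarity_vector(SAMPLE_EVENTS, 900)):
        print(f"{name:10s} {c_i:.3f}")
```

The resulting list is the vector c that step 2 feeds to the SVM models; with real monitoring data each model's parameters would be re-estimated rather than written by hand.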
After the similarity vector is obtained, the invention uses support vector machines to model non-malicious behavior and judges, by online testing, whether the application under detection is malicious application software. This is the key step of the invention: step 2.
Step 2: first build SVM models by training on the samples with five different kernel functions; then input the similarity vector of the application software under test to the trained models and output each SVM model's judgment; finally decide with a voting system whether the software is malicious application software.
Referring to Fig. 3, the specific operations of the off-line training part of step 2 are:
(21) For the specified samples, a linear kernel function, a polynomial kernel function, a radial basis function, a Sigmoid kernel function and a composite kernel function are each used to build an SVM model; the models are labeled $SVM_i$, where i = 1, 2, 3, 4, 5.
(22) Using the trained SVM models, the similarity vector of the application software under test is input to each $SVM_i$ in turn, giving output $C_i$; the output is 1 if the software is malware and 0 otherwise, i = 1, 2, 3, 4, 5.
(23) Calculate R; if R >= 0, the software is judged to be malicious application software, otherwise it is non-malicious application software.
In short, the tests of the simulation embodiment of the invention were successful and achieved the object of the invention.

Claims (6)

1. A mobile internet malicious application software detection method based on support vector machines, characterized in that the method comprises the following operation steps:
(1) use hidden Markov models to analyze the monitored mobile internet application software, obtain the degree of similarity of the current program to each basic software operation type, and form a similarity vector;
(2) first build support vector machine models by training on the samples with five different kernel functions; then input the similarity vector of the application software under test to the trained models and output each support vector machine model's judgment; finally decide with a voting system whether the software is malicious application software.
2. The method according to claim 1, characterized in that:
Step (1) further comprises the following operations:
(11) run the mobile internet application software to be analyzed, monitor its behavior, and segment the record according to a set duration, dividing the behavioral data of the application software into a sequence of behavior segments;
(12) extract the features of each behavior segment in the sequence: segment average CPU occupancy, segment average memory occupancy, segment privacy access count, segment wifi network usage time, segment 2G/3G network usage time, segment camera open count, segment location-information acquisition, and segment device-information acquisition;
(13) use hidden Markov models to model and detect the basic software operations: first, in the training process, the Baum-Welch algorithm is used to adjust the parameters of the hidden Markov models; once each corresponding model has been obtained, the Viterbi algorithm is used to compute the degree of similarity between the application currently under detection and each model, that is, the maximum likelihood value; the maximum likelihood values then form a maximum likelihood value vector.
3. The method according to claim 2, characterized in that:
Step (12) further comprises the following operations:
(121) the segment average CPU occupancy is the application software's average per-second CPU occupancy during the monitoring period;
(122) the segment average memory occupancy is the application software's average per-second memory occupancy during the monitoring period;
(123) the segment privacy access count is the total number of times the application software accesses the user's address book, pictures and short messages during the monitoring period;
(124) the segment network usage time is the time the application software spends accessing the network during the monitoring period;
(125) the segment camera open count is the number of times the application software opens the phone camera during the monitoring period;
(126) segment location-information acquisition indicates whether the application software obtained the user's location information during the monitoring period; if so, the feature is 1, otherwise it is 0;
(127) segment device-information acquisition indicates whether the application software obtained device information (IMEI number, baseband version, kernel version) during the monitoring period; if so, the feature is 1, otherwise it is 0.
4. The method according to claim 2, characterized in that:
Step (13) further comprises the following operations:
(131) suppose N basic software operation types are to be modeled in total, and the degree of similarity (maximum likelihood value) between the behavior of the application under detection and the i-th type is $c_i$; then the similarity vector of the application under detection is $c = \{c_1, c_2, \ldots, c_N\}$.
5. The method according to claim 2, characterized in that: the set duration in step (11) is recommended to be a short duration in the range of 200 s to 500 s.
6. The method according to claim 1, characterized in that:
Step (2) further comprises the following operations:
(21) for the specified samples, a linear kernel function, a polynomial kernel function, a radial basis function, a Sigmoid kernel function and a composite kernel function are each used to build a support vector machine model, and these models are labeled $SVM_i$, where i = 1, 2, 3, 4, 5;
(22) using the trained support vector machine models, the similarity vector of the application software under test is input to the 5 models in turn to obtain the outputs. If the output of $SVM_i$ indicates that the current software is malware, set $C_i = 1$, otherwise $C_i = 0$, where i = 1, 2, 3, 4, 5;
(23) calculate R; if R >= 0, the software is judged to be malicious application software, otherwise it is non-malicious application software.
CN201310616988.XA 2013-11-28 2013-11-28 Method for mobile internet malicious application software detection based on support vector machines Pending CN103617393A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310616988.XA CN103617393A (en) 2013-11-28 2013-11-28 Method for mobile internet malicious application software detection based on support vector machines

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310616988.XA CN103617393A (en) 2013-11-28 2013-11-28 Method for mobile internet malicious application software detection based on support vector machines

Publications (1)

Publication Number Publication Date
CN103617393A true CN103617393A (en) 2014-03-05

Family

ID=50168096

Country Status (1)

Country Link
CN (1) CN103617393A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101477798A (en) * 2009-02-17 2009-07-08 北京邮电大学 Method for analyzing and extracting audio data of set scene
CN102163427A (en) * 2010-12-20 2011-08-24 北京邮电大学 Method for detecting audio exceptional event based on environmental model

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
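Asaf Shabtai et al.: ""Andromaly": a behavioral malware detection framework for Android devices", Journal of Intelligent Information Systems *
Zhao Jing: "Research and Application of Network Protocol Anomaly Detection Models", China Doctoral Dissertations Full-text Database (Information Science and Technology) *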

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104317574B (en) * 2014-09-30 2018-03-30 北京金山安全软件有限公司 Method and device for identifying application program type
CN104317574A (en) * 2014-09-30 2015-01-28 北京金山安全软件有限公司 Method and device for identifying application program type
CN104866763A (en) * 2015-05-28 2015-08-26 天津大学 Permission-based Android malicious software hybrid detection method
CN104866763B (en) * 2015-05-28 2019-02-26 天津大学 Android malware mixing detection method based on permission
CN105138916A (en) * 2015-08-21 2015-12-09 中国人民解放军信息工程大学 Multi-track malicious program feature detecting method based on data mining
CN105138916B (en) * 2015-08-21 2018-02-02 中国人民解放军信息工程大学 Multi-trace rogue program characteristic detection method based on data mining
CN106250765A (en) * 2016-08-05 2016-12-21 黄新勇 Program monitoring method in broadcast system and system
WO2018023708A1 (en) * 2016-08-05 2018-02-08 黄新勇 Method and system for monitoring program in broadcast system
WO2018023711A1 (en) * 2016-08-05 2018-02-08 黄新勇 Real-time monitoring method and system in audio broadcasting network
CN106598710A (en) * 2016-10-28 2017-04-26 努比亚技术有限公司 Application management device and method, and mobile terminal
CN106570401B (en) * 2016-12-27 2019-07-26 哈尔滨安天科技股份有限公司 A kind of malicious code detecting method and system based on time change
CN106570401A (en) * 2016-12-27 2017-04-19 哈尔滨安天科技股份有限公司 Method and system for detecting malicious code based on time variation
CN108563950A (en) * 2018-03-20 2018-09-21 南京邮电大学 Android malware detection method based on SVM
CN108563950B (en) * 2018-03-20 2022-03-15 南京邮电大学 Android malicious software detection method based on SVM
CN110968887A (en) * 2018-09-28 2020-04-07 第四范式(北京)技术有限公司 Method and system for executing machine learning under data privacy protection
CN110968887B (en) * 2018-09-28 2022-04-05 第四范式(北京)技术有限公司 Method and system for executing machine learning under data privacy protection
CN109657452A (en) * 2018-12-20 2019-04-19 广东电网有限责任公司 A kind of mobile application behavior dynamic credible appraisal procedure and device
CN111382430A (en) * 2018-12-28 2020-07-07 卡巴斯基实验室股份制公司 System and method for classifying objects of a computer system
CN111382430B (en) * 2018-12-28 2023-06-30 卡巴斯基实验室股份制公司 System and method for classifying objects of a computer system
CN113094709A (en) * 2021-04-15 2021-07-09 中国工商银行股份有限公司 Detection method and device for risk application and server
CN113094709B (en) * 2021-04-15 2024-04-05 中国工商银行股份有限公司 Detection method, device and server for risk application

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140305