CN104331436A - Rapid classification method of malicious codes based on family genetic codes - Google Patents

Info

Publication number: CN104331436A
Authority: CN (China)
Prior art keywords: malicious code, sample, malicious, behavior, code
Legal status: Granted
Application number: CN201410571621.5A
Other languages: Chinese (zh)
Other versions: CN104331436B (en)
Inventors: 沈超, 程颢, 张泽华, 管晓宏
Current Assignee: Xian Jiaotong University
Original Assignee: Xian Jiaotong University
Application filed by Xian Jiaotong University
Priority to CN201410571621.5A
Publication of CN104331436A
Application granted
Publication of CN104331436B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web


Abstract

The invention discloses a rapid classification method of malicious codes based on family genetic codes. The method comprises representing the features of malicious codes by the occurrence frequencies of behaviors at multiple behavioral levels, generating the family genetic codes based on the aggregation and difference among massive malicious code samples, and accurately and rapidly classifying malicious codes by directly matching the feature vectors of new malicious codes against the family genetic codes. The method has the following advantages: the behavior information of malicious codes is described at multiple behavioral levels and the family genetic codes are generated using the aggregation and difference among similar malicious code samples, so the accuracy and generality with which a malicious code family is represented are markedly improved; by directly matching malicious code feature vectors against the family genetic codes, the speed of comparing and classifying malicious codes is effectively increased; furthermore, the algorithm of the whole process is highly automated and needs no human intervention, which increases the stability and accuracy of the method.

Description

Rapid classification method for malicious code based on family gene codes
Technical field
The present invention relates to computer security technology, and in particular to a method for classifying computer malicious code.
Background
With the progress of society and the development of science and technology, computers have penetrated every aspect of people's lives, and more and more personal information (such as pictures, videos and chat records) and sensitive information (such as bank account numbers and business documents) is stored on computers. Meanwhile, the amount of malicious code whose main purpose is to steal or destroy this information has increased sharply in recent years, and it is characterized by many variants and growing intelligence. This has drawn great attention from governments and the public to the problem of identifying and classifying computer malicious code.
Existing malicious code classification methods mainly start from the static features or the dynamic features of malicious code, and most of them concentrate on clustering and classifying known malicious code, so they classify new malicious code poorly. In addition, their analysis of malicious code behavior features takes a single form and uses a small number of samples, so they lack accuracy and generality.
Summary of the invention
The object of the present invention is to provide a method that can classify computer malicious code quickly and accurately, in particular a method that uses the malicious code family gene codes obtained by clustering a massive number of malicious code samples to classify new malicious code quickly and accurately.
To achieve the above object, the present invention adopts the following technical solution:
A rapid classification method for malicious code based on family gene codes, characterized in that it comprises the following two major steps:
The first step, generation of the malicious code family gene codes, comprises the following sub-steps:
(1) obtain a malicious code sample set consisting of M malicious code samples, where M is at least 10 million;
(2) extract behavior information from the malicious code samples;
(3) count and sort the frequencies with which the various behaviors occur across all malicious code samples, and select the behaviors whose total frequency is not less than 3 as the behavior vector that characterizes the malicious code samples;
(4) use the frequency with which each element of the behavior vector occurs in a malicious code sample's behavior information to form the feature vector of that sample;
(5) use the Manhattan distance to calculate the distances between the feature vectors of the malicious code samples, forming the distance matrix $D = \{d_{ij}\}_{M \times M}$ of the malicious code sample set, where $d_{ij}$ is the distance from malicious code sample i to malicious code sample j and D is symmetric about its diagonal;
(6) based on the distance matrix D of the malicious code sample set, extract the malicious code family gene codes from the sample set, so as to generate the malicious code families.
The second step, rapid classification of malicious code, comprises the following sub-steps:
(1) for a new malicious code sample, extract its behavior information and compare it with the behavior vector obtained from the malicious code sample set; the frequency with which each element of the behavior vector occurs in the behavior information of the new sample forms the feature vector of that sample;
(2) match the feature vector of the new malicious code sample against the malicious code family gene codes to determine the category to which the new malicious code belongs.
In the above method, the behavior information of malicious code in sub-step (2) of the first step refers to the accesses that the malicious code makes to computer resources during execution, comprising API import table access behavior, file operation behavior, process operation behavior, registry operation behavior, dynamic link library call behavior and hook function call behavior.
The selection, in sub-step (3) of the first step, of the behaviors whose total frequency is not less than 3 as the behavior vector that characterizes the malicious code samples has the following concrete steps:
(1) statistically analyze the behavior information of every sample in the malicious code sample set, and use all behaviors that occur to form the initial feature set;
(2) for each element of the initial feature set, calculate the sum of its occurrence frequencies in the behavior information of all samples, sort the elements, remove those whose total frequency is 1 or 2, and use the remaining elements as the features that characterize the malicious code samples.
The concrete method of extracting the malicious code family gene codes from the sample set in sub-step (6) of the first step is:
1) sort the distances $d_{ij}$ ($i<j$) between malicious code samples in descending order and take the median of the sorted result as the cutoff distance $d_c$;
2) use a Gaussian kernel function to calculate the aggregation degree $\rho_i$ of each malicious code sample, which represents the degree to which the sample is surrounded by its neighboring samples; the formula is:

$$\rho_i = \sum_{j \in I_D \setminus \{i\}} e^{-\left(\frac{d_{ij}}{d_c}\right)^2};$$

3) generate the index sequence of the malicious code samples sorted by aggregation degree in descending order;
4) calculate the difference degree of each malicious code sample, which represents the distance between this malicious code sample and the other malicious code samples with a larger aggregation degree; the formula is:

$$\delta_{s_i} = \begin{cases} \min\limits_{s_j,\, j<i} \{ d_{s_i s_j} \}, & i \ge 2 \\ \min\limits_{j \ge 2} \{ \delta_{s_j} \}, & i = 1 \end{cases};$$

5) for each malicious code sample, calculate the decision value of this sample as a family gene code; the decision value is the product of the sample's aggregation degree and its difference degree;
6) compare the decision value of each malicious code sample as a family gene code with the preset threshold ε; if it is greater than the threshold, the sample is judged to be a family gene code and is stored in the database.
The concrete method of determining the category of a new malicious code sample from the result of matching its feature vector against the malicious code family gene codes, in sub-step (2) of the second step, is: match the feature vector of the new malicious code sample against each malicious code family gene code in the database to obtain a similarity value with that family gene code. If any similarity value is greater than the preset threshold, the malicious code sample is assigned to the malicious code family with the maximum similarity value; if no similarity value is greater than the preset threshold, the malicious code sample is assigned to a new malicious code family.
The malicious code sample feature vectors formed in sub-step (4) of the first step are stored as follows: an index matrix is used, and the index matrix records only the positions of the elements of the feature vector that are greater than 0 and less than 10.
Compared with existing methods, the classification technique based on malicious code family gene codes has significant advantages. First, the number of malicious code samples analyzed is enormous, a combination of dynamic and static features is used to describe and characterize malicious code behavior at multiple behavioral levels, and the aggregation and difference among similar malicious code are used to generate the family gene codes, so the generated malicious code family gene codes are representative and general. Second, directly matching malicious code feature vectors against the family gene codes effectively increases the speed of malicious code comparison and classification. In addition, the algorithm of the whole process is highly automated and needs no human intervention, which increases the stability and accuracy of the method.
Brief description of the drawings
Fig. 1 is an overall flow diagram of the method of the invention.
Fig. 2 is a detailed flow diagram of the family gene code generation step in the first major step of Fig. 1.
Fig. 3 is a detailed flow diagram of the second major step in Fig. 1.
Detailed description
Referring to Fig. 1, the present invention relates to a rapid classification method for malicious code based on family gene codes, which can be used to identify the family information of new malicious code quickly and to classify massive amounts of malicious code quickly and accurately. The invention comprises two parts, the generation of family gene codes and the rapid classification of malicious code, and the concrete implementation steps are as follows:
1) The family gene code generation part comprises the following steps:
(1) Obtain the malicious code sample set (comprising M malicious code samples).
(2) Disassemble each malicious code sample and analyze the disassembly result to obtain the static behavior information of the malicious code, including API import table call behavior. Then run the malicious code sample in a sandbox while monitoring its dynamic operations on the host computer to obtain the dynamic behavior information of the malicious code, including file operation behavior, process operation behavior, registry operation behavior, dynamic link library call behavior and hook function call behavior. Statistically analyze the behavior information of every sample in the malicious code sample set, and use all behaviors that occur to form the initial feature set.
(3) In the initial feature set, count and sort the frequencies with which the various behaviors occur across all malicious code samples, remove the elements whose frequency is 1 or 2, and use the remaining P elements to form the behavior vector C that characterizes the malicious code samples. Here an element is an access, by one class of behavior of the malicious code, to a specific target resource of the host computer: a call to a specific target API function, an operation on a specific file, an operation on a specific process, an operation on a specific registry entry, a call to a specific dynamic link library, or a call to a specific hook function.
(4) The frequency with which each element of the behavior vector C occurs in a malicious code sample's behavior information forms the feature vector of that sample. A P-dimensional feature vector is generated for every malicious code sample in the sample set, giving M feature vectors in total, each expressed as $V_j = [S_1, S_2, S_3, \ldots, S_P]$, where $S_i$ is the frequency with which the i-th element of the behavior vector occurs in sample j;
(5) Use the Manhattan distance to calculate the pairwise distances between malicious code samples and generate the distance matrix D of the malicious code sample set. D is an M × M matrix in which $d_{ij}$ is the distance from sample i to sample j, the diagonal elements are 0, and D is symmetric about its diagonal;
(6) Based on the distance matrix D of the malicious code sample set, extract the family gene codes from the sample set. The concrete implementation steps are:
1) sort the distances $d_{ij}$ ($i<j$) between malicious code samples in descending order and take the median of the sorted result as the cutoff distance $d_c$;
2) use a Gaussian kernel function to calculate the aggregation degree $\rho_i$ of each malicious code sample, which represents the degree to which the sample is surrounded by its neighboring samples; the formula is:

$$\rho_i = \sum_{j \in I_D \setminus \{i\}} e^{-\left(\frac{d_{ij}}{d_c}\right)^2};$$

3) generate the index sequence of the malicious code samples sorted by aggregation degree in descending order;
4) calculate the difference degree of each malicious code sample, which represents the distance between this sample and the other samples with a larger aggregation degree; the formula is:

$$\delta_{s_i} = \begin{cases} \min\limits_{s_j,\, j<i} \{ d_{s_i s_j} \}, & i \ge 2 \\ \min\limits_{j \ge 2} \{ \delta_{s_j} \}, & i = 1 \end{cases};$$

5) for each malicious code sample, calculate the decision value of this sample as a family gene code, which is the product of the sample's aggregation degree and its difference degree, $\gamma_i = \rho_i \delta_i$;
6) compare the decision value $\gamma_i$ of each malicious code sample as a family gene code with the preset threshold ε; if it is greater than the threshold, the sample is judged to be a family gene code and is stored in the database.
(7) For the malicious code samples that are not family gene codes, extract the distance between each sample and all family gene codes from the distance matrix, assign each sample according to the minimum-distance principle to form the malicious code families, and store them in the database.
2) The rapid classification part comprises the following steps:
(1) For a new malicious code sample B, disassemble B to obtain its static features and extract the API import table call behavior of B; run B in a sandbox and monitor its dynamic operations on the host computer to obtain its dynamic features, extracting file operation behavior, process operation behavior, registry operation behavior, dynamic link library call behavior and hook function call behavior;
(2) Based on the malicious code behavior vector C obtained during gene code generation, perform feature extraction on the behavior information obtained for malicious code sample B; the frequency with which each element of the behavior vector C occurs in the behavior information of B forms the feature vector of B;
(3) Match the feature vector of malicious code sample B against the gene code of each family in the database by calculating the Manhattan distance between them, which serves as the similarity between B and that family. If any similarity value is greater than the preset threshold, the malicious code sample is assigned to the family with the maximum similarity value; if no similarity value is greater than the preset threshold, the malicious code sample is assigned to a new family, and the feature vector of B is inserted into the database and marked as a new family.
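
The generation steps (3) to (7) and the matching step of the embodiment above, carried through in Python on six constructed behavior logs; this is an added example, not code from the patent. Assumptions of the example: the behavior names, sample data, function names and the thresholds `epsilon` and `max_dist` are made up; the densest sample takes the maximum of the other samples' difference degrees where the page's formula writes min, so that it can qualify as a gene code; and a smaller Manhattan distance is treated as a higher similarity, so the similarity threshold becomes a maximum distance.

```python
from collections import Counter
from math import exp
from statistics import median

# Constructed behaviour logs (not real samples): sample id -> observed behaviours.
LOGS = {
    "a1": ["hook:WH_KEYBOARD_LL"] * 5 + ["file:write:log.dat"] * 4,
    "a2": ["hook:WH_KEYBOARD_LL"] * 5 + ["file:write:log.dat"] * 5,
    "a3": ["hook:WH_KEYBOARD_LL"] * 6 + ["file:write:log.dat"] * 4
          + ["proc:create:calc.exe"],
    "b1": ["api:RegSetValueExW"] * 4 + ["dll:ws2_32.dll"] * 3,
    "b2": ["api:RegSetValueExW"] * 4 + ["dll:ws2_32.dll"] * 4 + ["reg:query:Example"],
    "b3": ["api:RegSetValueExW"] * 5 + ["dll:ws2_32.dll"] * 3 + ["reg:query:Example"],
}


def behavior_vector(logs, min_total=3):
    """Step (3): keep behaviours whose summed frequency over all samples is >= 3."""
    totals = Counter()
    for events in logs.values():
        totals.update(events)
    return sorted(b for b, n in totals.items() if n >= min_total)


def feature_vector(events, behaviors):
    """Step (4): frequency of each behaviour-vector element in one sample."""
    counts = Counter(events)
    return [counts[b] for b in behaviors]


def manhattan(u, v):
    return sum(abs(a - b) for a, b in zip(u, v))


def distance_matrix(vectors):
    """Step (5): symmetric M x M matrix with a zero diagonal."""
    m = len(vectors)
    d = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            d[i][j] = d[j][i] = manhattan(vectors[i], vectors[j])
    return d


def gene_codes(d, epsilon):
    """Step (6): return (indices of family gene codes, decision values gamma)."""
    m = len(d)
    d_c = median(d[i][j] for i in range(m) for j in range(i + 1, m))  # cutoff
    if d_c == 0:
        raise ValueError("median distance is 0: samples are not separable")
    rho = [sum(exp(-(d[i][j] / d_c) ** 2) for j in range(m) if j != i)
           for i in range(m)]
    order = sorted(range(m), key=lambda i: -rho[i])  # descending aggregation
    delta = [0.0] * m
    for rank in range(1, m):
        i = order[rank]
        # distance to the closest sample with a higher aggregation degree
        delta[i] = min(d[i][order[k]] for k in range(rank))
    # Assumption: the densest sample takes the max of the others (page writes min).
    delta[order[0]] = max(delta[i] for i in order[1:])
    gamma = [rho[i] * delta[i] for i in range(m)]
    return [i for i in range(m) if gamma[i] > epsilon], gamma


def assign_families(d, codes):
    """Step (7): every sample joins the family of its nearest gene code."""
    return {i: min(codes, key=lambda c: d[i][c]) for i in range(len(d))}


def classify(events, behaviors, code_vectors, max_dist):
    """Second part: name of the nearest gene code, or None for a new family."""
    v = feature_vector(events, behaviors)
    best = min(code_vectors, key=lambda c: manhattan(v, code_vectors[c]))
    return best if manhattan(v, code_vectors[best]) <= max_dist else None


def build(logs, epsilon):
    """Run the generation part; return behaviour vector, gene codes, families."""
    behaviors = behavior_vector(logs)
    names = list(logs)
    vectors = [feature_vector(logs[n], behaviors) for n in names]
    d = distance_matrix(vectors)
    codes, _ = gene_codes(d, epsilon)
    families = {names[i]: names[c] for i, c in assign_families(d, codes).items()}
    return behaviors, {names[c]: vectors[c] for c in codes}, families


if __name__ == "__main__":
    behaviors, code_vectors, families = build(LOGS, epsilon=10)
    print(behaviors, code_vectors, families, sep="\n")
    new = ["hook:WH_KEYBOARD_LL"] * 5 + ["file:write:log.dat"] * 3
    print(classify(new, behaviors, code_vectors, max_dist=5))
```

The two behaviors with a total frequency of 1 and 2 are dropped from the behavior vector, and a new sample whose distance to every gene code exceeds `max_dist` comes back as `None`, the case the page assigns to a new family.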

Claims (6)

1. A rapid classification method for malicious code based on family gene codes, characterized in that it comprises the following two major steps:
The first step, generation of the malicious code family gene codes, comprises the following sub-steps:
(1) obtain a malicious code sample set consisting of M malicious code samples, where M is at least 10 million;
(2) extract behavior information from the malicious code samples;
(3) count and sort the frequencies with which the various behaviors occur across all malicious code samples, and select the behaviors whose total frequency is not less than 3 as the behavior vector that characterizes the malicious code samples;
(4) use the frequency with which each element of the behavior vector occurs in a malicious code sample's behavior information to form the feature vector of that sample;
(5) use the Manhattan distance to calculate the distances between the feature vectors of the malicious code samples, forming the distance matrix $D = \{d_{ij}\}_{M \times M}$ of the malicious code sample set, where $d_{ij}$ is the distance from malicious code sample i to malicious code sample j and D is symmetric about its diagonal;
(6) based on the distance matrix D of the malicious code sample set, extract the malicious code family gene codes from the sample set, so as to generate the malicious code families;
The second step, rapid classification of malicious code, comprises the following sub-steps:
(1) for a new malicious code sample, extract its behavior information and compare it with the behavior vector obtained from the malicious code sample set; the frequency with which each element of the behavior vector occurs in the behavior information of the new sample forms the feature vector of that sample;
(2) match the feature vector of the new malicious code sample against the malicious code family gene codes to determine the category to which the new malicious code belongs.
2. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the behavior information of malicious code in sub-step (2) of the first step refers to the accesses that the malicious code makes to computer resources during execution, comprising API import table access behavior, file operation behavior, process operation behavior, registry operation behavior, dynamic link library call behavior and hook function call behavior.
3. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the selection, in sub-step (3) of the first step, of the behaviors whose total frequency is not less than 3 as the behavior vector that characterizes the malicious code samples has the following concrete steps:
(1) statistically analyze the behavior information of every sample in the malicious code sample set, and use all behaviors that occur to form the initial feature set;
(2) for each element of the initial feature set, calculate the sum of its occurrence frequencies in the behavior information of all samples, sort the elements, remove those whose total frequency is 1 or 2, and use the remaining elements as the features that characterize the malicious code samples.
4. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the concrete method of extracting the malicious code family gene codes from the sample set in sub-step (6) of the first step is:
1) sort the distances $d_{ij}$ ($i<j$) between malicious code samples in descending order and take the median of the sorted result as the cutoff distance $d_c$;
2) use a Gaussian kernel function to calculate the aggregation degree $\rho_i$ of each malicious code sample, which represents the degree to which the sample is surrounded by its neighboring samples; the formula is:

$$\rho_i = \sum_{j \in I_D \setminus \{i\}} e^{-\left(\frac{d_{ij}}{d_c}\right)^2},$$

where $I_D$ is the set of the indices of all malicious samples;
3) generate the index sequence of the malicious code samples sorted by aggregation degree in descending order;
4) calculate the difference degree of each malicious code sample, which represents the distance between this malicious code sample and the other malicious code samples with a larger aggregation degree; the formula is:

$$\delta_{s_i} = \begin{cases} \min\limits_{s_j,\, j<i} \{ d_{s_i s_j} \}, & i \ge 2 \\ \min\limits_{j \ge 2} \{ \delta_{s_j} \}, & i = 1 \end{cases};$$

5) for each malicious code sample, calculate the decision value of this sample as a family gene code; the decision value is the product of the sample's aggregation degree and its difference degree;
6) compare the decision value of each malicious code sample as a family gene code with the preset threshold ε; if it is greater than the threshold, the sample is judged to be a family gene code and is stored in the database.
5. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the concrete method of determining the category of a new malicious code sample from the result of matching its feature vector against the malicious code family gene codes, in sub-step (2) of the second step, is: match the feature vector of the new malicious code sample against each malicious code family gene code in the database to obtain a similarity value with that family gene code; if any similarity value is greater than the preset threshold, the malicious code sample is assigned to the malicious code family with the maximum similarity value; if no similarity value is greater than the preset threshold, the malicious code sample is assigned to a new malicious code family.
6. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the malicious code sample feature vectors formed in sub-step (4) of the first step are stored as follows: an index matrix is used, and the index matrix records only the positions of the elements of the feature vector that are greater than 0 and less than 10.
Priority Applications (1)

Application number: CN201410571621.5A
Publication: CN104331436B (en)
Priority date: 2014-10-23
Filing date: 2014-10-23
Title: Rapid classification method for malicious code based on family gene codes
Status: Active

Publications (2)

Publication Number Publication Date
CN104331436A 2015-02-04
CN104331436B 2017-06-06

CN106709349B (en) A kind of malicious code classification method based on various dimensions behavioural characteristic
CN109271788B (en) Android malicious software detection method based on deep learning
CN107577942A (en) A kind of composite character screening technique for Android malware detection
CN103995876A (en) Text classification method based on chi square statistics and SMO algorithm
CN112883378B (en) Android malicious software detection method integrating graph embedding and deep neural network
CN108446559A (en) A kind of recognition methods of APT tissue and device
Rasheed et al. Urdu text classification: a comparative study using machine learning techniques
CN107392021A (en) A kind of Android malicious application detection methods based on multiclass feature
CN110287311A (en) File classification method and device, storage medium, computer equipment
CN109376235B (en) Feature selection method based on document layer word frequency reordering
CN115577357A (en) Android malicious software detection method based on stacking integration technology
CN111753299A (en) Unbalanced malicious software detection method based on packet integration
More et al. An experimental assessment of random Forest classification performance improvisation with sampling and stage wise success rate calculation
Naeem et al. Visual malware classification using local and global malicious pattern
Sivakumar et al. Malware Detection Using The Machine Learning Based Modified Partial Swarm Optimization Approach
Naeem et al. Digital forensics for malware classification: An approach for binary code to pixel vector transition
CN112001424A (en) Malicious software open set family classification method and device based on countermeasure training
Dass et al. Cyberbullying detection on social networks using LSTM model
CN115829712A (en) Data information security classification method and device
Gopal et al. Content based image retrieval using enhanced surf
Ambai et al. SPADE: scalar product accelerator by integer decomposition for object detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant