CN104331436A - Rapid classification method of malicious codes based on family genetic codes
- Publication number: CN104331436A
- Application number: CN201410571621.5A
- Authority: CN (China)
- Prior art keywords: malicious code, sample, malicious, behavior, code
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Data Mining & Analysis (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a rapid classification method for malicious code based on family genetic codes. The method represents malicious code by the occurrence frequencies of behaviors on multiple behavior layers, generates family genetic codes from the aggregation and difference among a massive set of malicious code samples, and classifies newly added malicious code accurately and rapidly by directly matching its feature vector against the family genetic codes. The advantages are as follows: because malicious code behavior is described on multiple behavior layers and the family genetic codes are generated from the aggregation and difference among similar samples, the accuracy and generality with which a malicious code family is represented are markedly improved; directly matching feature vectors against family genetic codes effectively increases the speed of comparison and classification; furthermore, the algorithms of the whole process are highly automated and need no human intervention, which increases the stability and accuracy of the method.
Description
Technical field
The present invention relates to computer security technology, and in particular to a method for classifying computer malicious code.
Background
With social progress and the development of science and technology, computers have penetrated every aspect of daily life, and a growing amount of personal information (such as pictures, videos and chat records) and sensitive information (such as bank account numbers and business documents) is stored on them. Meanwhile, the quantity of malicious code whose main purpose is to steal or destroy this information has risen sharply in recent years, with numerous variants and increasingly intelligent behavior, so the identification and classification of computer malicious code has drawn great attention from governments and the public.
Existing malicious code classification methods work mainly from the static or dynamic features of malicious code and mostly concentrate on clustering known malicious code; they classify newly added malicious code poorly. In addition, the behavioral feature analysis they use takes a single form and relies on small sample sets, so they lack accuracy and generality.
Summary of the invention
The object of the invention is to provide a method that classifies computer malicious code quickly and accurately, in particular a method that uses malicious code family gene codes, obtained by clustering a massive set of malicious code samples, to classify newly added malicious code quickly and accurately.
To achieve this object, the invention adopts the following technical scheme:
A rapid classification method for malicious code based on family gene codes, characterized in that it comprises the following two major steps:
First step, generation of the malicious code family gene codes, comprising the following sub-steps:
(1) obtain a malicious code sample set consisting of M malicious code samples, where M is at least 10 million;
(2) extract behavior information from the malicious code samples;
(3) count and sort the occurrence frequencies of the various behaviors across all malicious code samples, and select the behaviors whose total frequency is not less than 3 as the behavior vector that characterizes malicious code samples;
(4) use the frequency with which each element of the behavior vector occurs in a sample's behavior information to form the feature vector of that sample;
(5) use the Manhattan distance to compute the distances between the feature vectors of the malicious code samples, forming the distance matrix $D = \{d_{ij}\}_{M \times M}$ of the sample set, where $d_{ij}$ is the distance from malicious code sample i to malicious code sample j and D is symmetric about its diagonal;
(6) based on the distance matrix D of the sample set, extract the malicious code family gene codes from the sample set, so that the malicious code families can be generated.
Second step, rapid classification of malicious code, comprising the following sub-steps:
(1) for a newly added malicious code sample, extract its behavior information and compare it with the behavior vector obtained from the sample set; the frequency with which each element of the behavior vector occurs in the new sample's behavior information forms the feature vector of that sample;
(2) match the feature vector of the newly added sample against the malicious code family gene codes to determine the class to which the new malicious code belongs.
In the above method, the behavior information of malicious code in sub-step (2) of the first step refers to the accesses the malicious code makes to computer resources during execution, comprising API import table accesses, file operations, process operations, registry operations, dynamic link library calls and hook function calls.
Selecting the behaviors whose total frequency is not less than 3 as the behavior vector, as described in sub-step (3) of the first step, proceeds as follows:
(1) perform statistical analysis on the behavior information of every sample in the malicious code sample set, and use all behaviors that occur to form the initial feature set;
(2) compute, for each element of the initial feature set, the total frequency with which it occurs in the behavior information of all samples; sort the elements, remove those whose total frequency is 1 or 2, and use the remaining elements as the features that characterize malicious code samples.
The concrete method for extracting the malicious code family gene codes from the sample set, as described in sub-step (6) of the first step, is:
1) sort the distances $d_{ij}$ (i < j) between malicious code samples in descending order, and take the median of the sorted results as the cutoff distance $d_c$;
2) use a Gaussian kernel function to compute the aggregation degree $\rho_i$ of each malicious code sample, which indicates how tightly the sample is surrounded by its neighboring samples; the formula is:
3) generate the index sequence of the malicious code samples sorted by aggregation degree in descending order
4) compute the difference degree of each malicious code sample, which represents the distance between this sample and the other samples with a larger aggregation degree; the formula is:
5) for each malicious code sample, compute its decision value as a family gene code; this decision value is the product of the sample's aggregation degree and its difference degree;
6) compare each sample's decision value with a preset threshold ε; if the decision value is greater than the threshold, the sample is judged to be a family gene code and is stored in the database.
The concrete method for determining the class of a newly added malicious code sample from the match between its feature vector and the family gene codes, as described in sub-step (2) of the second step, is: match the feature vector of the new sample against each malicious code family gene code in the database to obtain a similarity value for each; if some similarity value is greater than the preset threshold, the sample is assigned to the malicious code family with the maximum similarity value; if no similarity value is greater than the preset threshold, the sample is assigned to a newly added malicious code family.
The malicious code sample feature vectors formed in sub-step (4) of the first step are stored using an index matrix, which records only the positions of the feature-vector elements that are greater than 0 and less than 10.
Compared with existing methods, classification based on malicious code family gene codes has significant advantages. First, the number of malicious code samples analyzed is enormous, and malicious code behavior is described and characterized on multiple behavior layers by combining dynamic and static features; the family gene codes are generated from the aggregation among, and the differences between, similar malicious code samples, so the generated gene codes are representative and general. Second, directly matching a malicious code feature vector against the family gene codes effectively increases the speed of comparison and classification. In addition, the algorithms of the whole process are highly automated and need no human intervention, which adds to the stability and accuracy of the method.
Description of the drawings
Fig. 1 is a schematic diagram of the overall flow of the method.
Fig. 2 is a detailed flow diagram of the family gene code generation step in the first step of Fig. 1.
Fig. 3 is a detailed flow diagram of the second major step in Fig. 1.
Embodiment
Referring to Fig. 1, the invention relates to a rapid classification method for malicious code based on family gene codes. It can be used to identify the family of newly added malicious code quickly and to classify massive volumes of malicious code quickly and accurately. The invention comprises two parts, the generation of family gene codes and the rapid classification of malicious code; the concrete implementation steps are as follows:
1) The family gene code generation part comprises the following steps:
(1) Obtain the malicious code sample set (containing M malicious code samples).
(2) Disassemble each malicious code sample and analyze the disassembly to obtain the sample's static behavior information, which comprises API import table call behavior. Then run the sample in a sandbox while monitoring its dynamic operations on the host, to obtain its dynamic behavior information, which comprises file operations, process operations, registry operations, dynamic link library calls and hook function calls. Perform statistical analysis on the behavior information of every sample in the set, and use all behaviors that occur to form the initial feature set.
(3) Within the initial feature set, count and sort the occurrence frequencies of the various behaviors across all malicious code samples, remove the elements whose frequency is 1 or 2, and use the remaining P elements to form the behavior vector C that characterizes malicious code samples. Here an element is an access by one class of behavior to a specific target resource of the host: a call to a specific API function, an operation on a specific file, an operation on a specific process, an operation on a specific registry entry, a call to a specific dynamic link library, or a call to a specific hook function.
(4) Use the frequency with which each element of behavior vector C occurs in a sample's behavior information as the feature vector of that sample. A P-dimensional feature vector is generated for every sample in the set, M feature vectors in total. Each feature vector is written $V_j = [S_1, S_2, S_3, \ldots, S_P]$, where $S_i$ is the frequency with which the i-th element of the behavior vector occurs in sample j;
(5) Use the Manhattan distance to compute the pairwise distances between malicious code samples and generate the distance matrix D of the sample set. D is an M × M matrix in which $d_{ij}$ is the distance from sample i to sample j; the diagonal elements of D are 0, and D is symmetric about its diagonal;
(6) Based on the distance matrix D of the sample set, extract the family gene codes from the sample set. The concrete implementation steps are:
1) sort the distances $d_{ij}$ (i < j) between malicious code samples in descending order, and take the median of the sorted results as the cutoff distance $d_c$;
2) use a Gaussian kernel function to compute the aggregation degree $\rho_i$ of each malicious code sample, which indicates how tightly the sample is surrounded by its neighboring samples; the formula is:
3) generate the index sequence of the malicious code samples sorted by aggregation degree in descending order
4) compute the difference degree of each malicious code sample, which represents the distance between this sample and the other samples with a larger aggregation degree; the formula is
5) for each malicious code sample, compute its decision value as a family gene code, which is the product of the sample's aggregation degree and difference degree: $\gamma_i = \rho_i \delta_i$;
6) compare each sample's decision value $\gamma_i$ with a preset threshold ε; if it is greater than the threshold, the sample is judged to be a family gene code and is stored in the database.
(7) For the malicious code samples that are not family gene codes, take from the distance matrix the distance between each sample and every family gene code, assign each sample by the nearest-distance principle to form the malicious code families, and store them in the database.
2) The rapid classification part comprises the following steps:
(1) For a newly added malicious code sample B, disassemble B to obtain its static features and extract B's API import table call behavior; run B in a sandbox and monitor its dynamic operations on the host to obtain its dynamic features, extracting file operations, process operations, registry operations, dynamic link library calls and hook function calls;
(2) Based on the behavior vector C obtained during gene code generation, perform feature extraction on the behavior information obtained for sample B; the frequency with which each element of behavior vector C occurs in B's behavior information forms the feature vector of B;
(3) Match the feature vector of sample B against the gene code of each family in the database by computing the Manhattan distance between them, which serves as the similarity between B and that family. If some similarity value is greater than the preset threshold, the sample is assigned to the family with the maximum similarity value; if no similarity value is greater than the preset threshold, the sample is assigned to a newly added family, and the feature vector of B is inserted into the database and marked as a newly added family.
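The two parts above, carried end to end on a six-sample toy set, as an added example that is not code from the patent. The behavior strings, sample data, thresholds and function names are constructed for illustration; because the page's formulas for aggregation degree and difference degree are missing, the example assumes the standard Gaussian-kernel density and nearest-denser-sample distance, and it assumes similarity = 1 / (1 + Manhattan distance).

```python
import math
from collections import Counter
from statistics import median

# Constructed behavior logs (not real samples): one list of observed
# behaviors per sample, as a disassembler plus sandbox monitor might emit.
SAMPLES = [
    ["reg:set"] * 3 + ["file:write"] * 2,                           # 0
    ["reg:set"] * 3 + ["file:write"] * 3,                           # 1
    ["reg:set"] * 4 + ["file:write"] * 2,                           # 2
    ["net:connect"] * 3 + ["proc:create"] * 2,                      # 3
    ["net:connect"] * 3 + ["proc:create"] * 3,                      # 4
    ["net:connect"] * 2 + ["proc:create"] * 2 + ["hook:install"],   # 5
]


def build_behavior_vector(samples, min_total=3):
    """Step (3): keep behaviors whose summed frequency is >= min_total."""
    totals = Counter(b for s in samples for b in s)
    return sorted(b for b, n in totals.items() if n >= min_total)


def feature_vector(behaviors, vocab):
    """Step (4): frequency of each behavior-vector element in one sample."""
    counts = Counter(behaviors)
    return [counts[b] for b in vocab]


def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


def distance_matrix(vectors):
    """Step (5): symmetric M x M matrix with a zero diagonal."""
    m = len(vectors)
    d = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(i + 1, m):
            d[i][j] = d[j][i] = manhattan(vectors[i], vectors[j])
    return d


def extract_gene_codes(d, epsilon):
    """Step (6): indices whose decision value rho * delta exceeds epsilon."""
    m = len(d)
    d_c = median(d[i][j] for i in range(m) for j in range(i + 1, m))
    if d_c == 0:
        raise ValueError("all samples identical: cutoff distance is zero")
    # Assumed Gaussian-kernel density (the formula is missing from the page).
    rho = [sum(math.exp(-((d[i][j] / d_c) ** 2)) for j in range(m) if j != i)
           for i in range(m)]
    order = sorted(range(m), key=lambda i: -rho[i])
    delta = [0.0] * m
    delta[order[0]] = max(d[order[0]])   # densest sample: its farthest point
    for rank in range(1, m):
        i = order[rank]
        # Assumed definition: distance to the nearest sample of higher density.
        delta[i] = min(d[i][j] for j in order[:rank])
    return sorted(i for i in range(m) if rho[i] * delta[i] > epsilon)


def build_families(d, genes):
    """Step (7): attach every sample to its nearest gene code."""
    families = {g: [] for g in genes}
    for i in range(len(d)):
        families[min(genes, key=lambda g: d[i][g])].append(i)
    return families


def classify(behaviors, vocab, gene_db, threshold):
    """Part 2: best-matching family id, or None for a newly added family."""
    v = feature_vector(behaviors, vocab)   # behaviors outside vocab are ignored
    # Assumption: similarity = 1 / (1 + Manhattan distance).
    scores = {fam: 1.0 / (1 + manhattan(v, g)) for fam, g in gene_db.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > threshold else None


def run_demo():
    vocab = build_behavior_vector(SAMPLES)
    vectors = [feature_vector(s, vocab) for s in SAMPLES]
    d = distance_matrix(vectors)
    genes = extract_gene_codes(d, epsilon=10.0)
    families = build_families(d, genes)
    gene_db = {g: vectors[g] for g in genes}
    known = classify(["reg:set"] * 4 + ["file:write"] * 3,
                     vocab, gene_db, threshold=0.25)
    novel = classify(["proc:create"] * 8 + ["net:connect", "file:write"],
                     vocab, gene_db, threshold=0.25)
    return vocab, genes, families, known, novel


if __name__ == "__main__":
    print(run_demo())
```

The full distance matrix is quadratic in M, so at the sample counts the page names it would need blocked or approximate computation; the toy set only shows the logic.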
Claims (6)
1. A rapid classification method for malicious code based on family gene codes, characterized in that it comprises the following two major steps:
First step, generation of the malicious code family gene codes, comprising the following sub-steps:
(1) obtain a malicious code sample set consisting of M malicious code samples, where M is at least 10 million;
(2) extract behavior information from the malicious code samples;
(3) count and sort the occurrence frequencies of the various behaviors across all malicious code samples, and select the behaviors whose total frequency is not less than 3 as the behavior vector that characterizes malicious code samples;
(4) use the frequency with which each element of the behavior vector occurs in a sample's behavior information to form the feature vector of that sample;
(5) use the Manhattan distance to compute the distances between the feature vectors of the malicious code samples, forming the distance matrix $D = \{d_{ij}\}_{M \times M}$ of the sample set, where $d_{ij}$ is the distance from malicious code sample i to malicious code sample j and D is symmetric about its diagonal;
(6) based on the distance matrix D of the sample set, extract the malicious code family gene codes from the sample set, so that the malicious code families can be generated;
Second step, rapid classification of malicious code, comprising the following sub-steps:
(1) for a newly added malicious code sample, extract its behavior information and compare it with the behavior vector obtained from the sample set; the frequency with which each element of the behavior vector occurs in the new sample's behavior information forms the feature vector of that sample;
(2) match the feature vector of the newly added sample against the malicious code family gene codes to determine the class to which the new malicious code belongs.
2. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the behavior information of malicious code in sub-step (2) of the first step refers to the accesses the malicious code makes to computer resources during execution, comprising API import table accesses, file operations, process operations, registry operations, dynamic link library calls and hook function calls.
3. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that selecting the behaviors whose total frequency is not less than 3 as the behavior vector, as described in sub-step (3) of the first step, proceeds as follows:
(1) perform statistical analysis on the behavior information of every sample in the malicious code sample set, and use all behaviors that occur to form the initial feature set;
(2) compute, for each element of the initial feature set, the total frequency with which it occurs in the behavior information of all samples; sort the elements, remove those whose total frequency is 1 or 2, and use the remaining elements as the features that characterize malicious code samples.
4. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the concrete method for extracting the malicious code family gene codes from the sample set, as described in sub-step (6) of the first step, is:
1) sort the distances $d_{ij}$ (i < j) between malicious code samples in descending order, and take the median of the sorted results as the cutoff distance $d_c$;
2) use a Gaussian kernel function to compute the aggregation degree $\rho_i$ of each malicious code sample, which indicates how tightly the sample is surrounded by its neighboring samples; the formula is:
where $I_d$ is the set of indices of all malicious samples;
3) generate the index sequence of the malicious code samples sorted by aggregation degree in descending order
4) compute the difference degree of each malicious code sample, which represents the distance between this sample and the other samples with a larger aggregation degree; the formula is:
5) for each malicious code sample, compute its decision value as a family gene code; this decision value is the product of the sample's aggregation degree and its difference degree;
6) compare each sample's decision value with a preset threshold ε; if the decision value is greater than the threshold, the sample is judged to be a family gene code and is stored in the database.
5. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the concrete method for determining the class of a newly added malicious code sample from the match between its feature vector and the family gene codes, as described in sub-step (2) of the second step, is: match the feature vector of the new sample against each malicious code family gene code in the database to obtain a similarity value for each; if some similarity value is greater than the preset threshold, the sample is assigned to the malicious code family with the maximum similarity value; if no similarity value is greater than the preset threshold, the sample is assigned to a newly added malicious code family.
6. The rapid classification method for malicious code based on family gene codes according to claim 1, characterized in that the malicious code sample feature vectors formed in sub-step (4) of the first step are stored using an index matrix, which records only the positions of the feature-vector elements that are greater than 0 and less than 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410571621.5A CN104331436B (en) | 2014-10-23 | 2014-10-23 | The quick classifying method of malicious code based on family gene code |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104331436A true CN104331436A (en) | 2015-02-04 |
CN104331436B CN104331436B (en) | 2017-06-06 |
Family
ID=52406163
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410571621.5A Active CN104331436B (en) | 2014-10-23 | 2014-10-23 | The quick classifying method of malicious code based on family gene code |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104331436B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||