CN107273746A - A kind of mutation malware detection method based on APK character string features - Google Patents
- Publication number: CN107273746A (application CN201710352331.5A)
- Authority: CN (China)
- Prior art keywords: mutation, character string, apk, malware
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/232—Non-hierarchical techniques
- G06F18/2321—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
- G06F18/23213—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention discloses a variant malware detection method based on APK string features: the strings used in an APK are extracted; the extracted strings are converted into a feature vector, which serves as a fuzzy hash value; the fuzzy hash values are clustered with the k-means algorithm, using the Hamilton distance as the similarity measure between them, so that the samples in the virus database are condensed and variant malware can be detected. Compared with traditional fuzzy hashing algorithms, the method runs faster, greatly improves the detection speed and accuracy on variant samples, and is more resistant to interference.
Description
Technical field
The present invention relates to the field of malicious code detection on the Android platform, and in particular to a variant malware detection method based on APK string features.
Background technology
Malicious code has become one of the most serious security threats in today's computer systems. On the Android mobile platform, the number of malware samples grows by the day.
According to McAfee Labs statistics for the second quarter of 2016, nearly 2 million new mobile malware samples were added, an increase of 14% over the first quarter, bringing the total to 11 million [Internet security threat report [EB/OL] http://www.mcafee.com/uk/resources/reports/rp-quarterly-threats-sep-2016.pdf].
Faced with numbers this large, an efficient and fast method is needed to scan and detect large volumes of application software automatically. To achieve a high real-time detection speed, traditional commercial security software mostly extracts strings as signatures. During detection, the security software then only needs to check directly whether the sample contains a string identical to a known signature [Ye Y, Li T, Jiang Q, et al. CIMDS: Adapting Postprocessing Techniques of Associative Classification for Malware Detection [J]. IEEE Transactions on Systems, Man & Cybernetics Part C: Applications & Reviews, 2010, 40(3): 298-307].
However, this string-based signature extraction method has a major weakness: it is very hard for it to detect polymorphic and metamorphic malware [Hosmer. Polymorphic Malware [EB/OL] https://www.blackhat.com/presentations/bh-usa-08/Hosmer/BH_US_08_Hosmer_Polymorphic_Malware.pdf].
A method that is both fast and accurate is therefore needed to detect malicious code.
Currently, most detection methods recognize malware by judging whether the signature of the sample to be detected is highly similar to that of a known sample, so they cannot predict unknown malicious code. Some scholars have proposed performing semantic analysis on application software and representing the call relationships between code throughout the whole application as a graph. The documents [M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (Oakland '10), May 2010; C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and Efficient Malware Detection at the End Host. In Proceedings of the 18th Conference on USENIX Security Symposium, August 2009; K. Z. Chen, N. Johnson, V. D'Silva, S. Dai, K. MacNamara, T. Magrino, E. X. Wu, M. Rinard, and D. Song. Contextual Policy Enforcement in Android Applications with Permission Event Graphs. In Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS '13), February 2013] directly match the call graph of the application to be detected against the call graphs in a malicious code database and report malware when they agree.
However, this exact-matching approach has difficulty resisting code obfuscation attacks [12], and it cannot detect unknown malware. Many scholars have therefore improved on it; among them, document [13] proposes a method of measuring the similarity between API call graphs, which can effectively detect all kinds of polymorphic and metamorphic software. The documents [M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-Aware Malware Detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (Oakland '05), May 2005; Arzt S, Rasthofer S, Fritz C, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps [J]. ACM SIGPLAN Notices, 2014, 49(6): 259-269] use taint tracking to follow the flow of sensitive information through the application code. Document [Yang W, Xiao X, Andow B, et al. AppContext: Differentiating malicious and benign mobile app behaviors using context [C] // 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. IEEE, 2015, 1: 303-313] uses the call graph to trace back the context in which sensitive behaviour is triggered.
However, call-graph analysis methods of this kind must analyze the logic of the entire file at detection time, which greatly reduces detection efficiency; when faced with complex call graphs in particular, their computational complexity rises sharply. Such methods are therefore not suited to today's huge volume of virus samples.
Document [Allix K, Bissyandé T F, Jérome Q, et al. Empirical assessment of machine learning-based malware detectors for Android [J]. Empirical Software Engineering, 2016, 21(1): 183-211] uses machine learning to extract the permission features of Android applications and applies them to malicious code detection. Document [Zhang Y, Pang J, Yue F, et al. Fuzzy neural network for malware detect [C] // Intelligent System Design and Engineering Application (ISDEA), 2010 International Conference on. IEEE, 2010, 1: 780-783] analyzes malicious code behaviour with the neural network algorithms of data mining. Document [Wu D J, Mao C H, Wei T E, et al. DroidMat: Android malware detection through manifest and API calls tracing [C] // Information Security (Asia JCIS), 2012 Seventh Asia Joint Conference on. IEEE, 2012: 62-69] extracts the features of known malware from a large body of sample data and uses these features to detect new samples. Document [Arp D, Spreitzenbarth M, Hubner M, et al. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket [C] // NDSS. 2014] classifies applications of different types with the KNN algorithm according to features such as the permissions requested and the API call flow of each application. The subsequent documents [Sundarkumar G G, Ravi V, Nwogu I, et al. Malware detection via API calls, topic models and machine learning [C] // 2015 IEEE International Conference on Automation Science and Engineering (CASE). IEEE, 2015: 1212-1217; Huang C Y, Tsai Y T, Hsu C H. Performance evaluation on permission-based detection for Android malware [M] // Advances in Intelligent Systems and Applications, Volume 2. Springer Berlin Heidelberg, 2013: 111-120] classify malware with the SVM algorithm.
However, these machine-learning methods extract features from a statistical perspective and are prone to false positives. To detect malware efficiently and quickly, Smith et al. [Michael Smith. Identifying Malware with Byte Frequency Distribution and Context Triggered Piecewise Hashing. James Madison University Infosec Techreport, 2008.4] use a fuzzy hashing algorithm to recognize and detect malware of the same category. Xiao Zihang et al. [Xiao Zihang, Li Baisong, Xiao Xin. Malicious code detection system and method based on fuzzy hashing algorithm: CN102811213A [P]. 2012] design a complete cloud malware detection system around the ssdeep fuzzy hashing algorithm.
But such methods can only detect similar files; once the file structure changes, detection fails. In view of this, the present invention targets variants of malware on the Android mobile platform: it generates a fuzzy hash value from the string information contained in the APK and detects variant malware by computing the distances between fuzzy hash values.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art and, in order to better protect the information security of Android platform users, to propose an Android variant malware detection method based on string features. The method can rapidly scan large numbers of unknown samples and effectively detect variant samples.
The present invention generates a fuzzy hash value from the string information in an APK and uses it to detect variant malware. Each category of APK application has its own characteristic string information; here, the strings used by an APK are extracted by parsing its dex file. Different applications use different strings, but variant APKs of the same kind modify only a small fraction of their strings and share a large number of identical strings with one another. The present invention therefore uses the similarity of the strings as the feature for recognizing variant applications.
The present invention uses the djb2 algorithm [McKenzie et al. Selecting a Hashing Algorithm, SP&E 20(2): 209-224, Feb 1990] to compute string hash values quickly. Because this hash algorithm is implemented with bit operations, including shift and XOR operators, it performs well when mapping strings to specific keys. Following the principle of a Bloom filter, each string is mapped to a random position in a vector, the coordinate being the key obtained from the djb2 hash computation above; the value of each coordinate in the vector represents the number of strings mapped to that position. By this method an application is mapped to a feature vector, namely its fuzzy hash value, such that the fuzzy hash values of two similar applications are close together and those of applications of different kinds are far apart.
When detecting variant malware, a variant of the k-means algorithm is first used to cluster all the fuzzy hash values in the known virus database, and each category is represented by its central point. This greatly reduces the size of the virus database and so improves detection speed. In the present invention, the Hamilton distance is used to measure the distance between two fuzzy hash values.
Specifically, the present invention provides a variant malware detection method based on APK string features, comprising the following steps:
Step 1: extract the strings used in the APK;
Step 2: convert the extracted strings into a feature vector, thereby generating a fuzzy hash value;
Step 3: cluster the fuzzy hash values with the k-means algorithm, using the Hamilton distance as the similarity measure between them, so as to condense the samples in the virus database and detect variant malware.
Specifically, in step 2, the hash value of each extracted string is computed with the hash function djb2(), and the entry of the feature vector at the position corresponding to that hash value is incremented by 1, giving the string feature vector of the APK.
Specifically, in step 3, the fuzzy hash values FH of the samples in the virus database are computed first and clustered with the k-means algorithm, and the centroid of each cluster is used to represent all the other points of that category. When unknown malware needs to be detected, only the distance between its fuzzy hash value and each category's centroid need be computed; when the distance is below a certain threshold, the malware is a variant of that category of virus.
The virus feature database used to detect variants is generated from the fuzzy hash values with the k-means algorithm, as follows:
Input: number of variant families k; set of fuzzy hash values $\{FH_1, FH_2, \ldots, FH_N\}$, where N is the number of samples;
Output: virus sample feature database V;
1) Randomly select k cluster centroids $\mu_1, \mu_2, \ldots, \mu_k$;
2) Repeat the following procedure until convergence:
for each sample i, compute the family it belongs to: $c_i := \arg\min_j D(FH_i - \mu_j)$;
for each family j, recompute the centroid;
3) Add all centroids μ to the feature database V.
Specifically, when each new sample is detected, only the distance between its fuzzy hash value and the centroid of each variant family need be computed; when the distance is less than the maximum distance within that variant family, the new sample belongs to that family. After the new sample is added, the centroid μ of that variant family is recomputed. The algorithm is as follows:
Input: virus feature database V, new sample FH;
Output: updated virus feature database;
Compared with the prior art, the invention has the following advantages:
The method applies the idea of fuzzy hashing and maps the string information of an APK into the form of a feature vector; variant malware is then detected by computing the distances between feature vectors. Compared with computing fuzzy hash values with ssdeep, this implementation is faster and more resistant to interference.
Brief description of the drawings
Fig. 1 is the flow chart of string extraction from an APK file in the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer and more definite, the invention is further described below with reference to the drawings and illustrative embodiments.
The invention discloses a variant malware detection method based on APK string features; with reference to Fig. 1, it specifically comprises the following steps:
Step 1: extract the strings used in the APK.
The APK is first decompressed to obtain the dex file, which is then parsed. A dex file is in fact a number of data blocks of different structure joined end to end, specifically:
DEX Header: the head of the file; records the attributes of the whole dex file.
String_ids: string data index; records the offset of each string in the data section.
Type_ids: type data index; records the string index of each type.
Proto_ids: prototype data index; records the method declaration string, the return type string and the parameter list.
Field_ids: field data index; records the owning class, type and name of each field.
Method_ids: class method index; records the owning class name, method declaration and method name of each method.
Class_defs: class definition index; records the various properties of each class, including its interfaces, superclass and class data offset.
Data: data section; holds the real data of each class.
Link_data: link data section.
The two fields string_ids_size and string_ids_off in the DEX Header record, respectively, the number of entries in the string table and the base address of the string table, i.e. the address of String_ids. Each entry in String_ids in turn holds the actual offset of one string. By walking every entry in String_ids, all the strings in the current APK can therefore be obtained.
In a specific embodiment, the strings are indexed according to the string information inside the header, analyzed here using the aforementioned classes.dex file as an example:
1) Find from string_ids_size how many string entries there are in String_ids. If its value is 0x14, there are 20 strings.
2) Read the offset of String_ids from string_ids_off; its value is usually 0x70, meaning the DexStringId table starts at 0x70.
3) Read 4 bytes from String_ids and convert them (little-endian) to a hexadecimal address. For instance, the value 6c 01 00 00 converts to the address 0x16c, which is the position of the first string.
4) Read the string at that offset; each string ends with '\0'. For example, the bytes 0b 48 65 6c 6c 6f 20 57 6f 72 6c 64 00 represent the value "Hello World" followed by the terminator 0, and the leading 0b indicates 11 characters.
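As an added illustration of the String_ids walk in step 1 (example code written for this page, not the patent's own implementation), the following Python parses the string table of a minimal DEX image constructed inline. It relies on the header field offsets 0x38 (string_ids_size) and 0x3C (string_ids_off) of the published DEX format, the ULEB128 length prefix and the NUL terminator; the 130-character sample string exercises a two-byte length prefix, and the bounds checks on the offsets are added for malformed files.

```python
import struct

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70            # string_ids normally starts right after the header
STRING_IDS_SIZE_OFF = 0x38    # header field: number of entries in string_ids
STRING_IDS_OFF_OFF = 0x3C     # header field: file offset of the string_ids table


def read_uleb128(buf, pos):
    """Decode a ULEB128 value at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:            # DEX limits ULEB128 to 5 bytes
            raise ValueError("malformed ULEB128")


def encode_uleb128(value):
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value == 0:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)


def read_string_data(buf, off):
    """Parse one string_data_item: ULEB128 UTF-16 length, MUTF-8 bytes, NUL terminator."""
    utf16_len, pos = read_uleb128(buf, off)
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError(f"unterminated string at {off:#x}")
    raw = buf[pos:end].replace(b"\xc0\x80", b"\x00")   # MUTF-8 encodes U+0000 as C0 80
    # Supplementary characters (CESU-8 surrogate pairs) are not handled here.
    return raw.decode("utf-8", errors="replace"), utf16_len


def extract_dex_strings(buf):
    """Step 1: walk every string_ids entry and return all strings in the DEX image."""
    if len(buf) < HEADER_SIZE or buf[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    count, = struct.unpack_from("<I", buf, STRING_IDS_SIZE_OFF)
    table_off, = struct.unpack_from("<I", buf, STRING_IDS_OFF_OFF)
    if table_off + 4 * count > len(buf):
        raise ValueError("string_ids table runs past the end of the file")
    strings = []
    for i in range(count):
        data_off, = struct.unpack_from("<I", buf, table_off + 4 * i)   # little-endian
        if data_off >= len(buf):
            raise ValueError(f"string_ids[{i}] points outside the file")
        text, _ = read_string_data(buf, data_off)
        strings.append(text)
    return strings


def build_sample_dex(strings, data_off=0x16C):
    """Constructed minimal DEX image: header, string_ids at 0x70, string_data at data_off
    (0x16C mirrors the worked example in the description). Not a loadable classes.dex."""
    image = bytearray(HEADER_SIZE)
    image[:8] = b"dex\n035\x00"
    struct.pack_into("<I", image, 0x24, HEADER_SIZE)
    struct.pack_into("<I", image, STRING_IDS_SIZE_OFF, len(strings))
    struct.pack_into("<I", image, STRING_IDS_OFF_OFF, HEADER_SIZE)
    data = bytearray()
    for s in strings:
        image += struct.pack("<I", data_off + len(data))
        units = len(s.encode("utf-16-le")) // 2          # length prefix counts UTF-16 units
        data += encode_uleb128(units) + s.encode("utf-8") + b"\x00"
    if len(image) > data_off:
        raise ValueError("string_ids table overlaps the string data")
    image += b"\x00" * (data_off - len(image)) + data
    struct.pack_into("<I", image, 0x20, len(image))     # file_size
    return bytes(image)


# Constructed input: an ASCII string, a class descriptor, and a 130-character string
# whose length needs a two-byte ULEB128 prefix (82 01).
SAMPLE_STRINGS = ["Hello World", "Lcom/example/MainActivity;", "x" * 130]

if __name__ == "__main__":
    image = build_sample_dex(SAMPLE_STRINGS)
    for s in extract_dex_strings(image):
        print(repr(s))
```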
Step 2: convert all the strings into a feature vector, thereby generating a fuzzy hash value.
Here, the present invention uses the hash algorithm djb2 to map all the strings in an APK into one feature vector, so that the more identical strings two APKs contain, the smaller the distance between their corresponding feature vectors.
Let the set of strings in the APK be
$S = \{s_1, s_2, s_3, \ldots, s_n\}$
and let the hash function be H(x), satisfying
$1 \le \mathrm{djb2}(s_i) \le m$
where m is the dimension of the string feature vector.
For each extracted string, its hash value is computed with the hash function djb2(), and the entry of the feature vector at the position corresponding to that hash value is incremented by 1, giving the string feature vector of the APK. The implementation is as follows:
Input: the APK's set of strings S
Output: feature vector SV
Step 3: detect variant malware using the fuzzy hash values.
The present invention first computes the fuzzy hash values FH of the samples in the virus database, clusters them with the k-means algorithm, and uses the centroid of each cluster to represent all the other points of that category. When unknown malware needs to be detected, only the distance between its fuzzy hash value and each category's centroid need be computed; when the distance is below a certain threshold, the malware is a variant of that category of virus. There is thus no need to compute distances against every fuzzy hash value in the virus database, which greatly increases detection speed and compresses the storage space of the virus database.
The virus feature database used to detect variants is generated from the fuzzy hash values with the k-means algorithm, as follows:
Input: number of variant families k; set of fuzzy hash values $\{FH_1, FH_2, \ldots, FH_N\}$, where N is the number of samples;
Output: virus sample feature database V;
1) Randomly select k cluster centroids $\mu_1, \mu_2, \ldots, \mu_k$;
2) Repeat the following procedure until convergence:
for each sample i, compute the family it belongs to: $c_i := \arg\min_j D(FH_i - \mu_j)$;
for each family j, recompute the centroid;
3) Add all centroids μ to the feature database V.
Representing all the samples of a whole family by its centroid significantly reduces the size of the feature database and so improves detection speed.
To detect each new sample, only the distance between its fuzzy hash value and the centroid of each variant family need be computed; when the distance is less than the maximum distance within that variant family, the new sample belongs to that family. After the new sample is added, the centroid μ of that variant family is recomputed. The algorithm is as follows:
Input: virus feature database V, new sample FH;
Output: updated virus feature database;
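The following Python is an added example (not the patent's code) that carries steps 2 and 3 through on constructed data: djb2 maps each string to a coordinate of an m-dimensional count vector (m = 16384 here, an assumed value), a k-means with L1 distance builds the family centroids and radii, and a new sample is matched against the nearest centroid and absorbed into the family when it lies within that family's maximum member distance. Two assumptions are labelled in the code: the patent's "Hamilton distance" is taken as the L1 distance, and the initial centroids are chosen farthest-first rather than purely at random; the two families and the new variant are constructed class-name string sets.

```python
import random

M = 16384  # feature-vector dimension m (assumed; the patent leaves m unspecified)

def djb2(s):
    """djb2 string hash (h = h * 33 + c), truncated to 32 bits."""
    h = 5381
    for b in s.encode("utf-8"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h

def fuzzy_hash(strings, m=M):
    """Step 2: count vector; coordinate djb2(s) mod m is incremented for every string s."""
    vec = [0] * m
    for s in strings:
        vec[djb2(s) % m] += 1
    return vec

def l1_distance(a, b):
    """Distance D between fuzzy hash values; the patent's 'Hamilton distance' taken as L1 (assumption)."""
    return sum(abs(x - y) for x, y in zip(a, b))

def centroid(vectors):
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]

def kmeans(samples, k, max_iter=100, seed=0):
    """k-means over fuzzy hash values with L1 distance.
    Seeding is farthest-first (one random sample, then the sample farthest from the chosen
    centroids) so two separated families cannot share a seed; the patent only says the k
    initial centroids are chosen randomly."""
    rng = random.Random(seed)
    centroids = [list(rng.choice(samples))]
    while len(centroids) < k:
        far = max(samples, key=lambda v: min(l1_distance(v, c) for c in centroids))
        centroids.append(list(far))
    assign = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: l1_distance(v, centroids[j])) for v in samples]
        if new == assign:          # converged: no sample changed family
            break
        assign = new
        for j in range(k):
            members = [v for v, c in zip(samples, assign) if c == j]
            if members:
                centroids[j] = centroid(members)
    return centroids, assign

def build_feature_db(samples, k, seed=0):
    """Step 3: cluster the virus database; keep one centroid and one radius per family."""
    centroids, assign = kmeans(samples, k, seed=seed)
    db = []
    for j, mu in enumerate(centroids):
        members = [v for v, c in zip(samples, assign) if c == j]
        radius = max((l1_distance(v, mu) for v in members), default=0.0)
        db.append({"centroid": mu, "radius": radius, "members": members})
    return db, assign

def detect(db, fh):
    """Match fh against the nearest family centroid: (family index, distance) when fh lies
    within that family's maximum member distance, else (None, distance). On a match the
    sample joins the family and the centroid and radius are recomputed."""
    j = min(range(len(db)), key=lambda i: l1_distance(fh, db[i]["centroid"]))
    d = l1_distance(fh, db[j]["centroid"])
    if d > db[j]["radius"]:        # caveat: a one-sample family has radius 0 and never matches
        return None, d
    fam = db[j]
    fam["members"].append(fh)
    fam["centroid"] = centroid(fam["members"])
    fam["radius"] = max(l1_distance(v, fam["centroid"]) for v in fam["members"])
    return j, d

# Constructed sample data: two families of 20 class-name strings each; variants rename a few.
def mutate(base, indices, tag):
    out = list(base)
    for i in indices:
        out[i] = f"{tag}/Renamed{i};"
    return out

FAMILY_A = [f"Lcom/example/alpha/Cls{i};" for i in range(20)]
FAMILY_B = [f"Lorg/example/beta/Cls{i};" for i in range(20)]
SAMPLES = [
    FAMILY_A,
    mutate(FAMILY_A, range(0, 2), "Lcom/example/alpha"),
    mutate(FAMILY_A, range(2, 10), "Lcom/example/alpha"),
    FAMILY_B,
    mutate(FAMILY_B, range(0, 3), "Lorg/example/beta"),
    mutate(FAMILY_B, range(5, 9), "Lorg/example/beta"),
]
NEW_VARIANT = mutate(FAMILY_A, [10], "Lcom/example/alpha")    # one more rename of family A
UNRELATED = [f"Lnet/example/gamma/Cls{i};" for i in range(20)]  # shares no strings

if __name__ == "__main__":
    db, assign = build_feature_db([fuzzy_hash(s) for s in SAMPLES], k=2)
    print("family assignments:", assign)
    print("new variant:", detect(db, fuzzy_hash(NEW_VARIANT)))
    print("unrelated app:", detect(db, fuzzy_hash(UNRELATED)))
```

With the constructed families the new variant lies about 8.7 from its family centroid against a family radius of 12, while the unrelated app is roughly 40 away from either centroid and is rejected.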
The technical solution adopted in the present invention extracts the string information in an APK by parsing and maps it with the djb2 hash algorithm to values in a certain range. Combined with the idea of a Bloom filter, all the strings are mapped into one feature vector, generating a fuzzy hash value such that the fuzzy hash values of two similar applications are close together and those of applications of different kinds are far apart. For variant malware detection, the fuzzy hash values produced from the known virus database are clustered with the k-means method, and the centroid of each cluster represents all the other points of that category. When unknown malware needs to be detected, only the distance between its fuzzy hash value and each category's centroid need be computed; when the distance is below a certain threshold, the malware is a variant of that category of virus. Compared with traditional fuzzy hashing algorithms, the method runs faster, greatly improves the detection speed and accuracy on variant samples, and is more resistant to interference.
The above embodiment is one embodiment of the present invention, but the embodiments of the present invention are not limited by it; any other changes, modifications, substitutions, combinations or simplifications made without departing from the spirit and principle of the present invention are to be regarded as equivalent substitutions and are included within the scope of protection of the present invention.
Claims (4)
1. A variant malware detection method based on APK string features, characterized in that:
Step 1: the strings used in the APK are extracted;
Step 2: the extracted strings are converted into a feature vector, thereby generating a fuzzy hash value;
Step 3: the fuzzy hash values are clustered with the k-means algorithm, using the Hamilton distance as the similarity measure between them, so as to condense the samples in the virus database and detect variant malware.
2. The variant malware detection method based on APK string features according to claim 1, characterized in that: in step 2, the hash value of each extracted string is computed with the hash function djb2(), and the entry of the feature vector at the position corresponding to that hash value is incremented by 1, giving the string feature vector of the APK.
3. The variant malware detection method based on APK string features according to claim 1, characterized in that: in step 3, the fuzzy hash values FH of the samples in the virus database are computed first and clustered with the k-means algorithm, and the centroid of each cluster is used to represent all the other points of that category; when unknown malware needs to be detected, only the distance between its fuzzy hash value and each category's centroid need be computed, and when the distance is below a certain threshold, the malware is a variant of that category of virus;
the virus feature database used to detect variants is generated from the fuzzy hash values with the k-means algorithm, as follows:
Input: number of variant families k; set of fuzzy hash values $\{FH_1, FH_2, \ldots, FH_N\}$, where N is the number of samples;
Output: virus sample feature database V;
1) Randomly select k cluster centroids $\mu_1, \mu_2, \ldots, \mu_k$;
2) Repeat the following procedure until convergence:
for each sample i, compute the family it belongs to: $c_i := \arg\min_j D(FH_i - \mu_j)$;
for each family j, recompute the centroid:
$\mu_j := \dfrac{\sum_{i=1}^{m} 1\{c_i = j\}\, FH_i}{\sum_{i=1}^{m} 1\{c_i = j\}};$
3) Add all centroids μ to the feature database V.
4. The variant malware detection method based on APK string features according to claim 1, characterized in that: in step 3, when each new sample is detected, only the distance between its fuzzy hash value and the centroid of each variant family need be computed; when the distance is less than the maximum distance within that variant family, the new sample belongs to that family; after the new sample is added, the centroid μ of that variant family is recomputed. The algorithm is as follows:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710352331.5A CN107273746A (en) | 2017-05-18 | 2017-05-18 | A kind of mutation malware detection method based on APK character string features |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107273746A true CN107273746A (en) | 2017-10-20 |
Family
ID=60065228
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710352331.5A Pending CN107273746A (en) | 2017-05-18 | 2017-05-18 | A kind of mutation malware detection method based on APK character string features |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107273746A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107977574A (en) * | 2017-12-19 | 2018-05-01 | 深圳豪客互联网有限公司 | Viral recognition methods and device |
CN108304719A (en) * | 2018-02-05 | 2018-07-20 | 新疆大学 | Android malicious code analysis and detection algorithm |
CN109460386A (en) * | 2018-10-29 | 2019-03-12 | 杭州安恒信息技术股份有限公司 | The matched malicious file homology analysis method and device of Hash is obscured based on various dimensions |
CN109858249A (en) * | 2019-02-18 | 2019-06-07 | 暨南大学 | The quick, intelligent comparison of mobile Malware big data and safety detection method |
CN110135155A (en) * | 2019-04-02 | 2019-08-16 | 上海大学 | A kind of Windows Malware recognition methods based on fuzzy k nearest neighbor |
CN110610084A (en) * | 2018-06-15 | 2019-12-24 | 武汉安天信息技术有限责任公司 | Dex file-based sample maliciousness determination method and related device |
CN112487427A (en) * | 2020-11-26 | 2021-03-12 | 网宿科技股份有限公司 | Method, system and server for determining system white list |
CN113434860A (en) * | 2021-07-22 | 2021-09-24 | 安天科技集团股份有限公司 | Virus detection method and device, computing equipment and storage medium |
US11436331B2 (en) | 2020-01-16 | 2022-09-06 | AVAST Software s.r.o. | Similarity hash for android executables |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103473506A (en) * | 2013-08-30 | 2013-12-25 | 北京奇虎科技有限公司 | Method and device of recognizing malicious APK files |
US20150178306A1 (en) * | 2012-09-03 | 2015-06-25 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for clustering portable executable files |
CN104978526A (en) * | 2015-06-30 | 2015-10-14 | 北京奇虎科技有限公司 | Virus signature extraction method and apparatus |
CN106228068A (en) * | 2016-07-21 | 2016-12-14 | 江西师范大学 | Android malicious code detecting method based on composite character |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150178306A1 (en) * | 2012-09-03 | 2015-06-25 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for clustering portable executable files |
CN103473506A (en) * | 2013-08-30 | 2013-12-25 | 北京奇虎科技有限公司 | Method and device of recognizing malicious APK files |
CN104978526A (en) * | 2015-06-30 | 2015-10-14 | 北京奇虎科技有限公司 | Virus signature extraction method and apparatus |
CN106228068A (en) * | 2016-07-21 | 2016-12-14 | 江西师范大学 | Android malicious code detecting method based on composite character |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107977574A (en) * | 2017-12-19 | 2018-05-01 | 深圳豪客互联网有限公司 | Viral recognition methods and device |
CN108304719A (en) * | 2018-02-05 | 2018-07-20 | 新疆大学 | Android malicious code analysis and detection algorithm |
CN108304719B (en) * | 2018-02-05 | 2022-02-01 | 新疆大学 | Android malicious code analysis and detection algorithm |
CN110610084B (en) * | 2018-06-15 | 2022-05-17 | 武汉安天信息技术有限责任公司 | Dex file-based sample maliciousness determination method and related device |
CN110610084A (en) * | 2018-06-15 | 2019-12-24 | 武汉安天信息技术有限责任公司 | Dex file-based sample maliciousness determination method and related device |
CN109460386B (en) * | 2018-10-29 | 2021-01-22 | 杭州安恒信息技术股份有限公司 | Malicious file homology analysis method and device based on multi-dimensional fuzzy hash matching |
CN109460386A (en) * | 2018-10-29 | 2019-03-12 | 杭州安恒信息技术股份有限公司 | Malicious file homology analysis method and device based on multi-dimensional fuzzy hash matching |
CN109858249B (en) * | 2019-02-18 | 2020-08-07 | 暨南大学 | Rapid intelligent comparison and safety detection method for mobile malicious software big data |
CN109858249A (en) * | 2019-02-18 | 2019-06-07 | 暨南大学 | Rapid intelligent comparison and safety detection method for mobile malware big data |
CN110135155A (en) * | 2019-04-02 | 2019-08-16 | 上海大学 | A kind of Windows Malware recognition methods based on fuzzy k nearest neighbor |
CN110135155B (en) * | 2019-04-02 | 2023-02-10 | 上海大学 | Fuzzy K neighbor-based Windows malicious software identification method |
US11436331B2 (en) | 2020-01-16 | 2022-09-06 | AVAST Software s.r.o. | Similarity hash for android executables |
CN112487427A (en) * | 2020-11-26 | 2021-03-12 | 网宿科技股份有限公司 | Method, system and server for determining system white list |
CN113434860A (en) * | 2021-07-22 | 2021-09-24 | 安天科技集团股份有限公司 | Virus detection method and device, computing equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107273746A (en) | A kind of mutation malware detection method based on APK character string features | |
Li et al. | Android malware clustering through malicious payload mining | |
Zhang et al. | Familial clustering for weakly-labeled android malware using hybrid representation learning | |
Sahu et al. | Network intrusion detection system using J48 Decision Tree | |
CN109784056B (en) | Malicious software detection method based on deep learning | |
CN106228068B (en) | Android malicious code detecting method based on composite character | |
Gao et al. | Android malware detection via graphlet sampling | |
Zhao et al. | A review of computer vision methods in network security | |
CN105224600B (en) | A kind of detection method and device of Sample Similarity | |
CN109614795B (en) | Event-aware android malicious software detection method | |
CN105205397A (en) | Rogue program sample classification method and device | |
Hu | Large-scale malware analysis, detection, and signature generation | |
CN110363003A (en) | A kind of Android virus static detection method based on deep learning | |
Ge et al. | AMDroid: android malware detection using function call graphs | |
Zhong et al. | Malware-on-the-brain: Illuminating malware byte codes with images for malware classification | |
Du et al. | A static Android malicious code detection method based on multi‐source fusion | |
Li et al. | Semi-supervised two-phase familial analysis of Android malware with normalized graph embedding | |
Wolfe et al. | High precision screening for Android malware with dimensionality reduction | |
CN112329012A (en) | Detection method for malicious PDF document containing JavaScript and electronic equipment | |
Liu et al. | Multifamily classification of Android malware with a fuzzy strategy to resist polymorphic familial variants | |
Ali et al. | Deep learning methods for malware and intrusion detection: A systematic literature review | |
Roseline et al. | Android malware detection and classification using LOFO feature selection and tree-based models | |
Fang et al. | Semi-supervised malware clustering based on the weight of bytecode and api | |
Wu et al. | IoT malware classification based on reinterpreted function-call graphs | |
Kalysch et al. | Tackling Android's native library malware with robust, efficient and accurate similarity measures | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20171020 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |