CN107273746A - A kind of mutation malware detection method based on APK character string features - Google Patents

A kind of mutation malware detection method based on APK character string features Download PDF

Info

Publication number
CN107273746A
Authority
CN
China
Prior art keywords
mutation
character string
apk
malware
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710352331.5A
Other languages
Chinese (zh)
Inventor
凌捷
王文冲
杨育斌
柳毅
覃晓宁
谢锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong University of Technology
Priority to CN201710352331.5A
Publication of CN107273746A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • G06F18/232Non-hierarchical techniques
    • G06F18/2321Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)

Abstract

The invention discloses a variant (mutation) malware detection method based on APK string features: the strings used in the APK are extracted; the extracted strings are converted into a feature vector, which serves as a fuzzy hash value; the fuzzy hash values are clustered with the k-means algorithm, using the Hamilton distance as the similarity measure, so that the samples in the virus database are reduced and variant malware can be detected. Compared with traditional fuzzy hash algorithms this method runs faster, greatly improves the detection speed and accuracy for variant samples, and is more resistant to interference.

Description

A kind of mutation malware detection method based on APK character string features
Technical field
The present invention relates to the field of malicious code detection on the Android platform, and in particular to a variant malware detection method based on APK string features.
Background technology
Malicious code has become one of the most serious security threats in today's computer systems. On the Android mobile platform, the number of malware samples grows every day.
According to McAfee Labs statistics for the second quarter of 2016, nearly 2 million new mobile malware samples were added, an increase of 14% over the first quarter, bringing the total to 11 million [Internet security threat report [EB/OL] http://www.mcafee.com/uk/resources/reports/rp-quarterly-threats-sep-2016.pdf].
Faced with such huge numbers, an efficient and fast method is needed to scan and detect large volumes of application software automatically. To achieve a high real-time detection speed, traditional commercial security software mostly extracts strings as signatures; during detection, the security software only needs to check directly whether the sample contains strings identical to the known signatures [Ye Y, Li T, Jiang Q, et al. CIMDS: Adapting Postprocessing Techniques of Associative Classification for Malware Detection [J]. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, 2010, 40(3): 298-307].
However, this string-based signature extraction method has a major defect: it is hard for it to detect polymorphic and metamorphic malware [Hosmer. Polymorphic and Metamorphic Malware [EB/OL] https://www.blackhat.com/presentations/bh-usa-08/Hosmer/BH_US_08_Hosmer_Polymorphic_Malware.pdf].
Therefore a method that is both fast and accurate is needed to detect malicious code.
At present, most detection methods identify malware by judging whether the signatures of the sample under test and of known samples are highly similar; such methods cannot predict unknown malicious code. Some scholars have proposed performing semantic analysis on application software and representing the calls between code units in the whole application as a graph. The documents [M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (Oakland '10), May 2010; C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and Efficient Malware Detection at the End Host. In Proceedings of the 18th Conference on USENIX Security Symposium, August 2009; K. Z. Chen, N. Johnson, V. D'Silva, S. Dai, K. MacNamara, T. Magrino, E. X. Wu, M. Rinard, and D. Song. Contextual Policy Enforcement in Android Applications with Permission Event Graphs. In Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS '13), February 2013] directly match the call graph of the application under test against the call graphs of malicious code held in a database, and report malware when they agree.
However, this exact-matching approach has difficulty resisting code obfuscation attacks [12] and cannot detect unknown malware. Many scholars have since improved on it: the document [13] proposes a method for measuring the similarity between API call graphs, which can effectively detect all kinds of polymorphic and metamorphic software. The documents [M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-Aware Malware Detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (Oakland '05), May 2005; Arzt S, Rasthofer S, Fritz C, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps [J]. ACM SIGPLAN Notices, 2014, 49(6): 259-269] use information tagging to track the flow of sensitive information through application code. The document [Yang W, Xiao X, Andow B, et al. AppContext: Differentiating malicious and benign mobile app behaviors using context [C] // 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. IEEE, 2015, 1: 303-313] uses the call graph to trace back the context in which sensitive behaviour is triggered.
However, call-graph analysis methods must analyse the logic of the whole file at detection time, which greatly reduces detection efficiency; for complicated call graphs in particular, the computational complexity rises sharply. Such methods are therefore not suited to today's huge volumes of virus samples.
The document [Allix K, Bissyandé T F, Jérome Q, et al. Empirical assessment of machine learning-based malware detectors for Android [J]. Empirical Software Engineering, 2016, 21(1): 183-211] uses machine learning to extract the permissions accessed by Android applications as features for malicious code detection. The document [Zhang Y, Pang J, Yue F, et al. Fuzzy neural network for malware detect [C] // Intelligent System Design and Engineering Application (ISDEA), 2010 International Conference on. IEEE, 2010, 1: 780-783] analyses malicious code behaviour with a neural network algorithm from data mining. The document [Wu D J, Mao C H, Wei T E, et al. DroidMat: Android malware detection through manifest and API calls tracing [C] // Information Security (Asia JCIS), 2012 Seventh Asia Joint Conference on. IEEE, 2012: 62-69] starts from a large body of sample data, extracts the features of known malware from it, and uses those features to detect new samples. The document [Arp D, Spreitzenbarth M, Hubner M, et al. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket [C] // NDSS. 2014] classifies applications of different types with the KNN algorithm according to features such as each application's execution permissions and API call flow. Later documents [Sundarkumar G G, Ravi V, Nwogu I, et al. Malware detection via API calls, topic models and machine learning [C] // 2015 IEEE International Conference on Automation Science and Engineering (CASE). IEEE, 2015: 1212-1217; Huang C Y, Tsai Y T, Hsu C H. Performance evaluation on permission-based detection for Android malware [M] // Advances in Intelligent Systems and Applications - Volume 2. Springer Berlin Heidelberg, 2013: 111-120] classify malware with the SVM algorithm.
However, these machine-learning methods extract features from a statistical angle and are prone to false positives. To detect malware efficiently and quickly, Smith et al. [Michael Smith. Identifying Malware with Byte Frequency Distribution and Context Triggered Piecewise Hashing. James Madison University Infosec Techreport, 2008.4] use a fuzzy hash algorithm to recognise malware of the same category. Xiao Zihang et al. [Xiao Zihang, Li Baisong, Xiao Xin. Malicious code detection system and method based on fuzzy hash algorithm: CN102811213A [P]. 2012] designed a complete cloud malware detection system around the ssdeep fuzzy hash algorithm.
But such methods can only detect similar files; once the file structure changes, detection fails. In view of this, the present invention starts from the variants of malware: targeting the Android mobile platform, it generates a fuzzy hash value from the string information contained in the APK and detects variant malware by computing the distances between fuzzy hash values.
The content of the invention
The object of the present invention is to overcome the deficiencies of the prior art and, in order to better protect the information security of Android platform users, to propose an Android variant malware detection method based on string features that can quickly scan large numbers of unknown samples and effectively detect variant samples.
The present invention generates a fuzzy hash value from the string information in the APK and uses it to detect variant malware. Each category of APK application has its own characteristic string information, and the strings an APK uses can be extracted by parsing its dex file. Different applications use different strings, but variant APKs of the same family only modify a small proportion of their strings and share a large number of identical strings with each other. The present invention therefore uses the degree of string similarity as a feature to recognise variant applications.
The present invention uses the fast string hashing algorithm djb2 [McKenzie et al. Selecting a Hashing Algorithm, SP&E 20(2): 209-224, Feb 1990]. Because this hash algorithm is implemented with bit operations, including shift and XOR operators, it performs very well when mapping strings to keys. Following the idea of a Bloom filter, each string is mapped to a coordinate of a vector, the coordinate being the key obtained by computing the djb2 hash of the string, and the value at each coordinate is the number of strings mapped to it. By this method an application is mapped to a feature vector, which is its fuzzy hash value, such that the distance between the fuzzy hash values of two similar applications is small and the distance between those of applications of different kinds is large.
When detecting variant malware, all fuzzy hash values in the known virus database are first clustered with a variant of the k-means algorithm, and each category is represented by its central point. This greatly reduces the size of the virus database and so improves detection speed. The present invention uses the Hamilton distance to measure the distance between two fuzzy hash values.
Specifically, the present invention provides a variant malware detection method based on APK string features, comprising the following steps:
Step 1: extract the strings used in the APK;
Step 2: convert the extracted strings into a feature vector, which is the fuzzy hash value;
Step 3: cluster the fuzzy hash values with the k-means algorithm, using the Hamilton distance as the similarity measure, to reduce the samples in the virus database and detect variant malware.
Specifically, in step 2, the hash value of each extracted string is computed with the hash function djb2(), and the entry of the feature vector at the position corresponding to that hash value is incremented by 1, giving the string feature vector of the APK.
Specifically, in step 3, the fuzzy hash values FH of the samples in the virus database are computed first and clustered with the k-means algorithm, and the centroid of each cluster represents all the other points in that category. When an unknown malware sample needs to be detected, only the distances between its fuzzy hash value and the centroids of the categories need to be computed; if a distance is below a certain threshold, the sample is a variant of that virus family.
The virus feature database used to detect variants is generated from the fuzzy hash values with the k-means algorithm as follows:
Input: number of variant families k; set of fuzzy hash values $\{FH_1, FH_2, \ldots, FH_N\}$, where N is the number of samples;
Output: virus sample feature database V;
1) Randomly select k cluster centroids $\mu_1, \mu_2, \ldots, \mu_k$;
2) Repeat the following procedure until convergence:
For each sample i, compute the family it belongs to:
$c_i := \arg\min_j D(FH_i, \mu_j)$
For each family j, recompute the centroid;
3) Add all centroids μ to the feature database V.
Specifically, when detecting each new sample, only the distances between its fuzzy hash value and the centroid of each variant family need to be computed; if the distance is below the maximum distance within that family, the new sample belongs to the family. After the new sample is added, the centroid μ of that family is recomputed. The algorithm is as follows:
Input: virus feature database V, new sample FH;
Output: updated virus feature database;
Compared with the prior art, the invention has the following advantages:
The method applies the idea of fuzzy hashing and maps the string information of an APK into the form of a feature vector, then detects variant malware by computing the distances between feature vectors. Compared with computing fuzzy hash values with ssdeep, this implementation is faster and more resistant to interference.
Brief description of the drawings
Fig. 1 is the flow chart of APK file string extraction according to the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawing and an illustrative embodiment.
The invention discloses a variant malware detection method based on APK string features which, referring to Fig. 1, specifically comprises the following steps:
Step 1: extract the strings used in the APK.
The dex file is first obtained by decompressing the APK and is then parsed. A dex file is in fact a sequence of data blocks of different structures joined end to end, as follows:
DEX Header: at the top of the file; records the attributes of the whole dex file.
String_ids: string data index; records the offset of each string in the data section.
Type_ids: type data index; records the string index of each type.
Proto_ids: prototype data index; records the method declaration string, the return type string and the parameter list.
Field_ids: field data index; records the owning class, type and name.
Method_ids: method data index; records the owning class name, method declaration and method name.
Class_defs: class definition index; records information about each class, including interfaces, superclass and class data offset.
Data: data section; holds the actual data of each class.
Link_data: link data section.
The two fields string_ids_size and string_ids_off in the DEX header record, respectively, the number of entries in the string table and the base address of the string table, i.e. the address of String_ids. Each entry in String_ids stores the actual offset of one string. Therefore, by traversing all entries in String_ids, all strings in the current APK can be obtained.
In the specific embodiment, the strings are located through the string information in the header; the analysis takes the classes.dex file described above as an example:
1) Find the number of string entries in String_ids from string_ids_size. For example, if its value is 0x14, there are 20 strings.
2) Find the offset of String_ids from string_ids_off. Its value is generally 0x70, meaning that DexStringId starts at 0x70.
3) Read 4 bytes of String_ids and interpret them as a (little-endian) hexadecimal number. For example, if the bytes are 6c 01 00 00, the address is 0x16c, which is the position of the first string.
4) Read the string at that address; each string ends with '\0'. For example, the bytes 0b 48 65 6c 6c 6f 20 57 6f 72 6c 64 00 have the value "Hello World\0", where 0b indicates 11 characters.
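As an added illustration of the four-step string extraction above (example code written for this page, not the patent's own implementation), the following Python parser walks the string_ids table of a dex file: it reads string_ids_size and string_ids_off from the header, follows each 4-byte little-endian offset to a string_data_item, decodes the ULEB128 length (0b for "Hello World") and reads the NUL-terminated bytes. The header field offsets 0x38 and 0x3C come from the dex format; the sample dex blob is constructed inline so the example runs offline and is not a real APK.

```python
import struct

# Offsets of the two string-table fields inside the 0x70-byte dex header
# (from the dex file format): string_ids_size at 0x38, string_ids_off at 0x3C.
HEADER_SIZE = 0x70
STRING_IDS_SIZE_OFF = 0x38
STRING_IDS_OFF_OFF = 0x3C


def read_uleb128(data, pos):
    """Decode an unsigned LEB128 integer at data[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def extract_dex_strings(dex):
    """Return every string in a dex file by walking its string_ids table.

    Each string_ids entry is a 4-byte little-endian offset to a string_data_item:
    a ULEB128 length (in UTF-16 code units), the MUTF-8 bytes, and a NUL byte.
    """
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    (count,) = struct.unpack_from("<I", dex, STRING_IDS_SIZE_OFF)
    (table_off,) = struct.unpack_from("<I", dex, STRING_IDS_OFF_OFF)
    strings = []
    for i in range(count):
        entry = table_off + 4 * i
        if entry + 4 > len(dex):
            raise ValueError("string_ids table runs past end of file")
        (data_off,) = struct.unpack_from("<I", dex, entry)
        if data_off >= len(dex):
            raise ValueError(f"string_ids[{i}] points past end of file")
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)          # strings are NUL-terminated
        # MUTF-8 differs from UTF-8 only for embedded NUL and supplementary
        # characters; ordinary identifiers decode the same, so utf-8 is used here.
        strings.append(dex[pos:end].decode("utf-8", errors="replace"))
    return strings


def build_sample_dex(strings):
    """Constructed, minimal dex-like blob for this example: a header carrying
    only the magic and the two string_ids fields, then the string_ids table,
    then the string data. It is not a valid dex (no checksum, map or other
    sections); it exists only so the parser can be exercised offline."""
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    table_off = HEADER_SIZE
    data_base = table_off + 4 * len(strings)
    table, data = bytearray(), bytearray()
    for s in strings:
        table += struct.pack("<I", data_base + len(data))
        # a one-byte ULEB128 length suffices for the short ASCII strings used here
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<I", header, STRING_IDS_SIZE_OFF, len(strings))
    struct.pack_into("<I", header, STRING_IDS_OFF_OFF, table_off)
    return bytes(header + table + data)


# Constructed sample: three strings of the kind found in a classes.dex.
SAMPLE_STRINGS = ["Hello World", "Lcom/example/MainActivity;", "onCreate"]
SAMPLE_DEX = build_sample_dex(SAMPLE_STRINGS)

if __name__ == "__main__":
    for s in extract_dex_strings(SAMPLE_DEX):
        print(repr(s))
```

The bounds checks on the table and data offsets matter in practice: a malformed or deliberately truncated dex must fail cleanly rather than make the extractor read past the buffer, since this parser runs on untrusted input.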
Step 2: convert all strings into a feature vector, which is the fuzzy hash value.
Here the present invention uses the hash algorithm djb2 to map all strings in the APK into one feature vector, so that the more identical strings two APKs contain, the smaller the distance between their feature vectors.
Let the set of strings in the APK be
$S = \{s_1, s_2, s_3, \ldots, s_n\}$
and let the hash function H(x) satisfy
$1 \le \mathrm{djb2}(s_i) \le m$
where m is the dimension of the string feature vector.
Each extracted string is hashed with the hash function djb2(), and the entry of the feature vector at the position corresponding to that hash value is incremented by 1, giving the string feature vector of the APK. The implementation is as follows:
Input: the APK's string set S
Output: feature vector SV
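The feature-vector construction of step 2, as an added example written for this page (not the patent's own code): djb2 in its shift-and-XOR form maps each string to a slot of an m-dimensional counter vector, one slot per string as in a counting Bloom filter with a single hash function, and two such vectors are compared by the sum of absolute coordinate differences. The page calls that distance the "Hamilton distance"; treating it as the L1 distance is this example's assumption, as are the vector dimension DIM = 256 and the three constructed string sets (a base app, a variant that alters two of its strings, and an unrelated app).

```python
DIM = 256  # m, the feature-vector dimension; a constructed choice for this example


def djb2(s):
    """Bernstein's djb2 in the shift-and-XOR form: h = (h * 33) XOR c per byte,
    kept to 32 bits."""
    h = 5381
    for c in s.encode("utf-8"):
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def fuzzy_hash(strings, dim=DIM):
    """Map an APK's string set S to its feature vector SV: every string raises
    the counter in the slot selected by its djb2 hash (slot = djb2(s) mod m),
    the counting-Bloom-filter idea the description refers to."""
    sv = [0] * dim
    for s in strings:
        sv[djb2(s) % dim] += 1
    return sv


def l1_distance(a, b):
    """Sum of absolute coordinate differences between two fuzzy hash values;
    this example assumes it is the 'Hamilton distance' the patent names."""
    if len(a) != len(b):
        raise ValueError("fuzzy hash values differ in dimension")
    return sum(abs(x - y) for x, y in zip(a, b))


# Constructed string sets standing in for the strings extracted from three dex files.
BASE_APP = [
    "Lcom/example/app/MainActivity;", "onCreate", "setContentView",
    "Landroid/content/SharedPreferences;", "getString", "user_token",
    "https://api.example.invalid/v1/sync", "Landroid/util/Log;",
]
# A variant that keeps six of the eight strings and changes two (a repackaged build).
VARIANT_APP = BASE_APP[:6] + ["https://api2.example.invalid/v1/sync", "Landroid/util/Base64;"]
# An unrelated application sharing no strings with the base app.
UNRELATED_APP = [
    "Lorg/sample/game/GameView;", "onDraw", "Landroid/graphics/Canvas;",
    "drawBitmap", "highscore", "Landroid/media/SoundPool;", "play", "level_%d",
]


def compare(strings_a, strings_b, dim=DIM):
    """Distance between the fuzzy hash values of two string sets."""
    return l1_distance(fuzzy_hash(strings_a, dim), fuzzy_hash(strings_b, dim))


if __name__ == "__main__":
    print("base vs variant  :", compare(BASE_APP, VARIANT_APP))
    print("base vs unrelated:", compare(BASE_APP, UNRELATED_APP))
```

Changing two strings moves at most two counters out and two in, so the base-to-variant distance is at most 4 regardless of m, while two unrelated sets of eight strings sit roughly 16 apart unless slots collide; the dimension m trades collision rate against vector size, and a threshold tuned on one family does not transfer to another, which is why step 3 derives the threshold per family.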
Step 3: detect variant malware using the fuzzy hash values.
The present invention first computes the fuzzy hash values FH of the samples in the virus database, clusters them with the k-means algorithm, and represents all points of each category by its centroid. When an unknown malware sample is to be detected, only the distances between its fuzzy hash value and the centroids of the categories need to be computed; if a distance is below a certain threshold, the sample is a variant of that virus family. There is thus no need to compute distances against all fuzzy hash values in the virus database, which greatly increases detection speed and compresses the storage of the virus database.
The virus feature database used to detect variants is generated from the fuzzy hash values with the k-means algorithm as follows:
Input: number of variant families k; set of fuzzy hash values $\{FH_1, FH_2, \ldots, FH_N\}$, where N is the number of samples;
Output: virus sample feature database V;
1) Randomly select k cluster centroids $\mu_1, \mu_2, \ldots, \mu_k$;
2) Repeat the following procedure until convergence:
For each sample i, compute the family it belongs to:
$c_i := \arg\min_j D(FH_i, \mu_j)$
For each family j, recompute the centroid;
3) Add all centroids μ to the feature database V.
Representing all samples of a family by its centroid greatly reduces the size of the feature database and so improves detection speed.
To detect each new sample, only the distances between its fuzzy hash value and the centroid of each variant family need to be computed; if the distance is below the maximum distance within that family, the new sample belongs to the family. After the new sample is added, the centroid μ of that family is recomputed. The algorithm is as follows:
Input: virus feature database V, new sample FH;
Output: updated virus feature database;
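The clustering and detection of step 3, as an added example written for this page (not the patent's code): k-means over fuzzy hash vectors with the L1 distance (assumed here to be the page's "Hamilton distance"), a feature database V that keeps each family's centroid μ_j together with the largest member-to-centroid distance as that family's threshold, and a detect() step that compares a new FH against the centroids only and folds a match into its family, recomputing μ_j. The eight-dimensional sample vectors are constructed for readability (a real vector has m entries), and farthest-point initialisation replaces the patent's random choice of initial centroids so that the output is deterministic.

```python
def l1_distance(a, b):
    """Sum of absolute coordinate differences between two fuzzy hash values;
    assumed in this example to be the 'Hamilton distance' the patent names."""
    return sum(abs(x - y) for x, y in zip(a, b))


def _mean(vectors):
    """Coordinate-wise mean, i.e. the patent's centroid formula for one family."""
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]


def kmeans(vectors, k, max_iter=100):
    """k-means over fuzzy hash values FH_1..FH_N with the L1 distance.

    Repeats c_i := argmin_j D(FH_i, mu_j), then mu_j := mean of {FH_i : c_i = j},
    until the assignment stops changing. The patent picks the k initial centroids
    at random; farthest-point initialisation is used here instead (this example's
    choice) so that the result is reproducible.
    """
    if not 0 < k <= len(vectors):
        raise ValueError("k must be between 1 and the number of samples")
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(l1_distance(v, c) for c in centroids))
        centroids.append(list(far))
    assignment = None
    for _ in range(max_iter):
        new_assignment = [min(range(k), key=lambda j: l1_distance(v, centroids[j]))
                          for v in vectors]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for j in range(k):
            members = [v for v, c in zip(vectors, assignment) if c == j]
            if members:                      # an empty cluster keeps its old centroid
                centroids[j] = _mean(members)
    return centroids, assignment


def build_feature_db(vectors, k):
    """Virus feature database V: for each family its centroid mu_j, its members,
    and its radius (largest member-to-centroid distance), which is the detection
    threshold the patent describes for that family."""
    centroids, assignment = kmeans(vectors, k)
    db = []
    for j, mu in enumerate(centroids):
        members = [list(v) for v, c in zip(vectors, assignment) if c == j]
        radius = max((l1_distance(v, mu) for v in members), default=0.0)
        db.append({"centroid": mu, "members": members, "radius": radius})
    return db


def detect(db, fh):
    """Compare a new sample's fuzzy hash FH with the family centroids only.

    Returns the index of the matching family, after folding the sample into it
    and recomputing mu_j and the radius, or None when the nearest centroid is
    farther away than its family's radius.
    """
    if not db:
        return None
    j = min(range(len(db)), key=lambda i: l1_distance(fh, db[i]["centroid"]))
    family = db[j]
    if l1_distance(fh, family["centroid"]) > family["radius"]:
        return None
    family["members"].append(list(fh))
    family["centroid"] = _mean(family["members"])
    family["radius"] = max(l1_distance(v, family["centroid"]) for v in family["members"])
    return j


# Constructed 8-dimensional fuzzy hash values: four samples from each of two families.
FAMILY_A = [[5, 0, 3, 0, 1, 0, 0, 2], [5, 0, 3, 0, 1, 0, 2, 2],
            [3, 0, 3, 0, 1, 0, 0, 2], [5, 0, 3, 0, 1, 0, 0, 4]]
FAMILY_B = [[0, 4, 0, 6, 0, 1, 3, 0], [0, 4, 0, 6, 0, 1, 3, 2],
            [0, 4, 2, 6, 0, 1, 3, 0], [0, 2, 0, 6, 0, 1, 3, 0]]
SAMPLES = FAMILY_A + FAMILY_B

if __name__ == "__main__":
    db = build_feature_db(SAMPLES, k=2)
    for j, fam in enumerate(db):
        print(f"family {j}: centroid={fam['centroid']} radius={fam['radius']}")
    print("new variant ->", detect(db, [4, 0, 3, 0, 1, 0, 1, 3]))   # 0: joins family A
    print("unrelated   ->", detect(db, [0, 0, 0, 7, 0, 0, 0, 0]))   # None
```

With the L1 distance the coordinate-wise median, not the mean, minimises the within-cluster distance; the mean is kept here because it is what the patent's centroid formula specifies. The radius threshold also means a family consisting of a single sample accepts only exact matches until more members are added, and every accepted sample widens the family, so a misclassified sample should be removed from V rather than left to drift the centroid.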
The technical solution of the present invention extracts the string information of an APK by parsing it and maps each string to a value in a fixed range with the djb2 hash algorithm. Following the idea of a Bloom filter, all strings are mapped into one feature vector, giving a fuzzy hash value such that the distance between the fuzzy hash values of two similar applications is small and that between applications of different kinds is large. For variant malware detection, the fuzzy hash values generated from the known virus database are clustered with the k-means method, and the centroid of each cluster represents all other points in that category. When an unknown malware sample is to be detected, only the distances between its fuzzy hash value and the centroids need to be computed; if a distance is below a certain threshold, the sample is a variant of that virus family. Compared with traditional fuzzy hash algorithms the method runs faster, greatly improves the detection speed and accuracy for variant samples, and is more resistant to interference.
The above embodiment is one embodiment of the present invention, but embodiments of the present invention are not limited by it; any other changes, modifications, substitutions, combinations and simplifications made without departing from the spirit and principle of the present invention are equivalent substitutions and fall within the protection scope of the present invention.

Claims (4)

1. A variant (mutation) malware detection method based on APK string features, characterised in that:
Step 1: extract the strings used in the APK;
Step 2: convert the extracted strings into a feature vector, which is the fuzzy hash value;
Step 3: cluster the fuzzy hash values with the k-means algorithm, using the Hamilton distance as the measure of similarity between them, to reduce the samples in the virus database and detect variant malware.
2. The variant malware detection method based on APK string features according to claim 1, characterised in that in step 2 the hash value of each extracted string is computed with the hash function djb2(), and the entry of the feature vector at the position corresponding to that hash value is incremented by 1, giving the string feature vector of the APK.
3. The variant malware detection method based on APK string features according to claim 1, characterised in that in step 3 the fuzzy hash values FH of the samples in the virus database are computed first and clustered with the k-means algorithm, and the centroid of each cluster represents all the other points in that category; when an unknown malware sample needs to be detected, only the distances between its fuzzy hash value and the centroids of the categories need to be computed, and if a distance is below a certain threshold the sample is a variant of that virus family;
The virus feature database used to detect variants is generated from the fuzzy hash values with the k-means algorithm as follows:
Input: number of variant families k; set of fuzzy hash values $\{FH_1, FH_2, \ldots, FH_N\}$, where N is the number of samples;
Output: virus sample feature database V;
1) Randomly select k cluster centroids $\mu_1, \mu_2, \ldots, \mu_k$;
2) Repeat the following procedure until convergence:
For each sample i, compute the family it belongs to:
$c_i := \arg\min_j D(FH_i, \mu_j)$
For each family j, recompute the centroid:
$$\mu_j := \frac{\sum_{i=1}^{m} 1\{c_i = j\}\, FH_i}{\sum_{i=1}^{m} 1\{c_i = j\}}$$
3) Add all centroids μ to the feature database V.
4. The variant malware detection method based on APK string features according to claim 1, characterised in that in step 3, when detecting each new sample, only the distances between its fuzzy hash value and the centroid of each variant family need to be computed; if the distance is below the maximum distance within that family, the new sample belongs to the family; after the new sample is added, the centroid μ of that family is recomputed. The algorithm is as follows:
CN201710352331.5A 2017-05-18 2017-05-18 A kind of mutation malware detection method based on APK character string features Pending CN107273746A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710352331.5A CN107273746A (en) 2017-05-18 2017-05-18 A kind of mutation malware detection method based on APK character string features

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710352331.5A CN107273746A (en) 2017-05-18 2017-05-18 A kind of mutation malware detection method based on APK character string features

Publications (1)

Publication Number Publication Date
CN107273746A true CN107273746A (en) 2017-10-20

Family

ID=60065228

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710352331.5A Pending CN107273746A (en) 2017-05-18 2017-05-18 A kind of mutation malware detection method based on APK character string features

Country Status (1)

Country Link
CN (1) CN107273746A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107977574A (en) * 2017-12-19 2018-05-01 深圳豪客互联网有限公司 Viral recognition methods and device
CN108304719A (en) * 2018-02-05 2018-07-20 新疆大学 Android malicious code analysis and detection algorithm
CN109460386A (en) * 2018-10-29 2019-03-12 杭州安恒信息技术股份有限公司 The matched malicious file homology analysis method and device of Hash is obscured based on various dimensions
CN109858249A (en) * 2019-02-18 2019-06-07 暨南大学 The quick, intelligent comparison of mobile Malware big data and safety detection method
CN110135155A (en) * 2019-04-02 2019-08-16 上海大学 A kind of Windows Malware recognition methods based on fuzzy k nearest neighbor
CN110610084A (en) * 2018-06-15 2019-12-24 武汉安天信息技术有限责任公司 Dex file-based sample maliciousness determination method and related device
CN112487427A (en) * 2020-11-26 2021-03-12 网宿科技股份有限公司 Method, system and server for determining system white list
CN113434860A (en) * 2021-07-22 2021-09-24 安天科技集团股份有限公司 Virus detection method and device, computing equipment and storage medium
US11436331B2 (en) 2020-01-16 2022-09-06 AVAST Software s.r.o. Similarity hash for android executables

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103473506A (en) * 2013-08-30 2013-12-25 北京奇虎科技有限公司 Method and device of recognizing malicious APK files
US20150178306A1 (en) * 2012-09-03 2015-06-25 Tencent Technology (Shenzhen) Company Limited Method and apparatus for clustering portable executable files
CN104978526A (en) * 2015-06-30 2015-10-14 北京奇虎科技有限公司 Virus signature extraction method and apparatus
CN106228068A (en) * 2016-07-21 2016-12-14 江西师范大学 Android malicious code detecting method based on composite character

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107977574A (en) * 2017-12-19 2018-05-01 深圳豪客互联网有限公司 Virus identification method and device
CN108304719A (en) * 2018-02-05 2018-07-20 新疆大学 Android malicious code analysis and detection algorithm
CN108304719B (en) * 2018-02-05 2022-02-01 新疆大学 Android malicious code analysis and detection algorithm
CN110610084B (en) * 2018-06-15 2022-05-17 武汉安天信息技术有限责任公司 Dex file-based sample maliciousness determination method and related device
CN110610084A (en) * 2018-06-15 2019-12-24 武汉安天信息技术有限责任公司 Dex file-based sample maliciousness determination method and related device
CN109460386B (en) * 2018-10-29 2021-01-22 杭州安恒信息技术股份有限公司 Malicious file homology analysis method and device based on multi-dimensional fuzzy hash matching
CN109460386A (en) * 2018-10-29 2019-03-12 杭州安恒信息技术股份有限公司 Malicious file homology analysis method and device based on multi-dimensional fuzzy hash matching
CN109858249B (en) * 2019-02-18 2020-08-07 暨南大学 Rapid intelligent comparison and safety detection method for mobile malware big data
CN109858249A (en) * 2019-02-18 2019-06-07 暨南大学 Rapid intelligent comparison and safety detection method for mobile malware big data
CN110135155A (en) * 2019-04-02 2019-08-16 上海大学 Windows malware identification method based on fuzzy K-nearest neighbor
CN110135155B (en) * 2019-04-02 2023-02-10 上海大学 Windows malware identification method based on fuzzy K-nearest neighbor
US11436331B2 (en) 2020-01-16 2022-09-06 AVAST Software s.r.o. Similarity hash for android executables
CN112487427A (en) * 2020-11-26 2021-03-12 网宿科技股份有限公司 Method, system and server for determining system white list
CN113434860A (en) * 2021-07-22 2021-09-24 安天科技集团股份有限公司 Virus detection method and device, computing equipment and storage medium

Similar Documents

Publication Publication Date Title
CN107273746A (en) A kind of mutation malware detection method based on APK character string features
Li et al. Android malware clustering through malicious payload mining
Zhang et al. Familial clustering for weakly-labeled android malware using hybrid representation learning
Sahu et al. Network intrusion detection system using J48 Decision Tree
CN109784056B (en) Malicious software detection method based on deep learning
CN106228068B (en) Android malicious code detection method based on composite features
Gao et al. Android malware detection via graphlet sampling
Zhao et al. A review of computer vision methods in network security
CN105224600B (en) Sample similarity detection method and device
CN109614795B (en) Event-aware android malicious software detection method
CN105205397A (en) Rogue program sample classification method and device
Hu Large-scale malware analysis, detection, and signature generation
CN110363003A (en) Android virus static detection method based on deep learning
Ge et al. AMDroid: android malware detection using function call graphs
Zhong et al. Malware-on-the-brain: Illuminating malware byte codes with images for malware classification
Du et al. A static Android malicious code detection method based on multi‐source fusion
Li et al. Semi-supervised two-phase familial analysis of Android malware with normalized graph embedding
Wolfe et al. High precision screening for Android malware with dimensionality reduction
CN112329012A (en) Detection method for malicious PDF document containing JavaScript and electronic equipment
Liu et al. Multifamily classification of Android malware with a fuzzy strategy to resist polymorphic familial variants
Ali et al. Deep learning methods for malware and intrusion detection: A systematic literature review
Roseline et al. Android malware detection and classification using LOFO feature selection and tree-based models
Fang et al. Semi-supervised malware clustering based on the weight of bytecode and api
Wu et al. IoT malware classification based on reinterpreted function-call graphs
Kalysch et al. Tackling Android's native library malware with robust, efficient and accurate similarity measures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171020