CN103500307A - Mobile internet malignant application software detection method based on behavior model - Google Patents

Publication number
CN103500307A
Authority
CN
China
Application number
CN201310444710.9A
Other languages
Chinese (zh)
Inventor
李祺
郭燕慧
徐国爱
李承泽
董航
Original Assignee
北京邮电大学
Application filed by 北京邮电大学
Priority to CN201310444710.9A
Publication of CN103500307A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06N COMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computer systems based on biological models
    • G06N3/02 Computer systems based on biological models using neural network models
    • G06N3/08 Learning methods

Abstract

The invention provides a method for detecting malicious mobile Internet application software based on a behavior model. The method comprises the following steps: (1) the mobile Internet application software to be detected is analyzed with a Hidden Markov Model to obtain the similarity of the current software to each basic software operation type, and these similarities form a similarity vector; (2) the similarity vector is cleaned up to obtain a type detection vector; (3) a non-malicious behavior model is built offline with a neural-network-based method, and the trained model is then used in online testing to judge whether the current application software is malicious.

Description

A mobile Internet malicious application software detection method based on a behavior model

Technical field

The present invention relates to a method for detecting malicious mobile Internet application software, and more specifically to such a method based on a behavior model. It belongs to the field of information security technology concerned with analyzing the maliciousness of application software in the mobile Internet environment.

Background

With the arrival of the mobile Internet era, mobile intelligent terminals have become more and more powerful and more and more widespread. In addition, 3G and even 4G mobile networks are being promoted worldwide, and high-speed mobile networks provide the environment for smartphone applications. Users have begun to consume applications such as music, electronic products, films, maps and games on mobile intelligent terminals, and also use them to communicate, for example through social networks such as Facebook, Twitter and microblogs. However, a large number of terminal software products and applications also means a large number of security risks, and attacks of all kinds against terminal devices began to appear after 2004. The security threats and risks that mobile intelligent terminals currently face fall into three main categories: first, vulnerabilities in the system or software itself; second, malware (viruses, Trojans, etc.); third, illegal content or services. The specific potential hazards include leakage of personal privacy, theft of personal identity, application security, location tracking, mobile phone viruses, information theft, and service applications that contain security vulnerabilities.

Research on mobile intelligent terminal security is a relatively new direction, and as the number of mobile device users keeps growing it will become a focus of the network security field. At present there is little research in this area at home or abroad. It mainly comprises research on policies and regulations and technical research, and the technical research divides into two parts. One part seeks security solutions at the hardware level, on the view that purely software solutions cannot cope with the various threats from complex mobile networks; researchers at home and abroad now hope to find solutions at the hardware level, and the emergence of trusted computing offers a new approach to terminal security. On the software side, network security vendors such as Symantec, Kaspersky and Trend Micro have all begun to work on security solutions for intelligent mobile terminals, and domestic vendors such as Rising have also begun research on related products, but the technology is still immature.

Mobile intelligent terminals have run into the same security problems as traditional computers: viruses, malicious programs, Trojans and the like have begun to appear on terminals and have caused terminal users considerable harm, for example devices running slowly or even crashing, and unexplained increases in charges. Moreover, as handheld terminal devices become the center of people's information, the information stored on them grows in both volume and importance; if a device is lost or misused by others, the consequences are hard to imagine. Terminal security therefore cannot be ignored, and given the many threats now coming from all sides, software solutions involve numerous technologies.

In the field of intelligent mobile terminal security, the key technologies involved in software solutions include confidentiality of critical data, file access control, intelligent anti-theft, malicious program detection, and software update and optimization. The main solutions at home and abroad for the security of handheld intelligent terminal devices currently include: Symantec Mobile Security for Symbian, Kaspersky mobile edition 7.0, F-Secure Mobile Security, Trend Micro's mobile security product, Germany's G-Data, Avira, Panda, McAfee Mobile Security, Qihoo, and Rising Antivirus mobile edition.

The internationally known anti-virus testing organization AV-Comparatives released its manual malware scan test report for antivirus software in September. The test system and environment were last updated on August 12. In this test, Germany's G-Data took first place with a high percentage of 99.7%, Avira and Panda ranked second and third respectively, and F-Secure followed closely, slightly behind, in fourth place with 99.3%. Although the domestic product Qihoo entered the second tier, it uses the Avira engine, the BD engine and its own engine, so its number of missed detections is essentially close to Avira's, while its number of false positives is far higher than Avira's and its scanning speed is also much slower than Avira's.

Among these products, the technology of the foreign products is relatively mature, but their functionality is incomplete and their efficiency needs improvement. According to their product descriptions, all of them can detect malicious programs such as viruses and Trojans, and can also protect files, e-mail messages and the like. However, the principle these products use to find and remove malicious programs is virus signature detection, that is, identifying a malicious program by examining attributes of files and similar objects. This is the approach used for virus removal on computers. Its drawbacks are that it cannot detect unknown viruses and that it requires virus database updates, which is a huge challenge for terminal devices with slow processors and limited resources, so further research is needed. Domestic products are still at the free-download trial stage, and many key technologies are not yet mature.

In summary, mobile Internet application software plays an increasingly important role in people's lives, while methods for detecting malicious mobile Internet application software are not yet mature. How to detect malicious mobile Internet application software comprehensively and effectively has therefore become a new problem of concern to practitioners in the field.

Summary of the invention

In view of this, the purpose of the present invention is to provide a mobile Internet malicious application software detection method based on a behavior model. When this method is used to detect malicious mobile Internet application software, only non-malicious software behavior needs to be modeled. The model is nested in two layers: the lower layer is a hidden Markov model and the upper layer is a neural network model. Because non-malicious behavior in the mobile Internet environment is easier to define than malicious behavior, analysis of malicious application software with this method is more comprehensive and effective.

To achieve the above purpose, the invention provides a mobile Internet malicious application software detection method based on a behavior model, characterized in that the method comprises the following steps:

(1) analyze the mobile Internet application software to be detected with a Hidden Markov Model (HMM) to obtain the similarity of the current program to each behavior type, forming a similarity vector;

(2) clean up the similarity vector to obtain the type detection vector;

(3) first, in offline training, build an overall model of non-malicious behavior with a neural-network-based method; then, using the trained model, judge by online testing whether the current application software is malicious.

Step (1) further comprises the following operations:

(11) run the mobile Internet application software to be analyzed, monitor its behavior, and segment the data by a set duration, dividing the behavioral data of the application into a sequence of behavior segments;

(12) extract the features of each behavior segment in the sequence: segment average CPU usage, segment average memory usage, segment privacy access count, segment Wi-Fi network usage time, segment 2G/3G network usage time, segment camera open count, segment location information acquisition, and segment device information acquisition;

(13) model and detect basic software operations with Hidden Markov Models: in training, the Baum-Welch algorithm is used to adjust the parameters of each Hidden Markov Model; once the model for each operation type has been obtained, the Viterbi algorithm is used to compute the similarity, that is, the maximum likelihood value, between the application under detection and each model, and the maximum likelihood values form the maximum likelihood value vector.

Step (12) further comprises the following operations:

(121) segment average CPU usage is the application's average per-second CPU usage within the monitoring period;

(122) segment average memory usage is the application's average per-second memory usage within the monitoring period;

(123) segment privacy access count is the total number of times the application accesses the user's address book, pictures and short messages within the monitoring period;

(124) segment network usage time is the time during which the application accesses the Wi-Fi network within the monitoring period;

(125) segment camera open count is the number of times the application opens the phone camera within the monitoring period;

(126) segment location information acquisition indicates whether the application obtained the user's location information within the monitoring period: the feature is 1 if it did and 0 if it did not;

(127) segment device information acquisition indicates whether the application obtained device information such as the IMEI number, baseband version or kernel version within the monitoring period: the feature is 1 if it did and 0 if it did not.

Step (13) further comprises the following operations:

(131) suppose N basic software operation types are to be modeled in total, and let the similarity (the maximum likelihood value) between the behavior of the application under detection and the i-th type be $c_i$. The maximum likelihood value vector of the application under detection is then $c = [c_1, c_2, \ldots, c_N]$.

Step (2) further comprises the following operations:

(21) if the similarity between the behavior of the application under detection and the i-th basic operation type is less than or equal to 1/N, the application is considered to match that operation type poorly, and to simplify subsequent analysis its similarity is set to 0. That is:

$$d_i = \begin{cases} c_i & \text{if } c_i > \frac{1}{N} \\ 0 & \text{if } c_i \le \frac{1}{N} \end{cases}$$

where $d_i$ is called the corrected value of the maximum likelihood value;

(22) the corrected values of the maximum likelihood values form the type detection vector:

Type detection vector $d = [d_1, d_2, \ldots, d_N]$

Step (3) further comprises the following operations:

(31) build a non-malicious behavior model for application software, expressed as:

$$y = \sum_{i=1}^{N} w_i - \theta$$

where $y$ denotes the output of the neural network, $w_i$ denotes the weight relating non-malicious behavior to each basic software operation type, and $\theta$ denotes the anomaly threshold;

(32) collect a large number of non-malicious application software samples and, in offline training, train the neural network on non-malicious behavior to obtain the weights relating non-malicious behavior to each basic software operation type and the threshold for malicious behavior;

(33) in online testing, feed the type detection vector of the current application software into the neural network; if the output of the neural network is greater than 0, the current application software is not malicious; if the output is less than 0, the current application software is malicious.

The present invention is a mobile Internet malicious application software detection method based on a behavior model. Its main technical innovation is that, by building a model of non-malicious behavior, it remedies a problem of earlier approaches that model malicious behavior: they cannot detect malicious behavior that is absent from the database. This is described in detail below.

First, most prior-art research chooses to model the behavior of malicious application software. For example, behaviors such as stealing a user's communication records or private files are regarded as malicious and modeled, and the application under detection is then judged as belonging to these categories or not. However, if a malicious behavior appears that was not defined in advance, such as leaking the user's geographic location, the existing schemes cannot make a correct judgment. The present invention instead models non-malicious behavior. Non-malicious behavior can be defined and enumerated more accurately and completely than malicious behavior, and the definition can be drawn entirely from everyday experience: for example, the normal behavior of mobile Internet application software usually comprises only online chat, file download, games, video viewing and the like. Defining non-malicious behavior is also more convenient than defining malicious behavior. The present invention therefore proposes modeling non-malicious behavior, which allows malicious mobile Internet application software to be detected more comprehensively and effectively.

In addition, many existing techniques build the non-malicious model by collecting non-malicious behavior data and modeling it directly. Because the data of non-malicious application software is also highly varied, this approach usually needs a very large training sample set, and the model easily fails to converge during training. The present invention therefore divides non-malicious behavior further into basic software operation types; for example, the non-malicious behavior model is composed of basic operation types such as web browsing, video viewing, downloading and navigation. These basic operation types are trained separately, and the upper-layer neural network model is used to learn how they combine in software behavior. In this way a reasonably comprehensive and reliable model can be trained without collecting too many samples, which makes the method faster, more accurate and more practical, and able to meet the developing needs of mobile Internet malicious application software detection.

Brief description of the drawings

Fig. 1 is a flow chart of the steps of the behavior-model-based mobile Internet malicious application software detection of the present invention.

Fig. 2 is a flow chart of how the similarity vector is formed in step (1) of the method.

Fig. 3 is a flow chart of the training of the non-malicious behavior model in the method.

Fig. 4 is a flow chart of how step (3) of the method judges whether the application software under detection is malicious.

Embodiments

To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and the test results of an embodiment.

The present invention is a mobile Internet malicious application software detection method based on a behavior model. The method first runs the application software to be detected and extracts feature parameters over a period of its execution, then compares these parameters against the hidden Markov models of several basic software operation types to obtain a similarity vector. The similarity vector is then given simple processing. Finally, the result is analyzed with the non-malicious behavior model to judge whether the application software under detection is malicious. When detecting malicious application software, the invention overcomes two weaknesses of the prior art: incomplete definitions of malicious behavior and excessively large training data sets.

Referring to Fig. 1, the following describes the steps of the method of the present invention for analyzing malicious application software according to a behavior model, together with the embodiment and its simulation:

Step 1: analyze the mobile Internet application software to be detected with a Hidden Markov Model (HMM) to obtain the similarity of the current program to each behavior type, forming a similarity vector.

Referring to Fig. 2, step 1 comprises the following operations:

(11) Run the mobile Internet application software to be analyzed, monitor its behavior, and record its behavioral features over a fairly long period. Segment the data by a set duration, dividing the behavioral data of the application into a sequence of behavior segments. In the verification process, the total monitoring time for each application was about 1-2 hours, and each segment lasted 300 s.

(12) Extract the features of each behavior segment in the sequence: segment average CPU usage, segment average memory usage, segment privacy access count, segment Wi-Fi network usage time, segment 2G/3G network usage time, segment camera open count, segment location information acquisition, and segment device information acquisition. Here, segment average CPU usage is the application's average per-second CPU usage within the monitoring period; segment average memory usage is the application's average per-second memory usage within the monitoring period; segment privacy access count is the total number of times the application accesses the user's address book, pictures and short messages within the monitoring period; segment network usage time is the time during which the application accesses the Wi-Fi network within the monitoring period; segment camera open count is the number of times the application opens the phone camera within the monitoring period; segment location information acquisition indicates whether the application obtained the user's location information within the monitoring period (1 if it did, 0 if it did not); segment device information acquisition indicates whether the application obtained device information such as the IMEI number, baseband version or kernel version within the monitoring period (1 if it did, 0 if it did not).

(13) Model and detect basic software operations with Hidden Markov Models: in training, the Baum-Welch algorithm is used to adjust the parameters of each Hidden Markov Model; once the model for each operation type has been obtained, the Viterbi algorithm is used to compute the similarity, that is, the maximum likelihood value, between the application under detection and each model, and the maximum likelihood values form the maximum likelihood value vector.

Because hidden Markov models (HMMs) describe well how parameters change over time, they are widely used in systems that analyze time-varying behavior. The method of the invention likewise uses Hidden Markov Models to model and detect basic software operations: in training, the Baum-Welch algorithm is used to adjust the parameters of each Hidden Markov Model; once the model for each operation type has been obtained, the Viterbi algorithm is used to compute the similarity, that is, the maximum likelihood value, between the application under detection and each model; the maximum likelihood values are then combined into the likelihood value vector.

The likelihood value vector is formed as follows:

(131) Suppose N basic software operation types are to be modeled in total, and let the similarity (the maximum likelihood value) between the behavior of the application under detection and the i-th type be $c_i$. The maximum likelihood value vector of the application under detection is then $c = [c_1, c_2, \ldots, c_N]$.

Step 2: clean up the maximum likelihood value vector, filtering out noise, to form the type detection vector.

This step is carried out as follows:

(21) If the similarity between the behavior of the application under detection and the i-th basic operation type is less than or equal to 1/N, the application is considered to match that operation type poorly, and to simplify subsequent analysis its similarity is set to 0. That is:

$$d_i = \begin{cases} c_i & \text{if } c_i > \frac{1}{N} \\ 0 & \text{if } c_i \le \frac{1}{N} \end{cases}$$

where $d_i$ is called the corrected value of the maximum likelihood value;

(22) the corrected values of the maximum likelihood values form the type detection vector:

Type detection vector $d = [d_1, d_2, \ldots, d_N]$

After the type detection vector is obtained, the present invention models non-malicious behavior with a neural network and judges by online testing whether the application under detection is malicious. This is the key step of the invention: step 3.

Step 3: first, in offline training, build a behavior model of non-malicious application software with a neural-network-based method; then, using the trained model, judge by online testing whether the application software under detection is malicious.

Referring to Fig. 3, the offline training part of step 3 comprises the following operations:

(31) Build a non-malicious behavior model for application software, expressed as:

$$y = \sum_{i=1}^{N} w_i - \theta$$

where $y$ denotes the output of the neural network, $w_i$ denotes the weight relating non-malicious behavior to each basic software operation type, and $\theta$ denotes the anomaly threshold.

(32) Collect a large number of non-malicious application software samples and, in offline training, train the neural network on non-malicious behavior to obtain the weights relating non-malicious behavior to each basic software operation type and the threshold for malicious behavior.

As shown in Fig. 4, the online testing part of step 3 mainly comprises the following operation:

(33) In online testing, feed the type detection vector of the current application software into the neural network; if the output of the neural network is greater than 0, the current application software is not malicious; if the output is less than 0, the current application software is malicious.
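
Steps (13) through (33) as one pipeline, in an added Python example that is not code from the patent: Viterbi scoring of a segment sequence against per-type HMMs, the 1/N correction, and the threshold decision. The HMM parameters, the weights and θ, the segment-to-symbol quantization rule, the per-segment geometric-mean scaling of the likelihood, and the use of $w_i$ as a multiplier on $d_i$ are all assumptions made here, and the sample segments are constructed.

```python
import math

# Basic operation types (the page names browsing, video, download, navigation as examples).
TYPES = ["browse", "video", "download"]

# Constructed 2-state discrete HMMs (pi, A, B); stand-ins for Baum-Welch-trained models.
# Observation symbols: 0 = low activity, 1 = Wi-Fi heavy, 2 = privacy-sensitive access.
MODELS = {
    "browse": ([0.9, 0.1], [[0.9, 0.1], [0.5, 0.5]],
               [[0.70, 0.29, 0.01], [0.40, 0.59, 0.01]]),
    "video": ([0.2, 0.8], [[0.5, 0.5], [0.1, 0.9]],
              [[0.60, 0.39, 0.01], [0.04, 0.95, 0.01]]),
    "download": ([0.5, 0.5], [[0.6, 0.4], [0.4, 0.6]],
                 [[0.50, 0.49, 0.01], [0.30, 0.69, 0.01]]),
}

# Constructed stand-ins for the offline-trained weights w_i and threshold theta.
WEIGHTS = [1.0, 1.0, 1.0]
THETA = 0.4


def quantize(segment):
    """Map one 300 s segment's features to a symbol (hypothetical rule)."""
    if segment["privacy_accesses"] > 5 or segment["device_info"] == 1:
        return 2
    return 1 if segment["wifi_seconds"] >= 150 else 0


def _log(p):
    return math.log(p) if p > 0 else float("-inf")


def viterbi_logprob(model, obs):
    """Log-probability of the single most likely hidden-state path for obs."""
    if not obs:
        raise ValueError("empty behavior segment sequence")
    pi, A, B = model
    n = len(pi)
    delta = [_log(pi[s]) + _log(B[s][obs[0]]) for s in range(n)]
    for o in obs[1:]:
        delta = [max(delta[r] + _log(A[r][s]) for r in range(n)) + _log(B[s][o])
                 for s in range(n)]
    return max(delta)


def similarity_vector(obs):
    """c_i per type: geometric mean per segment of the Viterbi path probability.

    The scaling is an assumption; it keeps c_i in (0, 1] regardless of length.
    """
    return [math.exp(viterbi_logprob(MODELS[t], obs) / len(obs)) for t in TYPES]


def type_detection_vector(c):
    """Step (21): d_i = c_i if c_i > 1/N, otherwise 0."""
    cut = 1.0 / len(c)
    return [ci if ci > cut else 0.0 for ci in c]


def neuron_output(d, weights=WEIGHTS, theta=THETA):
    """y = sum_i w_i * d_i - theta (applying w_i to d_i is an assumption)."""
    return sum(w * di for w, di in zip(weights, d)) - theta


def classify(segments):
    """Step (33): y > 0 means not malicious, y < 0 means malicious."""
    obs = [quantize(s) for s in segments]
    d = type_detection_vector(similarity_vector(obs))
    y = neuron_output(d)
    if y > 0:
        verdict = "not malicious"
    elif y < 0:
        verdict = "malicious"
    else:
        verdict = "undecided"  # the page does not define the y == 0 case
    return d, y, verdict


def seg(wifi_seconds, privacy_accesses, device_info=0):
    return {"wifi_seconds": wifi_seconds, "privacy_accesses": privacy_accesses,
            "device_info": device_info}


# Constructed samples: one hour of monitoring, twelve 300 s segments each.
STREAMING_APP = [seg(290, 0)] * 12
HARVESTING_APP = [seg(20, 40, 1)] * 10 + [seg(280, 0)] * 2

if __name__ == "__main__":
    for name, sample in (("streaming", STREAMING_APP), ("harvesting", HARVESTING_APP)):
        d, y, verdict = classify(sample)
        print(name, [round(x, 3) for x in d], round(y, 3), verdict)
```

With this scaling, a sequence that fits no benign operation type yields an all-zero type detection vector, so the output falls to −θ and the application is flagged without any malicious behavior having been modeled.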

In short, the simulation tests of the embodiment of the present invention were successful and achieved the purpose of the invention.

Claims (7)

1. A mobile Internet malicious application software detection method based on a behavior model, characterized in that the method comprises the following steps:
(1) analyze the mobile Internet application software to be detected with a Hidden Markov Model (HMM) to obtain the similarity of the current program to each basic software operation type, forming a similarity vector;
(2) clean up the similarity vector to obtain the type detection vector;
(3) first, in offline training, build a behavior model of non-malicious applications with a neural-network-based method; then, using the trained model, judge by online testing whether the current application software is malicious.
2. The method according to claim 1, characterized in that:
step (1) further comprises the following operations:
(11) run the mobile Internet application software to be analyzed, monitor its behavior, and segment the data by a set duration, dividing the behavioral data of the application into a sequence of behavior segments;
(12) extract the features of each behavior segment in the sequence: segment average CPU usage, segment average memory usage, segment privacy access count, segment Wi-Fi network usage time, segment 2G/3G network usage time, segment camera open count, segment location information acquisition, and segment device information acquisition;
(13) model and detect basic software operations with Hidden Markov Models: in training, the Baum-Welch algorithm is used to adjust the parameters of each Hidden Markov Model; once the model for each operation type has been obtained, the Viterbi algorithm is used to compute the similarity, that is, the maximum likelihood value, between the application under detection and each model, and the maximum likelihood values form the maximum likelihood value vector.
3. The method according to claim 2, characterized in that:
step (12) further comprises the following operations:
(121) segment average CPU usage is the application's average per-second CPU usage within the monitoring period;
(122) segment average memory usage is the application's average per-second memory usage within the monitoring period;
(123) segment privacy access count is the total number of times the application accesses the user's address book, pictures and short messages within the monitoring period;
(124) segment network usage time is the time during which the application accesses the Wi-Fi network within the monitoring period;
(125) segment camera open count is the number of times the application opens the phone camera within the monitoring period;
(126) segment location information acquisition indicates whether the application obtained the user's location information within the monitoring period: the feature is 1 if it did and 0 if it did not;
(127) segment device information acquisition indicates whether the application obtained device information such as the IMEI number, baseband version or kernel version within the monitoring period: the feature is 1 if it did and 0 if it did not.
4. The method according to claim 2, characterized in that:
step (13) further comprises the following operations:
(131) suppose N basic software operation types are to be modeled in total, and let the similarity (the maximum likelihood value) between the behavior of the application under detection and the i-th type be $c_i$; the maximum likelihood value vector of the application under detection is then $c = [c_1, c_2, \ldots, c_N]$.
5. The method according to claim 1, characterized in that:
step (2) further comprises the following operations:
(21) if the similarity between the behavior of the application under detection and the i-th basic operation type is less than or equal to 1/N, the application is considered to match that operation type poorly, and to simplify subsequent analysis its similarity is set to 0. That is:
$$d_i = \begin{cases} c_i & \text{if } c_i > \frac{1}{N} \\ 0 & \text{if } c_i \le \frac{1}{N} \end{cases}$$
where $d_i$ is called the corrected value of the maximum likelihood value;
(22) the corrected values of the maximum likelihood values form the type detection vector:
Type detection vector $d = [d_1, d_2, \ldots, d_N]$
6. The method according to claim 2, characterized in that: the set duration range in step (11) is a short duration of 200 s to 500 s.
7. The method according to claim 1, characterized in that:
Step (3) further comprises the following operations:
(31) establish a non-malicious behavior model for application software, expressed as:
$$y = \sum_{i=1}^{N} w_i - \theta$$
where y is the output of the neural network, $w_i$ is the weight relating non-malicious behavior to each basic software operation type, and θ is the anomaly threshold.
(32) collect a large number of non-malicious application software samples and, by off-line training, use the neural network to train on non-malicious behavior, obtaining the weights relating non-malicious behavior to each basic software operation type and the threshold for malicious behavior;
(33) by on-line testing, input the type detection vector of the current application software into the neural network for calculation: if the output of the neural network is greater than 0, the current application software is not malicious application software; if the output of the neural network is less than 0, the current application software is malicious application software.
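The correction step of claim 5 and the on-line decision of claim 7, written out as runnable Python; this is an added example, not code from the patent. The function names and all sample values (likelihoods, weights, threshold) are constructed, and the code assumes each weight w_i is applied to the corresponding d_i, which the printed formula does not show.

```python
from typing import List, Sequence

def corrected_vector(c: Sequence[float]) -> List[float]:
    """Claim 5, step (21): keep c_i only when it exceeds 1/N, else set it to 0."""
    n = len(c)
    if n == 0:
        raise ValueError("at least one basic operation type is required")
    cutoff = 1.0 / n
    return [ci if ci > cutoff else 0.0 for ci in c]

def model_output(d: Sequence[float], w: Sequence[float], theta: float) -> float:
    """Claim 7, step (31). Assumption: the weighted sum runs over w_i * d_i."""
    if len(d) != len(w):
        raise ValueError("weight vector and type detection vector differ in length")
    return sum(wi * di for wi, di in zip(w, d)) - theta

def classify(c: Sequence[float], w: Sequence[float], theta: float) -> str:
    """Claim 7, step (33): y > 0 is non-malicious, y < 0 is malicious."""
    y = model_output(corrected_vector(c), w, theta)
    if y > 0:
        return "non-malicious"
    if y < 0:
        return "malicious"
    # The claims do not say what y == 0 means; surface it instead of guessing.
    return "undetermined"

# Constructed values for N = 4 basic operation types (not from the patent).
W = [1.0, 1.0, 0.5, 0.25]   # stands in for weights from off-line training
THETA = 0.5                 # stands in for the trained threshold

# Constructed maximum likelihood vectors for three applications under test.
APP_A = [0.75, 0.25, 0.125, 0.0625]  # 0.25 equals 1/N, so it is zeroed
APP_B = [0.125, 0.25, 0.5, 0.125]
APP_C = [0.5, 0.0, 0.0, 0.0]         # lands exactly on the threshold

if __name__ == "__main__":
    for name, c in (("A", APP_A), ("B", APP_B), ("C", APP_C)):
        print(name, corrected_vector(c), classify(c, W, THETA))
```

A value of c_i exactly equal to 1/N is zeroed because the claim uses "less than or equal to", and an output of exactly 0 falls outside both branches of step (33), so a deployment has to pick a policy for it.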
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310444710.9A CN103500307A (en) 2013-09-26 2013-09-26 Mobile internet malignant application software detection method based on behavior model

Publications (1)

Publication Number Publication Date
CN103500307A (en) 2014-01-08

Family

ID=49865515

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310444710.9A CN103500307A (en) 2013-09-26 2013-09-26 Mobile internet malignant application software detection method based on behavior model

Country Status (1)

Country Link
CN (1) CN103500307A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140108