CN104834857A - Method and device for detecting Android malicious software in batch - Google Patents


Info

Publication number: CN104834857A
Authority: CN (China)
Prior art keywords: application program, malware detection, record, contribution value, feature
Legal status: Granted
Application number: CN201510142665.0A
Other languages: Chinese (zh)
Other versions: CN104834857B (en)
Inventors: 肖喜, 肖仙妮, 江勇, 付鹏, 李清, 夏树涛
Current assignee: Shenzhen Graduate School Tsinghua University
Original assignee: Shenzhen Graduate School Tsinghua University
Application filed by Shenzhen Graduate School Tsinghua University
Priority to CN201510142665.0A
Publication of CN104834857A
Application granted
Publication of CN104834857B
Current legal status: Active
Anticipated expiration

Abstract

The invention relates to a method for detecting Android malware in batch, comprising the following steps: A, extracting and computing, for an application, the frequency vectors of its system permission feature, its program control flow graph feature and its system call feature, and concatenating the three frequency vectors into a composite feature vector; B, classifying the composite feature vector with a classification algorithm from data mining; C, computing the contribution value of the battery-consumption record and the contribution value of the intent record to malware detection; D, computing a weighted sum of the classification result value and the contribution values of the battery-consumption record and the intent record, and judging the application to be malware if the result exceeds a set threshold, otherwise judging it to be normal software. The invention has the following advantage: the method and device mix system permissions, system calls and the program control flow graph into a new feature vector and detect malware with a classification algorithm, giving high accuracy and few misses.

Description

Batch Android malware detection method and device
Technical field
The present invention relates to a batch Android malware detection method and device, and belongs to the technical field of Android platform application security analysis.
Background
With the rapid development of the mobile Internet, smartphones running mobile operating systems have been widely adopted. No longer confined to basic communication functions, a smartphone has an independent operating system, so people can use it to send and receive mail, shop and trade anytime and anywhere, and the mobile Internet market has shown its enormous value. Security risks have followed in this context: malware and phishing websites are increasingly common, and risky usage scenarios such as public Wi-Fi are also increasing. Compared with other operating systems, the Linux-kernel-based Android smartphone operating system holds a growing market share, and Android phones have become the most important attack target of current malware.
Android is an open-source operating system, and developers can upload applications directly to the market for users without any review. This convenient development model has spurred the emergence of applications of every kind and further promoted the development and spread of Android, but it also exposes the platform to greater risk. The growth of mobile device storage means that large amounts of personal information and business data are stored on these devices; smartphones support payment transactions, and suppliers, dealers, wholesalers, content providers, mobile operators and banks are all creating new mobile payment services. All of this makes mobile devices a prime target for attackers. More and more malicious programs use mobile devices to obtain user data, carry out malicious fee deduction and damage the system. Cases of malicious programs placing calls, sending spam messages, leaking user credentials and damaging phone software and hardware are common.
Malware detection methods on Android devices are mainly divided into static detection and dynamic detection. The targets of static analysis are mainly the following: the apk file list, the Manifest file, dex files, binary files, resource files, permissions, the four major application components, sensitive APIs, and in particular LoadLibrary, dexClassLoader, Reflection and the like. The file signature of an Android application is also often used as a detection feature. Static detection works without running the application: it decompiles and analyses the application to obtain the program's source code, or analyses surface properties of the program such as the file signature, in order to detect malware. Dynamic detection runs the application in a sandbox or in the Android system and, while the program runs, analyses its execution trace and inspects its communication with, and use of, sensitive system resources; if the program leaks user data or sensitive system resources it is judged to be malware or a virus.
System permissions are an important element of Android malware detection. In Android, an application must request permissions to access valuable resources. When an application requests more permissions than it needs, it may enable a privilege escalation attack. Because of the bad habits of some developers, applications that request excessive permissions are also common, so permissions alone are not sufficient as the sole feature for malware detection.
The program control flow graph shows all execution paths of an application, and malicious programs of the same virus family have great similarity in the structure of their control flow graphs, so the program control flow graph is also frequently used as a basis for detecting malware variants.
System calls reflect the actual operations an application performs while running, and tracing system calls can reflect the malicious behaviour of a malicious program in real time. Traditional taint-tracking methods, by contrast, need to add taint marks inside the application, define taint propagation rules and modify the Android source code; their complexity is too high and they cannot detect malware in large batches.
Static analysis is fast and convenient and can be used in an isolated environment, but it cannot detect malware attacks outside its model library. Dynamic analysis can capture the malicious behaviour of an application in real time, but it cannot cover all execution paths of the program and may mistake a malicious program that does not perform its malicious behaviour for normal software. Combining static features with behavioural features can therefore solve the above problems in malware detection and improve the detection rate of malicious programs.
Several typical prior-art schemes:
Prior art one and its shortcoming: the scheme described in patent 201310388742.1 parses the executable file in an apk file sample to extract feature strings from its text, uses the feature strings to build a malicious-program feature-code list and a non-malicious-program feature-code list, compares the feature strings of an apk file sample against both lists to obtain the string feature vector of the sample, builds the recognition feature vector of the apk file from its string feature vector and the system permissions it requests, trains on the recognition feature vectors of multiple apk file samples to generate a classification model for identifying malicious apk files, and uses this classification model to identify apk files of unknown type. In this detection model, however, the features are created mainly from strings that appear in the application, so detection of malicious programs is neither direct nor accurate.
Prior art two and its shortcoming: the scheme described in patent 201410250514.2 takes the apk application to be detected, analyses the basic blocks of the program from the smali files generated by decompilation to obtain its program flow graph, deletes the nodes that contain no invoke instruction and connects the remaining nodes to obtain a new program flow graph containing only API call relations, uses the graph fingerprint formed by the hash codes of the full API paths and their connection relations as the malicious-behaviour feature, and then uses subgraph isomorphism to match against each malicious-behaviour record in the malicious-behaviour feature database, thereby performing behaviour matching of malware. This detection method is simple and effective against known malicious viruses and their variants, but loses its detection effect against newly emerging malicious viruses.
Prior art three and its shortcoming: in the scheme described in patent 201310127940.2, the software to be detected is executed in an Android system emulator in which instrumentation monitoring code for at least one predefined function or command is installed in advance; the instrumentation monitoring code intercepts the call status data of the predefined function or command when it is invoked, where the predefined function comprises at least one function of at least one of the classes TelephonyManager, SmsManager, BroadcastReceiver, NotificationManager, PhoneStateListener and PackageManager in the Android SDK, and the predefined command comprises the su superuser command; a monitor data analyser analyses the intercepted call status data of the predefined function or command to determine whether the software to be detected contains malicious code. By monitoring the predefined functions this method can promptly capture an application's leakage of sensitive information, but it requires a certain degree of modification of the Android system, and its implementation is too complex.
Prior art four and its shortcoming: the scheme described in patent 201310598132.4 performs code analysis on the entry functions in the software, determines the function modules called by each entry function and their call order, searches for and determines the sensitive system calls among the system calls, generates a sensitive-system-call sequence, matches that sequence against a predefined malware feature library and obtains the malware detection result. This method reduces detection on the program control flow graph to a sequence-matching process over sensitive system calls, but the features are not rich enough to detect malware efficiently.
Summary of the invention
The object of the present invention is to provide a batch Android malware detection method and device that overcome the shortcomings of existing malware detection methods.
To this end, the present invention proposes a batch Android malware detection method comprising the steps: A, extracting and computing, for an application, the first frequency vector of its system permission feature, the second frequency vector of its program control flow graph feature and the third frequency vector of its system call feature, and computing a composite feature vector from the first, second and third frequency vectors; B, classifying the composite feature vector with a classification algorithm from data mining to obtain a classification result value; C, computing the first contribution value of the battery-consumption record to malware detection and the second contribution value of the intent record to malware detection; D, performing a weighted computation over the classification result value, the first contribution value and the second contribution value, and judging the application to be malware if the weighted result exceeds a set threshold, otherwise judging it to be normal software.
The present invention also proposes a batch Android malware detection device, characterised in that it uses the above method to perform batch Android malware detection.
The present invention has the following advantage: it mixes system permissions, system calls, the program control flow graph and so on into a new feature vector and uses a classification algorithm to detect malware, with high accuracy and few misses.
Brief description of the drawings
Fig. 1 is the malware detection flow diagram of an embodiment of the present invention.
Fig. 2 is the flow diagram of the feature extraction module of an embodiment of the present invention.
Fig. 2a is an example of string generation for a program control flow graph in an embodiment of the present invention.
Fig. 3 is the flow diagram of the classifier module of an embodiment of the present invention.
Fig. 4 is the flow diagram of the comprehensive evaluation module of an embodiment of the present invention.
Detailed description
The malware detection flow of an embodiment of the present invention is shown in Fig. 1. The flow is divided into three modules: a feature extraction module, an AROW (an online classification algorithm) classifier module and a comprehensive evaluation module.
The feature extraction module extracts the system permission feature, program control flow graph feature and system call feature of an application, computes the frequency vector of each feature (the first, second and third frequency vectors respectively) and concatenates them into a composite feature vector; the AROW algorithm then classifies the composite vector, and the classification result is weighted together with the first contribution value of the battery-consumption record and the second contribution value of the intent record to malware detection to reach a judgement on the application.
The feature extraction module first extracts the static features of each application: the system permission feature and the program control flow graph feature. The method of extracting and computing the first frequency vector of the application's system permission feature is: extract the application's system permissions; obtain the standard system permission set of the Android version corresponding to the application from the official Android website; compute the frequency with which each permission in the standard set occurs in the application; the computed frequencies form the first frequency vector.
The method of extracting and computing the second frequency vector of the application's program control flow graph feature is: extract the application's program control flow graphs and convert their string form to numeric form with a string hash algorithm (the control flow graphs extracted from an application consist of many strings, each representing the control flow graph of one function, and the string hash algorithm (the Blizzard hash algorithm) hashes each string into a number); use a feature selection method (information entropy in this example) to extract the control flow graphs that have a significant influence on malware detection; collect all significant control flow graphs from a sufficient number of applications as the regular set of control flow graphs; compute the frequency with which each control flow graph in the regular set occurs in the application; the computed frequencies form the second frequency vector.
Then the dynamic feature of each application is extracted. The method of extracting and computing the third frequency vector of the application's system call feature is: trigger multiple random events of different types in the application and record all system calls the application makes in response to them; download the standard system call set of the Android system; compute the frequency with which each system call in the standard set occurs in the application; the computed frequencies form the third frequency vector. In this example the application is installed on an Android device and 1000 random events of different types are triggered; the application's system calls during these 1000 random events are recorded, the standard system call set is downloaded, the frequency of each standard system call in the application is computed, and the computed frequencies form the third frequency vector.
The application's battery-consumption record and intent record are recorded while the system calls are extracted. The second contribution value of the intent record to malware detection is computed as follows: when the intent record contains an API that performs conversational communication (such as directly sending a text message or making a call), the second contribution value is set to 10 or a value greater than 10, guaranteeing that the application is detected as malware; when the intent record contains no such communication API but does contain a sensitive API, the second contribution value is 1; when the intent record contains no sensitive API, the second contribution value is 0. The first contribution value of the battery-consumption record to malware detection is computed as follows: when the application's battery-consumption record shows power use above a certain threshold, the first contribution value is 1, otherwise it is 0.
A composite feature vector is generated from the above three frequency vectors: the frequency vectors of the system permission feature, program control flow graph feature and system call feature are concatenated in a fixed order into the composite feature vector.
In the AROW classifier module the composite feature vector is classified using, but not limited to, the AROW online classification algorithm, a confidence-weighted algorithm that is more accurate for two-class classification. In this example the AROW online algorithm is trained on the training set; to improve training precision, several rounds of the iterative learning process may be repeated until the training error falls below a certain threshold, usually set so that the standard deviation of the training error is less than 0.1, after which the test set is classified.
The modules and steps are further described below:
One, feature extraction module (Fig. 2); its workflow comprises the following steps:
1. Extract the system permission feature of the application:
Extract the system permission feature of the Android application and abstract it into the first frequency vector. The specific practice is: download the standard system permission set of the Android system and compute the frequency f with which each system permission occurs in the application.
N is the number of system permissions of the application.
2. Extract the program control flow graph feature of the application
(1) Extract the application's program control flow graphs. Each function in the application is represented as one control flow graph, and each control flow graph is represented by one string; an example of string generation for a control flow graph is shown in Fig. 2a, and the correspondence between the characters in the string and the logical structure of the function is defined in the following correspondence table:
(2) A single application may contain hundreds of control flow graphs, and the string representation of one graph may contain tens to hundreds of characters. For convenient subsequent processing, a string hash algorithm is used to index the string representations of the application's control flow graphs as numbers.
For example, the Blizzard hash algorithm may be used (but is not required) to hash the string
B[SP1{Landroid/content/Context;getSystemService(Ljava/lang/String;)Ljava/lang/Object;}P1{Landroid/telephony/TelephonyManager;getSimOperator()Ljava/lang/String;}I]B[SP1I]B[SP1I]B[F0]B[R]B[SP1I]B[F0G]B[SP1I]B[F0G]
into an integer such as 6,895,743 as a compressed representation.
(3) A single application may contain some common control flow graphs and some exclusive ones; when all control flow graphs in the whole data set are gathered into the regular set, the number of graphs in the regular set becomes very large. Data mining techniques can therefore be used to delete from the regular set the control flow graphs that have little influence on classification and keep only those with a large influence as the subsequent features.
The chi-square method may be used (but is not required) to extract the important control flow graphs.
The chi-square distribution was originally used to measure the error between a theoretical value and an actual value; in feature extraction it is used to compute how significant a given feature is for a given class. The formula is as follows:
\chi^2(\omega, mal) = \frac{(AD - BC)^2}{(A+B)(A+C)(B+C)(C+D)}
where A, B, C and D are defined in the following table:
Feature selection | Malware | Normal software | Sum
ω (contains this feature) | A | B | A+B
ω (does not contain this feature) | C | D | C+D
Sum | M | O | N
A is the number of malware samples in the data set that contain feature ω, B the number of normal software samples that contain feature ω, C the number of malware samples that do not contain feature ω, and D the number of normal software samples that do not contain feature ω.
After the chi-square value of each feature is computed, the features are sorted by chi-square value and the top 10% are selected as the program control flow graph features.
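The following is an added worked example of the chi-square feature selection step (it is not code from the patent). It uses the standard 2×2 chi-square statistic N(AD−BC)²/((A+B)(C+D)(A+C)(B+D)); the formula as printed above omits the constant N factor (which does not change the ranking) and has (B+C) where the textbook denominator has (B+D). The hashed control flow graph identifiers and the two labelled application sets are constructed sample data, and keeping the top 10% (rounded up) follows the page's selection rule.

```python
import math

# Constructed sample: each application is the set of hashed control flow graph
# identifiers it contains (integers, as produced by the string hash step).
MALWARE_APPS = [
    {101, 202, 303, 404},
    {101, 202, 303, 505},
    {101, 202, 606},
    {101, 303, 404, 707},
]
NORMAL_APPS = [
    {202, 808, 909},
    {808, 909, 1010},
    {303, 808, 1111},
    {909, 1010, 1212},
]


def contingency(feature, malware_apps, normal_apps):
    """A, B, C, D for one feature: (malware with, normal with, malware without, normal without)."""
    a = sum(1 for app in malware_apps if feature in app)
    b = sum(1 for app in normal_apps if feature in app)
    return a, b, len(malware_apps) - a, len(normal_apps) - b


def chi_square(a, b, c, d):
    """Standard 2x2 chi-square statistic N(AD-BC)^2 / ((A+B)(C+D)(A+C)(B+D))."""
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:          # feature present (or absent) in every sample: carries no information
        return 0.0
    return n * (a * d - b * c) ** 2 / denom


def select_features(malware_apps, normal_apps, fraction=0.1):
    """Rank every control flow graph in the regular set by chi-square and keep the top fraction."""
    regular_set = set().union(*malware_apps, *normal_apps)
    scored = [(chi_square(*contingency(f, malware_apps, normal_apps)), f) for f in regular_set]
    scored.sort(key=lambda pair: (-pair[0], pair[1]))   # highest score first, ties broken by id
    keep = max(1, math.ceil(fraction * len(scored)))
    return [f for _, f in scored[:keep]]


if __name__ == "__main__":
    for f in sorted(set().union(*MALWARE_APPS, *NORMAL_APPS)):
        print(f, round(chi_square(*contingency(f, MALWARE_APPS, NORMAL_APPS)), 3))
    print("selected:", select_features(MALWARE_APPS, NORMAL_APPS))
```

With the constructed data, graph 101 (present in every malware sample and no normal sample) scores highest, and graphs 808 and 909 (present only in normal samples) come next; a feature that appears in every sample of both classes scores zero and is dropped.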
(4) Compute the second frequency vector of the program control flow graphs:
F = M/N
F: the frequency with which a control flow graph in the regular set occurs in the application;
M: the number of times this control flow graph occurs in the application;
N: the total number of occurrences in the application of control flow graphs belonging to the regular set.
3. Extract the system call feature of the application:
(1) Install the application on the Android platform, start it automatically and trigger 1000 random events of different types, recording the application's system calls during these 1000 random events.
(2) Compute the system call frequency vector:
Collect the standard system call set of the Android system and compute the frequency of occurrence F of each system call:
F = M/N
M: the number of times this system call occurs;
N: the total number of system calls the application makes during the 1000 random events.
4. Generate the composite feature vector
Concatenate the above three frequency vectors to form the application's feature vector.
5. Extract the battery-consumption record of the application
(1) Record the application's battery consumption while the system calls are extracted.
(2) Compute the mean battery consumption of malicious programs.
(3) For an application whose consumption exceeds that mean, set the first contribution value to malware detection to 1; otherwise set it to 0.
6. Extract the intent record of the application
(1) Record the application's event-jump (intent) record while the system calls are extracted.
(2) Check whether the intent record contains sensitive APIs such as sending text messages or making calls.
(3) If it contains a function that sends text messages or makes calls, set the second contribution value of the intent record to malware detection to 10 or a value greater than 10, so that the application is directly judged to be a malicious program; otherwise, when the intent record contains no conversational-communication API, set the second contribution value to 1 if it contains another sensitive API and to 0 if it contains no sensitive API, and proceed to the subsequent steps.
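The three frequency vectors and their concatenation, as an added example that is not part of the patent: the standard permission set, regular control flow graph set and standard system call set below are short constructed stand-ins for the real lists the page obtains from the official Android sources, the strace-style trace lines are constructed, and each vector uses the denominator N that the corresponding step above prescribes.

```python
from collections import Counter

# Standard sets (constructed, abbreviated). Order is fixed so that vectors from
# different applications line up position by position when concatenated.
STANDARD_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
]
REGULAR_CFGS = [6895743, 1122334, 9988776]   # hashed control flow graphs kept after feature selection
STANDARD_SYSCALLS = ["read", "write", "open", "ioctl", "sendto", "recvfrom"]


def frequency_vector(standard, observed, n):
    """F = M/N for each item of the standard set: M = count in this app, N = the
    denominator prescribed for that feature (passed in by the caller)."""
    counts = Counter(observed)
    return [counts[item] / n if n else 0.0 for item in standard]


def permission_vector(app_permissions):
    # N: the number of system permissions the application declares
    return frequency_vector(STANDARD_PERMISSIONS, app_permissions, len(app_permissions))


def cfg_vector(app_cfg_hashes):
    # N: occurrences in this app of control flow graphs that belong to the regular set
    n = sum(1 for h in app_cfg_hashes if h in REGULAR_CFGS)
    return frequency_vector(REGULAR_CFGS, app_cfg_hashes, n)


def syscall_names(trace_lines):
    """Pull the system call name from strace-style lines such as 'read(3, ..., 512) = 512'."""
    return [line.split("(", 1)[0].strip() for line in trace_lines if "(" in line]


def syscall_vector(trace_lines):
    names = syscall_names(trace_lines)
    # N: total system calls recorded while the random events were triggered
    return frequency_vector(STANDARD_SYSCALLS, names, len(names))


def composite_vector(app_permissions, app_cfg_hashes, trace_lines):
    """Concatenate the three frequency vectors in a fixed order: permissions, CFGs, syscalls."""
    return permission_vector(app_permissions) + cfg_vector(app_cfg_hashes) + syscall_vector(trace_lines)


# Constructed input for one application
SAMPLE_PERMISSIONS = ["android.permission.INTERNET", "android.permission.SEND_SMS"]
SAMPLE_CFGS = [6895743, 6895743, 424242, 9988776]   # 424242 lies outside the regular set
SAMPLE_TRACE = [
    'read(3, "\\x7fELF", 512) = 512',
    'write(4, "ok", 2) = 2',
    'read(3, "", 512) = 0',
    'ioctl(5, 0xc0046209, 0xbeef) = 0',
    'gettimeofday({1, 2}, NULL) = 0',    # not in the standard set: counts toward N only
]

if __name__ == "__main__":
    print(composite_vector(SAMPLE_PERMISSIONS, SAMPLE_CFGS, SAMPLE_TRACE))
```

Because every application is projected onto the same fixed-order standard sets, the composite vector always has the same length (here 4 + 3 + 6 = 13), which is what lets the classifier compare applications position by position.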
Two, classifier module (Fig. 3); its workflow comprises the following steps:
1. Data collection: download a number of normal applications as the normal software set, and collect an equal number of Android viruses of different types as the malware set.
2. Feature generation: generate composite feature vectors with the above method.
3. Training: classify the composite feature vectors with a classification algorithm from data mining. The AROW online classification algorithm, a confidence-weighted algorithm that is more accurate for two-class classification, may be used (but is not required). The AROW algorithm is initially set to a single learning pass; this embodiment repeats the AROW learning process 50 to 100 times to improve training precision, usually until the standard deviation of the training error is less than 0.1.
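An added example (not the patent's code) of the training step: a diagonal-covariance AROW online classifier trained for repeated passes, stopping when the standard deviation of the per-pass training error drops below 0.1 (my reading of the page's stop rule; the window of five passes and the regularisation parameter r are assumed). The four-dimensional vectors stand in for the composite feature vectors and are constructed sample data, labelled +1 for malware and −1 for normal software.

```python
import statistics

# Constructed training set: (composite feature vector, label), +1 = malware, -1 = normal
TRAINING_SET = [
    ([0.8, 0.6, 0.1, 0.0], 1),
    ([0.7, 0.5, 0.2, 0.1], 1),
    ([0.9, 0.4, 0.0, 0.1], 1),
    ([0.1, 0.2, 0.7, 0.8], -1),
    ([0.0, 0.3, 0.8, 0.6], -1),
    ([0.2, 0.1, 0.6, 0.9], -1),
]


def arow_update(mu, sigma, x, y, r=1.0):
    """One AROW step with a diagonal covariance (Crammer, Kulesza and Dredze, 2009).
    mu is the weight vector, sigma its per-feature variance. Returns True if an update occurred."""
    margin = sum(m * xi for m, xi in zip(mu, x))
    if y * margin >= 1.0:               # correct with margin at least 1: leave the model alone
        return False
    confidence = sum(s * xi * xi for s, xi in zip(sigma, x))   # x^T Sigma x
    beta = 1.0 / (confidence + r)
    alpha = (1.0 - y * margin) * beta   # hinge loss scaled by beta
    for i, xi in enumerate(x):
        mu[i] += alpha * y * sigma[i] * xi              # move the mean toward the right side
        sigma[i] -= beta * (sigma[i] * xi) ** 2         # shrink variance on features just seen
    return True


def predict(mu, x):
    return 1 if sum(m * xi for m, xi in zip(mu, x)) > 0 else -1


def error_rate(mu, samples):
    wrong = sum(1 for x, y in samples if predict(mu, x) != y)
    return wrong / len(samples)


def train_arow(samples, r=1.0, max_epochs=50, window=5, tol=0.1):
    """Repeat the online pass up to max_epochs times; stop once the training error of the
    last `window` passes has a standard deviation below tol (the page's 0.1 criterion)."""
    dim = len(samples[0][0])
    mu = [0.0] * dim
    sigma = [1.0] * dim
    history = []
    for _ in range(max_epochs):
        for x, y in samples:
            arow_update(mu, sigma, x, y, r)
        history.append(error_rate(mu, samples))
        if len(history) >= window and statistics.pstdev(history[-window:]) < tol:
            break
    return {"mu": mu, "sigma": sigma, "errors": history}


if __name__ == "__main__":
    model = train_arow(TRAINING_SET)
    print("passes:", len(model["errors"]), "final training error:", model["errors"][-1])
    print("weights:", [round(w, 3) for w in model["mu"]])
```

The classification result C that the comprehensive evaluation module consumes is simply 1 when `predict` returns +1 and 0 otherwise. Note that AROW keeps updating on samples that are classified correctly but with margin below 1, so the weight vector continues to sharpen after the training error has reached zero.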
Three, comprehensive evaluation module (Fig. 4); its workflow comprises the following steps:
The classification result of the classifier module, the first contribution value of the battery-consumption record and the second contribution value of the intent record to malware detection are each given a weight and combined; if the result is greater than or equal to 0.5 the application is judged to be malware, otherwise normal software. The values p1, p2 and p3 are adjusted according to the actual results and the predictions. The comprehensive evaluation formula is:
R = p1*C + p2*I + p3*B.
where C is the classification result value: C is 1 if the classifier reports the application as malware, otherwise 0, and p1 is the weight given to the classification result value; I is the first contribution value of the application's battery-consumption record to malicious program detection and p2 the weight given to it; B is the second contribution value of the application's intent record to malicious program detection and p3 the weight given to it; R is the computed result.
p1, p2 and p3 are adjusted as follows:
1. Initially p1 is set to 0.5, p2 to 0.2 and p3 to 0.3;
2. If the false rate of the classification result on malware is lower than that of the comprehensive evaluation result, increase p1 and decrease p2 and p3; otherwise decrease p1 and increase p2 and p3.
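The comprehensive evaluation module as an added example that is not part of the patent: it computes the two contribution values by the rules of steps 5 and 6 above, evaluates R = p1*C + p2*I + p3*B against the 0.5 threshold with the initial weights, and applies the weight-adjustment rule. The API names used to stand for "conversational communication" and "sensitive" APIs, the mean battery consumption, and the adjustment step size of 0.05 are all assumptions of this example.

```python
# Illustrative API sets (constructed); the page only names sending text messages and
# making calls as conversational communication and refers to "sensitive APIs" in general.
COMMUNICATION_APIS = {"SmsManager.sendTextMessage", "android.intent.action.CALL"}
SENSITIVE_APIS = {"TelephonyManager.getDeviceId", "TelephonyManager.getSubscriberId",
                  "LocationManager.getLastKnownLocation"}


def intent_contribution(intent_record):
    """Second contribution value B: 10 (forces a malware verdict), 1 (sensitive API), or 0."""
    apis = set(intent_record)
    if apis & COMMUNICATION_APIS:
        return 10
    if apis & SENSITIVE_APIS:
        return 1
    return 0


def battery_contribution(app_consumption, malware_mean):
    """First contribution value I: 1 if the app's consumption exceeds the malware mean, else 0."""
    return 1 if app_consumption > malware_mean else 0


def evaluate(c, i, b, weights=(0.5, 0.2, 0.3), threshold=0.5):
    """R = p1*C + p2*I + p3*B; the application is malware when R >= threshold."""
    p1, p2, p3 = weights
    r = p1 * c + p2 * i + p3 * b
    return r, ("malware" if r >= threshold else "normal")


def adjust_weights(weights, classifier_false_rate, combined_false_rate, step=0.05):
    """Page rule: if the classifier alone has the lower false rate, move weight onto p1;
    otherwise move weight from p1 onto p2 and p3. The step size is a constructed choice."""
    p1, p2, p3 = weights
    if classifier_false_rate < combined_false_rate:
        p1, p2, p3 = p1 + step, p2 - step / 2, p3 - step / 2
    else:
        p1, p2, p3 = p1 - step, p2 + step / 2, p3 + step / 2
    return tuple(round(v, 6) for v in (p1, p2, p3))


# Constructed records for one application under test
SAMPLE_INTENTS = ["TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"]
SAMPLE_CONSUMPTION, MALWARE_MEAN_CONSUMPTION = 42.0, 37.5   # arbitrary units

if __name__ == "__main__":
    c = 0                                               # classifier said "normal"
    i = battery_contribution(SAMPLE_CONSUMPTION, MALWARE_MEAN_CONSUMPTION)
    b = intent_contribution(SAMPLE_INTENTS)
    print("C, I, B =", (c, i, b), "->", evaluate(c, i, b))
    print("adjusted weights:", adjust_weights((0.5, 0.2, 0.3), 0.1, 0.2))
```

With the initial weights, any value B >= 10 alone gives R >= 3, which is why the page can say a communication API in the intent record guarantees a malware verdict; a positive classifier result alone (C = 1) lands exactly on the 0.5 threshold, while the battery signal alone (I = 1) does not reach it.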
In summary, the present invention has the following features:
1. Classification using extracted program control flow graphs: the statically structured program control flow graph is mostly used to detect malware variants; introducing it as a sub-vector of the classification feature vector improves the precision of malware detection.
2. Quantifying program control flow graphs with the Blizzard hash algorithm: each control flow graph is studied as a whole unit, so that malware can be modelled quickly and efficiently in batch detection.
3. Composite feature vector: mixing the three features of system permissions, program control flow graph and system calls captures both the static features of malicious programs and their actual runtime behaviour, and improves the accuracy of malware detection.
4. Online learning: the final feature vector is classified by online learning with the AROW algorithm, which is more accurate for two-class classification, and the learning is repeated sufficiently to optimise the classifier parameters so that its judgements are more accurate.
5. Battery-consumption and intent records as secondary reference: after the classification model gives its result, the application's battery-consumption and intent records serve as a second reference to improve the malware detection rate.

Claims (9)

1. A batch Android malware detection method, comprising the steps:
A. extracting and computing, for an application program, a first frequency vector of the system permission feature, a second frequency vector of the program control flow graph feature and a third frequency vector of the system call feature respectively, and computing a comprehensive feature vector from the first, second and third frequency vectors;
B. classifying the comprehensive feature vector with a classification algorithm from data mining to obtain a classification result value;
C. computing a first contribution value of the power-consumption record to malware detection and a second contribution value of the intent record to malware detection;
D. performing a weighted computation on the classification result value, the first contribution value and the second contribution value; if the weighted result exceeds a set threshold, the application program is judged to be malware, otherwise it is judged to be normal software.
2. The batch Android malware detection method of claim 1, characterized in that the first frequency vector of the system permission feature of the application program is extracted and computed by:
extracting the system permissions of the application program;
obtaining the standard system permission set of the Android system corresponding to the application program from the official Android website;
computing the frequency with which each system permission in the standard set occurs in the application program, and taking the computed frequencies as the first frequency vector.
3. The batch Android malware detection method of claim 1, characterized in that the second frequency vector of the program control flow graph feature of the application program is extracted and computed by:
extracting the program control flow graphs of the application program and converting the string form of each graph into numeric form with a string hash algorithm;
selecting, with a feature selection method, the control flow graphs that have a significant influence on malware detection;
collecting all significant control flow graphs from a sufficient number of application programs as the control flow graph rule set, computing the frequency with which each graph in the rule set occurs in the application program, and taking the computed frequencies as the second frequency vector.
4. The batch Android malware detection method of claim 1, characterized in that the third frequency vector of the system call feature of the application program is extracted and computed by: triggering multiple random events of different types in the application program, recording all system calls made by the application program in response to these events, downloading the standard system call set of the Android system, computing the frequency with which each system call in the standard set occurs in the application program, and taking the computed frequencies as the third frequency vector.
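Claims 2 to 4 each reduce one feature family to a frequency vector over a fixed standard set, and step A of claim 1 concatenates the three. The following Python is an added example of that construction, not code from the patent. It assumes, because the patent does not fix them, that the string hash of claim 3 is the Blizzard MPQ string hash (the hash the summary calls the Blizzard algorithm), that the feature selector of claim 3 is a document-frequency difference between malware and normal apps, and that the permission, system-call and control-flow-graph lists are short constructed samples rather than the full Android sets the patent downloads.

```python
"""Frequency-vector construction for the three feature families of claims
2-4 (added example, not the patent's code).  Assumptions not in the patent:
the claim-3 "string hash" is the Blizzard MPQ string hash; the feature
selector is a document-frequency difference; and the permission, syscall and
CFG lists below are short constructed samples, not the full Android sets."""
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

MASK32 = 0xFFFFFFFF

# Constructed stand-ins for the standard sets the patent downloads.
STANDARD_PERMISSIONS = ["android.permission.INTERNET", "android.permission.SEND_SMS",
                        "android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE"]
STANDARD_SYSCALLS = ["read", "write", "open", "socket", "connect", "sendto"]


def _mpq_crypt_table() -> List[int]:
    """The 0x500-entry table the MPQ hash indexes, regenerated from its seed."""
    table = [0] * 0x500
    seed = 0x00100001
    for index1 in range(0x100):
        index2 = index1
        for _ in range(5):
            seed = (seed * 125 + 3) % 0x2AAAAB
            temp1 = (seed & 0xFFFF) << 16
            seed = (seed * 125 + 3) % 0x2AAAAB
            temp2 = seed & 0xFFFF
            table[index2] = temp1 | temp2
            index2 += 0x100
    return table


_CRYPT = _mpq_crypt_table()


def mpq_hash(text: str, hash_type: int = 0) -> int:
    """32-bit Blizzard MPQ string hash; ASCII letters are upper-cased first,
    so the hash is case-insensitive, as in the original C implementation."""
    seed1, seed2 = 0x7FED7FED, 0xEEEEEEEE
    for byte in text.encode("utf-8"):
        ch = byte - 32 if 97 <= byte <= 122 else byte      # toupper()
        seed1 = (_CRYPT[(hash_type << 8) + ch] ^ (seed1 + seed2)) & MASK32
        seed2 = (ch + seed1 + seed2 + (seed2 << 5) + 3) & MASK32
    return seed1


def frequency_vector(observed: Iterable, standard_set: Sequence) -> List[int]:
    """Claims 2 and 4: how often each member of the standard set occurs."""
    counts = Counter(observed)
    return [counts[item] for item in standard_set]


def select_rule_set(labeled_apps: Sequence[Tuple[Sequence[str], bool]],
                    top_k: int) -> List[int]:
    """Claim 3's feature-selection step: keep the top_k CFG hashes whose
    per-app document frequency differs most between malware and normal apps
    (assumed selector; the patent does not name one)."""
    mal, ben = Counter(), Counter()
    n_mal = max(1, sum(1 for _, is_mal in labeled_apps if is_mal))
    n_ben = max(1, len(labeled_apps) - n_mal)
    for cfgs, is_mal in labeled_apps:
        (mal if is_mal else ben).update({mpq_hash(c) for c in cfgs})
    score = {h: abs(mal[h] / n_mal - ben[h] / n_ben) for h in set(mal) | set(ben)}
    return sorted(score, key=lambda h: (-score[h], h))[:top_k]


def cfg_feature_vector(cfg_strings: Iterable[str], rule_set: Sequence[int]) -> List[int]:
    """Claim 3: hash every CFG string, then count hits against the rule set."""
    return frequency_vector((mpq_hash(c) for c in cfg_strings), rule_set)


def comprehensive_vector(permissions, cfg_strings, syscalls, rule_set) -> List[int]:
    """Claim 1 step A: concatenate the three frequency vectors."""
    return (frequency_vector(permissions, STANDARD_PERMISSIONS)
            + cfg_feature_vector(cfg_strings, rule_set)
            + frequency_vector(syscalls, STANDARD_SYSCALLS))


# Constructed CFGs (one string per graph) for four labelled training apps.
LABELED_CFGS = [
    (["main->getDeviceId->sendTextMessage", "main->exit"], True),
    (["main->getDeviceId->sendTextMessage", "main->connect->exit"], True),
    (["main->draw->exit", "main->exit"], False),
    (["main->draw->connect->exit", "main->exit"], False),
]

# Constructed observations for one application under test.
APP_PERMISSIONS = ["android.permission.INTERNET", "android.permission.SEND_SMS",
                   "android.permission.READ_PHONE_STATE"]
APP_CFGS = ["main->getDeviceId->sendTextMessage",
            "main->getDeviceId->sendTextMessage", "main->exit"]
APP_SYSCALLS = ["open", "read", "read", "socket", "connect", "sendto", "sendto", "write"]

if __name__ == "__main__":
    rules = select_rule_set(LABELED_CFGS, top_k=2)
    print(comprehensive_vector(APP_PERMISSIONS, APP_CFGS, APP_SYSCALLS, rules))
```

Because the MPQ hash is case-insensitive and only 32 bits wide, two distinct control flow graph strings can collapse into one rule-set entry; a practitioner who swaps in a wider hash only changes `mpq_hash`, the rest of the construction is unchanged.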
5. The batch Android malware detection method of claim 1, characterized in that the second contribution value of the intent record to malware detection is computed by: when the intent record contains an API for session communication, the second contribution value is set to 10 or a value greater than 10, so that the application program is certain to be detected as malware; when the intent record contains no session communication API but contains a sensitive API, the second contribution value is 1; when the intent record contains no sensitive API, the second contribution value is 0.
6. The batch Android malware detection method of claim 1, characterized in that the first contribution value of the power-consumption record to malware detection is computed by: when the power-consumption record of the application program shows that its use of power exceeds a certain threshold, the first contribution value is 1, otherwise it is 0.
7. The batch Android malware detection method of claim 1, characterized in that classifying the comprehensive feature vector with a data mining classification algorithm in step B comprises: classifying the comprehensive feature vector with the AROW online classification algorithm, which is based on confidence weights and is more accurate for two-class classification.
8. The batch Android malware detection method of claim 1, characterized in that the weighted computation on the classification result value, the first contribution value and the second contribution value in step D is:
R = p1*C + p2*I + p3*B;
where C is the classification result value, C being 1 if the classification result is that the application program is malware and 0 otherwise; p1 is the weight given to the classification result value; I is the first contribution value of the power-consumption record to malware detection; p2 is the weight given to the first contribution value; B is the second contribution value of the intent record to malware detection; p3 is the weight given to the second contribution value; and R is the computed result.
9. A batch Android malware detection device, characterized in that it performs batch Android malware detection by the method of any one of claims 1 to 8.
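Claims 5 to 8 fix the decision stage: an online AROW classifier gives C, the power-consumption and intent records give I and B, and R = p1*C + p2*I + p3*B is compared with a threshold. The following Python is an added example of that stage, not the patent's code. The diagonal-covariance form of AROW, the regularization constant r, the weights p1..p3, the power and decision thresholds, the API name sets and the training vectors are all assumptions of this example; the patent names AROW but fixes none of these values.

```python
"""Online AROW classification (claim 7), the contribution values of claims 5
and 6 and the weighted decision of claim 8, as an added example that is not
the patent's code.  Assumptions not fixed by the patent: the diagonal
covariance form of AROW, the regularization constant r, the weights p1..p3,
the power and decision thresholds, the API name sets and the training data."""
from typing import Iterable, List, Sequence, Tuple


class DiagonalAROW:
    """Adaptive Regularization of Weights (Crammer, Kulesza and Dredze, 2009)
    with a diagonal covariance: mu is the weight vector, sigma the per-feature
    variance; sigma shrinks each time a feature takes part in an update, so
    well-known features move less than rarely seen ones."""

    def __init__(self, dim: int, r: float = 1.0) -> None:
        self.mu = [0.0] * dim
        self.sigma = [1.0] * dim
        self.r = r

    def margin(self, x: Sequence[float]) -> float:
        return sum(m * xi for m, xi in zip(self.mu, x))

    def predict(self, x: Sequence[float]) -> int:
        """+1 = malware, -1 = normal software."""
        return 1 if self.margin(x) >= 0.0 else -1

    def update(self, x: Sequence[float], y: int) -> None:
        m = self.margin(x)
        if y * m >= 1.0:                     # correct with margin: nothing to learn
            return
        sx = [s * xi for s, xi in zip(self.sigma, x)]      # Sigma * x
        beta = 1.0 / (sum(sxi * xi for sxi, xi in zip(sx, x)) + self.r)
        alpha = (1.0 - y * m) * beta
        self.mu = [mi + alpha * y * sxi for mi, sxi in zip(self.mu, sx)]
        self.sigma = [s - beta * sxi * sxi for s, sxi in zip(self.sigma, sx)]

    def fit(self, data: Iterable[Tuple[Sequence[float], int]], epochs: int) -> None:
        """Repeated passes over the stream: the 'repeated, full learning' of the summary."""
        data = list(data)
        for _ in range(epochs):
            for x, y in data:
                self.update(x, y)


# Constructed API name sets standing in for the patent's unnamed lists.
SESSION_APIS = {"sendTextMessage", "sendDataMessage"}
SENSITIVE_APIS = {"getDeviceId", "getSubscriberId", "query"}


def intent_contribution(intent_record: Iterable[str]) -> int:
    """Claim 5: 10 if a session-communication API is present, else 1 if a
    sensitive API is present, else 0."""
    apis = set(intent_record)
    if apis & SESSION_APIS:
        return 10
    if apis & SENSITIVE_APIS:
        return 1
    return 0


def power_contribution(power_used: float, threshold: float) -> int:
    """Claim 6: 1 when the recorded power use exceeds the threshold, else 0."""
    return 1 if power_used > threshold else 0


def weighted_decision(clf: DiagonalAROW, x: Sequence[float], power_used: float,
                      intent_record: Iterable[str], weights=(0.6, 0.2, 0.2),
                      power_threshold: float = 5.0, decision_threshold: float = 0.5
                      ) -> Tuple[float, bool]:
    """Claim 8: R = p1*C + p2*I + p3*B, malware when R exceeds the threshold."""
    p1, p2, p3 = weights
    c = 1 if clf.predict(x) == 1 else 0
    i = power_contribution(power_used, power_threshold)
    b = intent_contribution(intent_record)
    r = p1 * c + p2 * i + p3 * b
    return r, r > decision_threshold


# Constructed comprehensive vectors: [SEND_SMS, READ_CONTACTS, socket calls,
# CFG rule hits, bias 1]; label +1 = malware, -1 = normal.
TRAINING_DATA: List[Tuple[List[float], int]] = [
    ([1, 1, 1, 1, 1], 1), ([0, 0, 1, 0, 1], -1),
    ([1, 0, 1, 1, 1], 1), ([0, 0, 0, 0, 1], -1),
    ([1, 1, 0, 1, 1], 1), ([0, 0, 1, 1, 1], -1),
]


def train_demo(epochs: int = 20) -> DiagonalAROW:
    clf = DiagonalAROW(dim=5)
    clf.fit(TRAINING_DATA, epochs)
    return clf


if __name__ == "__main__":
    clf = train_demo()
    print(weighted_decision(clf, [1, 1, 1, 1, 1], 8.0, ["sendTextMessage"]))
    print(weighted_decision(clf, [0, 0, 0, 0, 1], 1.0, ["startActivity"]))
```

The "certain to be detected" guarantee of claim 5 only holds when p3 times the intent value clears the decision threshold on its own: here 0.2 * 10 = 2.0 against a threshold of 0.5, but a p3 chosen small enough would silently void the guarantee, so the weights and the threshold have to be fixed together. The AROW step also shows why the summary insists on repeated learning: each update shrinks sigma for the features involved, so a single pass over a small sample leaves the classifier under-trained on the rarely seen features.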

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510142665.0A CN104834857B (en) 2015-03-27 batch Android malware detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510142665.0A CN104834857B (en) 2015-03-27 batch Android malware detection method and device

Publications (2)

Publication Number Publication Date
CN104834857A true CN104834857A (en) 2015-08-12
CN104834857B CN104834857B (en) 2018-02-09


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034042A (en) * 2010-12-13 2011-04-27 四川大学 Malicious code detection method based on function call relationship graph features
CN103177215A (en) * 2013-03-05 2013-06-26 四川电力科学研究院 Computer malware detection method based on software control flow features
CN103473504A (en) * 2013-09-25 2013-12-25 西安交通大学 Android malicious code detection method based on class analysis

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yang Huan et al.: "Android application malicious behaviour detection system based on multi-class features", Chinese Journal of Computers *
Xue Lihong et al.: "Discussion of key issues in batch security detection of mobile applications", Telecommunications Science *

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105224870B (en) * 2015-09-15 2019-04-26 百度在线网络技术(北京)有限公司 Method and apparatus for uploading suspected-virus applications
WO2017084451A1 (en) * 2015-11-18 2017-05-26 腾讯科技(深圳)有限公司 Method and apparatus for identifying malicious software
US10635812B2 (en) 2015-11-18 2020-04-28 Tencent Technology (Shenzhen) Company Limited Method and apparatus for identifying malicious software
CN106845220B (en) * 2015-12-07 2020-08-25 深圳先进技术研究院 Android malware detection system and method
CN106845220A (en) * 2015-12-07 2017-06-13 深圳先进技术研究院 Android malware detection system and method
CN106778241B (en) * 2016-11-28 2020-12-25 东软集团股份有限公司 Malicious file identification method and device
CN106778241A (en) * 2016-11-28 2017-05-31 东软集团股份有限公司 Malicious file identification method and device
CN106790025B (en) * 2016-12-15 2020-03-10 微梦创科网络科技(中国)有限公司 Method and device for detecting link maliciousness
CN106790025A (en) * 2016-12-15 2017-05-31 微梦创科网络科技(中国)有限公司 Method and device for detecting link maliciousness
CN106682516A (en) * 2016-12-23 2017-05-17 宇龙计算机通信科技(深圳)有限公司 Application program detection method, detection device and server
CN106685963B (en) * 2016-12-29 2020-10-30 济南大学 Method and system for establishing a malicious network traffic lexicon
CN106685963A (en) * 2016-12-29 2017-05-17 济南大学 Method and system for establishing a malicious network traffic lexicon
CN108197471A (en) * 2017-12-19 2018-06-22 北京神州绿盟信息安全科技股份有限公司 Malware detection method and device
CN108197471B (en) * 2017-12-19 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Malware detection method and device
CN109446809A (en) * 2018-10-31 2019-03-08 北斗智谷(北京)安全技术有限公司 Malicious program identification method and electronic device
CN109614795A (en) * 2018-11-30 2019-04-12 武汉大学 Event-aware Android malware detection method
CN110543765A (en) * 2019-08-28 2019-12-06 南京市晨枭软件技术有限公司 Malware detection method
CN110837638B (en) * 2019-11-08 2020-09-01 鹏城实验室 Method, device, equipment and storage medium for detecting ransomware
CN110837638A (en) * 2019-11-08 2020-02-25 鹏城实验室 Method, device, equipment and storage medium for detecting ransomware
CN112364349A (en) * 2020-11-30 2021-02-12 江苏极鼎网络科技有限公司 Intelligent detection equipment for mobile phone apps
CN112632538A (en) * 2020-12-25 2021-04-09 北京工业大学 Android malware detection method and system based on mixed features
CN112632548A (en) * 2020-12-30 2021-04-09 北京天融信网络安全技术有限公司 Malicious Android program detection method and device, electronic device and storage medium
CN112632548B (en) * 2020-12-30 2024-01-23 北京天融信网络安全技术有限公司 Malicious Android program detection method and device, electronic device and storage medium
CN113392399A (en) * 2021-06-23 2021-09-14 绿盟科技集团股份有限公司 Malware classification method, device, equipment and medium
CN114065199A (en) * 2021-11-18 2022-02-18 山东省计算中心(国家超级计算济南中心) Cross-platform malicious code detection method and system

Similar Documents

Publication Publication Date Title
CN107659570A Webshell detection method and system based on machine learning and combined static and dynamic analysis
CN107944274A Android platform malicious application offline detection method based on broad learning
Liu et al. Identifying and analyzing the privacy of apps for kids
CN111639337B Unknown malicious code detection method and system for massive Windows software
CN103927483B Decision model for detecting malicious programs and malicious program detection method
CN105893848A Android malicious application prevention method based on code behaviour similarity matching
CN109753801A Intelligent terminal malware dynamic detection method based on system calls
Urooj et al. Malware detection: a framework for reverse engineered android applications through machine learning algorithms
CN106778266A Android malware dynamic detection method based on machine learning
CN107169351A Android unknown malware detection method combining dynamic behaviour features
CN104123493A Method and device for detecting the security of application programs
CN110795732A SVM-based combined dynamic and static detection method for malicious code on Android mobile network terminals
CN108009425A File detection and threat level determination method, apparatus and system
CN103106365A Detection method for malicious application software on mobile terminals
CN109271788A Android malware detection method based on deep learning
CN104158828B Method and system for identifying suspicious phishing web pages based on a cloud content rule base
CN106599688A Android malware detection method based on application category
CN111931047B Artificial intelligence-based black-market account detection method and related device
Daoudi et al. A deep dive inside drebin: An explorative analysis beyond android malware detection scores
CN109933977A Method and device for detecting webshell data
CN106874760A Android malicious code classification method based on hierarchical SimHash
CN107665164A Secure data detection method and device
CN111967503A Method for constructing a multi-type abnormal web page classification model and abnormal web page detection method
CN112688966A Webshell detection method, device, medium and equipment
CN116186716A Security analysis method and device for continuous integration deployment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant