CN105138916A - Multi-track malicious program feature detecting method based on data mining - Google Patents

Multi-track malicious program feature detecting method based on data mining

Info

Publication number
CN105138916A
CN105138916A
Authority
CN
China
Prior art keywords
track
program
feature
mining
behavior
Prior art date
Legal status
Granted
Application number
CN201510516268.5A
Other languages
Chinese (zh)
Other versions
CN105138916B (en)
Inventor
单征
赵荣彩
庞建明
李男
范超
蔡洪波
赵炳麟
王银浩
龚雪容
蔡国明
薛飞
闫丽景
贾珣
徐晓燕
王洋
陈鹏
魏亮
Current Assignee
PLA Information Engineering University
Original Assignee
PLA Information Engineering University
Priority date
2015-08-21
Filing date
2015-08-21
Publication date
2015-12-09
2015-08-21 Application filed by PLA Information Engineering University
2015-08-21 Priority to CN201510516268.5A
2015-12-09 Publication of CN105138916A
Application granted
2018-02-02 Publication of CN105138916B
Legal status: Active
Anticipated expiration

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention relates to a multi-trace malicious program feature detection method based on data mining. The method comprises a behaviour trace acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a metric detection step. In the behaviour trace acquisition step, the system call sequence of the program as it runs is obtained; in the fragmentation step, the acquired software behaviour traces are split into fragments to suit the needs of the mining process; in the feature extraction and feature database construction step, an improved sequential pattern mining algorithm from data mining is used to obtain the frequent subsequence sets of the file stream, network flow and resource flow behaviour, normal program behaviour trace fragments are removed, and a malicious behaviour feature database is constructed; in the metric detection step, the program running in real time is measured against the constructed three-dimensional feature database. The method has high detection accuracy.

Description

Multi-trace malicious program feature detection method based on data mining
(1) Technical field:
The present invention relates to a malicious program feature detection method, and in particular to a multi-trace malicious program feature detection method based on data mining.
(2) Background:
At present, detection methods based on static reverse engineering have difficulty defeating the anti-disassembly techniques used by malicious code, so malicious code features cannot be extracted and checked; and the virus database updates of commercial antivirus software based on signature matching lag seriously behind new samples. The malicious behaviour of malicious code and its variants, however, stays essentially unchanged, so malicious code features are extracted by dynamic analysis of the program's behaviour as it runs.
1. Malicious code detection:
Malicious code detection methods fall into two broad classes: heuristic-based and signature-based. Heuristic detection identifies hidden files, processes and registry entries by comparing system information reported at the upper layer with the system state taken from the kernel. It can find unknown malicious programs, but its rules are generated from analyst experience, and in practice it suffers from high false positive and false negative rates, so it is used less in detection systems, particularly in commercial antivirus software. Signature-based detection relies on features extracted from malicious code; compared with heuristic detection it offers higher detection efficiency and a lower false positive rate, so it is widely used in malicious code detection tools and is the mainstream approach today.
Signature-based detection divides into static feature detection and dynamic (behavioural) feature detection. Static feature detection obtains malicious code features by statically analysing the PE structure of the file, its binary bytecode or the disassembled code. It does not require the malicious code to actually run and is relatively simple to implement, and most current research is based on it. Because static detection rests on static analysis of the PE file, its advantage is that the malicious code is never executed and the system is not damaged. However, much current malware uses packing and obfuscation to interfere with disassembly; if unpacking or decompression fails, static analysis of the PE file cannot be completed and detection fails, and tampering with the temporal ordering of the API sequence can also evade the detector. Dynamic (behavioural) detection runs the malicious program in a virtual environment, monitors its behaviour and obtains its behavioural features. Some malicious programs detect the virtual environment of a virtual-machine-based scanner and bypass the detector by inserting special instructions or constructing special structures in their code, so the antivirus software fails to detect them. Dynamic detection in a virtual environment also faces the multi-path problem: a malicious program executes different paths depending on its input data, so the dynamically captured behaviour does not cover all of its malicious behaviour, and false negatives result.
2. Malicious code detection based on data mining:
Sequential pattern discovery (finding all frequent subsequences in a sequence database) is an active research branch of data mining, and sequential pattern algorithms have been applied successfully to malicious code detection. Existing work uses variable-length N-grams of machine-code byte sequences as the feature extraction method, weighted information gain for feature selection, and classifiers such as decision trees, support vector machines and naive Bayes to detect malicious code; other work uses Apriori-like algorithms from data mining to detect malicious code. All of these methods, however, extract behavioural features statically and so cannot overcome the defects of static detection.
(3) Summary of the invention:
The technical problem to be solved by the present invention is to provide a multi-trace malicious program feature detection method based on data mining with high detection accuracy.
Technical scheme of the present invention: a multi-trace malicious program feature detection method based on data mining, comprising a behaviour trace acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a metric detection step;
The behaviour trace acquisition step obtains the system call sequence of the program as it runs and is the basis of the model;
The fragmentation step splits the acquired software behaviour traces into fragments to suit the needs of the mining process;
The feature extraction and feature database construction step uses the improved sequential pattern mining algorithm from data mining (the Prefixspan-x algorithm) to obtain the frequent subsequence sets of the file stream, network flow and resource flow, removes normal program behaviour trace fragments and constructs the malicious behaviour feature database;
The metric detection step measures the program running in real time against the constructed three-dimensional feature database and performs detection.
The behaviour trace acquisition step uses the Linux system tool strace to trace the program dynamically and obtain its execution trace at runtime.
The behaviour traces acquired for the training set must be fragmented, and the fragment size determines the efficiency and accuracy of the system.
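As an added example (not code from the patent), the acquisition and fragmentation steps above can be implemented by parsing the output of `strace -f -o trace.log <program>` into one ordered system-call sequence per traced process, projecting that sequence onto the three trace types (file stream, network flow, resource flow) and cutting each trace into fixed-size fragments. The strace excerpt below is constructed, and the assignment of call names to the three streams is an assumption: the patent does not list which calls belong to each stream.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the format of `strace -f -o trace.log ./sample`
# (hypothetical process IDs and arguments; not a real capture).
SAMPLE_STRACE = """\
1201  execve("./sample", ["./sample"], 0x7ffd1c0 /* 12 vars */) = 0
1201  brk(NULL)                          = 0x55d0000
1201  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a0000
1201  openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1201  read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 4096) = 1024
1201  lseek(3, 0, SEEK_SET)              = 0
1201  close(3)                           = 0
1201  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1201  connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1201  sendto(4, "root:x:0:0"..., 1024, 0, NULL, 0) = 1024
1201  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1202} ---
1201  read(4,  <unfinished ...>
1202  +++ exited with 0 +++
1201  <... read resumed>"", 4096)        = 0
1201  mprotect(0x7f3a0000, 8192, PROT_READ|PROT_EXEC) = 0
1201  exit_group(0)                      = ?
1201  +++ exited with 0 +++
"""

# One strace record: optional PID column (with -f), optional timestamp (with -t/-tt), call name, "(".
CALL_RE = re.compile(
    r"^(?:(?P<pid>\d+)\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?(?P<call>[a-z_][a-z0-9_]*)\(")
# Second half of a call interrupted by another thread; its entry line was already recorded.
RESUMED_RE = re.compile(r"<\.\.\. [a-z_][a-z0-9_]* resumed>")

# Assumed split of the call vocabulary into the three streams the patent mines.
FILE_CALLS = {"open", "openat", "creat", "read", "write", "pread64", "pwrite64", "lseek",
              "close", "fsync", "stat", "fstat", "unlink", "rename", "dup", "dup2"}
NET_CALLS = {"socket", "connect", "bind", "listen", "accept", "accept4", "send", "sendto",
             "sendmsg", "recv", "recvfrom", "recvmsg", "shutdown"}
RESOURCE_CALLS = {"brk", "mmap", "munmap", "mprotect", "mremap", "clone", "fork", "vfork",
                  "execve", "exit_group", "kill", "ptrace"}


def parse_strace(text: str) -> Dict[str, List[str]]:
    """Turn strace -f output into one ordered system-call sequence per traced PID.

    Signal deliveries (`--- SIG... ---`), exit markers (`+++ exited ... +++`) and the
    `<... resumed>` halves of interrupted calls are skipped, so each call counts once.
    """
    sequences: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if RESUMED_RE.search(line):
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        pid = m.group("pid") or "0"  # no PID column when strace runs without -f
        sequences.setdefault(pid, []).append(m.group("call"))
    return sequences


def split_streams(calls: List[str]) -> Dict[str, List[str]]:
    """Project one call sequence onto the file, network and resource behaviour traces."""
    streams: Dict[str, List[str]] = {"file": [], "network": [], "resource": []}
    for call in calls:
        if call in FILE_CALLS:
            streams["file"].append(call)
        elif call in NET_CALLS:
            streams["network"].append(call)
        elif call in RESOURCE_CALLS:
            streams["resource"].append(call)
        # Calls outside the three vocabularies belong to no trace and are dropped.
    return streams


def fragment(calls: List[str], size: int) -> List[Tuple[str, ...]]:
    """Fixed-size fragmentation of a trace; the last fragment may be shorter."""
    if size < 1:
        raise ValueError("fragment size must be positive")
    return [tuple(calls[i:i + size]) for i in range(0, len(calls), size)]


if __name__ == "__main__":
    for pid, calls in parse_strace(SAMPLE_STRACE).items():
        streams = split_streams(calls)
        print(pid, {name: fragment(trace, 4) for name, trace in streams.items()})
```

Classifying by call name puts read() and write() on a socket into the file stream; telling them apart would require tracking where each file descriptor came from, which the page does not describe. The fragment size is the knob the text above says governs efficiency and accuracy: a pattern that straddles a fragment boundary is split across two fragments and is not matched as one.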
In the feature extraction and feature database construction step:
The improved sequential pattern mining algorithm (Prefixspan-x) optimises the search for sequences meeting the minimum support with an Aho-Corasick (AC) automaton, and discards frequent sequences that do not meet the minimum length while constructing the projected databases, thereby reducing the space and time overhead of the mining process;
The feature database (Signature Database, SD) is a database made up of a series of features that characterise malicious programs;
In data mining, sequential pattern mining algorithms are well suited to mining software behaviour features from very large sequence databases. The present invention uses the improved sequential pattern mining algorithm Prefixspan-x for sequence mining, removes the normal behaviour fragments from the mined frequent sequences using a normal behaviour trace training set, and so constructs the feature database;
Among sequential pattern mining algorithms, PrefixSpan performs well compared with other algorithms, and the improved Prefixspan-x is more efficient still, so it can cope with large-scale sequential pattern mining to extract malicious code feature sequences.
The feature database consists of a three-dimensional feature vector space: the file stream feature vector space, the network flow feature vector space and the resource flow feature vector space;
$$SD = (\vec{FD}, \vec{ND}, \vec{SD}) \qquad (1)$$
In formula (1), $\vec{FD}$ denotes the file stream feature vector space, $\vec{ND}$ the network flow feature vector space and $\vec{SD}$ the resource flow feature vector space.
Construction of the feature database is divided into two stages: stage one mines frequent subsequences with the improved sequential pattern mining algorithm (Prefixspan-x), and stage two reduces the frequent subsequence set extracted in stage one;
Stage one proceeds as follows: for the malicious programs in the given training set, obtain their file stream behaviour traces, network flow behaviour traces and resource control flow behaviour traces, and initialise the file stream, network flow and resource control flow behaviour trace training sets respectively; then mine the frequent subsequence sets with the improved sequential pattern mining algorithm (Prefixspan-x);
Stage two filters out normal behaviour trace fragments: the frequent subsequence set extracted in stage one contains not only fragments of malicious behaviour traces but also fragments of normal behaviour traces; filtering out the normal behaviour trace fragments yields the malicious behaviour feature vector space. The normal behaviour trace data set is taken from the behaviour traces of programs running normally in a freshly installed operating system.
The metric detection step uses a multi-trace metric algorithm: it measures the acquired behaviour sequences in real time according to the file operation trace, network access trace and memory resource usage trace of the running program, assesses the program's real-time behaviour from the measurement results according to the evaluation criteria and decision rule, and feeds the assessment back to the system control process, thereby achieving dynamic detection of malicious programs.
Beneficial effects of the present invention:
Aiming at the low accuracy and high false positive rate of current malicious program behaviour feature detection, the present invention adopts a multi-trace cross-detection method based on the behavioural features of malicious programs: it builds a three-dimensional malicious behaviour feature database from the behavioural features of file operations, network access and memory resource access, which improves matching accuracy. To address the efficiency and accuracy of feature database construction, an improved data mining algorithm, Prefixspan-x, is designed: frequent sequence lookup is optimised with an AC automaton while the projected databases are built, and frequent sequences that do not meet the minimum length are discarded, which improves the efficiency of malicious behaviour feature mining. The present invention extracts the malware behaviour feature database dynamically and performs threshold matching, which overcomes the difficulty that packing and obfuscation cause for obtaining software behaviour traces by static disassembly, and so achieves higher accuracy. The present invention can dynamically monitor programs running on a Linux system and protect system and data security.
(4) Description of the drawing:
Fig. 1 is a schematic flow chart of the multi-trace malicious program feature detection method based on data mining.
(5) Embodiment:
The multi-trace malicious program feature detection method based on data mining (as shown in Fig. 1) comprises a behaviour trace acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a metric detection step; these steps, the strace-based trace acquisition, the fragmentation of the training traces, the Prefixspan-x algorithm, the three-dimensional feature database of formula (1), its two-stage construction and the multi-trace metric detection step are as described in section (3) above.
To explain the multi-trace malicious program feature detection method based on data mining more thoroughly and intuitively, it is described in more detail below:
1. The improved sequential pattern mining algorithm Prefixspan-x:
The PrefixSpan algorithm generates no candidate sequences during mining, and the projected databases shrink steadily relative to the original sequence database. The cost of constructing the projected databases is, however, large, and the algorithm handles dense data sets and long patterns poorly. Recursively building a large number of projected databases, and scanning them repeatedly while the algorithm runs, are its main costs, so reducing the size of the projected databases and optimising the scan time are the main ways to improve PrefixSpan. Prefixspan-x optimises the search for sequences meeting the minimum support with an AC automaton and discards frequent sequences not meeting the minimum length while the projected databases are constructed, thereby reducing the space and time overhead of mining.
The Prefixspan-x algorithm is as follows:
Input: (S, min_sup, L_min)          // S is the sequence database, min_sup the minimum support threshold, L_min the minimum frequent sequence length
Output: M1                           // the set of frequent sequences meeting both minimum support and minimum length
Method: prefixspan-x(<>, 0, S, L_min)
Subroutine: prefixspan-x(a, l(a), S|a, L_min)   // a is a sequence, l(a) the length of a, S|a the database projected on a
prefixspan-x():
    AC(S, min_sup)|1                 // scan the database S once with the AC automaton and obtain the length-1 sequences meeting minimum support
    S|a = creatsuffix(S, a)          // construct the projected database
    b ∈ S|a                          // generate new items from the projected database
    foreach (b ≠ null)
    {
        a' = a + b;                  // assemble the sequence pattern
        if (l(a') ≥ L_min)
            get a';
        else
            delete a';               // discard the pattern that does not meet the minimum length
    }
    S|a' = creatsuffix(S|a, a');
    prefixspan-x(a', l(a) + 1, S|a', L_min);
    output(M1);                      // obtain the frequent sequence set
For example, given the following sequence database, with minimum support 2 and minimum frequent sequence length 1:
<(read,write)(read,lseek)>
<(lseek,dup)(dup2,pread,close)>
<(read,lseek)(fsync)(close)>
<(fsync)>
First find the frequent items, i.e. those with support greater than 1: read (2), lseek (3), fsync (2) and close (2). Then remove the infrequent items, giving the database:
<(read)(read,lseek)>
<(lseek)(close)>
<(read,lseek)(fsync)(close)>
<(fsync)>
For each frequent item read, lseek, fsync and close in turn, generate its projected database (the suffix that follows the first occurrence of that item in each sequence) and drop frequent sequences shorter than L_min (with L_min = 1 nothing is dropped). The projected database of prefix <(read)> is:
<(read,lseek)>
<(lseek)(fsync)(close)>
and that of prefix <(lseek)> is:
<(close)>
<(fsync)(close)>
In the projected database of prefix <(read)> the item lseek is again frequent (support 2), and in the projected database of prefix <(lseek)> the item close is again frequent (support 2), so the frequent sequences <(read,lseek)> and <(lseek)(close)> are generated. Their projected databases, <(fsync)(close)> for <(read,lseek)> (from the third sequence only) and the empty database for <(lseek)(close)>, contain no item with support 2, so the algorithm stops. The projected databases of <(fsync)> (<(close)>, support 1) and <(close)> (empty) likewise yield no further frequent sequences.
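The following is an added example, not the patent's code: a plain PrefixSpan with the patent's minimum-length filter, run on the example database above. The traces are treated as ordered sequences of single calls, as strace produces them (the parenthesised groups are flattened in order), which is the reading under which the worked example's support counts come out as stated; the AC-automaton optimisation of the first scan is not implemented.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Pattern = Tuple[str, ...]

# Constructed input: the four traces of the worked example above, read as ordered
# system-call sequences (the parenthesised groups are flattened in order).
EXAMPLE_DB: List[List[str]] = [
    ["read", "write", "read", "lseek"],
    ["lseek", "dup", "dup2", "pread", "close"],
    ["read", "lseek", "fsync", "close"],
    ["fsync"],
]


def frequent_items(projected: Sequence[Sequence[str]], min_sup: int) -> Dict[str, int]:
    """Support of each call in the projected database, counting once per sequence."""
    support: Dict[str, int] = defaultdict(int)
    for suffix in projected:
        for call in set(suffix):
            support[call] += 1
    return {call: n for call, n in support.items() if n >= min_sup}


def project(projected: Sequence[Sequence[str]], call: str) -> List[Sequence[str]]:
    """Suffix of every sequence after the first occurrence of `call`; sequences without it drop out."""
    out: List[Sequence[str]] = []
    for suffix in projected:
        if call in suffix:
            out.append(suffix[suffix.index(call) + 1:])
    return out


def prefixspan_x(db: Sequence[Sequence[str]], min_sup: int, l_min: int) -> Dict[Pattern, int]:
    """PrefixSpan with the patent's minimum-length filter: return {pattern: support}
    for every sequential pattern with support >= min_sup and length >= l_min."""
    result: Dict[Pattern, int] = {}

    def grow(prefix: Pattern, projected: Sequence[Sequence[str]]) -> None:
        for call, sup in frequent_items(projected, min_sup).items():
            pattern = prefix + (call,)
            # Patterns shorter than l_min are not emitted, but they must still be
            # extended: a short prefix can grow into a long frequent pattern.
            if len(pattern) >= l_min:
                result[pattern] = sup
            grow(pattern, project(projected, call))

    grow((), db)
    return result


if __name__ == "__main__":
    for pattern, sup in sorted(prefixspan_x(EXAMPLE_DB, 2, 1).items()):
        print("<" + " ".join(pattern) + ">", sup)
```

With min_sup = 2 and L_min = 1 the result is exactly the set derived by hand above: read, lseek, close, fsync, <read lseek> and <lseek close>. Raising L_min to 2 keeps only the two-call patterns, which is the size reduction of the feature database that the minimum-length filter is for; note that the filter cannot prune the recursion itself, only the output, because support is anti-monotone but length is not.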
2. Construction of the feature database:
The learning problem for the malicious behaviour feature database can be described as:
1) Given a malicious program training set θ and a minimum support min_sup;
2) Obtain the malicious program behaviour traces, i.e. the file stream, network flow and resource control flow behaviour traces;
3) Mine the frequent subsequence set M1 meeting minimum support and minimum length with the Prefixspan-x algorithm;
4) Given a normal software behaviour trace set, remove normal behaviour trace fragments from M1;
5) Generate the malicious behaviour feature database SD;
Construction of the feature database proceeds in the two stages described in section (3): stage one mines the frequent subsequence set for each of the three trace types with the improved sequential pattern mining algorithm (Prefixspan-x), and stage two filters normal behaviour trace fragments out of that set, since the mined set contains fragments of normal as well as malicious behaviour traces, using the normal behaviour trace data set taken from programs running normally in a freshly installed operating system. The algorithm for stage two is as follows:
Algorithm 3: eliminating normal behaviour
Input: M1                        // frequent behaviour patterns
Output: M2                       // malicious behaviour patterns
Method: eliminate(M1, D_n)       // D_n is the set of normal behaviour traces
    for each frequent behaviour pattern t ∈ M1 do
        for each normal behaviour trace fragment s ∈ D_n do
            if s MATCH t         // does the frequent subsequence t in M1 match the normal behaviour fragment s?
                Delete t From M1;    // remove t from M1
        Endfor
    Endfor
    output M2;                   // obtain the malicious behaviour result
3. Multi-trace detection based on behavioural features:
The detection procedure is:
Obtain the program's behaviour traces for file stream operations, network operations and memory and other resource operations during the monitoring period. Let the acquired behaviour traces be $R_f$, $R_n$ and $R_s$ respectively, with $r$, $m$ and $q$ the lengths of the corresponding system call sequences, and let $S^i_k$ denote the $k$-th trace fragment of the system call sequence of trace $i$ ($i = f, n, s$; $1 \le k \le l(R_i)$). Let $class(S) = 0$ be the matching weight of sequence $S$, initialised to 0. The following describes the file stream behaviour trace only; the other two traces are treated in the same way;
Fragment $R_f$ into $N$ trace fragments $S_1, S_2, S_3, \dots, S_N$, where fragment $S_i$ is the system call sequence running from the end of $S_{i-1}$ to its own end point, so that the $N$ fragments have lengths $l(1), l(2), l(3), \dots, l(N)$;
Compare the $N$ trace fragments $S_1, S_2, S_3, \dots, S_N$ with the file stream part of the feature database (file-sign) in order from $N$ down to 1 and compute: if a fragment matches a feature in the feature database, $class(S_i) = 1$, otherwise $class(S_i) = 0$. This yields the weight sequence:
$(class(S_1), class(S_2), class(S_3), \dots, class(S_N))$
From the weight sequence compute the decision value, then decide on the program's current behaviour from the decision value and the preset decision threshold $\lambda$;
Decision component: $sign_f = class(S_1) \vee class(S_2) \vee \dots \vee class(S_N)$
Perform the same operations on the network flow and memory resource flow behaviour traces to obtain $sign_n$ and $sign_s$.
The decision value is $sign = sign_f + sign_n + sign_s$, and the decision is:
If $sign > \lambda$ (with $\lambda \neq 0$), the behaviour is judged malicious;
If $sign \le \lambda$, the behaviour is judged normal.
$\lambda$ is a decision threshold set by the user; different values represent different security levels: a smaller value represents a stricter (higher) security level, a larger value a more permissive (lower) one.
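Added example code (not from the patent) for the two steps that consume the mined set: Algorithm 3's removal of normal-behaviour fragments, and the multi-trace decision of section 3. The MATCH relation, which the page leaves undefined, is taken here to mean that the pattern occurs in the fragment as an ordered (not necessarily contiguous) subsequence, the same sense in which the miner counts support. M1 is the result of the worked mining example above; the normal fragments, the network and memory features and the runtime traces are constructed. The run with fragment size 3 and λ = 2 shows a file-stream feature that straddles a fragment boundary being missed, which is the fragment-size sensitivity the summary warns about.

```python
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Pattern = Tuple[str, ...]

# Constructed data. M1 is the frequent set mined from the worked example above;
# the normal-behaviour fragments are hypothetical.
M1: Dict[Pattern, int] = {
    ("read",): 2, ("lseek",): 3, ("close",): 2, ("fsync",): 2,
    ("read", "lseek"): 2, ("lseek", "close"): 2,
}
NORMAL_FRAGMENTS: List[Pattern] = [
    ("open", "read", "write", "close"),
    ("open", "read", "lseek"),
    ("write", "fsync", "close"),
]


def matches(pattern: Pattern, trace: Sequence[str]) -> bool:
    """Assumed MATCH relation: `pattern` occurs in `trace` as an ordered subsequence."""
    it = iter(trace)
    return all(call in it for call in pattern)  # `in` advances the iterator past each hit


def eliminate(m1: Dict[Pattern, int], normal: Iterable[Pattern]) -> Dict[Pattern, int]:
    """Algorithm 3: keep only the frequent patterns that match no normal-behaviour fragment."""
    normal = list(normal)
    return {t: s for t, s in m1.items() if not any(matches(t, frag) for frag in normal)}


def fragment(trace: Sequence[str], size: int) -> List[Pattern]:
    """Cut a runtime trace into N fragments S_1..S_N of at most `size` calls each."""
    return [tuple(trace[i:i + size]) for i in range(0, len(trace), size)]


def stream_sign(trace: Sequence[str], features: Set[Pattern], size: int) -> int:
    """sign_x = class(S_1) OR ... OR class(S_N): 1 if any fragment matches any feature."""
    return int(any(matches(f, frag) for frag in fragment(trace, size) for f in features))


def decide(traces: Dict[str, Sequence[str]], sd: Dict[str, Set[Pattern]],
           size: int, lam: int) -> Tuple[int, bool]:
    """Decision value sign = sign_f + sign_n + sign_s; malicious iff sign > lambda (lambda != 0)."""
    if lam == 0:
        raise ValueError("the decision threshold must be non-zero")
    sign = sum(stream_sign(traces[k], sd[k], size) for k in ("file", "network", "resource"))
    return sign, sign > lam


# Hypothetical runtime traces of one monitored program, and the three-dimensional
# feature database: the file part is M2 from Algorithm 3, the other two are made up.
RUNTIME: Dict[str, Sequence[str]] = {
    "file": ["open", "read", "lseek", "write", "close", "fsync"],
    "network": ["socket", "connect", "send", "recv", "close"],
    "resource": ["brk", "mmap", "mprotect", "munmap"],
}
SD: Dict[str, Set[Pattern]] = {
    "file": set(eliminate(M1, NORMAL_FRAGMENTS)),
    "network": {("socket", "connect", "send")},
    "resource": {("mmap", "mprotect")},
}

if __name__ == "__main__":
    print("M2 =", eliminate(M1, NORMAL_FRAGMENTS))
    for size in (3, 6):
        print("fragment size", size, "->", decide(RUNTIME, SD, size, 2))
```

Algorithm 3 leaves only <lseek close> in the file-stream feature set, since every other mined pattern also occurs in some normal fragment. With fragment size 3 the file trace is cut between lseek and close, so $sign_f = 0$ and the decision value 2 does not exceed λ = 2; with fragment size 6 the same trace yields $sign_f = 1$ and the program is judged malicious. Lowering λ to 1 makes the size-3 run malicious as well, which is the stricter security level the text describes.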

Claims (5)

1. A multi-trace malicious program feature detection method based on data mining, characterised in that it comprises a behaviour trace acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a metric detection step; the behaviour trace acquisition step obtains the system call sequence of the program as it runs;
the fragmentation step splits the acquired software behaviour traces into fragments to suit the needs of the mining process;
the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining to obtain the frequent subsequence sets of the file stream, network flow and resource flow, removes normal program behaviour trace fragments and constructs the malicious behaviour feature database;
the metric detection step measures the program running in real time against the constructed three-dimensional feature database and performs detection.
2. The multi-trace malicious program feature detection method based on data mining according to claim 1, characterised in that the behaviour trace acquisition step uses the Linux system tool strace to trace the program dynamically and obtain its execution trace at runtime.
3. The multi-trace malicious program feature detection method based on data mining according to claim 1, characterised in that, in the feature extraction and feature database construction step, the improved sequential pattern mining algorithm optimises the search for sequences meeting the minimum support with an AC automaton and discards frequent sequences not meeting the minimum length while constructing the projected databases, thereby reducing the space and time overhead of the mining process;
the feature database is a database made up of a series of features characterising malicious programs, and consists of a three-dimensional feature vector space: the file stream feature vector space, the network flow feature vector space and the resource flow feature vector space.
4. The multi-trace malicious program feature detection method based on data mining according to claim 3, characterised in that construction of the feature database is divided into two stages: stage one mines frequent subsequences with the improved sequential pattern mining algorithm, and stage two reduces the frequent subsequence set extracted in stage one;
stage one proceeds as follows: for the malicious programs in the given training set, obtain their file stream behaviour traces, network flow behaviour traces and resource control flow behaviour traces, and initialise the file stream, network flow and resource control flow behaviour trace training sets respectively; then mine the frequent subsequence sets with the improved sequential pattern mining algorithm;
stage two filters out normal behaviour trace fragments: the frequent subsequence set extracted in stage one contains not only fragments of malicious behaviour traces but also fragments of normal behaviour traces; filtering out the normal behaviour trace fragments yields the malicious behaviour feature vector space; the normal behaviour trace data set is taken from the behaviour traces of programs running normally in a freshly installed operating system.
5. The multi-trace malicious program feature detection method based on data mining according to claim 1, characterised in that the metric detection step uses a multi-trace metric algorithm: it measures the acquired behaviour sequences in real time according to the file operation trace, network access trace and memory resource usage trace of the running program, assesses the program's real-time behaviour from the measurement results according to the evaluation criteria and decision rule, and feeds the assessment back to the system control process, thereby achieving dynamic detection of malicious programs.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510516268.5A CN105138916B (en) 2015-08-21 2015-08-21 Multi-trace malicious program feature detection method based on data mining

Publications (2)

Publication Number Publication Date
CN105138916A (en) 2015-12-09
CN105138916B (en) 2018-02-02

Family

ID=54724261

Country Status (1)

Country Link
CN (1) CN105138916B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105868626A (en) * 2016-03-25 2016-08-17 PLA Information Engineering University Method for monitoring software business behaviour based on coarse-grained control flow integrity
CN106650445A (en) * 2016-12-16 2017-05-10 East China Normal University Malicious program recognition method
CN106845224A (en) * 2016-12-16 2017-06-13 East China Normal University Malicious program identification system
CN107844540A (en) * 2017-10-25 2018-03-27 University of Electronic Science and Technology of China Time series mining method for electric power data
CN109450942A (en) * 2018-12-25 2019-03-08 北京戴纳实验科技有限公司 Safety detection method and detection device for an Internet of Things laboratory management system
CN109753800A (en) * 2019-01-02 2019-05-14 Chongqing University of Posts and Telecommunications Android malicious application detection method and system combining frequent itemsets and the random forest algorithm
CN110362995A (en) * 2019-05-31 2019-10-22 Chengdu College of University of Electronic Science and Technology of China Malware detection and analysis system based on reverse engineering and machine learning
CN110704773A (en) * 2018-06-25 2020-01-17 SF Technology Co., Ltd. Abnormal behaviour detection method and system based on frequent behaviour sequence patterns
CN110728583A (en) * 2019-10-11 2020-01-24 Alipay (Hangzhou) Information Technology Co., Ltd. Method and system for identifying fraudulent claim behaviour
CN112035836A (en) * 2019-06-04 2020-12-04 Sichuan University Malicious code family API sequence mining method

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101359351A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 Multilayer semantic annotation and detection method against malignancy
CN102054149A (en) * 2009-11-06 2011-05-11 中国科学院研究生院 Method for extracting malicious code behavior characteristic
CN103617393A (en) * 2013-11-28 2014-03-05 北京邮电大学 Method for mobile internet malicious application software detection based on support vector machines
US20150143521A1 (en) * 2013-06-28 2015-05-21 Kaspersky Lab Zao System and method for detecting malicious software using malware trigger scenarios in a modified computer environment

Patent Citations (4)

Publication number Priority date Publication date Assignee Title
CN101359351A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 Multilayer semantic annotation and detection method against malignancy
CN102054149A (en) * 2009-11-06 2011-05-11 中国科学院研究生院 Method for extracting malicious code behavior characteristic
US20150143521A1 (en) * 2013-06-28 2015-05-21 Kaspersky Lab Zao System and method for detecting malicious software using malware trigger scenarios in a modified computer environment
CN103617393A (en) * 2013-11-28 2014-03-05 北京邮电大学 Method for mobile internet malicious application software detection based on support vector machines

Non-Patent Citations (4)

Title
Andreas Moser et al.: "Exploring Multiple Execution Paths for Malware Analysis", 2007 IEEE Symposium on Security and Privacy *
刘琳爽 et al.: "Multi-path-based mining of malicious behavior specifications in Linux systems", Computer Systems & Applications *
李飞兵: "Design and implementation of a host behavior analysis system", China Master's Theses Full-text Database, Information Science and Technology (monthly) *
王丽娜 et al.: "Application of the PrefixSpan algorithm in malicious code detection", Computer Engineering *

Cited By (13)

Publication number Priority date Publication date Assignee Title
CN105868626A (en) * 2016-03-25 2016-08-17 中国人民解放军信息工程大学 A method of monitoring software business activity based on control flow coarseness integrity
CN105868626B (en) * 2016-03-25 2018-10-02 中国人民解放军信息工程大学 The method of monitoring software business conduct based on control stream coarseness integrality
CN106650445A (en) * 2016-12-16 2017-05-10 华东师范大学 Malicious program recognition method
CN106845224A (en) * 2016-12-16 2017-06-13 华东师范大学 A malicious program identification system
CN107844540A (en) * 2017-10-25 2018-03-27 电子科技大学 A time series mining method for electric power data
CN110704773A (en) * 2018-06-25 2020-01-17 顺丰科技有限公司 Abnormal behavior detection method and system based on frequent behavior sequence mode
CN109450942B (en) * 2018-12-25 2019-09-13 北京戴纳实验科技有限公司 A security detection method and detection device for an IoT laboratory management system
CN109450942A (en) * 2018-12-25 2019-03-08 北京戴纳实验科技有限公司 A security detection method and detection device for an IoT laboratory management system
CN109753800A (en) * 2019-01-02 2019-05-14 重庆邮电大学 Android malicious application detection method and system fusing frequent itemsets and random forest algorithm
CN109753800B (en) * 2019-01-02 2023-04-07 重庆邮电大学 Android malicious application detection method and system fusing frequent item set and random forest algorithm
CN110362995A (en) * 2019-05-31 2019-10-22 电子科技大学成都学院 Malware detection and analysis system based on reverse engineering and machine learning
CN112035836A (en) * 2019-06-04 2020-12-04 四川大学 Malicious code family API sequence mining method
CN110728583A (en) * 2019-10-11 2020-01-24 支付宝(杭州)信息技术有限公司 Method and system for identifying cheating claim behaviors

Also Published As

Publication number Publication date
CN105138916B (en) 2018-02-02

Similar Documents

Publication Publication Date Title
CN105138916A (en) Multi-track malicious program feature detecting method based on data mining
Ding et al. Asm2vec: Boosting static representation robustness for binary clone search against code obfuscation and compiler optimization
Alasmary et al. Analyzing and detecting emerging Internet of Things malware: A graph-based approach
Alrabaee et al. Oba2: An onion approach to binary code authorship attribution
Alasmary et al. Soteria: Detecting adversarial examples in control flow graph-based malware classifiers
Murtaza et al. A host-based anomaly detection approach by representing system calls as states of kernel modules
CN103136471B (en) A malicious Android application detection method and system
CN106411921B (en) Multi-step attack prediction technique based on causal Bayesian network
EP2975873A1 (en) A computer implemented method for classifying mobile applications and computer programs thereof
CN109753800A (en) Android malicious application detection method and system fusing frequent itemsets and random forest algorithm
CN103577323B (en) Software plagiarism detection method based on dynamic key instruction sequence birthmark
Sun et al. Hybrid firmware analysis for known mobile and iot security vulnerabilities
Lin et al. Dimsum: Discovering semantic data of interest from un-mappable memory with confidence
Zhu et al. Android malware detection based on multi-head squeeze-and-excitation residual network
CN107315956A (en) A graph-theoretic approach for fast and accurate zero-day malware detection
Imran et al. Using hidden markov model for dynamic malware analysis: First impressions
CN105760762B (en) An unknown malicious code detection method for embedded processors
Narayanan et al. Contextual weisfeiler-lehman graph kernel for malware detection
Nguyen et al. Detecting repackaged android applications using perceptual hashing
CN104598820A (en) Trojan virus detection method based on feature behavior activity
Gülmez et al. Graph-based malware detection using opcode sequences
Li et al. A consistently-executing graph-based approach for malware packer identification
Yang et al. PROGRAPHER: An Anomaly Detection System based on Provenance Graph Embedding
Bai et al. Dynamic k-gram based software birthmark
Guerra-Manzanares et al. Differences in android behavior between real device and emulator: a malware detection perspective

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant