CN105138916B - Multi-trace rogue program characteristic detection method based on data mining - Google Patents


Info

Publication number: CN105138916B
Authority: CN (China)
Prior art keywords: track, program, feature, trace, mining
Legal status: Active
Application number: CN201510516268.5A
Other languages: Chinese (zh)
Other versions: CN105138916A (en)
Inventors: 单征, 赵荣彩, 庞建明, 李男, 范超, 蔡洪波, 赵炳麟, 王银浩, 龚雪容, 蔡国明, 薛飞, 闫丽景, 贾珣, 徐晓燕, 王洋, 陈鹏, 魏亮
Current assignee: PLA Information Engineering University
Original assignee: PLA Information Engineering University
Priority date and filing date: 2015-08-21 (application filed by PLA Information Engineering University)
Publication of application CN105138916A: 2015-12-09
Grant and publication of CN105138916B: 2018-02-02

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The present invention relates to a multi-trace malicious program feature detection method based on data mining. The method comprises a behaviour trajectory acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a measurement and detection step. The behaviour trajectory acquisition step obtains the system call sequence of the program as it runs; the fragmentation step splits the captured software behaviour trajectory into fragments, as the mining process requires; the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining to obtain the frequent subsequence sets of the file stream, the network flow and the resource flow, removes the trajectory fragments that also occur in normal programs, and constructs a malicious behaviour feature database; the measurement and detection step measures and detects programs running in real time against the three-dimensional feature database so constructed. The invention provides a multi-trace malicious program feature detection method based on data mining with high detection accuracy.

Description

Multi-trace rogue program characteristic detection method based on data mining
Technical field
The present invention relates to a malicious program feature detection method, and in particular to a multi-trace malicious program feature detection method based on data mining.
Background technology
At present, detection methods based on static reverse engineering have difficulty defeating the anti-disassembly techniques used by malicious code, and so cannot extract malicious code features for detection; the virus database updates of commercial anti-virus software that rely on signature matching lag seriously behind. The malicious behaviour of malicious code and of its variants, however, does not change, so feature extraction for malicious code must be based on dynamic analysis of its behaviour at run time.
1. Malicious code detection:
Malicious code detection methods fall into two major classes: heuristic-based and signature-based. Heuristic detection identifies hidden files, processes and registry entries by comparing upper-layer system information with the system state derived from the kernel. Heuristic detection can discover unknown malicious programs, but because its rules are produced from the experience of analysts it tends to have high false-positive and false-negative rates in practice, so it is used less in detection systems, particularly in commercial anti-virus software. Signature-based detection matches features extracted from malicious code; compared with heuristic detection it has high detection efficiency and a low false-positive rate, so it is widely used in malicious code detection tools and is currently the mainstream approach.
Signature-based detection divides into static feature detection and dynamic (behavioural) feature detection. Static feature detection obtains malicious code features by static analysis of the PE structure of the file, its binary byte code, or the code after disassembly. It does not require the malicious program to be run and is relatively simple to implement, so most current research is on static features; static detection is built on static analysis of the PE file, and its advantage is that the system is not damaged because the malicious code is never executed. However, much current malware uses packing and obfuscation to disrupt disassembly: if unpacking or decompression fails, static analysis of the PE file cannot be completed and detection fails. Moreover, tampering with the temporal ordering of the API sequence can also evade the detection program. Dynamic feature detection places the malicious program in a virtual environment, executes it, monitors its behaviour and obtains its behavioural features. Some malicious programs can detect the virtual environment of the anti-virus sandbox and bypass the detection program by inserting special instructions or constructing special structures in their code, so that the anti-virus software cannot detect them. Dynamic detection in a virtual environment also faces the multiple-path problem: a malicious program executes different paths at run time depending on its input, so dynamically captured behaviour cannot cover all of its malicious behaviour, which causes false negatives.
2. Malicious code detection based on data mining:
Sequential pattern discovery (finding all frequent subsequences in a sequence database) is an active research branch of data mining, and sequential pattern algorithms have been applied well to malicious code detection. Current work uses variable-length N-grams of machine-code byte sequences as the feature extraction method and weighted information gain as the feature selection method, and detects malicious code with classifiers such as decision trees, support vector machines and naive Bayes; other work detects malicious code with Apriori-like algorithms from data mining. All of these methods, however, extract behavioural features statically, and so cannot overcome the defects of static detection.
The content of the invention
The technical problem to be solved by the present invention is to provide a multi-trace malicious program feature detection method based on data mining with high detection accuracy.
Technical scheme: a multi-trace malicious program feature detection method based on data mining, comprising a behaviour trajectory acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a measurement and detection step;
the behaviour trajectory acquisition step obtains the system call sequence of the program as it runs, which is the basis of the model;
the fragmentation step splits the captured software behaviour trajectory into fragments, as the mining process requires;
the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining (the prefixspan-x algorithm) to obtain the frequent subsequence sets of the file stream, the network flow and the resource flow, removes normal-program behaviour trajectory fragments, and constructs the malicious behaviour feature database;
the measurement and detection step measures and detects programs running in real time against the three-dimensional feature database so constructed.
The behaviour trajectory acquisition step uses the Linux system tool strace to trace the program dynamically and obtain its execution trajectory at run time.
The behaviour trajectories obtained for the training set must be fragmented; the fragment size determines the efficiency and accuracy of the system.
In the feature extraction and feature database construction step:
The improved sequential pattern mining algorithm (prefixspan-x) optimises the search for sequences meeting the minimum support with an AC (Aho-Corasick) automaton, and discards frequent sequences that do not meet the minimum length while constructing the projected databases, thereby reducing the time and space overhead of the mining process;
The feature database (Signature Database, SD) is a database made up of a series of features that characterise malicious programs;
Sequential pattern mining algorithms from data mining are well suited to mining software behaviour features from a very large sequence database. The present invention performs sequence mining with the improved sequential pattern mining algorithm prefixspan-x, and uses a training set of normal behaviour trajectories to remove the normal-behaviour fragments from the mined frequent sequences, thereby constructing the feature database;
Among sequential pattern mining algorithms, PrefixSpan performs better than the others; the improved algorithm prefixspan-x is more efficient still and is suited to extracting malicious code feature sequences by large-scale sequential pattern mining.
The feature database consists of a three-dimensional feature vector space: the file-stream feature vector space, the network-flow feature vector space and the resource-flow feature vector space;
In formula (1), the first symbol denotes the file-stream feature vector space, the second the network-flow feature vector space and the third the resource-flow feature vector space.
Feature database construction has two stages: stage one is frequent subsequence mining based on the improved sequential pattern mining algorithm (prefixspan-x); stage two simplifies the frequent subsequence set extracted in stage one;
Stage one proceeds as follows: for the malicious programs in the given training set, obtain each program's file-stream, network-flow and resource-control-flow behaviour trajectories, and initialise the file-stream, network-flow and resource-control-flow behaviour trajectory training sets respectively; then mine the frequent subsequence sets with the improved sequential pattern mining algorithm (prefixspan-x);
Stage two filters out normal behaviour trajectory fragments: the frequent subsequence set extracted in stage one contains not only fragments of malicious behaviour trajectories but also fragments of normal behaviour trajectories, and filtering out the normal fragments yields the malicious behaviour feature vector space. The normal behaviour trajectory data set consists of the behaviour trajectories of normal programs run after starting the operating system.
The measurement and detection step uses a multi-trace metric algorithm: the behaviour sequences captured while the program runs, i.e. its file operation trajectory, network access trajectory and memory resource usage trajectory, are measured in real time; the measurement results are assessed against the evaluation criteria and decision rule, the assessment result is fed back to the system's control process, and dynamic detection of malicious programs is achieved.
Beneficial effects of the present invention:
Addressing the low accuracy and high false-positive rate of current malicious program behaviour detection, the present invention uses a multi-trace cross-detection method based on the behavioural features of malicious programs: behaviour in file operations, network access and memory resource access characterises a three-dimensional malicious behaviour feature database, which improves matching accuracy. To address the efficiency and accuracy of feature database construction, an improved data mining algorithm, prefixspan-x, is designed: querying frequent sequences during construction of the projected databases is optimised with an AC automaton, and frequent sequences that do not meet the minimum length are discarded, improving the efficiency of malicious behaviour feature mining. The invention extracts the malware behaviour feature database dynamically and performs threshold matching, which overcomes the difficulty that packing and obfuscation cause when software behaviour trajectories are obtained by static disassembly, and so achieves a higher accuracy rate. The invention can dynamically monitor the programs running on a Linux system and protect the system and its data.
Brief description of the drawings
Fig. 1 is a flow diagram of the multi-trace malicious program feature detection method based on data mining.
Embodiment
The multi-trace rogue program characteristic detection method based on data mining (shown in Fig. 1) comprises the behaviour trajectory acquisition step, the fragmentation step, the feature extraction and feature database construction step, and the measurement and detection step described above:
the behaviour trajectory acquisition step traces the program dynamically with the Linux system tool strace and obtains the system call sequence of its run, which is the basis of the model;
the fragmentation step splits the captured behaviour trajectories of the training set into fragments, as the mining process requires; the fragment size determines the efficiency and accuracy of the system;
the feature extraction and feature database construction step mines the frequent subsequence sets of the file stream, the network flow and the resource flow with the improved sequential pattern mining algorithm prefixspan-x (the search for sequences meeting the minimum support is optimised with an AC automaton, and frequent sequences shorter than the minimum length are discarded while the projected databases are constructed), removes the fragments that also occur in the normal behaviour trajectory training set, and constructs the feature database (Signature Database, SD), which consists of the three-dimensional feature vector space of formula (1): the file-stream, network-flow and resource-flow feature vector spaces;
the measurement and detection step applies the multi-trace metric algorithm to the file operation, network access and memory resource usage trajectories of the running program, assesses the measurement results against the evaluation criteria and decision rule, and feeds the result back to the system's control process, achieving dynamic detection of malicious programs.
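The behaviour trajectory acquisition step above names strace but does not show how a trace becomes the three per-dimension system call sequences that the later steps consume. The following is an added example, not code from the patent: it parses `strace -f` output (the `-f` flag follows child processes) and splits the resulting syscall sequence into file-stream, network-flow and resource-flow trajectories. The sample trace lines are constructed for the example, and the assignment of syscalls to the three dimensions is an assumption of this example, since the patent names the dimensions but does not list their syscalls.

```python
import re

# Constructed `strace -f` output for a hypothetical sample binary (not a real trace).
SAMPLE_TRACE = """\
[pid  4321] execve("./sample", ["./sample"], 0x7ffd0a1c2f40) = 0
[pid  4321] brk(NULL) = 0x5581a3c2b000
[pid  4321] openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
[pid  4321] read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 4096) = 2048
[pid  4321] lseek(3, 0, SEEK_SET) = 0
[pid  4321] close(3) = 0
[pid  4321] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  4321] connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid  4321] sendto(4, "root:x:0:0:root:/root:/bin/bash\\n"..., 2048, 0, NULL, 0) = 2048
[pid  4321] mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3c2e000000
[pid  4321] mprotect(0x7f3c2e000000, 4096, PROT_READ|PROT_EXEC) = 0
[pid  4321] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f3c2e0009d0) = 4322
[pid  4322] execve("/bin/sh", ["sh", "-c", "id"], 0x7ffd0a1c2f40 <unfinished ...>
[pid  4321] wait4(4322,  <unfinished ...>
[pid  4322] <... execve resumed>) = 0
[pid  4322] +++ exited with 0 +++
[pid  4321] <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4322
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4322, si_status=0} ---
[pid  4321] close(4) = 0
[pid  4321] exit_group(0) = ?
"""

# A call line starts (optionally after strace's "[pid N]" tag) with the syscall
# name followed by "(".  "<... name resumed>", "+++ exited" and "--- SIGNAL ---"
# lines do not match, so an interrupted call is counted once, where it started.
_CALL = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?([a-z_][a-z0-9_]*)\(')

# Assumed mapping of syscalls to the three trajectory dimensions of the patent
# (file stream, network flow, resource flow); the patent does not give this list.
FILE_CALLS = {"open", "openat", "read", "write", "pread64", "pwrite64", "lseek",
              "close", "fsync", "dup", "dup2", "unlink", "rename", "stat", "fstat"}
NET_CALLS = {"socket", "connect", "bind", "listen", "accept", "accept4", "sendto",
             "recvfrom", "sendmsg", "recvmsg", "setsockopt", "shutdown"}
RES_CALLS = {"brk", "mmap", "munmap", "mprotect", "clone", "fork", "vfork",
             "execve", "ptrace", "kill", "setuid", "setgid", "ioctl"}


def parse_strace(text, default_pid=0):
    """Return [(pid, syscall), ...] in trace order, one entry per call."""
    calls = []
    for line in text.splitlines():
        m = _CALL.match(line)
        if m:
            calls.append((int(m.group(1) or default_pid), m.group(2)))
    return calls


def trajectories(text):
    """Behaviour trajectory acquisition: split the traced program's syscall
    sequence (all pids merged in trace order) into its three trajectories."""
    tracks = {"file": [], "net": [], "res": []}
    for _pid, call in parse_strace(text):
        if call in FILE_CALLS:
            tracks["file"].append(call)
        elif call in NET_CALLS:
            tracks["net"].append(call)
        elif call in RES_CALLS:
            tracks["res"].append(call)
        # other calls (wait4, exit_group, ...) belong to no dimension
    return tracks


if __name__ == "__main__":
    for dim, seq in trajectories(SAMPLE_TRACE).items():
        print(dim, " ".join(seq))
```

Merging every pid of the traced program into one sequence per dimension is a design choice of this example; keeping one trajectory per pid would instead separate the child shell's `execve` from the parent's `clone`, which matters when a feature such as clone followed by execve is being mined.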
For a more thorough and intuitive understanding of the multi-trace malicious program feature detection method based on data mining, it is described in more detail below:
1. The improved sequential pattern mining algorithm prefixspan-x:
The PrefixSpan algorithm generates no candidate sequences during mining, and the projected databases shrink steadily relative to the original sequence database. However, the cost of constructing the projected databases is large, and the algorithm does not handle dense data sets or long patterns well. Building a large number of projected databases recursively, and rescanning them repeatedly while the algorithm runs, is its main cost, so reducing the size of the projected databases and optimising the scan time is the main way to improve PrefixSpan. The prefixspan-x algorithm optimises the search for sequences meeting the minimum support with an AC automaton, and discards frequent sequences that do not satisfy the minimum length while constructing the projected databases, thereby reducing the time and space overhead of the mining process.
The prefixspan-x algorithm is as follows:
Input: (S, min_sup, L_min) // S is the sequence database, min_sup the minimum support threshold, L_min the minimum length of a frequent sequence
Output: M1 // M1 is the set of frequent sequences meeting both the minimum support and the minimum length
Method: prefixspan-x(<>, 0, S, L_min)
Subroutine: prefixspan-x(a, l(a), S|a, L_min) // a is a sequence, l(a) its length, S|a its projected database
prefixspan-x():
1) AC(S, min_sup) // scan the database S once with the AC automaton and obtain the items meeting the minimum support
2) S|a = createsuffix(S, a) // construct the projected database
3) b ∈ S|a // the new items obtained from the projected database
4) foreach (b ≠ null)
5) {
6)   a' = a + b; // assemble the sequence pattern
7)   if (l(a') ≥ L_min)
8)     get a'; // record a' in M1
9)   else
10)    discard a'; // too short to record; the new pattern is still extended below
11)  S|a' = createsuffix(S|a, a'); // construct the projected database of the new pattern
12)  prefixspan-x(a', l(a)+1, S|a', L_min);
13) }
14) output(M1); // return the frequent sequence set
For example, take the sequence database below with minimum support 2 and minimum frequent-sequence length 1:
<(read,write)(read,lseek)>
<(lseek,dup)(dup2,pread,close)>
<(read,lseek)(fsync)(close)>
<(fsync)>
Find the frequent single items, i.e. those with support greater than 1: read, lseek, fsync, close. Then remove the non-frequent single items and generate the database:
<(read)(read,lseek)>
<(lseek)(close)>
<(read,lseek)(fsync)(close)>
<(fsync)>
For the frequent single items read, lseek, fsync and close respectively, generate the projected databases and remove frequent sequences shorter than the minimum length; for example:
<(read,lseek)>
<(lseek)(fsync)(close)>
<(fsync)(close)>
In the projected databases above, the projected database of prefix <(read)> also contains the frequent single item lseek, and the projected database of prefix <(lseek)> also contains the frequent single item close, which gives the frequent sequences <(read,lseek)> and <(lseek)(close)>. Their projected databases (<(fsync)(close)> for prefix <(read,lseek)>, and an empty database for prefix <(lseek)(close)>) contain no item with support 2, so the algorithm terminates.
2. Feature database construction:
The learning problem of the malicious behaviour feature database can be described as:
1) given a malicious program training set θ and a minimum support min_sup;
2) obtain the malicious program behaviour trajectories, i.e. the file-stream, network-flow and resource-control-flow behaviour trajectories;
3) mine with the prefixspan-x algorithm the frequent subsequence set M1 that meets the minimum support and the minimum length;
4) given a normal software behaviour trajectory set, remove the normal behaviour trajectory fragments from M1;
5) generate the malicious behaviour feature database SD;
Feature database construction has two stages: stage one is frequent subsequence mining based on the improved sequential pattern mining algorithm (prefixspan-x); stage two simplifies the frequent subsequence set extracted in stage one;
Stage one proceeds as follows: for the malicious programs in the given training set, obtain each program's file-stream, network-flow and resource-control-flow behaviour trajectories, and initialise the file-stream, network-flow and resource-control-flow behaviour trajectory training sets respectively; then mine the frequent subsequence sets with the improved sequential pattern mining algorithm (prefixspan-x);
Stage two filters out normal behaviour trajectory fragments: the frequent subsequence set extracted in stage one contains not only fragments of malicious behaviour trajectories but also fragments of normal behaviour trajectories, and filtering out the normal fragments yields the malicious behaviour feature vector space. The normal behaviour trajectory data set consists of the behaviour trajectories of normal programs run after starting the operating system. The algorithm is as follows:
Algorithm 3: rejecting normal behaviour
Input: M1 // the frequent subsequence set
Output: M2 // the malicious behaviour patterns
Method: Eliminate(M1, Dn) // Dn is the set of normal behaviour trajectories
1) for each frequent behaviour pattern t ∈ M1 do
2)   for each normal behaviour trajectory fragment s ∈ Dn do
3)     if s MATCH t // the frequent subsequence in M1 matches a normal behaviour fragment
4)       delete t from M1; // reject t from M1
5)   end for
6) end for
7) output M2; // what remains of M1 is the malicious behaviour result
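Added example for the two stages of feature database construction described above, the prefixspan-x mining of the worked example (the four-sequence database with min_sup = 2 and L_min = 1) and the normal-fragment rejection of Algorithm 3. This is not the patent's code: it is a plain PrefixSpan with the L_min rule applied as the text describes it (every frequent pattern is grown, but only patterns of at least L_min items are recorded), and the AC-automaton scan optimisation is not reproduced, the scan being a plain pass over the projected database. The normal-behaviour fragments are constructed for the example and are not from the patent.

```python
from collections import defaultdict


def _scan(db, projected, last):
    """One pass over a projected database: which items can extend the prefix?

    projected holds (sid, i, j): the suffix of db[sid] starts at itemset i,
    item j, and items j.. of itemset i share that itemset with the prefix's
    last element.  Returns item -> supporting sequence ids, separately for
    "append x as a new itemset" and "join x to the last itemset" extensions.
    """
    seq_ext, item_ext = defaultdict(set), defaultdict(set)
    for sid, i, j in projected:
        seq = db[sid]
        for x in (seq[i][j:] if last else ()):
            item_ext[x].add(sid)                  # "_x": same itemset as the tail
        for k in range(i + 1 if last else i, len(seq)):
            for x in seq[k]:
                seq_ext[x].add(sid)               # x in a later itemset
                if last and x > last[-1] and all(y in seq[k] for y in last):
                    item_ext[x].add(sid)          # x joining a later copy of the tail
    return seq_ext, item_ext


def _project(db, projected, last, x, join):
    """Projected database of the extended prefix (earliest occurrence of x)."""
    out = []
    for sid, i, j in projected:
        seq = db[sid]
        if join and x in seq[i][j:]:
            out.append((sid, i, seq[i].index(x) + 1))
            continue
        for k in range(i + 1 if last else i, len(seq)):
            if x in seq[k] and (not join or all(y in seq[k] for y in last)):
                out.append((sid, k, seq[k].index(x) + 1))
                break
    return out


def prefixspan_x(db, min_sup, min_len):
    """PrefixSpan with the L_min rule: every frequent pattern is grown, but
    only those with at least min_len items are recorded.  db is a list of
    sequences, each a list of itemsets (tuples of syscall names); itemsets
    are sorted internally so that each pattern is generated once.
    Returns [(pattern, support), ...]."""
    db = [[tuple(sorted(its)) for its in seq] for seq in db]
    result = []

    def grow(prefix, projected, length):
        last = prefix[-1] if prefix else ()
        seq_ext, item_ext = _scan(db, projected, last)
        for join, ext in ((False, seq_ext), (True, item_ext)):
            for x, sids in sorted(ext.items()):
                if len(sids) < min_sup:
                    continue
                pat = prefix[:-1] + [last + (x,)] if join else prefix + [(x,)]
                if length + 1 >= min_len:
                    result.append((pat, len(sids)))
                grow(pat, _project(db, projected, last, x, join), length + 1)

    grow([], [(sid, 0, 0) for sid in range(len(db))], 0)
    return result


def contains(seq, pattern):
    """Does seq contain pattern as a (gapped) subsequence, itemset by itemset?"""
    k = 0
    for its in seq:
        if k < len(pattern) and all(y in its for y in pattern[k]):
            k += 1
    return k == len(pattern)


def eliminate(m1, normal_db):
    """Algorithm 3: drop every frequent pattern that matches a normal fragment."""
    return [(pat, sup) for pat, sup in m1
            if not any(contains(frag, pat) for frag in normal_db)]


def fmt(pattern):
    """Render a pattern in the page's notation, e.g. <(lseek,read)>."""
    return "<" + "".join("(" + ",".join(its) + ")" for its in pattern) + ">"


# The four-sequence database of the page's worked example.
DB = [
    [("read", "write"), ("read", "lseek")],
    [("lseek", "dup"), ("dup2", "pread", "close")],
    [("read", "lseek"), ("fsync",), ("close",)],
    [("fsync",)],
]
# Constructed normal-behaviour fragments (not from the page) for Algorithm 3.
NORMAL = [
    [("lseek",), ("close",)],
    [("openat",), ("read",), ("close",)],
]


def build_feature_db(malicious_db, normal_db, min_sup=2, min_len=1):
    """Stage one (mining) followed by stage two (normal-fragment filtering)."""
    return eliminate(prefixspan_x(malicious_db, min_sup, min_len), normal_db)


if __name__ == "__main__":
    for pat, sup in prefixspan_x(DB, 2, 1):
        print("frequent", fmt(pat), "support", sup)
    for pat, sup in build_feature_db(DB, NORMAL):
        print("feature ", fmt(pat), "support", sup)
```

On the page's database the mining stage yields the four frequent single items plus <(lseek)(close)> and <(lseek,read)> (the latter is the page's <(read,lseek)>, printed with its items sorted), and with L_min = 2 only the two-item patterns are recorded. Against the constructed normal fragments, Algorithm 3 then removes everything that a normal program also does, leaving <(fsync)> and <(lseek,read)> as features; note that the single-item features it keeps are weak signatures, which is why the minimum length matters in practice.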
3. Multi-trace detection based on behavioural features:
The detection workflow is as follows:
During the monitoring period, obtain the program's behaviour trajectories for file-stream operations, network operations and memory resource operations respectively. Denote the trajectories obtained by $R_f$, $R_n$ and $R_s$, with corresponding system call sequence lengths $r$, $m$ and $q$; $s_k$ denotes the $k$-th fragment of the system call sequence of trajectory $i$ ($i = f, n, s$; $1 \le k \le l(R_i)$). Let $\mathrm{class}(S)$ be the match weight of a sequence $S$, initialised to 0. The following takes the file-stream behaviour trajectory as the example:
Fragment $R_f$ into $N$ trajectory fragments $S_1, S_2, S_3, \ldots, S_N$, where $S_i$ is the system call sequence ending at $s_k$ ($N < k < l(R_f)$); the $N$ fragments have lengths $l(1), l(2), l(3), \ldots, l(N)$ respectively.
Compare the $N$ fragments $S_1, S_2, S_3, \ldots, S_N$, in order from $N$ down to 1, with the file-stream part of the feature database (file-sign), and compute: if a fragment matches a feature in the feature database, then $\mathrm{class}(S_i) = 1$, otherwise $\mathrm{class}(S_i) = 0$. This yields the weight sequence
$(\mathrm{class}(S_1), \mathrm{class}(S_2), \mathrm{class}(S_3), \ldots, \mathrm{class}(S_N))$
from which the decision value is computed; the program's behaviour is then judged from the decision value and a preset decision threshold $\lambda$.
Decision component: $\mathrm{sign}_f = \mathrm{class}(S_1) \lor \mathrm{class}(S_2) \lor \cdots \lor \mathrm{class}(S_N)$
The same operations are performed on the network-flow and memory-resource-flow trajectories, giving $\mathrm{sign}_n$ and $\mathrm{sign}_s$.
Decision value: $\mathrm{sign} = \mathrm{sign}_f + \mathrm{sign}_n + \mathrm{sign}_s$, judged as follows:
if $\mathrm{sign} > \lambda$ ($\lambda \ne 0$), the behaviour is judged malicious;
if $\mathrm{sign} \le \lambda$, the behaviour is judged normal.
$\lambda$ is a decision threshold set by the user, and different values correspond to different security levels: since $\mathrm{sign}$ is the sum of three 0/1 components, a smaller $\lambda$ flags more programs and corresponds to a stricter (higher) security level, while a larger $\lambda$ corresponds to a more permissive (lower) one; with $\lambda \ne 0$ the useful settings are $\lambda = 1$ (any two dimensions matching) and $\lambda = 2$ (all three).
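Added example of the multi-trace detection workflow above: fragmentation of each trajectory, $\mathrm{class}(S_i)$ per fragment, the OR-combination into $\mathrm{sign}_f$, $\mathrm{sign}_n$ and $\mathrm{sign}_s$, and the $\mathrm{sign} > \lambda$ decision. This is not the patent's code. It matches fragments against the feature database with an Aho-Corasick automaton over syscall names, treating each feature as a contiguous run of calls; that match semantics is an assumption of this example (the patent applies the AC automaton in mining and does not state how a fragment "matches" a feature). The feature database and the three programs' trajectories are constructed for the example.

```python
from collections import deque


class SyscallAutomaton:
    """Aho-Corasick automaton over syscall names: reports every feature
    sequence that occurs as a contiguous run in a fragment, in one pass."""

    def __init__(self, features):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for idx, feat in enumerate(features):          # build the trie
            node = 0
            for call in feat:
                if call not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[node][call] = len(self.goto) - 1
                node = self.goto[node][call]
            self.out[node].append(idx)
        queue = deque(self.goto[0].values())           # depth-1 nodes fail to the root
        while queue:                                   # BFS for failure links
            cur = queue.popleft()
            for call, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and call not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(call, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def matches(self, fragment):
        """Indexes of the features found anywhere inside the fragment."""
        found, node = set(), 0
        for call in fragment:
            while node and call not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(call, 0)
            found.update(self.out[node])
        return found


def fragment(trace, size):
    """Fragmentation step: cut a trajectory into fragments of at most `size` calls."""
    return [trace[i:i + size] for i in range(0, len(trace), size)]


def dimension_sign(trace, automaton, size):
    """class(S_i) = 1 if fragment S_i matches a feature, else 0;
    sign = class(S_1) OR ... OR class(S_N).  Returns (sign, [class(S_i)]).
    The N-to-1 comparison order of the page does not change the OR."""
    classes = [1 if automaton.matches(frag) else 0 for frag in fragment(trace, size)]
    return int(any(classes)), classes


def build_automata(feature_db):
    """One automaton per dimension of the three-dimensional feature database."""
    return {dim: SyscallAutomaton(feats) for dim, feats in feature_db.items()}


def detect(tracks, automata, size, lam):
    """sign = sign_f + sign_n + sign_s; malicious iff sign > lambda (lambda != 0).
    Returns (is_malicious, sign, {dimension: sign of that dimension})."""
    if lam == 0:
        raise ValueError("lambda must be non-zero")
    signs = {dim: dimension_sign(tracks[dim], automata[dim], size)[0]
             for dim in ("file", "net", "res")}
    sign = sum(signs.values())
    return sign > lam, sign, signs


# Constructed three-dimensional feature database (file-sign, net-sign, res-sign).
FEATURE_DB = {
    "file": [("openat", "read", "lseek", "close"), ("unlink", "rename")],
    "net":  [("socket", "connect", "sendto"), ("socket", "bind", "listen")],
    "res":  [("mmap", "mprotect"), ("clone", "execve")],
}
# Constructed trajectories of three monitored programs.
SUSPECT = {"file": ["openat", "read", "lseek", "close", "openat", "read", "close"],
           "net":  ["socket", "connect", "sendto", "recvfrom"],
           "res":  ["brk", "mmap", "mprotect", "clone", "execve"]}
BENIGN = {"file": ["openat", "read", "close", "openat", "read", "close"],
          "net":  ["socket", "connect", "recvfrom", "shutdown"],
          "res":  ["brk", "mmap", "munmap"]}
GRAY = {"file": ["openat", "read", "lseek", "close"],
        "net":  ["socket", "connect", "sendto"],
        "res":  ["brk", "mmap"]}

if __name__ == "__main__":
    automata = build_automata(FEATURE_DB)
    for name, tracks in (("suspect", SUSPECT), ("benign", BENIGN), ("gray", GRAY)):
        for lam in (1, 2):
            print(name, "lambda =", lam, detect(tracks, automata, 4, lam))
```

With fragment size 4 and $\lambda = 2$ the suspect program scores 3 (all three dimensions) and is flagged, the benign one scores 0, and the gray one scores 2, which is flagged only when $\lambda$ is lowered to 1. The resource trajectory of the suspect also shows the caveat the page raises about fragment size: the feature clone, execve straddles the boundary between the fourth and fifth call, so only mmap, mprotect fires at size 4, and a feature longer than the fragment size can never match.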

Claims (5)

1. A multi-trace rogue program characteristic detection method based on data mining, characterised in that it comprises a behaviour trajectory acquisition step, a fragmentation step, a feature extraction and feature database construction step, and a measurement and detection step; the behaviour trajectory acquisition step obtains the system call sequence of the program as it runs;
the fragmentation step splits the captured program behaviour trajectory into fragments, as the mining process requires;
the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining to obtain the frequent subsequence sets of the file stream, the network flow and the resource flow, removes normal-program behaviour trajectory fragments, and constructs the malicious behaviour feature database; the improved sequential pattern mining algorithm optimises the search for sequences meeting the minimum support with an AC automaton, and discards frequent sequences that do not meet the minimum length while constructing the projected databases, thereby reducing the time and space overhead of the mining process;
the measurement and detection step measures and detects programs running in real time against the three-dimensional feature database so constructed.
2. The multi-trace rogue program characteristic detection method based on data mining according to claim 1, characterised in that the behaviour trajectory acquisition step uses the Linux system tool strace to trace the program dynamically and obtain its execution trajectory at run time.
3. The multi-trace rogue program characteristic detection method based on data mining according to claim 1, characterised in that, in the feature extraction and feature database construction step, the feature database is a database made up of a series of features that characterise malicious programs, and consists of a three-dimensional feature vector space: the file-stream feature vector space, the network-flow feature vector space and the resource-flow feature vector space.
4. The multi-trace rogue program characteristic detection method based on data mining according to claim 3, characterised in that feature database construction has two stages: stage one is frequent subsequence mining based on the improved sequential pattern mining algorithm, and stage two simplifies the frequent subsequence set extracted in stage one;
stage one proceeds as follows: for the malicious programs in the given training set, obtain each program's file-stream, network-flow and resource-control-flow behaviour trajectories, and initialise the file-stream, network-flow and resource-control-flow behaviour trajectory training sets respectively; then mine the frequent subsequence sets with the improved sequential pattern mining algorithm;
stage two filters out normal behaviour trajectory fragments: the frequent subsequence set extracted in stage one contains not only fragments of malicious behaviour trajectories but also fragments of normal behaviour trajectories, and filtering out the normal fragments yields the malicious behaviour feature vector space; the normal behaviour trajectory data set consists of the behaviour trajectories of normal programs run after starting the operating system.
5. The multi-trace rogue program characteristic detection method based on data mining according to claim 1, characterised in that the measurement and detection step uses a multi-trace metric algorithm: the behaviour sequences captured while the program runs, i.e. its file operation trajectory, network access trajectory and memory resource usage trajectory, are measured in real time; the measurement results are assessed against the evaluation criteria and decision rule, the assessment result is fed back to the system's control process, and dynamic detection of malicious programs is achieved.
Application CN201510516268.5A (priority date 2015-08-21, filing date 2015-08-21): Multi-trace rogue program characteristic detection method based on data mining; granted as CN105138916B, status Active.

Publications (2)

Publication number   Publication date
CN105138916A (en)    2015-12-09
CN105138916B (en)    2018-02-02 (granted patent)

Family ID: 54724261

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510516268.5A Active CN105138916B (en) 2015-08-21 2015-08-21 Multi-trace rogue program characteristic detection method based on data mining

Country Status (1)

Country Link
CN (1) CN105138916B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105868626B (en) * 2016-03-25 2018-10-02 中国人民解放军信息工程大学 Software business behaviour monitoring method based on coarse-grained control-flow integrity
CN106845224A (en) * 2016-12-16 2017-06-13 华东师范大学 A malicious program identification system
CN106650445B (en) * 2016-12-16 2019-05-28 华东师范大学 A malicious program identification method
CN107844540A (en) * 2017-10-25 2018-03-27 电子科技大学 A time-series mining method for electric power data
CN110704773B (en) * 2018-06-25 2022-06-03 顺丰科技有限公司 Abnormal behavior detection method and system based on frequent behavior sequence mode
CN109450942B (en) * 2018-12-25 2019-09-13 北京戴纳实验科技有限公司 A security detection method and detection device for an Internet-of-Things laboratory management system
CN109753800B (en) * 2019-01-02 2023-04-07 重庆邮电大学 Android malicious application detection method and system fusing frequent item set and random forest algorithm
CN110362995B (en) * 2019-05-31 2022-12-02 电子科技大学成都学院 Malicious software detection and analysis system based on reverse direction and machine learning
CN112035836B (en) * 2019-06-04 2023-04-14 四川大学 Malicious code family API sequence mining method
CN110728583A (en) * 2019-10-11 2020-01-24 支付宝(杭州)信息技术有限公司 Method and system for identifying cheating claim behaviors

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101359351A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 Multi-layer semantic annotation and detection method for malicious programs
CN102054149A (en) * 2009-11-06 2011-05-11 中国科学院研究生院 Method for extracting malicious code behavior characteristic
CN103617393A (en) * 2013-11-28 2014-03-05 北京邮电大学 Method for mobile internet malicious application software detection based on support vector machines

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US9230106B2 (en) * 2013-06-28 2016-01-05 Kaspersky Lab Ao System and method for detecting malicious software using malware trigger scenarios in a modified computer environment

Non-Patent Citations (4)

Title
Exploring Multiple Execution Paths for Malware Analysis; Andreas Moser et al.; 2007 IEEE Symposium on Security and Privacy; 2007-12-31; full text *
Multi-path-based mining of malicious behaviour specifications in Linux systems; 刘琳爽 et al.; Computer Systems & Applications; 2010-12-31; vol. 19, no. 9; pp. 168-172 *
Design and implementation of a host behaviour analysis system; 李飞兵; China Master's Theses Full-text Database, Information Science and Technology series (monthly); 2013-07-15 (no. 07); full text *
Application of the PrefixSpan algorithm in malicious code detection; 王丽娜 et al.; Computer Engineering; 2010-04-30; vol. 36, no. 7; pp. 119-121 *

Also Published As

Publication number Publication date
CN105138916A (en) 2015-12-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant