CN105138916B - Multi-trace rogue program characteristic detection method based on data mining - Google Patents
Abstract
The present invention relates to a multi-trace malicious program feature detection method based on data mining. The method comprises a behavior trace acquisition step, a slicing step, a feature extraction and feature database construction step, and a measurement detection step. The behavior trace acquisition step obtains the system call sequence of the program as it runs; the slicing step fragments the acquired software behavior trace to suit the needs of the mining process; the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining to obtain the frequent subsequence sets of the file stream, the network stream and the resource stream, rejects normal program behavior trace fragments, and constructs a malicious behavior feature database; the measurement detection step performs measurement detection on the running program against the constructed three-dimensional feature database. The invention provides a multi-trace malicious program feature detection method based on data mining with high detection accuracy.
Description
Technical field
The present invention relates to a malicious program feature detection method, and in particular to a multi-trace malicious program feature detection method based on data mining.
Background art
At present, detection methods based on static reverse engineering have difficulty breaking through the anti-disassembly techniques used by malicious code, so the features of the malicious code cannot be extracted and examined; the virus database updates of commercial anti-virus software that rely on signature matching lag seriously behind. However, the malicious behavior of malicious code and of its variants is constant, so feature extraction for malicious code must proceed from dynamic analysis of its behavior at run time.
1. Malicious code detection:
Malicious code detection methods fall into two major classes: heuristic-based methods and signature-based methods. Heuristic detection identifies hidden files, processes and registry entries by comparing upper-layer system information with the system state derived from the kernel. Heuristic detection can discover unknown malicious programs, but the generation of its rules depends on the experience of the analysts, and in practice it is prone to high false-positive and false-negative rates; it is therefore used less in detection systems, especially in commercial anti-virus software. Signature-based detection works from features extracted from the malicious code; compared with heuristic detection it has the advantages of high detection efficiency and a low false-positive rate, so it is widely used in malicious code detection tools and is currently the mainstream approach to malicious code detection.
Signature-based detection is divided into static feature detection and dynamic (behavioral) feature detection. Static feature detection obtains the features of malicious code by static analysis of the PE structure of a file, its binary byte code, its disassembled code and similar means, and detects against them. Static detection does not require the malicious program to actually run and is relatively simple to implement, and most current research is on static feature detection. Static detection is built on static analysis of PE files; its advantage is that the malicious code need not be executed, so the system is not damaged. However, much present-day malware uses packing and obfuscation to interfere with disassembly; if unpacking or decompression fails, the static analysis of the PE file cannot be completed and detection fails. Moreover, tampering with the temporal information of API sequences can also evade the detection program. Behavior-based detection places the malicious program in a virtual environment, executes it, monitors its behavior and obtains its behavioral features. Some malicious programs can detect the virtual environment of the anti-virus software and bypass the detection program by adding special instructions or constructing special structures in their code, so that the anti-virus software cannot detect them. Virtual dynamic detection also faces the problem of multiple execution paths: a malicious program may execute different paths in real operation depending on its input data, so dynamically captured behavior may not cover all of its malicious behavior, which leads to missed detections.
2. Malicious code detection methods based on data mining:
Sequential pattern discovery (finding all frequent subsequences in a sequence database) is an active research branch of data mining. Sequential pattern algorithms from data mining have been applied successfully to malicious code detection. Existing work uses variable-length N-grams of machine-code byte sequences as the feature extraction method, weighted information gain as the feature selection method, and classifiers such as decision trees, support vector machines and naive Bayes for detection; other work uses Apriori-like algorithms from data mining to detect malicious code. All of these methods extract behavioral features statically, however, so the defects of static detection remain.
Summary of the invention
The technical problem to be solved by the present invention is to provide a multi-trace malicious program feature detection method based on data mining that has high detection accuracy.
Technical solution: a multi-trace malicious program feature detection method based on data mining comprises a behavior trace acquisition step, a slicing step, a feature extraction and feature database construction step, and a measurement detection step;
the behavior trace acquisition step obtains the system call sequence of the program as it runs, which is the basis of the model;
the slicing step fragments the acquired software behavior trace to suit the needs of the mining process;
the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining (the prefixspan-x algorithm) to obtain the frequent subsequence sets of the file stream, the network stream and the resource stream, rejects normal program behavior trace fragments, and constructs a malicious behavior feature database;
the measurement detection step performs measurement detection on the running program against the constructed three-dimensional feature database.
The behavior trace acquisition step dynamically traces the program with the Linux system tool strace and obtains its execution trace at run time.
The behavior traces obtained in the training set must be sliced, and the slice size determines the efficiency and accuracy of the system.
In the feature extraction and feature database construction step:
the improved sequential pattern mining algorithm (prefixspan-x) uses an AC (Aho-Corasick) automaton to optimize the search for sequences that meet the minimum support, and discards frequent sequences that do not meet the minimum length while constructing the projected database, thereby reducing the space and time cost of the mining process;
the feature database (Signature Database, SD) is a database made up of a series of features that characterize malicious programs;
sequential pattern mining algorithms from data mining solve the problem of mining software behavioral features from huge sequence databases well; the present invention uses the improved sequential pattern mining algorithm Prefixspan-x for sequence mining and rejects the normal behavior fragments in the mined frequent sequences using a training set of normal behavior traces, thereby constructing the feature database;
among sequential pattern mining algorithms, prefixspan performs better than the other algorithms, and the improved sequential pattern mining algorithm prefixspan-x is more efficient still and is suited to extracting malicious code feature sequences by large-scale sequential pattern mining.
The feature database is composed of a three-dimensional feature vector space: the file stream feature vector space, the network stream feature vector space and the resource stream feature vector space;
in formula (1) the three symbols denote, respectively, the file stream feature vector space, the network stream feature vector space and the resource stream feature vector space.
Feature database construction is divided into two stages: stage one is frequent subsequence mining based on the improved sequential pattern mining algorithm (Prefixspan-x), and stage two simplifies the frequent subsequence set extracted in stage one.
The detailed process of stage one is as follows: for the malicious programs in the given training set, obtain each program's file stream behavior trace, network stream behavior trace and resource control stream behavior trace, and initialize the file stream behavior trace training set, the network stream behavior trace training set and the resource control stream behavior trace training set respectively; then mine the frequent subsequence set with the improved sequential pattern mining algorithm (Prefixspan-x).
Stage two is the filtering of normal behavior trace fragments. The frequent subsequence set extracted in stage one contains not only fragments of malicious behavior traces but also fragments of normal behavior traces; filtering out the normal behavior trace fragments yields the malicious behavior feature vector space. The normal behavior trace data set uses the behavior traces of normal programs run after the operating system starts.
The measurement detection step uses a multi-trace metric algorithm: the acquired behavior sequences are measured in real time against the file operation trace, the network access trace and the memory resource usage trace of the running program; according to the measurement results, the real-time behavior of the program is assessed against the evaluation criteria and decision rule, and the assessment result is fed back to the system management and control process, achieving dynamic detection of malicious programs.
Beneficial effects of the present invention:
Current malicious program behavior feature detection suffers from low accuracy and high false-positive rates. Based on the behavioral features of malicious programs, the present invention uses a multi-trace cross-detection method that takes file operation, network access and memory resource access behavior as features and constructs a three-dimensional malicious behavior feature database, improving matching accuracy. For the efficiency and accuracy of feature database construction it designs an improved data mining algorithm, prefixspan-x, which combines an AC automaton to optimize the frequent sequence query while constructing the projected database and discards frequent sequences that do not meet the minimum length, thereby improving the efficiency of malicious behavior feature mining. The present invention extracts the malware behavior feature database dynamically and performs threshold matching, which overcomes the detection difficulty that packing and obfuscation cause when software behavior traces are obtained by static disassembly, and so achieves a higher accuracy rate. The present invention can dynamically monitor programs running on a Linux system and ensure the security of the system and its data.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the multi-trace malicious program feature detection method based on data mining.
Embodiments
The multi-trace malicious program feature detection method based on data mining (as shown in Fig. 1) comprises a behavior trace acquisition step, a slicing step, a feature extraction and feature database construction step, and a measurement detection step;
the behavior trace acquisition step obtains the system call sequence of the program as it runs, which is the basis of the model;
the slicing step fragments the acquired software behavior trace to suit the needs of the mining process;
the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining (the prefixspan-x algorithm) to obtain the frequent subsequence sets of the file stream, the network stream and the resource stream, rejects normal program behavior trace fragments, and constructs a malicious behavior feature database;
the measurement detection step performs measurement detection on the running program against the constructed three-dimensional feature database, each step being implemented as set out in the summary of the invention above.
To understand the multi-trace malicious program feature detection method based on data mining more thoroughly and intuitively, it is described in further detail below:
1. The improved sequential pattern mining algorithm Prefixspan-x:
The PrefixSpan algorithm generates no candidate sequences during mining, and the projected databases keep shrinking relative to the original sequence database. However, the cost of constructing the projected databases is huge, and the algorithm does not handle dense data sets or the mining of long patterns well. Recursively constructing a large number of projected databases and repeatedly scanning them during execution is the main cost of the algorithm, so reducing the scale of the projected databases and optimizing the scan time are the main ways of improving PrefixSpan. The Prefixspan-x algorithm uses an AC automaton to optimize the search for sequences that meet the minimum support, and discards frequent sequences that do not meet the minimum length while constructing the projected database, thereby reducing the space and time cost of the mining process.
The Prefixspan-x algorithm is as follows:
Input: (S, min_sup, L_min) // S is the sequence database, min_sup is the minimum support threshold and L_min is the minimum length of a frequent sequence
Output: M1 // the set of frequent sequences that meet both the minimum support and the minimum length
Method: prefixspan-x(<>, 0, S, L_min)
Subroutine: prefixspan-x(a, l(a), S|a, L_min) // a is a sequence, l(a) is the length of a and S|a is the projected database of prefix a
prefixspan-x():
    AC(S, min_sup)                    // scan the database S once with the AC automaton to find the items that meet the minimum support
    S|a = creatsuffix(S, a)           // construct the projected database of prefix a
    b ∈ S|a                           // the candidate extensions b are the frequent items found in the projected database
    foreach (b ≠ null)
    {
        a' = a + b;                   // assemble the new sequence pattern
        if (l(a') ≥ L_min)
            add a' to M1;             // long enough: keep it as a frequent sequence
        else
            discard a';               // shorter than L_min: not recorded, but still extended below
        S|a' = creatsuffix(S|a, a');  // construct the projected database of the new prefix a'
        prefixspan-x(a', l(a) + 1, S|a', L_min);
    }
    output(M1);                       // the frequent sequence set
For example, given the sequence database below, with minimum support 2 and minimum frequent sequence length 1:
<(read,write)(read,lseek)>
<(lseek,dup)(dup2,pread,close)>
<(read,lseek)(fsync)(close)>
<(fsync)>
first find the frequent single items, i.e. those with support greater than 1: read, lseek, fsync, close; then remove the infrequent single items and generate the database:
<(read)(read,lseek)>
<(lseek)(fsync)>
<(read,lseek)(fsync)(close)>
<(fsync)>
For each of the frequent single items read, lseek, fsync and close, generate the projected database, discarding frequent sequences of length less than 1:
<(read,lseek)>
<(lseek)(fsync)(close)>
<(fsync)(close)>
In the projected databases above, the projected database of prefix <(read)> also contains the frequent single item lseek, and the projected database of prefix <(lseek)> also contains the frequent single item close, so the frequent sequences <(read,lseek)> and <(lseek)(close)> are generated, and their projected database <(fsync)(fsync)> is generated in turn. It contains no further frequent items, so the algorithm terminates.
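A runnable Python version of the prefix growth with a minimum-length cut-off, applied to the four-trace database above; this is an added example, not code from the patent. Two simplifications are my assumptions: each trace is a flat list of system calls (the itemset grouping of the notation is ignored), and support is counted with a plain scan of the projected database rather than with an AC automaton.

```python
from collections import defaultdict

# Constructed sample sequence database: the four traces of the worked example,
# flattened to plain system-call sequences (assumption: itemsets ignored).
SAMPLE_DB = [
    ["read", "write", "read", "lseek"],
    ["lseek", "dup", "dup2", "pread", "close"],
    ["read", "lseek", "fsync", "close"],
    ["fsync"],
]


def frequent_items(db, min_sup):
    """Support of each syscall = number of sequences containing it (counted
    once per sequence); keep the items with support >= min_sup."""
    counts = defaultdict(int)
    for seq in db:
        for item in set(seq):
            counts[item] += 1
    return {item: c for item, c in counts.items() if c >= min_sup}


def project(db, item):
    """Projected database for prefix extension `item`: the suffix of every
    sequence after its first occurrence of `item`. Sequences without the
    item drop out, so the projection shrinks at every recursion level."""
    return [seq[seq.index(item) + 1:] for seq in db if item in seq]


def prefixspan_x(db, min_sup, l_min):
    """Return {pattern: support} for every frequent sequential pattern with
    length >= l_min. Patterns shorter than l_min are still grown (their
    extensions may reach l_min) but are not reported: this is the
    minimum-length filter applied during projected-database construction."""
    results = {}

    def grow(prefix, projected):
        for item, sup in sorted(frequent_items(projected, min_sup).items()):
            pattern = prefix + (item,)
            if len(pattern) >= l_min:
                results[pattern] = sup
            grow(pattern, project(projected, item))

    grow((), db)
    return results


if __name__ == "__main__":
    for pat, sup in sorted(prefixspan_x(SAMPLE_DB, 2, 1).items()):
        print(" -> ".join(pat), "support", sup)
```

With min_sup = 2 and L_min = 1 the run reports exactly the two-element patterns the text derives by hand, (read, lseek) and (lseek, close), plus the four frequent single items; raising L_min to 2 keeps only the two longer patterns.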
2. Construction of the feature database:
The learning problem of the malicious behavior feature database can be described as follows:
1) a malicious program training set θ and a minimum support min_sup are given;
2) the behavior traces of the malicious programs are obtained, namely the file stream behavior trace, the network stream behavior trace and the resource control stream behavior trace;
3) the Prefixspan-x algorithm mines the frequent subsequence set M1 that meets the minimum support and the minimum length;
4) a set of normal software behavior traces is given, and the normal behavior trace fragments are removed from M1;
5) the malicious behavior feature database SD is generated.
Feature database construction is divided into the two stages described above: in stage one the improved sequential pattern mining algorithm (Prefixspan-x) mines the frequent subsequence set from the file stream, network stream and resource control stream behavior trace training sets of the malicious programs in the training set; in stage two the normal behavior trace fragments contained in that set are filtered out, using as the normal data set the behavior traces of normal programs run after the operating system starts, which yields the malicious behavior feature vector space. The specific algorithm of stage two is as follows:
Algorithm 3: rejecting normal behavior
Input: M1 // the set of frequent behavior patterns mined in stage one
Output: M2 // the malicious behavior patterns
Method: Eliminate(M1, Dn) // Dn is the set of normal behavior traces
    for every frequent behavior pattern t ∈ M1 do
        for each normal behavior trace fragment s ∈ Dn do
            if s MATCH t                // the frequent subsequence t of M1 matches a normal behavior fragment
                Delete t from M1;       // reject t from M1
        end for
    end for
    output M2;                          // the patterns remaining in M1 are the malicious behavior result
3. Multi-trace detection based on behavioral features:
The detection workflow is as follows:
During the monitoring period, obtain the program's behavior traces for file stream operations, network operations and memory resource operations respectively. Let the traces obtained be R_f, R_n and R_s, with r, m and q the lengths of their corresponding system call sequences; for trace i (i = f, n, s), the k-th trace fragment of its system call sequence is defined for 1 ≤ k ≤ l(R_i). Let class(S) be the match weight of sequence S, initialized to 0. The following takes the file stream behavior trace as an example only;
R_f is sliced into N trace fragments S_1, S_2, S_3 ... S_N, where S_i is the system call sequence ending at s_k (N < k < l(R_f)), giving N sequences of lengths l(1), l(2), l(3) ... l(N) respectively;
these N trace fragments S_1, S_2, S_3 ... S_N are compared, in order from N down to 1, with the file stream part of the feature database (file-sign) and evaluated as follows: if a fragment matches a feature in the feature database successfully, class(S_i) = 1, otherwise class(S_i) = 0; this computation yields the weight sequence
(class(S_1), class(S_2), class(S_3) ... class(S_m))
From the weight sequence (class(S_1), class(S_2), class(S_3) ... class(S_m)) a decision value is calculated, and the behavior of the current program is decided from the decision value and a preset decision threshold λ;
the decision component is: sign_f = class(S_1) ∨ class(S_2) ∨ ... class(S_m)
The same operations are performed simultaneously on the network stream and memory resource stream behavior traces, giving the values sign_n and sign_s.
The decision value sign = sign_f + sign_n + sign_s is obtained and judged:
if sign > λ (λ ≠ 0), the behavior is judged malicious;
if sign ≤ λ, the behavior is judged normal.
λ is a decision threshold set by the user; different values represent different security levels, and the smaller the value, the higher the security level it represents.
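Algorithm 3 and the multi-trace decision above as one added, runnable Python example (not code from the patent): the normal-fragment filter Eliminate, the per-stream values sign_f, sign_n and sign_s, and the comparison with the threshold λ. Assumptions of mine: MATCH means ordered (not necessarily contiguous) subsequence containment, a trace is sliced into fixed-length windows, and every pattern, fragment and trace below is constructed sample data.

```python
from typing import Dict, Iterable, List, Sequence, Tuple

Pattern = Tuple[str, ...]


def contains_pattern(fragment: Sequence[str], pattern: Pattern) -> bool:
    """MATCH test (assumption): the pattern occurs in the fragment as an
    ordered subsequence, which is what a mined PrefixSpan pattern means."""
    pos = 0
    for call in fragment:
        if pos < len(pattern) and call == pattern[pos]:
            pos += 1
    return pos == len(pattern)


def eliminate(m1: Iterable[Pattern], normal_fragments: List[List[str]]) -> List[Pattern]:
    """Algorithm 3: delete from M1 every frequent pattern t that matches some
    fragment s of the normal-behaviour trace set Dn; the remainder is M2."""
    return [t for t in m1
            if not any(contains_pattern(s, t) for s in normal_fragments)]


def slice_trace(trace: List[str], window: int) -> List[List[str]]:
    """Slicing step (assumed slice shape): consecutive, non-overlapping
    fragments of `window` system calls each."""
    return [trace[i:i + window] for i in range(0, len(trace), window)]


def stream_sign(trace: List[str], signatures: List[Pattern],
                window: int) -> Tuple[int, List[int]]:
    """class(S_i) = 1 if fragment S_i matches any signature of this stream,
    else 0; sign = class(S_1) v class(S_2) v ..., i.e. the max of the 0/1 weights."""
    weights = [int(any(contains_pattern(frag, sig) for sig in signatures))
               for frag in slice_trace(trace, window)]
    return max(weights, default=0), weights


def decide(traces: Dict[str, List[str]], feature_db: Dict[str, List[Pattern]],
           lam: int, window: int = 3) -> Tuple[int, str]:
    """Multi-trace metric: sign = sign_f + sign_n + sign_s over the file (f),
    network (n) and resource (s) streams; sign > λ (λ ≠ 0) means malicious."""
    if lam == 0:
        raise ValueError("decision threshold λ must be non-zero")
    sign = sum(stream_sign(traces.get(k, []), feature_db.get(k, []), window)[0]
               for k in ("f", "n", "s"))
    return sign, ("malicious" if sign > lam else "normal")


# Constructed sample data (not from the patent): a stage-one pattern set M1,
# normal-trace fragments Dn, a three-stream feature database and the traces
# of one suspicious and one benign program.
M1_SAMPLE: List[Pattern] = [("read", "lseek"), ("lseek", "close"),
                            ("open", "fsync", "close"), ("socket", "connect")]
NORMAL_FRAGMENTS = [["open", "read", "lseek", "close"], ["fsync", "close"]]
FEATURE_DB: Dict[str, List[Pattern]] = {
    "f": [("open", "fsync", "close")],
    "n": [("socket", "connect", "sendto")],
    "s": [("mmap", "mprotect")],
}
SUSPECT_TRACES = {
    "f": ["open", "fsync", "close", "read", "write", "exit_group"],
    "n": ["socket", "connect", "sendto", "recvfrom", "close"],
    "s": ["brk", "mmap", "mprotect", "munmap"],
}
BENIGN_TRACES = {"f": ["open", "read", "close"], "n": [],
                 "s": ["brk", "mmap", "munmap"]}

if __name__ == "__main__":
    print("M2 =", eliminate(M1_SAMPLE, NORMAL_FRAGMENTS))
    for lam in (1, 3):
        print("λ =", lam, "suspect:", decide(SUSPECT_TRACES, FEATURE_DB, lam),
              "benign:", decide(BENIGN_TRACES, FEATURE_DB, lam))
```

The same suspect program is judged malicious with λ = 1 and normal with λ = 3, which is the security-level trade-off the text describes; the window size matters too, since a signature split across two fragments is not matched by either.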
Claims (5)
1. A multi-trace malicious program feature detection method based on data mining, characterized in that it comprises a behavior trace acquisition step, a slicing step, a feature extraction and feature database construction step, and a measurement detection step; the behavior trace acquisition step obtains the system call sequence of the program as it runs;
the slicing step fragments the acquired program behavior trace to suit the needs of the mining process;
the feature extraction and feature database construction step uses an improved sequential pattern mining algorithm from data mining to obtain the frequent subsequence sets of the file stream, the network stream and the resource stream, rejects normal program behavior trace fragments, and constructs a malicious behavior feature database; the improved sequential pattern mining algorithm uses an AC automaton to optimize the search for sequences that meet the minimum support, and discards frequent sequences that do not meet the minimum length while constructing the projected database, thereby reducing the space and time cost of the mining process;
the measurement detection step performs measurement detection on the running program against the constructed three-dimensional feature database.
2. The multi-trace malicious program feature detection method based on data mining according to claim 1, characterized in that the behavior trace acquisition step dynamically traces the program with the Linux system tool strace and obtains its execution trace at run time.
3. The multi-trace malicious program feature detection method based on data mining according to claim 1, characterized in that, in the feature extraction and feature database construction step, the feature database is a database made up of a series of features that characterize malicious programs, and the feature database is composed of a three-dimensional feature vector space: the file stream feature vector space, the network stream feature vector space and the resource stream feature vector space.
4. The multi-trace malicious program feature detection method based on data mining according to claim 3, characterized in that the construction of the feature database is divided into two stages: stage one is frequent subsequence mining based on the improved sequential pattern mining algorithm, and stage two simplifies the frequent subsequence set extracted in stage one;
the detailed process of stage one is as follows: for the malicious programs in the given training set, obtain each program's file stream behavior trace, network stream behavior trace and resource control stream behavior trace, and initialize the file stream behavior trace training set, the network stream behavior trace training set and the resource control stream behavior trace training set respectively; then mine the frequent subsequence set with the improved sequential pattern mining algorithm;
stage two is the filtering of normal behavior trace fragments: the frequent subsequence set extracted in stage one contains not only fragments of malicious behavior traces but also fragments of normal behavior traces, and filtering out the normal behavior trace fragments yields the malicious behavior feature vector space; the normal behavior trace data set uses the behavior traces of normal programs run after the operating system starts.
5. The multi-trace malicious program feature detection method based on data mining according to claim 1, characterized in that the measurement detection step uses a multi-trace metric algorithm: the acquired behavior sequences are measured in real time against the file operation trace, the network access trace and the memory resource usage trace of the running program; according to the measurement results, the real-time behavior of the program is assessed against the evaluation criteria and decision rule, and the assessment result is fed back to the system management and control process, achieving dynamic detection of malicious programs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510516268.5A CN105138916B (en) | 2015-08-21 | 2015-08-21 | Multi-trace rogue program characteristic detection method based on data mining |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105138916A CN105138916A (en) | 2015-12-09 |
CN105138916B true CN105138916B (en) | 2018-02-02 |
Family
ID=54724261
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510516268.5A Active CN105138916B (en) | 2015-08-21 | 2015-08-21 | Multi-trace rogue program characteristic detection method based on data mining |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105138916B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105868626B (en) * | 2016-03-25 | 2018-10-02 | PLA Information Engineering University (中国人民解放军信息工程大学) | Method for monitoring software business behavior based on coarse-grained control-flow integrity |
CN106845224A (en) * | 2016-12-16 | 2017-06-13 | East China Normal University (华东师范大学) | Malicious program identification system |
CN106650445B (en) * | 2016-12-16 | 2019-05-28 | East China Normal University (华东师范大学) | Malicious program identification method |
CN107844540A (en) * | 2017-10-25 | 2018-03-27 | University of Electronic Science and Technology of China (电子科技大学) | Time-series mining method for electric power data |
CN110704773B (en) * | 2018-06-25 | 2022-06-03 | SF Technology Co., Ltd. (顺丰科技有限公司) | Abnormal behavior detection method and system based on frequent behavior sequence patterns |
CN109450942B (en) * | 2018-12-25 | 2019-09-13 | Beijing Dyna Laboratory Technology Co., Ltd. (北京戴纳实验科技有限公司) | Security detection method and detection device for an Internet-of-Things laboratory management system |
CN109753800B (en) * | 2019-01-02 | 2023-04-07 | Chongqing University of Posts and Telecommunications (重庆邮电大学) | Android malicious application detection method and system fusing frequent item set and random forest algorithm |
CN110362995B (en) * | 2019-05-31 | 2022-12-02 | Chengdu College of UESTC (电子科技大学成都学院) | Malicious software detection and analysis system based on reverse engineering and machine learning |
CN112035836B (en) * | 2019-06-04 | 2023-04-14 | Sichuan University (四川大学) | Malicious code family API sequence mining method |
CN110728583A (en) * | 2019-10-11 | 2020-01-24 | Alipay (Hangzhou) Information Technology Co., Ltd. (支付宝(杭州)信息技术有限公司) | Method and system for identifying fraudulent claim behaviors |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101359351A (en) * | 2008-09-25 | 2009-02-04 | PLA Information Engineering University (中国人民解放军信息工程大学) | Multilayer semantic annotation and detection method against malicious code |
CN102054149A (en) * | 2009-11-06 | 2011-05-11 | Graduate University of the Chinese Academy of Sciences (中国科学院研究生院) | Method for extracting malicious code behavior characteristics |
CN103617393A (en) * | 2013-11-28 | 2014-03-05 | Beijing University of Posts and Telecommunications (北京邮电大学) | Method for mobile internet malicious application software detection based on support vector machines |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9230106B2 (en) * | 2013-06-28 | 2016-01-05 | Kaspersky Lab Ao | System and method for detecting malicious software using malware trigger scenarios in a modified computer environment |
Application Events
- 2015-08-21 | Application CN201510516268.5A filed in China; granted as CN105138916B; status: Active
Non-Patent Citations (4)
Title |
---|
Exploring Multiple Execution Paths for Malware Analysis; Andreas Moser et al.; 2007 IEEE Symposium on Security and Privacy; 2007-12-31; full text * |
Multi-path based mining of malicious behavior specifications in Linux systems (Linux系统中基于多路径的恶意行为规范挖掘); Liu Linshuang (刘琳爽) et al.; Computer Systems & Applications (计算机系统应用); 2010-12-31; vol. 19, no. 9; main text pp. 168-172 * |
Design and implementation of a host behavior analysis system (主机行为分析系统设计与实现); Li Feibing (李飞兵); China Masters' Theses Full-text Database, Information Science and Technology series (monthly) (中国优秀硕士学位论文全文数据库信息科技辑(月刊)); 2013-07-15, no. 7; full text * |
Application of the PrefixSpan algorithm in malicious code detection (恶意代码检测中的PrefixSpan算法应用); Wang Lina (王丽娜) et al.; Computer Engineering (计算机工程); 2010-04-30; vol. 36, no. 7; main text pp. 119-121 * |
Also Published As
Publication number | Publication date |
---|---|
CN105138916A (en) | 2015-12-09 |
Similar Documents
Publication | Title |
---|---|
CN105138916B (en) | Multi-trace rogue program characteristic detection method based on data mining |
Liu et al. | Host-based intrusion detection system with system calls: Review and future trends |
Martín et al. | CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains |
Alrabaee et al. | Oba2: An onion approach to binary code authorship attribution |
Wang et al. | Review of android malware detection based on deep learning |
Alasmary et al. | Soteria: Detecting adversarial examples in control flow graph-based malware classifiers |
Cen et al. | A probabilistic discriminative model for android malware detection with decompiled source code |
Jerome et al. | Using opcode-sequences to detect malicious Android applications |
CN100444075C (en) | Virus characteristics extraction and detection system and method for mobile/intelligent terminal |
Singh et al. | Dynamic behavior analysis of android applications for malware detection |
Wu et al. | A survey of android malware static detection technology based on machine learning |
US20160021174A1 (en) | Computer implemented method for classifying mobile applications and computer programs thereof |
CN101924761A (en) | Method for detecting malicious program according to white list |
KR101716564B1 (en) | Malware Detection Method and System Based on Hadoop |
Lin et al. | Dimsum: Discovering semantic data of interest from un-mappable memory with confidence |
Apvrille et al. | Identifying unknown android malware with feature extractions and classification techniques |
Eskandari et al. | To incorporate sequential dynamic features in malware detection engines |
Odat et al. | A novel machine learning approach for android malware detection based on the co-existence of features |
Chaulagain et al. | Hybrid analysis of android apps for security vetting using deep learning |
Casolare et al. | Dynamic Mobile Malware Detection through System Call-based Image representation |
McGahagan et al. | A comprehensive evaluation of webpage content features for detecting malicious websites |
CN108959930A (en) | Malicious PDF detection method, system, data storage device and detection program |
Shafin et al. | Detection of android malware using tree-based ensemble stacking model |
Yamany et al. | Ransomware clustering and classification using similarity matrix |
Guerra-Manzanares et al. | Differences in android behavior between real device and emulator: a malware detection perspective |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |