CN105205396A - Detecting system for Android malicious code based on deep learning and method thereof - Google Patents

Publication number: CN105205396A
Authority: CN (China)
Legal status: Pending
Application number: CN201510667016.2A
Other languages: Chinese (zh)
Inventors: 邹福泰, 徐凯翼, 唐佳莉, 朱文彬, 杭梦玥
Current Assignee: Shanghai Jiaotong University
Original Assignee: Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University
Priority to CN201510667016.2A
Publication of CN105205396A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a detection system for Android malicious code based on deep learning. The detection system comprises a feature extraction module, a deep learning module and a report generation module. The feature extraction module takes an APK (Android Package) program as input, combines static extraction with dynamic extraction, and outputs 0s and 1s that form the feature vector of the APK program. The deep learning module uses an MLP (multilayer perceptron) model as its learning model: on the one hand, it trains on a sample set formed by the feature vectors and supervised values, thereby obtaining a trained learning model; on the other hand, it takes a feature vector as input, uses the trained model to output a result probability, and takes that probability as the security level of the APK program. The report generation module interprets and analyzes the feature vector and security level of the APK program and generates an assessment report. In the detection system provided by the invention, deep learning is combined with malicious code detection and static features are combined with dynamic features, so that the system's ability to discriminate unknown malicious code and its detection accuracy are improved.

Description

An Android malicious code detection system based on deep learning and method thereof
Technical field
The present invention relates to the field of Android malicious code detection, and in particular to an Android malicious code detection system based on deep learning and a method thereof.
Background
The latest annual security report from Juniper Networks shows that, although it is unclear whether the mobile industry's market will settle on two, three or four smartphone operating systems, the authors of mobile malware have already chosen their target and are swarming to Android.
The Android platform is the "hardest-hit area" for malware. Third-party app stores remain the main channel through which viruses spread to smart mobile terminals, and owing to the openness and wide market share of the Android system, 96% of viruses worldwide come from the Android platform.
According to the relevant literature, there are currently two main methods for detecting malware. The first is signature-based detection, which checks whether unknown software contains the signature of malicious code held in a signature database. This method cannot handle compressed, encrypted or mutated malicious code well, requires the scanning engine and signature database to be updated constantly, and cannot detect newly emerging malware.
The other is behavior-based detection. It monitors how a program acts rather than the software's code. This method focuses on the behavioral characteristics that malicious code exhibits while running, so it is not affected by polymorphism or packing, and compared with static signature-based detection it is fast and intuitive. Software behavior is usually described mainly by application programming interface (API) call sequences, system feature counts or software code. These descriptions, however, are either too coarse or prone to omissions, which often affects the final classification accuracy.
Therefore, those skilled in the art are working to develop a more accurate malicious code detection system and method.
Summary of the invention
In view of the above defects of the prior art, the technical problem to be solved by the present invention is how to detect Android malicious code accurately.
To achieve the above object, the present invention provides an Android malicious code detection system and detection method based on deep learning, which can greatly improve the system's ability to discriminate unknown malicious code and the accuracy of detection.
The present invention provides an Android malicious code detection system based on deep learning. In terms of system architecture, a Browser/Server architecture is adopted, which concentrates the core of the system's functionality on the server and simplifies the development, maintenance and use of the system. In terms of detection method, an important breakthrough is also achieved: a deep learning model is innovatively introduced into the field of Android malware detection, and static analysis and dynamic analysis are combined, which improves detection accuracy and yields a more comprehensive software security analysis report.
An Android malicious code detection system based on deep learning according to the present invention comprises:
A feature extraction module, configured to take an APK program as input, combine static feature extraction with dynamic feature extraction, and output a feature vector of the APK program composed of 0s and 1s;
A deep learning module, configured to use a multilayer perceptron model to train on a sample set composed of the feature vectors and supervised values, obtaining a trained model; and also to take the feature vector as input and use the trained model to output a result probability, which serves as the security level of the APK program;
A report generation module, configured to perform analysis according to the feature vector and the security level, and to generate an assessment report.
Further, the detection system adopts a browser-side/server-side architecture. The server side is configured to call the feature extraction module, the deep learning module and the report generation module in order to carry out the preprocessing of the trained model and the detection of the APK program. The browser side is configured to face the user: uploading APK files, searching by SHA1 and presenting the assessment report.
The present invention also provides an Android malicious code detection method based on deep learning, comprising the following steps:
(S1) taking an APK program as input, use the feature extraction module to extract the dynamic features and static features of the APK program, and output a feature vector of the APK program composed of 0s and 1s;
(S2) preprocess the deep learning model;
(S3) run detection on the feature vector;
(S4) generate an assessment report according to the result of the above detection.
Further, the model preprocessing in step (S2) comprises the following steps:
(S2-1) collect a large number of APK programs with positive and negative labels, where safe software carries the positive label and malicious software carries the negative label;
(S2-2) extract the static features of the above APK programs in batch, obtaining static feature vectors;
(S2-3) extract the dynamic features of the above APK programs in batch, obtaining dynamic feature vectors;
(S2-4) combine the static feature vector and the dynamic feature vector into an overall feature vector;
(S2-5) taking the overall feature vector as the input dimensions and combining it with the supervised value of the corresponding APK program from step (S2-1), form a sample set;
(S2-6) insert the sample set into the system database;
(S2-7) taking the system database as input, train the deep learning model to obtain the trained model.
Further, the detection of the feature vector of the APK program in step (S3) comprises the following steps:
(S3-1) save the APK program uploaded by the user, and generate the SHA1 hash value of this APK program;
(S3-2) perform fingerprint matching for the above hash value in the system database;
(S3-3) if a match exists, go to step (S3-9); otherwise go to step (S3-4);
(S3-4) extract the static features of the APK program uploaded by the user, obtaining a static feature vector;
(S3-5) extract the dynamic features of the APK program uploaded by the user, obtaining a dynamic feature vector;
(S3-6) combine the static feature vector and the dynamic feature vector into an overall feature vector;
(S3-7) input the overall feature vector into the trained model, which outputs a result probability;
(S3-8) insert the overall feature vector and the output result probability into the system database;
(S3-9) according to the record in the system database, parse it and generate a security assessment report.
Further, the static and dynamic feature extraction in steps (S3-4) and (S3-5) comprises the following steps:
(S3-45-1) decompress the APK program uploaded by the user, obtaining the files AndroidManifest.xml and classes.dex;
(S3-45-2) parse the AndroidManifest.xml file with the AXMLPrinter2 and TinyXml tools to obtain all the permissions requested by the APK program, with dimension 120, as the first part of the static feature vector;
(S3-45-3) disassemble the classes.dex file with the disassembler baksmali and search the resulting disassembled source code to obtain the API call information, which is abstracted into a feature vector of dimension 365, as the second part of the static feature vector;
(S3-45-4) use DroidBox as the sandbox for dynamic monitoring and, by hooking 23 APIs in the Android program, obtain a 23-dimensional dynamic feature vector.
Further, the deep learning model used has the following features:
(1) the overall model is built by combining a recurrent neural network (RNN) with a multilayer perceptron model;
(2) the recurrent neural network processes dynamic behavior sequences of variable length; the dynamic features it extracts are then combined with the static features into an overall feature vector of fixed length;
(3) the multilayer perceptron model performs the classification.
Further, the parameters of the multilayer perceptron model are:
Input: a feature vector of 508 dimensions, comprising static features and dynamic features;
Output: the probability of benign software and the probability of malware;
Number of hidden-layer nodes: 80;
Connection weights from the hidden layer to the output layer: 0.001;
Threshold of the output layer: 0.7;
Number of learning iterations: 1000;
Learning rate: 0.05.
Further, the multilayer perceptron model uses early stopping: at the end of each iteration the accuracy on the validation data is calculated, and when this accuracy no longer improves, training stops, so as to avoid overfitting.
Further, the multilayer perceptron model uses 5-fold cross-validation as the hit-rate test: the validation data set is divided into five parts, four of which are used in turn for training and one for validation, and the average of the ten results is taken as the final result of the hit-rate test.
Compared with the prior art, the Android malicious code detection system and detection method based on deep learning provided by the present invention have the following beneficial effect: the deep learning model can extract feature patterns automatically and learn layer by layer, ensuring that the features are used effectively and reasonably and thereby ensuring the accuracy of the result.
The concept, specific structure and technical effects of the present invention are further described below with reference to the accompanying drawings, so that the objects, features and effects of the present invention can be fully understood.
Brief description of the drawings
Fig. 1 is the overall framework diagram of the Android malicious code detection system based on deep learning according to one embodiment of the present invention;
Fig. 2 is the model preprocessing workflow diagram of the Android malicious code detection system based on deep learning shown in Fig. 1;
Fig. 3 is the APK detection flowchart of the Android malicious code detection system based on deep learning shown in Fig. 1;
Fig. 4 is the deep learning model diagram of the Android malicious code detection system based on deep learning shown in Fig. 1;
Fig. 5 is the static feature extraction diagram of the Android malicious code detection system based on deep learning shown in Fig. 1;
Fig. 6 is the dynamic feature extraction diagram of the Android malicious code detection system based on deep learning shown in Fig. 1.
Detailed description
As shown in Fig. 1, the Android malicious code detection system based on deep learning according to one embodiment of the present invention comprises:
Feature extraction module: takes an APK program as input, combines static extraction with dynamic extraction, and outputs a vector composed of 0s and 1s as the feature vector of the APK program;
Deep learning module: uses a multilayer perceptron (MLP) model as the learning model. On the one hand it trains on the sample set formed by the feature vectors and supervised values, obtaining a trained model; on the other hand it takes a feature vector as input and uses the trained model to output a result probability, which serves as the security level of the APK program;
Report generation module: interprets and analyzes the feature vector and security level of the APK program, and generates an assessment report.
The Android malicious code detection method based on deep learning of this embodiment comprises the following steps:
(1) taking an APK program as input, use the feature extraction module to extract the dynamic and static features of the APK, and output a vector composed of 0s and 1s as the feature vector of the APK program;
(2) after the deep learning model has been preprocessed, run detection on the feature vector described in (1);
(3) the report generation module generates a detailed APK analysis report according to the detection result in (2).
Fig. 2 shows the model preprocessing flow of the Android malicious code detection system based on deep learning shown in Fig. 1. The model preprocessing in step (2) comprises the following steps:
(1) collect a large number of APK programs with positive and negative labels (benign software and malware);
(2) extract the static features of the APK programs in batch, obtaining static feature vectors;
(3) extract the dynamic features of the APK programs in batch, obtaining dynamic feature vectors;
(4) combine the vectors from (2) and (3) into an overall feature vector;
(5) taking the overall feature vector from (4) as the input dimensions and combining it with the supervised value of the corresponding APK program from (1), form a sample set;
(6) insert the sample set from (5) into the system database;
(7) taking the sample set in the database as input, train the deep learning model to obtain the fully trained detection model.
Fig. 3 shows the APK detection flow of the Android malicious code detection system based on deep learning shown in Fig. 1. The detection flow comprises the following steps:
(1) save the APK program uploaded by the user, and generate the SHA1 hash value of the APK program;
(2) perform fingerprint matching in the database for the hash value generated in (1);
(3) if the match in (2) exists, go to (9); otherwise go to (4);
(4) extract the static features of the APK program from (1), obtaining a static feature vector;
(5) extract the dynamic features of the APK program from (1), obtaining a dynamic feature vector;
(6) combine the vectors from (4) and (5) into an overall feature vector;
(7) input the overall feature vector from (6) into the fully trained detection model, which outputs a result;
(8) insert the overall feature vector from (6) and the output value from (7) into the system database;
(9) according to the record in the database, parse it and generate a security assessment report.
Fig. 4 shows the deep learning model part of the Android malicious code detection system based on deep learning shown in Fig. 1. The model has the following features:
(1) The overall model is built by combining an RNN (recurrent neural network) with an MLP (multilayer perceptron) model.
(2) The RNN processes dynamic behavior sequences of variable length; the dynamic features it extracts are then combined with the static features into a feature vector of fixed length. The internal network state of an RNN can represent dynamic temporal behavior well. Unlike a feedforward neural network, an RNN can use its internal memory to process input sequences of arbitrary length, so this system uses an RNN model to analyze the dynamic behavior features of a program. The dynamic features extracted by DroidBox vary in dimension; after processing by the RNN model, a dynamic feature vector of fixed dimension, 23, is output.
(3) The MLP model performs the classification; this arrangement makes full and reasonable use of both the static features and the dynamic features. A multilayer perceptron (MLP) trained by back-propagation is a typical feedforward network: information is processed layer by layer, from the input layer through each hidden layer to the output layer. The parameters that must be determined for an MLP are the number of hidden-layer nodes, the connection weights from the hidden layer to the output layer, and the threshold of the output layer. We improve training efficiency by adjusting these parameters continually. An MLP can compute in parallel, processes quickly, has strong learning capability and easily realizes non-linear mappings. It is also fault-tolerant: damage to local neurons does not greatly affect overall activity. It performs pattern transformation and feature extraction on the input signal, and it is not very sensitive to uncertainty in the system or to incomplete input patterns. The MLP in this system can fully integrate and train on samples of relatively high dimension, achieving the goal of improving detection accuracy.
The main parameters of the MLP model finally used are:
Input: a feature vector of 508 dimensions (comprising static features and dynamic features);
Output: the probability of 0 (benign software) and the probability of 1 (malware);
Number of hidden-layer nodes: 80;
Connection weights from the hidden layer to the output layer: 0.001;
Threshold of the output layer: 0.7;
Number of learning iterations (epochs): 1000;
Learning rate: 0.05.
In addition, to maximize the efficiency of the learning process, this system uses early stopping: at the end of each iteration (one iteration being one pass over all the training data) the accuracy on the validation data is calculated, and when the accuracy no longer improves, training stops. This both avoids wasting effort on unnecessary learning and prevents overfitting.
Furthermore, to obtain reliable and stable results while training the learning model, this system uses 5-fold cross-validation as the hit-rate test: the data set is divided into five parts, four of which are used in turn for training and one for validation, and the average of the ten results is taken as the final result of the hit-rate test.
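The training procedure described above (one hidden layer, learning rate 0.05, at most 1000 epochs, stop as soon as validation accuracy fails to improve, 5-fold cross-validation), as an added Python example that is not code from the patent. The page averages ten results from a five-fold split without saying how ten arise, so running the five folds twice with different shuffles (`repeats=2`) is an assumption; a single sigmoid output stands for P(malware), and the page's 0.001 weight and 0.7 threshold are not used because the page does not say how they enter the model.

```python
import math
import random


def k_fold_indices(n, k=5, seed=0):
    """Shuffle 0..n-1 and yield (train_idx, val_idx) for each of the k folds."""
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    folds = [idx[i::k] for i in range(k)]
    for i in range(k):
        train = [j for f in folds[:i] + folds[i + 1:] for j in f]
        yield train, folds[i]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))


class MLP:
    """One hidden layer of sigmoid units; the single output is P(malware)."""

    def __init__(self, n_in, n_hidden=80, lr=0.05, seed=0):
        rng = random.Random(seed)
        self.lr = lr
        self.w1 = [[rng.uniform(-0.1, 0.1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.1, 0.1) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        return h, sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)

    def step(self, x, y):
        """One stochastic gradient step of back-propagation (cross-entropy loss)."""
        h, p = self.forward(x)
        d_out = p - y
        for j, hj in enumerate(h):
            d_h = d_out * self.w2[j] * hj * (1 - hj)  # uses w2[j] before its update
            self.w2[j] -= self.lr * d_out * hj
            self.b1[j] -= self.lr * d_h
            row = self.w1[j]
            for i, xi in enumerate(x):
                if xi:  # inputs are 0/1, so only set bits carry gradient
                    row[i] -= self.lr * d_h
        self.b2 -= self.lr * d_out

    def accuracy(self, X, Y):
        return sum((self.forward(x)[1] >= 0.5) == bool(y) for x, y in zip(X, Y)) / len(X)


def train_early_stopping(X, Y, train, val, n_hidden=80, lr=0.05, max_epochs=1000, seed=0):
    """Train on `train`; stop when accuracy on `val` no longer improves."""
    net = MLP(len(X[0]), n_hidden, lr, seed)
    best, epochs = -1.0, 0
    for epochs in range(1, max_epochs + 1):
        for i in train:
            net.step(X[i], Y[i])
        acc = net.accuracy([X[i] for i in val], [Y[i] for i in val])
        if acc <= best:  # the page's rule: no improvement ends training
            break
        best = acc
    return best, epochs


def cross_validate(X, Y, k=5, repeats=2, **kw):
    """Mean of k * repeats validation accuracies (ten with the defaults)."""
    scores = []
    for r in range(repeats):
        for train, val in k_fold_indices(len(X), k, seed=r):
            scores.append(train_early_stopping(X, Y, train, val, **kw)[0])
    return sum(scores) / len(scores), scores


if __name__ == "__main__":
    rng = random.Random(7)  # constructed data: sparse 508-bit vectors, label = bit 0
    X = [[int(rng.random() < 0.05) for _ in range(508)] for _ in range(50)]
    for x in X[::2]:
        x[0] = 1
    Y = [x[0] for x in X]
    print("mean validation accuracy over 10 runs:", cross_validate(X, Y)[0])
```

Because validation accuracy can only take as many distinct values as there are validation samples plus one, the stop rule as stated ends training after at most that many epochs plus one, which on small validation folds can be well before the model has converged.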
Figs. 5 and 6 show the static and dynamic feature extraction of the Android malicious code detection system based on deep learning, which comprises the following steps:
(1) decompress the APK program uploaded by the user, obtaining two key files: AndroidManifest.xml and classes.dex;
(2) parse the AndroidManifest.xml file with the AXMLPrinter2 and TinyXml tools to obtain all the permissions requested by this APK program, with dimension 120, as the first part of the static features;
(3) disassemble the classes.dex file with the disassembler baksmali and search the program source code by brute force to obtain the call information for the main APIs, which is abstracted into a feature vector of dimension 365, as the second part of the static features;
(4) use DroidBox as the sandbox for dynamic monitoring and, by hooking more than 20 key APIs in the Android program and passing the result through the RNN model, obtain 23-dimensional dynamic features.
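The detection flow (SHA1 fingerprint lookup, with extraction and scoring only on a miss) and the 120 + 365 + 23 feature layout described above, as an added Python example that is not code from the patent. The vocabularies, the `toy_score` stand-in for the trained MLP, the `extract` callback and the sample inputs are constructed assumptions, and the RNN stage is omitted: the dynamic part is taken directly as the set of hooked events observed.

```python
import hashlib
import re
import sqlite3
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
N_PERM, N_API, N_DYN = 120, 365, 23  # dimensions stated on the page (508 in total)

# Hypothetical vocabularies: the page gives only the dimensions, not the lists.
PERMISSIONS = ["android.permission.SEND_SMS", "android.permission.INTERNET",
               "android.permission.READ_CONTACTS"]
API_CALLS = ["Landroid/telephony/SmsManager;->sendTextMessage",
             "Ljava/lang/Runtime;->exec"]
DYN_EVENTS = ["sendsms", "opennet", "dexload"]  # assumed labels for hooked calls


def padded(vocab, width, prefix):
    """Pad a short illustrative vocabulary to the fixed width the model expects."""
    return vocab + [f"{prefix}_unused_{i}" for i in range(len(vocab), width)]


FEATURES = (padded(PERMISSIONS, N_PERM, "perm") + padded(API_CALLS, N_API, "api")
            + padded(DYN_EVENTS, N_DYN, "dyn"))


def manifest_permissions(manifest_xml):
    """Requested permissions from a decoded (text) AndroidManifest.xml."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD in manifest: refusing to parse untrusted entities")
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def smali_api_calls(smali_text):
    """Class->method targets of invoke-* instructions in baksmali output."""
    return set(re.findall(r"invoke-\S+ \{[^}]*\}, (L[^;]+;->[\w<>$]+)", smali_text))


def build_vector(manifest_xml, smali_text, dyn_events):
    """Static part (120 + 365) followed by the dynamic part (23), all 0/1."""
    observed = (manifest_permissions(manifest_xml) | smali_api_calls(smali_text)
                | set(dyn_events))
    return [1 if name in observed else 0 for name in FEATURES]


def toy_score(vec):
    """Stand-in for the trained MLP (hypothetical): more set bits, higher score."""
    return min(1.0, sum(vec) / 5)


class Detector:
    def __init__(self, score_fn):
        self.score_fn = score_fn
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE results (sha1 TEXT PRIMARY KEY, vector TEXT, p REAL)")

    def analyze(self, apk_bytes, extract):
        """extract(apk_bytes) -> (manifest_xml, smali_text, dyn_events); run on a miss only."""
        sha1 = hashlib.sha1(apk_bytes).hexdigest()                         # S3-1
        row = self.db.execute("SELECT vector, p FROM results WHERE sha1 = ?",
                              (sha1,)).fetchone()                          # S3-2
        cached = row is not None                                           # S3-3
        if not cached:
            vec = build_vector(*extract(apk_bytes))                        # S3-4 to S3-6
            row = ("".join(map(str, vec)), float(self.score_fn(vec)))      # S3-7
            self.db.execute("INSERT INTO results VALUES (?, ?, ?)", (sha1, *row))  # S3-8
        bits, p = row
        return {"sha1": sha1, "cached": cached, "p_malware": p,            # S3-9
                "triggered": [FEATURES[i] for i, b in enumerate(bits) if b == "1"]}


# Constructed sample artifacts, standing in for AXMLPrinter2 / baksmali / DroidBox output.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SMALI = ("invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->"
                "sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
                "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V")


def sample_extract(apk_bytes):
    return SAMPLE_MANIFEST, SAMPLE_SMALI, {"sendsms"}


if __name__ == "__main__":
    detector = Detector(toy_score)
    for _ in range(2):  # the second call is served from the fingerprint table
        print(detector.analyze(b"constructed-apk-bytes", sample_extract))
```

Because the fingerprint decides whether analysis is skipped, two different files that collide under SHA-1 would share one stored result; keying the table on SHA-256 removes that dependency.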
The preferred embodiments of the present invention have been described in detail above. It should be understood that those of ordinary skill in the art can make many modifications and variations according to the concept of the present invention without creative effort. Therefore, any technical solution that a person skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experimentation under the concept of the present invention shall fall within the scope of protection determined by the claims.

Claims (10)

1. An Android malicious code detection system based on deep learning, characterized in that the detection system comprises:
A feature extraction module, configured to take an APK program as input, combine static feature extraction with dynamic feature extraction, and output a feature vector of the APK program composed of 0s and 1s;
A deep learning module, configured to use a multilayer perceptron model to train on a sample set composed of the feature vectors and supervised values, obtaining a trained model; and also to take the feature vector as input and use the trained model to output a result probability, which serves as the security level of the APK program;
A report generation module, configured to perform analysis according to the feature vector and the security level, and to generate an assessment report.
2. The Android malicious code detection system based on deep learning as claimed in claim 1, characterized in that the detection system adopts a browser-side/server-side architecture; the server side is configured to call the feature extraction module, the deep learning module and the report generation module in order to carry out the preprocessing of the trained model and the detection of the APK program; the browser side is configured to face the user: uploading APK files, searching by SHA1 and presenting the assessment report.
3. An Android malicious code detection method based on deep learning, characterized in that the detection method comprises the following steps:
(S1) taking an APK program as input, use the feature extraction module to extract the dynamic features and static features of the APK program, and output a feature vector of the APK program composed of 0s and 1s;
(S2) preprocess the deep learning model;
(S3) run detection on the feature vector;
(S4) generate an assessment report according to the result of the above detection.
4. The Android malicious code detection method based on deep learning as claimed in claim 3, characterized in that the model preprocessing in step S2 comprises the following steps:
(S2-1) collect a large number of APK programs with positive and negative labels, where safe software carries the positive label and malicious software carries the negative label;
(S2-2) extract the static features of the above APK programs in batch, obtaining static feature vectors;
(S2-3) extract the dynamic features of the above APK programs in batch, obtaining dynamic feature vectors;
(S2-4) combine the static feature vector and the dynamic feature vector into an overall feature vector;
(S2-5) taking the overall feature vector as the input dimensions and combining it with the supervised value of the corresponding APK program from step (S2-1), form a sample set;
(S2-6) insert the sample set into the system database;
(S2-7) taking the system database as input, train the deep learning model to obtain the trained model.
5. The Android malicious code detection method based on deep learning as claimed in claim 3, characterized in that the detection of the feature vector of the APK program in step S3 comprises the following steps:
(S3-1) save the APK program uploaded by the user, and generate the SHA1 hash value of this APK program;
(S3-2) perform fingerprint matching for the above hash value in the system database;
(S3-3) if a match exists, go to step (S3-9); otherwise go to step (S3-4);
(S3-4) extract the static features of the APK program uploaded by the user, obtaining a static feature vector;
(S3-5) extract the dynamic features of the APK program uploaded by the user, obtaining a dynamic feature vector;
(S3-6) combine the static feature vector and the dynamic feature vector into an overall feature vector;
(S3-7) input the overall feature vector into the trained model, which outputs a result probability;
(S3-8) insert the overall feature vector and the output result probability into the system database;
(S3-9) according to the record in the system database, parse it and generate a security assessment report.
6. The Android malicious code detection method based on deep learning as claimed in claim 5, characterized in that the static and dynamic feature extraction in steps (S3-4) and (S3-5) comprises the following steps:
(S3-45-1) decompress the APK program uploaded by the user, obtaining the files AndroidManifest.xml and classes.dex;
(S3-45-2) parse the AndroidManifest.xml file with the AXMLPrinter2 and TinyXml tools to obtain all the permissions requested by the APK program, with dimension 120, as the first part of the static feature vector;
(S3-45-3) disassemble the classes.dex file with the disassembler baksmali and search the resulting disassembled source code to obtain the API call information, which is abstracted into a feature vector of dimension 365, as the second part of the static feature vector;
(S3-45-4) use DroidBox as the sandbox for dynamic monitoring and, by hooking 23 APIs in the Android program, obtain a 23-dimensional dynamic feature vector.
7. The Android malicious code detection method based on deep learning as claimed in claim 4, characterized in that the deep learning model used has the following features:
(1) the overall model is built by combining a recurrent neural network (RNN) with a multilayer perceptron model;
(2) the recurrent neural network processes dynamic behavior sequences of variable length; the dynamic features it extracts are then combined with the static features into an overall feature vector of fixed length;
(3) the multilayer perceptron model performs the classification.
8. The Android malicious code detection method based on deep learning as claimed in claim 7, characterized in that the parameters of the multilayer perceptron model are:
Input: a feature vector of 508 dimensions, comprising static features and dynamic features;
Output: the probability of benign software and the probability of malware;
Number of hidden-layer nodes: 80;
Connection weights from the hidden layer to the output layer: 0.001;
Threshold of the output layer: 0.7;
Number of learning iterations: 1000;
Learning rate: 0.05.
9. The Android malicious code detection method based on deep learning as claimed in claim 7, characterized in that the multilayer perceptron model uses early stopping: at the end of each iteration the accuracy on the validation data is calculated, and when this accuracy no longer improves, training stops, so as to avoid overfitting.
10. The Android malicious code detection method based on deep learning as claimed in claim 7, characterized in that the multilayer perceptron model uses 5-fold cross-validation as the hit-rate test: the validation data set is divided into five parts, four of which are used in turn for training and one for validation, and the average of the ten results is taken as the final result of the hit-rate test.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510667016.2A CN105205396A (en) 2015-10-15 2015-10-15 Detecting system for Android malicious code based on deep learning and method thereof

Publications (1)

Publication Number Publication Date
CN105205396A true CN105205396A (en) 2015-12-30

Family

ID=54953070

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510667016.2A Pending CN105205396A (en) 2015-10-15 2015-10-15 Detecting system for Android malicious code based on deep learning and method thereof

Country Status (1)

Country Link
CN (1) CN105205396A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102411687A (en) * 2011-11-22 2012-04-11 华北电力大学 Deep learning detection method of unknown malicious codes
CN103823751A (en) * 2013-12-13 2014-05-28 国家计算机网络与信息安全管理中心 Counterfeit application program monitoring method based on characteristic implantation
CN104123500A (en) * 2014-07-22 2014-10-29 卢永强 Android platform malicious application detection method and device based on deep learning

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151230