CN105426762A - Static detection method for malice of android application programs - Google Patents
- Publication number: CN105426762A
- Authority: CN (China)
- Prior art keywords: authority, malicious, application program, ori, variable
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention relates to a static detection method for malice of android application programs and belongs to the technical field of safety detection of application programs on an Android platform. According to the method, firstly, correlation analysis of permission characteristic attributes of the Android application programs is performed through calculation of a partial correlation coefficient, so that dimensionality reduction preprocessing of permission feature sets is realized; secondly, the permission feature sets after dimensionality reduction are subjected to correlation cluster redundancy removal through mutual information with a Cartesian product method, a threshold value is set, an overfitting phenomenon is avoided, a set Xnew of new classification permission feature sets is obtained, and accordingly, the permission feature sets after permission clustering are almost mutually independent; finally, a naive bayes classifier is established on the basis of permission clustering and is improved, so that correlation of classification decisions of the application programs is high, and the reliability of malice detection of the Android application programs is further improved.
Description
Technical field
The invention belongs to the technical field of application security detection on the Android platform and relates to a static detection method for the maliciousness of Android applications.
Background art
The fast pace of modern life and work has raised people's expectations for obtaining real-time information and services from the network, and the mobile Internet emerged in response. The security of the mobile Internet directly affects users' use of and trust in it, bears on the release of its productive capacity and the normal realization of its positive value, and further concerns the national security industry and the information of the general public. In this information age, therefore, constant attention must be paid to the new characteristics of mobile Internet security, the current state of mobile Internet security must be understood in detail, and the contradictions caused by mobile Internet security problems must be grasped and handled in time. The overall mobile Internet security architecture and the deployments made to prevent security problems must be continuously improved, and malicious traffic attacks and the dissemination of unhealthy, unscientific information on the mobile Internet must be analyzed and monitored at all times. Mobile Internet security is ensured through continuous technical innovation, improved security design and security deployment, with dedicated personnel assigned to real-time monitoring and with technical means such as content filtering, so as to give the mobile Internet a clean and healthy environment in which to develop. With the development of the mobile Internet, things that previously required a computer can now be done with a mobile phone, which has greatly increased the demand for smartphones. Within mobile Internet security, the secure communication of Android is receiving more and more attention. In November 2007, Google released Android, an open-source smart mobile operating system based on the Linux kernel. This system has a huge number of users and a huge application market: according to Gartner statistics, worldwide smartphone sales in the third quarter of 2013 were more than 250 million units, of which Android accounted for 81.9%; and as of January 8, 2014, the number of applications on Google Play, the official Android application market, had reached 1,030,000.
Data show that the proportion of people using smartphones was still low in 2011 and reached 46% by 2012. According to statistics from HIS, the market share of smartphones in 2013 was estimated to reach 55%. These data show that smartphones are changing people's daily way of life and have become a capable assistant in the life and work of many people.
Smartphone functions are continually being improved and developed, bringing a great deal of convenience to daily life, but smartphones have at the same time become the main target of various mobile phone viruses and malware attacks. With the rapid development of smartphones, the number of viruses targeting them has also grown in large proportion. The first smartphone virus, Cabir, was born in Nokia's home base, and after a few years of development thousands of viruses targeting intelligent terminals had appeared. The current mainstream smartphone operating systems are Symbian OS, Apple's iOS, Microsoft's Windows Phone and Google's Android. Each system has its own set of security precautions. Because people attach importance to the security of the private information on their phones, analyzing the security standards of existing smartphone operating systems and improving the defenses of smartphone systems against virus behavior has become a focus of research.
Summary of the invention
In view of this, the object of the present invention is to provide a static detection method for the maliciousness of Android applications. The method first performs correlation analysis on the permission feature attributes of Android applications by calculating partial correlation coefficients, thereby achieving dimensionality-reduction preprocessing of the permission feature set. Next, it uses mutual information and the Cartesian product method to perform correlation clustering and redundancy removal on the dimensionality-reduced permission feature set, setting a threshold to avoid overfitting, and thereby obtains the set $X_{new}$ of new classification permission feature sets, so that the permission feature sets after permission clustering are almost mutually independent. Finally, on the basis of the clustered permissions, a naive Bayes classifier is built and improved, so that the correlation of application classification decisions is high, which in turn improves the reliability of maliciousness detection for Android applications.
To achieve the above object, the invention provides the following technical scheme:
A static detection method for the maliciousness of Android applications, in which the selected sample programs are decompiled to obtain the AndroidManifest.xml file, the permission features of this file are extracted and subjected to dimensionality-reduction preprocessing, permission clustering and redundancy removal is then performed on the dimensionality-reduced permission feature set using mutual information and the Cartesian product method, and finally a naive Bayes classification model is built on this basis and the detected malicious applications are divided into maliciousness grades.
Further, the method specifically comprises the following steps:
Step 1: collect and create a sample library of malicious and non-malicious applications, decompile each APK sample to obtain its AndroidManifest.xml file, then extract the permission features of this file to obtain the permission feature set;
Step 2: exploit the correlations between Android permission feature attribute variables. Because the correlation between any two variables may appear only through the presence of a third variable, a method of correlation analysis of permission feature attributes based on the partial correlation coefficient is adopted to perform dimensionality-reduction preprocessing on the permission feature set;
Step 3: based on mutual information theory and the Cartesian product method, adopt the improved naive Bayes classification model method based on mutual information and the Cartesian product to perform clustering and redundancy removal on the permission feature set obtained after dimensionality-reduction preprocessing;
Step 4: build a naive Bayes classifier based on the set $X_{new}$ of classification attribute sets, obtain the prior probabilities by training on samples, then use the test-set samples to judge, by calculating the posterior probability, whether the detected Android application is malicious, and grade the malicious Android applications by a probabilistic method.
Further, in step 2, the method of correlation analysis of permission feature attributes based on the partial correlation coefficient specifically comprises:
The method first calculates the simple correlation coefficient between two permission feature attribute variables, where $\mathrm{Cov}(x_i, x_j)$ is the covariance between $x_i$ and $x_j$ and the remaining terms are the standard deviations of $x_i$ and $x_j$. The simple correlation coefficients obtained form the correlation matrix $R$. The cofactors (algebraic complements) $A_{ii}$, $A_{ij}$, $A_{jj}$ of $r_{ii}$, $r_{ij}$, $r_{jj}$ in the determinant $|R|$ are calculated and then substituted into the formula for the partial correlation coefficient between permission feature attribute variables. The strength of the correlation between permission feature attributes is judged from the value of $|\rho|$ of the partial correlation coefficient obtained, the permission feature attributes with low correlation are removed, and the dimensionality-reduced, preprocessed permission feature set is obtained.
Further, in step 3, based on mutual information theory and the Cartesian product method, the improved naive Bayes classification model method based on mutual information and the Cartesian product is adopted to perform clustering and redundancy removal on the permission feature set obtained after dimensionality-reduction preprocessing. The clustering redundancy-removal model is as follows:
where $\mathrm{Cor}(X_i, C)$ denotes the degree of correlation between the permission feature attribute variable $X_i$ and the class attribute variable $C$, and $\mathrm{Cor}(X_i, X_j)$ denotes the degree of correlation between the permission feature attribute variables $X_i$ and $X_j$. The calculation proceeds as follows:
1) Calculate the degree of correlation $\mathrm{Cor}(X_i, C)$ between each preprocessed permission feature attribute variable $X_i$ and the class variable $C$, and arrange the variables in descending order to form the original attribute set X-ori;
2) Calculate the degree of correlation $\mathrm{Cor}(\text{X-ori}(1), X_j)$ between the first attribute variable X-ori(1) in X-ori and each other attribute variable;
3) For each other variable $X_j$ in X-ori except X-ori(1), if $\mathrm{Cor}(\text{X-ori}(1), X_j) > \mathrm{Cor}(X_j, C)$, the variable is considered highly correlated with X-ori(1) and is added to the correlated set of X-ori(1);
4) The Cartesian product $X_{new1}$ of the first $m$ variables of X-ori(1) and its correlated set is added to $X_{new}$ as a new attribute set, and at the same time X-ori(1) and all variables of its correlated set are deleted from X-ori;
5) Repeat 2) to 4) until the stopping condition holds.
Further, in step 4, a naive Bayes classifier is built based on the set $X_{new}$ of classification attribute sets, the prior probabilities are obtained by training on samples, and the test-set samples are then used to judge, by calculating the posterior probability, whether the detected Android application is malicious. The naive Bayes model built from the set $X_{new}$ of permission classification attribute sets and the class $C$ is as follows:
where $\mathrm{count}(X_k \mid C_i)$ denotes the number of times the permission feature attribute $X_k$ occurs in the samples of class $C_i$, $\mathrm{count}(X_k)$ denotes the number of times the permission feature attribute $X_k$ occurs in the samples, $\mathrm{count}(X)$ denotes the number of permission feature sets in the classification permission set $X_{new}$, $\alpha$ denotes the degree of influence of the different permission feature attributes on the classification and quantifies the relationship between a permission feature attribute and its class attribute, $X_{new}$ is the set of permission feature attribute sets of the Android application, and $C_i$ is the class of the Android application, i.e. one of the two classes non-malicious application and malicious application. $P(X_{new})$ is constant for all classes, so to compare posterior probabilities it is only necessary to find which $P(X_{new} \mid C_i)\,P(C_i)^{\alpha}$ is largest in order to judge whether the application is malicious;
For the permission feature sets of the Android applications found to be malicious, the malicious Android applications are divided into maliciousness grades, and the maliciousness grade is calculated as follows:
where $P_v$ denotes the probability that the application sample under test occurs among malicious programs; $P_m$ denotes the probability that the application sample under test occurs among non-malicious programs; $P_v(X_i)$ denotes the probability that the $i$-th permission feature set occurs in malicious programs; and $P_n(X_i)$ denotes the probability that the $i$-th permission feature set occurs in non-malicious programs.
The beneficial effects of the present invention are as follows. The invention decompiles Android application samples to obtain the permissions they use. To prepare for building the naive Bayes model, the invention uses the partial correlation coefficient to perform correlation analysis on the permission feature attributes of Android applications and applies dimensionality-reduction preprocessing to them, then uses mutual information and the Cartesian product method to perform correlation clustering and redundancy removal on the dimensionality-reduced permission feature set, obtaining new classification permission feature sets. Because the correlation between the clustered permission sets is very low and they are almost mutually independent, the naive Bayes condition that attributes be mutually independent is satisfied. Building the naive Bayes classifier on this basis makes the correlation of application classification decisions high, and the improvement made to naive Bayes further raises the maliciousness detection rate for Android applications. Setting a threshold during clustering also avoids overfitting. Grading the maliciousness improves the security of applications at installation time in practical use. The invention can be used for security checks before the installation of future Android application software, reminding the user whether an application is malicious and of the strength and grade of its maliciousness. This is of profound significance and has broad research prospects for research on the security of application use.
Brief description of the drawings
To make the object, technical scheme and beneficial effects of the present invention clearer, the invention provides the following drawings for illustration:
Fig. 1 is a schematic flow chart of the method of the invention;
Fig. 2 is a schematic diagram of the dimensionality-reduction preprocessing of the permission features;
Fig. 3 is a schematic diagram of the clustering and redundancy removal applied to the dimensionality-reduced, preprocessed permission features.
Embodiment
Below in conjunction with accompanying drawing, the preferred embodiments of the present invention are described in detail.
Fig. 1 is a schematic flow chart of the method of the invention. As shown in the figure, the static detection method for the maliciousness of Android applications of the present invention mainly comprises the following four steps.
Step 1: collect and create a sample library of malicious and non-malicious applications, decompile each APK sample to obtain its AndroidManifest.xml file, then extract the permission features of this file to obtain the permission feature set.
Step 2: exploit the correlations between Android permission feature attribute variables. Because the correlation between any two variables may appear only through the presence of a third variable, a method of correlation analysis of permission feature attributes based on the partial correlation coefficient is proposed to perform dimensionality-reduction preprocessing on the permission feature set. The method first calculates the simple correlation coefficient between two permission feature attribute variables, where $\mathrm{Cov}(x_i, x_j)$ is the covariance between $x_i$ and $x_j$ and the remaining terms are the standard deviations of $x_i$ and $x_j$. The simple correlation coefficients obtained form the correlation matrix $R$. The cofactors (algebraic complements) $A_{ii}$, $A_{ij}$, $A_{jj}$ of $r_{ii}$, $r_{ij}$, $r_{jj}$ in the determinant $|R|$ are calculated and then substituted into the formula for the partial correlation coefficient between permission feature attribute variables. The strength of the correlation between permission feature attributes is judged from the value of $|\rho|$ of the partial correlation coefficient obtained, the permission feature attributes with low correlation are removed, and the dimensionality-reduced, preprocessed permission feature set is obtained.
Step 3: based on mutual information theory and the Cartesian product method, an improved naive Bayes classification model method based on mutual information and the Cartesian product is proposed to perform clustering and redundancy removal on the permission feature set obtained after dimensionality-reduction preprocessing: (1) calculate the degree of correlation $\mathrm{Cor}(X_i, C)$ between each preprocessed permission feature attribute variable $X_i$ and the class variable $C$, and arrange the variables in descending order to form the original attribute set X-ori; (2) calculate the degree of correlation $\mathrm{Cor}(\text{X-ori}(1), X_j)$ between the first attribute variable X-ori(1) in X-ori and each other attribute variable; (3) for each other variable $X_j$ in X-ori except X-ori(1), if $\mathrm{Cor}(\text{X-ori}(1), X_j) > \mathrm{Cor}(X_j, C)$, the variable is considered highly correlated with X-ori(1) and is added to the correlated set of X-ori(1); (4) the Cartesian product $X_{new1}$ of the first $m$ variables of X-ori(1) and its correlated set is added to $X_{new}$ as a new attribute set, and at the same time X-ori(1) and all variables of its correlated set are deleted from X-ori; (5) repeat (2) to (4) until the stopping condition holds.
Step 4: build a naive Bayes classifier based on the set $X_{new}$ of classification attribute sets, obtain the prior probabilities by training on samples, then use the test-set samples to judge, by calculating the posterior probability, whether the detected Android application is malicious, and grade the malicious Android applications by a probabilistic method.
In step 1, the collected and created sample library of malicious and non-malicious applications is decompiled, sample by sample, to obtain the AndroidManifest.xml files, whose permission features are extracted to obtain the permission feature set.
Fig. 2 is a schematic diagram of the dimensionality-reduction preprocessing of the permission features. In step 2, the method analyzes the correlations between permission feature attribute variables based on the partial correlation coefficient and performs dimensionality-reduction preprocessing on the permission feature attributes. The model for analyzing the correlation between permission feature attributes is as follows:
$A_{ij} = (-1)^{i+j} M_{ij}$
where $r(x_i, x_j)$ is the simple correlation coefficient; $\mathrm{Cov}(x_i, x_j)$ is the covariance between $x_i$ and $x_j$; the remaining terms are the standard deviations of $x_i$ and $x_j$; $A_{ii}$, $A_{ij}$, $A_{jj}$ are the cofactors (algebraic complements) of $r_{ii}$, $r_{ij}$, $r_{jj}$ in the determinant $|R|$ of the matrix $R$ formed from the simple correlation coefficients; and $M_{ij}$ is the minor (complementary minor) of the $n$-th order determinant $|R|$, i.e. the determinant of order $n-1$ that remains after removing row $i$ and column $j$ from the $n$-th order determinant $|R|$. The simple correlation coefficient between two permission feature attribute variables is calculated, the simple correlation coefficients obtained form the correlation matrix $R$, and the cofactors $A_{ii}$, $A_{ij}$, $A_{jj}$ of $r_{ii}$, $r_{ij}$, $r_{jj}$ in the determinant $|R|$ are calculated and then substituted into the formula for the partial correlation coefficient between permission feature attribute variables. The strength of the correlation between permission feature attributes is judged from the value of $|\rho|$ of the partial correlation coefficient obtained, the permission feature attributes with low correlation are removed, and the dimensionality-reduced, preprocessed permission feature set is obtained.
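The cofactor route to the partial correlation coefficient described above can be worked through as follows. This is an added example, not code from the patent: it assumes the standard form $\rho_{ij} = -A_{ij}/\sqrt{A_{ii}A_{jj}}$ (the patent's own formula is not reproduced on this page), and the permission data, the `low_correlation_features` rule and its threshold are constructed for illustration.

```python
"""Partial correlation between permission features, computed from cofactors
of the correlation matrix R. Added illustration; the data is constructed."""
from math import sqrt

NAMES = ["SEND_SMS", "READ_CONTACTS", "RECEIVE_SMS", "VIBRATE"]
# Constructed sample: number of apps per (SEND_SMS, READ_CONTACTS, RECEIVE_SMS)
# combination. Within each RECEIVE_SMS group the first two permissions are
# independent, so any correlation between them is induced by the third.
CELLS = {(1, 1, 1): 9, (1, 0, 1): 3, (0, 1, 1): 3, (0, 0, 1): 1,
         (1, 1, 0): 1, (1, 0, 0): 3, (0, 1, 0): 3, (0, 0, 0): 9}
# Every combination is duplicated with VIBRATE = 0 and 1 (an unrelated feature).
ROWS = [cell + (v,) for cell, k in CELLS.items() for v in (0, 1) for _ in range(k)]
COLUMNS = [list(col) for col in zip(*ROWS)]


def pearson(x, y):
    """Simple correlation coefficient: Cov(x, y) / (sd(x) * sd(y))."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        raise ValueError("constant column: correlation is undefined")
    return cov / sqrt(vx * vy)


def correlation_matrix(columns):
    """Matrix R of simple correlation coefficients r_ij."""
    n = len(columns)
    return [[1.0 if i == j else pearson(columns[i], columns[j])
             for j in range(n)] for i in range(n)]


def det(matrix):
    """Determinant by Gaussian elimination with partial pivoting."""
    m = [row[:] for row in matrix]
    n, d = len(m), 1.0
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            return 0.0
        if p != c:
            m[c], m[p] = m[p], m[c]
            d = -d
        d *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n):
                m[r][k] -= f * m[c][k]
    return d


def cofactor(R, i, j):
    """A_ij = (-1)^(i+j) * M_ij, with M_ij the minor without row i, column j."""
    n = len(R)
    minor = [[R[r][c] for c in range(n) if c != j] for r in range(n) if r != i]
    return (-1) ** (i + j) * det(minor)


def partial_correlation(R, i, j):
    """rho_ij with all other variables held fixed (assumed standard formula)."""
    a_ii, a_jj = cofactor(R, i, i), cofactor(R, j, j)
    if a_ii <= 0 or a_jj <= 0:
        raise ValueError("R is singular or not positive definite")
    return -cofactor(R, i, j) / sqrt(a_ii * a_jj)


def low_correlation_features(R, names, threshold):
    """Names whose |rho| with every other feature is below the threshold.
    Assumed reading of "remove the attributes with low correlation"."""
    n = len(R)
    return [names[i] for i in range(n)
            if max(abs(partial_correlation(R, i, j))
                   for j in range(n) if j != i) < threshold]
```

On the constructed data the simple correlation between SEND_SMS and READ_CONTACTS is 0.25, yet their partial correlation is 0 once RECEIVE_SMS is held fixed, which is the third-variable effect step 2 is designed to expose.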
Fig. 3 is a schematic diagram of the clustering and redundancy removal applied to the dimensionality-reduced, preprocessed permission features. In step 3, based on mutual information theory and the Cartesian product method, an improved naive Bayes classification model method based on mutual information and the Cartesian product is proposed to perform clustering and redundancy removal on the permission feature set obtained after dimensionality-reduction preprocessing. The clustering redundancy-removal model is as follows:
where $\mathrm{Cor}(X_i, C)$ denotes the degree of correlation between the permission feature attribute variable $X_i$ and the class attribute variable $C$, and $\mathrm{Cor}(X_i, X_j)$ denotes the degree of correlation between the permission feature attribute variables $X_i$ and $X_j$. The calculation proceeds as follows:
1) Calculate the degree of correlation $\mathrm{Cor}(X_i, C)$ between each permission feature attribute variable $X_i$ and the class variable $C$, and arrange the variables in descending order to form the original attribute set X-ori;
2) Calculate the degree of correlation $\mathrm{Cor}(\text{X-ori}(1), X_j)$ between the first attribute variable X-ori(1) in X-ori and each other attribute variable;
3) For each other variable $X_j$ in X-ori except X-ori(1), if $\mathrm{Cor}(\text{X-ori}(1), X_j) > \mathrm{Cor}(X_j, C)$, the variable is considered highly correlated with X-ori(1) and is added to the correlated set of X-ori(1);
4) The Cartesian product $X_{new1}$ of the first $m$ variables of X-ori(1) and its correlated set is added to $X_{new}$ as a new attribute set, and at the same time X-ori(1) and all variables of its correlated set are deleted from X-ori;
5) Repeat (2) to (4) until the stopping condition holds.
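The clustering procedure in steps 1) to 5) can be traced on a small data set as follows. This is an added example, not code from the patent: it assumes that Cor is the mutual information in bits, that the loop stops when X-ori is empty, and that "the first m variables" counts X-ori(1) itself followed by its correlated set in X-ori order; the permission data is constructed.

```python
"""Greedy permission clustering following steps 1) to 5), with Cor taken to
be mutual information. Added illustration; the data is constructed."""
from collections import Counter
from math import log2

# Constructed sample: 12 apps, 1 = permission requested; label 1 = malicious.
LABELS = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
FEATURES = {
    "SEND_SMS":      [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0],
    "RECEIVE_SMS":   [1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0],
    "READ_CONTACTS": [0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0],
    "INTERNET":      [1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0],
}


def mutual_information(x, y):
    """I(X;Y) in bits for two equally long sequences of discrete values."""
    n = len(x)
    px, py, pxy = Counter(x), Counter(y), Counter(zip(x, y))
    return sum(c / n * log2(c * n / (px[a] * py[b]))
               for (a, b), c in pxy.items())


def cluster_permissions(features, labels, m):
    """Return X_new as a list of groups (tuples of permission names)."""
    cor_c = {k: mutual_information(v, labels) for k, v in features.items()}
    # 1) X-ori: attributes sorted by Cor(X_i, C), largest first.
    x_ori = sorted(features, key=lambda k: (-cor_c[k], k))
    x_new = []
    while x_ori:  # 5) assumed stop condition: X-ori is empty
        head, rest = x_ori[0], x_ori[1:]
        # 2) and 3): X_j joins the correlated set of the head when
        #    Cor(head, X_j) > Cor(X_j, C).
        related = [j for j in rest
                   if mutual_information(features[head], features[j]) > cor_c[j]]
        # 4) the first m variables of head + correlated set form one group;
        #    the head and its whole correlated set leave X-ori.
        x_new.append(tuple([head] + related)[:m])
        x_ori = [j for j in rest if j not in related]
    return x_new


def product_column(features, group):
    """Per-app value of the Cartesian-product attribute for one group."""
    return list(zip(*(features[name] for name in group)))
```

In the constructed data INTERNET has zero mutual information with the label, so its slight dependence on SEND_SMS is enough to pull it into that correlated set; `m` then decides whether it enters the product attribute or is only deleted from X-ori.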
In step 4, a naive Bayes classifier is built based on the set $X_{new}$ of classification attribute sets, the prior probabilities are obtained by training on samples, and the test-set samples are then used to judge, by calculating the posterior probability, whether the detected Android application is malicious. The naive Bayes model built from the set $X_{new}$ of classification attribute sets and the class $C$ is as follows:
where $\mathrm{count}(X_k \mid C_i)$ denotes the number of times the permission feature attribute $X_k$ occurs in the samples of class $C_i$, $\mathrm{count}(X_k)$ denotes the number of times the permission feature attribute $X_k$ occurs in the samples, $\mathrm{count}(X)$ denotes the number of permission feature sets in the classification permission set $X_{new}$, $\alpha$ denotes the degree of influence of the different permission feature attributes on the classification and quantifies the relationship between a permission feature attribute and its class attribute, $X_{new}$ is the set of permission feature attribute sets of the Android application, and $C_i$ is the class of the Android application, i.e. one of the two classes non-malicious application and malicious application. $P(X_{new})$ is constant for all classes, so to compare posterior probabilities it is only necessary to find which $P(X_{new} \mid C_i)\,P(C_i)^{\alpha}$ is largest in order to judge whether the application is malicious.
For the permission feature sets of the Android applications found to be malicious, the malicious Android applications are divided into maliciousness grades, and the maliciousness grade is calculated as follows:
where $P_v$ denotes the probability that the application sample under test occurs among malicious programs; $P_m$ denotes the probability that the application sample under test occurs among non-malicious programs; $P_v(X_i)$ denotes the probability that the $i$-th permission feature set occurs in malicious programs; and $P_n(X_i)$ denotes the probability that the $i$-th permission feature set occurs in non-malicious programs.
Finally, it should be noted that the above preferred embodiment serves only to illustrate the technical scheme of the present invention and not to limit it. Although the invention has been described in detail through the above preferred embodiment, those skilled in the art should understand that various changes may be made to it in form and detail without departing from the scope defined by the claims of the present invention.
Claims (5)
1. A static detection method for the maliciousness of Android applications, characterized in that: in the method, the selected sample programs are decompiled to obtain the AndroidManifest.xml file, the permission features of this file are extracted and subjected to dimensionality-reduction preprocessing, permission clustering and redundancy removal is then performed on the dimensionality-reduced permission feature set using mutual information and the Cartesian product method, and finally a naive Bayes classification model is built on this basis and the detected malicious applications are divided into maliciousness grades.
2. The static detection method for the maliciousness of Android applications according to claim 1, characterized in that the method specifically comprises the following steps:
Step 1: collect and create a sample library of malicious and non-malicious applications, decompile each APK sample to obtain its AndroidManifest.xml file, then extract the permission features of this file to obtain the permission feature set;
Step 2: exploit the correlations between Android permission feature attribute variables. Because the correlation between any two variables may appear only through the presence of a third variable, a method of correlation analysis of permission feature attributes based on the partial correlation coefficient is adopted to perform dimensionality-reduction preprocessing on the permission feature set;
Step 3: based on mutual information theory and the Cartesian product method, adopt the improved naive Bayes classification model method based on mutual information and the Cartesian product to perform clustering and redundancy removal on the permission feature set obtained after dimensionality-reduction preprocessing;
Step 4: build a naive Bayes classifier based on the set $X_{new}$ of classification attribute sets, obtain the prior probabilities by training on samples, then use the test-set samples to judge, by calculating the posterior probability, whether the detected Android application is malicious, and grade the malicious Android applications by a probabilistic method.
3. The static detection method for the maliciousness of Android applications according to claim 2, characterized in that: in step 2, the method of correlation analysis of permission feature attributes based on the partial correlation coefficient specifically comprises:
The method first calculates the simple correlation coefficient between two permission feature attribute variables, where $\mathrm{Cov}(x_i, x_j)$ is the covariance between $x_i$ and $x_j$ and the remaining terms are the standard deviations of $x_i$ and $x_j$. The simple correlation coefficients obtained form the correlation matrix $R$. The cofactors (algebraic complements) $A_{ii}$, $A_{ij}$, $A_{jj}$ of $r_{ii}$, $r_{ij}$, $r_{jj}$ in the determinant $|R|$ are calculated and then substituted into the formula for the partial correlation coefficient between permission feature attribute variables. The strength of the correlation between permission feature attributes is judged from the value of $|\rho|$ of the partial correlation coefficient obtained, the permission feature attributes with low correlation are removed, and the dimensionality-reduced, preprocessed permission feature set is obtained.
4. The static detection method for the maliciousness of Android applications according to claim 2, characterized in that: in step 3, based on mutual information theory and the Cartesian product method, the improved naive Bayes classification model method based on mutual information and the Cartesian product is adopted to perform clustering and redundancy removal on the permission feature set obtained after dimensionality-reduction preprocessing. The clustering redundancy-removal model is as follows:
where $\mathrm{Cor}(X_i, C)$ denotes the degree of correlation between the permission feature attribute variable $X_i$ and the class attribute variable $C$, and $\mathrm{Cor}(X_i, X_j)$ denotes the degree of correlation between the permission feature attribute variables $X_i$ and $X_j$. The calculation proceeds as follows:
1) Calculate the degree of correlation $\mathrm{Cor}(X_i, C)$ between each preprocessed permission feature attribute variable $X_i$ and the class variable $C$, and arrange the variables in descending order to form the original attribute set X-ori;
2) Calculate the degree of correlation $\mathrm{Cor}(\text{X-ori}(1), X_j)$ between the first attribute variable X-ori(1) in X-ori and each other attribute variable;
3) For each other variable $X_j$ in X-ori except X-ori(1), if $\mathrm{Cor}(\text{X-ori}(1), X_j) > \mathrm{Cor}(X_j, C)$, the variable is considered highly correlated with X-ori(1) and is added to the correlated set of X-ori(1);
4) The Cartesian product $X_{new1}$ of the first $m$ variables of X-ori(1) and its correlated set is added to $X_{new}$ as a new attribute set, and at the same time X-ori(1) and all variables of its correlated set are deleted from X-ori;
5) Repeat 2) to 4) until the stopping condition holds.
5. The static detection method for the maliciousness of Android applications according to claim 2, characterized in that: in step 4, a naive Bayes classifier is built based on the set $X_{new}$ of classification attribute sets, the prior probabilities are obtained by training on samples, and the test-set samples are then used to judge, by calculating the posterior probability, whether the detected Android application is malicious. The naive Bayes model built from the set $X_{new}$ of permission classification attribute sets and the class $C$ is as follows:
where $\mathrm{count}(X_k \mid C_i)$ denotes the number of times the permission feature attribute $X_k$ occurs in the samples of class $C_i$, $\mathrm{count}(X_k)$ denotes the number of times the permission feature attribute $X_k$ occurs in the samples, $\mathrm{count}(X)$ denotes the number of permission feature sets in the classification permission set $X_{new}$, $\alpha$ denotes the degree of influence of the different permission feature attributes on the classification and quantifies the relationship between a permission feature attribute and its class attribute, $X_{new}$ is the set of permission feature attribute sets of the Android application, and $C_i$ is the class of the Android application, i.e. one of the two classes non-malicious application and malicious application. $P(X_{new})$ is constant for all classes, so to compare posterior probabilities it is only necessary to find which $P(X_{new} \mid C_i)\,P(C_i)^{\alpha}$ is largest in order to judge whether the application is malicious;
For the permission feature sets of the Android applications found to be malicious, the malicious Android applications are divided into maliciousness grades, and the maliciousness grade is calculated as follows:
where $P_v$ denotes the probability that the application sample under test occurs among malicious programs; $P_m$ denotes the probability that the application sample under test occurs among non-malicious programs; $P_v(X_i)$ denotes the probability that the $i$-th permission feature set occurs in malicious programs; and $P_n(X_i)$ denotes the probability that the $i$-th permission feature set occurs in non-malicious programs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510999378.1A CN105426762B (en) | 2015-12-28 | 2015-12-28 | A kind of static detection method that android application programs are malicious |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105426762A (en) | 2016-03-23 |
CN105426762B (en) | 2018-08-14 |
Family
ID=55504966
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510999378.1A Active CN105426762B (en) | 2015-12-28 | 2015-12-28 | A kind of static detection method that android application programs are malicious |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105426762B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109784047B (en) * | 2018-12-07 | 2021-03-30 | 中国人民解放军战略支援部队航天工程大学 | Program detection method based on multiple features |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5485575A (en) * | 1994-11-21 | 1996-01-16 | International Business Machines Corporation | Automatic analysis of a computer virus structure and means of attachment to its hosts |
CN103106365A (en) * | 2013-01-25 | 2013-05-15 | 北京工业大学 | Detection method for malicious application software on mobile terminal |
CN104866763A (en) * | 2015-05-28 | 2015-08-26 | 天津大学 | Permission-based Android malicious software hybrid detection method |
Non-Patent Citations (2)
Title |
---|
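张悦 et al.: "Android malware detection based on permission correlation", 《计算机应用》 * |
陈敏琼 et al.: "A note on the calculation formula of the partial correlation coefficient", 《滁州学院学报》 * |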
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106778241B (en) * | 2016-11-28 | 2020-12-25 | 东软集团股份有限公司 | Malicious file identification method and device |
CN106778241A (en) * | 2016-11-28 | 2017-05-31 | 东软集团股份有限公司 | The recognition methods of malicious file and device |
CN107392021B (en) * | 2017-07-20 | 2019-06-07 | 中南大学 | A kind of Android malicious application detection method based on multiclass feature |
CN107392021A (en) * | 2017-07-20 | 2017-11-24 | 中南大学 | A kind of Android malicious application detection methods based on multiclass feature |
CN107491691A (en) * | 2017-08-08 | 2017-12-19 | 东北大学 | A kind of long-range forensic tools Safety Analysis System based on machine learning |
CN107832609A (en) * | 2017-09-25 | 2018-03-23 | 暨南大学 | Android malware detection method and system based on authority feature |
CN107832609B (en) * | 2017-09-25 | 2020-11-13 | 暨南大学 | Android malicious software detection method and system based on authority characteristics |
CN107506646A (en) * | 2017-09-28 | 2017-12-22 | 努比亚技术有限公司 | Detection method, device and the computer-readable recording medium of malicious application |
CN107506646B (en) * | 2017-09-28 | 2021-08-10 | 努比亚技术有限公司 | Malicious application detection method and device and computer readable storage medium |
CN109995549A (en) * | 2017-12-29 | 2019-07-09 | 中国移动通信集团陕西有限公司 | A kind of method and device for assessing Flow Value |
CN109995549B (en) * | 2017-12-29 | 2021-11-30 | 中国移动通信集团陕西有限公司 | Method and device for evaluating flow value |
CN108491718B (en) * | 2018-02-13 | 2022-03-04 | 北京兰云科技有限公司 | Method and device for realizing information classification |
CN108491718A (en) * | 2018-02-13 | 2018-09-04 | 北京兰云科技有限公司 | A kind of method and device for realizing information classification |
CN108491719A (en) * | 2018-03-15 | 2018-09-04 | 重庆邮电大学 | A kind of Android malware detection methods improving NB Algorithm |
CN108959922A (en) * | 2018-05-31 | 2018-12-07 | 北京大学 | A kind of malice document detection method and device based on Bayesian network |
CN108959922B (en) * | 2018-05-31 | 2021-11-02 | 北京大学 | Malicious document detection method and device based on Bayesian network |
CN111079141A (en) * | 2018-10-19 | 2020-04-28 | 财团法人资讯工业策进会 | Malicious software identification device and method |
CN111079141B (en) * | 2018-10-19 | 2022-05-27 | 财团法人资讯工业策进会 | Malicious software identification device and method |
CN110401649A (en) * | 2019-07-17 | 2019-11-01 | 湖北央中巨石信息技术有限公司 | Information Security Risk Assessment Methods and system based on Situation Awareness study |
CN110710984B (en) * | 2019-10-18 | 2021-11-02 | 福州大学 | Ankle moment prediction method of recursion cerebellum model based on surface electromyogram signal |
CN110710984A (en) * | 2019-10-18 | 2020-01-21 | 福州大学 | Ankle moment prediction method of recursion cerebellum model based on surface electromyogram signal |
CN111444502A (en) * | 2019-12-02 | 2020-07-24 | 武汉科技大学 | Population-oriented android malicious software detection model library method |
CN111444502B (en) * | 2019-12-02 | 2023-05-02 | 武汉科技大学 | Population-oriented android malicious software detection model library method |
CN111586046A (en) * | 2020-05-08 | 2020-08-25 | 武汉思普崚技术有限公司 | Network traffic analysis method and system combining threat intelligence and machine learning |
Also Published As
Publication number | Publication date |
---|---|
CN105426762B (en) | 2018-08-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |