CN105550583A - Random forest classification method based detection method for malicious application in Android platform - Google Patents

Info

Publication number: CN105550583A
Authority: CN (China)
Prior art keywords: app, application, random forest, api, sample
Legal status: Granted
Application number: CN201510969901.6A
Other languages: Chinese (zh)
Other versions: CN105550583B (en)
Inventors: 桂盛霖, 杨漫游, 王沐, 李多航
Current Assignee: University of Electronic Science and Technology of China
Original Assignee: University of Electronic Science and Technology of China
Application filed by: University of Electronic Science and Technology of China

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection


Abstract

The invention discloses a method for detecting malicious applications on the Android platform based on the random forest classification method. The method comprises the following steps: obtaining APP samples, including malicious and benign APP samples; obtaining the list of all permissions that APPs can request and the API information, giving a permission set and an API set; extracting the static features of the APP samples, namely the permissions requested and the APIs called; building a sample library from the static features of the APP samples, the permission set and the API set, the entries of the sample library being an APP identifier, a type identifier distinguishing malicious from benign APP samples, a request identifier for each permission in the permission set, and a call identifier for each API in the API set; building the decision trees of a random forest from the sample library to obtain a random forest classifier; and detecting the APPs to be detected with the random forest classifier. With this detection method, malicious APPs can be detected efficiently and the security of the Android platform can be improved.

Description

Android platform malicious application detection method based on the random forest classification method
Technical field
The present invention relates to the technical field of mobile terminal software security, and in particular to a method that applies a classification algorithm from the field of machine learning to the detection of malicious Android applications.
Background
In recent years, with the development of intelligent terminals, especially smartphones, people's lives have become more and more convenient. Today's smartphones can even perform many functions that previously could only be performed on a PC, which has attracted still more users. However, the ever-growing population of smartphone users has also drawn the attention of many malicious application developers. As the smartphone user population grows, the number of malicious applications keeps increasing as well. Malicious applications have become one of the major threats to mobile phone security and user privacy. Under these circumstances, a method that can accurately detect malicious applications in batches is very necessary.
The patent application with publication number CN104123500A describes an Android platform malicious application detection scheme based on deep learning. That scheme extracts features from the original installation file of an Android application and from the application at run time, and then builds a model by deep learning to perform detection. Because detection has to be performed at run time, its detection efficiency is relatively low and its results are poor.
Summary of the invention
The object of the present invention is, in view of the above problems, to provide a detection method for malicious Android applications that uses the random forest classification method to distinguish malicious applications from benign applications on the Android platform, thereby protecting the interests of users.
The Android platform malicious application detection method based on the random forest classification method of the present invention comprises the following steps:
Obtain Android application (hereinafter APP) samples, including benign application samples and malicious samples;
Obtain all permissions that APPs can request and all APIs that they call, giving a permission set and an API set;
Extract the static features of each APP sample, namely the permissions that each application sample requests and the APIs that it calls;
Build a sample library from the static features of each APP sample, the permission set and the API set. The entries of the sample library are: an APP identifier, a type identifier distinguishing benign from malicious, a request identifier for each permission in the permission set, and a call identifier for each API in the API set;
According to the sample library, build each decision tree of the random forest to obtain a random forest classifier:
Sample from the sample library to obtain different groups of training data sets. Take the APPs included in one training data set as the APPs under the root node of a decision tree, and split each node of the decision tree to obtain one decision tree:
Randomly select m static features at the current node (m is a preset value used for computing the best split, and is less than the total number of static features included in the sample library) and compute the information gain of each of them. Take the static feature with the largest information gain as the split attribute of the current node and split the node on it: APPs that have the static feature corresponding to the split attribute go to one leaf node, and APPs that do not have it go to another leaf node. This continues until the number of APPs under the current node is 1 or the split attributes are used up. The class of each leaf node depends on the type (benign or malicious) of the APPs under it; if it contains APPs of both types, it takes the type with the larger number of APPs;
Extract the static features of the APP to be detected, classify the APP to be detected with the model thus built, and so detect whether it is a malicious application.
By adopting the above technical scheme, the beneficial effect of the invention is as follows: by extracting the static features of an APP (permission features and API call features) and combining them with the random forest classification method from the field of machine learning, the invention achieves efficient detection of malicious APPs and improves the security of the Android platform.
Brief description of the drawings
Fig. 1 is the flow chart of the present invention;
Fig. 2 is an example, in the embodiment, of the file format in which the feature information is saved;
Fig. 3 is a schematic diagram, in the embodiment, of splitting a node;
Fig. 4 is a schematic diagram, in the embodiment, of one decision tree in the random forest.
Detailed description
To make the object, technical scheme and advantages of the present invention clearer, the invention is described in further detail below with reference to the embodiment and the drawings.
To solve the difficult problem of accurately determining, in batches, whether APPs are malicious or benign, the invention provides an Android platform malicious application detection method based on the random forest classification method. Referring to Fig. 1, the method mainly comprises the following five steps:
S1: obtain APP samples, including malicious and benign APP samples;
S2: obtain the list of all permissions that APPs can request and the API information, giving a permission set and an API set;
S3: extract the static features of the APP samples, namely the permissions requested and the APIs called;
S4: build a sample library from the static features of each APP sample, the permission set and the API set. The entries of the sample library are: an APP identifier, a type identifier distinguishing benign from malicious, a request identifier for each permission in the permission set, and a call identifier for each API in the API set;
S5: based on the sample library, build a model with the random forest classification algorithm, that is, build each decision tree of the random forest from the sample library to obtain a random forest classifier;
S6: detect the APP to be detected with the random forest classifier built in S5.
The implementation of each step is described below so that the invention can be better understood:
S1: obtain APP samples: obtain APP sample installation files from various channels, divide the obtained APP samples into benign samples and malicious samples, and save them.
S2: obtain the list of all permissions that APPs can request and the API information: Google's Android developer website (http://developer.android.com/reference/android/Manifest.permission.html) provides the permission information that an Android APP can request. All the requestable permissions provided there are saved locally as a list, which serves as the full set, i.e. the permission set.
Obtain the list of all API information called by APPs: perform the operation of step S302 on all samples to obtain all the API information called by all samples, and remove duplicates. Preferably, APIs that, based on prior knowledge, are essentially irrelevant to telling benign from malicious can also be filtered out, after which all the remaining API information is saved locally as a list, which serves as the full set, i.e. the API set.
S3: extract the static features of the APP samples:
S301: extract the permission information of each APP sample:
This step obtains the permission information of an Android application mainly by using the open-source library androguard (https://github.com/androguard/androguard). The specific steps are as follows:
(1) Import the androguard library.
(2) Pass the path of the APP's APK (Android Package) installation file as a parameter to the APK class in the androguard library and call the get_permissions method of that class to obtain all the permission information requested by the application.
(3) Filter the obtained permission information against the permission set obtained in step S2 to get the list of Android permissions used by the application.
S302: extract the API call information of each APP sample:
This step is carried out mainly by decompiling the APK installation file of the APP and then matching API call information with regular expressions. The specific steps are as follows:
(1) Use the unzip tool to decompress the APK installation file of the application and obtain the "classes.dex" file in the application file.
(2) Use the dex2jar tool to convert the "classes.dex" file into the jar file "classes.jar".
(3) Use the unzip tool to decompress the "classes.jar" file and obtain the corresponding class files.
(4) Use the javap tool to decompile the class files.
(5) Use regular expressions to match the decompiled files and extract the API call information.
(6) Filter the obtained API information against the API set provided by step S2 to get the Android API list of the current APP sample.
The above is only one example of a way to extract the static features of APP samples. The invention is not limited to it, and those skilled in the art may also use other customary ways to obtain the static features of each APP sample.
S4: build the sample library from the static features of each APP sample, the permission set and the API set:
The extracted static features of each APP sample are saved in the following form:
(1) Process the obtained permission information and save it as a file with the suffix .csv. Each row of the file represents one APP. The first column of each row is the type identifier distinguishing benign from malicious: if the first column of a row is 0, the APP of that row is benign; if the first column of a row is 1, the APP of that row is malicious. Each of the following columns represents one permission of the Android system: a value of 0 means the APP does not have this permission, i.e. did not request it, and a value of 1 means the APP uses this permission, i.e. requested it. The numbers in a row are separated by commas.
(2) Process the obtained API call information file and save it as a file with the suffix .csv. Each row of the file represents one APP. The first column of each row is the type identifier distinguishing benign from malicious: if the first column of a row is 0, the APP of that row is benign; if the first column of a row is 1, the APP of that row is malicious. Each of the following columns represents one API: a value of 0 means this API is not called, and a value of 1 means this API is called. The numbers in a row are separated by commas. Note that when saving, the order of the APPs must be the same as the order in which the permission information was saved.
(3) Combine the two matrices above into one. As noted above, the matrices are generated so that each row corresponds to the same APP, so the first column of one of the matrices can be removed and the matrices spliced directly, row-aligned, into a new matrix. The resulting file content is shown in Fig. 2. There, the first column is the type of the APP, where 0 represents benign and 1 represents malicious. The second and third columns are API call information, corresponding to API1 and API2, and the fourth column is APP permission information, corresponding to perm1.
That is, from the extracted static features of each APP sample and the obtained permission set and API set, steps (1) to (3) above build the sample library used for modeling with the random forest classification method. The entries of this sample library are: an APP identifier, a type identifier distinguishing benign from malicious, a request identifier for each permission in the permission set, and a call identifier for each API in the API set.
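The regular-expression matching of S302 (5)-(6) and the row layout of S4, as an added Python example that is not code from the patent. The javap excerpt, the two-entry API set and permission set, and all function names are constructed assumptions; the permission list passed in stands for what the get_permissions call of S301 would return.

```python
import csv
import io
import re

# Constructed excerpt of `javap -c` output for one class (not from a real APP).
JAVAP_SAMPLE = """\
  public void onCreate(android.os.Bundle);
    Code:
       0: aload_0
       1: invokespecial #2    // Method android/app/Activity.onCreate:(Landroid/os/Bundle;)V
       4: invokestatic  #3    // Method android/telephony/SmsManager.getDefault:()Landroid/telephony/SmsManager;
      12: invokevirtual #4    // Method android/telephony/SmsManager.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
      15: invokevirtual #5    // Method java/lang/StringBuilder.toString:()Ljava/lang/String;
      18: invokeinterface #6,  1 // InterfaceMethod java/util/List.size:()I
      23: invokevirtual #7    // Method helper:()V
"""

# Assumed, shortened API set and permission set (the "full sets" of step S2).
API_SET = ["android.telephony.SmsManager.sendTextMessage",
           "android.location.LocationManager.getLastKnownLocation"]
PERM_SET = ["android.permission.SEND_SMS", "android.permission.READ_CONTACTS"]

# An invoke* instruction followed by javap's "// Method pkg/Class.name:descriptor"
# comment. Calls to methods of the same class carry no "pkg/Class." prefix and
# are skipped, which leaves only calls into other classes.
INVOKE_RE = re.compile(
    r'invoke\w+\s+#\d+(?:,\s*\d+)?\s+//\s*(?:Interface)?Method\s+'
    r'([\w/$]+)\."?([\w$<>]+)"?:')


def extract_api_calls(javap_text):
    """Return the set of 'pkg.Class.method' names invoked in javap -c output."""
    return {cls.replace("/", ".") + "." + method
            for cls, method in INVOKE_RE.findall(javap_text)}


def feature_row(api_calls, permissions, api_set, perm_set, label=None):
    """Build one row in the Fig. 2 column order: type, API columns, permissions.

    Anything outside api_set / perm_set is dropped, which is the filtering of
    S301 (3) and S302 (6). label=None gives the row of an APP to be detected,
    which has no type column.
    """
    calls, perms = set(api_calls), set(permissions)
    row = [] if label is None else [label]
    row += [1 if api in calls else 0 for api in api_set]
    row += [1 if perm in perms else 0 for perm in perm_set]
    return row


def to_csv(rows):
    """Serialize rows as comma-separated 0/1 values, one APP per line."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    calls = extract_api_calls(JAVAP_SAMPLE)
    requested = ["android.permission.SEND_SMS", "com.example.CUSTOM"]  # constructed
    print(to_csv([feature_row(calls, requested, API_SET, PERM_SET, label=1)]))
```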
S5: based on the sample library, build a model with the random forest classification algorithm:
In the random forest method, each decision tree is built as follows: from the N training cases (N being the number of training samples), sample with replacement N times to form one training data set D (i.e. bootstrap sampling). This training data set D is used to train the tree to be built.
Preset a number m that determines how many variables may be used when making a decision at a node, where m should be less than M (the total number of features; in this application, the total number of static features of the present invention).
For each node, randomly select m of the variables available at that node. From these m variables, compute the best split, and continue until the node meets the stopping condition for splitting, thereby obtaining each decision tree.
Information gain: the information gain $g(D, A)$ of feature A with respect to training data set D is defined as the difference between the empirical entropy $H(D)$ of the set D and the empirical conditional entropy $H(D|A)$ of D given feature A, that is: $g(D, A) = H(D) - H(D|A)$.
Information entropy: represents the uncertainty of a random variable. Let X be a random variable taking finitely many values, with probability distribution $P(X = x_i) = p_i$, $i = 1, 2, \ldots, n$, where n is the total number of values of the random variable X. The entropy of the random variable X is then defined as: When the base of the logarithm is 2, the unit of entropy is the bit.
Conditional entropy: let the random variable (X, Y) have the joint probability distribution $P(X = x_i, Y = y_j) = p_{ij}$, $i = 1, 2, \ldots, n$, $j = 1, 2, \ldots, n$, where n is the total number of values of the random variable (X, Y). The conditional entropy $H(Y|X)$ represents the uncertainty of the random variable Y when the random variable X is known. The conditional entropy $H(Y|X)$ of Y given X is defined as the mathematical expectation, over X, of the entropy of the conditional probability distribution of Y given X: where $p_i = P(X = x_i)$, $i = 1, 2, \ldots, n$.
When the probabilities in the information entropy and the conditional entropy are obtained by estimation from data (in particular by maximum likelihood estimation), the corresponding entropy and conditional entropy are called the empirical entropy and the empirical conditional entropy.
On this basis, the invention builds a model with the random forest classification algorithm; the process of building each decision tree of the random forest from the sample library is specifically as follows:
Let N denote the number of training samples and M the total number of static features. The description takes N = 15, M = 3 as an example. The number m of variables that may be used when making a decision at a node is set; based on the sample library shown in Fig. 2, the value of m in this embodiment is 3.
Sample with replacement N times from the N training cases to form one training data set D. Take the APPs corresponding to training data set D as the APPs under the root node of the decision tree. Randomly select m static features at the current node and compute the information gain of each of them. Take the static feature with the largest information gain as the split attribute of the current node and split the node on it: APPs that have the static feature corresponding to the split attribute go to one leaf node, and APPs that do not have it go to another leaf node (see Fig. 3). This continues until the number of APPs under the current node is 1 or the split attributes are used up. One splitting step is described below:
Compute the empirical entropy: $H(D) = -\frac{9}{15}\log\frac{9}{15} - \frac{6}{15}\log\frac{6}{15} = 0.971$;
Compute the information gain:
For the feature API1: when API1 is present (value 1), all 5 samples are malicious. When API1 is absent (value 0), 4 of the 10 samples are malicious.
So the conditional entropy for API1 is: $H(D|A_{api1}) = \frac{5}{15}\log\frac{5}{5} + \frac{10}{15}\left(-\frac{4}{10}\log\frac{4}{10} - \frac{6}{10}\log\frac{6}{10}\right) = 0.647$.
The information gain for API1 is therefore: $g(D, A_{api1}) = H(D) - H(D|A_{api1}) = 0.324$.
For the feature API2: when API2 is present (value 1), all 6 samples are malicious. When API2 is absent (value 0), 3 of the 9 samples are malicious.
So the conditional entropy for API2 is: $H(D|A_{api2}) = \frac{6}{15}\log\frac{6}{6} + \frac{9}{15}\left(-\frac{3}{9}\log\frac{3}{9} - \frac{6}{9}\log\frac{6}{9}\right) = 0.551$.
The information gain for API2 is therefore: $g(D, A_{api2}) = H(D) - H(D|A_{api2}) = 0.420$.
For the feature permission 1 (perm1): when permission 1 is present (value 1), 1 of the 4 samples is malicious. When permission 1 is absent (value 0), 8 of the 11 samples are malicious.
So the conditional entropy $H(D|A_{perm1})$ for perm1 is:
$H(D|A_{perm1}) = \frac{4}{15}\left(-\frac{1}{4}\log\frac{1}{4} - \frac{3}{4}\log\frac{3}{4}\right) + \frac{11}{15}\left(-\frac{3}{11}\log\frac{3}{11} - \frac{8}{11}\log\frac{8}{11}\right) = 0.836$;
The information gain for perm1 is therefore: $g(D, A_{perm1}) = H(D) - H(D|A_{perm1}) = 0.135$.
The static feature with the largest information gain, namely API2, is therefore selected as the attribute on which the node is split. The splitting process is shown in Fig. 3.
Starting from the root node, each node is split in the manner described above until the number of APPs under the current node is 1 or the split attributes are used up. The result is one complete decision tree. The class of each leaf node of the decision tree depends on the type (benign or malicious) of the APPs under it; if it contains APPs of both types, it takes the type with the larger number of APPs. Every tree is grown completely and is not pruned, that is, there is no manual intervention in the construction of the tree.
The construction of a decision tree is repeated to obtain many decision trees, which form a random forest.
To further improve the detection results, with information gain used as the criterion for selecting the attribute on which decision tree nodes are split in the steps above, the classification accuracy is measured for different numbers of decision trees at a preset interval 2, and the scheme with the higher accuracy is selected as the final model. In this embodiment the preset interval is taken as 20, that is, the number of decision trees included in the random forest being built is varied in steps of 20.
S6: detect the APP to be detected with the random forest classifier built in S5.
For the APP to be detected, extract its static features as in step S3, i.e. its permission information and API call information. To make classification convenient, the extracted static features are saved as a file with the suffix .csv, using the storage format shown in Fig. 2 (the static features extracted from each APP to be detected are saved as one row, each column corresponds to one static feature, and the order of the static features is the same as in Fig. 2, i.e. the same as in the sample library). In the csv of an APP to be detected there is no type identifier distinguishing benign from malicious; the first column is directly the first static feature in that order. The APP to be detected is classified with the random forest classifier built in step S5, which detects whether it is malicious or benign.
A decision tree in the random forest has the shape shown in Fig. 4: the training samples involved are distributed by the decision tree among its leaf nodes. Because in the csv files of this application a 0 in a column means that the static feature is absent and a 1 means that it is present, the csv file of the APP to be detected can be used directly by a single decision tree to classify the APP. Examples follow:
Suppose the APP to be detected calls API2. Then, according to the decision tree shown in Fig. 4, the APP to be detected falls to the left of the root node. The left side is a leaf node, and among the APPs under this leaf node the malicious ones are in the majority (there are 10, all malicious), so the APP to be detected is classified as malicious.
Suppose the APP to be detected does not call API2. Then it falls to node 2 on the right of the root node. The right-hand node is not a leaf node, and according to the figure it must next be determined whether API1 is called. If API1 is called, the APP to be detected falls to node 3 in the figure. At node 3, if permission 1 is not requested, the APP to be detected falls to the leaf node on the right. As shown in the figure, among the APPs under the right leaf node of node 3 the non-malicious ones are in the majority (there are only 2, both non-malicious), so the APP to be detected is non-malicious.
Every decision tree in the random forest judges the APP to be detected, and the final class of the APP to be detected is given by the mode of their results. For example, if the random forest has 50 decision trees and 30 of them judge the APP to be detected to be malicious, the final judgment is that the APP to be detected is malicious.
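The worked split of S5 and the vote of S6, carried through in Python as an added example that is not code from the patent; it goes beyond the single split in the text by growing whole trees and a bootstrap forest. The 15 rows are constructed to match the counts given above (Fig. 2 itself is not reproduced here), and treating a pure node as a leaf, giving an empty branch its parent's majority class, and the tie-breaking are assumptions.

```python
import math
import random
from collections import Counter

# Constructed 15-row sample library matching the counts of the worked example.
# Columns: [type, API1, API2, perm1]; type 1 = malicious, 0 = benign.
D = (
    [[1, 1, 1, 0]] * 3 + [[1, 1, 0, 0]] * 2 +   # malicious, API1 called (5)
    [[1, 0, 1, 0]] * 2 + [[1, 0, 1, 1]] +       # malicious, API2 but not API1 (3)
    [[1, 0, 0, 0]] +                            # malicious, no listed feature (1)
    [[0, 0, 0, 1]] * 3 + [[0, 0, 0, 0]] * 3     # benign (6)
)


def entropy(rows):
    """Empirical entropy H(D) of the type column, in bits."""
    n = len(rows)
    counts = Counter(r[0] for r in rows).values()
    return -sum(c / n * math.log2(c / n) for c in counts)


def info_gain(rows, f):
    """g(D, A) = H(D) - H(D|A) for the binary static feature in column f."""
    cond = 0.0
    for value in (0, 1):
        part = [r for r in rows if r[f] == value]
        if part:
            cond += len(part) / len(rows) * entropy(part)
    return entropy(rows) - cond


def build_tree(rows, features, m, rng):
    """Grow one unpruned tree; a leaf is 0 or 1, an inner node is a dict."""
    labels = [r[0] for r in rows]
    majority = Counter(labels).most_common(1)[0][0]  # tie: first label seen
    # Stop at one APP or when split attributes are used up (the patent's rule);
    # a pure node is also treated as a leaf (assumption, as in the Fig. 4 walk).
    if len(rows) == 1 or not features or len(set(labels)) == 1:
        return majority
    candidates = rng.sample(features, min(m, len(features)))
    best = max(candidates, key=lambda f: info_gain(rows, f))
    rest = [f for f in features if f != best]
    has = [r for r in rows if r[best] == 1]
    lacks = [r for r in rows if r[best] == 0]
    # An empty branch gets the parent's majority class (assumption).
    return {"feature": best,
            1: build_tree(has, rest, m, rng) if has else majority,
            0: build_tree(lacks, rest, m, rng) if lacks else majority}


def classify(tree, feats):
    """feats is a row without the type column, as for an APP to be detected."""
    while isinstance(tree, dict):
        tree = tree[feats[tree["feature"] - 1]]
    return tree


def build_forest(rows, n_trees, m, seed=0):
    """Each tree is trained on N draws with replacement from the N rows."""
    rng = random.Random(seed)
    features = list(range(1, len(rows[0])))
    forest = []
    for _ in range(n_trees):
        sample = [rng.choice(rows) for _ in rows]
        forest.append(build_tree(sample, features, m, rng))
    return forest


def forest_predict(forest, feats):
    """Final class is the mode of the individual trees' results."""
    return Counter(classify(t, feats) for t in forest).most_common(1)[0][0]


if __name__ == "__main__":
    for name, col in (("API1", 1), ("API2", 2), ("perm1", 3)):
        print(name, round(info_gain(D, col), 3))
    forest = build_forest(D, n_trees=50, m=2, seed=1)
    print("calls API1 and API2:", forest_predict(forest, [1, 1, 0]))
```

Grown on the full constructed set with m = 3, the tree splits on API2 at the root, then on API1, then on perm1, the same order of tests as the Fig. 4 walk-through.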
The above is only a specific embodiment of the invention. Any feature disclosed in this specification may, unless specifically stated otherwise, be replaced by other equivalent features or by alternative features serving a similar purpose; all the disclosed features, or all the steps of the disclosed methods or processes, may be combined in any way, except for mutually exclusive features and/or steps.

Claims (3)

1. An Android platform malicious application detection method based on the random forest classification method, characterized in that it comprises the following steps:
Obtain Android application samples, including benign application samples and malicious samples;
Obtain all permissions that Android applications can request and all APIs that they call, giving a permission set and an API set;
Extract the static features of each Android application sample, namely the permissions that each application sample requests and the APIs that it calls;
Build a sample library from the static features of each Android application sample, the permission set and the API set, the entries of the sample library being: an Android application identifier, a type identifier distinguishing benign from malicious, a request identifier for each permission in the permission set, and a call identifier for each API in the API set;
According to the sample library, build each decision tree of the random forest to obtain a random forest classifier:
Sample from the sample library to obtain different groups of training data sets; take the Android applications included in one training data set as the Android applications under the root node of a decision tree, and split each node of the decision tree to obtain one decision tree:
Randomly select m static features at the current node and compute the information gain of each of them, where m is a preset value; take the static feature with the largest information gain as the split attribute of the current node and split the node on it, so that Android applications having the static feature corresponding to the split attribute go to one leaf node and Android applications not having it go to another leaf node, until the number of Android applications under the current node is 1 or the split attributes are used up; the class of each leaf node depends on the type of the Android applications under it, and if it contains Android applications of both types, it takes the type with the larger number of Android applications;
Extract the static features of the Android application to be detected, classify the Android application to be detected with the random forest classifier, and detect whether the Android application to be detected is a malicious application.
2. The method of claim 1, characterized in that the type identifier distinguishing benign from malicious is 0 or 1, where 0 represents benign and 1 represents malicious; the request identifier for each permission in the permission set is 0 or 1, where 0 means the permission is not requested and 1 means the permission is requested; and the call identifier for each API in the API set is 0 or 1, where 0 means not called and 1 means called.
3. The method of claim 1 or 2, characterized in that multiple random forests are built and the random forest with the highest classification accuracy is selected as the random forest classifier.
Priority and family

Application number: CN201510969901.6A
Priority date: 2015-12-22
Filing date: 2015-12-22
Title: Android platform malicious application detection method based on random forest classification method
Status: Expired - Fee Related
Granted publication: CN105550583B (en)

Publications (2)

CN105550583A, published 2016-05-04
CN105550583B, published 2018-02-13

Family ID: 55829770

Country status: CN (1): CN105550583B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090281981A1 (en) * 2008-05-06 2009-11-12 Chen Barry Y Discriminant Forest Classification Method and System
US8375450B1 (en) * 2009-10-05 2013-02-12 Trend Micro, Inc. Zero day malware scanner
CN103107902A (en) * 2011-11-14 2013-05-15 无锡南理工科技发展有限公司 Attack detection system based on decision-making tree
CN104125106A (en) * 2013-04-23 2014-10-29 中国银联股份有限公司 Network purity detection device and method based on classified decision tree

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
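刘阳: "Detecting and Analyzing Malicious Code in Android Applications Using Random Forest and Neural Network Algorithms", China Excellent Master's Theses Full-text Database, Information Science and Technology Series *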

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975861A (en) * 2016-05-27 2016-09-28 百度在线网络技术(北京)有限公司 Application detection method and device
CN107590102B (en) * 2016-07-06 2021-05-04 阿里巴巴集团控股有限公司 Random forest model generation method and device
CN107590102A (en) * 2016-07-06 2018-01-16 阿里巴巴集团控股有限公司 Random Forest model generation method and device
CN106845235A (en) * 2017-01-11 2017-06-13 中科院微电子研究所昆山分所 A kind of Android platform call back function detection method based on machine learning method
CN106845235B (en) * 2017-01-11 2019-09-13 中科院微电子研究所昆山分所 A kind of Android platform call back function detection method based on machine learning method
CN106845240A (en) * 2017-03-10 2017-06-13 西京学院 A kind of Android malware static detection method based on random forest
CN107092827A (en) * 2017-03-30 2017-08-25 中国民航大学 A kind of Android malware detection method based on improvement forest algorithm
CN107153789A (en) * 2017-04-24 2017-09-12 西安电子科技大学 The method for detecting Android Malware in real time using random forest grader
CN107153789B (en) * 2017-04-24 2019-08-13 西安电子科技大学 Utilize the method for random forest grader real-time detection Android Malware
CN107169355A (en) * 2017-04-28 2017-09-15 北京理工大学 A kind of worm homology analysis method and apparatus
CN107169355B (en) * 2017-04-28 2020-05-08 北京理工大学 Worm homology analysis method and device
CN107157450A (en) * 2017-06-19 2017-09-15 中国科学院计算技术研究所 Quantitative estimation method and system are carried out for the hand exercise ability to patient Parkinson
CN107341401B (en) * 2017-06-21 2019-09-20 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
CN107341401A (en) * 2017-06-21 2017-11-10 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
US11422831B2 (en) 2017-09-30 2022-08-23 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Application cleaning method, storage medium and electronic device
CN107678531A (en) * 2017-09-30 2018-02-09 广东欧珀移动通信有限公司 Using method for cleaning, device, storage medium and electronic equipment
CN107894827A (en) * 2017-10-31 2018-04-10 广东欧珀移动通信有限公司 Using method for cleaning, device, storage medium and electronic equipment
CN107943537A (en) * 2017-11-14 2018-04-20 广东欧珀移动通信有限公司 Using method for cleaning, device, storage medium and electronic equipment
CN107948149A (en) * 2017-11-21 2018-04-20 杭州安恒信息技术有限公司 Tactful self study and optimization method and device based on random forest
CN108021806A (en) * 2017-11-24 2018-05-11 北京奇虎科技有限公司 A kind of recognition methods of malice installation kit and device
CN107835195A (en) * 2017-12-04 2018-03-23 灵动元点信息技术(北京)有限公司 A kind of distributed network application node integrated management method
CN107835195B (en) * 2017-12-04 2021-06-15 灵动元点信息技术(北京)有限公司 Distributed network application node integrated management method
CN108681670A (en) * 2018-03-30 2018-10-19 中国科学院信息工程研究所 The method and device of Android malicious applications detection based on fine granularity feature
CN109241707A (en) * 2018-08-09 2019-01-18 北京邮电大学 Application program obscures method, apparatus and server
CN109753800A (en) * 2019-01-02 2019-05-14 重庆邮电大学 Merge the Android malicious application detection method and system of frequent item set and random forests algorithm
CN109830300A (en) * 2019-02-21 2019-05-31 暨南大学 Thyroid nodule analysis method, device, computer equipment and readable storage medium storing program for executing
CN110147430A (en) * 2019-04-25 2019-08-20 上海欣方智能系统有限公司 Harassing call recognition methods and system based on random forests algorithm
CN110263566A (en) * 2019-06-29 2019-09-20 西安交通大学 A kind of massive logs propose power behavioral value and classification method
CN110580171A (en) * 2019-09-17 2019-12-17 RealMe重庆移动通信有限公司 APP classification method, related device and product
CN110955606A (en) * 2019-12-16 2020-04-03 湘潭大学 C language source code static scoring method based on random forest
CN110955606B (en) * 2019-12-16 2023-07-25 湘潭大学 C language source code static scoring method based on random forest
CN113704761A (en) * 2021-08-31 2021-11-26 上海观安信息技术股份有限公司 Malicious file detection method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN105550583B (en) 2018-02-13

Similar Documents

Publication Publication Date Title
CN105550583A (en) Random forest classification method based detection method for malicious application in Android platform
CN107577688B (en) Original article influence analysis system based on media information acquisition
CN102724219B (en) A network data computer processing method and a system thereof
CN102110122B (en) Method and device for establishing sample picture index table, method and device for filtering pictures and method and device for searching pictures
CN102737057B (en) Determining method and device for goods category information
Zhang et al. 5Ws model for big data analysis and visualization
CN105824813B (en) A kind of method and device for excavating core customer
Xu et al. A supervoxel approach to the segmentation of individual trees from LiDAR point clouds
CN106446124B (en) A kind of Website classification method based on cyberrelationship figure
US20200389476A1 (en) Method and arrangement for detecting anomalies in network data traffic
CN111368289B (en) Malicious software detection method and device
US20150113651A1 (en) Spammer group extraction apparatus and method
CN110647896B (en) Phishing page identification method based on logo image and related equipment
CN109284613B (en) Method, device, equipment and storage medium for identification detection and counterfeit site detection
CN109241392A (en) Recognition methods, device, system and the storage medium of target word
Young et al. Social sensing of flood impacts in India: A case study of Kerala 2018
CN103020645A (en) System and method for junk picture recognition
CN108984514A (en) Acquisition methods and device, storage medium, the processor of word
CN106301979B (en) Method and system for detecting abnormal channel
CN112437053A (en) Intrusion detection method and device
CN115632874A (en) Method, device, equipment and storage medium for detecting threat of entity object
CN110751354B (en) Abnormal user detection method and device
WO2016106944A1 (en) Method for creating virtual human on mapreduce platform
CN112822121A (en) Traffic identification method, traffic determination method and knowledge graph establishment method
CN106411704A (en) Distributed junk short message recognition method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180213

Termination date: 20201222
