CN105989287A - Method and system for judging homology of massive malicious samples - Google Patents

Info

Publication number: CN105989287A
Authority: CN (China)
Prior art keywords: sample, simhash, name, homology, malice sample
Legal status: Pending
Application number: CN201511012015.0A
Other languages: Chinese (zh)
Inventors: 何源浩, 孙岩, 潘宣辰
Current Assignee: Wuhan Antian Information Technology Co Ltd
Original Assignee: Wuhan Antian Information Technology Co Ltd
Application filed by Wuhan Antian Information Technology Co Ltd
Priority to CN201511012015.0A
Publication of CN105989287A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention discloses a method and system for judging homology of massive malicious samples. The method comprises the following steps: decompiling the malicious samples to obtain smali files and extracting class names and method names; calculating simhash fingerprints of the malicious samples by taking a combination of the class names and the method names as a characteristic dimensionality; calculating Hamming distances between the simhash fingerprints of the malicious samples on the basis of a MapReduce mode; and determining the malicious samples, the Hamming distances of which are less than or equal to a preset threshold value, as homological samples, wherein the class names are names of abstract objects in program codes and the method names are function names contained in the abstract objects in the program codes. According to the method and system disclosed in the invention, homology analysis can be carried out on massive samples, so that the processing time is shortened, and the correctness of homology judgement is improved.

Description

Method and system for judging homology of massive malicious samples
Technical Field
The invention relates to the field of information security technology, and in particular to a method and system for determining the homology of massive malicious samples.
Background
As early as 2011, Kaspersky pointed out in an analysis report that the Stuxnet and Duqu viruses share a portion of identical code and, on that basis, inferred that they came from the same author, which opened the way for homology detection and determination of malicious code. Early detection methods, however, relied on a large amount of manual analysis, so analysis efficiency was low and the working cycle was long. Subsequently, the US company Charles River Analytics developed a malicious code analysis system based on techniques such as linguistics and computer reverse engineering, which mines the homology between malicious code samples by tracing code evolution; but the method is built on the Palantir intelligence analysis platform and cannot meet general application conditions. In 2012, Guan Qiang and Liu Xing each proposed automatic homology determination techniques based on the static features of malicious code, but neither method takes the handling of packed malicious samples into account. In 2013, the US company Mandiant proposed analysing homology by using malicious code features to trace the attack source, but this analysis first requires long-term tracking of the target, so the analysis cycle is long. In 2015, Kang Fei proposed analysing the homology of malicious code based on the similarity of behavioural features, but the method does not consider the context of those features: the same behaviour in different environments is treated as having the same features and purpose, which is clearly not very reasonable. In the same year, Zhang Yongzheng proposed an automatic malicious code homology determination method based on calling habits, but the time complexity of resolving the method call chains of the code is high, so the method is not suitable for analysing massive volumes of malicious code.
In summary, existing methods have the following defects:
1. Homology analysis methods are all built on in-depth manual analysis of previously captured samples, and therefore require considerable manpower and time;
2. Packed samples are not taken into account, so the techniques lack generality;
3. Among current methods, none is applicable to homology determination for massive malicious code samples.
Summary of the Invention
The technical solution of the invention computes the simhash fingerprint of each malicious sample and uses the MapReduce model to compute the Hamming distances between the malicious samples, which not only shortens the time needed to process large-scale malicious samples but also improves the accuracy of homology determination.
The invention is implemented by the following method: a method for determining the homology of massive malicious samples, including:
Decompiling the malicious sample to obtain smali files and extracting class names and method names;
Computing the simhash fingerprint of each malicious sample, using the combination of class name and method name as the feature dimension;
Computing the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model;
Determining that malicious samples whose Hamming distance is less than or equal to a preset threshold are homologous samples;
Here, the class name is the name of an abstract object in the program code, and the method name is the name of a function contained in an abstract object in the program code.
Further, computing the simhash fingerprint of each malicious sample using the combination of class name and method name as the feature dimension is:
Using the combination of class name and method name as the feature dimension;
Computing the MD5 value of every feature dimension in the malicious sample;
Weighting and accumulating all the MD5 values, then applying dimensionality reduction to generate a 64-bit simhash fingerprint that uniquely identifies the malicious sample.
In the above method, computing the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model is:
Dividing the simhash fingerprint of each malicious sample into blocks;
Storing each block as the key and the simhash fingerprint itself as the value;
Aggregating the keys at the same block position;
Using each pairwise combination of simhash fingerprints obtained from aggregation as the key, and deduplicating the pairs;
Computing the Hamming distance of each pairwise simhash combination remaining after deduplication.
Further, determining that malicious samples whose Hamming distance is less than or equal to the preset threshold are homologous samples is: clustering, based on the K-means algorithm, the malicious samples whose Hamming distance is less than or equal to 3, and determining that they are homologous samples.
In addition, before the class names and method names are extracted, the method further includes: removing previously collected third-party library and packer package names.
The invention can be implemented by the following system: a system for determining the homology of massive malicious samples, including:
A decompilation module, configured to decompile the malicious sample to obtain smali files and extract class names and method names;
A simhash fingerprint generation module, configured to compute the simhash fingerprint of each malicious sample, using the combination of class name and method name as the feature dimension;
A Hamming distance computation module, configured to compute the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model;
A homologous sample determination module, configured to determine that malicious samples whose Hamming distance is less than or equal to a preset threshold are homologous samples;
Here, the class name is the name of an abstract object in the program code, and the method name is the name of a function contained in an abstract object in the program code.
Further, the simhash fingerprint generation module is specifically configured to:
Use the combination of class name and method name as the feature dimension;
Compute the MD5 value of every feature dimension in the malicious sample;
Weight and accumulate all the MD5 values, then apply dimensionality reduction to generate a 64-bit simhash fingerprint that uniquely identifies the malicious sample.
In the above system, the Hamming distance computation module is specifically configured to:
Divide the simhash fingerprint of each malicious sample into blocks;
Store each block as the key and the simhash fingerprint itself as the value;
Aggregate the keys at the same block position;
Use each pairwise combination of simhash fingerprints obtained from aggregation as the key, and deduplicate the pairs;
Compute the Hamming distance of each pairwise simhash combination remaining after deduplication.
Further, the homologous sample determination module is specifically configured to: cluster, based on the K-means algorithm, the malicious samples whose Hamming distance is less than or equal to 3, and determine that they are homologous samples.
In addition, before the class names and method names are extracted, the following is also included: removing previously collected third-party library and packer package names.
In summary, the invention provides a method and system for determining the homology of massive malicious samples: the class names and method names of the decompiled files are extracted, each combination of class name and method name is used as one feature dimension, and the simhash fingerprint of each malicious sample is computed from them; the Hamming distances between the simhash fingerprints of the malicious samples are computed based on the MapReduce model; finally, malicious samples whose Hamming distance is less than or equal to a preset threshold are determined to be homologous samples.
The beneficial effects are as follows. The technical solution of the invention extracts class names and method names and uses the class name plus the method name as the feature dimension of a malicious sample, thereby revealing the internal features of the malicious sample at a fundamental level and improving the accuracy of homology determination. At the same time, the technical solution performs parallel computation based on the MapReduce model and, through operations such as blocking, aggregation and deduplication, greatly reduces the amount of Hamming distance computation, thereby effectively improving the efficiency of homology determination.
Brief Description of the Drawings
To illustrate the technical solution more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of the massive malicious sample homology determination method provided by the invention;
Fig. 2 is a structural diagram of an embodiment of the massive malicious sample homology determination system provided by the invention.
Detailed Description
The invention provides embodiments of a method and system for determining the homology of massive malicious samples. To help those skilled in the art better understand the technical solutions in the embodiments, and to make the above objects, features and advantages of the invention clearer, the technical solution of the invention is described in further detail below with reference to the drawings:
The invention first provides an embodiment of a method for determining the homology of massive malicious samples which, as shown in Fig. 1, includes:
S101: decompile the malicious sample to obtain smali files and extract class names and method names;
S102: compute the simhash fingerprint of each malicious sample, using the combination of class name and method name as the feature dimension; each malicious sample contains multiple combinations of class name and method name, and one feature dimension is the string formed by combining one class name with one method name;
S103: compute the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model;
S104: determine that malicious samples whose Hamming distance is less than or equal to a preset threshold are homologous samples;
Here, the class name is the name of an abstract object in the program code, and the method name is the name of a function contained in an abstract object in the program code.
Preferably, computing the simhash fingerprint of each malicious sample using the combination of class name and method name as the feature dimension is:
Using the combination of class name and method name as the feature dimension;
Computing the MD5 value of every feature dimension in the malicious sample;
Weighting and accumulating all the MD5 values, then applying dimensionality reduction to generate a 64-bit simhash fingerprint that uniquely identifies the malicious sample.
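The fingerprint step above, as an added Python example that is not code from the patent: it extracts class and method names from smali text, drops excluded packages, and builds the 64-bit simhash. The `class->method` feature string, the use of the first 8 bytes of each MD5 digest, occurrence-count weighting and the substring match on the page's example exclusions (Android/support/v4, qihoo) are assumptions, and the smali fragments are constructed.

```python
import hashlib
import re
from collections import Counter

# Exclusions reuse the page's own examples, lowercased; matching them as
# substrings of the class path is an assumption of this sketch.
EXCLUDED_MARKERS = ("android/support/v4", "qihoo")

# smali directives: ".class <modifiers> Lpkg/Name;" and ".method <modifiers> name(args)ret"
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*L([^;]+);", re.M)
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(", re.M)


def extract_features(smali_files):
    """Return one 'class->method' string per method in the given smali texts."""
    features = []
    for text in smali_files:
        match = CLASS_RE.search(text)
        if match is None:
            continue  # no class directive, nothing to extract
        class_name = match.group(1)
        if any(marker in class_name.lower() for marker in EXCLUDED_MARKERS):
            continue  # third-party library or packer stub, not author code
        for method_name in METHOD_RE.findall(text):
            features.append(f"{class_name}->{method_name}")
    return features


def feature_hash64(feature):
    """64-bit hash of one feature: first 8 bytes of its MD5 (assumed reduction)."""
    digest = hashlib.md5(feature.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def simhash64(features):
    """Weighted per-bit vote over the feature hashes, collapsed to 64 bits."""
    votes = [0] * 64
    for feature, weight in Counter(features).items():
        h = feature_hash64(feature)
        for bit in range(64):
            # A set bit votes +weight, a clear bit votes -weight.
            votes[bit] += weight if (h >> bit) & 1 else -weight
    fingerprint = 0
    for bit, vote in enumerate(votes):
        if vote > 0:
            fingerprint |= 1 << bit
    return fingerprint


# Constructed smali fragments standing in for one decompiled sample.
SAMPLE_SMALI = [
    ".class public Lcom/example/sms/Sender;\n.super Ljava/lang/Object;\n"
    ".method public constructor <init>()V\n.end method\n"
    ".method public sendText(Ljava/lang/String;)V\n.end method\n",
    ".class public Landroid/support/v4/app/Fragment;\n"
    ".method public onCreate(Landroid/os/Bundle;)V\n.end method\n",
    ".class public Lcom/qihoo/util/StubApp;\n"
    ".method protected attachBaseContext(Landroid/content/Context;)V\n.end method\n",
]

if __name__ == "__main__":
    feats = extract_features(SAMPLE_SMALI)
    print(feats)
    print(f"{simhash64(feats):016x}")
```

Because only names feed the fingerprint, renaming classes or methods changes it, while edits to method bodies do not.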
In the above method embodiment, computing the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model is:
Dividing the simhash fingerprint of each malicious sample into blocks;
Storing each block as the key and the simhash fingerprint itself as the value;
Aggregating the keys at the same block position;
Using each pairwise combination of simhash fingerprints obtained from aggregation as the key, and deduplicating the pairs;
Computing the Hamming distance of each pairwise simhash combination remaining after deduplication.
For example (the purpose of this example is to illustrate the above embodiment; its simhash values are not real):
Simhash 1: 1000 1110 1001 0010;
Simhash 2: 1000 1010 1001 0010;
Each of the above simhash fingerprints is divided into four blocks. The purpose of blocking is to reduce the amount of computation: the Hamming distance of a simhash pair is computed only if some corresponding block is identical;
The keys at the same block position are aggregated:
First aggregation: for the first block, both are 1000, so this pair is kept;
Second aggregation: for the second block, the two differ, so the pair is not kept;
Third aggregation: for the third block, both are 1001, so the pair is kept;
Fourth aggregation: for the fourth block, both are 0010, so the pair is kept;
The pairwise simhash combinations obtained from aggregation are deduplicated: after aggregation, three pairs remain whose Hamming distance needs to be computed, but all three are simhash 1 and simhash 2, so only one pair is kept after deduplication;
Finally, the Hamming distance of each pairwise simhash combination remaining after deduplication is computed.
Extensive manual analysis and comparison has shown that if the Hamming distance is greater than 15, the correlation between malicious samples is extremely low. Therefore, to compute the similarity relationships between malicious samples quickly and efficiently, the generated simhash fingerprint is divided into K+1 blocks, where K < 16; this avoids computing Hamming distances greater than K and greatly reduces the amount of computation.
More preferably, determining that malicious samples whose Hamming distance is less than or equal to the preset threshold are homologous samples is: clustering, based on the K-means algorithm, the malicious samples whose Hamming distance is less than or equal to 3, and determining that they are homologous samples. Information security practitioners, after extensive analysis and verification, consider that malicious samples with a Hamming distance in [0, 3] should be regarded as homologous samples.
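The block, aggregate, deduplicate and compare steps above, as an added Python example that is not code from the patent: the map and reduce phases run in-process and the page's two 16-bit simhash values are reused. The function names and the third fingerprint are constructed for illustration, and the K-means clustering step is not shown.

```python
from collections import defaultdict
from itertools import combinations


def split_blocks(fp, width, num_blocks):
    """Cut a width-bit fingerprint into (position, value) blocks, high bits first."""
    bounds = [i * width // num_blocks for i in range(num_blocks + 1)]
    blocks = []
    for pos in range(num_blocks):
        size = bounds[pos + 1] - bounds[pos]
        shift = width - bounds[pos + 1]
        blocks.append((pos, (fp >> shift) & ((1 << size) - 1)))
    return blocks


def map_phase(fingerprints, width, num_blocks):
    """Map: emit key = (block position, block value), value = whole fingerprint."""
    for fp in fingerprints:
        for key in split_blocks(fp, width, num_blocks):
            yield key, fp


def aggregate(mapped):
    """Shuffle/reduce: gather fingerprints that share a block at the same position."""
    groups = defaultdict(set)
    for key, fp in mapped:
        groups[key].add(fp)
    return groups


def candidate_pairs(groups):
    """Pair up group members; ordering each pair and using a set deduplicates."""
    pairs = set()
    for members in groups.values():
        pairs.update(combinations(sorted(members), 2))
    return pairs


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def homologous_pairs(fingerprints, width=64, k=3):
    """Return {(fp_a, fp_b): distance} for pairs within Hamming distance k.

    With k + 1 blocks, two fingerprints that differ in at most k bits must
    agree on at least one whole block, so no such pair is missed.
    """
    groups = aggregate(map_phase(fingerprints, width, k + 1))
    result = {}
    for a, b in candidate_pairs(groups):
        distance = hamming(a, b)
        if distance <= k:
            result[(a, b)] = distance
    return result


# The page's two example values, plus a constructed third that shares no block.
SIMHASH_1 = 0b1000_1110_1001_0010
SIMHASH_2 = 0b1000_1010_1001_0010
SIMHASH_3 = 0b0111_0001_0110_1101  # constructed: bitwise complement of SIMHASH_1

if __name__ == "__main__":
    fps = [SIMHASH_1, SIMHASH_2, SIMHASH_3]
    for (a, b), d in homologous_pairs(fps, width=16, k=3).items():
        print(f"{a:016b} {b:016b} distance={d}")
```

A pair that shares a block can still be further apart than K, which is why the distance check stays after the candidate filter.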
In addition, before the class names and method names are extracted, the method further includes: removing previously collected third-party library and packer package names. For example: the third-party library is Android/support/v4; the packer package name is qihoo;
The invention also provides an embodiment of a system for determining the homology of massive malicious samples which, as shown in Fig. 2, includes:
A decompilation module 201, configured to decompile the malicious sample to obtain smali files and extract class names and method names;
A simhash fingerprint generation module 202, configured to compute the simhash fingerprint of each malicious sample, using the combination of class name and method name as the feature dimension;
A Hamming distance computation module 203, configured to compute the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model;
A homologous sample determination module 204, configured to determine that malicious samples whose Hamming distance is less than or equal to a preset threshold are homologous samples;
Here, the class name is the name of an abstract object in the program code, and the method name is the name of a function contained in an abstract object in the program code.
Preferably, the simhash fingerprint generation module is specifically configured to:
Use the combination of class name and method name as the feature dimension;
Compute the MD5 value of every feature dimension in the malicious sample;
Weight and accumulate all the MD5 values, then apply dimensionality reduction to generate a 64-bit simhash fingerprint that uniquely identifies the malicious sample.
In the above system embodiment, the Hamming distance computation module is specifically configured to:
Divide the simhash fingerprint of each malicious sample into blocks;
Store each block as the key and the simhash fingerprint itself as the value;
Aggregate the keys at the same block position;
Use each pairwise combination of simhash fingerprints obtained from aggregation as the key, and deduplicate the pairs;
Compute the Hamming distance of each pairwise simhash combination remaining after deduplication.
More preferably, the homologous sample determination module is specifically configured to: cluster, based on the K-means algorithm, the malicious samples whose Hamming distance is less than or equal to 3, and determine that they are homologous samples.
In addition, before the class names and method names are extracted, the following is also included: removing previously collected third-party library and packer package names.
The above embodiments are described progressively; for identical or similar parts, the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. The related parts of the method embodiment and the system embodiment may also be referred to each other.
As described above, the embodiments give a method and a system for determining the homology of massive malicious samples: the malicious sample is decompiled to obtain smali files and the class names and method names are extracted; with the class name and method name together as one feature dimension, the simhash fingerprint of each malicious sample is computed; the Hamming distances between the simhash fingerprints of the malicious samples are computed based on the MapReduce model; finally, malicious samples whose Hamming distance is less than or equal to a preset threshold are determined to be homologous samples.
In summary, the embodiments described above generate the simhash fingerprint from the extracted class names and method names of the malicious sample. This simhash fingerprint not only uniquely identifies the corresponding malicious sample but also accurately reveals its internal features, which makes the final homology determination more credible. Secondly, the embodiments use the MapReduce model to compute the Hamming distances between the simhash fingerprints of the malicious samples, which significantly reduces the amount of computation and improves the efficiency of homology determination.
The above embodiments are intended to illustrate, not to limit, the technical solution of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall be covered by the scope of the claims of the invention.

Claims (10)

1. A method for determining the homology of massive malicious samples, characterised by including:
Decompiling the malicious sample to obtain smali files and extracting class names and method names;
Computing the simhash fingerprint of each malicious sample, using the combination of class name and method name as the feature dimension;
Computing the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model;
Determining that malicious samples whose Hamming distance is less than or equal to a preset threshold are homologous samples;
Here, the class name is the name of an abstract object in the program code, and the method name is the name of a function contained in an abstract object in the program code.
2. The method of claim 1, characterised in that computing the simhash fingerprint of each malicious sample using the combination of class name and method name as the feature dimension is:
Using the combination of class name and method name as the feature dimension;
Computing the MD5 value of every feature dimension in the malicious sample;
Weighting and accumulating all the MD5 values, then applying dimensionality reduction to generate a 64-bit simhash fingerprint that uniquely identifies the malicious sample.
3. The method of claim 1 or 2, characterised in that computing the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model is:
Dividing the simhash fingerprint of each malicious sample into blocks;
Storing each block as the key and the simhash fingerprint itself as the value;
Aggregating the keys at the same block position;
Using each pairwise combination of simhash fingerprints obtained from aggregation as the key, and deduplicating the pairs;
Computing the Hamming distance of each pairwise simhash combination remaining after deduplication.
4. The method of claim 3, characterised in that determining that malicious samples whose Hamming distance is less than or equal to the preset threshold are homologous samples is: clustering, based on the K-means algorithm, the malicious samples whose Hamming distance is less than or equal to 3, and determining that they are homologous samples.
5. The method of claim 4, characterised in that, before the class names and method names are extracted, the method further includes: removing previously collected third-party library and packer package names.
6. A system for determining the homology of massive malicious samples, characterised by including:
A decompilation module, configured to decompile the malicious sample to obtain smali files and extract class names and method names;
A simhash fingerprint generation module, configured to compute the simhash fingerprint of each malicious sample, using the combination of class name and method name as the feature dimension;
A Hamming distance computation module, configured to compute the Hamming distances between the simhash fingerprints of the malicious samples based on the MapReduce model;
A homologous sample determination module, configured to determine that malicious samples whose Hamming distance is less than or equal to a preset threshold are homologous samples;
Here, the class name is the name of an abstract object in the program code, and the method name is the name of a function contained in an abstract object in the program code.
7. The system of claim 6, characterised in that the simhash fingerprint generation module is specifically configured to:
Use the combination of class name and method name as the feature dimension;
Compute the MD5 value of every feature dimension in the malicious sample;
Weight and accumulate all the MD5 values, then apply dimensionality reduction to generate a 64-bit simhash fingerprint that uniquely identifies the malicious sample.
8. The system of claim 6 or 7, characterised in that the Hamming distance computation module is specifically configured to:
Divide the simhash fingerprint of each malicious sample into blocks;
Store each block as the key and the simhash fingerprint itself as the value;
Aggregate the keys at the same block position;
Use each pairwise combination of simhash fingerprints obtained from aggregation as the key, and deduplicate the pairs;
Compute the Hamming distance of each pairwise simhash combination remaining after deduplication.
9. The system of claim 8, characterised in that the homologous sample determination module is specifically configured to: cluster, based on the K-means algorithm, the malicious samples whose Hamming distance is less than or equal to 3, and determine that they are homologous samples.
10. The system of claim 9, characterised in that, before the class names and method names are extracted, the following is also included: removing previously collected third-party library and packer package names.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511012015.0A CN105989287A (en) 2015-12-30 2015-12-30 Method and system for judging homology of massive malicious samples

Publications (1)

Publication Number Publication Date
CN105989287A true CN105989287A (en) 2016-10-05

Family

ID=57039725

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20161005