CN106230772A - Industry internet Deviant Behavior excavates scheme - Google Patents


Info

Publication number
CN106230772A
Authority
CN
China
Legal status
Pending
Application number
CN201610527355.5A
Other languages
Chinese (zh)
Inventor
俞海国
刘文泉
马先
张洪平
张海宁
刘世良
苏生平
尚西元
李楠芳
刘忠魁
赵明明
林亮成
任凤伟
王迎鹤
Current Assignee
Middle Electricity Runs (beijing) Information Technology Co Ltd
State Grid Qinghai Electric Power Co Ltd
Original Assignee
Middle Electricity Runs (beijing) Information Technology Co Ltd
State Grid Qinghai Electric Power Co Ltd
Application filed by Middle Electricity Runs (beijing) Information Technology Co Ltd, State Grid Qinghai Electric Power Co Ltd
Priority to CN201610527355.5A
Publication of CN106230772A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

Based on the behavioral characteristics of data in industrial control networks in a mobile Internet environment, an improved hybrid multi-class naive Bayes algorithm and a massive-data incremental learning algorithm based on two-step screening are provided and applied to the mining and analysis of abnormal behavior in mobile industrial control systems. The abnormal behavior mining scheme comprises abnormal behavior classification and mining algorithm design: the suspicious behavior classification method and the data mining process. In an industrial control network in a mobile Internet environment, the mining of behavioral data is divided into two stages: the classifier learning stage and the network behavior monitoring stage. After the classifier for each behavior class is obtained, the data mining of malware behavior enters the second stage, the network behavior monitoring stage. On the premise that the classification categories are independent, the naive Bayes classification algorithm is fast to compute, has high classification accuracy and good robustness, and is widely used.

Description

Industrial Internet abnormal behavior mining scheme
Technical field
The present invention relates to a mining scheme, and in particular to a scheme for mining abnormal behavior on the industrial Internet.
Background art
Security protection against abnormal behavior in industrial control systems in a mobile Internet environment mainly covers two aspects: network-side protection and terminal-side protection.
1. Network-side protection
Network-side protection generally means using a feature matching engine to analyze the network traffic of industrial control systems in a mobile Internet environment. This mainly concerns industrial-control-specific protocols such as OPC and DNP3, and also includes analysis of the abnormal behavior of various mobile terminals, sample files and so on. Intrusion detection for industrial control systems uses a bypass mode to monitor abnormal behavior in the industrial control network.
2. Terminal-side protection
Terminal-side protection mainly blocks attack behavior through security checks of the mobile terminals in the industrial control network. Commonly used security analysis techniques currently include:
Malicious behavior signature scanning. This protection method can detect known abnormal malicious behavior with high accuracy, but cannot detect unknown or new abnormal malicious behavior.
Static sampling analysis. This approach performs fixed sampling analysis of the applications on a mobile terminal to judge whether an application's behavior is abnormal malicious behavior. The sampling analysis is carried out according to security options set in advance by the user. Abnormal behavior in a mobile industrial control network, especially new abnormal behavior, still cannot be guarded against in time.
Dynamic behavior analysis. To save computing resources on the mobile terminal, this technique proposes a cloud-based mobile malware security detection system, which deploys a cloud malware detection server in the mobile Internet to detect mobile malware in transit. The method in effect trades bandwidth for savings in mobile terminal computing resources.
In an industrial control network in a mobile Internet environment, traditional feature matching techniques can achieve good detection results for known abnormal behavior. However, as mobile terminals become more intelligent, the services carried on them, industrial control services in particular, are growing rapidly, and novel attacks and variant attacks against mobile terminals keep emerging.
Summary of the invention
Object of the invention: based on the behavioral characteristics of industrial control networks in a mobile Internet environment, to devise an improved hybrid multi-class naive Bayes algorithm and a massive-data incremental learning algorithm based on two-step screening, and to give an abnormal behavior monitoring system and processing flow for industrial control networks in a mobile Internet environment; that is, to introduce data mining algorithms for abnormal behavior analysis.
The invention is realized as follows: an industrial Internet abnormal behavior mining scheme, with abnormal behavior classification and mining algorithm design:
1. Suspicious behavior classification method and data mining process. In an industrial control network in a mobile Internet environment, the mining of behavioral data is divided into two stages: the classifier learning stage and the network behavior monitoring stage. After the classifier for each behavior class is obtained, the data mining of malware behavior enters the second stage, the network behavior monitoring stage.
2. Network behavior mining analysis. From the TCP connection and application-layer protocol portions of the collected live-network behavior data, key header fields, traffic statistics and key content fields are selected as the features for abnormal behavior analysis.
3. Abnormal behavior mining algorithm design: the hybrid multi-class naive Bayes algorithm and the two-step screening incremental learning method. First, a whitelist scanning engine scans the live-network behavior data to obtain the normal behavior used for incremental learning; the output of the known-abnormal-behavior feature matching engine provides the abnormal behavior. This yields the original incremental training set DT, containing abnormal and normal behavior, which after two-step screening is added to the incremental training set to train the existing model.
Compared with the prior art, the invention has the following positive effect: data mining algorithms can better detect abnormal behavior in network behavior analysis and intrusion detection on the conventional Internet. Chandrashekhar et al. used clustering algorithms for the mining analysis of network intrusion detection data, and Modi et al. applied a Bayesian classification algorithm to intrusion detection on a cloud computing platform. On the premise that the classification categories are independent, the naive Bayes classification algorithm is fast to compute, has high classification accuracy and good robustness, and is widely used.
Brief description of the drawings
Fig. 1 is a flow diagram of the network behavior classifier learning stage of the invention.
Fig. 2 is a flow diagram of the network behavior monitoring stage of the invention.
Detailed description of the invention
In a mobile Internet environment, malware in industrial control networks behaves differently at each stage of infection, so classifying its behavior helps improve monitoring accuracy. Abnormal behavior of mobile terminals in an industrial control network in a mobile Internet environment may include:
Attacks on mobile industrial control systems by malicious programs such as mobile-terminal bots, Trojans and viruses, and manual attacks on mobile industrial control systems. These malicious attacks are highly harmful and cause heavy losses. An attacker can control the core operations of the mobile industrial control system through malicious instructions, or maliciously download confidential information from the industrial control system.
Malicious code spreads from an infected terminal to other terminals in several ways. Because mobile terminals have strong communication capabilities, an infected terminal can use short messages to send other terminals links to deceptive malware downloads; it can also use Bluetooth, infrared and similar means to propagate malware to other terminals.
A mobile terminal with industrial mobile applications installed accesses a malicious website and uploads confidential information of the industrial control system, leaking it to a malicious third party; or it downloads malware such as viruses and Trojans from the malicious website, and the infected mobile terminal then launches attacks on the industrial control system.
Milligan et al. summarized the security hazards of mobile malware, including information leakage, theft of confidential data, malicious attacks, network fraud attacks and network denial-of-service attacks.
Because mobile terminals and industrial applications are closely tied to users, abnormal behavior is often associated with the mobile terminal type, client program type, user information and so on; the transport protocols are diverse and the attack methods vary widely. Abnormal behavior analysis in an industrial control network in a mobile Internet environment should therefore consider terminal information and user information, and also the relevant feature attributes of the transport protocols at every layer.
Based on the analysis of abnormal behavior in industrial control networks in a mobile Internet environment, the malware infection period can be divided into three stages: the diffusion stage, the malicious server access stage and the attack stage. In the diffusion stage, malware can be sent to other mobile terminals via MMS, HTTP, FTP, e-mail and similar means. After infecting a mobile terminal, the malware connects to a malicious server to download update files and control instructions, or uploads system information obtained from the terminal to a malicious website. Finally, the malware can use the infected terminal to launch various attacks on the industrial control system, including maliciously downloading data from the industrial control system, issuing illegal control instructions to attack the system, and arbitrarily sending private and confidential information to other terminals or websites.
According to these three processes, malware behavior is divided into three classes: diffusion behavior, malicious website access behavior and attack behavior. Each class is handled by a different classifier, to improve the discrimination of malicious behavior.
Abnormal behavior classification and mining algorithm design:
1. Suspicious behavior classification method and data mining process. In an industrial control network in a mobile Internet environment, the mining of behavioral data is divided into two stages: the classifier learning stage and the network behavior monitoring stage. The data mining process of the behavior classifiers in the learning stage is shown in Fig. 1. In the learning stage, the model uses known mobile malware and normal network access as the learning data for the behavior classifiers. The malware used as learning data exhibits behavior from three stages: diffusion behavior, malicious access behavior and attack behavior. Likewise, normal network access data contains behavior of similar types, such as normal information exchange between mobile terminals, file downloads, system access, and the publication of normal control instructions to the control system. The behavior classification module divides the learning data into three behavior subsets according to the characteristics of the data behavior: the diffusion behavior subset, the malicious access behavior subset and the attack behavior subset. The data of these three subsets are then used to train three different naive Bayes classifiers: the diffusion behavior classifier F1, the malicious access behavior classifier F2 and the attack behavior classifier F3.
After the classifier for each behavior class is obtained, the data mining of malware behavior enters the second stage, the network behavior monitoring stage, as shown in Fig. 2. In the monitoring stage, real data from the mobile network is fed into the behavior classifiers obtained in the first stage. The behavior classification module divides the network data into three subsets according to its behavioral characteristics. The behavioral data of each subset is then input to the corresponding behavior classifier for analysis and classification, to judge whether the network behavior data is malicious behavior data.
2. Network behavior mining analysis. Traditional mining analysis of network intrusion behavior generally uses the KDD '99 intrusion detection data. The KDD '99 network intrusion behavior was collected by the DARPA '98 intrusion detection system project and includes denial of service, privilege escalation attacks, remote attacks and scanning attacks. Each connection in the data is described by 41 features, including basic connection features, traffic statistics features, content features and host-based network traffic statistics features. Because attack behavior in an industrial control network in a mobile Internet environment differs from that in traditional networks, this system uses high-speed acquisition probes to collect abnormal behavior traffic and normal behavior traffic on the existing mobile industrial control network. Matching against known mobile Internet industrial control network attack signatures yields labeled abnormal behavior data; scanning with the whitelist scanning engine yields labeled normal behavior data. With reference to the network behavior feature description of KDD '99, the invention selects key header fields, traffic statistics and key content fields from the TCP connection and application-layer protocol portions of the collected live-network behavior data as the features for abnormal behavior analysis. For example, if an information-stealing attack occurs, the key content fields will usually contain certain special character strings.
3. Abnormal behavior mining algorithm design: the hybrid multi-class naive Bayes algorithm
Let $X = \{x_1, x_2, \ldots, x_k\}$ be a data tuple described by $k$ attributes $\{A_1, A_2, \ldots, A_k\}$, and let $D$ be the set of training tuples and their associated class labels (the training set). Assume that for a given tuple $X$ there are $n+1$ class values $C = \{C_0, C_1, \ldots, C_n\}$. The naive Bayes classifier predicts that $X$ belongs to the class $C_i$ of maximum probability, that is, if and only if

$$P(C_i \mid X) > P(C_j \mid X), \quad 0 \le j \le n,\ i \ne j \tag{1}$$

By Bayes' theorem (formula 2), and because $P(X)$ is a fixed constant for all classes,

$$P(C_i \mid X) = \frac{P(X \mid C_i)\,P(C_i)}{P(X)} \tag{2}$$

it is only necessary to find the maximum of $P(X \mid C_i)\,P(C_i)$: to predict the class label of $X$, compute $P(X \mid C_i)\,P(C_i)$ for each class $C_i$.
The attribute values selected from mobile Internet industrial control network requests are mutually independent, so the probability can be computed from the independent per-attribute probabilities $P(x_1 \mid C_i), P(x_2 \mid C_i), \ldots, P(x_k \mid C_i)$:

$$P(X \mid C_i) = \prod_{j=1}^{k} P(x_j \mid C_i) \tag{3}$$

If a two-class naive Bayes algorithm is used to classify malicious behavior, then $n$ equals 1 and the total number of classes is 2, i.e. the only classes are normal behavior and abnormal behavior. Because abnormal behavior may be caused by many kinds of malicious programs whose behaviors differ, a hybrid multi-class naive Bayes algorithm is used here for the analysis. During modeling, the behaviors of the different classes of malicious programs are added to training set $D$ for multi-class training; during detection, a two-class decision is made. For the set $C$ of $n+1$ classes, define $C_0$ as the normal behavior class and $C'$ as the abnormal behavior class, comprising $n$ malicious program behavior subsets $C' = \{C_1, C_2, \ldots, C_n\}$, so that $C = \{C_0, C'\}$.
When a network behavior $X$ is classified, the output of the hybrid multi-class naive Bayes algorithm is given by formula 4. For network behavior $X$, when the class-conditional probability $P(C_0 \mid X)$ of the normal behavior class $C_0$ is greater than the maximum class-conditional probability of the abnormal behavior classes, $X$ is judged to be normal behavior; otherwise it is abnormal behavior.

$$C(X) = \arg\max\bigl(\max(P(C_1 \mid X), P(C_2 \mid X), \ldots, P(C_n \mid X)),\ P(C_0 \mid X)\bigr) \tag{4}$$
Two-step screening incremental learning algorithm:
In a mobile Internet environment, both the detection of network behavior in industrial control networks and the incremental learning of the model involve processing massive data, so data with a relatively high class support probability, which helps correct the model, must be selected for incremental learning. In actual detection, the whitelist scanning engine first scans the live-network behavior data to obtain the normal behavior used for incremental learning, and the output of the known-abnormal-behavior feature matching engine provides the abnormal behavior. This yields the original incremental training set DT, containing abnormal and normal behavior, which after two-step screening is added to the incremental training set to train the existing model.
First-step screening: the existing model performs multi-class naive Bayes classification detection on the original incremental training set DT. The output falls into two cases:
Case 1: if the class of an abnormal network behavior in the original incremental training set belongs to a class in the detection model, for example the behavior of a class of malicious program in the original training model, the existing model is used to compute the detection result and formula (1) is used to judge whether the classification is accurate. If the classification is accurate, the data need not be used for incremental learning. If it is inaccurate, formula (4) is used to determine further whether abnormal behavior has been judged as normal behavior. If so, the data deviates considerably from the original model and therefore cannot be added for incremental learning.
Case 2: if the class of an abnormal network behavior in the original incremental training set does not belong to any class in the detection model, formula (4) is used directly to judge whether the classification is accurate; if it is accurate, the data goes on to the next screening step.
Second-step screening: for the remaining data in training set DT, compute the relative class support probability $PS$. Assume

$$P(C_m \mid X) = \max\bigl(P(C_1 \mid X), P(C_2 \mid X), \ldots, P(C_n \mid X), P(C_0 \mid X)\bigr), \quad 0 \le m \le n \tag{5}$$

The relative class support probability $PS$ is:

$$PS = \frac{P(C_m \mid X)}{\prod_{i=0,\, i \ne m}^{n} P(C_i \mid X)} \tag{6}$$

Set a data screening threshold $TH$; only training data whose relative class support probability satisfies $PS > TH$ are added to the training set $DT'$ used for the subsequent incremental computation. The training set is incrementally trained with the following formula:

$$P'(C_i) = \frac{1 + \mathrm{count}(C_i) + \mathrm{count}'(C_i)}{|C| + |D| + |DT'|} \tag{7}$$
where:
· $\mathrm{count}(C_i)$ is the number of network behaviors of class $C_i$ in training set $D$;
· $\mathrm{count}'(C_i)$ is the number of network behaviors of class $C_i$ in the newly added incremental training set $DT'$;
· $|C|$ is the total number of network behavior classes in training set $D$;
· $|D|$ is the total number of network behaviors in training set $D$;
· $|DT'|$ is the total number of network behaviors in the newly added incremental training set;
· $\mathrm{count}(C_i \wedge x_j)$ is the number of network behaviors in training set $D$ with class $C_i$ and attribute $A_i$ taking the value $x_j$;
· $\mathrm{count}'(C_i \wedge x_j)$ is the number of network behaviors in the newly added incremental training set $DT'$ with class $C_i$ and attribute $A_i$ taking the value $x_j$;
· $|A_i|$ is the number of values of attribute $A_i$.
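
The following Python example is added here and is not code from the patent; it implements the hybrid multi-class decision (formulas 1 to 4) and the two-step screened incremental update (formulas 5 to 7) on a small data set. The feature names, class names, sample rows and the threshold TH = 20 are constructed; the Laplace-smoothed per-attribute estimate and the pass-through of normal-labelled samples in step 1 are assumptions, since the page does not specify them.

```python
from collections import Counter, defaultdict
from math import prod

NORMAL = "C0"  # normal class C_0; every other label is a malware behaviour class C_1..C_n


class HybridNB:
    def __init__(self, attr_sizes):
        self.attr_sizes = attr_sizes             # |A_j|: number of values of attribute j
        self.class_count = Counter({NORMAL: 0})  # count(C_i) + count'(C_i)
        self.value_count = defaultdict(Counter)  # count(C_i ^ x_j), keyed by class
        self.total = 0                           # |D| + |DT'|

    def fit(self, rows):
        # Calling fit() again on DT' adds counts, which is the incremental training step.
        for x, label in rows:
            self.class_count[label] += 1
            self.total += 1
            for j, value in enumerate(x):
                self.value_count[label][(j, value)] += 1
        return self

    def prior(self, c):
        # Formula 7; |C| is the number of classes currently in the model.
        return (1 + self.class_count[c]) / (len(self.class_count) + self.total)

    def likelihood(self, x, c):
        # Formula 3. The per-attribute estimate is Laplace-smoothed, which is an
        # assumption: the page defines count(Ci ^ xj) and |Ai| but not this formula.
        return prod(
            (1 + self.value_count[c][(j, value)]) / (self.attr_sizes[j] + self.class_count[c])
            for j, value in enumerate(x)
        )

    def posterior(self, x):
        # Formula 2, with P(X) obtained by normalising over all classes.
        joint = {c: self.likelihood(x, c) * self.prior(c) for c in self.class_count}
        z = sum(joint.values())
        return {c: p / z for c, p in joint.items()}

    def predict(self, x):  # formula 1: class with the highest posterior
        post = self.posterior(x)
        return max(post, key=post.get)

    def is_abnormal(self, x):
        # Formula 4: normal only if P(C0|X) exceeds every malware-class posterior.
        post = self.posterior(x)
        return post[NORMAL] <= max(p for c, p in post.items() if c != NORMAL)


def relative_support(post):
    # Formulas 5 and 6: top posterior divided by the product of all the others.
    m = max(post, key=post.get)
    return post[m] / prod(p for c, p in post.items() if c != m)


def two_step_screen(model, dt, th):
    kept = []
    for x, label in dt:
        if label != NORMAL:
            known = label in model.class_count
            if known and model.predict(x) == label:
                continue  # case 1, already classified accurately: nothing to learn
            if not model.is_abnormal(x):
                continue  # formula 4 calls it normal: deviates too far from the model
        # Assumption: normal-labelled samples reach step 2 without a step-1 check.
        if relative_support(model.posterior(x)) > th:
            kept.append((x, label))
    return kept


# Constructed sample data: (channel, target, key-content flag) per network behaviour.
D = ([(("http", "ics", "plain"), NORMAL)] * 3 + [(("sms", "terminal", "plain"), NORMAL)]
     + [(("sms", "terminal", "suspicious"), "diffusion")] * 3
     + [(("http", "ics", "suspicious"), "attack")] * 2)
DT = [
    (("http", "ics", "suspicious"), "attack"),                # classified correctly already
    (("sms", "ics", "suspicious"), "attack"),                 # wrong class, PS below TH
    (("http", "ics", "plain"), "attack"),                     # judged normal by formula 4
    (("sms", "terminal", "suspicious"), "malicious_access"),  # class new to the model
    (("http", "ics", "plain"), NORMAL),                       # whitelist-labelled normal
]


def run_example(th=20.0):
    model = HybridNB([2, 2, 2]).fit(D)
    dt_prime = two_step_screen(model, DT, th)
    model.fit(dt_prime)  # incremental training on DT'
    return model, dt_prime


if __name__ == "__main__":
    print(run_example()[1])
```

Only the last two rows of DT survive both screening steps, and the new class enters the model with the smoothed prior from formula 7.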

Claims (3)

1. An industrial Internet abnormal behavior mining scheme, characterized in that: the abnormal behavior mining scheme comprises abnormal behavior classification and mining algorithm design: the suspicious behavior classification method and the data mining process; in an industrial control network in a mobile Internet environment, the mining of behavioral data is divided into two stages: the classifier learning stage and the network behavior monitoring stage; after the classifier for each behavior class is obtained, the data mining of malware behavior enters the second stage, the network behavior monitoring stage.
2. The abnormal behavior mining scheme as claimed in claim 1, characterized in that: in the network behavior mining analysis, key header fields, traffic statistics and key content fields are selected from the TCP connection and application-layer protocol portions of the collected live-network behavior data as the features for abnormal behavior analysis.
3. The abnormal behavior mining scheme as claimed in claim 1, characterized in that: the abnormal behavior mining algorithm design comprises the hybrid multi-class naive Bayes algorithm and the two-step screening incremental learning algorithm; first, a whitelist scanning engine scans the live-network behavior data to obtain the normal behavior used for incremental learning; the output of the known-abnormal-behavior feature matching engine provides the abnormal behavior. This yields the original incremental training set DT, containing abnormal and normal behavior, which after two-step screening is added to the incremental training set to train the existing model.
CN201610527355.5A 2016-07-07 2016-07-07 Industry internet Deviant Behavior excavates scheme Pending CN106230772A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610527355.5A CN106230772A (en) 2016-07-07 2016-07-07 Industry internet Deviant Behavior excavates scheme


Publications (1)

Publication Number Publication Date
CN106230772A true CN106230772A (en) 2016-12-14

Family

ID=57519949


Country Status (1)

Country Link
CN (1) CN106230772A (en)


Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789359A (en) * 2017-02-15 2017-05-31 广东工业大学 A kind of net flow assorted method and device based on grey wolf algorithm
CN106789359B (en) * 2017-02-15 2019-12-13 广东工业大学 Network traffic classification method and device based on wolf algorithm
CN107220557A (en) * 2017-05-02 2017-09-29 广东电网有限责任公司信息中心 A kind of detection method and system of the sensitive data behavior of user's unauthorized access
CN107544470A (en) * 2017-09-29 2018-01-05 杭州安恒信息技术有限公司 A kind of controller guard technology based on white list
CN108600258A (en) * 2018-05-09 2018-09-28 华东师范大学 A kind of method for auditing safely towards Integrated Electronic System self-generating white list
CN108737410A (en) * 2018-05-14 2018-11-02 辽宁大学 A kind of feature based is associated limited to know industrial communication protocol anomaly detection method
CN108737410B (en) * 2018-05-14 2021-04-13 辽宁大学 Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association
CN109784052A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 The management method and server-side, terminal, system of software action detection
CN110809009A (en) * 2019-12-12 2020-02-18 江苏亨通工控安全研究院有限公司 Two-stage intrusion detection system applied to industrial control network
CN111935085A (en) * 2020-06-30 2020-11-13 物耀安全科技(杭州)有限公司 Method and system for detecting and protecting abnormal network behaviors of industrial control network
CN113098892A (en) * 2021-04-19 2021-07-09 恒安嘉新(北京)科技股份公司 Data leakage prevention system and method based on industrial Internet


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20161214
