CN106557695A - A kind of malicious application detection method and system - Google Patents

A kind of malicious application detection method and system

Info

Publication number
CN106557695A
Authority
CN
China
Prior art keywords
application
malicious
application program
storehouse
labeled
Prior art date
Legal status
Granted
Application number
CN201510621631.XA
Other languages
Chinese (zh)
Other versions
CN106557695B (en)
Inventor
周建宁
沈岩
王巍
刘志诚
Current Assignee
Aspire Digital Technologies Shenzhen Co Ltd
Original Assignee
Aspire Digital Technologies Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Aspire Digital Technologies Shenzhen Co Ltd
Priority to CN201510621631.XA (granted as CN106557695B)
Publication of CN106557695A
Application granted
Publication of CN106557695B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The present invention relates to a malicious application detection method and system. The method comprises: S1, performing static code scanning on a received application to be detected and analysing, along the three dimensions of permission requests, function calls and information output, whether the application exhibits malicious behaviour matching any entry in a malicious-behaviour database; if it does, labelling the application as a suspected malicious application, otherwise labelling it as a normal application; S2, performing similarity analysis based on application name, package name, signing certificate, directory structure, text files and image files between the application labelled as suspected malicious and the malicious application samples in a malicious application sample database, and labelling the application as a malicious application when its similarity reaches a set threshold. The invention avoids the performance bottleneck of loading an application into a virtual machine for execution and analysis, effectively reduces the false positive rate and improves identification accuracy.

Description

A kind of malicious application detection method and system
Technical field
The present invention relates to mobile Internet technology and, more particularly, to a malicious application detection method and system.
Background technology
With the spread of smart mobile terminals and the rapid growth of mobile Internet services, the number of mobile applications is growing quickly. The disruptive changes brought by smart mobile terminals have opened a new chapter in the development of the mobile Internet industry, and smart terminals have changed how people work and live, yet the security of mobile application software faces a serious situation.
The rapid growth of mobile application software has brought a flood of pirated applications, malicious applications, viruses and the like. Compared with traditional PC terminals, the characteristics of mobile malicious applications are more pronounced: variants of malicious applications appear very quickly, and large numbers of new variants emerge every day.
By the end of 2014 the number of applications on the Android platform had exceeded 2,000,000, making it the platform with the most application software. Because of the Android application development model, the situation differs from traditional PC terminals, where variants of malicious applications are mostly developed and spread by the publisher itself and the variant cycle is longer: Android applications are easy to reverse engineer, and malicious code is easily recompiled, repackaged and released again as a new variant. Variants of malicious applications are therefore easy to produce, appear frequently and have very short life cycles. For the prevention and control of mobile malicious applications, effectively identifying malicious application variants is thus particularly important.
On traditional PC terminals, three main methods are used to identify variants:
1. Broad-spectrum signatures: also called generic (gene) signatures. Generic-signature detection summarises the features of a class of malicious applications, so that one generic signature can cover a whole class of malicious applications. Generic signatures can also deal effectively with variants, making up to some extent for the helplessness of signature-based scanning against unknown malicious applications.
However, identification based on broad-spectrum signatures has the following limitations:
(1) It increases the probability of false positives. Scanning with generic signatures easily judges normal software that happens to carry certain signature fragments as a threat, so some normal software is falsely reported.
(2) Analysing and extracting generic signatures is difficult and requires highly skilled professionals, and the quality of the extracted signatures strongly affects the final malicious application verdict. The method therefore depends heavily on human factors, and its effectiveness depends on the quality of the security professionals.
(3) A large number of samples must be analysed, and until a generic signature has been analysed and extracted the spread of the malicious application cannot be countered. Given that mobile malicious application variants appear quickly and spread in short cycles, this method cannot effectively solve the problem of detecting and removing malicious applications.
2. Heuristic scanning: also known as behaviour-based malicious application scanning. It distinguishes malicious applications from normal software by analysing the behavioural differences between them, and can therefore effectively discover unknown malicious applications and their variants. In the eyes of a security expert, the behaviour of a malicious application differs greatly from that of an ordinary program: an ordinary program does not create files in the system's core directories, does not hook the system everywhere and does not register services indiscriminately. Heuristic scanning uses automated computer analysis to implement some of the analysis rules of security experts and judges whether an application exhibits malicious behaviour from the behaviour it displays.
The limitations of heuristic scanning are as follows:
(1) The false positive rate is very high. Software with the same behaviour is not necessarily all malicious; for example, reading the address book and sending it to a specified address is not necessarily theft of user information, it may also be data backup software.
(2) Operational efficiency is low. Because the malicious application must be run in a virtual machine while its behavioural data is collected and analysed, this approach is slow; it is more suited to running on back-end servers, and for anti-virus tools with user interaction the user experience is poor.
3. Artificial intelligence (AI): AI technology comprehensively analyses and learns from the behaviour of malicious applications, continuously optimising its own malicious-behaviour feature database while automatically extracting signatures. Starting from an initial set of malicious behaviour signatures, continuous optimisation and expansion eventually produce a more refined behaviour signature database for dealing with unknown malicious applications and their variants; at the same time, automatically extracted malicious application signatures improve the efficiency of detecting and removing known malicious applications.
The main problems with AI technology are as follows:
(1) AI is a process of continuous learning. Only when there are enough malicious application samples can the AI engine complete its learning and improve its behaviour signatures, so the technology lags behind the spread of malicious applications.
(2) The algorithmic models of AI are extremely complex, while the features of malicious applications are highly variable; designing a good learning model is very difficult, and often one model cannot meet the needs of all application scenarios.
(3) On mobile terminals, malicious application variants are numerous, change quickly and spread for only a short time: a variant may circulate for just a few days before disappearing and being replaced by another. Under these conditions AI is very inefficient.
In summary, in the new situation of mobile Internet services the number of mobile terminals has far exceeded the number of PC terminals and mobile applications have become the main form of application. Malicious application detection methods from the PC era cannot meet this need; only a brand-new solution can protect users' interests, ensure user information security and promote the sustainable development of the industry chain.
Summary of the invention
The technical problem to be solved by the present invention is to provide, in view of the above drawbacks of the prior art, a malicious application detection method and system that raise the level of automation in detecting variant malicious applications for mobile applications, reduce the misjudgement rate and improve the efficiency of discovering unknown variants.
The technical solution adopted by the present invention to solve this problem is a malicious application detection method comprising the following steps:
S1, performing static code scanning on a received application to be detected and analysing, along the three dimensions of permission requests, function calls and information output, whether the application exhibits malicious behaviour matching any entry in a malicious-behaviour database; if it does, labelling the application as a suspected malicious application, otherwise labelling it as a normal application;
S2, performing similarity analysis based on application name, package name, signing certificate, directory structure, text files and image files between the application labelled as suspected malicious and the malicious application samples in a malicious application sample database, and labelling the application as a malicious application when its similarity reaches a set threshold.
According to one embodiment of the present invention, the method further includes:
S3, storing the applications not labelled as malicious in step S2 in a misjudgement database;
S4, based on the results of manual analysis of the applications in the misjudgement database, labelling those that are not malicious as normal applications, storing them in the normal application database, and storing their information in a whitelist database;
S5, based on the results of manual analysis of the applications in the misjudgement database, labelling those that are malicious as malicious applications, storing them in the malicious application database, and also storing them in the malicious application sample database.
According to one embodiment of the present invention, step S1 further includes:
S11, decompiling the received application to be detected to produce code files and the corresponding permission configuration file and resource files, and parsing the application name, package name, signing certificate and directory structure of the application;
S12, invoking a reachability matrix model to scan and analyse the code files, permission configuration file and resource files produced by decompilation along the three dimensions of permission requests, function calls and information output for malicious behaviour matching any entry in the malicious-behaviour database, where the reachability matrix model is generated in advance from the malicious-behaviour database and the whitelist database;
S13, labelling applications with malicious behaviour as suspected malicious applications and storing them in the suspected malicious application database, and labelling applications without malicious behaviour as normal applications and storing them in the normal application database.
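As an added illustration of steps S11 to S13 (example code written for this page, not code from the patent), the following Python sketch builds a reachability matrix from a constructed malicious-behaviour database and whitelist and uses it to label a decompiled application summary. The patent names the three dimensions and the two databases but not their formats, so the chain representation (permission request to function call to information output), the node identifiers, the treatment of the whitelist as known-normal chains removed from the model, and the sample applications are all assumptions.

```python
"""Static three-dimension scan with a reachability matrix (steps S11 to S13).

Added example for this page, not code from patent CN106557695A.  The chain
format, node names, whitelist semantics and sample applications are assumed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

Chain = Tuple[str, str, str]  # (permission request, function call, information output)

# Constructed malicious-behaviour database: each entry links the three dimensions.
BEHAVIOUR_DB: List[Chain] = [
    ("READ_CONTACTS", "ContactsContract.query", "HttpURLConnection.getOutputStream"),
    ("READ_CONTACTS", "ContactsContract.query", "FileOutputStream.write"),
    ("READ_SMS", "Telephony.Sms.query", "HttpURLConnection.getOutputStream"),
    ("RECORD_AUDIO", "MediaRecorder.start", "Socket.getOutputStream"),
]

# Constructed whitelist: chains observed in known-normal applications (assumption:
# a whitelisted chain is removed from the model before the matrix is built).
WHITELIST: List[Chain] = [
    ("READ_CONTACTS", "ContactsContract.query", "FileOutputStream.write"),
]


@dataclass(frozen=True)
class AppSummary:
    """What step S11 yields after decompilation: permissions from the manifest,
    API calls and output sinks found in the code files.  Field names assumed."""
    name: str
    permissions: FrozenSet[str]
    calls: FrozenSet[str]
    sinks: FrozenSet[str]


class ReachabilityModel:
    """Directed edges permission -> call -> sink, built once from both databases."""

    def __init__(self, behaviour_db: List[Chain], whitelist: List[Chain]) -> None:
        benign = set(whitelist)
        self.edges: Set[Tuple[str, str]] = set()
        for perm, call, sink in behaviour_db:
            if (perm, call, sink) in benign:
                continue  # known-normal chain: contributes no edges
            self.edges.add((perm, call))
            self.edges.add((call, sink))
        self.nodes = sorted({n for edge in self.edges for n in edge})

    def reachable(self, present: Set[str]) -> Set[Tuple[str, str]]:
        """Warshall transitive closure restricted to nodes the application contains."""
        nodes = [n for n in self.nodes if n in present]
        idx = {n: i for i, n in enumerate(nodes)}
        size = len(nodes)
        matrix = [[False] * size for _ in range(size)]
        for a, b in self.edges:
            if a in idx and b in idx:
                matrix[idx[a]][idx[b]] = True
        for k in range(size):
            for i in range(size):
                if matrix[i][k]:
                    for j in range(size):
                        if matrix[k][j]:
                            matrix[i][j] = True
        return {(nodes[i], nodes[j]) for i in range(size) for j in range(size) if matrix[i][j]}


def static_scan(model: ReachabilityModel, app: AppSummary):
    """Steps S12/S13: a requested permission that reaches an output sink through
    calls present in the code counts as a malicious-behaviour match."""
    present = set(app.permissions | app.calls | app.sinks)
    findings = sorted((p, s) for p, s in model.reachable(present)
                      if p in app.permissions and s in app.sinks)
    label = "suspected malicious" if findings else "normal"
    return label, findings


# Constructed application summaries.
CONSTRUCTED_APPS = [
    AppSummary("contacts_uploader", frozenset({"READ_CONTACTS", "INTERNET"}),
               frozenset({"ContactsContract.query"}),
               frozenset({"HttpURLConnection.getOutputStream"})),
    AppSummary("local_backup", frozenset({"READ_CONTACTS"}),
               frozenset({"ContactsContract.query"}), frozenset({"FileOutputStream.write"})),
    AppSummary("flashlight", frozenset({"CAMERA"}), frozenset({"Camera.open"}), frozenset()),
]

if __name__ == "__main__":
    model = ReachabilityModel(BEHAVIOUR_DB, WHITELIST)
    for app in CONSTRUCTED_APPS:
        print(app.name, *static_scan(model, app))
```

The closure is computed only over nodes the application actually contains, so a permission that is requested but never connected in the code to an output sink produces no finding. The constructed backup application reads contacts but writes them to a local file, a chain the whitelist marks as known-normal, so it is labelled normal; this is the structural check that addresses the false positives the background section attributes to pure behaviour heuristics.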
According to one embodiment of the present invention, step S2 further includes:
S21, matching the signing certificate of the application labelled as suspected malicious against the malicious application samples in the malicious application sample database; if the signing certificate is present in the sample database, directly labelling the application as malicious and storing it in the malicious application database;
S22, if the signing certificate is not present in the malicious application sample database, further performing similarity analysis of the application's name and package name and finding, from the sample database, the set of samples whose application name and package name are similar;
S23, if a sample set is found in step S22, performing similarity analysis of directory structure, text files and image files between each sample in the set and the application to be analysed, computing similarity values, and, if any sample's similarity with the application reaches the set threshold, labelling the application as malicious and storing it in the malicious application database;
S24, if no sample set is found in step S22, or no sample in step S23 reaches the set threshold of similarity with the application to be analysed, performing similarity analysis of directory structure, text files and image files between all samples in the malicious application sample database and the application, computing similarity values, and, if any sample's similarity with the application reaches the set threshold, labelling the application as malicious and storing it in the malicious application database.
According to one embodiment of the present invention, the similarity analysis of application name and package name uses an edit distance algorithm, directory structure similarity analysis uses a directory comparison method, text file similarity analysis uses an edit distance algorithm, and image file similarity analysis uses a perceptual hash algorithm.
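The following Python code is an added worked example of the tiered comparison in steps S21 to S24 (not code from the patent; the data model, thresholds, equal weights and sample data are assumptions). Edit distance is implemented directly. The directory comparison method, which the patent names but does not define, is taken here as Jaccard overlap of file paths; perceptual hashes are taken as precomputed 64-bit values compared by Hamming distance, since computing them needs an image library; and the candidate rule of S22 treats a sample as similar when either its application name or its package name is close, because the patent does not fix how the two are combined.

```python
"""Tiered similarity analysis (steps S21 to S24, falling through to S3).

Added example for this page, not code from patent CN106557695A.  Field names,
thresholds, weights and all sample data are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AppInfo:
    """Facts the decompilation step (S11) extracts from an APK."""
    name: str                     # application name
    package: str                  # package name
    cert: str                     # signing-certificate fingerprint (constructed)
    paths: FrozenSet[str]         # directory structure: file paths inside the APK
    texts: Dict[str, str]         # text files by path
    image_hashes: Dict[str, int]  # 64-bit perceptual hash per image file, precomputed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def string_similarity(a: str, b: str) -> float:
    """Edit distance normalised to [0, 1]; 1.0 means identical strings."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def directory_similarity(a: AppInfo, b: AppInfo) -> float:
    """Directory comparison method, taken here as Jaccard overlap of file paths."""
    union = a.paths | b.paths
    return 1.0 if not union else len(a.paths & b.paths) / len(union)


def text_similarity(a: AppInfo, b: AppInfo) -> float:
    """Mean normalised edit-distance similarity over text files present in both."""
    shared = a.texts.keys() & b.texts.keys()
    if not shared:
        return 0.0
    return sum(string_similarity(a.texts[p], b.texts[p]) for p in shared) / len(shared)


def image_similarity(a: AppInfo, b: AppInfo) -> float:
    """Perceptual-hash comparison: 1 - Hamming distance / 64, averaged over shared images."""
    shared = a.image_hashes.keys() & b.image_hashes.keys()
    if not shared:
        return 0.0
    return sum(1.0 - bin(a.image_hashes[p] ^ b.image_hashes[p]).count("1") / 64
               for p in shared) / len(shared)


def content_similarity(a: AppInfo, b: AppInfo) -> float:
    """Directory, text and image similarities combined with equal weights (assumed)."""
    return (directory_similarity(a, b) + text_similarity(a, b) + image_similarity(a, b)) / 3


def classify(app: AppInfo, samples: List[AppInfo], name_threshold: float = 0.8,
             threshold: float = 0.75):
    """Returns (label, matched sample package or None, stage that decided)."""
    # S21: an exact signing-certificate match is decisive.
    for s in samples:
        if s.cert == app.cert:
            return "malicious", s.package, "S21 certificate"
    # S22: candidate set by application-name or package-name similarity.
    candidates = [s for s in samples
                  if string_similarity(app.name, s.name) >= name_threshold
                  or string_similarity(app.package, s.package) >= name_threshold]
    # S23: content comparison against the candidates first, S24: then against all samples.
    for stage, pool in (("S23 candidates", candidates), ("S24 all samples", samples)):
        if not pool:
            continue
        best = max(pool, key=lambda s: content_similarity(app, s))
        if content_similarity(app, best) >= threshold:
            return "malicious", best.package, stage
    return "misjudgement database", None, "S3"  # S3: left for manual analysis


# Constructed malicious application sample database (one sample).
SAMPLES = [AppInfo("Flashlight Pro", "com.evil.flashlight", "cert-A",
                   frozenset({"AndroidManifest.xml", "classes.dex", "res/drawable/icon.png",
                              "assets/config.txt", "lib/armeabi/libnative.so"}),
                   {"assets/config.txt": "endpoint=https://api.example.invalid/v1\nretry=3"},
                   {"res/drawable/icon.png": 0xF0F0F0F0F0F0F0F0})]
# Constructed suspects: a repackaged variant, a re-signed copy and an unrelated application.
VARIANT = AppInfo("Flashlight Pro+", "com.evil.flashlite", "cert-B",
                  SAMPLES[0].paths | {"assets/extra.txt"},
                  {"assets/config.txt": "endpoint=https://api.example.invalid/v2\nretry=3",
                   "assets/extra.txt": "x"},
                  {"res/drawable/icon.png": 0xF0F0F0F0F0F0F0F3})  # icon differs in 2 bits
RESIGNED = replace(VARIANT, name="Torch", package="com.other.torch", cert="cert-A")
BENIGN = AppInfo("Weather Now", "org.example.weather", "cert-C",
                 frozenset({"AndroidManifest.xml", "classes.dex", "res/drawable/icon.png",
                            "res/layout/main.xml"}), {},
                 {"res/drawable/icon.png": 0x0F0F0F0F0F0F0F0F})

if __name__ == "__main__":
    for suspect in (VARIANT, RESIGNED, BENIGN):
        print(suspect.package, classify(suspect, SAMPLES))
```

Note that paths every APK contains (AndroidManifest.xml, classes.dex) inflate the directory score for unrelated applications; the constructed benign application reaches 0.5 on that dimension alone and is saved only by the text and image dimensions. A deployment would exclude such common paths or weight the dimensions, and the threshold would be tuned against the misjudgement database that steps S3 to S5 maintain.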
To solve its technical problem, the present invention also proposes a malicious application detection system comprising:
a malicious-behaviour database for storing malicious behaviour information along the three dimensions of permission requests, function calls and information output;
a malicious application sample database for storing information about malicious application samples;
a static heuristic scanning subsystem for performing static code scanning on a received application to be detected and analysing, along the three dimensions of permission requests, function calls and information output, whether the application exhibits malicious behaviour matching any entry in the malicious-behaviour database; if it does, labelling the application as a suspected malicious application, otherwise labelling it as a normal application;
a similarity analysis subsystem for performing similarity analysis based on application name, package name, signing certificate, directory structure, text files and image files between the application labelled as suspected malicious by the static heuristic scanning subsystem and the malicious application samples in the malicious application sample database, and labelling the application as malicious when its similarity reaches the set threshold.
According to one embodiment of the present invention, the system further includes:
a suspected malicious application database for storing applications labelled as suspected malicious by the static heuristic scanning subsystem;
a misjudgement database for storing applications not labelled as malicious by the similarity analysis subsystem;
a normal application database for storing applications labelled as normal by the static heuristic scanning subsystem and applications in the misjudgement database labelled as normal on the basis of manual analysis;
a whitelist database for storing information about applications in the misjudgement database labelled as normal on the basis of manual analysis;
a malicious application database for storing applications labelled as malicious by the similarity analysis subsystem.
According to one embodiment of the present invention, the static heuristic scanning subsystem further includes:
a reachability matrix algorithm component for loading the malicious-behaviour database and the whitelist database and generating in advance a reachability matrix model over the three dimensions of permission requests, function calls and information output;
a decompilation component for decompiling the received application to be detected into code files and the corresponding permission configuration file and resource files, and parsing the application name, package name, signing certificate and directory structure of the application;
a malicious behaviour analysis component for invoking the reachability matrix model to scan and analyse the decompiled code files, permission configuration file and resource files along the three dimensions of permission requests, function calls and information output for malicious behaviour matching any entry in the malicious-behaviour database;
a scheduling component for labelling applications with malicious behaviour as suspected malicious applications and storing them in the suspected malicious application database, and labelling applications without malicious behaviour as normal applications and storing them in the normal application database.
According to one embodiment of the present invention, the similarity analysis subsystem further includes:
a signing certificate matching component for obtaining the signing certificate of the application to be analysed from the suspected malicious application database and matching it against the malicious application samples in the malicious application sample database, and, if the signing certificate is present in the sample database, directly labelling the application as malicious and storing it in the malicious application database;
a first similarity analysis component for, when the signing certificate of the application to be analysed is not present in the malicious application sample database, further performing similarity analysis of the application's name and package name and finding, from the sample database, the set of samples whose application name and package name are similar;
a second similarity analysis component for, when the first similarity analysis component finds a sample set, performing similarity analysis of directory structure, text files and image files between each sample in the set and the application to be analysed, computing similarity values, and, when any sample's similarity with the application reaches the set threshold, labelling the application as malicious and storing it in the malicious application database;
a third similarity analysis component for, when the first similarity analysis component finds no sample set or the second similarity analysis component finds no sample whose similarity with the application reaches the set threshold, performing similarity analysis of directory structure, text files and image files between all samples in the malicious application sample database and the application to be analysed, computing similarity values, and, when any sample's similarity with the application reaches the set threshold, labelling the application as malicious and storing it in the malicious application database.
According to one embodiment of the present invention, the first similarity analysis component uses an edit distance algorithm for application name and package name similarity analysis; the second and third similarity analysis components each use a directory comparison method for directory structure similarity analysis, an edit distance algorithm for text file similarity analysis and a perceptual hash algorithm for image file similarity analysis.
The malicious application detection method and system of the present invention are based on heuristic scanning. To address the low operational efficiency of heuristic scanning, they analyse static behaviour instead of loading the application into a virtual machine for execution and analysis, avoiding that performance bottleneck. By adding a similarity analysis stage on top of heuristic scanning, they effectively address the high false positive rate of heuristic scanning: the similarity analysis first performs fuzzy matching on the application's signing certificate, name and package name, then combines several analyses such as similarity of application code, resource files and directory structure, effectively reducing the false positive rate and improving identification accuracy.
Description of the drawings
The invention is further described below with reference to the drawings and embodiments, in which:
Fig. 1 is a schematic structural diagram of the malicious application detection system of one embodiment of the invention;
Fig. 2 is a flow chart of the malicious application detection method of one embodiment of the invention;
Fig. 3 is a flow chart of a specific embodiment of step S210 in Fig. 2;
Fig. 4 is a flow chart of a specific embodiment of step S220 in Fig. 2.
Detailed description of embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Fig. 1 is a schematic structural diagram of a malicious application detection system 100 according to an embodiment of the invention. As shown in Fig. 1, the malicious application detection system 100 consists mainly of a static heuristic scanning subsystem 110, a similarity analysis subsystem 120, a malicious-behaviour database 130, a whitelist database 140, a misjudgement database 150, a malicious application sample database 160, a normal application database 170, a suspected malicious application database 180 and a malicious application database 190. The static heuristic scanning subsystem 110 and the similarity analysis subsystem 120 are the core of the system 100. The static heuristic scanning subsystem 110 performs static code scanning on the received application to be detected and analyses, along the three dimensions of permission requests, function calls and information output, whether the application exhibits malicious behaviour matching any entry in the malicious-behaviour database 130; if it does, the application is labelled as a suspected malicious application, otherwise as a normal application. Suspected malicious applications detected by the static heuristic scanning subsystem 110 pass to the similarity analysis subsystem 120, which performs similarity analysis based on application name, package name, signing certificate, directory structure, text files and image files between the application labelled as suspected malicious by subsystem 110 and the malicious application samples in the malicious application sample database 160, and labels the application as malicious when its similarity reaches the set threshold. The malicious-behaviour database 130 stores malicious behaviour information along the three dimensions of permission requests, function calls and information output; the malicious application sample database 160 stores information about malicious application samples; the suspected malicious application database 180 stores applications labelled as suspected malicious by the static heuristic scanning subsystem 110; the misjudgement database 150 stores applications not labelled as malicious by the similarity analysis subsystem 120; the normal application database 170 stores applications labelled as normal by the static heuristic scanning subsystem 110 and applications in the misjudgement database 150 labelled as normal on the basis of manual analysis; the whitelist database 140 stores information about applications in the misjudgement database 150 labelled as normal on the basis of manual analysis; and the malicious application database 190 stores applications labelled as malicious by the similarity analysis subsystem 120.
As further shown in Fig. 1, the static heuristic scanning subsystem 110 consists of a reachability matrix algorithm component 111, a decompilation component 112, a malicious behaviour analysis component 113 and a scheduling component 114. When the static heuristic scanning subsystem 110 starts, the reachability matrix algorithm component 111 loads the malicious-behaviour database 130 and the whitelist database 140 and generates in advance a reachability matrix model over the three dimensions of permission requests, function calls and information output. The decompilation component 112 performs APK decompilation on the application to be detected received by the static heuristic scanning subsystem 110, producing Smali code files and the corresponding permission configuration file and resource files, and parses the application name, package name, signing certificate and directory structure of the application. The malicious behaviour analysis component 113 then invokes the reachability matrix model generated by the reachability matrix algorithm component 111 to scan and analyse, along the three dimensions of permission requests, function calls and information output, the code files, permission configuration file and resource files produced by the decompilation component 112, and determines whether the application exhibits malicious behaviour matching any entry in the malicious-behaviour database 130. When the application matches some malicious behaviour, the scheduling component 114 labels it as a suspected malicious application and stores it in the suspected malicious application database 180. When the application matches no malicious behaviour in the malicious-behaviour database 130, the scheduling component 114 labels it as a normal application and stores it in the normal application database 170.
The similarity analysis subsystem 120 is used to further screen the application programs in the suspected malicious application library 180. After the similarity analysis subsystem 120 starts, it loads the sample information in the malicious application sample library 160, then obtains the application program to be analysed from the suspected malicious application library 180 and performs similarity analysis. Specifically, as shown in Figure 1, the similarity analysis subsystem 120 consists of a signing certificate matching component 121, a first similarity analysis component 122, a second similarity analysis component 123 and a third similarity analysis component 124. The signing certificate matching component 121 obtains the signing certificate of the suspected malicious application to be analysed and matches it against the malicious application samples in the malicious application sample library 160. If the signing certificate used by the suspected malicious application is found to exist in the malicious application sample library 160, the application program is directly labelled as a malicious application and stored in the malicious application library 190, and detection ends. If the signing certificate match is not satisfied, the first similarity analysis component 122 further performs similarity analysis of the application name and package name of the application program, using for example an edit distance algorithm, to find in the malicious application sample library 160 the set of samples whose application name and package name are similar. If that sample set exists, the second similarity analysis component 123 takes the sample set as the analysis scope and performs similarity analysis of directory structure, text and image files between each sample in the set and the application program to be analysed, calculating similarity values. In a specific embodiment, the second similarity analysis component 123 uses a directory comparison method for directory structure similarity analysis, an edit distance algorithm for text similarity analysis and a perceptual hash algorithm for image file similarity analysis. When the similarity between some sample and the application program to be analysed meets the set value, the application program is labelled as a malicious application and stored in the malicious application library 190. If the first similarity analysis component 122 finds no sample set, or the second similarity analysis component 123 finds no sample in the set whose similarity with the application program to be analysed meets the set value, the third similarity analysis component 124 performs similarity analysis of directory structure, text and image files between all samples in the malicious application sample library and the application program to be analysed, calculating similarity values. Likewise, in a specific embodiment, the third similarity analysis component 124 uses a directory comparison method for directory structure similarity analysis, an edit distance algorithm for text similarity analysis and a perceptual hash algorithm for image file similarity analysis. When a sample found by the third similarity analysis component 124 has a similarity with the application program to be analysed that meets the set value, the application program is labelled as a malicious application and stored in the malicious application library 190. If the application program is still not labelled as a malicious application after analysis by the third similarity analysis component 124, it is stored in the misjudgment (false positive) information library 150 for further manual processing by the operation and maintenance personnel 300.

After the application programs in the misjudgment information library 150 have been processed manually, according to the result of the manual analysis, an application program that is not a malicious application is labelled as a normal application and stored in the normal application library 170, and the information of that normal application is also stored in the white list library 140. If manual analysis finds it to be a new malicious application, the application program is labelled as a malicious application and stored in the malicious application library 190, and at the same time stored in the malicious application sample library 160. This part of the work of the operation and maintenance personnel 300 is routine maintenance, carried out continuously to keep the knowledge libraries up to date.
The malicious application detection system 100 based on heuristic scanning described above addresses the low operating efficiency of heuristic scanning by using static behaviour analysis scanning, avoiding the performance bottleneck of loading the application into a virtual machine for execution and analysis: the Android application is first decompiled to form Smali code, and the permission requests, function calls, information output and so on of the application are analysed by static code analysis, so as to find applications with malicious behaviour. To address the high false positive rate of heuristic scanning technology, the malicious application detection system 100 applies similarity analysis to the suspected malicious applications it has found, combining several analyses (application name, package name, signing certificate, directory structure, text and image file similarity), which effectively reduces the false positive rate and improves the accuracy of identification.
Based on the malicious application detection system of the present invention described above, the present invention also proposes a malicious application detection method. Figure 2 shows a flow chart of a malicious application detection method 200 according to an embodiment of the present invention. As shown in Figure 2, the malicious application detection method 200 comprises the following steps:
In step S210, static code scanning is performed on the received application program to be detected, analysing from the three dimensions of permission requests, function calls and information output whether the application program has malicious behaviour matching any of the malicious behaviour information in the malicious behaviour information library; if malicious behaviour exists, the application program is labelled as a suspected malicious application, and if no malicious behaviour exists, the application program is labelled as a normal application.
In step S220, similarity analysis based on application name, package name, signing certificate, directory structure, text and image files is performed between the application program labelled as a suspected malicious application and the malicious application samples in the malicious application sample library, and an application program whose similarity meets the set value is labelled as a malicious application.
In step S230, application programs not labelled as malicious applications in step S220 are stored in the misjudgment information library.
In step S240, based on the result of manual analysis of the application programs in the misjudgment information library, an application program in the misjudgment information library that is not a malicious application is labelled as a normal application and stored in the normal application library, and the information of that normal application is stored in the white list library.
In step S250, based on the result of manual analysis of the application programs in the misjudgment information library, an application program in the misjudgment information library that is a malicious application is labelled as a malicious application and stored in the malicious application library, and the malicious application is stored in the malicious application sample library.
The malicious application detection method of the present invention described above combines the two techniques of static heuristic scanning and similarity analysis to detect malicious applications, avoids the performance bottleneck of loading the application into a virtual machine for execution and analysis, effectively reduces the false positive rate and improves the accuracy of identification.
Figure 3 shows a flow chart of a specific embodiment of the static heuristic scanning step S210 in the malicious application detection method 200 described above. As shown in Figure 3, step S210 specifically includes the following steps:
In step S211, the received application program to be detected is decompiled to form Smali code files together with the corresponding permission configuration file and resource files, and the application name, package name, signing certificate and directory structure of the application program are parsed out.
In the subsequent step S212, the reachability matrix model is called to scan and analyse, from the three dimensions of permission requests, function calls and information output, the code files, permission configuration file and resource files formed by decompilation, and to judge whether the application program has malicious behaviour matching any of the malicious behaviour information in the malicious behaviour information library. The reachability matrix model is generated in advance by loading the malicious behaviour information library and the white list library at system start-up. In one specific example, the algorithm by which the reachability matrix model scans and analyses is as follows:
Step 1, construct the basic behaviour information table: build an information table of permission configuration, function calls and information output by taking the contents of the three dimensions (permission requests, function calls and information output) of each malicious behaviour out of the malicious behaviour information library separately and, after de-duplication, forming them into a unified basic behaviour information table.
Step 2, construct the malicious behaviour information matrix: the number of columns of the matrix is the length of the basic behaviour information table, the number of rows is the number of malicious behaviour information entries, and the matrix elements are 0 or 1.
Step 3, construct the scan result matrix: this is a single-column matrix whose number of rows is the length of the basic behaviour information table. The permission configuration file, Smali code files and resource files of the application to be detected are scanned and matched against the basic behaviour information table; when an entry of the table is matched, the corresponding row of the matrix is 1, otherwise 0.
Step 4, construct the malicious behaviour trigger matrix: multiply the malicious behaviour information matrix by the scan result matrix to obtain the malicious behaviour trigger matrix, which is a row vector whose number of columns is the number of malicious behaviour information entries.
When the value of a certain column of the malicious behaviour trigger matrix is 1, the application program has met the malicious behaviour rule corresponding to that column, i.e. malicious behaviour exists.
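The four steps above, as an added Python example that is not code from the patent: the rule library, feature names and the scanned application are constructed for illustration. The product of step 4 is computed here as an integer count of matched features and reduced to the patent's 0/1 trigger value by treating any non-zero entry as 1; the `require_all` switch is an added, stricter variant that the patent does not describe.

```python
# Added example, not code from the patent: the four-step reachability-matrix
# scan of step S212 in plain Python.  The rule library, feature names and the
# scanned application are constructed for illustration.

# Constructed malicious behaviour information library: each entry lists the
# permission requests, function calls and information outputs that make up
# one malicious behaviour (the patent's three dimensions).
BEHAVIOUR_LIBRARY = {
    "sms_exfiltration": {
        "permission": ["android.permission.READ_SMS", "android.permission.INTERNET"],
        "call": ["Landroid/telephony/SmsManager;->sendTextMessage"],
        "output": ["http_post"],
    },
    "contact_harvest": {
        "permission": ["android.permission.READ_CONTACTS", "android.permission.INTERNET"],
        "call": ["Landroid/content/ContentResolver;->query"],
        "output": ["http_post"],
    },
}
DIMENSIONS = ("permission", "call", "output")


def build_behaviour_table(library):
    """Step 1: pull the three dimensions out of every rule and de-duplicate,
    keeping a fixed order so each entry can index one matrix column."""
    table = []
    for rule in library.values():
        for dim in DIMENSIONS:
            for feature in rule[dim]:
                if (dim, feature) not in table:
                    table.append((dim, feature))
    return table


def build_behaviour_matrix(library, table):
    """Step 2: one row per rule, one column per table entry, elements 0/1."""
    column = {entry: i for i, entry in enumerate(table)}
    matrix = []
    for rule in library.values():
        row = [0] * len(table)
        for dim in DIMENSIONS:
            for feature in rule[dim]:
                row[column[(dim, feature)]] = 1
        matrix.append(row)
    return matrix


def build_scan_vector(table, permissions, calls, outputs):
    """Step 3: single-column matrix with a 1 for every table entry found in the
    decompiled application's permission file, Smali code and resources."""
    found = {("permission", p) for p in permissions}
    found |= {("call", c) for c in calls}
    found |= {("output", o) for o in outputs}
    return [1 if entry in found else 0 for entry in table]


def matched_counts(matrix, scan):
    """Step 4: behaviour matrix times scan vector.  Entry j is the number of
    features of rule j that the application exhibits."""
    return [sum(a * b for a, b in zip(row, scan)) for row in matrix]


def trigger_vector(matrix, scan):
    """The patent's 0/1 trigger matrix: 1 wherever the product is non-zero."""
    return [1 if count > 0 else 0 for count in matched_counts(matrix, scan)]


def scan_application(permissions, calls, outputs, library=BEHAVIOUR_LIBRARY,
                     require_all=False):
    """Names of the rules the application triggers.  Default: a rule fires when
    its trigger entry is 1 (the patent's reading).  require_all=True is an
    assumed stricter variant that fires only when every feature is present."""
    table = build_behaviour_table(library)
    matrix = build_behaviour_matrix(library, table)
    scan = build_scan_vector(table, permissions, calls, outputs)
    counts = matched_counts(matrix, scan)
    triggered = []
    for name, row, count in zip(library, matrix, counts):
        if (count == sum(row)) if require_all else (count > 0):
            triggered.append(name)
    return triggered


if __name__ == "__main__":
    # Constructed scan results for one decompiled APK.
    perms = ["android.permission.READ_SMS", "android.permission.INTERNET"]
    calls = ["Landroid/telephony/SmsManager;->sendTextMessage"]
    outs = ["http_post"]
    print(scan_application(perms, calls, outs))                    # both rules
    print(scan_application(perms, calls, outs, require_all=True))  # sms_exfiltration only
```

Run as a script it prints the triggered rules for the constructed APK. Under the patent's reading a single shared feature such as the INTERNET permission already trips every rule that lists it, which is the false positive load the similarity stage is designed to absorb; `require_all=True` shows how much the verdict changes when every feature of a rule must be present.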
In the subsequent step S213, application programs with malicious behaviour are labelled as suspected malicious applications and stored in the suspected malicious application library, and application programs without malicious behaviour are labelled as normal applications and stored in the normal application library.
Figure 4 shows a flow chart of a specific embodiment of the similarity analysis step S220 in the malicious application detection method 200 described above. As shown in Figure 4, step S220 specifically includes the following steps:
In step S221, the application program to be analysed is obtained from the suspected malicious application library.
In the subsequent step S222, the signing certificate of the application program to be analysed is matched against the malicious application samples in the malicious application sample library.
In the subsequent step S223, it is judged whether the signing certificate used by the application program to be analysed exists in the malicious application sample library. If the signing certificate exists in the malicious application sample library, step S224 is executed: the application program is directly labelled as a malicious application and stored in the malicious application library, and the flow ends; otherwise step S225 is executed.
In step S225, similarity analysis of the application name and package name of the application program is further performed, searching the malicious application sample library for the set of samples whose application name and package name are similar.
In the subsequent step S226, it is judged whether a sample set with similar application name and package name was found. If so, step S227 is executed; otherwise step S228 is executed.
In step S227, similarity analysis of directory structure, text and image files is performed between each sample in the found sample set and the application program to be analysed, similarity values are calculated, and when some sample's similarity with the application program to be analysed meets the set value, the application program is labelled as a malicious application and stored in the malicious application library. Further, if no sample in the found sample set has a similarity with the application program to be analysed that meets the set value, the above similarity analysis is performed again with all samples in the sample library as the set.
In step S228, for the case where no sample set with application name and package name similar to those of the application program was found, similarity analysis of directory structure, text and image files is performed between all samples in the malicious application sample library and the application program to be analysed, similarity values are calculated, and when some sample's similarity with the application program to be analysed meets the set value, the application program is labelled as a malicious application and stored in the malicious application library. Application programs not labelled as malicious applications in step S228 are stored in the misjudgment information library for further manual processing by the operation and maintenance personnel.
In a specific example of the invention, the decision rule of the similarity analysis is:
1. code similarity greater than 85%;
2. text similarity greater than 60%;
3. image file similarity greater than 75%;
4. directory structure similarity greater than 70%.
When the above rules are met, the application is judged to be a malicious application; the above parameters can be adjusted according to analysis of operational data.
In a specific example of the invention, the similarity analysis of directory structure uses a directory matching method. The algorithm is relatively simple: taking the directory structure of the malicious application sample as the basis, it is compared level by level with the directory structure of the application to be analysed, the number of identical directories between the application to be analysed and the sample application is counted, and dividing by the total number of directories gives a percentage, which is the directory structure similarity value.
In a specific example of the invention, text similarity analysis uses an edit distance algorithm, i.e. the minimum number of edit operations needed to transform the source string into the target string; the smaller this value, the more similar the files. The final similarity formula is: (1 - edit distance / file size) * 100%. The similarity value of each file is calculated separately, and the mean of these values is then taken as the final similarity value of the two applications.
In a specific example of the invention, image file similarity analysis uses a perceptual hash algorithm: for each pair of same-name pictures to be compared, a 64-character "fingerprint" string is generated for each picture, and the fingerprints of the two pictures are compared; the closer the result, the more similar the pictures. The "fingerprint" strings are compared by the Hamming distance method: the 64 characters are compared without distinguishing character positions, and the number of differing characters found is the Hamming distance value. The Hamming distance value takes 10 as its maximum: a value greater than 10 indicates that the images are completely dissimilar, and a value less than 5 indicates that the images are similar. Finally, all images are analysed, their Hamming distance values are obtained, the average Hamming distance value is calculated, and the similarity of the image resources is computed from it. The final similarity formula is: (1 - average Hamming distance value / 10) * 100%.
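The similarity stage of steps S222 to S228 together with the three metrics and the decision rule of the specific examples above, as an added Python example that is not the patent's code (one edit-distance helper serves both the name/package prefilter of step S225 and the text metric). The sample library, the application under analysis, the name-distance threshold of 3, taking "file size" as the length of the longer text, taking "total directories" as the union of both directory sets, treating code similarity as text similarity over Smali files, and clamping the image formula at 0 are all assumptions made for this example; the fingerprints are constructed 64-character strings standing in for real perceptual hashes.

```python
# Added example, not the patent's code: similarity cascade of steps S222-S228
# with the directory, text and image metrics and the decision rule.  Sample
# data, the name-distance threshold, the "file size" and "total directories"
# definitions and the clamp on the image formula are assumptions.

def edit_distance(a, b):
    """Levenshtein distance: minimum insert/delete/substitute operations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def text_similarity(src, dst):
    """(1 - edit distance / file size) * 100 for one file pair; file size is
    taken as the length of the longer text (assumption)."""
    size = max(len(src), len(dst)) or 1
    return max(0.0, (1 - edit_distance(src, dst) / size) * 100)

def mean_text_similarity(files_a, files_b):
    """Per-file similarity over files of the same name, then the mean."""
    common = sorted(set(files_a) & set(files_b))
    if not common:
        return 0.0
    return sum(text_similarity(files_a[n], files_b[n]) for n in common) / len(common)

def directory_similarity(dirs_a, dirs_b):
    """Identical directories / total directories (union, assumed) as a percentage."""
    a, b = set(dirs_a), set(dirs_b)
    return 100.0 * len(a & b) / len(a | b) if a | b else 0.0

def hamming(fp_a, fp_b):
    """Number of differing characters between two 64-character fingerprints."""
    if len(fp_a) != 64 or len(fp_b) != 64:
        raise ValueError("perceptual-hash fingerprints must be 64 characters")
    return sum(x != y for x, y in zip(fp_a, fp_b))

def image_similarity(fps_a, fps_b):
    """(1 - average Hamming distance / 10) * 100 over same-name images,
    clamped at 0 once the average exceeds 10 ('completely dissimilar')."""
    common = sorted(set(fps_a) & set(fps_b))
    if not common:
        return 0.0
    avg = sum(hamming(fps_a[n], fps_b[n]) for n in common) / len(common)
    return max(0.0, (1 - avg / 10) * 100)

# Decision rule of the patent's specific example: all four must be exceeded.
THRESHOLDS = {"code": 85, "text": 60, "image": 75, "directory": 70}

def score_pair(app, sample):
    """Code similarity is treated as text similarity over Smali files (assumption)."""
    return {
        "code": mean_text_similarity(app["smali"], sample["smali"]),
        "text": mean_text_similarity(app["text"], sample["text"]),
        "image": image_similarity(app["images"], sample["images"]),
        "directory": directory_similarity(app["dirs"], sample["dirs"]),
    }

def meets_rule(scores, thresholds=THRESHOLDS):
    return all(scores[k] > thresholds[k] for k in thresholds)

def name_similar(app, sample, max_distance=3):
    """S225 prefilter: application name and package name both within an
    (assumed) edit distance of the sample's."""
    return (edit_distance(app["name"], sample["name"]) <= max_distance
            and edit_distance(app["package"], sample["package"]) <= max_distance)

def classify(app, samples):
    """S222-S228: certificate match, then the similar-name sample set, then the
    whole library.  Returns (verdict, matched sample id, stage)."""
    for s in samples:
        if s["cert"] == app["cert"]:
            return "malicious", s["id"], "certificate"
    name_set = [s for s in samples if name_similar(app, s)]
    for stage, pool in (("name_set", name_set), ("whole_library", samples)):
        for s in pool:
            if meets_rule(score_pair(app, s)):
                return "malicious", s["id"], stage
    return "misjudgment_library", None, None

# Constructed malicious sample library and application under analysis.
SAMPLES = [{
    "id": "S1", "cert": "cert-deadbeef", "name": "Flashlight",
    "package": "com.example.flashlight",
    "dirs": ["res/drawable", "res/layout", "assets"],
    "smali": {"Main.smali": "invoke-virtual {v0}, Lx/Sms;->send()V"},
    "text": {"strings.xml": "Free flashlight app"},
    "images": {"icon.png": "a" * 64},
}]
APP = {
    "cert": "cert-cafebabe", "name": "Flashlite", "package": "com.example.flashlite",
    "dirs": ["res/drawable", "res/layout", "assets", "lib"],
    "smali": {"Main.smali": "invoke-virtual {v0}, Lx/Sms;->send()V"},
    "text": {"strings.xml": "Free flashlite app"},
    "images": {"icon.png": "a" * 62 + "bb"},
}
```

`classify(APP, SAMPLES)` returns `('malicious', 'S1', 'name_set')` for the constructed data: the certificate does not match, but the name prefilter finds S1 and all four scores (code 100, text about 84.2, image 80, directory 75) exceed their thresholds. Changing the application's certificate to the sample's ends the cascade at the certificate stage, and an application with no sufficiently similar sample falls through to the misjudgment library for manual review.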
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent substitution and improvement made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A malicious application detection method, characterised in that it comprises the following steps:
S1, performing static code scanning on the received application program to be detected, analysing from the three dimensions of permission requests, function calls and information output whether the application program has malicious behaviour matching any malicious behaviour information in the malicious behaviour information library; if malicious behaviour exists, labelling the application program as a suspected malicious application, and if no malicious behaviour exists, labelling the application program as a normal application;
S2, performing similarity analysis based on application name, package name, signing certificate, directory structure, text and image files between the application program labelled as a suspected malicious application and the malicious application samples in the malicious application sample library, and labelling an application program whose similarity meets the set value as a malicious application.
2. The malicious application detection method according to claim 1, characterised in that the method further comprises:
S3, storing application programs not labelled as malicious applications in step S2 in a misjudgment information library;
S4, based on the result of manual analysis of the application programs in the misjudgment information library, labelling an application program in the misjudgment information library that is not a malicious application as a normal application and storing it in a normal application library, and storing the information of that normal application in a white list library;
S5, based on the result of manual analysis of the application programs in the misjudgment information library, labelling an application program in the misjudgment information library that is a malicious application as a malicious application and storing it in a malicious application library, and storing the malicious application in the malicious application sample library.
3. The malicious application detection method according to claim 2, characterised in that step S1 further comprises:
S11, decompiling the received application program to be detected to form code files together with the corresponding permission configuration file and resource files, and parsing out the application name, package name, signing certificate and directory structure of the application program;
S12, calling a reachability matrix model to scan and analyse, from the three dimensions of permission requests, function calls and information output, whether the code files, permission configuration file and resource files formed by decompilation contain malicious behaviour matching any malicious behaviour information in the malicious behaviour information library, wherein the reachability matrix model is generated in advance based on the malicious behaviour information library and the white list library;
S13, labelling application programs with malicious behaviour as suspected malicious applications and storing them in a suspected malicious application library, and labelling application programs without malicious behaviour as normal applications and storing them in the normal application library.
4. The malicious application detection method according to claim 2, characterised in that step S2 further comprises:
S21, matching the signing certificate of the application program labelled as a suspected malicious application against the malicious application samples in the malicious application sample library, and if the signing certificate exists in the malicious application sample library, directly labelling the application program as a malicious application and storing it in the malicious application library;
S22, if the signing certificate does not exist in the malicious application sample library, further performing similarity analysis of the application name and package name of the application program, and finding in the malicious application sample library the set of samples whose application name and package name are similar;
S23, if the sample set is found in step S22, performing similarity analysis of directory structure, text and image files between each sample in the sample set and the application program to be analysed, calculating similarity values, and when some sample's similarity with the application program to be analysed meets the set value, labelling the application program as a malicious application and storing it in the malicious application library;
S24, if the sample set is not found in step S22, or no sample in step S23 has a similarity with the application program to be analysed that meets the set value, performing similarity analysis of directory structure, text and image files between all samples in the malicious application sample library and the application program to be analysed, calculating similarity values, and when some sample's similarity with the application program to be analysed meets the set value, labelling the application program as a malicious application and storing it in the malicious application library.
5. The malicious application detection method according to claim 4, characterised in that the similarity analysis of application name and package name uses an edit distance algorithm, the directory structure similarity analysis uses a directory comparison method, the text similarity analysis uses an edit distance algorithm, and the image file similarity analysis uses a perceptual hash algorithm.
6. A malicious application detection system, characterised in that it comprises:
a malicious behaviour information library for storing various malicious behaviour information according to the three dimensions of permission requests, function calls and information output;
a malicious application sample library for storing information of various malicious application samples;
a static heuristic scanning subsystem for performing static code scanning on the received application program to be detected, analysing from the three dimensions of permission requests, function calls and information output whether the application program has malicious behaviour matching any malicious behaviour information in the malicious behaviour information library, labelling the application program as a suspected malicious application if malicious behaviour exists, and labelling the application program as a normal application if no malicious behaviour exists;
a similarity analysis subsystem for performing similarity analysis based on application name, package name, signing certificate, directory structure, text and image files between the application program labelled as a suspected malicious application by the static heuristic scanning subsystem and the malicious application samples in the malicious application sample library, and labelling an application program whose similarity meets the set value as a malicious application.
7. The malicious application detection system according to claim 6, characterised in that the system further comprises:
a suspected malicious application library for storing application programs labelled as suspected malicious applications by the static heuristic scanning subsystem;
a misjudgment information library for storing application programs not labelled as malicious applications by the similarity analysis subsystem;
a normal application library for storing application programs labelled as normal applications by the static heuristic scanning subsystem and application programs labelled as normal applications based on the result of manual analysis of the application programs in the misjudgment information library;
a white list library for storing the information of application programs labelled as normal applications based on the result of manual analysis of the application programs in the misjudgment information library;
a malicious application library for storing application programs labelled as malicious applications by the similarity analysis subsystem.
8. The malicious application detection system according to claim 7, characterised in that the static heuristic scanning subsystem further comprises:
a reachability matrix algorithm component for loading the malicious behaviour information library and the white list library and generating in advance a reachability matrix model based on the three dimensions of permission requests, function calls and information output;
a decompiling component for decompiling the received application program to be detected to form code files together with the corresponding permission configuration file and resource files, and parsing out the application name, package name, signing certificate and directory structure of the application program;
a malicious behaviour analysis component for calling the reachability matrix model to scan and analyse, from the three dimensions of permission requests, function calls and information output, whether the code files, permission configuration file and resource files formed by decompilation contain malicious behaviour matching any malicious behaviour information in the malicious behaviour information library;
a scheduling component for labelling application programs with malicious behaviour as suspected malicious applications and storing them in the suspected malicious application library, and labelling application programs without malicious behaviour as normal applications and storing them in the normal application library.
9. The malicious application detection system according to claim 7, characterised in that the similarity analysis subsystem further comprises:
a signing certificate matching component for matching the signing certificate of the application program to be analysed, obtained from the suspected malicious application library, against the malicious application samples in the malicious application sample library, and, if the signing certificate exists in the malicious application sample library, directly labelling the application program as a malicious application and storing it in the malicious application library;
a first similarity analysis component for, when the signing certificate of the application program to be analysed does not exist in the malicious application sample library, further performing similarity analysis of the application name and package name of the application program and finding in the malicious application sample library the set of samples whose application name and package name are similar;
a second similarity analysis component for, when the first similarity analysis component finds the sample set, performing similarity analysis of directory structure, text and image files between each sample in the sample set and the application program to be analysed, calculating similarity values, and, when some sample's similarity with the application program to be analysed meets the set value, labelling the application program as a malicious application and storing it in the malicious application library;
a third similarity analysis component for, when the first similarity analysis component does not find the sample set or the second similarity analysis component finds no sample whose similarity with the application program to be analysed meets the set value, performing similarity analysis of directory structure, text and image files between all samples in the malicious application sample library and the application program to be analysed, calculating similarity values, and, when some sample's similarity with the application program to be analysed meets the set value, labelling the application program as a malicious application and storing it in the malicious application library.
10. The malicious application detection system according to claim 1, characterised in that the first similarity analysis component uses an edit distance algorithm for application name and package name similarity analysis; the second similarity analysis component and the third similarity analysis component use a directory comparison method for directory structure similarity analysis, an edit distance algorithm for text similarity analysis and a perceptual hash algorithm for image file similarity analysis.
CN201510621631.XA 2015-09-25 2015-09-25 A kind of malicious application detection method and system Active CN106557695B (en)

Publications (2)

Publication Number Publication Date
CN106557695A true CN106557695A (en) 2017-04-05
CN106557695B CN106557695B (en) 2019-05-10

Family

ID=58414474

Country Status (1)

Country Link
CN (1) CN106557695B (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107341401A (en) * 2017-06-21 2017-11-10 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
CN108416192A (en) * 2018-03-01 2018-08-17 中国工商银行股份有限公司 A kind of device and method of detection personation enterprise application
CN109214182A (en) * 2017-07-03 2019-01-15 阿里巴巴集团控股有限公司 To the processing method for extorting software in virtual machine operation under cloud platform
CN109639884A (en) * 2018-11-21 2019-04-16 惠州Tcl移动通信有限公司 A kind of method, storage medium and terminal device based on Android monitoring sensitive permission
CN109670304A (en) * 2017-10-13 2019-04-23 北京安天网络安全技术有限公司 Recognition methods, device and the electronic equipment of malicious code family attribute
CN109714296A (en) * 2017-10-26 2019-05-03 中国电信股份有限公司 Threaten intelligence analysis method and apparatus
TWI668592B (en) * 2017-07-28 2019-08-11 中華電信股份有限公司 Method for automatically determining the malicious degree of Android App by using multiple dimensions
CN110222511A (en) * 2019-06-21 2019-09-10 杭州安恒信息技术股份有限公司 The recognition methods of Malware family, device and electronic equipment
CN110414236A (en) * 2019-07-26 2019-11-05 北京神州绿盟信息安全科技股份有限公司 A kind of detection method and device of malicious process
CN110826068A (en) * 2019-11-01 2020-02-21 海南车智易通信息技术有限公司 Safety detection method and safety detection system
CN111124486A (en) * 2019-12-05 2020-05-08 任子行网络技术股份有限公司 Method, system and storage medium for discovering android application to refer to third-party tool
CN111310181A (en) * 2020-02-21 2020-06-19 广州欢网科技有限责任公司 Application program processing method, device and system in application store system
CN111556042A (en) * 2020-04-23 2020-08-18 杭州安恒信息技术股份有限公司 Malicious URL detection method and device, computer equipment and storage medium
CN111859381A (en) * 2019-04-29 2020-10-30 深信服科技股份有限公司 File detection method, device, equipment and medium
CN112016606A (en) * 2020-08-20 2020-12-01 恒安嘉新(北京)科技股份公司 Detection method, device and equipment for application program APP and storage medium
CN112487420A (en) * 2019-09-11 2021-03-12 卡巴斯基实验室股份制公司 System and method for reducing the number of false positives in document classification
CN112632548A (en) * 2020-12-30 2021-04-09 北京天融信网络安全技术有限公司 Malicious android program detection method and device, electronic device and storage medium
CN113435177A (en) * 2021-07-14 2021-09-24 上海浦东发展银行股份有限公司 Target code file package comparison method, device, equipment, medium and system
CN113779583A (en) * 2021-11-10 2021-12-10 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101140611A (en) * 2007-09-18 2008-03-12 北京大学 Malevolence code automatic recognition method
CN101373501A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Method for capturing dynamic behavior aiming at computer virus
CN102779257A (en) * 2012-06-28 2012-11-14 奇智软件(北京)有限公司 Security detection method and system of Android application program
US20140082729A1 (en) * 2012-09-19 2014-03-20 Estsecurity Co., Ltd. System and method for analyzing repackaged application through risk calculation
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and static analysis device for Android application program
CN104331662A (en) * 2013-07-22 2015-02-04 深圳市腾讯计算机系统有限公司 Method and device for detecting Android malicious application
CN104866763A (en) * 2015-05-28 2015-08-26 天津大学 Permission-based Android malicious software hybrid detection method

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107341401A (en) * 2017-06-21 2017-11-10 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
CN107341401B (en) * 2017-06-21 2019-09-20 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
CN109214182B (en) * 2017-07-03 2022-04-15 阿里巴巴集团控股有限公司 Method for processing Lesox software in running of virtual machine under cloud platform
CN109214182A (en) * 2017-07-03 2019-01-15 阿里巴巴集团控股有限公司 To the processing method for extorting software in virtual machine operation under cloud platform
TWI668592B (en) * 2017-07-28 2019-08-11 中華電信股份有限公司 Method for automatically determining the malicious degree of Android App by using multiple dimensions
CN109670304A (en) * 2017-10-13 2019-04-23 北京安天网络安全技术有限公司 Recognition methods, device and the electronic equipment of malicious code family attribute
CN109670304B (en) * 2017-10-13 2020-12-22 北京安天网络安全技术有限公司 Malicious code family attribute identification method and device and electronic equipment
CN109714296A (en) * 2017-10-26 2019-05-03 中国电信股份有限公司 Threaten intelligence analysis method and apparatus
CN108416192A (en) * 2018-03-01 2018-08-17 中国工商银行股份有限公司 A kind of device and method of detection personation enterprise application
CN109639884A (en) * 2018-11-21 2019-04-16 惠州Tcl移动通信有限公司 A kind of method, storage medium and terminal device based on Android monitoring sensitive permission
CN111859381A (en) * 2019-04-29 2020-10-30 深信服科技股份有限公司 File detection method, device, equipment and medium
CN110222511A (en) * 2019-06-21 2019-09-10 杭州安恒信息技术股份有限公司 The recognition methods of Malware family, device and electronic equipment
CN110414236B (en) * 2019-07-26 2021-04-16 北京神州绿盟信息安全科技股份有限公司 Malicious process detection method and device
CN110414236A (en) * 2019-07-26 2019-11-05 北京神州绿盟信息安全科技股份有限公司 A kind of detection method and device of malicious process
CN112487420A (en) * 2019-09-11 2021-03-12 卡巴斯基实验室股份制公司 System and method for reducing the number of false positives in document classification
CN110826068B (en) * 2019-11-01 2022-03-18 海南车智易通信息技术有限公司 Safety detection method and safety detection system
CN110826068A (en) * 2019-11-01 2020-02-21 海南车智易通信息技术有限公司 Safety detection method and safety detection system
CN111124486A (en) * 2019-12-05 2020-05-08 任子行网络技术股份有限公司 Method, system and storage medium for discovering android application to refer to third-party tool
CN111310181A (en) * 2020-02-21 2020-06-19 广州欢网科技有限责任公司 Application program processing method, device and system in application store system
CN111556042A (en) * 2020-04-23 2020-08-18 杭州安恒信息技术股份有限公司 Malicious URL detection method and device, computer equipment and storage medium
CN111556042B (en) * 2020-04-23 2022-12-20 杭州安恒信息技术股份有限公司 Malicious URL detection method and device, computer equipment and storage medium
CN112016606A (en) * 2020-08-20 2020-12-01 恒安嘉新(北京)科技股份公司 Detection method, device and equipment for application program APP and storage medium
CN112632548A (en) * 2020-12-30 2021-04-09 北京天融信网络安全技术有限公司 Malicious android program detection method and device, electronic device and storage medium
CN112632548B (en) * 2020-12-30 2024-01-23 北京天融信网络安全技术有限公司 Malicious android program detection method and device, electronic equipment and storage medium
CN113435177A (en) * 2021-07-14 2021-09-24 上海浦东发展银行股份有限公司 Target code file package comparison method, device, equipment, medium and system
CN113779583A (en) * 2021-11-10 2021-12-10 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment
CN113779583B (en) * 2021-11-10 2022-02-22 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN106557695B (en) 2019-05-10

Similar Documents

Publication Publication Date Title
CN106557695A (en) A kind of malicious application detection method and system
CN108259494B (en) Network attack detection method and device
US20200097601A1 (en) Identification of an entity representation in unstructured data
Ceschin et al. The need for speed: An analysis of brazilian malware classifiers
Liang et al. A behavior-based malware variant classification technique
CN109391706A (en) Domain name detection method, device, equipment and storage medium based on deep learning
US20090287641A1 (en) Method and system for crawling the world wide web
CN111737692B (en) Application program risk detection method and device, equipment and storage medium
CN108229170B (en) Software analysis method and apparatus using big data and neural network
CN112989348B (en) Attack detection method, model training method, device, server and storage medium
CN113901465A (en) Heterogeneous network-based Android malicious software detection method
CN113076538A (en) Method for extracting embedded privacy policy of mobile application APK file
CN112580331A (en) Method and system for establishing knowledge graph of policy text
CN110532776B (en) Android malicious software efficient detection method, system and medium based on runtime data analysis
CN115658080A (en) Method and system for identifying open source code components of software
CN113468524B (en) RASP-based machine learning model security detection method
CN109284590A (en) Access method, equipment, storage medium and the device of behavior safety protection
CN113918936A (en) SQL injection attack detection method and device
CN113742785A (en) Webpage classification method and device, electronic equipment and storage medium
CN110472416A (en) A kind of web virus detection method and relevant apparatus
CN110012013A (en) A kind of virtual platform threat behavior analysis method and system based on KNN
CN113688346A (en) Illegal website identification method, device, equipment and storage medium
CN113935022A (en) Homologous sample capturing method and device, electronic equipment and storage medium
CN113407495A (en) SIMHASH-based file similarity determination method and system
CN112597498A (en) Webshell detection method, system and device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant