CN106650445A - Malicious program recognition method - Google Patents
Malicious program recognition method Download PDFInfo
- Publication number
- CN106650445A CN106650445A CN201611167528.3A CN201611167528A CN106650445A CN 106650445 A CN106650445 A CN 106650445A CN 201611167528 A CN201611167528 A CN 201611167528A CN 106650445 A CN106650445 A CN 106650445A
- Authority
- CN
- China
- Prior art keywords
- program
- property
- sample
- rogue program
- rogue
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Debugging And Monitoring (AREA)
- Stored Programmes (AREA)
Abstract
The invention relates to a malicious program recognition method. Based on temporal property detection, the method comprises the following steps of the training step, wherein by conducting automatic temporal property mining on a sample program and comparing properties of a normal program sample and a malicious program sample, the part special for the malicious program is screened out, and therefore a malicious program property database is established; the recognition step, wherein property verification is conducted on a target program to be identified on the basis of the malicious program property database obtained in the training step, and whether the target program is a malicious program or not is judged by judging whether the target program has the malicious program property or not. Then, the program identified in the operation process can serve as a sample for further property mining to update and expand the malicious program property database, and therefore the malicious program identification capacity is automatically enhanced step by step.
Description
Technical field
The invention belongs to computer security detection technique field, and in particular to a kind of self-evolution based on tense nature examination
Rogue program recognition methodss.
Background technology
With the popularization of the growing and computer of information technology, from personal computer, smart mobile phone, to various intelligence
Family product, increasing computing device occurs in people by the side of.Computer is providing many facilities for the mankind, greatly
While improving social running efficiency, the safety issue of many is also brought.The evil that wherein most problems stems from
The propagation of meaning program and execution.Common rogue program has virus, anthelmintic, wooden horse, background program, and they can be to department of computer science
System is controlled, information stealth or even destruction, and can carry out automatic copy propagation, and this greatly compromises numerous computer users
Personal secrets, property safety, so have influence on society, nation's security.
Traditional rogue program detection recognizes that specific two included in it enter mainly by being scanned to rogue program
Characteristic sequence processed, so as to whether determining program is rogue program.For example, Chinese Patent Application No. be 201610134408.7 send out
Bright patent application, discloses a kind of unknown malicious code detecting method of flush bonding processor, including creates embedded system certainly
The step of body collection, generation detector collection, detection unknown malicious code;In instruction of the processor instruction level to normal procedure in system
Sequence information is acquired coding and generates binary string set as autologous collection, and the random binary string that generates is used as couple candidate detection
Device, and itself and the element of autologous concentration are carried out into Negative Selection generation detector collection;Using the binary string in detector collection with
The behavioural information binary string of the code to be detected collected from instruction-level is matched;Carried out using extra large people's rule of dual threshold
The binary string of autologous collection, the fuzzy matching between detector binary string and binary string to be detected, to improve to unknown
The verification and measurement ratio of malicious code, reduces the resource consumption of detecting system.
This detection method, although with detection speed it is fast the characteristics of, but need to constantly update property data base maintaining
Identification ability to rogue program, with hysteresis quality.
In addition, with the employing of the various obfuscations such as rogue program kind self-modifying, dead code insertion, this traditional detection
Method usually can fail.In the face of the situation that rogue program constantly makes a variation, traditional rogue program detection program is often in Passive Defence
Status.
The proposition of model inspection technology, originally for checking whether software model meets the property described in requirement documents
Matter, if using malicious act feature as property to be verified, model inspection can be naturally also applied to the detection of rogue program.
For example, Chinese Patent Application No. is 200810089576.4 application for a patent for invention, discloses a kind of based on semantic malice generation
Code detection method, the inventive method includes the finite state automata for a) obtaining known malicious code;B) to be detected two are obtained
The pushdown automata of system suspect program;C) using the described pushdown automata of Model Checking detection and the finite state
With the presence or absence of the input character string that can be received by both simultaneously between automat, if so, then judge above-mentioned to be detected suspicious
Program is rogue program.
Tense nature examination is a branch of model inspection technology, and it focuses mainly on whether possessing time phase in model
The property of pass, can describe certain sequential relationship, and generally in rogue program, in order to complete certain class malicious act, must
Possess the property according to certain order executing instruction operations, therefore, it is possible to introduce temporal logic be described, it is natural, it is possible to
Carry out the checking of property.At present, with the development of research field, the more tense property method for digging automatically of research are needed.
The content of the invention
For traditional rogue program characteristic sequence detection method, binding model detection technique, the present invention proposes one kind
Self-evolution rogue program recognition methodss based on tense nature examination.By Binary analysis instrument, program sample is passed
Return the dis-assembling of descent method, abolish the impact of the obfuscations such as effects of overlapping, self-modifying, and generate corresponding procedural model,
On the basis of this, tense property excavation, screening and collection are carried out, initial rogue program tense property data storehouse is constructed, at it
In rogue program identification process afterwards, only need to treat recognizer carries out Property Verification, so as to whether determining program possesses malice
Property.And property collection can be carried out as new samples using it, to expand rogue program tense property data storehouse, it is automatically completed
The enhancing of rogue program power of test.
Specifically, the invention provides a kind of rogue program recognition methodss, the method comprising the steps of:
Training step, according to sample program rogue program property data storehouse is built;
Identification step, treating recognizer using model checking method carries out Property Verification, determines whether rogue program.
Preferably, the training step is by carrying out tense property excavation to the sample program and normal by contrast
Program sample and the property of rogue program sample, filter out part specific to rogue program, so as to set up the rogue program
Property data storehouse.
Preferably, the identification step is on the basis of the rogue program property data storehouse, to target journey to be identified
Sequence carries out Property Verification, whether possesses rogue program property according to target program to judge whether target program is rogue program.
Preferably, methods described uses following two data bases:Normal procedure tense property data storehouse, stores normal procedure
Property obtained by sample excavation;Rogue program tense property data storehouse, stores the property obtained by rogue program sample excavation.
It is furthermore preferred that methods described further includes following steps:Test sample program is carried out according to judged result
Mark, to carry out the expansion in tense property data storehouse.
It is furthermore preferred that the training step includes following sub-step:
(1) a known malicious whether sample program, is read from sample program storehouse, recurrence is used using I DA Pro
Descent method carries out dis-assembling, library function call identification, corresponding controlling stream map generalization to the object code of the sample program;
(2), the controlling stream graph of sample program is converted to into migratory system model;
(3) tense property mining algorithm, is run on migratory system model, with common tense property as template, excavation refers to
Make tense property present in path;
(4) whether it is, rogue program according to the sample program, the tense property excavated is stored in into respectively normal procedure
Tense property data storehouse or rogue program tense property data storehouse;
(5), whether there is program sample in judgment sample program library;If no longer possessing program sample in sample program storehouse,
Next step (6) is then jumped to, step (1) is otherwise returned to;
(6) normal procedure property data storehouse and the property in rogue program property data storehouse, are contrasted, is filtered out and is only belonged to dislike
The property of meaning routine data, updates rogue program property data storehouse.
It is furthermore preferred that the identification step includes following sub-step:
(1), program to be identified is read, treating the object code of recognizer carries out dis-assembling, Library function recognition and control
System stream map generalization;
(2), the controlling stream graph of program to be identified is converted to into migratory system model;
(3), check in migratory system model whether there is rogue program property data using temporal logic model checker
Tense property in storehouse;
(4), judge whether migratory system model possesses a certain rogue program property;If migratory system model possesses a certain
Rogue program property, represents that it possesses malice feature with regard to output result, otherwise, then regards as normal procedure.
Beneficial effects of the present invention are as follows:The present invention can effectively recognize rogue program, while can be by running
The program for identifying carries out further property excavation as sample, and to update rogue program property data storehouse is expanded, so as to
Automatically progressively strengthen rogue program identification ability.
Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention,
And can be practiced according to the content of description, and in order to allow the above and other objects of the present invention, feature and advantage can
Become apparent, below especially exemplified by the specific embodiment of the present invention.
Description of the drawings
By the detailed description for reading hereafter preferred implementation, various other advantages and benefit is common for this area
Technical staff will be clear from understanding.Accompanying drawing is only used for illustrating the purpose of preferred implementation, and is not considered as to the present invention
Restriction.And in whole accompanying drawing, it is denoted by the same reference numerals identical part.In the accompanying drawings:
Fig. 1 is a kind of flow chart of self-evolution rogue program recognition methodss based on tense nature examination of the present invention;
Fig. 2 is the method flow diagram of the training step of the present invention;
Fig. 3 is the method flow diagram of the identification step of the present invention.
Specific embodiment
The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although showing the disclosure in accompanying drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure and should not be by embodiments set forth here
Limited.On the contrary, there is provided these embodiments are able to be best understood from the disclosure, and can be by the scope of the present disclosure
Complete conveys to those skilled in the art.
As shown in figure 1, the present invention discloses a kind of self-evolution rogue program recognition methodss based on tense nature examination, it is described
Method is comprised the following steps:
Training step S110, according to sample program rogue program property data storehouse is built.By carrying out to sample program certainly
Dynamic tense property is excavated, and by contrasting the property of normal procedure sample and rogue program sample, filters out rogue program institute
Distinctive part, so as to set up rogue program property data storehouse.For example, the specific part of the rogue program can be malice
Specific binary features sequence included in program.
Identification step S120, treating recognizer using model checking method carries out Property Verification, determines whether malice
Program.On the basis of the rogue program property data storehouse that training step draws, to target program progressive to be identified
Matter is verified, whether possesses rogue program property according to target program to judge whether target program is rogue program.
Rogue program recognition methodss of the present invention, possess self-evolution ability:In use, according to judged result,
Test program is labeled, to carry out the expansion in tense property data storehouse.Preferably, one of the invention preferred reality
Example is applied, methods described also uses following two data bases:Normal procedure tense property data storehouse DB1:Storage normal procedure sample
Property obtained by excavation;Rogue program tense property data storehouse DB2:Property obtained by storage rogue program sample excavation.Maliciously
Procedure identification method can also carry out further property excavation using the program identified in running as sample, with more
It is new to expand rogue program property data storehouse, so as to automatically progressively enhanced rogue program identification ability.
As shown in Fig. 2 the training step in the present invention includes following flow process:
Step A1:A sample program is read from sample program storehouse, i.e., one known malicious whether program is adopted
IDA Pro carry out dis-assembling, library function call identification, corresponding control to the object code of the sample program using recursive descendent method
Stream map generalization;The purpose of the step is to abolish the impact of the obfuscations such as effects of overlapping, self-modifying.
IDA Pro, are interactive disassembler professional version (Interactive Disassembler Professional)
Abbreviation, or referred to as IDA is a MS-DOS application program based on control station.
IDA is a kind of recursive decrease disassembler.But, in order to improve the efficiency of recursive decrease process, IDA is distinguishing number
While according to code, also seek to determine the type of these data.Although it is seen that the generation of assembler language form in IDA
One of code, but the main target of IDA, it is that the code as close possible to source code is presented.Additionally, IDA not only uses data class
Type information, and the variable and function name by deriving to try one's best annotates the dis-assembling code of generation.These annotations
The quantity of original hexadecimal code is minimized, and significantly increases the quantity of the encoding information for providing a user with.
Step A2:The controlling stream graph of sample program is converted to into migratory system model;
Step A3:Tense property mining algorithm is run on migratory system model, with some common tense properties as mould
Plate, excavates tense property present in command path;
Step A4:Whether it is rogue program according to the sample program, the tense property excavated is stored in respectively normally
Program tense property data storehouse and rogue program tense property data storehouse;
Step A5:If no longer possessing program sample in sample program storehouse, next step A6 is jumped to, otherwise return to step
A1;
Step A6:Property in contrast normal procedure property data storehouse DB1 and rogue program property data storehouse DB2, screening
Go out those properties for only belonging to rogue program data, update rogue program property data storehouse DB2, will DB2 content updates be
The difference set of DB2-DB1.
As shown in figure 3, the identification step in the present invention includes following flow process:
Step B1:Read program to be identified, treat the object code of recognizer carry out dis-assembling, Library function recognition and
Controlling stream map generalization;
Step B2:The controlling stream graph of program to be identified is converted to into migratory system model;
Step B3:Check in migratory system model whether there is rogue program property number using temporal logic model checker
According to the tense property in the DB2 of storehouse;
Step B4:If migratory system model possesses a certain rogue program property, with regard to output result, represent that it possesses malice
Feature, otherwise, then regards as normal procedure.
The present invention carries out the dis-assembling of recursive descendent method by Binary analysis appliance id A Pro to program sample, abolishes
The impact of the obfuscations such as effects of overlapping, self-modifying, and corresponding procedural model is generated, on this basis, carry out tense property
Excavate, screen and collection, construct initial rogue program tense property data storehouse, the rogue program identification process after
In, treating recognizer carries out Property Verification, so as to whether determining program possesses malice property.And can be using it as new samples
Property collection is carried out, to expand rogue program tense property data storehouse, the enhancing of rogue program power of test is automatically completed.
It should be noted that:
Provided herein algorithm and display be not inherently related to any certain computer, virtual bench or miscellaneous equipment.
Various fexible units can also be used together based on teaching in this.As described above, construct required by this kind of device
Structure be obvious.Additionally, the present invention is also not for any certain programmed language.It is understood that, it is possible to use it is various
Programming language realizes the content of invention described herein, and the description done to language-specific above is to disclose this
Bright preferred forms.
In description mentioned herein, a large amount of details are illustrated.It is to be appreciated, however, that the enforcement of the present invention
Example can be put into practice in the case of without these details.In some instances, known method, structure is not been shown in detail
And technology, so as not to obscure the understanding of this description.
Similarly, it will be appreciated that in order to simplify the disclosure and help understand one or more in each inventive aspect, exist
Above in the description of the exemplary embodiment of the present invention, each feature of the present invention is grouped together into single enforcement sometimes
In example, figure or descriptions thereof.However, the method for the disclosure should be construed to reflect following intention:I.e. required guarantor
The more features of feature that the application claims ratio of shield is expressly recited in each claim.More precisely, such as following
Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore,
Thus the claims for following specific embodiment are expressly incorporated in the specific embodiment, wherein each claim itself
All as the separate embodiments of the present invention.
Those skilled in the art are appreciated that can be carried out adaptively to the module in the equipment in embodiment
Change and they are arranged in one or more equipment different from the embodiment.Can be the module or list in embodiment
Unit or component are combined into a module or unit or component, and can be divided in addition multiple submodule or subelement or
Sub-component.In addition at least some in such feature and/or process or unit is excluded each other, can adopt any
Combine to all features disclosed in this specification (including adjoint claim, summary and accompanying drawing) and so disclosed
Where all processes or unit of method or equipment are combined.Unless expressly stated otherwise, this specification is (including adjoint power
Profit is required, summary and accompanying drawing) disclosed in each feature can it is identical by offers, be equal to or the alternative features of similar purpose carry out generation
Replace.
Although additionally, it will be appreciated by those of skill in the art that some embodiments described herein include other embodiments
In included some features rather than further feature, but the combination of the feature of different embodiments means in of the invention
Within the scope of and form different embodiments.For example, in the following claims, embodiment required for protection appoint
One of meaning can in any combination mode using.
The present invention all parts embodiment can be realized with hardware, or with one or more processor operation
Software module realize, or with combinations thereof realization.It will be understood by those of skill in the art that can use in practice
Microprocessor or digital signal processor (DSP) are come in the creating device for realizing virtual machine according to embodiments of the present invention
The some or all functions of a little or whole parts.The present invention is also implemented as performing method as described herein
Some or all equipment or program of device (for example, computer program and computer program).Such realization
The program of the present invention can be stored on a computer-readable medium, or can have the form of one or more signal.This
The signal of sample can be downloaded from internet website and obtained, or be provided on carrier signal, or be carried in any other form
For.
It should be noted that above-described embodiment the present invention will be described rather than limits the invention, and ability
Field technique personnel can design without departing from the scope of the appended claims alternative embodiment.In the claims,
Any reference markss between bracket should not be configured to limitations on claims.Word "comprising" is not excluded the presence of not
Element listed in the claims or step.Word "a" or "an" before element does not exclude the presence of multiple such
Element.The present invention can come real by means of the hardware for including some different elements and by means of properly programmed computer
It is existing.If in the unit claim for listing equipment for drying, several in these devices can be by same hardware branch
To embody.The use of word first, second, and third does not indicate that any order.These words can be explained and be run after fame
Claim.
Obviously, those skilled in the art can carry out the essence of various changes and modification without deviating from the present invention to the present invention
God and scope.So, if these modifications and modification to the present invention belong to the model of the claims in the present invention and its equivalent technology
Within enclosing, then the present invention is also intended to comprising these changes and modification.
Claims (7)
1. a kind of rogue program recognition methodss, it is characterised in that:
The method comprising the steps of:
Training step, according to sample program rogue program property data storehouse is built;
Identification step, treating recognizer using model checking method carries out Property Verification, determines whether rogue program.
2. a kind of rogue program recognition methodss as claimed in claim 1, it is characterised in that:
The training step by contrast normal procedure sample and is disliked by carrying out tense property excavation to the sample program
The property of meaning program sample, filters out part specific to rogue program, so as to set up the rogue program property data storehouse.
3. a kind of rogue program recognition methodss as claimed in claim 1, it is characterised in that:
The identification step carries out property and tests on the basis of the rogue program property data storehouse to target program to be identified
Whether card, possess rogue program property according to target program to judge whether target program is rogue program.
4. a kind of rogue program recognition methodss as claimed in claim 1, it is characterised in that:
Methods described uses following two data bases:Normal procedure tense property data storehouse, storage normal procedure sample excavates institute
The property for obtaining;Rogue program tense property data storehouse, stores the property obtained by rogue program sample excavation.
5. a kind of rogue program recognition methodss as described in claim 1-4 any one, it is characterised in that:
Methods described further includes following steps:Test sample program is labeled according to judged result, during carrying out
The expansion in state property data storehouse.
6. a kind of rogue program recognition methodss as described in claim 1-4 any one, it is characterised in that:
The training step includes following sub-step:
(1) a known malicious whether sample program, is read from sample program storehouse, recursive decrease is used using IDA Pro
Method carries out dis-assembling, library function call identification, corresponding controlling stream map generalization to the object code of the sample program;
(2), the controlling stream graph of sample program is converted to into migratory system model;
(3) tense property mining algorithm, is run on migratory system model, with common tense property as template, instruction road is excavated
Tense property present in footpath;
(4) whether it is, rogue program according to the sample program, the tense property excavated is stored in into respectively normal procedure tense
Property data storehouse or rogue program tense property data storehouse;
(5), whether there is program sample in judgment sample program library;If no longer possessing program sample in sample program storehouse, jump
To next step (6), step (1) is otherwise returned to;
(6) normal procedure property data storehouse and the property in rogue program property data storehouse, are contrasted, is filtered out and is only belonged to malice journey
The property of ordinal number evidence, updates rogue program property data storehouse.
7. a kind of rogue program recognition methodss as described in claim 1-4 any one, it is characterised in that:
The identification step includes following sub-step:
(1), program to be identified is read, treating the object code of recognizer carries out dis-assembling, Library function recognition and controlling stream
Map generalization;
(2), the controlling stream graph of program to be identified is converted to into migratory system model;
(3), check in migratory system model whether have in rogue program property data storehouse using temporal logic model checker
Tense property;
(4), judge whether migratory system model possesses a certain rogue program property;If migratory system model possesses a certain malice
Program property, represents that it possesses malice feature with regard to output result, otherwise, then regards as normal procedure.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611167528.3A CN106650445B (en) | 2016-12-16 | 2016-12-16 | A kind of rogue program recognition methods |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611167528.3A CN106650445B (en) | 2016-12-16 | 2016-12-16 | A kind of rogue program recognition methods |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106650445A true CN106650445A (en) | 2017-05-10 |
| CN106650445B CN106650445B (en) | 2019-05-28 |
Family
ID=58822865
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201611167528.3A Active CN106650445B (en) | 2016-12-16 | 2016-12-16 | A kind of rogue program recognition methods |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106650445B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101266550B (en) * | 2007-12-21 | 2011-02-16 | 北京大学 | Malicious code detection method |
| CN103177215A (en) * | 2013-03-05 | 2013-06-26 | 四川电力科学研究院 | Computer malicious software detection novel method based on software control flow features |
| CN105138916A (en) * | 2015-08-21 | 2015-12-09 | 中国人民解放军信息工程大学 | Multi-track malicious program feature detecting method based on data mining |
| CN105446881A (en) * | 2015-11-26 | 2016-03-30 | 福建工程学院 | Automatic detection method for program unaccessible paths |
| CN105760762A (en) * | 2016-03-10 | 2016-07-13 | 华中科技大学 | Unknown malicious code detection method for embedded processor |
| CN103902911B (en) * | 2014-04-16 | 2016-09-14 | 南京大学 | A kind of malware detection methods based on program structure feature |
-
2016
- 2016-12-16 CN CN201611167528.3A patent/CN106650445B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101266550B (en) * | 2007-12-21 | 2011-02-16 | 北京大学 | Malicious code detection method |
| CN103177215A (en) * | 2013-03-05 | 2013-06-26 | 四川电力科学研究院 | Computer malicious software detection novel method based on software control flow features |
| CN103902911B (en) * | 2014-04-16 | 2016-09-14 | 南京大学 | A kind of malware detection methods based on program structure feature |
| CN105138916A (en) * | 2015-08-21 | 2015-12-09 | 中国人民解放军信息工程大学 | Multi-track malicious program feature detecting method based on data mining |
| CN105446881A (en) * | 2015-11-26 | 2016-03-30 | 福建工程学院 | Automatic detection method for program unaccessible paths |
| CN105760762A (en) * | 2016-03-10 | 2016-07-13 | 华中科技大学 | Unknown malicious code detection method for embedded processor |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106650445B (en) | 2019-05-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111639337B (en) | Unknown malicious code detection method and system for massive Windows software | |
| CN104123493B (en) | The safety detecting method and device of application program | |
| CN111611586B (en) | Software vulnerability detection method and device based on graph convolution network | |
| CN103761475B (en) | Method and device for detecting malicious code in intelligent terminal | |
| CN103473506B (en) | For the method and apparatus identifying malice APK file | |
| CN109753800A (en) | Merge the Android malicious application detection method and system of frequent item set and random forests algorithm | |
| CN105184160B (en) | A kind of method of the Android phone platform application program malicious act detection based on API object reference relational graphs | |
| CN103902910B (en) | Detect method and the device of malicious code in intelligent terminal | |
| CN102567661B (en) | Program recognition method and device based on machine learning | |
| CN103106365B (en) | The detection method of the malicious application software on a kind of mobile terminal | |
| EP3695310A1 (en) | Blackbox matching engine | |
| CN117951701A (en) | Method for determining flaws and vulnerabilities in software code | |
| CN106874180A (en) | Detection System And Method Thereof | |
| CN109543410B (en) | Malicious code detection method based on semantic mapping association | |
| CN111753290B (en) | Software type detection method and related equipment | |
| CN101751530B (en) | Method for detecting loophole aggressive behavior and device | |
| Rabin et al. | Syntax-guided program reduction for understanding neural code intelligence models | |
| CN111324893B (en) | Detection method and background system for android malicious software based on sensitive mode | |
| CN101901184B (en) | Method, device and system for inspecting vulnerability of application program | |
| CN106886417A (en) | A kind of universal parallel method for digging of linear temporal specification | |
| CN117435480A (en) | Binary file detection method and device, electronic equipment and storage medium | |
| CN115292674A (en) | Fraud application detection method and system based on user comment data | |
| CN106845224A (en) | A kind of rogue program identifying system | |
| Naeem et al. | Identifying vulnerable IoT applications using deep learning | |
| CN113971283A (en) | Malicious application program detection method and device based on features |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20210823 Address after: Room 801, no.6, Lane 600, Yunling West Road, Putuo District, Shanghai 200062 Patentee after: SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd. Address before: 200062 No. 3663, Putuo District, Shanghai, Zhongshan North Road Patentee before: EAST CHINA NORMAL University |