CN107169351A - Android unknown malware detection method combining dynamic behaviour features - Google Patents

Info

Publication number
CN107169351A
Authority
CN
China
Prior art keywords
software
feature
android
dynamic behaviour
dynamic
Legal status
Pending
Application number
CN201710331198.5A
Other languages
Chinese (zh)
Inventor
潘丽敏
张笈
杨静雅
罗森林
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Application filed by Beijing Institute of Technology BIT
Priority to CN201710331198.5A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The present invention relates to an Android unknown malware detection method combining dynamic behaviour features, and belongs to the technical field of computer and information science. The software under test is first input into the system. The system then decompresses and decompiles the software package and extracts static features from the resulting files. At the same time, the system runs the package in an Android emulator, monitors the software's dynamic behaviour with a behaviour monitoring system based on an LKM (Loadable Kernel Module), records a log, and extracts the software's dynamic behaviour features from the log. Finally, the extracted dynamic and static features are normalised and input to a classification and detection module built on a trained classification algorithm, which automatically judges from the input static and dynamic feature data whether the software under test is malware. The invention has high detection efficiency and accuracy and can be applied to security screening on software platforms such as Android application markets.

Description

Android unknown malware detection method combining dynamic behaviour features
Technical field
The present invention relates to an Android unknown malware detection method combining dynamic behaviour features, and belongs to the technical field of computer and information science.
Background
Since the Symbian 5.0 system appeared in March 1999, smartphone operating systems have developed vigorously for more than a decade. In recent years, a new generation of operating systems such as Android, Windows Phone and iOS has gradually taken most of the smartphone operating system market. Among them Android, as an open-source operating system, has developed the fastest.
The rapid development of Android has not only brought convenience to the vast number of smartphone users; its huge market and commercial value have also drawn the attention of hackers worldwide. According to the "Mobile Phone Security Report for the First Half of 2016" from the Tencent Mobile Security Lab, 9.1825 million new Android virus packages appeared in the first half of 2016, a year-on-year increase of 53.90% and 9.15 times the number of new virus packages for the whole of 2014 (1.0033 million). Of these, 323,300 were new payment-virus packages, a year-on-year increase of 986.14%, so the payment-virus situation is severe. The number of users infected by mobile phone viruses in the first half of 2016 exceeded 200 million, 3.12 times the total population of Britain and a year-on-year increase of 42.35%. Of these, 16.7033 million users were infected by payment viruses, a year-on-year increase of 45.82%.
Looking across existing malware detection methods, the commonly used approaches are:
1. Signature-database matching
This method generally first extracts features from the malware and then matches them against an already established database of malware features to decide whether the software is malware. Because it has to compare against a database of known malware features, it cannot detect unknown malware.
2. Machine learning
Because machine learning has achieved good results in detecting unknown malware on the PC platform, more and more research applies this class of methods to Android. Traditional signature-database matching cannot detect unknown malware. Existing machine-learning-based Android malware detection methods improve on signature matching and can detect unknown malware, but static features alone or dynamic features alone struggle to represent the key attributes of malware comprehensively, which easily leads to false positives or missed detections and degrades detection performance; detection efficiency also suffers if the extracted feature dimensionality is too high. Meanwhile, in terms of test data, using a larger number of positive and negative samples and keeping the two as balanced in quantity as possible can further improve detection accuracy.
In summary, existing detection methods cannot detect malware efficiently, accurately and comprehensively, so the present invention proposes an Android unknown malware detection method combining dynamic behaviour features.
Summary of the invention
The purpose of the present invention is to improve the accuracy of detecting unknown Android malware and to reduce the dimensionality of the extracted features, by proposing an Android unknown malware detection method combining dynamic behaviour features.
The design principle of the present invention is as follows. The invention performs dynamic behaviour feature extraction and static file feature extraction on the Android software under test and classifies it with a classification algorithm to judge whether the software is malware. First, the software under test is input into the system. The system then decompresses and decompiles the software package and extracts static features from the resulting files. At the same time, the system runs the package in an Android emulator, monitors the software's dynamic behaviour with the application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module), records a log, and extracts the software's dynamic behaviour features from the log. Finally, the extracted dynamic and static features are normalised and input to a classification and detection module built on a trained classification algorithm, which automatically judges from the input static and dynamic feature data whether the software under test is malware.
The technical scheme of the present invention is achieved by the following steps:
Step 1, take the apk package of the Android software as input and extract its static file features.
Step 2, monitor the software's dynamic behaviour using the application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module) and extract the software's dynamic behaviour features. The concrete implementation is:
Step 2.1, when the monitored software attempts to produce malicious behaviour, the system first hijacks and replaces the Linux system call corresponding to the behaviour produced by the monitored software.
Step 2.2, in the handler of the replaced system call, the system call's parameters are parsed to determine which kind of behaviour has been observed.
Step 2.3, record the malicious-behaviour log of the monitored software, analyse the log, and extract the software's dynamic behaviour features.
Step 3, take the union of the results of Step 1 and Step 2 as the initial feature set.
Step 4, use a feature selection algorithm to select from the initial feature set the features most valuable for classification, reducing the feature dimensionality and filtering out the essential feature set.
Step 5, take the selected essential feature set as input, train a classifier with a classification algorithm to produce the final malware detection model, and detect the samples under test.
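The log-analysis half of Step 2.3, as an added example that is not code from the patent: it parses a behaviour-monitor log into counts for the five behaviour classes the embodiment lists in its Step 2.5 and min-max normalises them across samples. The log format, event names, feature names and the choice of min-max scaling are assumptions of this example, and the sample logs are constructed.

```python
# Added example: behaviour-monitor log -> normalised dynamic feature vector.
# The log format, event names and feature names are assumptions.

FEATURES = ["net_bytes_out", "net_bytes_in", "file_reads", "file_writes",
            "svc_starts", "svc_stops", "leak_network", "leak_sms",
            "sms_sent", "calls_dialled"]

# Events counted once per record, events whose bytes= field is summed, and
# events that also bump a leak counter when the record carries a leak= tag.
COUNTED = {"FILE_READ": "file_reads", "FILE_WRITE": "file_writes",
           "SVC_START": "svc_starts", "SVC_STOP": "svc_stops",
           "SMS_SEND": "sms_sent", "CALL_DIAL": "calls_dialled"}
SIZED = {"NET_SEND": "net_bytes_out", "NET_RECV": "net_bytes_in"}
LEAKY = {"NET_SEND": "leak_network", "SMS_SEND": "leak_sms"}
KNOWN = set(COUNTED) | set(SIZED)

# Constructed sample logs, one record per line: "timestamp|EVENT|key=value;key=value".
LOG_NOISY = """\
1001|NET_SEND|bytes=512;leak=imei
1002|NET_RECV|bytes=2048
1003|FILE_WRITE|path=/data/local/tmp/x
1004|SMS_SEND|dst=5550100;leak=contacts
1005|SMS_SEND|dst=5550100
1006|CALL_DIAL|dst=5550101
1007|SVC_START|name=.SyncService
1008|NET_SEND|bytes=oops
truncated line
"""
LOG_QUIET = """\
2001|FILE_READ|path=/sdcard/a.txt
2002|FILE_READ|path=/sdcard/b.txt
2003|NET_RECV|bytes=1024
2004|SVC_START|name=.Player
2005|SVC_STOP|name=.Player
"""


def parse_record(line):
    """Split one log line into (event, fields); None if it is malformed."""
    parts = line.strip().split("|")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    fields = {}
    for item in parts[2].split(";"):
        key, sep, value = item.partition("=")
        if not sep or not key:
            return None
        fields[key] = value
    return parts[1], fields


def extract_features(log_text):
    """Return (feature dict, number of records skipped as unusable)."""
    feats = dict.fromkeys(FEATURES, 0)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None or record[0] not in KNOWN:
            skipped += 1
            continue
        event, fields = record
        if event in SIZED:
            if not fields.get("bytes", "").isdigit():
                skipped += 1  # size missing or not a number
                continue
            feats[SIZED[event]] += int(fields["bytes"])
        else:
            feats[COUNTED[event]] += 1
        if event in LEAKY and fields.get("leak"):
            feats[LEAKY[event]] += 1
    return feats, skipped


def normalise(vectors):
    """Min-max scale each feature to [0, 1] across samples; a feature with
    the same value in every sample maps to 0.0."""
    lo = {k: min(v[k] for v in vectors) for k in FEATURES}
    hi = {k: max(v[k] for v in vectors) for k in FEATURES}
    return [[(v[k] - lo[k]) / (hi[k] - lo[k]) if hi[k] > lo[k] else 0.0
             for k in FEATURES] for v in vectors]


if __name__ == "__main__":
    vecs = [extract_features(log)[0] for log in (LOG_NOISY, LOG_QUIET)]
    for name, row in zip(("noisy", "quiet"), normalise(vecs)):
        print(name, row)
```

Malformed or unparsable records are counted rather than silently dropped, so a monitor that starts emitting garbage shows up as a rising skip count instead of as a quieter-looking sample.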
Beneficial effects
Compared with traditional signature-database matching, the present invention can detect unknown malware.
Compared with existing machine-learning-based Android malware detection methods, the present invention monitors the software's dynamic behaviour with the LKM-based application behaviour monitoring method and analyses the monitoring log to extract dynamic behaviour features. This gives higher accuracy in monitoring software behaviour, and combining the dynamic behaviour features of malicious code characterises the essence of a sample better and improves detection accuracy. At the same time, the feature dimensionality is reduced, which improves detection efficiency.
Brief description of the drawings
Fig. 1 is a schematic diagram of the Android unknown malware detection method combining dynamic behaviour features proposed by the present invention;
Fig. 2 is a schematic diagram of static feature extraction in the proposed method;
Fig. 3 is a schematic diagram of dynamic feature extraction in the proposed method;
Fig. 4 is a schematic diagram of dynamic behaviour monitoring in the proposed method.
Embodiment
To better illustrate the objects and advantages of the present invention, the method is described in further detail below with reference to an embodiment. The illustrative embodiment and its description are used to explain the invention and do not limit it. The specific flow is:
Step 1, extract the software's static features.
Step 1.1, the static feature extraction module decompresses and, at the same time, decompiles the software under test.
Step 1.2, extract features separately from the dex and so files obtained by decompression. From dex files the following are mainly extracted: dex file header information, string offset and count, type offset and count, method prototype offset and count, field offset and count, and class definition offset and count. From so files the following are mainly extracted: ELF file header information, system call information, section header information, symbol table, global offset table, program segments, dynamic section, dynamic symbol section and relocation section.
Step 1.3, extract features separately from the smali and xml files obtained by decompilation. From smali files the following are extracted: class name, parent class name, resource name, method information (name, parameters, return value) and function call information. From xml files the following are extracted: software version information, software package information, the permissions the software requests, and program component information (including receiver, activity, service and provider).
Step 1.4, normalise the extracted features into the input format of the classification algorithm; 69 static feature dimensions are extracted in total.
Step 2, extract the software's dynamic features using the LKM-based application behaviour monitoring method.
Step 2.1, run the software under test in an Android emulator environment while feeding it pseudo-random event streams with the Monkey tool to trigger the software's behaviour.
Step 2.2, when the monitored software produces malicious behaviour, the system call is carried out through the swi trap instruction. The address of the swi entry is at offset 0x08 of the exception vector table, and the ARMv7-series processors used by Android use the high-address mode, so the swi address is 0xFFFF0008. The entry address of the interrupt service routine corresponding to swi is at an offset of 2 bytes from the swi address. Next, inspect the entry-common.S file under the arch/arm/kernel/ directory of the kernel source, find the zero_fp instruction in the ENTRY(vector_swi) code block, and continue searching downwards until the byte signature corresponding to the statement "adr tbl, sys_call_table" is found. The address of sys_call_table can then be calculated, and once the entry address of the system call table has been obtained the corresponding system calls can be replaced.
Step 2.3, the system call parameters make it possible to determine which behaviour of the software has been observed. The method mainly monitors three classes of behaviour: obtaining system services (including sending SMS messages, making calls, obtaining the phone number, etc.), network connections, and privilege escalation.
Step 2.4, record the observed behaviour in a log.
Step 2.5, analyse the monitoring log and extract five classes of dynamic behaviour features: network data in and out, file read/write operations, starting/stopping of services in the background, information leakage (via network and SMS), and SMS messages sent and phone calls dialled. Build the dynamic feature set; 32 dynamic feature dimensions are extracted in total.
Step 3, take the union of the 69 extracted static feature dimensions and the 32 dynamic feature dimensions as the initial feature set.
Step 4, feature dimensionality reduction.
Step 4.1, use the filter method to select the features whose χ² value, information gain and information gain ratio are all greater than 0, 68 dimensions in total.
Step 4.2, evaluate subsets using the wrapper method; the experimental result is "Merit of best subset found: 0.963", and 37 feature dimensions are selected in total.
Step 4.3, take the intersection of the two methods to build the essential feature set: 33 feature dimensions in total, of which 21 are static and 12 are dynamic.
Step 5, detect using the random forest algorithm.
Step 5.1, take the selected 33-dimension essential feature set as the input of the random forest algorithm.
Step 5.2, train the classifier with the random forest algorithm, train the detection model with ten-fold cross-validation, and tune the parameters. The number of trees is generally taken as the square of the number of features, and detection accuracy is highest when the number of randomly selected features is 15.
Step 5.3, detect the samples under test.
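Step 4's two selection passes and their intersection, as an added example that is not the patent's own code: the filter keeps features whose χ², information gain and gain ratio all exceed 0, and a greedy forward wrapper search scores candidate subsets by leave-one-out accuracy. The wrapper's search strategy and evaluator, the 0/1 feature encoding, the feature names and the data are assumptions made for the example.

```python
# Added example: filter scores, a small wrapper search, and their intersection.
from collections import Counter
from math import log2

EPS = 1e-9  # scores at or below this are treated as 0

# Constructed data: 6 malware samples (label 1) followed by 6 benign (label 0).
# Feature names are hypothetical, not taken from the patent.
NAMES = ["sms_sent", "net_bytes_out", "dex_magic_ok", "perm_read_contacts"]
ROWS = [(1, 1, 1, 1), (1, 1, 1, 1), (1, 1, 1, 1), (1, 1, 1, 0),
        (0, 0, 1, 0), (0, 0, 1, 0),
        (1, 0, 1, 1), (1, 0, 1, 1), (0, 1, 1, 0), (0, 1, 1, 0),
        (0, 1, 1, 0), (0, 1, 1, 0)]
LABELS = [1] * 6 + [0] * 6


def entropy(values):
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def filter_scores(column, labels):
    """Return (chi2, info_gain, gain_ratio) of one discrete feature vs. the label."""
    n = len(labels)
    joint = Counter(zip(column, labels))
    fx, fy = Counter(column), Counter(labels)
    chi2 = sum((joint[(x, y)] - fx[x] * fy[y] / n) ** 2 / (fx[x] * fy[y] / n)
               for x in fx for y in fy)
    cond = sum(fx[x] / n * entropy([y for v, y in zip(column, labels) if v == x])
               for x in fx)
    gain = entropy(labels) - cond
    split = entropy(column)  # 0 for a constant feature, so guard the division
    return chi2, gain, (gain / split if split > EPS else 0.0)


def loo_accuracy(rows, labels, cols):
    """Leave-one-out accuracy of a majority vote among the other samples that
    share the same values in `cols`; no such peer, or a tied vote, is a miss."""
    hits = 0
    for i, row in enumerate(rows):
        key = [row[c] for c in cols]
        votes = Counter(labels[j] for j, other in enumerate(rows)
                        if j != i and [other[c] for c in cols] == key)
        ranked = votes.most_common(2)
        if ranked and (len(ranked) == 1 or ranked[0][1] > ranked[1][1]):
            hits += ranked[0][0] == labels[i]
    return hits / len(rows)


def wrapper_select(rows, labels, names):
    """Greedy forward search: keep adding the feature that raises the merit most."""
    chosen, merit = [], 0.0
    while True:
        best = None
        for c in range(len(names)):
            if c in chosen:
                continue
            score = loo_accuracy(rows, labels, chosen + [c])
            if score > merit:
                merit, best = score, c
        if best is None:
            return [names[c] for c in chosen], merit
        chosen.append(best)


def select_essential(rows, labels, names):
    """Return (filter set, wrapper set, their intersection, wrapper merit)."""
    kept = [name for name, col in zip(names, zip(*rows))
            if all(s > EPS for s in filter_scores(col, labels))]
    wrapped, merit = wrapper_select(rows, labels, names)
    return kept, wrapped, [n for n in kept if n in wrapped], merit


if __name__ == "__main__":
    kept, wrapped, essential, merit = select_essential(ROWS, LABELS, NAMES)
    print("filter   :", kept)
    print("wrapper  :", wrapped, "merit", merit)
    print("essential:", essential)
```

On this data the filter keeps `sms_sent` and `perm_read_contacts`, the wrapper keeps `sms_sent` and `net_bytes_out`, and the intersection is `sms_sent` alone. A feature that only helps in combination with another scores 0 on every filter metric, so taking the intersection drops it even though the wrapper found it useful.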
Test results
The test detected malware from the malware sample library of the YanJinzhou team at North Carolina State University. The library contains 1,260 malware samples divided into 49 families. The present invention can effectively detect unknown malware samples, with accuracy reaching 97.5%.
The specific description above further explains the purpose, technical scheme and beneficial effects of the invention. It should be understood that the foregoing is only a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the present invention.

Claims (3)

1. An Android unknown malware detection method combining dynamic behaviour features, characterised in that the method comprises the following steps:
Step 1, take the apk package of the Android software as input and extract its static file features;
Step 2, monitor the software's dynamic behaviour using the application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module) and extract the software's dynamic behaviour features;
Step 3, take the union of the results of Step 1 and Step 2 as the initial feature set;
Step 4, use a feature selection algorithm to select from the initial feature set the features most valuable for classification, reducing the feature dimensionality and filtering out the essential feature set;
Step 5, take the selected essential feature set as input, train a classifier with a classification algorithm to produce the final malware detection model, and detect the samples under test.
2. The Android unknown malware detection method combining dynamic behaviour features according to claim 1, characterised in that the specific steps of the application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module) include:
Step 2.1, when the monitored software attempts to produce malicious behaviour, the system first hijacks and replaces the Linux system call corresponding to the behaviour produced by the monitored software;
Step 2.2, in the handler of the replaced system call, the system call's parameters are parsed to determine which kind of behaviour has been observed;
Step 2.3, record the malicious-behaviour log of the monitored software, analyse the log, and extract the software's dynamic behaviour features.
3. The Android unknown malware detection method combining dynamic behaviour features according to claim 1, characterised in that combining the software's static file features with its dynamic features can effectively improve the accuracy of unknown malware detection.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710331198.5A 2017-05-11 2017-05-11 Android unknown malware detection method combining dynamic behaviour features

Publications (1)

Publication Number Publication Date
CN107169351A 2017-09-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170915