CN107330326A - Malicious Trojan detection processing method and device
- Publication number
- CN107330326A (CN201710336118.5A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
An embodiment of the present invention provides a malicious Trojan detection processing method and device. The method includes: obtaining multi-dimensional behavioral data of an application program to be detected, the multi-dimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; and, according to the multi-dimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application program to be detected. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs. The device is used to perform the above method. The method and device provided by the present invention improve the accuracy of malicious Trojan detection.
Description
Technical field
Embodiments of the present invention relate to the field of Internet technology, and in particular to a malicious Trojan detection processing method and device.
Background art
With the spread of mobile intelligent terminals, malicious Trojan attacks on mobile intelligent terminals, and the techniques for detecting them, are receiving increasing attention. A malicious Trojan program is covertly implanted in a user's device, where it can steal the private information the user has stored on the device and send it to the attacker; at the same time, it can maliciously consume the resources of the user's device, such as CPU, memory, network bandwidth and battery power, bringing the user serious privacy threats and tariff costs.
In the prior art, to resist malicious Trojan attacks, the current mainstream Trojan detection approaches are mainly of two kinds: static detection and dynamic detection.
Static detection techniques include signature-based detection and detection based on application code. Signature-based detection builds a malicious Trojan signature database, scans the applications installed on the mobile terminal and matches them against it, and flags and uninstalls the applications that match. Static detection based on application code generally means analyzing the program's source code and binary files, without actually executing the application, and extracting information such as application permissions and API calls to perform detection. However, signature-based static detection depends on a malicious Trojan signature database produced from Trojans or malicious applications that have already been identified, so it often lags seriously in recognizing new Trojans or malicious applications.
Dynamic detection techniques require actually executing the application and analyzing information such as its output or internal state. Dynamic detection is usually carried out in a real or virtual test environment (i.e., a sandbox): the malicious Trojan sample is activated under various conditions, all the behavior patterns the sample produces while running are monitored, and its execution flow and data changes are observed in order to judge its security. Although dynamic detection can effectively reduce the interference caused by code obfuscation and encryption in malicious Trojan programs, it needs to capture a large amount of data, occupies storage space, and has a single detection dimension.
In summary, both current static detection and current dynamic detection have a certain impact on the accuracy of malicious Trojan detection. Therefore, how to provide a malicious Trojan detection processing method that improves the accuracy of malicious Trojan detection is an important problem that the industry urgently needs to solve.
Summary of the invention
In view of the defects in the prior art, embodiments of the present invention provide a malicious Trojan detection processing method and device.
In one aspect, an embodiment of the present invention provides a malicious Trojan detection processing method, including:
obtaining multi-dimensional behavioral data of an application program to be detected, the multi-dimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information;
according to the multi-dimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application program to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs.
In another aspect, an embodiment of the present invention provides a malicious Trojan detection processing device, including:
an acquisition unit, configured to obtain multi-dimensional behavioral data of an application program to be detected, the multi-dimensional behavioral data including an application behavior log, a communication behavior log and network traffic data;
a detection unit, configured to perform, according to the multi-dimensional behavioral data, malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application program to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs.
In yet another aspect, an embodiment of the present invention provides an electronic device, including a processor, a memory and a bus, wherein:
the processor and the memory communicate with each other through the bus;
the processor can call the computer program in the memory to perform the steps of the above method.
In still another aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the above method are implemented.
The malicious Trojan detection processing method and device provided by the embodiments of the present invention use the trained malicious Trojan detection model to perform malicious Trojan detection processing on the application program to be detected, according to the obtained multi-dimensional behavioral data of that application program, and obtain the security detection result of the application program to be detected, which improves the accuracy of malicious Trojan detection.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the malicious Trojan detection processing method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the overall flow of the malicious Trojan detection processing method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the malicious Trojan detection processing device provided by one embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the malicious Trojan detection processing device provided by another embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the physical electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly below with reference to the drawings in the embodiments. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of the malicious Trojan detection processing method provided by an embodiment of the present invention. As shown in Fig. 1, this embodiment provides a malicious Trojan detection processing method, including:
S101, obtaining multi-dimensional behavioral data of an application program to be detected, the multi-dimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information;
Specifically, the malicious Trojan detection processing device obtains the multi-dimensional behavioral data of the application program to be detected on a mobile terminal. The multi-dimensional behavioral data includes an application behavior log, a communication behavior log and network traffic data information, and may also include behavioral data of other dimensions; this can be adjusted according to the actual situation and is not specifically limited here. It should be noted that the mobile terminal is provided with a terminal information collection module for collecting the application behavior log, a base station collection module for collecting the communication behavior log, and a distributed wireless local area network (WLAN) information collection module for collecting the network traffic data information. The device may be a malicious Trojan detection processing cloud platform; if the mobile terminal is connected to WIFI, the cloud platform can obtain the multi-dimensional behavioral data in real time.
S102, according to the multi-dimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application program to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs;
Specifically, the device inputs the multi-dimensional behavioral data of the mobile terminal's application program to be detected into the malicious Trojan detection model, which performs malicious Trojan detection processing on the application program to be detected and outputs its security detection result. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs. It can be understood that the security detection result is either that the application program to be detected is a safe application or that it is a malicious application. It can also be understood that the device may send the security detection result to the mobile terminal, so that the terminal, according to the security detection result, keeps a safe application running or uninstalls a malicious application.
The malicious Trojan detection processing method provided by this embodiment of the present invention uses the trained malicious Trojan detection model to perform malicious Trojan detection processing on the application program to be detected, according to the obtained multi-dimensional behavioral data of the mobile terminal's application program to be detected, and obtains the security detection result of the application program to be detected, which improves the accuracy of malicious Trojan detection.
On the basis of the above embodiment, further, the application behavior log is collected and reported by the mobile terminal through a built-in terminal information collection module; the communication behavior log is collected and reported by the mobile terminal through a built-in base station collection module; and the network traffic data information is collected and reported by the mobile terminal through a built-in distributed WLAN information collection module.
Specifically, the mobile terminal collects the application behavior log of the application program to be detected through the internally provided terminal information collection module, and reports it to the device through a resource information acquisition interface; the mobile terminal collects the communication behavior log of the application program to be detected through the internally provided base station collection module, and reports it to the device through the resource information acquisition interface; the mobile terminal collects the network traffic data information of the application program to be detected through the internally provided distributed WLAN information collection module, and reports it to the device through the resource information acquisition interface. It can be understood that the application behavior log of the application program to be detected includes logs of application behaviors such as call recording, local recording and device (Bluetooth, camera) operation; the communication behavior log includes logs of communication behaviors such as making calls and sending short messages or multimedia messages; and the network traffic data information includes traffic data information of network operation behaviors such as sending mail, mobile network connection and WLAN connection. These can be adjusted according to the actual situation and are not specifically limited here.
On the basis of the above embodiment, further, the method also includes:
collecting historical multi-dimensional behavioral data of multiple application programs, the multiple application programs including safe applications and malicious applications;
according to the historical multi-dimensional behavioral data and the security attributes of the multiple application programs, performing training computation on the multi-dimensional behavioral data by means of a machine learning algorithm, to obtain the malicious Trojan detection model.
Specifically, the device collects the historical multi-dimensional behavioral data of multiple application programs in advance; the multiple application programs include safe applications and malicious applications. According to the historical multi-dimensional behavioral data and the security attributes of the multiple application programs, the device performs training computation on the multi-dimensional behavioral data by means of a machine learning algorithm and obtains the malicious Trojan detection model. It should be noted that the quantity of historical behavioral data for the application programs is not specifically limited here, but to improve the reliability of the malicious Trojan detection model, the historical multi-dimensional behavioral data of as many application programs as possible should be collected.
On the basis of the above embodiment, further, performing training computation on the multi-dimensional behavioral data by means of a machine learning algorithm, according to the historical multi-dimensional behavioral data and the security attributes of the multiple application programs, includes:
if it is determined that an application program is a safe application, storing the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in a safe behavior database; otherwise, storing them in a malicious behavior database;
according to the safe behavior database and the malicious behavior database, performing training computation on the multi-dimensional behavioral data by means of a machine learning algorithm.
Specifically, if the device determines that an application program collected in advance is a safe application, it stores the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in the safe behavior database; if it determines that an application program collected in advance is a malicious application, it stores the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in the malicious behavior database. The device then performs training computation on the multi-dimensional behavioral data by means of a machine learning algorithm, according to the safe behavior database and the malicious behavior database, and obtains the malicious Trojan detection model. It should be noted that the machine learning algorithm includes the support vector machine algorithm, the Naive Bayes algorithm and deep learning algorithms, and may also include other machine learning algorithms; this can be adjusted according to the actual situation and is not specifically limited here.
Fig. 2 is a schematic diagram of the overall flow of the malicious Trojan detection processing method provided by an embodiment of the present invention. As shown in Fig. 2, the malicious Trojan detection processing method provided by this embodiment specifically includes the following steps:
S201, obtaining the application behavior log of the application program to be detected. The device obtains the application behavior log of the application program to be detected; the application behavior log is collected and reported by the mobile terminal through the built-in terminal information collection module. Then step S202 is performed;
S202, obtaining the communication behavior log of the application program to be detected. The device obtains the communication behavior log of the application program to be detected; the communication behavior log is collected and reported by the mobile terminal through the built-in base station collection module. Then step S203 is performed;
S203, obtaining the network traffic data information of the application program to be detected. The device obtains the network traffic data information of the application program to be detected; the network traffic data information is collected and reported by the mobile terminal through the built-in distributed WLAN information collection module. Then step S204 is performed;
S204, inputting into the malicious Trojan detection model. The device inputs the application behavior log, communication behavior log and network traffic data information of the application program to be detected into the malicious Trojan detection model obtained by training in advance. Then step S205 is performed;
S205, outputting the security detection result of the application program to be detected. The malicious Trojan detection model outputs the security detection result of the application program to be detected; the security detection result is either that the application program to be detected is a safe application or that it is a malicious application. Then step S206 is performed;
S206, sending the security detection result to the mobile terminal. The device sends the security detection result to the mobile terminal, so that the terminal, according to the security detection result, keeps a safe application running or uninstalls a malicious application.
The malicious Trojan detection processing method provided by this embodiment of the present invention uses the trained malicious Trojan detection model to perform malicious Trojan detection processing on the application program to be detected, according to the obtained multi-dimensional behavioral data of the mobile terminal's application program to be detected, and obtains the security detection result of the application program to be detected, which improves the accuracy of malicious Trojan detection.
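The training step (safe and malicious behavior databases feeding a machine learning algorithm) and the S201 to S206 flow described above, as an added example that is not part of the patent: a pure-Python Bernoulli Naive Bayes, one of the algorithms the text names, run over constructed records. The event names, the "dimension:event" feature encoding, the 0.5 decision threshold and every function name are assumptions made for illustration.

```python
import math
from collections import Counter

# The three behavior dimensions named in the text (the short keys are an assumption).
DIMENSIONS = ("app", "comm", "net")

# Constructed training records: (behavior record, is_malicious). Event names are illustrative.
TRAINING = [
    ({"app": ["camera"], "comm": [], "net": ["wlan_connect"]}, False),
    ({"app": ["bluetooth"], "comm": ["call"], "net": ["mobile_connect"]}, False),
    ({"app": [], "comm": ["sms"], "net": ["wlan_connect", "mail"]}, False),
    ({"app": ["camera", "bluetooth"], "comm": [], "net": ["wlan_connect"]}, False),
    ({"app": ["local_recording"], "comm": ["sms", "mms"], "net": ["mobile_connect", "mail"]}, True),
    ({"app": ["local_recording", "camera"], "comm": ["sms"], "net": ["mobile_connect"]}, True),
    ({"app": ["local_recording"], "comm": ["call", "sms"], "net": ["mail", "wlan_connect"]}, True),
]


def flatten(record):
    """Merge the three reported logs into one set of 'dimension:event' features."""
    unknown = set(record) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown behavior dimension(s): {sorted(unknown)}")
    return {f"{dim}:{event}" for dim in DIMENSIONS for event in record.get(dim, ())}


def build_databases(labelled_apps):
    """Route each application's records to the safe or malicious behavior database."""
    safe_db, malicious_db = [], []
    for record, is_malicious in labelled_apps:
        (malicious_db if is_malicious else safe_db).append(flatten(record))
    return safe_db, malicious_db


def train(safe_db, malicious_db):
    """Fit Bernoulli Naive Bayes with Laplace smoothing from the two databases."""
    if not safe_db or not malicious_db:
        raise ValueError("both behavior databases need at least one application")
    vocab = sorted(set().union(*safe_db, *malicious_db))
    total = len(safe_db) + len(malicious_db)
    model = {"vocab": vocab, "classes": {}}
    for label, db in (("safe", safe_db), ("malicious", malicious_db)):
        counts = Counter(f for feats in db for f in feats)
        model["classes"][label] = {
            "log_prior": math.log(len(db) / total),
            # P(event observed | class), smoothed so it is never exactly 0 or 1
            "p": {f: (counts[f] + 1) / (len(db) + 2) for f in vocab},
        }
    return model


def detect(model, record):
    """S204/S205: return (verdict, P(malicious)) for one application's record."""
    feats = flatten(record)
    scores = {}
    for label, cls in model["classes"].items():
        score = cls["log_prior"]
        for f in model["vocab"]:  # events never seen in training are ignored
            p = cls["p"][f]
            score += math.log(p if f in feats else 1.0 - p)
        scores[label] = score
    top = max(scores.values())  # subtract the max before exp() to avoid underflow
    weights = {k: math.exp(v - top) for k, v in scores.items()}
    p_malicious = weights["malicious"] / sum(weights.values())
    return ("malicious" if p_malicious >= 0.5 else "safe"), p_malicious


def terminal_action(verdict):
    """S206: what the terminal does with the result it receives."""
    return "uninstall" if verdict == "malicious" else "continue_running"


if __name__ == "__main__":
    model = train(*build_databases(TRAINING))
    sample = {"app": ["local_recording"], "comm": ["sms"], "net": ["mobile_connect"]}
    verdict, prob = detect(model, sample)
    print(verdict, round(prob, 3), terminal_action(verdict))
```

With only seven constructed applications the probabilities are illustrative; the text's point that as much historical data as possible should be collected applies directly to how stable these estimates are.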
Fig. 3 is a schematic structural diagram of the malicious Trojan detection processing device provided by one embodiment of the present invention. As shown in Fig. 3, this embodiment of the present invention provides a malicious Trojan detection processing device, including an acquisition unit 301 and a detection unit 302, wherein:
the acquisition unit 301 is configured to obtain multi-dimensional behavioral data of an application program to be detected, the multi-dimensional behavioral data including an application behavior log, a communication behavior log and network traffic data; the detection unit 302 is configured to perform, according to the multi-dimensional behavioral data, malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, to obtain the security detection result of the application program to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs.
Specifically, the acquisition unit 301 obtains the multi-dimensional behavioral data of the application program to be detected on a mobile terminal. The multi-dimensional behavioral data includes an application behavior log, a communication behavior log and network traffic data information, and may also include behavioral data of other dimensions; this can be adjusted according to the actual situation and is not specifically limited here. The detection unit 302 inputs the multi-dimensional behavioral data of the mobile terminal's application program to be detected into the malicious Trojan detection model, which performs malicious Trojan detection processing on the application program to be detected and outputs its security detection result. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavioral data of multiple application programs.
It should be noted that the mobile terminal is provided with a terminal information collection module for collecting the application behavior log, a base station collection module for collecting the communication behavior log, and a distributed WLAN information collection module for collecting the network traffic data information. The device may be a malicious Trojan detection processing cloud platform; if the mobile terminal is connected to WIFI, the cloud platform can obtain the multi-dimensional behavioral data in real time. It can be understood that the security detection result is either that the application program to be detected is a safe application or that it is a malicious application; the device may also send the security detection result to the mobile terminal, so that the terminal, according to the security detection result, keeps a safe application running or uninstalls a malicious application.
The malicious Trojan detection processing device provided by this embodiment of the present invention uses the trained malicious Trojan detection model to perform malicious Trojan detection processing on the application program to be detected, according to the obtained multi-dimensional behavioral data of the mobile terminal's application program to be detected, and obtains the security detection result of the application program to be detected, which improves the accuracy of malicious Trojan detection.
On the basis of the above embodiment, further, the application behavior log is collected and reported by the mobile terminal through a built-in terminal information collection module; the communication behavior log is collected and reported by the built-in base station collection module; and the network traffic data is collected and reported by the built-in distributed WLAN information collection module.
Specifically, the mobile terminal collects the application behavior log of the application program to be detected through the internally provided terminal information collection module, and reports it to the acquisition unit 301 through a resource information acquisition interface; the mobile terminal collects the communication behavior log of the application program to be detected through the internally provided base station collection module, and reports it to the acquisition unit 301 through the resource information acquisition interface; the mobile terminal collects the network traffic data information of the application program to be detected through the internally provided distributed WLAN information collection module, and reports it to the acquisition unit 301 through the resource information acquisition interface. It can be understood that the application behavior log of the application program to be detected includes logs of application behaviors such as call recording, local recording and device (Bluetooth, camera) operation; the communication behavior log includes logs of communication behaviors such as making calls and sending short messages or multimedia messages; and the network traffic data information includes traffic data information of network operation behaviors such as sending mail, mobile network connection and WLAN connection. These can be adjusted according to the actual situation and are not specifically limited here.
Fig. 4 is a schematic structural diagram of the malicious Trojan detection processing device provided by another embodiment of the present invention. As shown in Fig. 4, the malicious Trojan detection processing device provided by this embodiment further includes, in addition to an acquisition unit 401 and a detection unit 402, a collection unit 403 and a training unit 404; the acquisition unit 401 and the detection unit 402 are consistent with the acquisition unit 301 and the detection unit 302 in the above embodiment, wherein:
the collection unit 403 is configured to collect historical multi-dimensional behavioral data of multiple application programs, the multiple application programs including safe applications and malicious applications; the training unit 404 is configured to perform, according to the historical multi-dimensional behavioral data and the security attributes of the multiple application programs, training computation on the multi-dimensional behavioral data by means of a machine learning algorithm, to obtain the malicious Trojan detection model.
Specifically, the collection unit 403 collects the historical multi-dimensional behavioral data of multiple application programs in advance; the multiple application programs include safe applications and malicious applications. The training unit 404 performs, according to the historical multi-dimensional behavioral data and the security attributes of the multiple application programs, training computation on the multi-dimensional behavioral data by means of a machine learning algorithm, and obtains the malicious Trojan detection model. It should be noted that the quantity of historical behavioral data for the application programs is not specifically limited here, but to improve the reliability of the malicious Trojan detection model, the historical multi-dimensional behavioral data of as many application programs as possible should be collected.
On the basis of the above embodiment, further, the training unit 404 is specifically configured to:
if it is determined that an application program is a safe application, store the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in a safe behavior database; otherwise, store them in a malicious behavior database;
according to the safe behavior database and the malicious behavior database, perform training computation on the multi-dimensional behavioral data by means of a machine learning algorithm.
Specifically, if the training unit 404 determines that an application program collected in advance is a safe application, it stores the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in the safe behavior database; if the training unit 404 determines that an application program collected in advance is a malicious application, it stores the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in the malicious behavior database. The training unit 404 then performs training computation on the multi-dimensional behavioral data by means of a machine learning algorithm, according to the safe behavior database and the malicious behavior database, and obtains the malicious Trojan detection model. It should be noted that the machine learning algorithm includes the support vector machine algorithm, the Naive Bayes algorithm and deep learning algorithms, and may also include other machine learning algorithms; this can be adjusted according to the actual situation and is not specifically limited here.
The malicious Trojan detection processing device provided by this embodiment of the present invention uses the trained malicious Trojan detection model to perform malicious Trojan detection processing on the application program to be detected, according to the obtained multi-dimensional behavioral data of the mobile terminal's application program to be detected, obtains the security detection result of the application program to be detected, and sends the security detection result to the mobile terminal, which improves the accuracy of malicious Trojan detection.
The apparatus embodiment provided by the present invention can be used to execute the processing flow of each of the above method embodiments. Its functions are not repeated here; refer to the detailed description of the above method embodiments.
Fig. 5 is a schematic structural diagram of the physical apparatus of an electronic device provided by an embodiment of the present invention. As shown in Fig. 5, the electronic device includes a processor 501, a memory 502 and a bus 503, where the processor 501 and the memory 502 communicate with each other via the bus 803. The processor 501 can call the computer program in the memory 802 to perform the following method: obtaining the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; according to the multidimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, and obtaining the security detection result of the application program to be detected; the malicious Trojan detection model being obtained by training on the historical multidimensional behavioral data of multiple application programs.
An embodiment of the present invention discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions. When the program instructions are executed by a computer, the computer is able to perform the methods provided by the above method embodiments, for example including: obtaining the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; according to the multidimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, and obtaining the security detection result of the application program to be detected; the malicious Trojan detection model being obtained by training on the historical multidimensional behavioral data of multiple application programs.
An embodiment of the present invention provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores a computer program, and the computer program causes a computer to perform the methods provided by the above method embodiments, for example including: obtaining the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; according to the multidimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, and obtaining the security detection result of the application program to be detected; the malicious Trojan detection model being obtained by training on the historical multidimensional behavioral data of multiple application programs.
In addition, the logic instructions in the above memory 503 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in each embodiment or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features; such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A malicious Trojan detection processing method, characterized by comprising:
obtaining the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information;
according to the multidimensional behavioral data, performing malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, and obtaining the security detection result of the application program to be detected; the malicious Trojan detection model being obtained by training on the historical multidimensional behavioral data of multiple application programs.
2. The method according to claim 1, characterized in that the application behavior log is collected and reported by a mobile terminal through a built-in terminal information acquisition module; the communication behavior log is collected and reported by the mobile terminal through a built-in base station acquisition module; and the network traffic data information is collected and reported by the mobile terminal through a built-in distributed wireless local area network information acquisition module.
3. The method according to claim 1, characterized in that the method further comprises:
collecting the historical multidimensional behavioral data of multiple application programs, the multiple application programs including safe applications and malicious applications;
according to the historical multidimensional behavioral data and the security attributes of the multiple application programs, performing training calculation on the multidimensional behavioral data by means of a machine learning algorithm to obtain the malicious Trojan detection model.
4. The method according to claim 3, characterized in that performing training calculation on the multidimensional behavioral data by means of a machine learning algorithm, according to the historical multidimensional behavioral data and the security attributes of the multiple application programs, comprises:
if an application program is determined to be a safe application, storing the application behavior log, the communication behavior log and the network traffic data information of the application program into a safe behavior database respectively; otherwise, storing them into a malicious behavior database;
according to the safe behavior database and the malicious behavior database, performing training calculation on the multidimensional behavioral data by means of a machine learning algorithm.
5. A malicious Trojan detection processing apparatus, characterized by comprising:
an acquiring unit, configured to obtain the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data;
a detection unit, configured to perform, according to the multidimensional behavioral data, malicious Trojan detection processing on the application program to be detected by means of a malicious Trojan detection model, and to obtain the security detection result of the application program to be detected; the malicious Trojan detection model being obtained by training on the historical multidimensional behavioral data of multiple application programs.
6. The apparatus according to claim 5, characterized in that the application behavior log is collected and reported by a mobile terminal through a built-in terminal information acquisition module; the communication behavior log is collected and reported by a built-in base station acquisition module; and the network traffic data is collected and reported by a built-in distributed wireless local area network information acquisition module.
7. The apparatus according to claim 5, characterized in that the apparatus further comprises:
a collecting unit, configured to collect the historical multidimensional behavioral data of multiple application programs, the multiple application programs including safe applications and malicious applications;
a training unit, configured to perform, according to the historical multidimensional behavioral data and the security attributes of the multiple application programs, training calculation on the multidimensional behavioral data by means of a machine learning algorithm to obtain the malicious Trojan detection model.
8. The apparatus according to claim 7, characterized in that the training unit is specifically configured to:
if an application program is determined to be a safe application, store the application behavior log, the communication behavior log and the network traffic data information of the application program into a safe behavior database respectively; otherwise, store them into a malicious behavior database;
according to the safe behavior database and the malicious behavior database, perform training calculation on the multidimensional behavioral data by means of a machine learning algorithm.
9. An electronic device, characterized by comprising a processor, a memory and a bus, wherein:
the processor and the memory communicate with each other via the bus;
the processor can call the computer program in the memory to perform the steps of the method according to any one of claims 1-4.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method according to claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710336118.5A CN107330326A (en) | 2017-05-12 | 2017-05-12 | A kind of malice trojan horse detection processing method and processing device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107330326A (en) | 2017-11-07 |
Family
ID=60192670
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710336118.5A Pending CN107330326A (en) | 2017-05-12 | 2017-05-12 | A kind of malice trojan horse detection processing method and processing device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107330326A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108234472A (en) * | 2017-12-28 | 2018-06-29 | 北京百度网讯科技有限公司 | Detection method and device, computer equipment and the readable medium of Challenging black hole attack |
CN108881307A (en) * | 2018-08-10 | 2018-11-23 | 中国信息安全测评中心 | A kind of safety detecting method and device of facing moving terminal |
CN109840419A (en) * | 2017-11-29 | 2019-06-04 | 财团法人资讯工业策进会 | Computer installation and recognize its software container behavior whether Yi Chang method |
CN111191239A (en) * | 2019-12-30 | 2020-05-22 | 北京邮电大学 | Process detection method and system for application program |
CN111859386A (en) * | 2020-08-03 | 2020-10-30 | 深圳市联软科技股份有限公司 | Trojan horse detection method and system based on behavior analysis |
CN114491524A (en) * | 2021-12-16 | 2022-05-13 | 中国通信建设第三工程局有限公司 | Big data communication system applied to intelligent network security |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103368904A (en) * | 2012-03-27 | 2013-10-23 | 百度在线网络技术(北京)有限公司 | Mobile terminal, and system and method for suspicious behavior detection and judgment |
CN105022960A (en) * | 2015-08-10 | 2015-11-04 | 济南大学 | Multi-feature mobile terminal malicious software detecting method based on network flow and multi-feature mobile terminal malicious software detecting system based on network flow |
CN105740707A (en) * | 2016-01-20 | 2016-07-06 | 北京京东尚科信息技术有限公司 | Malicious file identification method and device |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109840419A (en) * | 2017-11-29 | 2019-06-04 | 财团法人资讯工业策进会 | Computer installation and recognize its software container behavior whether Yi Chang method |
CN109840419B (en) * | 2017-11-29 | 2022-08-09 | 财团法人资讯工业策进会 | Computer device and method for identifying whether behavior of software container of computer device is abnormal |
CN108234472A (en) * | 2017-12-28 | 2018-06-29 | 北京百度网讯科技有限公司 | Detection method and device, computer equipment and the readable medium of Challenging black hole attack |
CN108881307A (en) * | 2018-08-10 | 2018-11-23 | 中国信息安全测评中心 | A kind of safety detecting method and device of facing moving terminal |
CN108881307B (en) * | 2018-08-10 | 2022-02-25 | 中国信息安全测评中心 | Security detection method and device for mobile terminal |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
CN111191239A (en) * | 2019-12-30 | 2020-05-22 | 北京邮电大学 | Process detection method and system for application program |
CN111859386A (en) * | 2020-08-03 | 2020-10-30 | 深圳市联软科技股份有限公司 | Trojan horse detection method and system based on behavior analysis |
CN114491524A (en) * | 2021-12-16 | 2022-05-13 | 中国通信建设第三工程局有限公司 | Big data communication system applied to intelligent network security |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107330326A (en) | A kind of malice trojan horse detection processing method and processing device | |
Arshad et al. | SAMADroid: a novel 3-level hybrid malware detection model for android operating system | |
CN107180192B (en) | Android malicious application detection method and system based on multi-feature fusion | |
CN105022960B (en) | Multiple features mobile terminal from malicious software detecting method and system based on network traffics | |
CN106951780B (en) | Beat again the static detection method and device of packet malicious application | |
CN106599686A (en) | Malware clustering method based on TLSH character representation | |
CN108092962A (en) | A kind of malice URL detection method and device | |
Li et al. | An Android malware detection method based on AndroidManifest file | |
CN107944274A (en) | A kind of Android platform malicious application off-line checking method based on width study | |
CN106599688B (en) | A kind of Android malware detection method based on applicating category | |
CN108009424A (en) | Virus behavior detection method, apparatus and system | |
CN105306495B (en) | user identification method and device | |
CN103500307A (en) | Mobile internet malignant application software detection method based on behavior model | |
CN103617393A (en) | Method for mobile internet malicious application software detection based on support vector machines | |
CN110287701A (en) | A kind of malicious file detection method, device, system and associated component | |
CN109657459A (en) | Webpage back door detection method, equipment, storage medium and device | |
Rizzo et al. | Unveiling web fingerprinting in the wild via code mining and machine learning | |
CN107368856A (en) | Clustering method and device, the computer installation and readable storage medium storing program for executing of Malware | |
US20230418943A1 (en) | Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same | |
CN107644161A (en) | Safety detecting method, device and the equipment of sample | |
CN109933977A (en) | A kind of method and device detecting webshell data | |
CN110929203A (en) | Abnormal user identification method, device, equipment and storage medium | |
CN109635993A (en) | Operation behavior monitoring method and device based on prediction model | |
CN113901465A (en) | Heterogeneous network-based Android malicious software detection method | |
CN103488947A (en) | Method and device for identifying instant messaging client-side account number stealing Trojan horse program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171107 |