CN107330326A - Malicious Trojan detection processing method and device - Google Patents

Malicious Trojan detection processing method and device

Info

Publication number
CN107330326A
Authority
CN
China
Prior art keywords
application program
behavioral data
trojan horse
application
malice
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710336118.5A
Other languages
Chinese (zh)
Inventor
朱大立
金昊
杨莹
吴荻
马宇晨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201710336118.5A
Publication of CN107330326A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

Embodiments of the present invention provide a malicious Trojan detection processing method and device. The method includes: obtaining multi-dimensional behavior data of an application to be detected, the multi-dimensional behavior data including an application behavior log, a communication behavior log and network traffic data information; and, according to the multi-dimensional behavior data, performing malicious Trojan detection processing on the application to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application to be detected. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications. The device is used to perform the above method. The method and device provided by the invention improve the accuracy of malicious Trojan detection.

Description

Malicious Trojan detection processing method and device
Technical field
Embodiments of the present invention relate to the field of Internet technology, and in particular to a malicious Trojan detection processing method and device.
Background
With the spread of mobile intelligent terminals, malicious Trojan attacks on mobile intelligent terminals, and the techniques for detecting them, are receiving increasing attention. A malicious Trojan program that is covertly implanted in a user's device can steal private information the user has stored on the device and send it to the attacker; it can also maliciously consume the device's resources, such as CPU, memory, network bandwidth and battery power, bringing serious privacy threats and tariff charges to the user.
In the prior art, to resist malicious Trojan attacks, the current mainstream Trojan detection approaches are mainly the following two: static detection and dynamic detection.
Static detection includes signature-based detection and detection based on application code. Signature-based detection builds a malicious Trojan signature library, scans the applications installed on the mobile terminal and matches them against the library, and issues a warning for, and uninstalls, any application that meets the conditions. Static detection based on application code usually means analyzing the program's source code and binary files, without actually executing the application, and extracting information such as application permissions and API calls to perform detection. However, signature-based static detection depends on a malicious Trojan signature library produced from Trojans or malicious applications that have already been identified, so it often lags seriously in recognizing new Trojans or malicious applications.
Dynamic detection requires actually executing the application and obtaining information such as its output or internal state for analysis. It is usually carried out in a real or virtual test environment (i.e. a sandbox): the malicious Trojan sample is activated under various conditions, all behavior patterns the sample produces while running are monitored, and its execution flow and data changes are observed in order to judge its security. Although dynamic detection can effectively reduce the interference caused by code obfuscation and encryption in malicious Trojan programs, it needs to capture a large amount of data, occupies storage space, and has a single detection dimension.
In summary, both current static detection and current dynamic detection affect the accuracy of malicious Trojan detection to some degree. Therefore, how to provide a malicious Trojan detection processing method that improves the accuracy of malicious Trojan detection is an important problem the industry urgently needs to solve.
Summary of the invention
In view of the defects in the prior art, embodiments of the present invention provide a malicious Trojan detection processing method and device.
In one aspect, an embodiment of the present invention provides a malicious Trojan detection processing method, including:
obtaining multi-dimensional behavior data of an application to be detected, the multi-dimensional behavior data including an application behavior log, a communication behavior log and network traffic data information;
according to the multi-dimensional behavior data, performing malicious Trojan detection processing on the application to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications.
In another aspect, an embodiment of the present invention provides a malicious Trojan detection processing device, including:
an acquisition unit, configured to obtain multi-dimensional behavior data of an application to be detected, the multi-dimensional behavior data including an application behavior log, a communication behavior log and network traffic data;
a detection unit, configured to perform, according to the multi-dimensional behavior data, malicious Trojan detection processing on the application to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications.
In a further aspect, an embodiment of the present invention provides an electronic device, including a processor, a memory and a bus, wherein:
the processor and the memory communicate with each other through the bus;
the processor can call a computer program in the memory to perform the steps of the above method.
In yet another aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the above method are implemented.
The malicious Trojan detection processing method and device provided by the embodiments of the present invention use a trained malicious Trojan detection model to perform malicious Trojan detection processing on the application to be detected, according to the obtained multi-dimensional behavior data of that application, and obtain a security detection result for it, which improves the accuracy of malicious Trojan detection.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the malicious Trojan detection processing method provided by an embodiment of the present invention;
Fig. 2 is an overall flow diagram of the malicious Trojan detection processing method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of the malicious Trojan detection processing device provided by one embodiment of the present invention;
Fig. 4 is a structural diagram of the malicious Trojan detection processing device provided by another embodiment of the present invention;
Fig. 5 is a structural diagram of the physical electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly below with reference to the drawings of the embodiments. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow diagram of the malicious Trojan detection processing method provided by an embodiment of the present invention. As shown in Fig. 1, this embodiment provides a malicious Trojan detection processing method, including:
S101: obtain multi-dimensional behavior data of the application to be detected, the multi-dimensional behavior data including an application behavior log, a communication behavior log and network traffic data information;
Specifically, the malicious Trojan detection processing device obtains the multi-dimensional behavior data of the application to be detected on a mobile terminal. The multi-dimensional behavior data includes the application behavior log, the communication behavior log and the network traffic data information, and may also include behavior data of other dimensions; this can be adjusted according to actual conditions and is not specifically limited here. It should be noted that the mobile terminal is provided with a terminal information collection module for collecting the application behavior log, a base station collection module for collecting the communication behavior log, and a distributed wireless LAN information collection module for collecting the network traffic data information. The device may be a malicious Trojan detection processing cloud platform; if the mobile terminal is connected to WIFI, the cloud platform can obtain the multi-dimensional behavior data in real time.
S102: according to the multi-dimensional behavior data, perform malicious Trojan detection processing on the application to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application to be detected; the malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications;
Specifically, the device inputs the multi-dimensional behavior data of the application to be detected on the mobile terminal into the malicious Trojan detection model, which performs malicious Trojan detection processing on the application and outputs its security detection result. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications. It can be understood that the security detection result is either that the application to be detected is a safe application or that it is a malicious application. It can also be understood that the device may send the security detection result to the mobile terminal, so that the terminal, according to the result, continues running a safe application or uninstalls a malicious application.
The malicious Trojan detection processing method provided by this embodiment uses a trained malicious Trojan detection model to perform malicious Trojan detection processing on the application to be detected, according to the obtained multi-dimensional behavior data of that application on the mobile terminal, and obtains a security detection result for it, which improves the accuracy of malicious Trojan detection.
On the basis of the above embodiment, further, the application behavior log is collected and reported by the mobile terminal through a built-in terminal information collection module; the communication behavior log is collected and reported by the mobile terminal through a built-in base station collection module; and the network traffic data information is collected and reported by the mobile terminal through a built-in distributed wireless LAN information collection module.
Specifically, the mobile terminal collects the application behavior log of the application to be detected through the internally provided terminal information collection module and reports it to the device through a resource information acquisition interface; the mobile terminal collects the communication behavior log of the application to be detected through the internally provided base station collection module and reports it to the device through the resource information acquisition interface; and the mobile terminal collects the network traffic data information of the application to be detected through the internally provided distributed wireless LAN information collection module and reports it to the device through the resource information acquisition interface. It can be understood that the application behavior log of the application to be detected includes logs of application behaviors such as call records, local recording and device (Bluetooth, camera) operation; the communication behavior log includes logs of communication behaviors such as making phone calls and sending SMS or MMS messages; and the network traffic data information includes traffic data for network operation behaviors such as sending email, mobile network connections and wireless LAN connections. This can be adjusted according to actual conditions and is not specifically limited here.
On the basis of the above embodiment, further, the method also includes:
collecting historical multi-dimensional behavior data of multiple applications, the multiple applications including safe applications and malicious applications;
according to the historical multi-dimensional behavior data and the security attributes of the multiple applications, performing training computation on the multi-dimensional behavior data with a machine learning algorithm to obtain the malicious Trojan detection model.
Specifically, the device collects the historical multi-dimensional behavior data of multiple applications in advance. The multiple applications include safe applications and malicious applications. According to the historical multi-dimensional behavior data and the security attributes of the multiple applications, the device performs training computation on the multi-dimensional behavior data with a machine learning algorithm and obtains the malicious Trojan detection model. It should be noted that the quantity of historical multi-dimensional behavior data for the applications is not specifically limited here, but to improve the reliability of the malicious Trojan detection model, as much historical multi-dimensional behavior data from multiple applications as possible should be collected.
On the basis of the above embodiment, further, performing training computation on the multi-dimensional behavior data with a machine learning algorithm, according to the historical multi-dimensional behavior data and the security attributes of the multiple applications, includes:
if an application is determined to be a safe application, storing its application behavior log, communication behavior log and network traffic data information into a safe behavior database; otherwise, storing them into a malicious behavior database;
according to the safe behavior database and the malicious behavior database, performing training computation on the multi-dimensional behavior data with a machine learning algorithm.
Specifically, if the device determines that an application collected in advance is a safe application, it stores that application's application behavior log, communication behavior log and network traffic data information into the safe behavior database; if the device determines that an application collected in advance is a malicious application, it stores that application's application behavior log, communication behavior log and network traffic data information into the malicious behavior database. The device then performs training computation on the multi-dimensional behavior data with a machine learning algorithm, according to the safe behavior database and the malicious behavior database, and obtains the malicious Trojan detection model. It should be noted that the machine learning algorithm includes the support vector machine algorithm, the naive Bayes algorithm and deep learning algorithms, and may also include other machine learning algorithms; this can be adjusted according to actual conditions and is not specifically limited here.
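The training and detection flow described above, as an added example that is not code from the patent: labeled history is split into a safe and a malicious behavior database, a multinomial naive Bayes model (one of the algorithms the text lists) is trained on tokens from all three dimensions, and an application is then classified. The record layout, event names, upload/download bucketing and every sample value are constructed assumptions.

```python
import math
from collections import Counter

ALL_DIMS = ("app_log", "comm_log", "net")

# Constructed history (assumption, not patent data). Each record has the three
# dimensions named in the text; net entries are (link, bytes_up, bytes_down).
HISTORY = [
    {"label": "safe", "app_log": ["camera_open"], "comm_log": [],
     "net": [("wlan", 2_000, 40_000)]},
    {"label": "safe", "app_log": ["call_record"], "comm_log": ["phone_call"],
     "net": [("mobile", 500, 1_500)]},
    {"label": "safe", "app_log": [], "comm_log": [],
     "net": [("wlan", 30_000, 90_000)]},
    {"label": "malicious", "app_log": ["local_recording", "camera_open"],
     "comm_log": ["send_sms"], "net": [("mobile", 80_000, 1_000)]},
    {"label": "malicious", "app_log": ["local_recording", "bluetooth_on"],
     "comm_log": ["send_sms", "send_sms"], "net": [("wlan", 120_000, 3_000)]},
    {"label": "malicious", "app_log": ["call_record"], "comm_log": ["send_mms"],
     "net": [("mobile", 60_000, 2_000)]},
]

# Constructed applications to be detected.
SUSPECT = {"app_log": ["local_recording"], "comm_log": ["send_sms"],
           "net": [("mobile", 50_000, 800)]}
BENIGN = {"app_log": ["camera_open"], "comm_log": ["phone_call"],
          "net": [("wlan", 1_000, 50_000)]}
# Looks harmless in the application log alone; the other dimensions do not.
MIXED = {"app_log": ["camera_open"], "comm_log": ["send_sms"],
         "net": [("mobile", 70_000, 900)]}

# What the terminal does with the returned result (final step of the flow).
ACTIONS = {"safe": "keep_running", "malicious": "uninstall"}


def features(record, dims=ALL_DIMS):
    """Turn one multi-dimensional record into dimension-prefixed tokens."""
    tokens = []
    if "app_log" in dims:
        tokens += [f"app:{event}" for event in record["app_log"]]
    if "comm_log" in dims:
        tokens += [f"comm:{event}" for event in record["comm_log"]]
    if "net" in dims:
        for link, up, down in record["net"]:
            direction = "upload_heavy" if up > down else "download_heavy"
            tokens.append(f"net:{link}:{direction}")
    return tokens


def build_databases(history):
    """Store each labeled application's behavior in the safe or malicious database."""
    databases = {"safe": [], "malicious": []}
    for record in history:
        databases[record["label"]].append(features(record))
    return databases


def train(databases):
    """Multinomial naive Bayes: per-class token counts plus class priors."""
    vocab = {tok for docs in databases.values() for doc in docs for tok in doc}
    total_apps = sum(len(docs) for docs in databases.values())
    classes = {}
    for label, docs in databases.items():
        counts = Counter(tok for doc in docs for tok in doc)
        classes[label] = {"log_prior": math.log(len(docs) / total_apps),
                          "counts": counts, "total": sum(counts.values())}
    return {"vocab": vocab, "classes": classes}


def scores(model, record, dims=ALL_DIMS):
    """Log-posterior per class, with Laplace smoothing for zero counts."""
    vocab_size = len(model["vocab"])
    result = {}
    for label, cls in model["classes"].items():
        total = cls["log_prior"]
        for tok in features(record, dims):
            if tok not in model["vocab"]:
                continue  # behavior never seen in training carries no evidence
            total += math.log((cls["counts"][tok] + 1) / (cls["total"] + vocab_size))
        result[label] = total
    return result


def detect(model, record, dims=ALL_DIMS):
    """Return the security detection result: 'safe' or 'malicious'."""
    result = scores(model, record, dims)
    return max(result, key=result.get)


if __name__ == "__main__":
    model = train(build_databases(HISTORY))
    for name, rec in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN), ("MIXED", MIXED)):
        verdict = detect(model, rec)
        print(name, verdict, ACTIONS[verdict],
              "| app log only:", detect(model, rec, dims=("app_log",)))
```

The `MIXED` record is classified as safe when only the application behavior log is scored and as malicious when all three dimensions are scored, which is the single-dimension weakness the background section attributes to existing detection.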
Fig. 2 is an overall flow diagram of the malicious Trojan detection processing method provided by an embodiment of the present invention. As shown in Fig. 2, the malicious Trojan detection processing method provided by this embodiment specifically includes the following steps:
S201: obtain the application behavior log of the application to be detected. The device obtains the application behavior log of the application to be detected; the application behavior log is collected and reported by the mobile terminal through the built-in terminal information collection module. Then step S202 is performed;
S202: obtain the communication behavior log of the application to be detected. The device obtains the communication behavior log of the application to be detected; the communication behavior log is collected and reported by the mobile terminal through the built-in base station collection module. Then step S203 is performed;
S203: obtain the network traffic data information of the application to be detected. The device obtains the network traffic data information of the application to be detected; the network traffic data information is collected and reported by the mobile terminal through the built-in distributed wireless LAN information collection module. Then step S204 is performed;
S204: input into the malicious Trojan detection model. The device inputs the application behavior log, the communication behavior log and the network traffic data information of the application to be detected into the malicious Trojan detection model obtained by training in advance. Then step S205 is performed;
S205: output the security detection result of the application to be detected. The malicious Trojan detection model outputs the security detection result of the application to be detected; the result is either that the application to be detected is a safe application or that it is a malicious application. Then step S206 is performed;
S206: send the security detection result to the mobile terminal. The device sends the security detection result to the mobile terminal, so that the terminal, according to the result, continues running a safe application or uninstalls a malicious application.
The malicious Trojan detection processing method provided by this embodiment uses a trained malicious Trojan detection model to perform malicious Trojan detection processing on the application to be detected, according to the obtained multi-dimensional behavior data of that application on the mobile terminal, and obtains a security detection result for it, which improves the accuracy of malicious Trojan detection.
Fig. 3 is a structural diagram of the malicious Trojan detection processing device provided by one embodiment of the present invention. As shown in Fig. 3, this embodiment provides a malicious Trojan detection processing device including an acquisition unit 301 and a detection unit 302, wherein:
The acquisition unit 301 is configured to obtain the multi-dimensional behavior data of the application to be detected, the multi-dimensional behavior data including an application behavior log, a communication behavior log and network traffic data. The detection unit 302 is configured to perform, according to the multi-dimensional behavior data, malicious Trojan detection processing on the application to be detected by means of a malicious Trojan detection model, to obtain a security detection result for the application to be detected. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications.
Specifically, the acquisition unit 301 obtains the multi-dimensional behavior data of the application to be detected on the mobile terminal. The multi-dimensional behavior data includes the application behavior log, the communication behavior log and the network traffic data information, and may also include behavior data of other dimensions; this can be adjusted according to actual conditions and is not specifically limited here. The detection unit 302 inputs the multi-dimensional behavior data of the application to be detected on the mobile terminal into the malicious Trojan detection model, which performs malicious Trojan detection processing on the application and outputs its security detection result. The malicious Trojan detection model is obtained by training on historical multi-dimensional behavior data of multiple applications.
It should be noted that the mobile terminal is provided with a terminal information collection module for collecting the application behavior log, a base station collection module for collecting the communication behavior log, and a distributed wireless LAN information collection module for collecting the network traffic data information. The device may be a malicious Trojan detection processing cloud platform; if the mobile terminal is connected to WIFI, the cloud platform can obtain the multi-dimensional behavior data in real time. It can be understood that the security detection result is either that the application to be detected is a safe application or that it is a malicious application. The device may also send the security detection result to the mobile terminal, so that the terminal, according to the result, continues running a safe application or uninstalls a malicious application.
The malicious Trojan detection processing device provided by this embodiment uses a trained malicious Trojan detection model to perform malicious Trojan detection processing on the application to be detected, according to the obtained multi-dimensional behavior data of that application on the mobile terminal, and obtains a security detection result for it, which improves the accuracy of malicious Trojan detection.
On the basis of the above embodiment, further, the application behavior log is collected and reported by the mobile terminal through a built-in terminal information collection module; the communication behavior log is collected and reported by a built-in base station collection module; and the network traffic data is collected and reported by a built-in distributed wireless LAN information collection module.
Specifically, the mobile terminal collects the application behavior log of the application to be detected through the internally provided terminal information collection module and reports it to the acquisition unit 301 through a resource information acquisition interface; the mobile terminal collects the communication behavior log of the application to be detected through the internally provided base station collection module and reports it to the acquisition unit 301 through the resource information acquisition interface; and the mobile terminal collects the network traffic data information of the application to be detected through the internally provided distributed wireless LAN information collection module and reports it to the acquisition unit 301 through the resource information acquisition interface. It can be understood that the application behavior log of the application to be detected includes logs of application behaviors such as call records, local recording and device (Bluetooth, camera) operation; the communication behavior log includes logs of communication behaviors such as making phone calls and sending SMS or MMS messages; and the network traffic data information includes traffic data for network operation behaviors such as sending email, mobile network connections and wireless LAN connections. This can be adjusted according to actual conditions and is not specifically limited here.
The structural representation for the malice trojan horse detection processing unit that Fig. 4 provides for another embodiment of the present invention, such as Fig. 4 institutes Show, malice trojan horse detection processing unit provided in an embodiment of the present invention is gone back on the basis of acquiring unit 401 and detection unit 402 Including collecting unit 403 and training unit 404, acquiring unit 401 and detection unit 402 and the acquiring unit in above-described embodiment 301 is consistent with detection unit 302, wherein:
Collecting unit 403 is used for the history multidimensional behavioral data for gathering multiple application programs;The multiple application package Include security application and malicious application;Training unit 404 is used for according to the history multidimensional behavioral data and described many The security attribute of individual application program, calculating is trained to the multidimensional behavioral data by machine learning algorithm, obtains described Malice trojan horse detection model.
Specifically, collecting unit 403 gathers the history multidimensional behavioral data of multiple application programs in advance;The multiple application Program includes security application and malicious application, and training unit 404 is according to the history multidimensional behavioral data and described The security attribute of multiple application programs, calculating is trained to the multidimensional behavioral data by machine learning algorithm, obtains institute State malice trojan horse detection model.It should be noted that for the application program history be generally behavioral data quantity, herein It is not specifically limited, but in order to improve the reliability of the malice trojan horse detection model, multiple answer should be gathered as much as possible With the history multidimensional behavioral data of program.
On the basis of above-described embodiment, further, training unit 404 specifically for:
If judging to know that application program is security application, respectively by the application user behaviors log of the application program, Communication behavior daily record and network flow data information are stored into safety behavior database;Otherwise, it is stored into malicious act database;
According to the safety behavior database and the malicious act database, by machine learning algorithm to the multidimensional Behavioral data is trained calculating.
Specifically, will if training unit 404 judges to know that the application program gathered in advance is security application The application user behaviors log of the application program, communication behavior daily record and network flow data information are stored into safety behavior respectively Database;If training unit 404 judges to know that the application program gathered in advance is malicious application, by respectively by institute Application user behaviors log, communication behavior daily record and the network flow data information for stating application program are stored into malicious act database, Then, training unit 404 passes through machine learning algorithm pair according to the safety behavior database and the malicious act database The multidimensional behavioral data is trained calculating, obtains the malice trojan horse detection model.It should be noted that the engineering Practising algorithm includes algorithm of support vector machine, NB Algorithm and deep learning algorithm, can also include other machines study Algorithm, can specifically be adjusted according to actual conditions, be not specifically limited herein.
The malicious Trojan horse detection processing device provided by the embodiment of the present invention uses the trained malicious Trojan horse detection model to perform malicious Trojan horse detection processing on the application program to be detected, according to the acquired multidimensional behavioral data of the application program to be detected on the mobile terminal, obtains the safety detection result of the application program to be detected, and sends the safety detection result to the mobile terminal, which improves the accuracy of malicious Trojan horse detection.
The device embodiments provided by the present invention can be used to perform the processing flows of the above method embodiments; their functions are not repeated here, and reference may be made to the detailed description of the above method embodiments.
Fig. 5 is a schematic structural diagram of the physical electronic device provided by an embodiment of the present invention. As shown in Fig. 5, the electronic device includes a processor 501, a memory 502 and a bus 503, wherein the processor 501 and the memory 502 communicate with each other through the bus 803. The processor 501 can call the computer program in the memory 802 to perform the following method: acquiring the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; performing, according to the multidimensional behavioral data, malicious Trojan horse detection processing on the application program to be detected through a malicious Trojan horse detection model, to obtain the safety detection result of the application program to be detected; the malicious Trojan horse detection model is obtained by training on the historical multidimensional behavioral data of multiple application programs.
An embodiment of the present invention discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions. When the program instructions are executed by a computer, the computer can perform the methods provided by the above method embodiments, for example including: acquiring the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; performing, according to the multidimensional behavioral data, malicious Trojan horse detection processing on the application program to be detected through a malicious Trojan horse detection model, to obtain the safety detection result of the application program to be detected; the malicious Trojan horse detection model is obtained by training on the historical multidimensional behavioral data of multiple application programs.
An embodiment of the present invention provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores a computer program, and the computer program causes the computer to perform the methods provided by the above method embodiments, for example including: acquiring the multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information; performing, according to the multidimensional behavioral data, malicious Trojan horse detection processing on the application program to be detected through a malicious Trojan horse detection model, to obtain the safety detection result of the application program to be detected; the malicious Trojan horse detection model is obtained by training on the historical multidimensional behavioral data of multiple application programs.
In addition, the logic instructions in the above memory 503 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions to cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A malicious Trojan horse detection processing method, characterized by comprising:
acquiring multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data information;
performing, according to the multidimensional behavioral data, malicious Trojan horse detection processing on the application program to be detected through a malicious Trojan horse detection model, to obtain a safety detection result of the application program to be detected; the malicious Trojan horse detection model is obtained by training on historical multidimensional behavioral data of multiple application programs.
2. The method according to claim 1, characterized in that the application behavior log is collected and reported by a mobile terminal through a built-in terminal information collection module; the communication behavior log is collected and reported by the mobile terminal through a built-in base station collection module; the network traffic data information is collected and reported by the mobile terminal through a built-in distributed wireless local area network information collection module.
3. The method according to claim 1, characterized in that the method further comprises:
collecting historical multidimensional behavioral data of multiple application programs, the multiple application programs including safe applications and malicious applications;
training on the multidimensional behavioral data with a machine learning algorithm, according to the historical multidimensional behavioral data and the security attributes of the multiple application programs, to obtain the malicious Trojan horse detection model.
4. The method according to claim 3, characterized in that the training on the multidimensional behavioral data with a machine learning algorithm, according to the historical multidimensional behavioral data and the security attributes of the multiple application programs, comprises:
if the application program is determined to be a safe application, storing the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in a safe-behavior database; otherwise, storing them in a malicious-behavior database;
training on the multidimensional behavioral data with a machine learning algorithm according to the safe-behavior database and the malicious-behavior database.
5. A malicious Trojan horse detection processing device, characterized by comprising:
an acquiring unit, configured to acquire multidimensional behavioral data of an application program to be detected, the multidimensional behavioral data including an application behavior log, a communication behavior log and network traffic data;
a detection unit, configured to perform, according to the multidimensional behavioral data, malicious Trojan horse detection processing on the application program to be detected through a malicious Trojan horse detection model, to obtain a safety detection result of the application program to be detected; the malicious Trojan horse detection model is obtained by training on historical multidimensional behavioral data of multiple application programs.
6. The device according to claim 5, characterized in that the application behavior log is collected and reported by a mobile terminal through a built-in terminal information collection module; the communication behavior log is collected and reported by a built-in base station collection module; the network traffic data is collected and reported by a built-in distributed wireless local area network information collection module.
7. The device according to claim 5, characterized in that the device further comprises:
a collecting unit, configured to collect historical multidimensional behavioral data of multiple application programs, the multiple application programs including safe applications and malicious applications;
a training unit, configured to train on the multidimensional behavioral data with a machine learning algorithm, according to the historical multidimensional behavioral data and the security attributes of the multiple application programs, to obtain the malicious Trojan horse detection model.
8. The device according to claim 7, characterized in that the training unit is specifically configured to:
if the application program is determined to be a safe application, store the application behavior log, communication behavior log and network traffic data information of the application program, respectively, in a safe-behavior database; otherwise, store them in a malicious-behavior database;
train on the multidimensional behavioral data with a machine learning algorithm according to the safe-behavior database and the malicious-behavior database.
9. An electronic device, characterized by comprising a processor, a memory and a bus, wherein:
the processor and the memory communicate with each other through the bus;
the processor can call the computer program in the memory to perform the steps of the method according to any one of claims 1-4.
10. A computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the steps of the method according to claims 1-4.
CN201710336118.5A 2017-05-12 2017-05-12 A kind of malice trojan horse detection processing method and processing device Pending CN107330326A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710336118.5A CN107330326A (en) 2017-05-12 2017-05-12 A kind of malice trojan horse detection processing method and processing device

Publications (1)

Publication Number Publication Date
CN107330326A true CN107330326A (en) 2017-11-07

Family

ID=60192670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710336118.5A Pending CN107330326A (en) 2017-05-12 2017-05-12 A kind of malice trojan horse detection processing method and processing device

Country Status (1)

Country Link
CN (1) CN107330326A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Detection method and device, computer equipment and the readable medium of Challenging black hole attack
CN108881307A (en) * 2018-08-10 2018-11-23 中国信息安全测评中心 A kind of safety detecting method and device of facing moving terminal
CN109840419A (en) * 2017-11-29 2019-06-04 财团法人资讯工业策进会 Computer installation and recognize its software container behavior whether Yi Chang method
CN111191239A (en) * 2019-12-30 2020-05-22 北京邮电大学 Process detection method and system for application program
CN111859386A (en) * 2020-08-03 2020-10-30 深圳市联软科技股份有限公司 Trojan horse detection method and system based on behavior analysis
CN114491524A (en) * 2021-12-16 2022-05-13 中国通信建设第三工程局有限公司 Big data communication system applied to intelligent network security
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368904A (en) * 2012-03-27 2013-10-23 百度在线网络技术(北京)有限公司 Mobile terminal, and system and method for suspicious behavior detection and judgment
CN105022960A (en) * 2015-08-10 2015-11-04 济南大学 Multi-feature mobile terminal malicious software detecting method based on network flow and multi-feature mobile terminal malicious software detecting system based on network flow
CN105740707A (en) * 2016-01-20 2016-07-06 北京京东尚科信息技术有限公司 Malicious file identification method and device

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109840419A (en) * 2017-11-29 2019-06-04 财团法人资讯工业策进会 Computer installation and recognize its software container behavior whether Yi Chang method
CN109840419B (en) * 2017-11-29 2022-08-09 财团法人资讯工业策进会 Computer device and method for identifying whether behavior of software container of computer device is abnormal
CN108234472A (en) * 2017-12-28 2018-06-29 北京百度网讯科技有限公司 Detection method and device, computer equipment and the readable medium of Challenging black hole attack
CN108881307A (en) * 2018-08-10 2018-11-23 中国信息安全测评中心 A kind of safety detecting method and device of facing moving terminal
CN108881307B (en) * 2018-08-10 2022-02-25 中国信息安全测评中心 Security detection method and device for mobile terminal
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications
CN111191239A (en) * 2019-12-30 2020-05-22 北京邮电大学 Process detection method and system for application program
CN111859386A (en) * 2020-08-03 2020-10-30 深圳市联软科技股份有限公司 Trojan horse detection method and system based on behavior analysis
CN114491524A (en) * 2021-12-16 2022-05-13 中国通信建设第三工程局有限公司 Big data communication system applied to intelligent network security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171107