CN107958154A - A kind of malware detection device and method - Google Patents

Info

Publication number
CN107958154A
Authority
CN
China
Prior art keywords
api
files
decompiling
tag
random forest
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610902851.4A
Other languages
Chinese (zh)
Inventor
蔡芷铃
赵鹤
张巍
姜青山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Institute of Advanced Technology of CAS
Original Assignee
Shenzhen Institute of Advanced Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Institute of Advanced Technology of CAS
Priority to CN201610902851.4A
Publication of CN107958154A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention relates to the field of security detection technology, and in particular to a malware detection device and method. The malware detection device includes: a decompilation module, for decompiling the input application installation package to obtain Smali files; a feature extraction module, for extracting API feature files from the Smali files; a feature formatting module, for formatting the extracted API feature files into a set file format; and a model training and detection module, for training a random forest classification model on the formatted API feature files and detecting malware with the random forest classification model. The invention is not affected by applications abusing permissions, and the whole training and detection process is automated, with no manual selection of APIs. It also introduces a distributed random forest, which copes effectively with model training when the sample set is a massive volume of malware and improves model training efficiency.

Description

A kind of malware detection device and method
Technical field
The present invention relates to the field of security detection technology, and in particular to a malware detection device and method.
Background
In recent years, mobile smart terminals have developed rapidly and have greatly changed how people use mobile phones: the phone is no longer used only for making calls, but reaches into every aspect of personal life. At the same time, more and more personal private data is stored on the phone. Once a phone is compromised by malware, the user may face harm such as theft of the information on the phone and theft of accounts and passwords, causing loss of personal property or interests; or illegal operations by malicious programs running in the background may make the phone malfunction and affect normal use.
As one of the currently popular smartphone operating systems, Android has a high market share, but because of its openness it has become the main target of malware attacks. The "2015 China Mobile Phone Security Status Report" [1] published by Qihoo 360 shows that the number of intercepted Android malware samples is still growing, reaching 18.74 million, and that the number of infections has also grown compared with the previous two years, reaching 370 million. As technology develops, the cost of producing malicious programs for the Android platform is gradually falling and malicious programs can be mass-produced, so attacks on mobile terminals are gradually scaling up. This not only threatens users' personal interests but also poses a huge challenge to the major security vendors. The massive volume of malware and the ever larger malicious-signature databases greatly increase the difficulty security vendors face in intercepting and processing malware samples, and traditional detection methods cannot handle this volume of data in a timely and effective way.
With the rapid development of artificial intelligence, many existing studies apply data-mining classification algorithms to malware detection. Data-mining methods build a classification model by "learning" the features of malware and use it to detect malware; the various data-mining detection methods all use different features, or combinations of features, together with a relevant classification algorithm. The effectiveness of data-mining-based malware detection therefore depends on the feature representation and the choice of model. Android's security mechanism requires that when an application calls certain APIs (Application Programming Interfaces) that may affect other applications, the operating system or the user, such as reading or writing the user's private data, using a network connection, or keeping the phone awake, it must request the corresponding permission, and it can call those APIs only after the permission has been granted. Permissions can therefore describe application behavior to some extent. Compared with permissions, APIs reflect application behavior more directly. Existing data-mining detection methods therefore mainly target the permission and API features of Android applications.
Although the permission features used by data-mining-based detection methods are easy to extract, the permissions an application declares may not actually be used, and studies have shown that a large number of applications abuse permissions, so using permissions directly as features to describe application behavior is not very reliable. Using API features faces the problem that the number of APIs is huge: a subset of APIs has to be selected manually as features, so detection cannot be fully automated. In addition, prior-art malware detection methods are mostly implemented as stand-alone (single-machine) versions and cannot cope with a huge number of software samples.
Summary of the invention
The present invention provides a malware detection device and method, intended to solve, at least to some extent, one of the above technical problems in the prior art.
To solve the above problems, the present invention provides the following technical solution:
A malware detection device, including:
a decompilation module, for decompiling the input application installation package to obtain decompiled files;
a feature extraction module, for extracting API feature files from the decompiled files;
a feature formatting module, for formatting the extracted API feature files into a set file format;
a model training and detection module, for training a random forest classification model on the formatted API feature files and detecting malware with the random forest classification model.
The technical solution adopted by the embodiment of the present invention further includes: the decompilation module uses the Apktool decompilation tool to decompile the input application installation package, and the decompiled files are Smali files.
The technical solution adopted by the embodiment of the present invention further includes: the feature extraction module extracts the API feature files as follows: traverse the Smali files and find the Dalvik instructions related to API calls; obtain the API called by the application from the parameters that follow the Dalvik instruction, and perform string matching on the API; if the API is a permission-protected API, store that permission-protected API in the API feature file corresponding to the application.
The technical solution adopted by the embodiment of the present invention further includes: the feature formatting module formats the API feature files as follows: a number is assigned to each API in the API feature files; if the application uses an API stored in the API feature file, the value of the entry with that API's number is 1; if the application does not use the API stored in the API feature file, the value of the entry with that API's number is 0.
The technical solution adopted by the embodiment of the present invention further includes: the model training and detection module trains the random forest classification model as follows: the formatted API feature files are fed to the random forest classification model training interface provided by Spark MLlib, and training yields a distributed random forest classification model.
Another technical solution adopted by the embodiment of the present invention is a malware detection method, including:
Step a: decompile the input application installation package to obtain decompiled files;
Step b: extract API feature files from the decompiled files;
Step c: format the extracted API feature files into a set file format;
Step d: train a random forest classification model on the formatted API feature files, and detect malware with the random forest classification model.
The technical solution adopted by the embodiment of the present invention further includes: in step a, decompiling the application installation package specifically means decompiling the input application installation package with the Apktool decompilation tool, and the decompiled files are Smali files.
The technical solution adopted by the embodiment of the present invention further includes: in step b, the API feature files are extracted as follows: traverse the Smali files and find the Dalvik instructions related to API calls; obtain the API called by the application from the parameters that follow the Dalvik instruction, and perform string matching on the API; if the API is a permission-protected API, store that permission-protected API in the API feature file corresponding to the application.
The technical solution adopted by the embodiment of the present invention further includes: in step c, the API feature files are formatted as follows: a number is assigned to each API in the API feature files; if the application uses an API stored in the API feature file, the value of the entry with that API's number is 1; if the application does not use the API stored in the API feature file, the value of the entry with that API's number is 0.
The technical solution adopted by the embodiment of the present invention further includes: in step d, the random forest classification model is trained as follows: the formatted API feature files are fed to the random forest classification model training interface provided by Spark MLlib, and training yields a distributed random forest classification model.
Compared with the prior art, the beneficial effects of the embodiment of the present invention are as follows: the malware detection device and method of the embodiment use permission-protected APIs as the features for malware detection; compared with the traditional approach of using permissions directly as features, they are not affected by applications abusing permissions, and the whole training and detection process is automated, with no manual selection of APIs. A distributed random forest is also introduced, which copes effectively with model training when the sample set is a massive volume of malware and improves model training efficiency.
Brief description of the drawings
Fig. 1 is a structural diagram of the malware detection device of the embodiment of the present invention;
Fig. 2 is a diagram of the detection framework of the malware detection device of the embodiment of the present invention;
Fig. 3 is a flow chart of the malware detection method of the embodiment of the present invention;
Fig. 4 compares the accuracy obtained with the two kinds of features;
Fig. 5 compares the precision obtained with the two kinds of features;
Fig. 6 compares the recall obtained with the two kinds of features.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it.
Fig. 1 is a structural diagram of the malware detection device of the embodiment of the present invention. The malware detection device of the embodiment includes a decompilation module, a feature extraction module, a feature formatting module, and a model training and detection module. The decompilation module decompiles the application installation package (APK, Android Package) and obtains the Smali files in it. The feature extraction module extracts API feature files from the Smali files. The feature formatting module formats the API feature files extracted from each application installation package into a set file format. The model training and detection module trains a random forest classification model on the formatted API feature files, uses the random forest classification model to detect malware (that is, to judge whether the software is malicious or normal), and outputs the detection result.
Fig. 2 is a diagram of the detection framework of the malware detection device of the embodiment of the present invention. The decompilation module, feature extraction module, feature formatting module, and model training and detection module are each drawn as a rounded rectangle; the input of each module is the output of the previous module, and the output of each module is drawn as a right-angled rectangle. The input of the framework is an Android application installation package, and its output is the detection result for that application.
Specifically, in the embodiment of the present invention the decompilation module uses the Apktool decompilation tool to decompile the input application installation package and obtain Smali files, which contain Dalvik instructions and API information. In other embodiments of the present invention, other decompilation tools, such as dex2jar, may be used instead.
The feature extraction module extracts the API feature files as follows: traverse the Smali files and find the Dalvik instructions related to API calls, as shown in Table 1 below; then obtain the API called by the application, including the API class name and method name, from the parameters that follow the Dalvik instruction; perform string matching on the API, and if the API is a permission-protected API, store it in the API feature file corresponding to the application. At this point each application corresponds to one API feature file, which stores all the permission-protected APIs that the application calls.
Table 1: Dalvik instructions related to API calls
Before the API feature files can be used, they must be converted into a format accepted by the model training and detection module. The feature formatting module formats the API feature files as follows: a number is assigned to each API in the API feature files; if the application uses an API stored in the API feature file, the value of the entry with that API's number is 1, otherwise the value of that entry is 0. In the end, each application is represented as a feature vector, corresponding to one row of data in the API feature file. In the embodiment of the present invention, the feature formatting module formats the API feature files as LIBSVM-format files; the specific format can be set according to the actual application.
After the API feature files have been formatted, the model training and detection module feeds them to the random forest classification model training interface provided by Spark MLlib; training yields a distributed random forest classification model, which is then used to detect malware on smart terminals.
Fig. 3 is a flow chart of the malware detection method of the embodiment of the present invention. The malware detection method of the embodiment includes the following steps:
Step 100: decompile the input application installation package to obtain Smali files;
In step 100, the embodiment of the present invention uses the Apktool decompilation tool for decompilation; other decompilation tools such as dex2jar may also be used. The Smali files obtained contain Dalvik instructions and API information.
Step 200: extract API feature files from the Smali files;
In step 200, the API feature files are extracted as follows: traverse the Smali files and find the Dalvik instructions related to API calls, as shown in Table 1 below; then obtain the API called by the application, including the API class name and method name, from the parameters that follow the Dalvik instruction; perform string matching on the API, and if the API is a permission-protected API, store it in the API feature file corresponding to the application. At this point each application corresponds to one API feature file, which stores all the permission-protected APIs that the application calls.
Table 1: Dalvik instructions related to API calls
Step 300: format the API feature files extracted from each application installation package into the set file format;
In step 300, the API feature files are formatted as follows: a number is assigned to each API in the API feature files; if the application uses an API stored in the API feature file, the value of the entry with that API's number is 1, otherwise the value of that entry is 0. In the end, each application is represented as a feature vector, corresponding to one row of data in the API feature file. In the embodiment of the present invention, the feature formatting module formats the API feature files as LIBSVM-format files; the specific format can be set according to the actual application.
Step 400: train a random forest classification model on the formatted API feature files, detect malware with the random forest classification model, and output the detection result;
In step 400, the random forest classification model is trained as follows: the formatted API feature files are fed to the random forest classification model training interface provided by Spark MLlib, and training yields a distributed random forest classification model.
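Steps 200 and 300 (and the matching feature extraction and feature formatting modules of the device) can be illustrated with the following added example, which is not code from the patent. It assumes the standard Dalvik invoke-* opcodes stand in for the page's Table 1, uses a small constructed list of permission-protected APIs, constructed Smali snippets, and the label convention 1 = malicious, 0 = normal; all function names are hypothetical.

```python
import re

# Assumption: Table 1 is not reproduced on the page, so the standard Dalvik
# invoke-* opcodes (optionally /range) are treated as the API-call instructions.
INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|super|direct|static|interface)(?:/range)?\s+"
    r"\{[^}]*\},\s*(?P<cls>\[*L[^;]+;)->(?P<method>[^\s(]+)\(",
    re.MULTILINE,
)

# Constructed sample of permission-protected APIs (class->method, no signature).
# A real deployment would load a complete API-to-permission mapping instead.
PROTECTED_APIS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/location/LocationManager;->getLastKnownLocation",
}


def extract_invoked_apis(smali_text):
    """Return every 'Lclass;->method' named by an invoke-* instruction.

    The pattern is anchored to the start of a line, so an API name that only
    appears inside a const-string literal is not counted as a call.
    """
    return {f"{m['cls']}->{m['method']}" for m in INVOKE_RE.finditer(smali_text)}


def api_feature_set(smali_files, protected=PROTECTED_APIS):
    """Step 200: permission-protected APIs invoked across one app's Smali files."""
    used = set()
    for text in smali_files:
        used |= extract_invoked_apis(text) & protected
    return used


def build_index(protected=PROTECTED_APIS):
    """Assign each protected API a stable 1-based feature number."""
    return {api: i for i, api in enumerate(sorted(protected), start=1)}


def to_libsvm_line(label, used, index):
    """Step 300: one app as a sparse LIBSVM row ('label idx:1 ...').

    LIBSVM rows are sparse, so features whose value is 0 are simply omitted;
    indices are emitted in ascending order.
    """
    cols = sorted(index[api] for api in used if api in index)
    return " ".join([str(label)] + [f"{c}:1" for c in cols])


def build_dataset(apps):
    """apps: list of (label, [smali_text, ...]); returns LIBSVM rows."""
    index = build_index()
    return [to_libsvm_line(label, api_feature_set(files), index)
            for label, files in apps]


# Constructed Smali for two imaginary apps (not taken from any real sample).
APP_A = ['''
.method public run()V
    const-string v1, "invoke-static {}, Landroid/location/LocationManager;->getLastKnownLocation("
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual/range {v2 .. v7}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
''']

APP_B = ['''
.method public locate()V
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    invoke-virtual {v3, v4}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    return-void
.end method
''']

if __name__ == "__main__":
    for row in build_dataset([(1, APP_A), (0, APP_B)]):
        print(row)
```

The resulting rows are the kind of input that step 400 passes to the random forest training interface; training itself needs a Spark installation and is left out of this example.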
Experiments show that the malware detection device and method of the embodiment of the present invention, by using permission-protected APIs as the features for Android malware detection, achieve better detection results than the traditional approach of using permissions directly as features. The results are shown in Figs. 4 to 6: Fig. 4 compares the accuracy of the two kinds of features, Fig. 5 compares their precision, and Fig. 6 compares their recall. Under identical experimental conditions, as the number of trees in the random forest model increases, the classification accuracy, precision and recall obtained with permission-protected APIs as features and with permissions as features both change. When the number of trees reaches 30, every metric is basically stable; at that point the accuracy, precision and recall of detection with permission-protected APIs as features are higher than those of detection with permissions as features by 2%, 1% and 4% respectively.
The malware detection device and method of the embodiment of the present invention use permission-protected APIs as the features for malware detection; compared with the traditional approach of using permissions directly as features, they are not affected by applications abusing permissions, and the whole training and detection process is automated, with no manual selection of APIs. A distributed random forest is also introduced, which copes effectively with model training when the sample set is a massive volume of malware and improves model training efficiency.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. The present invention is therefore not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

  1. A malware detection device, characterized by comprising:
    a decompilation module, for decompiling the input application installation package to obtain decompiled files;
    a feature extraction module, for extracting API feature files from the decompiled files;
    a feature formatting module, for formatting the extracted API feature files into a set file format;
    a model training and detection module, for training a random forest classification model on the formatted API feature files and detecting malware with the random forest classification model.
  2. The malware detection device according to claim 1, characterized in that the decompilation module uses the Apktool decompilation tool to decompile the input application installation package, and the decompiled files are Smali files.
  3. The malware detection device according to claim 2, characterized in that the feature extraction module extracts the API feature files as follows: traverse the Smali files and find the Dalvik instructions related to API calls; obtain the API called by the application from the parameters that follow the Dalvik instruction, and perform string matching on the API; if the API is a permission-protected API, store that permission-protected API in the API feature file corresponding to the application.
  4. The malware detection device according to claim 3, characterized in that the feature formatting module formats the API feature files as follows: a number is assigned to each API in the API feature files; if the application uses an API stored in the API feature file, the value of the entry with that API's number is 1; if the application does not use the API stored in the API feature file, the value of the entry with that API's number is 0.
  5. The malware detection device according to claim 4, characterized in that the model training and detection module trains the random forest classification model as follows: the formatted API feature files are fed to the random forest classification model training interface provided by Spark MLlib, and training yields a distributed random forest classification model.
  6. A malware detection method, characterized by comprising:
    Step a: decompile the input application installation package to obtain decompiled files;
    Step b: extract API feature files from the decompiled files;
    Step c: format the extracted API feature files into a set file format;
    Step d: train a random forest classification model on the formatted API feature files, and detect malware with the random forest classification model.
  7. The malware detection method according to claim 6, characterized in that, in step a, decompiling the application installation package means decompiling the input application installation package with the Apktool decompilation tool, and the decompiled files are Smali files.
  8. The malware detection method according to claim 7, characterized in that, in step b, the API feature files are extracted as follows: traverse the Smali files and find the Dalvik instructions related to API calls; obtain the API called by the application from the parameters that follow the Dalvik instruction, and perform string matching on the API; if the API is a permission-protected API, store that permission-protected API in the API feature file corresponding to the application.
  9. The malware detection method according to claim 8, characterized in that, in step c, the API feature files are formatted as follows: a number is assigned to each API in the API feature files; if the application uses an API stored in the API feature file, the value of the entry with that API's number is 1; if the application does not use the API stored in the API feature file, the value of the entry with that API's number is 0.
  10. The malware detection method according to claim 9, characterized in that, in step d, the random forest classification model is trained as follows: the formatted API feature files are fed to the random forest classification model training interface provided by Spark MLlib, and training yields a distributed random forest classification model.
CN201610902851.4A 2016-10-17 2016-10-17 A kind of malware detection device and method Pending CN107958154A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610902851.4A CN107958154A (en) 2016-10-17 2016-10-17 A kind of malware detection device and method

Publications (1)

Publication Number Publication Date
CN107958154A true CN107958154A (en) 2018-04-24

Family

ID=61954393

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610902851.4A Pending CN107958154A (en) 2016-10-17 2016-10-17 A kind of malware detection device and method

Country Status (1)

Country Link
CN (1) CN107958154A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and static analysis device for Android application program
CN104376262A (en) * 2014-12-08 2015-02-25 中国科学院深圳先进技术研究院 Android malware detecting method based on Dalvik command and authority combination
CN105631325A (en) * 2014-11-03 2016-06-01 中国移动通信集团公司 Malicious application detection method and apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘阳: "应用随机森林与神经网络算法检测与分析Android应用恶意代码", 《中国优秀硕士学位论文全文库》 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108664792A (en) * 2018-05-21 2018-10-16 中国科学技术大学 A kind of source tracing method of Android malware
CN109145605A (en) * 2018-08-23 2019-01-04 北京理工大学 A kind of Android malware family clustering method based on SinglePass algorithm
WO2021030593A1 (en) * 2019-08-14 2021-02-18 Mcafee, Llc Methods and apparatus for malware detection using jar file decompilation
US11435990B2 (en) 2019-08-14 2022-09-06 Mcafee, Llc Methods and apparatus for malware detection using jar file decompilation
CN112446026A (en) * 2019-09-03 2021-03-05 中移(苏州)软件技术有限公司 Malicious software detection method and device and storage medium
CN110826006A (en) * 2019-11-22 2020-02-21 支付宝(杭州)信息技术有限公司 Abnormal collection behavior identification method and device based on privacy data protection
CN110826006B (en) * 2019-11-22 2021-03-19 支付宝(杭州)信息技术有限公司 Abnormal collection behavior identification method and device based on privacy data protection
CN112948816A (en) * 2019-12-10 2021-06-11 北京一起教育信息咨询有限责任公司 System authority determination method and device, storage medium and electronic equipment
CN113641363A (en) * 2021-10-18 2021-11-12 北京邮电大学 Third-party library detection method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180424