CN108062476A - A kind of malicious code determination method and system based on call relation - Google Patents
Info
- Publication number: CN108062476A
- Application number: CN201610983736.4A
- Authority: CN (China)
- Prior art keywords: program, function, detected, node, structure tree
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
The invention discloses a malicious code determination method and system based on call relations, comprising: decompiling the program to be detected to obtain pseudocode; parsing the pseudocode and building a call structure tree; and traversing the call structure tree to obtain the behavior data of the program to be detected, the program being judged to contain malicious code when the obtained behavior data matches predefined malicious behavior data. The malicious behavior data includes: the malicious behavior, the call relation of the malicious behavior, or the call location. By converting the call relations of the program into the hierarchical relations of a call structure tree, the technical solution gives the machine more detailed program information and ultimately improves the accuracy of malicious code determination.
Description
Technical Field
The present invention relates to the field of information security technology, and in particular to a malicious code determination method and system based on call relations.
Background
As society moves fully into the Internet era, the rapid development of the Internet has improved people's lives, but it has also attracted many malicious application developers who try to profit illegally from it. The number of malicious applications is growing at an unprecedented speed, new viruses keep appearing, and variants are updated more and more frequently. Manual judgment alone can no longer solve these problems; how to have machines determine viruses in a more intelligent and more accurate way has become the key to solving them.
At present, static detection of malicious code mainly consists of decompiling the program and then judging the decompiled pseudocode data for malice. That is, the sensitive functions of the program are judged from the API fields the program calls, and the features and possible behaviors of the program are judged from the sensitive strings it uses. A single behavior or data rule alone cannot constitute evidence of malicious behavior, so detection accuracy is low. To improve accuracy, malicious code analysts often still have to combine this data with the call relations of the program and make a further manual judgment. Detection efficiency is therefore low, which not only increases the cost of detecting malicious samples but can also miss the best time to intercept a virus, so that more normal user devices (mobile phones, computers, etc.) may be infected.
Summary of the Invention
The object of the invention is to provide a malicious code determination method and system based on call relations that can improve the accuracy and efficiency of malicious code determination.
To achieve this object, the invention discloses a malicious code determination method based on call relations, comprising:
Decompiling the program to be detected and obtaining pseudocode;
Parsing the pseudocode and building a call structure tree;
Traversing the call structure tree and matching it against predefined malicious behavior data to determine whether malicious code is present;
Wherein the malicious behavior data includes: the malicious behavior, the call relation of the malicious behavior, or the call location.
Further, parsing the pseudocode and building the call structure tree includes: parsing the pseudocode to obtain the function-related information of each function, and building the call structure tree from that function-related information.
Further, the function-related information also includes: the way the function is called, the return value type of the function, and the parameter value types; wherein the way the function is called includes being called directly or being called through an API.
Further, building the call structure tree from the function-related information is specifically:
Analyzing the function-related information and taking the functions that are not called by any other function as root nodes;
Analyzing the function-related information of the root node, and extracting the way the function is called, the return value type, the parameter value types and the parameter-type strings in the function as the attributes of each node;
Extracting the APIs in the function-related information as the values of each node;
Taking the next-level functions called according to the function-related information of the root node as child nodes, and recursively building the call relations of the entire program level by level.
Further, the method of obtaining the behavior data of the program to be detected, and judging that the program contains malicious code when the obtained behavior data matches the predefined malicious behavior data, includes:
Traversing the call structure tree with each node as an entry point, obtaining the behavior data of each node and its child nodes, matching the behavior data against the predefined malicious behavior data and, if the match succeeds, recording the relevant malicious behavior data.
Further, before decompiling the program to be detected and obtaining pseudocode, the method also includes: judging whether the program to be detected contains packed and/or encrypted parts and, if so, unpacking and/or decrypting them.
To achieve the above object, the invention also discloses a malicious code determination system based on call relations, comprising:
A pseudocode acquisition module, for decompiling the program to be detected and obtaining pseudocode;
A call structure tree building module, for parsing the pseudocode and building a call structure tree;
A call structure tree matching module, for traversing the call structure tree, obtaining the behavior data of the program to be detected, and judging that the program contains malicious code when the obtained behavior data matches predefined malicious behavior data, wherein the behavior data includes: the behavior, the call relation of the behavior, or the call location.
Beneficial effects of the invention: the invention obtains pseudocode by decompiling the target program and builds a call structure tree from the call relations of the functions in the pseudocode, so that manual judgment of code is converted into machine judgment of a call structure tree in data form. Because the program to be detected is converted into a call structure tree, less of its information is distorted when it is handed to the machine for detection, which improves the accuracy and efficiency of determining whether the program is malicious. The system platforms to which the invention applies include, but are not limited to, Android, iOS and Windows.
Brief Description of the Drawings
To illustrate the technical solution of the invention more clearly, the drawings needed in the embodiments are briefly introduced below. The drawings described below are only some of the embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a malicious code determination method based on call relations provided by the invention.
Fig. 2 is a structural diagram of a malicious code determination system based on call relations provided by the invention.
Fig. 3 is a diagram of an embodiment of a function structure tree based on call relations provided by the invention.
Detailed Description
The invention provides embodiments of a malicious code determination method and system based on call relations. So that those skilled in the art can better understand the technical solutions in the embodiments, and so that the above objects, features and advantages of the invention are clearer, the technical solution is described in further detail below with reference to the drawings.
The invention first provides Embodiment 1 of a malicious code determination method based on call relations which, as shown in Fig. 1, includes:
S11: decompile the program to be detected and obtain pseudocode.
S12: parse the pseudocode and build the call structure tree.
Specifically, the pseudocode can be parsed to obtain the function-related information of each function, and the call structure tree is built from that information. The function-related information includes the way the function is called, the return value type, the parameter value types, the next-level functions it calls, the parameter-type strings, the APIs, and so on. For example, the way a function is called includes being called directly or being called through an API; the return value types and parameter types of a function include void, string, byte and so on; the parameter-type strings include the string constants defined in the function and some sensitive database names, such as the SMS database and the contacts database. Building the call structure tree from the function-related information is specifically:
S121: analyze the function-related information and take the functions that are not called by any other function as root nodes.
It should be understood that program execution starts from an entry function. Other functions are executed because the entry function, or a function called by the entry function, calls them; only entry functions are never called by other functions of the program. All functions that are not called by other functions are therefore taken as root nodes.
S122: analyze the function-related information of the root node, and extract the function-related information and the parameter-type strings in the function as the attributes of each node.
S123: extract the APIs in the function-related information as the values of each node.
S124: take the next-level functions called according to the function-related information of the root node as child nodes, and recursively build the call relations of the entire program level by level.
For example, consider the construction process for function a of class com/phone/stop/db/a in a certain sample, taking the following three representative groups of smali code as an example:
First group:
const-string v1, "have_app_jihuo"
Second group:
invoke-interface {v0}, Landroid/content/SharedPreferences$Editor;->commit()Z
Third group:
invoke-direct {v0, p0}, Lcom/phone/stop/db/a;-><init>(Landroid/content/Context;)V
When this function is parsed, the program first creates a data structure that represents the function, named "Lcom_phone_stop_db_a-a", and saves the function's return value and parameter value types in the structure. The first group of code contains a parameter-type string, so the information "have_app_jihuo" can be extracted and saved in the data structure. The second group of code is an API called by the function; the feature of that API, "Landroid_content_SharedPreferences-Editor-commit", can be extracted and saved in the data structure. The third group of code is a subfunction called by the function; the function feature "Lcom_phone_stop_db_a-init" and the calling method "direct" can be extracted and saved in the data structure. All functions are parsed in this way, which yields a database for the entire program.
The call structure tree of the program is built from this database. For example, when function a is parsed, the name of the data structure representing the function, "Lcom_phone_stop_db_a-a", is used as the node name; the way the function is called, "direct", is saved as the "invoke" attribute; the return value type of the function, "void", is saved as the "ret" attribute; the type of the parameters the function takes, "string", is saved as the "parameter" attribute; the parameter-type string "have_app_jihuo" in the function is saved as the "string" attribute; the API feature value "Landroid_content_SharedPreferences-Editor-commit" saved in the function's data structure is used as the node value; and the called subfunction "Lcom_phone_stop_db_a-init" saved in the function's data structure becomes a child node. Node construction continues from the data structure corresponding to that child node, and the call relations of the entire program are built recursively in this way. The call structure tree built from function a is shown in Fig. 3, where Lcom_phone_stop_db_a-a is a function node, i.e. it represents a function. invoke, ret, parameter and string are the attributes of the node; they hold, respectively, the way the function is called, the return value type, the parameter value types and the parameter-type strings the function contains. Lcom_phone_stop_db_a-init is a child node of Lcom_phone_stop_db_a-a, which means that the function represented by Lcom_phone_stop_db_a-a calls the function represented by Lcom_phone_stop_db_a-init. The other values under a node are the APIs that the function calls.
S13: obtain the behavior data of the program to be detected; when the obtained behavior data matches the predefined malicious behavior data, the program to be detected is judged to contain malicious code.
Specifically, the call structure tree is traversed with each node as an entry point, the behavior data of each node and its child nodes is obtained and matched against the predefined malicious behavior data, and if the match succeeds the relevant malicious behavior data is recorded. The behavior data includes: the behavior, the call relation of the behavior, or the call location. The call structure tree may be XML, JSON, a graph or another relational structure, and the matching rules are not limited.
Improved algorithms and applications are listed below:
(1) Match child nodes against preset child nodes one by one according to the call structure tree.
(a) Match a single sensitive string or API.
(b) Match multiple sensitive strings and APIs, or sensitive strings and APIs between which a call relation exists.
(2) Simplify the tree structure to form a feature code.
(a) Remove the large amount of redundant information in the call tree, keeping only the information that contains sensitive strings and APIs together with the call relations of the program. (Code optimization can be applied to form more efficient fingerprint data.)
(b) Match the resulting fingerprint data against malicious behavior feature codes.
(3) Build a malicious behavior graph of the program for identification.
(a) Use the malicious behaviors and their locations obtained by methods (1) and (2).
(b) Traverse the call structure tree according to the malicious behaviors and their locations to construct the malicious behavior graph of the program, so that the malicious program family can be judged intuitively.
For example, a person of ordinary skill in the art will understand that in the Android system the API ContentResolver-delete, called with "content://sms/" as its parameter, deletes SMS messages. If the traditional approach is used and only the scattered strings present in the program are matched, a match on "content://sms/" shows only that there may be some operation on SMS data; whether it is a query, an insertion or a deletion cannot be concluded. Likewise, matching the API function ContentResolver-delete in a scattered way shows only that the program deletes data from a database, but cannot determine which database. The call structure tree places these two items, which are scattered in the pseudocode, into an associated hierarchical relation, which in the program corresponds to the call relation. When the strings obtained for some node include "content://sms/", this matches the sensitive string for SMS data in the predefined malicious behavior data, so the node and its child nodes are then searched for the corresponding database operation APIs. If they contain the API corresponding to "ContentResolver-delete", an SMS deletion operation is present here; if they contain the API corresponding to "ContentResolver-query", an SMS query operation is present here. In addition, once an SMS query has been detected, the child nodes of that node, which correspond to the subfunctions called by the function in the program, are examined; if APIs for networking behavior such as HttpClient-execute, URL-openConnection or Socket-getOutputStream are present, the program has networking behavior. That is, the program uploads over the network after querying SMS messages, so the program exhibits the malicious behavior of privacy leakage. In this way the maliciousness of the program is determined more accurately.
The invention obtains pseudocode by decompiling the target program and builds a call structure tree from the call relations of the functions in the pseudocode, so that manual judgment of code is converted into machine judgment of a call structure tree in data form. Because the program to be detected is converted into a call structure tree, less of its information is distorted when it is handed to the machine for detection, which improves the accuracy and efficiency of determining whether the program is malicious. It also supports structured learning and judgment based on artificial intelligence.
Further, since the behavior data of the program to be detected obtained in S13 includes the behavior, the call relation of the behavior or the call location, it is convenient to carry out a secondary manual judgment in situations where detection accuracy needs to be improved further.
In some embodiments, before S11, i.e. before decompiling the program to be detected and obtaining pseudocode, it may also be judged whether the program to be detected contains packed and/or encrypted parts; if so, unpacking and/or decryption is performed.
In other embodiments, a malicious code determination system based on call relations, as shown in Fig. 2, includes:
A pseudocode acquisition module 21, for decompiling the program to be detected and obtaining pseudocode.
A call structure tree building module 22, for parsing the pseudocode and building a call structure tree.
Specifically, the call structure tree building module 22 parses the pseudocode to obtain the function-related information of each function and builds the call structure tree from that information. The function-related information includes the next-level functions called, the parameter-type strings, the APIs, and so on. Building the call structure tree includes: analyzing the function-related information and taking the functions that are not called by any other function as root nodes; analyzing the function-related information of the root node and extracting the function-related information and the parameter-type strings in the function as the attributes of each node; extracting the APIs in the function-related information as the values of each node; and taking the next-level functions called according to the function-related information of the root node as child nodes, recursively building the call relations of the entire program level by level.
A call structure tree matching module 23, for traversing the call structure tree, obtaining the behavior data of the program to be detected, and judging that the program contains malicious code when the obtained behavior data matches the predefined malicious behavior data, wherein the behavior data includes: the behavior, the call relation of the behavior, or the call location.
Specifically, the call structure tree is traversed with each node as an entry point, the behavior data of each node and its child nodes is obtained and matched against the predefined malicious behavior data, and if the match succeeds the relevant malicious behavior data is recorded. The behavior data includes: the behavior, the call relation of the behavior, or the call location. The call structure tree may be XML, JSON, a graph or another relational structure, and the matching rules are not limited.
In some embodiments, the malicious code determination system based on call relations further includes a preprocessing module 24, for judging in advance whether the program to be detected contains packed and/or encrypted parts and, if so, unpacking and/or decrypting them; the pseudocode acquisition module 21 then decompiles the program to be detected and obtains pseudocode.
The embodiments in this specification are described progressively; for identical or similar parts the embodiments may refer to one another, and each embodiment focuses on its differences from the others. The system embodiment in particular is described relatively briefly because it is substantially similar to the method embodiment; for the relevant parts, see the description of the method embodiment.
The above embodiments illustrate rather than limit the technical solution of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall be covered by the scope of the claims of the invention.
Claims (11)
1. A malicious code determination method based on call relations, characterized by comprising:
Decompiling the program to be detected and obtaining pseudocode;
Parsing the pseudocode and building a call structure tree;
Traversing the call structure tree, obtaining the behavior data of the program to be detected, and judging that the program to be detected contains malicious code when the obtained behavior data matches predefined malicious behavior data, wherein the behavior data includes: the behavior, the call relation of the behavior, or the call location.
2. The method of claim 1, characterized in that parsing the pseudocode and building the call structure tree includes:
Parsing the pseudocode to obtain the function-related information of each function, and building the call structure tree from that function-related information; wherein the function-related information includes: the next-level functions called, the parameter-type strings, and the APIs.
3. The method of claim 2, characterized in that the function-related information further includes: the way the function is called, the return value type of the function, and the parameter value types; wherein the way the function is called includes being called directly or being called through an API.
4. The method of claim 2 or 3, characterized in that building the call structure tree from the function-related information is specifically:
Analyzing the function-related information and taking the functions that are not called by any other function as root nodes;
Analyzing the function-related information of the root node, and extracting the way the function is called, the return value type, the parameter value types and the parameter-type strings in the function as the attributes of each node;
Extracting the APIs in the function-related information as the values of each node;
Taking the next-level functions called according to the function-related information of the root node as child nodes, and recursively building the call relations of the entire program level by level.
5. The method of claim 1, characterized in that the method of obtaining the behavior data of the program to be detected, and judging that the program contains malicious code when the obtained behavior data matches the predefined malicious behavior data, includes:
Traversing the call structure tree with each node as an entry point, obtaining the behavior data of each node and its child nodes, matching the behavior data against the predefined malicious behavior data and, if the match succeeds, recording the relevant malicious behavior data.
6. The method of any one of claims 1-5, characterized in that, before decompiling the program to be detected and obtaining pseudocode, the method further includes: judging whether the program to be detected contains packed and/or encrypted parts and, if so, unpacking and/or decrypting them.
7. A malicious code determination system based on call relations, characterized by comprising:
A pseudocode acquisition module, for decompiling the program to be detected and obtaining pseudocode;
A call structure tree building module, for parsing the pseudocode and building a call structure tree;
A call structure tree matching module, for traversing the call structure tree, obtaining the behavior data of the program to be detected, and judging that the program to be detected contains malicious code when the obtained behavior data matches predefined malicious behavior data, wherein the behavior data includes: the behavior, the call relation of the behavior, or the call location.
8. The system of claim 7, characterized in that the call structure tree building module is used for:
Parsing the pseudocode to obtain the function-related information of each function, and building the call structure tree from that function-related information; wherein the function-related information includes: the next-level functions called, the parameter-type strings, or the APIs.
9. The system of claim 7, characterized in that building the call structure tree from the function-related information is specifically:
Analyzing the function-related information and taking the functions that are not called by any other function as root nodes;
Analyzing the function-related information of the root node, and extracting the function-related information and the parameter-type strings in the function as the attributes of each node;
Extracting the APIs in the function-related information as the values of each node, and finally building the call structure tree;
Taking the next-level functions called according to the function-related information of the root node as child nodes, and recursively building the call relations of the entire program level by level.
10. The system of claim 7, characterized in that the call structure tree matching module is used for:
Traversing the call structure tree with each node as an entry point, obtaining the behavior data of each node and its child nodes, matching the behavior data against the predefined malicious behavior data and, if the match succeeds, recording the relevant malicious behavior data, and judging from all the malicious behavior data whether the program to be detected contains malicious code.
11. The system of any one of claims 7-10, characterized in that the malicious code determination system further includes: a preprocessing module, for judging, before the program to be detected enters the pseudocode acquisition module, whether the program to be detected contains packed and/or encrypted parts and, if so, unpacking and/or decrypting them.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610983736.4A CN108062476A (en) | 2016-11-08 | 2016-11-08 | A kind of malicious code determination method and system based on call relation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108062476A (en) | 2018-05-22 |
Family
ID=62137459
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610983736.4A Pending CN108062476A (en) | 2016-11-08 | 2016-11-08 | A kind of malicious code determination method and system based on call relation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108062476A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180522 |