CN108268772B - Method and system for screening malicious samples - Google Patents

Method and system for screening malicious samples Download PDF

Info

Publication number
CN108268772B
CN108268772B CN201611256407.6A CN201611256407A CN108268772B CN 108268772 B CN108268772 B CN 108268772B CN 201611256407 A CN201611256407 A CN 201611256407A CN 108268772 B CN108268772 B CN 108268772B
Authority
CN
China
Prior art keywords
malicious
similarity
sample
screening
samples
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611256407.6A
Other languages
Chinese (zh)
Other versions
CN108268772A (en
Inventor
孙岩
罗成
潘宣辰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Antiy Mobile Security Co ltd
Original Assignee
Wuhan Antiy Mobile Security Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Antiy Mobile Security Co ltd filed Critical Wuhan Antiy Mobile Security Co ltd
Priority to CN201611256407.6A priority Critical patent/CN108268772B/en
Publication of CN108268772A publication Critical patent/CN108268772A/en
Application granted granted Critical
Publication of CN108268772B publication Critical patent/CN108268772B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis

Abstract

The invention provides a method for screening a malicious sample, which comprises the following steps: and (3) similarity calculation: performing feature extraction on malicious samples in a known malicious sample set, and calculating the similarity between every two malicious samples; calculating a structural hole: calculating structural holes of the malicious samples according to the similarity; screening: and selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement. According to the invention, the thought of the structural hole is introduced into the technical field of malicious code analysis, so that a plurality of malicious samples can be effectively subjected to sample screening, and the efficiency of analyzing the malicious samples is improved.

Description

Method and system for screening malicious samples
Technical Field
The invention relates to the technical field of mobile terminal malicious code analysis, in particular to a method and a system for screening a malicious sample.
Background
Professor of robington barton, a human university of oxford, proposed that the human brain could accommodate a stable social network of about 150 people, and once the circle of people exceeds this value, it was difficult to maintain a consolidated social relationship, an upper limit known as the magic spell of toboggan.
Through analysis, the malicious code parts of the mobile terminal have high aggregability, namely, after the highly aggregated samples are subjected to 'de-duplication', the number of the malicious codes of the mobile terminal generated by a single organization or a single individual is limited.
It can be seen that, from the perspective of human brain structures and malicious code manufacturers, the functions and the construction of the malicious code of the mobile terminal are resource-scarce, and the repeated or redundant malicious code not only consumes the strength of security analysis detection, but also enables people to know the trend of the overall malicious code and greatly reduce the scale. When the manufacturing samples of an attacker are all duplicate networks, the information obtained by the attacker is homogeneous, everyone knows the information, and other people in the network know the information, so that people find the same opportunity at the same time, and the whole network is low in efficiency.
In addition, because the number of malicious codes is huge, a representative malicious sample tends to be researched intensively in the threat situation field, and therefore, how to screen out the important malicious sample is a focus of attention.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the method and the system for screening the malicious samples can improve the efficiency of screening the malicious samples.
The technical scheme adopted by the invention for solving the technical problems is as follows: a screening method of a malicious sample comprises the following steps:
and (3) similarity calculation: performing feature extraction on malicious samples in a known malicious sample set, and calculating the similarity between every two malicious samples;
calculating a structural hole: calculating structural holes of the malicious samples according to the similarity;
screening: and selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement.
According to the method, the screening comprises the following steps: when a certain malicious sample needs to be traced, and the path of the malicious sample cannot be known, the malicious sample with the smallest structural hole with the malicious sample is inquired as a homologous malicious sample, and the homologous malicious sample is traced.
According to the method, the screening comprises the following steps: and setting a structural hole threshold, and only analyzing and judging the malicious samples with structural holes larger than a preset maximum threshold.
According to the method, the analysis and screening further comprises the following steps: when a new malicious sample appears, respectively carrying out structure hole calculation on each new malicious sample; if the structure hole is larger than the new malicious sample with the preset structure hole threshold value, only the new malicious sample with the structure hole larger than the preset maximum threshold value is analyzed and judged.
According to the method, the specific method for calculating the structural hole is as follows: let i, j, q all be the malicious samples in the sample set,
definition PiqThe ratio of the similarity from i to q to the sum of all the similarities of i is:
Figure BDA0001198908770000021
in the formula (d)iqPhases of i and qSimilarity; dijSimilarity of i and j;
defining marginal strengths m of j to qjqComprises the following steps:
Figure BDA0001198908770000022
in the formula (d)jqIs the similarity of j and q, djmIs the similarity of j to m,
Figure BDA0001198908770000023
represents the maximum of all the similarities of j;
then, the structural hole Scale of the malicious sample iiComprises the following steps:
Figure BDA0001198908770000024
a screening system of malicious samples comprises a similarity calculation module, a structure hole calculation module and a screening module, wherein:
the similarity calculation module is used for extracting the characteristics of malicious samples in a known malicious sample set and calculating the similarity between every two malicious samples;
the structure hole calculation module is used for calculating the structure holes of the malicious samples according to the similarity;
and the screening module is used for selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement.
According to the system, the screening module comprises a source tracing screening module, and the source tracing screening module is used for querying a malicious sample with the smallest structural hole with the malicious sample as a homologous malicious sample when a certain malicious sample needs to be traced, and the path of the malicious sample cannot be known, and tracing the homologous malicious sample.
According to the system, the screening module comprises an analysis screening module which is used for setting a structural hole threshold value and only analyzing and judging the malicious samples with structural holes larger than a preset maximum threshold value.
According to the system, the analysis screening module is also used for respectively calculating the structural hole of each new malicious sample when the new malicious sample appears; if the structure hole is larger than the new malicious sample with the preset structure hole threshold value, only the new malicious sample with the structure hole larger than the preset maximum threshold value is analyzed and judged.
According to the system, the structural hole calculation module is used for calculating according to the following formula: let i, j, q all be the malicious samples in the sample set,
definition PiqThe ratio of the similarity from i to q to the sum of all the similarities of i is:
Figure BDA0001198908770000031
in the formula (d)iqSimilarity of i and q; dijSimilarity of i and j;
defining marginal strengths m of j to qjqComprises the following steps:
Figure BDA0001198908770000032
in the formula (d)jqIs the similarity of j and q, djmIs the similarity of j to m,
Figure BDA0001198908770000033
represents the maximum of all the similarities of j;
then, the structural hole Scale of the malicious sample iiComprises the following steps:
Figure BDA0001198908770000034
the invention has the beneficial effects that:
1. the thought of the structural hole is introduced into the technical field of malicious code analysis, the relationship between malicious samples is further deeply depicted, the samples can be effectively screened for numerous malicious samples, and the efficiency of screening the malicious samples is improved.
2. Aiming at different actual requirements, selecting malicious samples corresponding to structural holes with different sizes, and selecting the malicious samples with the structural holes larger than the structural hole threshold value when analyzing and judging the malicious samples; when the malicious sample needs to be subjected to route-opening tracing, for the condition that the tracing capability of a certain malicious sample is insufficient, the route-opening is performed by using other related samples, and the purpose of tracing is finally achieved.
Drawings
FIG. 1 is a schematic diagram of structure hole calculation according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method according to an embodiment of the present invention.
FIG. 3 is a system block diagram of an embodiment of the present invention.
Fig. 4 is a schematic diagram of the structure of an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following specific examples and figures.
The invention provides a screening method of a malicious sample, as shown in fig. 2, the method comprises the following steps:
s01, similarity calculation: and (4) carrying out feature extraction on malicious samples in a known sample set, and calculating the similarity between every two malicious samples.
The method for calculating the similarity of the samples comprises cosine similarity, Euclidean distance, Manhattan distance and the like. Of course, the chinese patent application CN105975852A can also be referred to, and the similarity is calculated according to the requirement and the multi-dimensional extraction features of each index.
S02, structural hole calculation: and calculating the structural holes of the malicious samples according to the similarity.
The invention relates to the field of malicious sample analysis by introducing the concept of structural holes.
Structural hole: a non-duplicate relationship between two relationship samples in a network. Non-repetitive relational samples are related by a structural hole.
The structural holes have the following meanings: 1) the more structural holes of a sample, the more sparse the network structure of similar samples of the sample; 2) the larger the structural hole is, the larger the network scale formed by the indirect samples is; 3) the heterogeneity level of the obtained information of a sample is measured by the size of the structural hole of the sample, and the larger the structural hole is, the higher the heterogeneity level is; 4) the sample with large structural holes has higher utilization efficiency and more effective analysis and traceability than the sample network with small structural holes.
Assuming that for a certain mobile malicious sample i, there are n similar samples at the time scale t, and there are m sides in total between these n +1 samples (defined as set U), it is now necessary to evaluate the sample network centered on i (defined as set E,
Figure BDA0001198908770000045
) Redundancy or efficiency case. The edge is the similarity and is a numerical value between 0 and 1.
As shown in FIG. 1, to measure the redundancy centered at i, the redundancy of the edges of i-j and other relational samples is defined. The path for i to get information through j becomes redundant in the following cases: a) i pay more time and effort on another relationship sample q; b) j and q are strongly correlated.
Definition of piqThe ratio of the similarity from i to q to the sum of all the similarities of i is:
Figure BDA0001198908770000041
in the formula (d)iqSimilarity of i to q; dijIs the similarity of i to j.
Defining marginal strengths m of j to qjqComprises the following steps:
Figure BDA0001198908770000042
in the formula (d)jqIs the similarity of j to q, djmIs the similarity of j to m and,
Figure BDA0001198908770000043
represents the maximum of all the similarities of j.
By bringing all similar samples into the accumulation, the redundant relationship of i to j can be measured as the ratio of i to the sum of all other primary relationships:
Figure BDA0001198908770000044
subtracting the redundancy ratio by 1 is the non-redundancy ratio in the relationship. The sum of all non-redundant relationships of i is the magnitude of the non-redundant relationship sample of i, or the effective scale of the network with i as the center, namely the structural hole of i:
Figure BDA0001198908770000051
it can be understood that, in the specific calculation, the structural hole calculation may be performed according to the attribute of the sample itself (e.g., the sample class name, the method name, etc.), or the index construction may be performed according to the remaining information of the malicious sample (e.g., the source, the user, etc.), and then the structural hole calculation is performed.
The structural hole described above is constructed assuming 4 malicious samples A, B, C, D (which may be tens of thousands in practice, just for illustration).
1. Extracting class names and method names of the malicious samples, comparing similarity in pairs, and calculating the similarity as follows:
1) assuming that the number of the coincident class name method names of the two samples is 20, and the data of the whole class name method name related to the two samples is 40, the similarity of the two samples is 20/40-0.5.
2) If 4 samples need to calculate similarity for 6 times, the structure diagram is shown in fig. 4:
2. calculating structural holes, e.g. structural hole A
1)PAB=0.6/(0.6+0.7+0.4)=0.353
PAC=0.4/(0.6+0.7+0.4)=0.235
PAD=0.7/(0.6+0.7+0.4)=0.412
2)MDB=0.8/0.9=0.889
MDA=0.7/0.9=0.778
MDC=0.9/0.9=1
3) When j is equal to D
Structural hole Scale of A and DAD=1-0.353*0.889-0.412*0.778-0.235*1=0.130
And so on, when j ═ B and C calculate similarly
Structural hole Scale of AA=ScaleAD+ScaleAB+ScaleAC
S03, screening: and selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement.
The screening comprises tracing screening S301: when a certain malicious sample needs to be traced, and the path of the malicious sample cannot be known, the malicious sample with the smallest structural hole with the malicious sample is inquired as a homologous malicious sample, and the homologous malicious sample is traced.
The screening comprises analytical screening S302: and setting a structural hole threshold, and only analyzing and judging the malicious samples with structural holes larger than a preset maximum threshold. The analytical screening also includes: when a new malicious sample appears, respectively carrying out structure hole calculation on each new malicious sample; if the new malicious samples with the structural holes larger than the preset structural hole threshold value exist, only the new malicious samples with the structural holes larger than the preset maximum threshold value are analyzed, researched and judged. The method can be well applied to the fields of threat information and the like, and can quickly, efficiently and accurately screen out the malicious samples needing important analysis and judgment under the condition of a lot of malicious samples.
According to the method, the structural holes of the known malicious samples are constructed by calculating the similarity between every two malicious samples in the sample set, and the new malicious samples can be screened according to the size of the structural holes and actual requirements. The method applies the structural hole to the malicious sample relational network to evaluate the quality and the condition of the malicious sample in the whole network so as to extract the key malicious sample, can be widely applied to the fields of backtracking of the malicious sample, screening of key samples in the threat information field and the like, and has the characteristics of convenience in realization, high screening efficiency and high accuracy of screening results.
In other embodiments, a system for screening malicious samples is shown in fig. 3, and includes: similarity calculation module 01, structure hole calculation module 02, screening module 03, wherein:
and the similarity calculation module 01 is used for performing feature extraction on malicious samples in a known malicious sample set and calculating the similarity between every two malicious samples in the sample set.
And the structure hole calculation module 02 is used for calculating the structure holes of the malicious samples according to the similarity.
And the screening module 03 is used for selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement.
The screening module comprises a source tracing screening module 301, which is used for querying a malicious sample with the smallest structural hole as a homologous malicious sample to trace the source of the homologous malicious sample when a certain malicious sample needs to be traced and the path of the malicious sample cannot be known.
The screening module comprises an analysis screening module 302, which is used for setting a structural hole threshold value and only analyzing and judging the malicious samples with structural holes larger than a preset maximum threshold value. The analysis screening module is also used for respectively calculating the structural hole of each new malicious sample when the new malicious sample appears; if a new malicious sample with a structural hole larger than a preset structural hole threshold value exists, only the new malicious sample with the structural hole larger than a preset maximum threshold value is analyzed and judged; otherwise, analyzing and judging all new malicious samples.
The structural hole calculation module 02 is used for calculating according to the following formula: let i, j, q all be the malicious samples in the sample set,
definition PiqThe ratio of the similarity from i to q to the sum of all the similarities of i is:
Figure BDA0001198908770000061
in the formula (d)iqSimilarity of i and q; dijSimilarity of i and j;
defining marginal strengths m of j to qjqComprises the following steps:
Figure BDA0001198908770000062
in the formula (d)jqIs the similarity of j and q, djmIs the similarity of j to m,
Figure BDA0001198908770000063
represents the maximum of all the similarities of j;
then, the structural hole Scale of the malicious sample iiComprises the following steps:
Figure BDA0001198908770000071
in other embodiments, before calculating the structural hole, a correlation coefficient calculation may be added: setting a similarity threshold, wherein when the similarity is greater than or equal to the similarity threshold, the correlation coefficient between the two malicious samples is 1; otherwise, the correlation coefficient between the two malicious samples is 0. Then, the correlation coefficient is used for replacing the similarity to carry out specific calculation of the structural hole, namely:
definition PiqThe correlation coefficients from i to q account for the sum of all correlation coefficients i, i.e.:
Figure BDA0001198908770000072
in the formula, biqThe correlation coefficient of i and q; bijThe correlation coefficient of i and j;
defining marginal strengths m of j to qjqComprises the following steps:
Figure BDA0001198908770000073
in the formula (d)jqIs the correlation coefficient of j and q, djmIs the correlation coefficient of j with m,
Figure BDA0001198908770000074
represents the maximum of all correlation coefficients of j;
then, the structural hole Scale of the malicious sample iiComprises the following steps:
Figure BDA0001198908770000075
in the above, the relation number may be understood as a special case where the similarity is only 0 or 1. By adopting the system, when the external tracing product is used, only malicious samples need to be input, and tracing analysis is carried out according to the largest malicious samples close to the structural hole. When threat intelligence data is found, structural hole homology discovery is adopted for solving the problem of insufficient coverage of a single malicious sample, and the same attacker and the same attack mode are supplemented for the malicious sample. The tracing and analysis are only 2 scenes applied to the structural holes, and the malicious samples can form a non-redundant network by using the structural holes, so that the malicious samples can be screened according to the structural holes during various analysis processes, and the analysis efficiency is improved.
The above embodiments are only used for illustrating the design idea and features of the present invention, and the purpose of the present invention is to enable those skilled in the art to understand the content of the present invention and implement the present invention accordingly, and the protection scope of the present invention is not limited to the above embodiments. Therefore, all equivalent changes and modifications made in accordance with the principles and concepts disclosed herein are intended to be included within the scope of the present invention.

Claims (8)

1. A screening method of a malicious sample is characterized in that: the method comprises the following steps:
and (3) similarity calculation: performing feature extraction on malicious samples in a known malicious sample set, and calculating the similarity between every two malicious samples;
calculating a structural hole: calculating structural holes of the malicious samples according to the similarity;
screening: selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement;
the specific method for calculating the structural hole is as follows: let i, j, q all be the malicious samples in the sample set,
definition PiqThe ratio of the similarity from i to q to the sum of all the similarities of i is:
Figure FDA0003130645100000011
in the formula (d)iqSimilarity of i and q; dijSimilarity of i and j;
defining marginal strengths m of j to qjqComprises the following steps:
Figure FDA0003130645100000012
in the formula (d)jqIs the similarity of j and q, djmIs the similarity of j to m,
Figure FDA0003130645100000013
represents the maximum of all the similarities of j;
then, the structural hole Scale of the malicious sample iiComprises the following steps:
Figure FDA0003130645100000014
2. the screening method of a malicious sample according to claim 1, wherein: the screening comprises source tracing screening: when a certain malicious sample needs to be traced, and the path of the malicious sample cannot be known, the malicious sample with the smallest structural hole with the malicious sample is inquired as a homologous malicious sample, and the homologous malicious sample is traced.
3. The method for screening a malicious sample according to claim 1 or 2, wherein: the screening comprises the following steps: and setting a structural hole threshold value, and only analyzing and judging the malicious samples with structural holes larger than the preset structural hole threshold value.
4. The screening method of a malicious sample according to claim 3, wherein: the analysis screening further comprises: when a new malicious sample appears, respectively carrying out structure hole calculation on each new malicious sample; if the new malicious samples with the structural holes larger than the preset structural hole threshold value exist, only the new malicious samples with the structural holes larger than the preset structural hole threshold value are analyzed and judged.
5. A system for screening a malicious sample, comprising: including similarity calculation module, structure hole calculation module, screening module, wherein:
the similarity calculation module is used for extracting the characteristics of malicious samples in a known malicious sample set and calculating the similarity between every two malicious samples;
the structure hole calculation module is used for calculating the structure holes of the malicious samples according to the similarity;
the screening module is used for selecting a malicious sample meeting the requirement according to the size of the structural hole and the actual requirement;
the structural hole calculation module is used for calculating according to the following formula: let i, j, q all be the malicious samples in the sample set,
definition PiqThe ratio of the similarity from i to q to the sum of all the similarities of i is:
Figure FDA0003130645100000021
in the formula (d)iqSimilarity of i and q; dijSimilarity of i and j;
defining marginal strengths m of j to qjqComprises the following steps:
Figure FDA0003130645100000022
in the formula (d)jqIs the similarity of j and q, djmIs the similarity of j to m,
Figure FDA0003130645100000023
represents the maximum of all the similarities of j;
then, the structural hole Scale of the malicious sample iiComprises the following steps:
Figure FDA0003130645100000024
6. the system for screening a malicious sample according to claim 5, wherein: the screening module comprises a source tracing screening module, and is used for querying a malicious sample with the smallest structure hole as a homologous malicious sample to trace the source of the homologous malicious sample when a certain malicious sample needs to be traced, and the path of the malicious sample cannot be known.
7. The system for screening a malicious sample according to claim 5 or 6, wherein: the screening module comprises an analysis screening module which is used for setting a structural hole threshold value and only analyzing and judging the malicious samples of which the structural hole is larger than the preset structural hole threshold value.
8. The system for screening a malicious sample according to claim 7, wherein: the analysis screening module is also used for respectively calculating the structural hole of each new malicious sample when the new malicious sample appears; if the new malicious samples with the structural holes larger than the preset structural hole threshold value exist, only the new malicious samples with the structural holes larger than the preset structural hole threshold value are analyzed and judged.
CN201611256407.6A 2016-12-30 2016-12-30 Method and system for screening malicious samples Active CN108268772B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611256407.6A CN108268772B (en) 2016-12-30 2016-12-30 Method and system for screening malicious samples

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611256407.6A CN108268772B (en) 2016-12-30 2016-12-30 Method and system for screening malicious samples

Publications (2)

Publication Number Publication Date
CN108268772A CN108268772A (en) 2018-07-10
CN108268772B true CN108268772B (en) 2021-10-22

Family

ID=62754367

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611256407.6A Active CN108268772B (en) 2016-12-30 2016-12-30 Method and system for screening malicious samples

Country Status (1)

Country Link
CN (1) CN108268772B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116992449B (en) * 2023-09-27 2024-01-23 北京安天网络安全技术有限公司 Method and device for determining similar sample files, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013114637A (en) * 2011-12-01 2013-06-10 Mitsubishi Electric Corp Malware analyzing system
CN105488408A (en) * 2014-12-31 2016-04-13 中国信息安全认证中心 Identification method and system of malicious sample type on the basis of characteristics
CN105975852A (en) * 2015-12-31 2016-09-28 武汉安天信息技术有限责任公司 Method and system for detecting sample relevance based on label propagation
CN105989287A (en) * 2015-12-30 2016-10-05 武汉安天信息技术有限责任公司 Method and system for judging homology of massive malicious samples

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013114637A (en) * 2011-12-01 2013-06-10 Mitsubishi Electric Corp Malware analyzing system
CN105488408A (en) * 2014-12-31 2016-04-13 中国信息安全认证中心 Identification method and system of malicious sample type on the basis of characteristics
CN105989287A (en) * 2015-12-30 2016-10-05 武汉安天信息技术有限责任公司 Method and system for judging homology of massive malicious samples
CN105975852A (en) * 2015-12-31 2016-09-28 武汉安天信息技术有限责任公司 Method and system for detecting sample relevance based on label propagation

Also Published As

Publication number Publication date
CN108268772A (en) 2018-07-10

Similar Documents

Publication Publication Date Title
Yu et al. PBCNN: packet bytes-based convolutional neural network for network intrusion detection
US10324977B2 (en) Searching method and apparatus
US9705761B2 (en) Opinion information display system and method
CN110443378A (en) Feature correlation analysis method, device and readable storage medium storing program for executing in federation's study
CN106713290B (en) Method for identifying main user account and server
CN105550583A (en) Random forest classification method based detection method for malicious application in Android platform
CN105550253B (en) Method and device for acquiring type relationship
CA3152848A1 (en) User identifying method and device, and computer equipment
CN107368592B (en) Text feature model modeling method and device for network security report
CN113221032A (en) Link risk detection method, device and storage medium
CN112148305A (en) Application detection method and device, computer equipment and readable storage medium
CN111400448A (en) Method and device for analyzing incidence relation of objects
CN111553241A (en) Method, device and equipment for rejecting mismatching points of palm print and storage medium
CN115174250A (en) Network asset safety assessment method and device, electronic equipment and storage medium
CN108268772B (en) Method and system for screening malicious samples
US20160292258A1 (en) Method and apparatus for filtering out low-frequency click, computer program, and computer readable medium
CN112613576B (en) Method, device, electronic equipment and storage medium for determining alarm
CN110580304A (en) Data fusion method and device, computer equipment and computer storage medium
CN114386511A (en) Malicious software family classification method based on multi-dimensional feature fusion and model integration
Vogt Quantifying landscape fragmentation
Zhou et al. An adaptive minimum spanning tree test for detecting irregularly-shaped spatial clusters
CN106326746B (en) A kind of rogue program behavioural characteristic base construction method and device
CN115589339B (en) Network attack type identification method, device, equipment and storage medium
CN112732693A (en) Intelligent internet of things data acquisition method, device, equipment and storage medium
CN115632874A (en) Method, device, equipment and storage medium for detecting threat of entity object

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant