CN108595955A - Android mobile phone malicious application detection system and method - Google Patents

Info

Publication number
CN108595955A
Authority
CN
China
Prior art keywords
neural networks
sample
mobile phone
extraction module
files
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810377452.XA
Other languages
Chinese (zh)
Other versions
CN108595955B (en)
Inventor
朱潜
薛旸
杜晓凡
付奎源
王伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northeastern University China
Original Assignee
Northeastern University China

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

An Android mobile phone malicious application detection system, belonging to the technical field of mobile phone detection. The system comprises a positive and negative sample collection module, a static feature extraction module, a dynamic feature extraction module, a neural network module and a monitoring result output module. The invention combines static analysis based on software code with dynamic monitoring based on software behavior, so that detection is no longer a static analysis based purely on signature technology; instead, whether software is malware is judged by analyzing both its code and its behavior after it runs, which makes detection more accurate. Malware samples and safe software samples are collected, static feature vectors and dynamic feature matrices are obtained from them, and two neural networks, an MLP neural network and an RNN neural network, are trained on a large number of samples to learn and detect automatically, greatly improving efficiency and accuracy.

Description

An Android mobile phone malicious application detection system and method
Technical Field
The present invention relates to the technical field of mobile phone detection, and in particular to an Android mobile phone malicious application detection system and method.
Background
The foreign market research company Kantar Worldpanel recently published the latest rankings of the global smartphone market as of the first quarter of 2017. Taking the domestic market as an example, the market share of Android phones rose from 76.4% last year to 86.4%, an increase of 10%. Domestic handset manufacturing is flourishing, and the operating system it uses is Android. As the number of Android phone users grows, Android malicious applications grow as well. According to a report by Qihoo 360, over the whole of 2016 the 360 Internet Security Center intercepted a cumulative 14.033 million new malicious program samples on the Android platform, an average of 38,000 new samples per day. Android users were infected by malicious programs 253 million times, an average of about 700,000 infections per day. These malicious applications steal the private data of Android phone users, damage phone functions and interfere with normal use of the phone.
With so large a user base and malicious applications so widespread, whether an Android application is safe is especially important. Most of the literature shows that existing methods for detecting malicious applications fall into two main classes: signature-based detection and detection based on software behavior. In signature-based detection, once suspicious software behavior is first discovered and analyzed, a signature is generated for that malware. The signature is distributed, and anti-virus software eventually catches the malware by signature matching. Signature-based detection has the following problems. First, the period from the start of a malware's spread to its detection is generally long, usually several weeks or even months, during which many systems are harmed. Second, signature-based methods can only catch malware for which a signature already exists and have no defense against unknown attacks. Third, signature-based detection cannot make accurate judgments about compressed, encrypted or transformed malicious code. Detection based on software behavior is better and more accurate than signature-based detection, but it is still relatively simple and not comprehensive.
Summary of the Invention
To solve the problems in the prior art, the present invention provides an Android mobile phone malicious application detection system. The system comprises a positive and negative sample collection module, a static feature extraction module, a dynamic feature extraction module, a neural network module and a monitoring result output module;
The positive and negative sample collection module comprises a positive sample set and a negative sample set;
The static feature extraction module covers the AndroidManifest.xml file and the class.dex file: the system permission list is obtained by analyzing the AndroidManifest.xml file, the list of called APIs is obtained by analyzing the class.dex file, and the permission list and the API list are used as the static feature vector;
The dynamic feature extraction module puts the Android application package into the DroidBox sandbox and runs it, then inspects the log file produced by the run to obtain the frequency with which the software calls application programming interfaces (APIs) in fixed time periods, which is used as the dynamic feature vector matrix;
The neural network module comprises an MLP neural network and an RNN neural network. The MLP neural network contains multiple neurons; each neuron in each layer computes a weighted sum of an input vector, passes it through an activation function and transmits the output to every neuron of the next layer. The MLP neural network takes the static feature vector as input. The RNN neural network processes sequence data; its structure combines as many single-layer perceptrons as the sequence is long, and the output of each single-layer perceptron, together with the next input vector of the sequence, forms the input of the next single-layer perceptron. The RNN neural network takes the dynamic feature vectors as input. Both the MLP neural network and the RNN neural network are trained with the back-propagation algorithm;
After the static feature extraction module and the dynamic feature extraction module have run, the monitoring result output module passes the feature vector and the feature matrix into the trained neural networks, computes a probability as the weighted sum of their results, that is, the likelihood that the application is malicious, and outputs the result.
The AndroidManifest.xml file and the class.dex file are components of the installation package, which contains Lib files, assets files, META-INF files, the AndroidManifest.xml file, the class.dex file and the resource.arsc file.
The static feature is a 177-dimensional 0-1 vector: an entry is set to 1 if the software has the corresponding permission and to 0 if it does not.
Each app is run for 15 s, and the per-second counts of 11 kinds of operations form a 15*11-dimensional dynamic feature matrix.
In training the MLP neural network and the RNN neural network, 80% of the samples are randomly selected as the training set and the remaining 20% serve as the validation set or test set.
The back-propagation algorithm uses as the loss function the sum of the differences between the sample output values and the values predicted by the model, takes the partial derivative of this expression with respect to each model parameter to obtain the gradient, adjusts each parameter in the negative gradient direction by a step the size of the learning rate, and iterates until the loss function of the whole model converges to a minimum; model training is then complete, and the model is tested on the prediction set.
The method of using the Android mobile phone malicious application detection system comprises:
Step 1: collect two sample libraries from different sources, forming respectively the negative sample set (the malicious Android application sample library) and the positive sample set (the benign Android application sample library);
Step 2: pass all applications in the two sample libraries through the static feature extraction module, obtaining from the AndroidManifest.xml file the list of system permissions the Android application requests and from the class.dex file the list of APIs it calls, and generate a 177-dimensional 0-1 static feature vector in which each entry represents whether a given permission or API is requested or called;
Step 3: use all the features extracted from the positive and negative Android samples in step 2 to train the MLP neural network by the back-propagation algorithm; the final MLP neural network has three layers, a dropout rate of 0.2 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
Step 4: pass all applications in the two sample libraries through the dynamic feature extraction module, obtain the log file through DroidBox, and obtain the frequency with which the software calls application programming interfaces (APIs) in fixed time periods, yielding a 15*11-dimensional feature matrix for each application;
Step 5: use all the feature matrices obtained in step 4 to train the RNN neural network by the back-propagation algorithm; the final RNN neural network has 15 layers, a learning rate of 0.01 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
Step 6: pass the sample under test through the static feature extraction module to obtain its 177-dimensional static feature vector;
Step 7: feed the 177-dimensional feature vector into the MLP neural network trained in step 3 and take the predicted probability of the static classification as output;
Step 8: pass the sample under test through the dynamic feature extraction module to obtain its 15*11-dimensional feature matrix;
Step 9: feed the 15*11-dimensional feature matrix into the RNN neural network trained in step 5 and take the predicted probability of the dynamic classification as output;
Step 10: compute the weighted sum of the results of step 7 and step 9 as the probability that the sample under test is a malicious application.
Advantageous effects: the invention combines static analysis based on software code with dynamic monitoring based on software behavior, so that detection is no longer a static analysis based solely on signature technology; instead, whether software is malware is judged by analyzing both its code and its behavior after it runs, which makes detection more accurate. Malware samples and safe software samples are collected, static feature vectors and dynamic feature matrices are obtained from them, and two neural networks, an MLP neural network and an RNN neural network, are trained on a large number of samples to learn and monitor automatically, greatly improving efficiency and accuracy.
Brief Description of the Drawings
Fig. 1 is a schematic diagram of the module structure provided by the invention;
Fig. 2 is a schematic diagram of the monitoring flow provided by the invention;
Fig. 3 is a diagram of the file content structure of the Android application installation package provided by the invention;
Fig. 4 is a structure diagram of AndroidManifest.xml in the Android application installation package provided by the invention;
Fig. 5 is a structure diagram of the class.dex file in the Android application installation package provided by the invention;
Fig. 6 is a schematic diagram of the monitoring result output for a safe Android application provided by the invention;
Fig. 7 is a schematic diagram of the monitoring result output for a malicious Android application provided by the invention.
Detailed Description
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings in the embodiments.
As shown in Figures 1 to 7, the present invention provides an Android mobile phone malicious application detection system comprising a positive and negative sample collection module 1, a static feature extraction module 2, a dynamic feature extraction module 3, a neural network module 4 and a monitoring result output module 5;
The positive and negative sample collection module 1 comprises a positive sample set and a negative sample set; the positive sample set is the safe software sample set and the negative sample set is the malware sample set;
The static feature extraction module 2 covers the AndroidManifest.xml file 201 and the class.dex file 202. The AndroidManifest.xml file 201 describes the functions of the Android application and the system permissions 203 that those functions require. The class.dex file 202 is the bytecode file, runnable on the Android Dalvik virtual machine, into which the Java code is converted; analyzing it yields the list of APIs 204 it calls. The system permission 203 list is obtained by analyzing the AndroidManifest.xml file 201, the called API 204 list is obtained by analyzing the class.dex file 202, and the permission list and the API list are used as the static feature vector;
The dynamic feature extraction module 3 puts the Android application package into the DroidBox sandbox 301 and runs it. DroidBox is a dynamic analysis tool that shows the actions a piece of software performs at run time. By running the software and inspecting the log file 302 produced by the run, the frequency with which the software calls application programming interfaces (APIs) in fixed time periods is obtained and used as the dynamic feature vector matrix;
The neural network module 4 comprises an MLP neural network 206 and an RNN neural network 304; the MLP neural network 206 is a multi-layer perceptron neural network and the RNN neural network 304 is a recurrent neural network. The MLP neural network 206 contains multiple neurons; each neuron in each layer computes a weighted sum of an input vector, passes it through an activation function and transmits the output to every neuron of the next layer, so that a set of input vectors is mapped to a set of output vectors through a non-linear relationship and the regularities in the data are found. The MLP neural network 206 takes the static feature vector as input. The RNN neural network 304 processes sequence data, that is, data in which the classification result of the current item is closely related to the preceding and following items of the sequence. Its structure combines as many single-layer perceptrons as the sequence is long, and the output of each single-layer perceptron, together with the next input vector of the sequence, forms the input of the next single-layer perceptron, which gives the neural network memory and persistence for earlier data. The RNN neural network takes the dynamic feature vectors as input. Both the MLP neural network and the RNN neural network are trained with the back-propagation algorithm;
After the static feature extraction module 2 and the dynamic feature extraction module 3 have run, the monitoring result output module 5 passes the feature vector and the feature matrix into the trained neural networks, computes the probability 7 as the weighted sum of their results, that is, the likelihood that the application is malicious, and outputs the result 8; the user decides whether to install the application according to the percentage value.
The AndroidManifest.xml file 201 and the class.dex file 202 are components of the installation package, which includes Lib files 601, assets files 602, META-INF files 603, the AndroidManifest.xml file 201, the class.dex file 202 and the resource.arsc file 604.
The static feature is a 177-dimensional 0-1 vector: an entry is set to 1 if the software has the corresponding permission and to 0 if it does not.
Each app is run for 15 s, and the per-second counts of 11 kinds of operations are used as the dynamic feature.
In training the MLP neural network 206 and the RNN neural network 304, 80% of the samples are randomly selected as the training set and the remaining 20% serve as the validation set or test set; training continues until a good accuracy is obtained on the validation set, and the model parameters are then saved.
The back-propagation algorithm uses as the loss function the sum of the differences between the sample output values and the values predicted by the model, takes the partial derivative of this expression with respect to each model parameter to obtain the gradient, adjusts each parameter in the negative gradient direction by a step the size of the learning rate, and iterates until the loss function of the whole model converges to a minimum; model training is then complete, and the model is tested on the prediction set. The MLP neural network 206 and the RNN neural network 304 are trained in this way by back-propagation.
The method of the Android mobile phone malicious application detection system in the present invention comprises:
Step 1: collect two sample libraries from different sources, forming respectively the negative sample set (the malicious Android application sample library) and the positive sample set (the benign Android application sample library);
Step 2: pass all applications in the two sample libraries through the static feature extraction module 2, obtaining from the AndroidManifest.xml file 201 the list of system permissions 203 the Android application requests and from the class.dex file 202 the list of APIs 204 it calls, and generate a 177-dimensional 0-1 static feature vector in which each entry represents whether a given permission or API is requested or called;
Step 3: use all the features extracted from the positive and negative Android samples in step 2 to train the MLP neural network 206 by the back-propagation algorithm; the final MLP neural network 206 has three layers, a dropout rate of 0.2 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
Step 4: pass all applications in the two sample libraries through the dynamic feature extraction module 3, obtain the log file through DroidBox, and obtain the frequency with which the software calls application programming interfaces (APIs) in fixed time periods, yielding a 15*11-dimensional feature matrix 303 for each application;
Step 5: use all the feature matrices obtained in step 4 to train the RNN neural network 304 by the back-propagation algorithm; the final RNN neural network 304 has 15 layers, a learning rate of 0.01 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
Step 6: pass the sample under test through the static feature extraction module 2 to obtain its 177-dimensional static feature vector 205;
Step 7: feed the 177-dimensional feature vector into the MLP neural network 206 trained in step 3 and take the predicted probability of the static classification as output;
Step 8: pass the sample under test through the dynamic feature extraction module 3 to obtain its 15*11-dimensional feature matrix 303;
Step 9: feed the 15*11-dimensional feature matrix 303 into the RNN neural network 304 trained in step 5 and take the predicted probability of the dynamic classification as output;
Step 10: compute the weighted sum of the results of step 7 and step 9 as the probability 304 that the sample under test is a malicious application.
Working principle: the invention first uses the positive and negative sample collection module 1 to collect malicious Android application samples and benign Android application samples. It then obtains the system permission 203 list from the AndroidManifest.xml file 201 in the installation package APK 6 and the called API 204 list from the class.dex file 202 in the installation package APK 6, generates the 177-dimensional static feature vector 205 from the system permission 203 list and the API list 204, and feeds it into the MLP neural network 206 trained by the back-propagation algorithm; the model parameters with the highest accuracy are determined by five-fold cross-validation, and the predicted probability of the static classification is obtained as output. Next, all applications in the positive and negative sample collection module 1 are passed through the dynamic feature extraction module to obtain the 15*11-dimensional feature matrix 303 of each application, which is fed into the RNN neural network 304 trained by the back-propagation algorithm; again the model parameters with the highest accuracy are determined by five-fold cross-validation, and the predicted probability of the dynamic classification is obtained as output. Finally, the weighted sum of the static and dynamic predicted probabilities is computed as the probability 7 that the sample under test is a malicious application.
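The pipeline summarized above reduces each app to a 0-1 static vector and a 15*11 count matrix and then fuses two model outputs. The Python code below is an added example, not part of the patent text: it builds both feature representations and the weighted-sum score. The vocabulary, the 11 operation names, the event format (timestamp in seconds, operation name), the decoded-manifest input and the 0.5 weight are assumptions, since the page does not specify them; the two probabilities passed to `fuse` stand in for the outputs of the trained MLP and RNN.

```python
"""Added illustration: feature construction and score fusion for a static + dynamic detector."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: short stand-in for the 177-entry vocabulary, which the page does not list.
VOCAB = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Ljava/lang/Runtime;->exec",
]

# Assumption: hypothetical names for the 11 operation kinds, which the page does not name.
OPERATIONS = [
    "file_read", "file_write", "net_open", "net_send", "net_recv", "sms_send",
    "phone_call", "crypto", "dex_load", "service_start", "data_leak",
]
RUN_SECONDS = 15  # per-app run time stated on the page


def manifest_permissions(manifest_xml):
    """Return the permissions requested in a decoded (text) AndroidManifest.xml."""
    # The manifest inside an APK is binary XML and must be decoded first.
    # For untrusted samples a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name.strip())
    return perms


def static_vector(permissions, api_calls, vocab=VOCAB):
    """0-1 vector: entry i is 1 if vocab[i] is a requested permission or a called API."""
    present = set(permissions) | set(api_calls)
    return [1 if item in present else 0 for item in vocab]


def dynamic_matrix(events, seconds=RUN_SECONDS, operations=OPERATIONS):
    """Count each operation per one-second bucket; return (matrix, dropped_events)."""
    column = {op: i for i, op in enumerate(operations)}
    matrix = [[0] * len(operations) for _ in range(seconds)]
    dropped = 0
    for timestamp, op in events:
        col = column.get(op)
        # Drop unknown operations and events outside the observation window.
        if col is None or not (0 <= timestamp < seconds):
            dropped += 1
            continue
        matrix[int(timestamp)][col] += 1
    return matrix, dropped


def fuse(p_static, p_dynamic, w_static=0.5):
    """Weighted sum of the two model probabilities; the weight 0.5 is an assumption."""
    for value in (p_static, p_dynamic, w_static):
        if not 0.0 <= value <= 1.0:
            raise ValueError("probabilities and weight must lie in [0, 1]")
    return w_static * p_static + (1.0 - w_static) * p_dynamic


# Constructed sample inputs (not taken from any real app or sandbox run).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
SAMPLE_APIS = {"Landroid/telephony/SmsManager;->sendTextMessage"}
SAMPLE_EVENTS = [
    (0.2, "net_open"), (0.9, "net_send"), (1.5, "sms_send"), (1.7, "sms_send"),
    (14.99, "file_write"),
    (15.0, "net_send"),    # outside the 15 s window
    (3.0, "unknown_op"),   # not one of the tracked operations
    (-1.0, "net_open"),    # negative timestamp
]

if __name__ == "__main__":
    vec = static_vector(manifest_permissions(SAMPLE_MANIFEST), SAMPLE_APIS)
    mat, dropped = dynamic_matrix(SAMPLE_EVENTS)
    print("static vector:", vec)
    print("dynamic matrix shape:", len(mat), "x", len(mat[0]), "dropped:", dropped)
    # 0.9 and 0.6 are placeholder model outputs, not measured values.
    print("fused probability:", fuse(0.9, 0.6))
```

Permissions or APIs outside the vocabulary (here CAMERA) leave the vector unchanged, and the dropped-event count makes truncated or malformed sandbox logs visible rather than silently shrinking the matrix.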

Claims (7)

1. An Android mobile phone malicious application detection system, characterized in that the system comprises a positive and negative sample collection module, a static feature extraction module, a dynamic feature extraction module, a neural network module and a monitoring result output module;
The positive and negative sample collection module comprises a positive sample set and a negative sample set;
The static feature extraction module covers the AndroidManifest.xml file and the class.dex file: the system permission list is obtained by analyzing the AndroidManifest.xml file, the list of called system APIs is obtained by analyzing the class.dex file, and the permission list and the API list are used as the static feature vector;
The dynamic feature extraction module puts the Android application installation package into the DroidBox sandbox and runs it, then inspects the log file produced by the run to obtain the frequency with which the software calls application programming interfaces (APIs) in fixed time periods, which is used as the dynamic feature vector matrix;
The neural network module comprises an MLP neural network and an RNN neural network. The MLP neural network contains multiple neurons; each neuron in each layer computes a weighted sum of an input vector, passes it through an activation function and transmits the output to every neuron of the next layer. The MLP neural network takes the static feature vector as input. The RNN neural network processes sequence data; its structure combines as many single-layer perceptrons as the sequence is long, and the output of each single-layer perceptron, together with the next input vector of the sequence, forms the input of the next single-layer perceptron. The RNN neural network takes the dynamic feature vectors as input. Both the MLP neural network and the RNN neural network are trained with the back-propagation algorithm;
After the static feature extraction module and the dynamic feature extraction module have run, the monitoring result output module passes the feature vector and the feature matrix into the trained neural networks, computes a probability as the weighted sum of their results, that is, the likelihood that the application is malicious, and outputs the result.
2. The Android mobile phone malicious application detection system according to claim 1, characterized in that the AndroidManifest.xml file and the class.dex file are components of the installation package, which contains Lib files, assets files, META-INF files, the AndroidManifest.xml file, the class.dex file and the resource.arsc file.
3. The Android mobile phone malicious application detection system according to claim 1, characterized in that the static feature is a 177-dimensional 0-1 vector in which an entry is set to 1 if the software has the corresponding permission and to 0 if it does not.
4. The Android mobile phone malicious application detection system according to claim 1, characterized in that each app is run for 15 s and the per-second counts of 11 kinds of operations are used as the dynamic feature.
5. The Android mobile phone malicious application detection system according to claim 1, characterized in that, in training the MLP neural network and the RNN neural network, 80% of the samples are randomly selected as the training set and the remaining 20% serve as the validation set or test set.
6. The Android mobile phone malicious application detection system according to claim 1, characterized in that the back-propagation algorithm uses as the loss function the sum of the differences between the sample output values and the values predicted by the model, takes the partial derivative of this expression with respect to each model parameter to obtain the gradient, adjusts each parameter in the negative gradient direction by a step the size of the learning rate, and iterates until the loss function of the whole model converges to a minimum; model training is then complete, and the model is tested on the prediction set.
7. A method of using the Android mobile phone malicious application detection system of claim 1, characterized in that the method comprises:
Step 1: collect two sample libraries from different sources, forming respectively the negative sample set (the malicious Android application sample library) and the positive sample set (the benign Android application sample library);
Step 2: pass all applications in the two sample libraries through the static feature extraction module, obtaining from the AndroidManifest.xml file the list of system permissions the Android application requests and from the class.dex file the list of APIs it calls, and generate a 177-dimensional 0-1 static feature vector in which each entry represents whether a given permission or API is requested or called;
Step 3: use all the features extracted from the positive and negative Android samples in step 2 to train the MLP neural network by the back-propagation algorithm; the final MLP neural network has three layers, a dropout rate of 0.2 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
Step 4: pass all applications in the two sample libraries through the dynamic feature extraction module, obtain the log file through DroidBox, and obtain the frequency with which the software calls application programming interfaces (APIs) in fixed time periods, yielding a 15*11-dimensional feature matrix for each application;
Step 5: use all the feature matrices obtained in step 4 to train the RNN neural network by the back-propagation algorithm; the final RNN neural network has 15 layers, a learning rate of 0.01 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
Step 6: pass the sample under test through the static feature extraction module to obtain its 177-dimensional static feature vector;
Step 7: feed the 177-dimensional feature vector into the MLP neural network trained in step 3 and take the predicted probability of the static classification as output;
Step 8: pass the sample under test through the dynamic feature extraction module to obtain its 15*11-dimensional feature matrix;
Step 9: feed the 15*11-dimensional feature matrix into the RNN neural network trained in step 5 and take the predicted probability of the dynamic classification as output;
Step 10: compute the weighted sum of the results of step 7 and step 9 as the probability that the sample under test is a malicious application.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810377452.XA CN108595955B (en) 2018-04-25 2018-04-25 Android mobile phone malicious application detection system and method

Publications (2)

Publication Number Publication Date
CN108595955A true CN108595955A (en) 2018-09-28
CN108595955B CN108595955B (en) 2022-05-24

Family

ID=63609097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810377452.XA Expired - Fee Related CN108595955B (en) 2018-04-25 2018-04-25 Android mobile phone malicious application detection system and method

Country Status (1)

Country Link
CN (1) CN108595955B (en)

Also Published As

Publication number Publication date
CN108595955B (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220524
