CN108595955B - Android mobile phone malicious application detection system and method - Google Patents


Info

Publication number
CN108595955B
CN108595955B CN201810377452.XA CN201810377452A CN108595955B CN 108595955 B CN108595955 B CN 108595955B CN 201810377452 A CN201810377452 A CN 201810377452A CN 108595955 B CN108595955 B CN 108595955B
Authority
CN
China
Prior art keywords
neural network
android
sample
extraction module
static
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201810377452.XA
Other languages
Chinese (zh)
Other versions
CN108595955A (en)
Inventor
朱潜
薛旸
杜晓凡
付奎源
王伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northeastern University China
Original Assignee
Northeastern University China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Northeastern University China
Priority to CN201810377452.XA
Publication of CN108595955A
Application granted
Publication of CN108595955B
Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A malicious application detection system for Android mobile phones, belonging to the technical field of mobile phone detection. The system comprises a positive and negative sample collection module, a static feature extraction module, a dynamic feature extraction module, a neural network module and a monitoring result output module. Static analysis based on software code is combined with dynamic monitoring based on software behavior, so that detection is no longer static analysis based on signature technology alone; whether software is malicious is judged by analyzing both its code and its behavior after it runs.

Description

Android mobile phone malicious application detection system and method
Technical Field
The invention relates to the technical field of mobile phone detection, in particular to a system and a method for detecting malicious applications of an android mobile phone.
Background
According to the latest global smartphone market rankings for the first quarter of 2017, published by the foreign market research company Kantar Worldpanel, and taking the domestic market as an example, the market share of Android phones rose from 76.4% in the previous year to 86.4%, an increase of 10%. The domestic mobile phone manufacturing industry is developing vigorously, and the operating system it uses is Android. As the number of Android phone users grows, so does the number of malicious Android applications. According to a report from Qihoo 360, the 360 Internet Security Center intercepted a cumulative 1403.3 thousands of newly added malicious program samples on the Android platform over the whole of 2016, an average of 3.8 million new malicious program samples per day. There were 2.53 hundred million malicious program infections of Android users, about 70 million persons per day on average. These malicious applications steal the private data of Android phone users, damage phone functions and interfere with normal use of the phone.
With so large an Android user base and malicious Android applications so rampant, whether an Android application is safe is particularly important. Most sources show that existing detection methods for malicious applications fall mainly into two types: signature-based detection and software-behavior-based detection. In signature-based detection, when a suspicious software activity is first discovered and analyzed, a signature is generated for the malware. The signature is then distributed, and antivirus software eventually catches the malware through signature matching. Signature-based detection suffers from the following problems: first, the period from when malware starts to spread to when it is verified is typically long, often weeks or even months, during which many systems have already been harmed; second, it can only catch malware for which a signature exists and has no defense against unknown attacks; third, it cannot correctly judge compressed, encrypted or morphed malicious code. Detection based on software behavior is better and more accurate than signature-based detection, but on its own it is also one-sided and incomplete.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a detection system for malicious applications on Android mobile phones. The system comprises a positive and negative sample collection module, a static feature extraction module, a dynamic feature extraction module, a neural network module and a monitoring result output module;
the positive and negative sample collection module comprises a positive sample set and a negative sample set;
the static feature extraction module comprises an AndroidManifest.xml file and a classes.dex file; a system permission list is obtained by parsing the AndroidManifest.xml file, a list of called APIs is obtained by parsing the classes.dex file, and the permission list and the API list are used as the static feature vector;
the dynamic feature extraction module puts the Android application package into a DroidBox sandbox to run, examines the log file produced by the run, and obtains the frequency with which the software calls application programming interfaces (APIs) in a fixed time period, which is used as the dynamic feature vector matrix;
the neural network module comprises an MLP neural network and an RNN neural network. The MLP neural network comprises a plurality of neurons; each neuron in each layer takes the weighted sum of its input vector and passes it through an activation function to every neuron in the next layer. The MLP neural network takes the static feature vectors as input. The RNN neural network processes sequence data; its structure is a chain of single-layer perceptrons, one per element of the sequence, in which the output of each single-layer perceptron, together with the next input vector of the sequence, serves as the input of the next single-layer perceptron. The RNN neural network takes the dynamic feature vectors as input. Both the MLP neural network and the RNN neural network are trained with a back propagation algorithm;
the monitoring result output module passes the sample through the static feature extraction module and the dynamic feature extraction module, feeds the resulting feature vector and feature matrix into the trained neural networks, computes the weighted sum of the results as the probability that the application is malicious, and outputs the result.
The AndroidManifest.xml file and the classes.dex file are components of an installation package; the installation package comprises a lib folder, an assets folder, a META-INF folder, the AndroidManifest.xml file, the classes.dex file and a resources.arsc file.
A 177-dimensional 0-1 vector is used: an entry is set to 1 if the software has the corresponding permission and to 0 if it does not, and this 177-dimensional vector is taken as the static feature.
The running time of each app is set to 15 s, and the per-second counts of 11 operations are taken as a 15 × 11 dimensional dynamic feature matrix.
In the training of the MLP neural network and the RNN neural network, 80% of the samples are randomly selected as the training set, and the remaining 20% form the verification set or test set.
The back propagation algorithm takes as the loss function the sum, over the samples, of the differences between the output values and the values predicted by the model, computes the partial derivative of this function with respect to each model parameter to obtain the gradient, adjusts each parameter by the learning rate in the direction opposite to the gradient, and iterates until the loss function of the whole model converges to a minimum; model training is then complete, and the model is tested on the prediction set.
The method of using the Android mobile phone malicious application detection system comprises the following steps:
step 1, collecting two sample libraries from different sources, which form respectively a negative sample set (a malicious Android application sample library) and a positive sample set (a benign Android application sample library);
step 2, passing all applications in the two sample libraries through the static feature extraction module: the list of system permissions requested by the Android application is obtained from the AndroidManifest.xml file, the list of called APIs is obtained from the classes.dex file, and a 177-dimensional 0-1 static feature vector is generated, each entry of which indicates whether a given permission is requested or a given API is called;
step 3, training the MLP neural network with the back propagation algorithm on all the features extracted in step 2 from the Android positive and negative samples; the MLP neural network is finally settled at three layers, a dropout rate of 0.2 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
step 4, passing all applications in the two sample libraries through the dynamic feature extraction module and obtaining log files through DroidBox, from which the frequency with which the software calls application programming interfaces (APIs) in a fixed time period is obtained, giving a 15 × 11 dimensional feature matrix for each application;
step 5, training the RNN neural network with the back propagation algorithm on all the feature matrices obtained in step 4; the RNN neural network is finally settled at 15 layers, a learning rate of 0.01 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
step 6, passing the sample to be detected through the static feature extraction module to obtain a 177-dimensional static feature vector;
step 7, feeding the 177-dimensional feature vector into the MLP neural network trained in step 3 to obtain the prediction probability of static classification as output;
step 8, passing the sample to be detected through the dynamic feature extraction module to obtain a 15 × 11 dimensional feature matrix;
step 9, feeding the 15 × 11 dimensional feature matrix into the RNN neural network trained in step 5 to obtain the prediction probability of dynamic classification as output;
step 10, computing the weighted sum of the results of step 7 and step 9, which is taken as the probability that the sample to be detected is a malicious application.
Beneficial effects: the invention combines static analysis based on software code with dynamic monitoring based on software behavior, so that detection is no longer purely static analysis based on signature technology; whether software is malicious is judged by analyzing both its code and its behavior after it runs.
Drawings
FIG. 1 is a schematic diagram of the module structure provided by the present invention;
FIG. 2 is a schematic diagram of the monitoring process provided by the present invention;
FIG. 3 is a structural diagram of the file contents of an Android application installation package provided by the present invention;
FIG. 4 is a structural diagram of the AndroidManifest.xml file of an Android application installation package provided by the present invention;
FIG. 5 is a structural diagram of the classes.dex file of an Android application installation package provided by the present invention;
FIG. 6 is a schematic diagram of the monitoring result output for a safe Android application provided by the present invention;
FIG. 7 is a schematic diagram of the monitoring result output for a malicious Android application provided by the present invention.
Detailed Description
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings.
As shown in FIGS. 1 to 7, the invention provides an Android mobile phone malicious application detection system, which comprises a positive and negative sample collection module 1, a static feature extraction module 2, a dynamic feature extraction module 3, a neural network module 4 and a monitoring result output module 5;
the positive and negative sample collection module 1 comprises a positive sample set and a negative sample set, wherein the positive sample set is a set of safe software samples and the negative sample set is a set of malicious software samples;
the static feature extraction module 2 comprises an AndroidManifest.xml file 201 and a classes.dex file 202. The AndroidManifest.xml file 201 describes the functions of the Android application and the system permissions 203 required to use those functions; the classes.dex file 202 is the bytecode file, converted from the Java code, that can run on the Android Dalvik virtual machine. A list of system permissions 203 is obtained by parsing the AndroidManifest.xml file 201, a list of called APIs 204 is obtained by parsing the classes.dex file 202, and the permission list and the API list are used as the static feature vector;
the dynamic feature extraction module 3 puts the Android application package into a DroidBox sandbox to run 301. DroidBox is a dynamic analysis tool that shows what software does while it runs. The run log file 302 produced by running the software is examined to obtain the frequency with which the software calls application programming interfaces (APIs) in a fixed time period, which is used as the dynamic feature vector matrix;
the neural network module 4 comprises an MLP neural network 206 and an RNN neural network 304; the MLP neural network 206 is a multi-layer perceptron network and the RNN neural network 304 is a recurrent neural network. The MLP neural network 206 comprises a plurality of neurons; each neuron in each layer takes the weighted sum of its input vector and passes it through an activation function to every neuron in the next layer, so as to map the nonlinear relationship between a set of input vectors and a set of output vectors and find the regularities in the data. The MLP neural network 206 takes the static feature vectors as input. The RNN neural network 304 processes sequence data, that is, data in which the classification result for the current item is closely related to the items before and after it in the sequence. Its structure is a chain of single-layer perceptrons, one per element of the sequence; the output of each single-layer perceptron, together with the next input vector of the sequence, serves as the input of the next single-layer perceptron, which gives the network memory and persistence of earlier data. The RNN neural network takes the dynamic feature vectors as input. Both the MLP neural network and the RNN neural network are trained with a back propagation algorithm;
the monitoring result output module 5 passes the sample through the static feature extraction module 2 and the dynamic feature extraction module 3, feeds the resulting feature vector and feature matrix into the trained neural networks, computes the weighted sum of the results as the probability 7 that the application is malicious, and outputs a result 8; the user decides whether to install the application according to the percentage value.
The AndroidManifest.xml file 201 and the classes.dex file 202 are components of an installation package; the installation package comprises a lib folder 601, an assets folder 602, a META-INF folder 603, the AndroidManifest.xml file 201, the classes.dex file 202 and a resources.arsc file 604.
A 177-dimensional 0-1 vector is used: an entry is set to 1 if the software has the corresponding permission and to 0 if it does not, and this 177-dimensional vector is taken as the static feature.
The running time of each app is set to 15 s, and the per-second counts of 11 operations are taken as the dynamic feature.
In the training of the MLP neural network 206 and the RNN neural network 304, 80% of the samples are randomly selected as the training set and the remaining 20% form the verification set or test set; through continued training, a better accuracy on the verification set is obtained and the model parameters are saved.
The back propagation algorithm takes as the loss function the sum, over the samples, of the differences between the output values and the values predicted by the model, computes the partial derivative of this function with respect to each model parameter to obtain the gradient, adjusts each parameter by the learning rate in the direction opposite to the gradient, and iterates until the loss function of the whole model converges to a minimum; model training is then complete, and the model is tested on the prediction set. Both the MLP neural network 206 and the RNN neural network 304 are trained with the back propagation algorithm.
The method of the Android mobile phone malicious application detection system comprises the following steps:
step 1, collecting two sample libraries from different sources, which form respectively a negative sample set (a malicious Android application sample library) and a positive sample set (a benign Android application sample library);
step 2, passing all applications in the two sample libraries through the static feature extraction module 2: the list of system permissions 203 requested by the Android application is obtained from the AndroidManifest.xml file 201, the list of called APIs 204 is obtained from the classes.dex file 202, and a 177-dimensional 0-1 static feature vector is generated, each entry of which indicates whether a given permission is requested or a given API is called;
step 3, training the MLP neural network 206 with the back propagation algorithm on all the features extracted in step 2 from the Android positive and negative samples; the MLP neural network 206 is finally settled at three layers, a dropout rate of 0.2 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
step 4, passing all applications in the two sample libraries through the dynamic feature extraction module 3 and obtaining log files through DroidBox, from which the frequency with which the software calls application programming interfaces (APIs) in a fixed time period is obtained, giving a 15 × 11 dimensional feature matrix 303 for each application;
step 5, training the RNN neural network 304 with the back propagation algorithm on all the feature matrices obtained in step 4; the RNN neural network 304 is finally settled at 15 layers, a learning rate of 0.01 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
step 6, passing the sample to be detected through the static feature extraction module 2 to obtain a 177-dimensional static feature vector 205;
step 7, feeding the 177-dimensional feature vector into the MLP neural network 206 trained in step 3 to obtain the prediction probability of static classification as output;
step 8, passing the sample to be detected through the dynamic feature extraction module 3 to obtain a 15 × 11 dimensional feature matrix 303;
step 9, feeding the 15 × 11 dimensional feature matrix 303 into the RNN neural network 304 trained in step 5 to obtain the prediction probability of dynamic classification as output;
step 10, computing the weighted sum of the results of step 7 and step 9 to calculate the probability 304, which is taken as the probability that the sample to be detected is a malicious application.
The working principle is as follows: first, malicious Android application samples and benign Android application samples are collected by the positive and negative sample collection module 1. A list of system permissions 203 is then obtained from the AndroidManifest.xml file 201 in the installation package APK 6, and a list of called APIs 204 from the classes.dex file 202 in the installation package APK 6; the system permission 203 list and the API 204 list are turned into a 177-dimensional static feature vector 205, which is fed into the MLP neural network 206 trained with the back propagation algorithm, with the most accurate model parameters determined by five-fold cross-validation, to obtain the prediction probability of static classification as output. All applications in the positive and negative sample collection module 1 are then passed through the dynamic feature extraction module to obtain a 15 × 11 dimensional feature matrix 303 for each application, and this matrix is fed into the RNN neural network 304 trained with the back propagation algorithm, with parameters determined by five-fold cross-validation. Finally, the prediction probability of static classification and the prediction probability of dynamic classification are combined by weighted summation into the probability 7, which is the probability that the sample to be detected is a malicious application.
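The feature construction and score fusion of steps 6 to 10, as an added example that is not part of the patent text. The 11 operation names, the 177-entry vocabulary (a few real permission and API names padded with placeholders), the (timestamp, operation) event format, the untrained RNN weights and the 0.5 fusion weight are all assumptions, since the page specifies none of them.

```python
import math

RUN_SECONDS = 15   # from the page: each app runs for 15 s
STATIC_DIM = 177   # from the page: 177-dimensional 0-1 static vector

# Assumption: the page does not name the 11 operations; these are placeholders.
OPERATIONS = [
    "file_read", "file_write", "net_open", "net_send", "net_recv", "crypto",
    "sms_send", "phone_call", "service_start", "dex_load", "data_leak",
]

# Assumption: the page does not list the 177 features. A few real permission
# and API names are followed by placeholder slots to reach 177 entries.
KNOWN = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Ljava/lang/Runtime;->exec",
]
VOCABULARY = KNOWN + [f"placeholder_{i}" for i in range(STATIC_DIM - len(KNOWN))]


def static_vector(permissions, api_calls, vocabulary=VOCABULARY):
    """1 where the permission is requested or the API is called, else 0."""
    present = set(permissions) | set(api_calls)
    return [1 if name in present else 0 for name in vocabulary]


def dynamic_matrix(events, seconds=RUN_SECONDS, operations=OPERATIONS):
    """Count each operation per one-second bucket: seconds x len(operations)."""
    column = {op: j for j, op in enumerate(operations)}
    matrix = [[0] * len(operations) for _ in range(seconds)]
    for timestamp, op in events:
        bucket = math.floor(timestamp)
        # Drop events outside the run window or outside the monitored set
        # instead of letting them shift or widen the matrix.
        if 0 <= bucket < seconds and op in column:
            matrix[bucket][column[op]] += 1
    return matrix


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def rnn_probability(matrix, w_in, w_rec, w_out):
    """Unrolled recurrent pass: one single-layer perceptron per matrix row.

    Each step receives the previous step's output (the hidden state) together
    with the next row of the sequence, so a 15-row matrix unrolls to 15 steps.
    """
    hidden = [0.0] * len(w_rec)
    for row in matrix:
        hidden = [
            math.tanh(
                sum(w * x for w, x in zip(w_in[k], row))
                + sum(w * h for w, h in zip(w_rec[k], hidden))
            )
            for k in range(len(w_rec))
        ]
    return sigmoid(sum(w * h for w, h in zip(w_out, hidden)))


def fuse(p_static, p_dynamic, static_weight=0.5):
    """Weighted sum of the two branch probabilities (weight is an assumption)."""
    for p in (p_static, p_dynamic, static_weight):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities and weight must lie in [0, 1]")
    return static_weight * p_static + (1.0 - static_weight) * p_dynamic


# Constructed sandbox events: (seconds since launch, operation).
SAMPLE_EVENTS = [
    (0.2, "net_open"), (0.7, "net_send"), (0.9, "net_send"),
    (3.1, "sms_send"), (3.4, "sms_send"), (14.99, "file_write"),
    (15.0, "net_send"),   # just after the window: ignored
    (-0.5, "crypto"),     # before launch: ignored
    (2.0, "screen_on"),   # not a monitored operation: ignored
]

# Constructed, untrained weights for 2 hidden units; a real model learns these.
W_IN = [[0.3 if j == OPERATIONS.index("sms_send") else 0.05 for j in range(11)],
        [0.1] * 11]
W_REC = [[0.5, 0.0], [0.0, 0.5]]
W_OUT = [1.0, 1.0]

if __name__ == "__main__":
    vec = static_vector(["android.permission.SEND_SMS"], ["Ljava/lang/Runtime;->exec"])
    mat = dynamic_matrix(SAMPLE_EVENTS)
    # 0.8 stands in for the MLP branch output on `vec`.
    print(sum(vec), len(mat), len(mat[0]), fuse(0.8, rnn_probability(mat, W_IN, W_REC, W_OUT)))
```

Read this way, the "15 layers" of step 5 correspond to the 15 one-second rows of the matrix, one recurrent step per row.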

Claims (6)

1. A use method of a malicious application detection system of an android mobile phone is characterized by specifically comprising the following steps:
step 1, collecting two sample libraries from different sources to respectively form a negative sample set of a malicious android application sample library and a positive sample set of a benign android application sample library;
step 2, all applications in the two sample libraries pass through a static feature extraction module, a system permission list applied by the android application is obtained through an android manifest.
step 3, training the MLP neural network with the back propagation algorithm on all the features extracted in step 2 from the Android positive and negative samples; the MLP neural network is finally settled at three layers, a dropout rate of 0.2 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
step 4, passing all applications in the two sample libraries through a dynamic feature extraction module and obtaining log files through DroidBox, from which the frequency with which the software calls application programming interfaces (APIs) in a fixed time period is obtained, giving a 15 × 11 dimensional feature matrix for each application;
step 5, training the RNN neural network with the back propagation algorithm on all the feature matrices obtained in step 4; the RNN neural network is finally settled at 15 layers, a learning rate of 0.01 and 200 learning iterations, and the model parameters with the highest accuracy are determined by five-fold cross-validation;
step 6, passing the sample to be detected through the static feature extraction module to obtain a 177-dimensional static feature vector;
step 7, feeding the 177-dimensional feature vector into the MLP neural network trained in step 3 to obtain the prediction probability of static classification as output;
step 8, passing the sample to be detected through the dynamic feature extraction module to obtain a 15 × 11 dimensional feature matrix;
step 9, feeding the 15 × 11 dimensional feature matrix into the RNN neural network trained in step 5 to obtain the prediction probability of dynamic classification as output;
step 10, computing the weighted sum of the results of step 7 and step 9, which is taken as the probability that the sample to be detected is a malicious application;
the Android mobile phone malicious application detection system comprises a positive and negative sample collection module, a static feature extraction module, a dynamic feature extraction module, a neural network module and a monitoring result output module;
the positive and negative sample collection module comprises a positive sample set and a negative sample set;
the static feature extraction module comprises an AndroidManifest.xml file and a classes.dex file; a system permission list is obtained by parsing the AndroidManifest.xml file, a list of called system APIs is obtained by parsing the classes.dex file, and the permission list and the API list are used as the static feature vector;
the dynamic feature extraction module puts the Android application installation package into a DroidBox sandbox to run, examines the log file produced by the run, and obtains the frequency with which the software calls application programming interfaces (APIs) in a fixed time period, which is used as the dynamic feature vector matrix;
the neural network module comprises an MLP neural network and an RNN neural network. The MLP neural network comprises a plurality of neurons; each neuron in each layer takes the weighted sum of its input vector and passes it through an activation function to every neuron in the next layer. The MLP neural network takes the static feature vectors as input. The RNN neural network processes sequence data; its structure is a chain of single-layer perceptrons, one per element of the sequence, in which the output of each single-layer perceptron, together with the next input vector of the sequence, serves as the input of the next single-layer perceptron. The RNN neural network takes the dynamic feature vectors as input. Both the MLP neural network and the RNN neural network are trained with a back propagation algorithm;
the monitoring result output module passes the sample through the static feature extraction module and the dynamic feature extraction module, feeds the resulting static feature vector and dynamic feature matrix into the trained neural networks, computes the weighted sum of the results as the probability that the application is malicious, and outputs the result.
2. The method as claimed in claim 1, wherein the android phone malicious application detection system is a component of an installation package, and the installation package includes lib folder, assets folder, META-INF folder, android phone malicious application detection system, class.
3. The method as claimed in claim 1, wherein a 177-dimensional 0-1 vector is used, an entry being set to 1 if the software has the corresponding permission and to 0 if it does not, and the 177-dimensional vector is taken as the static feature.
4. The method of using the Android mobile phone malicious application detection system according to claim 1, characterized in that the running time of each app is set to 15 s, and the per-second counts of 11 operations are used as a dynamic feature.
5. The method as claimed in claim 1, wherein in the training of the MLP neural network and the RNN neural network, 80% of the samples are randomly selected as the training set, and the remaining 20% form the verification set or test set.
6. The method as claimed in claim 1, wherein the back propagation algorithm takes as the loss function the sum, over the samples, of the differences between the output values and the values predicted by the model, computes the partial derivative with respect to each model parameter to obtain the gradient, adjusts each parameter by the learning rate in the direction opposite to the gradient, and iterates until the loss function of the whole model converges to a minimum, whereupon model training is complete and a test is performed on the prediction set.
CN201810377452.XA 2018-04-25 2018-04-25 Android mobile phone malicious application detection system and method Expired - Fee Related CN108595955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810377452.XA CN108595955B (en) 2018-04-25 2018-04-25 Android mobile phone malicious application detection system and method


Publications (2)

Publication Number Publication Date
CN108595955A CN108595955A (en) 2018-09-28
CN108595955B CN108595955B (en) 2022-05-24

Family

ID=63609097

Country Status (1)

Country Link
CN (1) CN108595955B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220524