CN108920958A - Method, apparatus, medium and device for detecting abnormal behaviour of PE files - Google Patents

Method, apparatus, medium and device for detecting abnormal behaviour of PE files

Info

Publication number: CN108920958A
Application number: CN201810771640.0A
Authority: CN (China)
Prior art keywords: file, detected, valid data, data, sample
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郭景楠, 王建磊, 何华荣, 王志
Current assignee: Shenzhen United Soft Polytron Technologies Inc
Original assignee: Shenzhen United Soft Polytron Technologies Inc
Priority date / filing date: 2018-07-13
Publication date: 2018-11-30

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention provides a method, apparatus, medium and device for detecting abnormal behaviour of PE files. The method comprises: receiving a file to be detected; extracting feature data of the file to be detected; processing the feature data to obtain valid data; predicting, from the valid data and based on a prediction model trained with a one-class support vector machine (ONECLASS SVM), whether the file to be detected is an abnormal file, to obtain a prediction result; and outputting the prediction result to the user. By using a prediction model trained with a one-class SVM, 0-day attacks can be recognised accurately, with a degree of automation, timeliness and effectiveness that conventional methods cannot match.

Description

Method, apparatus, medium and device for detecting abnormal behaviour of PE files
Technical field
The present invention relates to the field of information security technology, and in particular to a method, apparatus, medium and device for detecting abnormal behaviour of PE files.
Background art
With the rapid development of the internet, network security problems have become increasingly prominent, and the continual evolution of malware techniques poses a great challenge to existing anti-virus technology. In the prior art, whether a PE file is abnormal is mainly detected using rules or a dynamic sandbox. Such traditional detection methods lag behind the threat: they are not timely, cannot keep up with constantly changing attacks, and cannot address zero-day attacks.
Summary of the invention
In view of the defects in the prior art, the present invention provides a method for detecting abnormal behaviour of PE files that can accurately identify 0-day attacks, with a degree of automation, timeliness and effectiveness that conventional methods cannot match.
In a first aspect, the present invention provides a method for detecting abnormal behaviour of PE files, comprising:
receiving a file to be detected;
extracting feature data of the file to be detected;
processing the feature data to obtain valid data;
predicting, from the valid data and based on a prediction model trained with a one-class support vector machine (ONECLASS SVM), whether the file to be detected is an abnormal file, to obtain a prediction result;
outputting the prediction result to the user.
Optionally, processing the feature data to obtain valid data comprises:
standardising the feature data to obtain standard feature data;
performing dimensionality reduction on the standard feature data to obtain valid data.
Optionally, performing dimensionality reduction on the standard feature data to obtain valid data comprises:
performing dimensionality reduction on the standard feature data by principal component analysis to obtain valid data.
Optionally, before the step of predicting, from the valid data and based on a prediction model trained with a one-class SVM, whether the file to be detected is an abnormal file and obtaining a prediction result, the method further comprises:
obtaining sample PE files;
extracting sample feature data of the sample PE files;
processing the sample feature data to obtain sample valid data;
training a one-class SVM on the sample valid data to establish the prediction model.
Optionally, the method further comprises:
when the file to be detected is predicted to be an abnormal file, predicting, based on the prediction model, a danger probability for the file to be detected, and outputting the danger probability to the user.
In a second aspect, the present invention provides an apparatus for detecting abnormal behaviour of PE files, comprising:
a file receiving module for receiving a file to be detected;
a feature extraction module for extracting feature data of the file to be detected;
a data processing module for processing the feature data to obtain valid data;
a prediction module for predicting, from the valid data and based on a prediction model trained with a one-class SVM, whether the file to be detected is an abnormal file, to obtain a prediction result;
an output module for outputting the prediction result to the user.
In a third aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for detecting abnormal behaviour of PE files of the first aspect.
In a fourth aspect, the present invention provides a device for detecting abnormal behaviour of PE files, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of the first aspect when executing the program.
The method provided by the invention predicts whether a file to be detected is abnormal, so the user learns quickly whether the file is an abnormal file; the judgement is made before the PE file is run, so the method is predictive rather than reactive. The one-class SVM used by the invention is a machine learning method that only needs feature data of normal PE files and models the normal data alone; this copes with the constantly changing nature of attacker behaviour and allows 0-day attacks to be recognised. Checking PE files for abnormal behaviour in this way offers a degree of automation, timeliness and effectiveness that conventional methods cannot match. Because the anomaly detection algorithm based on the one-class SVM needs no malware samples and is trained only on normal PE samples, it flags any file whose features fall outside the normal PE sample population.
The apparatus, computer-readable storage medium and device for detecting abnormal behaviour of PE files provided by the invention share the same inventive concept as the above method and have the same beneficial effects.
Brief description of the drawings
In order to illustrate the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly described below. In all drawings, similar elements or parts are generally identified by similar reference numerals, and elements are not necessarily drawn to scale.
Fig. 1 is a flowchart of the method for detecting abnormal behaviour of PE files provided by the invention;
Fig. 2 is a schematic diagram of the apparatus for detecting abnormal behaviour of PE files provided by the invention.
Detailed description
The technical solution of the invention is described in detail below with reference to the drawings and embodiments. The following embodiments only illustrate the technical solution clearly and serve as examples; they do not limit the scope of protection of the invention.
Unless otherwise indicated, technical or scientific terms used in this application have the ordinary meaning understood by a person of ordinary skill in the art.
The present invention provides a method, apparatus, medium and device for detecting abnormal behaviour of PE files; embodiments are described below with reference to the drawings.
Referring to Fig. 1, a flowchart of the method for detecting abnormal behaviour of PE files provided by a specific embodiment of the invention, the method of this embodiment comprises:
Step S101: receive a file to be detected.
Step S102: extract feature data of the file to be detected.
Step S103: process the feature data to obtain valid data.
Step S104: from the valid data, and based on a prediction model trained with a one-class SVM, predict whether the file to be detected is an abnormal file, obtaining a prediction result.
Step S105: output the prediction result to the user.
Here the file to be detected is a new PE file that needs to be examined.
The feature data are structural features of the PE file to be detected and may specifically include: the DLLs loaded by the PE file, the functions it imports, section data, data extracted from the section table, the PE file header, and so on.
The feature data may cover the following five groups of features:
(1) DLL features: the sequence of DLLs commonly loaded by malware is collected, and for each PE file the presence of DLLs such as WSOCK.DLL, WS2_32.DLL, WINSOCK.DLL, RSRC32.DLL and KERNEL32.DLL is recorded, 81 features in total.
(2) Function features: the sequence of functions commonly called by malware is collected, including DeleteFileA, FindClose, FindNextFileA, CryptGenKey and so on; the total number of functions imported by the PE file is extracted, together with a weighted sum over the functions commonly used by malware, 32 features in total.
(3) Data directory features: the Export table, Import table, Resource table and the other entries of the PE file's DATA_DIRECTORY, 32 features in total (the 16 directory entries each carry a VirtualAddress and a Size, which accounts for the 32).
(4) Section features: the VirtualSize, SizeOfRawData, Characteristics and similar fields of the code and data sections .text, .data, .rsrc and .reloc, 30 features in total.
(5) Header features: the file size and certificate status (cert_status) of the PE file; Machine, NumberOfSections, NumberOfSymbols and Characteristics from the file header; and AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, Subsystem, NumberOfRvaAndSizes and LoaderFlags from the optional header, 13 features in total.
In the present invention the feature data are not limited to the above five groups; features of other kinds may also be included, all of which fall within the scope of the invention.
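The header, data-directory and section features of groups (3) to (5) can be read straight out of the PE headers. The following is an added example, not code from the patent, that parses a PE32 file with only the Python standard library and returns those features as a name-to-value dictionary. It constructs a minimal, headers-only PE32 image as its input (the image is synthetic, with made-up field values), handles only the 32-bit PE32 layout (PE32+ has no BaseOfData and a different optional header), and leaves out the import-table walk that groups (1) and (2) need. The bounds checks on e_lfanew, the optional header and the section table are the part a practitioner should not skip: malformed headers are common in malicious samples, and an extractor that crashes on them is itself a way past the detector.

```python
"""PE32 header feature extraction for the one-class model described above.

Added example, not the patent's own code.  Standard library only; the
import-table walk that yields the DLL and function features is omitted.
"""
import struct

# Sections whose VirtualSize / SizeOfRawData / Characteristics are recorded,
# as listed in feature group (4) of the description.
TRACKED_SECTIONS = (b".text", b".data", b".rsrc", b".reloc")

FILE_HEADER = "<HHIIIHH"                          # IMAGE_FILE_HEADER, 20 bytes
OPT_HEADER32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"   # PE32 optional header, 96 bytes
SECTION_HEADER = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes


def extract_features(data: bytes) -> dict:
    """Return a name->int dict of header/section features for a PE32 file.

    Raises ValueError on malformed input; the bounds checks matter because
    hostile samples routinely carry out-of-range e_lfanew or section counts.
    """
    size = len(data)
    if size < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > size or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    fh_off = e_lfanew + 4
    (machine, nsections, _ts, _symptr, nsymbols, opt_size,
     characteristics) = struct.unpack_from(FILE_HEADER, data, fh_off)
    opt_off = fh_off + 20
    if opt_size < 96 or opt_off + opt_size > size:
        raise ValueError("optional header truncated")
    opt = struct.unpack_from(OPT_HEADER32, data, opt_off)
    if opt[0] != 0x10B:
        # PE32+ (magic 0x20B) lays the optional header out differently.
        raise ValueError("only PE32 is handled in this example")
    feats = {
        "filesize": size,
        "Machine": machine,
        "NumberOfSections": nsections,
        "NumberOfSymbols": nsymbols,
        "Characteristics": characteristics,
        "AddressOfEntryPoint": opt[6],
        "BaseOfCode": opt[7],
        "BaseOfData": opt[8],
        "ImageBase": opt[9],
        "Subsystem": opt[22],
        "LoaderFlags": opt[28],
        "NumberOfRvaAndSizes": opt[29],
    }
    # Data directories follow the 96-byte fixed part as (VirtualAddress, Size) pairs;
    # trust neither NumberOfRvaAndSizes nor SizeOfOptionalHeader alone.
    ndirs = min(opt[29], (opt_size - 96) // 8)
    for idx, name in enumerate(("Export", "Import", "Resource")):
        va, sz = (struct.unpack_from("<II", data, opt_off + 96 + 8 * idx)
                  if idx < ndirs else (0, 0))
        feats[f"{name}Table.VA"] = va
        feats[f"{name}Table.Size"] = sz
    # The section table starts right after the optional header.
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsections > size:
        raise ValueError("section table truncated")
    for sec in TRACKED_SECTIONS:                  # absent sections contribute zeros
        key = sec.decode()
        feats[f"{key}.VirtualSize"] = 0
        feats[f"{key}.SizeOfRawData"] = 0
        feats[f"{key}.Characteristics"] = 0
    for i in range(nsections):
        name, vsize, _va, rawsize, _rawptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        name = name.rstrip(b"\0")
        if name in TRACKED_SECTIONS:
            key = name.decode()
            feats[f"{key}.VirtualSize"] = vsize
            feats[f"{key}.SizeOfRawData"] = rawsize
            feats[f"{key}.Characteristics"] = flags
    return feats


def build_sample_pe() -> bytes:
    """Constructed headers-only PE32 image (synthetic values) used as test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    file_hdr = struct.pack(FILE_HEADER, 0x14C, 3, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack(OPT_HEADER32, 0x10B, 14, 0, 0x1000, 0x800, 0,
                      0x1234, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x4000, 0x400, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2100, 0x50)                                    # import table
    dirs[2] = (0x3000, 0x1C0)                                   # resource table
    dirs_b = b"".join(struct.pack("<II", va, sz) for va, sz in dirs)

    def sec(name, vsize, va, raw, flags):
        return struct.pack(SECTION_HEADER, name, vsize, va, raw, 0x400, 0, 0, 0, 0, flags)

    secs = (sec(b".text", 0xF00, 0x1000, 0x1000, 0x60000020)
            + sec(b".data", 0x300, 0x2000, 0x200, 0xC0000040)
            + sec(b".rsrc", 0x1C0, 0x3000, 0x200, 0x40000040))
    return dos + b"PE\0\0" + file_hdr + opt + dirs_b + secs
```

The returned dictionary is keyed so that the same key order can be used for every file, which is what the standardisation and PCA steps that follow require.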
The one-class SVM used by the invention is a machine learning method that only needs feature data of normal PE files and models the normal data alone, so it can cope with constantly changing attacker behaviour and recognise 0-day attacks. Checking PE files for abnormal behaviour in this way offers a degree of automation, timeliness and effectiveness that conventional methods cannot match. Because the anomaly detection algorithm needs no malware samples and is trained only on normal PE samples, it flags any file whose features fall outside the normal PE sample population.
By predicting whether the file to be detected is abnormal, the user learns quickly whether it is an abnormal file, and the judgement is made before the PE file is run, so the method is predictive.
In a specific embodiment of the invention, processing the feature data to obtain valid data comprises: standardising the feature data to obtain standard feature data; and performing dimensionality reduction on the standard feature data to obtain valid data.
Because the extracted features have different units and scales (a file size in bytes sits next to a flag word and a section size), they must be brought to a common scale; after the feature data of the file to be detected have been extracted, they are therefore pre-processed and converted to the same scale, which simplifies the later processing.
Standardisation yields the standard feature data. Because these data have a high dimension and are therefore expensive to compute with, dimensionality reduction is applied to them; principal component analysis (PCA) can be used for this, and its output is the valid data.
When PCA is applied to the standard feature data, the high-dimensional standard feature data are projected onto a small number of overall dimensions. The target dimensionality is chosen as the one that gives the smallest error while still letting the subsequent model converge.
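The standardisation and PCA steps, as an added example in plain Python (not the patent's code): z-scoring with parameters fitted on the training rows, the covariance matrix of the standardised rows, and the leading principal components obtained by power iteration with deflation, plus a helper that picks the smallest number of components reaching a target share of the variance. The feature rows are constructed; the third column is nearly a multiple of the first, so two components carry almost all the variance, which is the situation in which PCA pays off on PE header features (sizes and addresses that move together).

```python
"""Standardisation and PCA for feature rows, in plain Python.

Added example, not the patent's code.  Power iteration with deflation is
adequate for a few dozen features; a production pipeline would use
numpy/scikit-learn.  The scaler and the projection are fitted on training
rows only and then applied unchanged to files under test.
"""
import math
import random


def zscore_fit(rows):
    """Per-feature mean and standard deviation over the training rows."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) for j in range(d)]
    # A feature that is constant in training would divide by zero; leave it unscaled.
    return means, [s if s > 0 else 1.0 for s in stds]


def zscore_apply(rows, means, stds):
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]


def covariance(rows):
    """Sample covariance of rows that are already centred."""
    n, d = len(rows), len(rows[0])
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        for a in range(d):
            for b in range(d):
                cov[a][b] += r[a] * r[b] / (n - 1)
    return cov


def pca_fit(std_rows, k, iters=500, seed=0):
    """Top-k principal components and the fraction of variance each explains.

    Each eigenvector of the covariance matrix is found by power iteration and
    then removed from the matrix (deflation) so the next run converges to the
    following eigenvector.
    """
    cov = covariance(std_rows)
    d = len(cov)
    total = sum(cov[a][a] for a in range(d))        # trace = total variance
    rng = random.Random(seed)
    comps, ratios = [], []
    for _ in range(k):
        v = [rng.random() + 0.1 for _ in range(d)]  # random start: not orthogonal to the target
        for _ in range(iters):
            w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[a] * cov[a][b] * v[b] for a in range(d) for b in range(d))
        comps.append(v)
        ratios.append(lam / total)
        for a in range(d):                           # deflate: remove this component
            for b in range(d):
                cov[a][b] -= lam * v[a] * v[b]
    return comps, ratios


def pca_apply(std_rows, comps):
    """Project standardised rows onto the components (the 'valid data')."""
    return [[sum(x * c for x, c in zip(r, comp)) for comp in comps] for r in std_rows]


def choose_k(ratios, target=0.95):
    """Smallest number of components whose cumulative variance reaches target."""
    acc = 0.0
    for k, r in enumerate(ratios, start=1):
        acc += r
        if acc >= target:
            return k
    return len(ratios)


# Constructed training rows: (size-like, flag-like, a size that tracks column 0).
TRAIN_ROWS = [[float(i), float((7 * i) % 5), float(2 * i + i % 3)] for i in range(20)]


def run_pipeline(rows=TRAIN_ROWS, k=3):
    """Fit scaler and PCA on the rows and return components, ratios, projections."""
    means, stds = zscore_fit(rows)
    std_rows = zscore_apply(rows, means, stds)
    comps, ratios = pca_fit(std_rows, k)
    return comps, ratios, pca_apply(std_rows, comps)
```

The means, standard deviations and components returned here are model state: a file under test is transformed with them, never re-fitted on its own, otherwise every single-file "standardisation" collapses to zeros.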
In a specific embodiment of the invention, before the step of predicting, from the valid data and based on a prediction model trained with a one-class SVM, whether the file to be detected is an abnormal file and obtaining a prediction result, the method may further comprise: obtaining sample PE files; extracting sample feature data of the sample PE files; processing the sample feature data to obtain sample valid data; and training a one-class SVM on the sample valid data to establish the prediction model.
Before the abnormality of a file to be detected can be predicted, the prediction model must be built. First, sample PE files are obtained; then their sample feature data are extracted, with the same dimensions as the feature data extracted from a file to be detected.
After extraction, the sample feature data are processed to obtain the sample valid data. This processing includes standardisation of the sample feature data, identical to the standardisation of the feature data of the file to be detected described above, and dimensionality reduction of the standardised sample feature data, identical to the dimensionality reduction of the standard feature data of the file to be detected described above. "Identical" here means that the means, scales and PCA projection learned from the sample files are saved and applied unchanged to each file to be detected, rather than being re-fitted on the single file under test.
Dimensionality reduction yields the sample valid data. Finally, a one-class SVM is trained on the sample valid data, the best model is selected, its result and parameters are saved, and the selected model is used as the prediction model.
The core idea of the one-class SVM algorithm is to train, with an SVM, the hyperplane with the maximum class margin and thereby convert the one-class problem into a special binary classification problem. Given an input sample set $D = \{x_i\}$, $x_i \in \mathbb{R}^N$, $1 \le i \le n$, assume a mapping $\phi$ from the original space $\mathbb{R}^N$ to an infinite-dimensional feature space $\chi$ with $\phi(x_i) \in \chi$. The problem becomes finding a binary classifier such that sample points lying in the high-density region that contains most of the normal samples are labelled "+1" and outlying sample points outside that region are labelled "-1". The problem is then solved as follows:
Here $w \in \chi$ and $b \in \mathbb{R}$ are the hyperplane parameters, and $\nu n$ is an upper bound on the number of outlying sample points and a lower bound on the number of support vectors. Using the Lagrangian:
and minimising with respect to $w$, $\xi_i$ and $b$ gives:
With these expressions the Lagrangian simplifies to the Wolfe dual problem:
In this formulation $b$ can be obtained from a support vector $x_i$ that satisfies the condition; the calculation formula is:
From this the classification function $f(x)$ is obtained:
The one-class model is thus the solution of the nonlinear programming problem given by the dual under its constraints: from the sample set $D$, find the parameters $a_i$ and $b$ that minimise the Wolfe dual, and then form the classification function $f(x)$.
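The formulas that the description refers to are not reproduced on this page. For reference, the standard $\nu$-one-class SVM formulation (Schölkopf et al., 2001) is added here in the symbols used above, with $a_i$ for the multipliers and $b$ in place of the usual $\rho$; it is the textbook derivation, not text taken from the patent:

Primal problem:
$$\min_{w \in \chi,\; \xi \in \mathbb{R}^n,\; b \in \mathbb{R}} \;\; \frac{1}{2}\|w\|^2 + \frac{1}{\nu n}\sum_{i=1}^{n} \xi_i - b \qquad \text{s.t.}\quad \langle w, \phi(x_i)\rangle \ge b - \xi_i,\;\; \xi_i \ge 0$$

Lagrangian with multipliers $a_i \ge 0$, $\beta_i \ge 0$:
$$L = \frac{1}{2}\|w\|^2 + \frac{1}{\nu n}\sum_i \xi_i - b - \sum_i a_i\big(\langle w,\phi(x_i)\rangle - b + \xi_i\big) - \sum_i \beta_i \xi_i$$

Setting the derivatives with respect to $w$, $\xi_i$ and $b$ to zero:
$$w = \sum_i a_i \phi(x_i), \qquad a_i = \frac{1}{\nu n} - \beta_i \le \frac{1}{\nu n}, \qquad \sum_i a_i = 1$$

Substituting back, with $K(x_i, x_j) = \langle \phi(x_i), \phi(x_j)\rangle$, gives the Wolfe dual:
$$\min_{a}\; \frac{1}{2}\sum_{i,j} a_i a_j K(x_i, x_j) \qquad \text{s.t.}\quad 0 \le a_i \le \frac{1}{\nu n},\;\; \sum_i a_i = 1$$

$b$ from any support vector $x_i$ with $0 < a_i < \frac{1}{\nu n}$ (for which the constraint is active with $\xi_i = 0$):
$$b = \sum_j a_j K(x_j, x_i)$$

Classification function:
$$f(x) = \operatorname{sgn}\Big(\sum_i a_i K(x_i, x) - b\Big)$$

The bound $a_i \le 1/(\nu n)$ together with $\sum_i a_i = 1$ is what makes $\nu n$ an upper bound on the number of margin errors (each has $a_i = 1/(\nu n)$) and a lower bound on the number of support vectors.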
After pre-processing and dimensionality reduction, a sample matrix $D = \{x_i\}$ ($i = 1, \dots, n$) is obtained, each row vector being one sample. The kernel values $K(x_i, x_j)$ in the Wolfe dual are computed with the Gaussian kernel:
$$K(x_i, x_j) = \exp\left(-\frac{\|x_i - x_j\|^2}{2\sigma^2}\right)$$
Substituting $K(x_i, x_j)$ into the Wolfe dual, the parameters $a_i$ and $b$ are found with the SMO algorithm; each sample is then evaluated with the classification function $f(x)$, where $f(x) = 1$ denotes a normal file and $f(x) = -1$ denotes malware.
In the implementation, $\nu n$ in the Wolfe dual and the $\sigma$ of the kernel are hyperparameters whose optimal values are chosen by training error. Because $\nu$ bounds the fraction of training samples that end up outside the learned region, it also sets a floor on the false-positive rate against benign files, so a choice made on training error should be confirmed on held-out normal files.
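The Wolfe dual, the Gaussian kernel and the SMO step described above, as an added example in plain Python (not the patent's code). It minimises $\frac{1}{2}\sum_{i,j} a_i a_j K(x_i, x_j)$ under $0 \le a_i \le 1/(\nu n)$ and $\sum_i a_i = 1$ by repeatedly optimising one pair $(a_i, a_j)$ in closed form, recovers $b$ from the free support vectors, and classifies with $f(x) = \operatorname{sgn}(\sum_i a_i K(x_i, x) - b)$. The training rows are a constructed grid of "normal" two-dimensional vectors standing in for PCA scores. The danger-probability mapping is not reproduced because its formula is not on the page; the raw decision value is exposed instead.

```python
"""One-class SVM with a Gaussian kernel, trained by a two-variable SMO loop.

Added example, not the patent's code.  Solves the Wolfe dual used in the
description: minimise 1/2 sum_ij a_i a_j K(x_i, x_j) subject to
0 <= a_i <= 1/(nu * n) and sum_i a_i = 1, then recovers b from the free
support vectors.  f(x) = +1 means normal, -1 means anomalous.
"""
import math


def gaussian_kernel(x, y, sigma):
    """K(x, y) = exp(-||x - y||^2 / (2 sigma^2))."""
    d2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-d2 / (2.0 * sigma * sigma))


class OneClassSVM:
    def __init__(self, nu=0.1, sigma=1.0, epochs=500, tol=1e-8):
        self.nu, self.sigma, self.epochs, self.tol = nu, sigma, epochs, tol
        self.sv, self.b = [], 0.0

    def fit(self, X):
        n = len(X)
        C = 1.0 / (self.nu * n)                         # box constraint 1/(nu*n)
        K = [[gaussian_kernel(xi, xj, self.sigma) for xj in X] for xi in X]
        a = [1.0 / n] * n                                # feasible start: sum a = 1
        F = [sum(a[k] * K[i][k] for k in range(n)) for i in range(n)]  # dual gradient
        for _ in range(self.epochs):
            max_step = 0.0
            for i in range(n):
                for j in range(i + 1, n):
                    eta = K[i][i] + K[j][j] - 2.0 * K[i][j]   # curvature along e_i - e_j
                    if eta <= 1e-12:
                        continue
                    s = a[i] + a[j]                           # preserved by the pair update
                    lo, hi = max(0.0, s - C), min(C, s)       # keeps both inside [0, C]
                    new_i = min(hi, max(lo, a[i] - (F[i] - F[j]) / eta))
                    delta = new_i - a[i]
                    if abs(delta) < 1e-15:
                        continue
                    a[i], a[j] = new_i, s - new_i
                    for k in range(n):                        # keep the gradient current
                        F[k] += delta * (K[i][k] - K[j][k])
                    max_step = max(max_step, abs(delta))
            if max_step < self.tol:
                break
        # At a free support vector (0 < a_i < C) the KKT conditions give F_i = b.
        free = [i for i in range(n) if 1e-9 < a[i] < C - 1e-9]
        pool = free or [i for i in range(n) if a[i] > 1e-9]
        self.b = sum(F[i] for i in pool) / len(pool)
        self.sv = [(a[i], X[i]) for i in range(n) if a[i] > 1e-9]
        return self

    def decision(self, x):
        """Raw score: positive inside the learned normal region, negative outside."""
        return sum(ai * gaussian_kernel(xi, x, self.sigma) for ai, xi in self.sv) - self.b

    def predict(self, x):
        return 1 if self.decision(x) >= 0 else -1


def training_error(model, X):
    """Fraction of training samples classified as anomalies; at most nu for an exact solution."""
    return sum(1 for x in X if model.predict(x) == -1) / len(X)


# Constructed "normal" samples: a 5x5 grid inside [-0.2, 0.2]^2 (stand-ins for PCA scores).
NORMAL = [[0.1 * i, 0.1 * j] for i in range(-2, 3) for j in range(-2, 3)]


def demo(nu=0.1, sigma=1.0):
    """Train on NORMAL and score one inlier and one far-away point."""
    model = OneClassSVM(nu=nu, sigma=sigma).fit(NORMAL)
    return model, {
        "inside": model.predict([0.0, 0.05]),
        "far_away": model.predict([5.0, 5.0]),
        "train_error": training_error(model, NORMAL),
    }
```

The pairwise update is the one-class special case of SMO: because the equality constraint is $\sum_i a_i = 1$ with no labels, moving mass from $a_j$ to $a_i$ keeps it satisfied, and clipping to $[\max(0, s - C), \min(C, s)]$ keeps both multipliers in the box. Sweeping $\nu$ and $\sigma$ with `training_error` on a held-out set of normal files is how the two hyperparameters are chosen.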
In a specific embodiment of the invention, the method may further comprise: when the file to be detected is predicted to be an abnormal file, predicting, based on the prediction model, a danger probability for the file to be detected and outputting the danger probability to the user.
Once the classification function has determined that a file to be detected is an abnormal file, the danger probability of the abnormal file can also be calculated; its formula is:
By calculating the danger probability of an abnormal file, the user learns how dangerous the file is and can judge whether it may still be executed, so that abnormal files of lower risk are not simply ignored.
The above describes the method for detecting abnormal behaviour of PE files provided by the invention.
Based on the same inventive concept as the above method, an embodiment of the invention further provides an apparatus for detecting abnormal behaviour of PE files, shown in Fig. 2. Since the apparatus embodiment closely mirrors the method embodiment, it is described briefly; for details refer to the description of the method embodiment.
The apparatus for detecting abnormal behaviour of PE files provided by the invention comprises:
a file receiving module 101 for receiving a file to be detected;
a feature extraction module 102 for extracting feature data of the file to be detected;
a data processing module 103 for processing the feature data to obtain valid data;
a prediction module 104 for predicting, from the valid data and based on a prediction model trained with a one-class SVM, whether the file to be detected is an abnormal file, obtaining a prediction result;
an output module 105 for outputting the prediction result to the user.
In a specific embodiment of the invention, the data processing module 103 comprises:
a standardisation unit for standardising the feature data to obtain standard feature data;
a dimensionality reduction unit for performing dimensionality reduction on the standard feature data to obtain valid data.
In a specific embodiment of the invention, the dimensionality reduction unit is specifically configured to:
perform dimensionality reduction on the standard feature data by principal component analysis to obtain valid data.
In a specific embodiment of the invention, the apparatus further comprises:
a sample acquisition module for obtaining sample PE files;
a sample feature extraction module for extracting sample feature data of the sample PE files;
a sample data processing module for processing the sample feature data to obtain sample valid data;
a model building module for training a one-class SVM on the sample valid data to establish the prediction model.
In a specific embodiment of the invention, the apparatus further comprises:
a probability prediction module for predicting, based on the prediction model, a danger probability for the file to be detected when it is predicted to be an abnormal file, and outputting the danger probability to the user.
The above describes the apparatus for detecting abnormal behaviour of PE files provided by the invention.
Based on the same inventive concept as the above method, an embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above method for detecting abnormal behaviour of PE files.
The computer-readable storage medium of this embodiment, under the control of a processor, predicts whether a file to be detected is an abnormal file and has the same advantages as the method: the user learns quickly whether the file is abnormal, the judgement is made before the PE file is run, the one-class SVM needs only normal PE samples and no malware samples, and files whose features fall outside the normal PE sample population are flagged, which allows 0-day attacks to be recognised with a degree of automation, timeliness and effectiveness that conventional methods cannot match.
Based on the same inventive concept as the above method, an embodiment of the invention further provides a device for detecting abnormal behaviour of PE files, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above method for detecting abnormal behaviour of PE files when executing the program.
The device of this embodiment predicts whether a file to be detected is an abnormal file and has the same advantages as the method and the storage medium described above.
Numerous specific details are set forth in the specification of the invention. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
In this specification, reference to "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. Such expressions do not necessarily refer to the same embodiment or example, and the particular features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Further, provided they do not conflict, those skilled in the art may combine the features of different embodiments or examples described in this specification.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not depart from the essence of the corresponding technical solutions; all of them fall within the scope of the claims and description of the invention.

Claims (8)

1. A method for detecting abnormal behaviour of PE files, characterised by comprising:
receiving a file to be detected;
extracting feature data of the file to be detected;
processing the feature data to obtain valid data;
predicting, from the valid data and based on a prediction model trained with a one-class support vector machine (ONECLASS SVM), whether the file to be detected is an abnormal file, to obtain a prediction result;
outputting the prediction result to the user.
2. The method according to claim 1, characterised in that processing the feature data to obtain valid data comprises:
standardising the feature data to obtain standard feature data;
performing dimensionality reduction on the standard feature data to obtain valid data.
3. The method according to claim 2, characterised in that performing dimensionality reduction on the standard feature data to obtain valid data comprises:
performing dimensionality reduction on the standard feature data by principal component analysis to obtain valid data.
4. The method according to claim 1, characterised in that, before the step of predicting, from the valid data and based on a prediction model trained with a one-class SVM, whether the file to be detected is an abnormal file and obtaining a prediction result, the method further comprises:
obtaining sample PE files;
extracting sample feature data of the sample PE files;
processing the sample feature data to obtain sample valid data;
training a one-class SVM on the sample valid data to establish the prediction model.
5. The method according to claim 1, characterised in that the method further comprises:
when the file to be detected is predicted to be an abnormal file, predicting, based on the prediction model, a danger probability for the file to be detected, and outputting the danger probability to the user.
6. An apparatus for detecting abnormal behaviour of PE files, characterised by comprising:
a file receiving module for receiving a file to be detected;
a feature extraction module for extracting feature data of the file to be detected;
a data processing module for processing the feature data to obtain valid data;
a prediction module for predicting, from the valid data and based on a prediction model trained with a one-class SVM, whether the file to be detected is an abnormal file, to obtain a prediction result;
an output module for outputting the prediction result to the user.
7. A computer-readable storage medium storing a computer program, characterised in that the program, when executed by a processor, implements the method of any one of claims 1 to 5.
8. A device for detecting abnormal behaviour of PE files, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterised in that the processor implements the method of any one of claims 1 to 5 when executing the program.
CN201810771640.0A 2018-07-13 2018-07-13 Detect method, apparatus, medium and the equipment of pe file abnormal behaviour Pending CN108920958A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810771640.0A CN108920958A (en) 2018-07-13 2018-07-13 Detect method, apparatus, medium and the equipment of pe file abnormal behaviour

Publications (1)

Publication Number Publication Date
CN108920958A true CN108920958A (en) 2018-11-30

Family

ID=64411975

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810771640.0A Pending CN108920958A (en) 2018-07-13 2018-07-13 Detect method, apparatus, medium and the equipment of pe file abnormal behaviour

Country Status (1)

Country Link
CN (1) CN108920958A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105205396A (en) * 2015-10-15 2015-12-30 上海交通大学 Detecting system for Android malicious code based on deep learning and method thereof
CN107341401A (en) * 2017-06-21 2017-11-10 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detecting method and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112685735A (en) * 2018-12-27 2021-04-20 慧安金科(北京)科技有限公司 Method, apparatus, and computer-readable storage medium for detecting abnormal data
CN112685735B (en) * 2018-12-27 2024-04-12 慧安金科(北京)科技有限公司 Method, apparatus and computer readable storage medium for detecting abnormal data
CN110311898A (en) * 2019-06-13 2019-10-08 浙江工业大学 Network Computer Numerical Control System man-in-the-middle attack detection method based on Gaussian radial basis function classifier
CN110311898B (en) * 2019-06-13 2021-08-03 浙江工业大学 Man-in-the-middle attack detection method of networked numerical control system based on Gaussian radial basis function classifier
CN112948829A (en) * 2021-03-03 2021-06-11 深信服科技股份有限公司 File searching and killing method, system, equipment and storage medium
CN112948829B (en) * 2021-03-03 2023-11-03 深信服科技股份有限公司 File searching and killing method, system, equipment and storage medium

Similar Documents

Publication Publication Date Title
Venkatraman et al. A hybrid deep learning image-based analysis for effective malware detection
Shirani et al. BinArm: Scalable and efficient detection of vulnerabilities in firmware images of intelligent electronic devices
CN101266550B (en) Malicious code detection method
CN110909811A (en) OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system
CN107451476A (en) Webpage back door detection method, system, equipment and storage medium based on cloud platform
Jeon et al. Hybrid malware detection based on bi-lstm and spp-net for smart iot
BR102015017215A2 (en) computer-implemented method for classifying mobile applications, and computer program encoded on non-transient storage medium
CN108920958A (en) Detect method, apparatus, medium and the equipment of pe file abnormal behaviour
CN109992969B (en) Malicious file detection method and device and detection platform
CN108491228A (en) A kind of binary vulnerability Code Clones detection method and system
CN112632535B (en) Attack detection method, attack detection device, electronic equipment and storage medium
RU2587429C2 (en) System and method for evaluation of reliability of categorisation rules
CN117034273A (en) Android malicious software detection method and system based on graph rolling network
Peng et al. Micro-architectural features for malware detection
CN108761250B (en) Industrial control equipment voltage and current-based intrusion detection method
CN114143074B (en) webshell attack recognition device and method
CN108509796B (en) Method for detecting risk and server
CN112367336B (en) Webshell interception detection method, device, equipment and readable storage medium
Jiang et al. Machine learning in industrial control system security: A survey
Wang Intrusion detection technology of Internet of vehicles based on deep learning
Sun et al. Vulnerability finding and firmware association in power grid
Lai et al. Research on Software Trust Analysis Based on Behavior
Zhao et al. Software abnormal behavior detection based on Hidden Markov Model
Suganya et al. Auditing of hadoop log file for dynamic detection of threats using H-ISSM-MIM and convolutional neural network
Singh et al. Static Malware Analysis Using Machine and Deep Learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181130