CN108959930A - Malicious PDF detection method, system, data storage device and detection program - Google Patents
- Publication number
- CN108959930A
- Authority
- CN
- China
- Prior art keywords
- PDF file
- malicious
- information entropy
- suspicious file
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
Abstract
The invention discloses a malicious PDF detection method, system, data storage device and detection program, belonging to the field of information security technology. The malicious PDF detection method is: convert the PDF file under test into a byte sequence and calculate the information entropy of each PDF file; set a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value, compare the information entropy of each PDF file with α, and treat PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files; use Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks; classify using the C5.0 decision tree algorithm. The invention addresses problems such as a narrow detection range and high model detection time.
Description
Technical field
The present invention applies to the detection of malicious PDF files in information security, and more particularly relates to a malicious PDF detection method, system, data storage device and detection program.
Background
Portable Document Format (PDF) is an electronic file format released by Adobe Systems in 1993. Because PDF is highly popular, flexibly structured and rich in functionality, more and more cybercriminals use PDF files to carry out crimes such as information theft and malicious extortion. In recent years, advanced persistent threat (APT) attacks against organizations and government agencies have occurred from time to time; malicious PDF files are an important carrier of APT attacks, completing the attack by executing malicious code embedded in the file. Although software vendors work to prevent and fix such problems, PDF software is still frequently subject to zero-day attacks, especially attacks that use the PDF file format together with third-party technologies (such as JavaScript or Flash), which makes creating temporary patches increasingly difficult. In addition, because the architecture of PDF files is complex, attackers use various code obfuscation techniques that make it difficult for anti-virus software to detect novel malicious PDF files.
Analysis of malicious PDF files shows that, for existing PDF vulnerabilities, the main attack modes are JavaScript-based attacks and non-JavaScript-based attacks. JavaScript-based attacks exploit vulnerabilities in the PDF reader to transfer the execution flow to embedded malicious JavaScript code. Non-JavaScript-based attacks mainly use PDF functions such as "/Launch", "/GoTo" and "/URI" to open remote resources automatically, increasing the threat the Internet poses to the client.
Most anti-virus software currently detects and removes malware using heuristic or string-matching methods, but these approaches cannot effectively handle polymorphic attacks. To solve this problem, recent research has concentrated on two directions:
(1) Using the JavaScript embedded in the PDF file: its JavaScript features are extracted through static and dynamic analysis and classified with machine learning. Such methods can cope with attacks based on malicious JavaScript, but are susceptible to code obfuscation.
(2) Detecting malicious PDF files using the structural information of the PDF file, without analyzing the attack code or vulnerability the file carries. The advantage of this approach over JavaScript analysis is that it can detect non-JavaScript attacks and is not affected by code obfuscation. However, how to enhance the robustness of the model is a major challenge for malicious file detection methods based on structural information.
Malicious PDF detection based on the above methods can typically only detect attacks of a single mode, and the time consumption of the models is high.
Summary of the invention
To solve the above problems, the purpose of the present invention is to provide a malicious PDF detection method, system, data storage device and detection program.
To achieve this purpose, the technical solution of the invention is as follows:
A malicious PDF detection method includes at least the following steps:
Step 1: convert the PDF file under test into a byte sequence and calculate the information entropy of each PDF file;
Step 2: set a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value; compare the information entropy of each PDF file with α, treating PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
Step 3: use Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
Step 4: classify using the C5.0 decision tree algorithm.
Further, step 1 is specifically: first convert the PDF file under test into a binary byte file with PDFParser, then calculate the information entropy of each PDF file.
Further, step 3 is specifically: first use Origami to analyze the structure of the suspicious file and search for malicious features and general structural features, then analyze the JavaScript code of the suspicious file and search for malicious features.
Further, step 4 is specifically: first represent each PDF file as a vector composed of the general structural features, the structural behavioral features and the JavaScript features; then input the vector and its class into the C5.0 decision tree for classification.
Another object of the invention is to provide a malicious PDF detection system, comprising:
an information entropy calculation module, which converts the PDF file under test into a byte sequence and calculates the information entropy of each PDF file;
a screening module, which sets a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value, compares the information entropy of each PDF file with α, and treats PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
an analysis module, which uses Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
a classification module, which classifies using the C5.0 decision tree algorithm.
Another object of the invention is to provide a data storage device including instructions which, when run on a computer, cause the computer to execute the above malicious PDF detection method.
Another object of the invention is to provide a detection program that implements the above malicious PDF detection method.
The advantages and positive effects of the invention are:
The invention combines the information entropy, JavaScript features and structural features of PDF files and classifies them with the C5.0 decision tree algorithm. The method has high detection accuracy and greatly reduces detection time, which improves its practicality.
Brief description of the drawings
Fig. 1 is a flow chart of the preferred embodiment of the invention.
Detailed description
To further explain the content, features and effects of the invention, the following embodiment is given and described in detail with reference to the drawing:
As shown in Fig. 1, a malicious PDF detection method includes the following steps:
Step 1: convert the PDF files in the data set into byte sequences and calculate the information entropy of each PDF file.
The specific steps are as follows:
(1) First convert the PDF files in the data set into binary with PDFParser.
(2) Then calculate the information entropy of the file with formula 1.
Here x represents the file; N represents the total number of distinct bytes after the file is converted into a byte sequence; i represents the i-th byte in the byte sequence of the file; p_i is the probability that byte i occurs.
Step 2: compare the information entropy of each file with the threshold α; files whose information entropy is higher than α are treated as normal files, and files whose information entropy is lower than α are treated as suspicious files.
The specific steps are as follows:
(1) Based on repeated test simulations, the information entropy threshold α is set to 7.74.
(2) Substitute the information entropy H(x) obtained in step 1 and the threshold α into formula 2 to obtain their difference. If the difference is greater than 0, the PDF file is treated as a suspicious file and passed to step 3; otherwise it is output as a normal file.
ΔH = α - H(x)    (2)
ΔH: the difference between the threshold α and the information entropy H(x) of the PDF file under test.
Step 3: use Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks.
The specific steps are as follows:
(1) First use Origami to analyze the structure of the PDF file and search for malicious features and general structural features. The malicious features include '/JS', '/JavaScript', '/GoTo', '/GoToR', '/GoToE', '/OpenAction' and '/SubmitForm'; the general structural features include the file size and the number of indirect objects.
(2) Then analyze the JavaScript code of the PDF file and search for malicious features. The malicious features include substring, fromCharCode, stringcount, document.write, document.createElement, eval, setTimeout, eval_length and max_string.
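The screening in steps 1 to 3 can be sketched as follows. This is an added Python example, not code from the patent: it assumes formula 1 is the standard Shannon entropy of the byte histogram, stands in for the Origami parse with raw byte matching, and runs on two constructed samples; all function and variable names are hypothetical.

```python
import math
import re
from collections import Counter

ALPHA = 7.74  # entropy threshold given in the description (bits per byte)

# Structural keywords listed in step 3 of the description.
STRUCT_KEYS = [b"/JS", b"/JavaScript", b"/GoTo", b"/GoToR", b"/GoToE",
               b"/OpenAction", b"/SubmitForm"]
# JavaScript tokens listed in step 3 of the description.
JS_TOKENS = [b"substring", b"fromCharCode", b"document.write",
             b"document.createElement", b"eval", b"setTimeout"]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def screen(data: bytes, alpha: float = ALPHA) -> str:
    """Step 2: delta_h = alpha - H(x); a positive difference means suspicious."""
    delta_h = alpha - byte_entropy(data)
    return "suspicious" if delta_h > 0 else "normal"


def count_name(data: bytes, name: bytes) -> int:
    """Count a PDF name without letting /GoTo also match /GoToR or /GoToE."""
    return len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))


def feature_vector(data: bytes) -> dict:
    """Step 3 stand-in: raw byte matching instead of Origami's parsed objects."""
    feats = {"size": len(data),
             "indirect_objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))}
    for key in STRUCT_KEYS:
        feats[key.decode()] = count_name(data, key)
    for tok in JS_TOKENS:
        feats["js_" + tok.decode()] = data.count(tok)
    return feats


def triage(data: bytes) -> dict:
    """Run the entropy screen; extract features only for suspicious files."""
    verdict = screen(data)
    return {"entropy": round(byte_entropy(data), 4), "verdict": verdict,
            "features": feature_vector(data) if verdict == "suspicious" else None}


# Constructed sample: small uncompressed PDF-like text with an auto-run script.
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (eval(String.fromCharCode(97))) >>\nendobj\n"
    b"3 0 obj\n<< /S /GoToR /F (other.pdf) >>\nendobj\n%%EOF\n")
# Constructed sample: every byte value equally often, as in compressed data.
SAMPLE_UNIFORM = bytes(range(256)) * 16

if __name__ == "__main__":
    for label, blob in (("scripted", SAMPLE_SCRIPTED), ("uniform", SAMPLE_UNIFORM)):
        print(label, triage(blob))
```

Only files that fail the entropy screen reach feature extraction, which is where the method's time saving comes from.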
Step 4: classify using the C5.0 decision tree algorithm.
The specific steps are as follows:
(1) S is the feature sample set, comprising the structural feature set S1 and the JavaScript feature set S2. Taking the structural features as an example, the metadata type variable C has K classes, and the number of samples belonging to class C_i is freq(C_i, S1); the information entropy Info(S1) of the structural feature set S1 is calculated with formula 3:
Here |S1| is the number of elements in the structural feature set S1.
(2) The feature attribute T has N classes; the conditional entropy Info(T) of attribute T is calculated with formula 4:
Here T_i is the i-th class of the feature attribute.
(3) The information gain Gain(T) of attribute variable T is calculated with formula 5:
Gain(T) = Info(S1) - Info(T)    (5)
(4) Nodes are generated using the information gain ratio, formula 6:
GainRatio(A) = Gain(A) / Info(A)    (6)
Here Gain(A) is the information gain of the child nodes generated in case A; Info(A) is an index of the number of child nodes generated in case A: the more child nodes after the split, the larger Info(A).
(5) After the tree is generated, pruning is performed using a tree-rule-based method.
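An added Python example (not the patent's code) of the split selection in step 4. Formulas 3 and 4 are not reproduced on this page, so the standard entropy and conditional entropy definitions are assumed, with Info(A) in formula 6 taken as the entropy of the split itself; the feature rows are constructed and all names are hypothetical. It shows the case formula 6 exists for: the three-valued attribute has the larger information gain, but the gain ratio selects the two-valued one.

```python
import math
from collections import Counter, defaultdict


def info(values) -> float:
    """Entropy in bits of a list of class labels or attribute values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def partition(rows, attr):
    """Group the class labels of the rows by the value of one attribute."""
    groups = defaultdict(list)
    for feats, label in rows:
        groups[feats[attr]].append(label)
    return groups


def conditional_info(rows, attr) -> float:
    """Weighted entropy of the labels after splitting on attr (formula 4)."""
    n = len(rows)
    return sum(len(g) / n * info(g) for g in partition(rows, attr).values())


def gain(rows, attr) -> float:
    """Formula 5: entropy of the whole set minus the conditional entropy."""
    return info([label for _, label in rows]) - conditional_info(rows, attr)


def split_info(rows, attr) -> float:
    """Info(A) in formula 6: grows with the number of child nodes."""
    return info([feats[attr] for feats, _ in rows])


def gain_ratio(rows, attr) -> float:
    """Formula 6; an attribute with a single value cannot split and scores 0."""
    si = split_info(rows, attr)
    return gain(rows, attr) / si if si > 0 else 0.0


def best_split(rows, attrs) -> str:
    """Attribute a C5.0-style tree would test at this node."""
    return max(attrs, key=lambda a: gain_ratio(rows, a))


# Constructed feature vectors: (features, class label).
ROWS = [
    ({"has_js": 1, "open_action": 1, "size": "small"}, "malicious"),
    ({"has_js": 1, "open_action": 1, "size": "small"}, "malicious"),
    ({"has_js": 1, "open_action": 0, "size": "medium"}, "malicious"),
    ({"has_js": 1, "open_action": 0, "size": "large"}, "benign"),
    ({"has_js": 0, "open_action": 1, "size": "medium"}, "benign"),
    ({"has_js": 0, "open_action": 0, "size": "large"}, "benign"),
    ({"has_js": 0, "open_action": 0, "size": "medium"}, "benign"),
    ({"has_js": 0, "open_action": 0, "size": "large"}, "benign"),
]
ATTRS = ["has_js", "open_action", "size"]

if __name__ == "__main__":
    for a in ATTRS:
        print(f"{a:12s} gain={gain(ROWS, a):.4f} ratio={gain_ratio(ROWS, a):.4f}")
    print("split on:", best_split(ROWS, ATTRS))
```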
A malicious PDF detection system, comprising:
an information entropy calculation module, which converts the PDF file under test into a byte sequence and calculates the information entropy of each PDF file;
a screening module, which sets a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value, compares the information entropy of each PDF file with α, and treats PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
an analysis module, which uses Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
a classification module, which classifies using the C5.0 decision tree algorithm.
A data storage device including instructions which, when run on a computer, cause the computer to execute the following malicious PDF detection method:
Step 1: convert the PDF file under test into a byte sequence and calculate the information entropy of each PDF file;
Step 2: set a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value; compare the information entropy of each PDF file with α, treating PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
Step 3: use Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
Step 4: classify using the C5.0 decision tree algorithm.
Preferably, step 1 is specifically: first convert the PDF file under test into a binary byte file with PDFParser, then calculate the information entropy of each PDF file.
Preferably, step 3 is specifically: first use Origami to analyze the structure of the suspicious file and search for malicious features and general structural features, then analyze the JavaScript code of the suspicious file and search for malicious features.
Preferably, step 4 is specifically: first represent each PDF file as a vector composed of the general structural features, the structural behavioral features and the JavaScript features; then input the vector and its class into the C5.0 decision tree for classification.
A detection program that implements the following malicious PDF detection method:
Step 1: convert the PDF file under test into a byte sequence and calculate the information entropy of each PDF file;
Step 2: set a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value; compare the information entropy of each PDF file with α, treating PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
Step 3: use Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
Step 4: classify using the C5.0 decision tree algorithm.
Preferably, step 1 is specifically: first convert the PDF file under test into a binary byte file with PDFParser, then calculate the information entropy of each PDF file.
Preferably, step 3 is specifically: first use Origami to analyze the structure of the suspicious file and search for malicious features and general structural features, then analyze the JavaScript code of the suspicious file and search for malicious features.
Preferably, step 4 is specifically: first represent each PDF file as a vector composed of the general structural features, the structural behavioral features and the JavaScript features; then input the vector and its class into the C5.0 decision tree for classification.
Embodiment:
To verify the effect of this method, the inventors designed a corresponding experiment. On the one hand, the experiment examines the influence of different parameters on the detection performance of the model; on the other hand, the method is compared with two widely used malicious PDF detection models: the JavaScript-based detection model (PJScan) and the structural-feature-based detection model (PDFMS).
The detection data set is taken from Contagiodump and contains 11207 malicious files and 9745 normal files in total; 10310 of the malicious samples have embedded JavaScript, accounting for 92% of the malicious samples. The formal detection is repeated 10 times with 10-fold cross validation.
Comparison 1: this verifies the detection performance of the invention under different attack modes, in order to evaluate whether the malicious PDF detection method based on JavaScript and structural features under information entropy helps improve the accuracy of malicious file detection. The experimental results are shown in Table 1. As Table 1 shows, the method described here reaches a detection rate of 98.73% with a false detection rate of 1.8%. PJScan's detection rate (TPR) is 71.94% and its false detection rate (FPR) is 1.1%. PDFMS's detection rate is 99.55% and its false detection rate is 2.5%. Although the false detection rate of the proposed method is higher than that of PDFMS, its detection rate is 26.79% higher than that of PJScan. It follows that the proposed method is reasonable and effective: it effectively detects malicious PDF files based on malicious JavaScript attacks and can also effectively detect malicious PDF files based on non-JavaScript attacks.
Table 1: Comparison of detection accuracy and detection time of different algorithms
Comparison 2: this verifies the detection time of the invention under different attack modes, in order to evaluate whether malicious file detection using the JavaScript features and structural features of PDF files helps reduce the time consumed by detection. Table 1 compares the accuracy (TPR), false detection rate (FPR) and detection time (T(s)) of the method described here with those of PDFMS and PJScan. As Table 1 shows, PDFMS consumes the most detection time, 2330s; PJScan is in the middle at 2247s; the method proposed by the invention consumes the least detection time, 1857s, which is 473s less than PDFMS and 390s less than PJScan. In summary, the proposed method outperforms both PDFMS and PJScan in detection time.
The basic principle of the malicious PDF detection method based on JavaScript and structural features under information entropy provided by the invention is as follows: to reduce time consumption, information entropy is first used to separate suspicious files from normal files, and only the suspicious files are then examined; to widen the detection range, both structural features and JavaScript features are extracted during detection; finally, the C5.0 decision tree algorithm is used for classification.
The embodiments of the invention have been described in detail above, but the content is only the preferred embodiment of the invention and should not be regarded as limiting the scope of the invention. Any changes and modifications made within the scope of the present application should still fall within the scope of this patent.
Claims (7)
1. A malicious PDF detection method, characterized in that it includes at least the following steps:
Step 1: convert the PDF file under test into a byte sequence and calculate the information entropy of each PDF file;
Step 2: set a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value; compare the information entropy of each PDF file with α, treating PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
Step 3: use Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
Step 4: classify using the C5.0 decision tree algorithm.
2. The malicious PDF detection method according to claim 1, characterized in that step 1 is specifically: first convert the PDF file under test into a binary byte file with PDFParser, then calculate the information entropy of each PDF file.
3. The malicious PDF detection method according to claim 1, characterized in that step 3 is specifically: first use Origami to analyze the structure of the suspicious file and search for malicious features and general structural features, then analyze the JavaScript code of the suspicious file and search for malicious features.
4. The malicious PDF detection method according to claim 1, characterized in that step 4 is specifically: first represent each PDF file as a vector composed of the general structural features, the structural behavioral features and the JavaScript features; then input the vector and its class into the C5.0 decision tree for classification.
5. A malicious PDF detection system, characterized in that it comprises:
an information entropy calculation module, which converts the PDF file under test into a byte sequence and calculates the information entropy of each PDF file;
a screening module, which sets a threshold α according to the maximum, minimum and average information entropy values of the collected malicious and benign PDF files together with an empirical value, compares the information entropy of each PDF file with α, and treats PDF files whose information entropy is higher than α as normal files and PDF files whose information entropy is lower than α as suspicious files;
an analysis module, which uses Origami to analyze the suspicious files and extract the JavaScript features and structural features commonly used in malicious attacks;
a classification module, which classifies using the C5.0 decision tree algorithm.
6. A data storage device, characterized in that it includes instructions which, when run on a computer, cause the computer to execute the malicious PDF detection method of any one of claims 1-4.
7. A detection program that implements the malicious PDF detection method of any one of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810832905.3A CN108959930A (en) | 2018-07-26 | 2018-07-26 | Malicious PDF detection method, system, data storage device and detection program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108959930A (en) | 2018-12-07 |
Family
ID=64464972
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810832905.3A Pending CN108959930A (en) | Malicious PDF detection method, system, data storage device and detection program | 2018-07-26 | 2018-07-26 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108959930A (en) |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108287992A (en) * | 2017-01-07 | 2018-07-17 | 长沙有干货网络技术有限公司 | A kind of malicious program detection system of the computer learning based on Android |
CN107180192A (en) * | 2017-05-09 | 2017-09-19 | 北京理工大学 | Android malicious application detection method and system based on multi-feature fusion |
Non-Patent Citations (3)
Title |
---|
Davide Maiorca et al.: "A Structural and Content-based Approach for a Precise and Robust Detection of Malicious PDF Files", 2015 International Conference on Information Systems Security and Privacy (ICISSP) * |
Himanshu Pareek et al.: "Entropy and n-gram Analysis of Malicious PDF Documents", International Journal of Engineering Research & Technology * |
武雪峰: "Analysis of Malicious PDF Documents", China Master's Theses Full-text Database, Information Science and Technology * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110069927A (en) * | 2019-04-22 | 2019-07-30 | 中国民航大学 | Malicious APK detection method, system, data storage device and detection program |
CN110784561A (en) * | 2019-09-30 | 2020-02-11 | 奇安信科技集团股份有限公司 | IPv6 address segmentation method and similar site or link address set searching method |
CN112231701A (en) * | 2020-09-29 | 2021-01-15 | 广州威尔森信息科技有限公司 | PDF file processing method and device |
CN116578536A (en) * | 2023-07-12 | 2023-08-11 | 北京安天网络安全技术有限公司 | File detection method, storage medium and electronic device |
CN116578536B (en) * | 2023-07-12 | 2023-09-22 | 北京安天网络安全技术有限公司 | File detection method, storage medium and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20181207 |