CN109753794A - Identification method, system, training method, device and medium for malicious applications - Google Patents
- Publication number: CN109753794A (CN201811453800.3A)
- Authority: CN (China)
- Prior art keywords: vector, data, target, dynamic, target application
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The present invention discloses an identification method, system, training method, device and medium for malicious applications. The identification method includes: obtaining dynamic behaviour data and static code data of a target application, where the dynamic behaviour data is the behaviour data that the target application generates according to user behaviour, and the static code data is the code data generated by writing the target application; performing feature extraction on the dynamic behaviour data using a first convolutional neural network to obtain a target dynamic vector; performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector; and outputting a malicious detection result for the target application according to the target dynamic vector and the target static vector. The method and system provided by this application address the technical problem that existing identification methods consider only a single factor and therefore identify malicious applications with low accuracy, and achieve the technical effect of improving identification accuracy.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an identification method, system, training method, device and medium for malicious applications.
Background
With the development of science and technology, smartphones have become widespread, and everyday activities such as living, shopping and entertainment all depend on mobile devices of various kinds. The spread of smartphones brings convenience, and this convenience derives from the rich variety of application programs installed on them.
To ensure the security of installed application programs, identifying whether an application program carries a virus is extremely important. Existing techniques for identifying whether an application program carries a virus detect whether the program exhibits abnormal behaviour; if it does, the program is considered a malicious application and is then handled by deletion, virus removal or similar processing.
However, because existing identification methods consider only a single factor, they suffer from the technical problem of low accuracy in identifying malicious applications.
Summary of the invention
In view of the above problems, the present invention is proposed to provide an identification method, system, training method, device and medium for malicious applications that overcome the above problems or at least partially solve them.
In a first aspect, an identification method for malicious applications is provided, comprising:
obtaining dynamic behaviour data and static code data of a target application, where the dynamic behaviour data is the behaviour data that the target application generates according to user behaviour, and the static code data is the code data generated by writing the target application;
performing feature extraction on the dynamic behaviour data using a first convolutional neural network to obtain a target dynamic vector;
performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector;
outputting a malicious detection result for the target application according to the target dynamic vector and the target static vector.
Optionally, obtaining the dynamic behaviour data of the target application includes: running the target application in a sandbox environment; and obtaining, according to preset instrumentation points, the dynamic behaviour data of the target application during its run.
Optionally, running the target application in the sandbox environment includes: during the run of the target application, simulating user operations to trigger the target application to generate behaviour data.
Optionally, obtaining the static code data of the target application includes: parsing the code files of the installation package of the target application to obtain the static code data.
Optionally, obtaining the static code data of the target application includes: parsing the code files of the installation package of the target application to obtain the binary file corresponding to the installation package, and using the binary file as the static code data; or decompiling the code files of the installation package of the target application to obtain the compiled code of the installation package, and using the compiled code as the static code data.
Optionally, performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector includes: converting the dynamic behaviour data into a first dynamic vector sequence in vector representation; and inputting the first dynamic vector sequence in batches into the first convolutional neural network for feature extraction, to obtain the target dynamic vector.
Optionally, inputting the first dynamic vector sequence in batches into the first convolutional neural network model includes: according to a preset batch length and interval parameter, inputting the first dynamic vector sequence in batches into the first convolutional neural network, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors equals the interval parameter, and the batch length is greater than the interval parameter.
Optionally, performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector includes: converting the dynamic behaviour data into a first dynamic vector sequence in vector representation; pre-training each vector in the first dynamic vector sequence into a vector described by its surrounding vectors, generating a second dynamic vector sequence; and performing feature extraction on the second dynamic vector sequence using the first convolutional neural network, to obtain the target dynamic vector.
Optionally, performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector includes: according to preset virus features, screening out the meaningless data in the dynamic behaviour data that does not match the virus features; and performing feature extraction, using the first convolutional neural network, on the dynamic behaviour data that remains after the meaningless data is screened out, to obtain the target dynamic vector.
Optionally, performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector includes: in the first convolutional neural network, performing feature extraction on the dynamic behaviour data using multiple convolution kernels of different sizes, to obtain multiple groups of feature vectors; and obtaining the target dynamic vector from the multiple groups of feature vectors.
Optionally, the multiple convolution kernels of different sizes include: a single convolution kernel of the same size as each vector in the dynamic behaviour data.
Optionally, performing feature extraction on the static code data using the second convolutional neural network to obtain the target static vector includes: generating N feature sequences based on the static code data, and performing preset first feature parameter extraction on each feature sequence to obtain N first feature vectors, where N is an integer greater than or equal to 2; and concatenating the N first feature vectors and performing preset second feature parameter extraction on the second feature vector obtained after concatenation, to obtain the target static vector.
Optionally, performing the preset first feature parameter extraction on each feature sequence to obtain N first feature vectors includes: performing one-dimensional convolution on each of the N feature sequences to obtain the first feature information of that feature sequence, and activating the first feature information with a preset first activation function to obtain activated first feature information; and pooling the activated first feature information corresponding to each of the N feature sequences, to obtain N first feature vectors.
Optionally, performing one-dimensional convolution on each of the N feature sequences to obtain the first feature information of that feature sequence includes, for each of the N feature sequences, the following steps: performing one-dimensional convolution on the feature sequence to obtain a first processing result; activating the first processing result with a preset second activation function to obtain a second processing result; and taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
Optionally, pooling the activated first feature information corresponding to each of the N feature sequences to obtain N first feature vectors includes: pooling, by max pooling, the activated first feature information corresponding to each of the N feature sequences, to obtain N first feature vectors.
Optionally, concatenating the N first feature vectors and performing the preset second feature parameter extraction on the second feature vector obtained after concatenation to obtain the target static vector includes: concatenating the N first feature vectors to obtain a second feature vector; performing one-dimensional convolution on the second feature vector to obtain the second feature information of the second feature vector, and activating the second feature information with a preset third activation function to obtain activated second feature information; and pooling the activated second feature information to obtain the target static vector.
Optionally, performing one-dimensional convolution on the second feature vector to obtain the second feature information of the second feature vector includes: performing one-dimensional convolution on the second feature vector to obtain a third processing result; activating the third processing result with a preset fourth activation function to obtain a fourth processing result; and taking the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
Optionally, pooling the activated second feature information to obtain the target static vector includes: pooling the activated second feature information by average pooling, to obtain the target static vector.
Optionally, outputting the malicious detection result for the target application according to the target dynamic vector and the target static vector includes: merging the target dynamic vector and the target static vector to generate a merged vector; and outputting the malicious detection result for the target application according to the merged vector.
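The static branch described above (per-sequence one-dimensional convolution, gating by a second activation, activation, max pooling, concatenation, a second gated convolution and average pooling) is traced in the following added example, which is not part of the patent. The kernel weights, the sigmoid gate, the ReLU activation and the way a constructed byte string is split into N equal feature sequences are assumptions; the text only says these are preset.

```python
import math

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def relu(x):
    return x if x > 0 else 0.0

def mean(values):
    return sum(values) / len(values)

def conv1d(seq, kernel):
    """Valid one-dimensional convolution of a scalar sequence with one kernel."""
    k = len(kernel)
    if len(seq) < k:
        raise ValueError("sequence is shorter than the kernel")
    return [sum(seq[i + j] * kernel[j] for j in range(k))
            for i in range(len(seq) - k + 1)]

def gated_conv(seq, kernel, gate=sigmoid):
    """First result = convolution; second result = gate(first);
    feature information = first * second (assumed gate: sigmoid)."""
    first = conv1d(seq, kernel)
    return [f * gate(f) for f in first]

def extract(seq, kernels, pool, act=relu):
    """Gated convolution -> activation -> pooling, one output value per kernel."""
    return [pool([act(v) for v in gated_conv(seq, kernel)])
            for kernel in kernels]

def make_sequences(data, n):
    """Assumed way to derive N feature sequences: N equal chunks of scaled bytes."""
    if n < 2:
        raise ValueError("N must be an integer greater than or equal to 2")
    chunk = len(data) // n
    return [[b / 255.0 for b in data[i * chunk:(i + 1) * chunk]]
            for i in range(n)]

def static_vector(sequences, kernels1, kernels2):
    # First feature parameter extraction: max pooling per feature sequence.
    first_vectors = [extract(s, kernels1, max) for s in sequences]
    # Concatenate the N first feature vectors into the second feature vector.
    second = [v for vec in first_vectors for v in vec]
    # Second feature parameter extraction: average pooling.
    return extract(second, kernels2, mean), first_vectors

# Constructed sample input and weights (not real application code or trained values).
SAMPLE = bytes((i * 37 + 11) % 256 for i in range(32))
KERNELS1 = [[1.0, 0.0, -1.0], [0.5, 0.5, 0.5], [-1.0, 2.0, -1.0]]
KERNELS2 = [[1.0, -1.0], [0.5, 0.5]]

def run_static_branch():
    return static_vector(make_sequences(SAMPLE, 2), KERNELS1, KERNELS2)

if __name__ == "__main__":
    target_static, firsts = run_static_branch()
    print("first feature vectors:", firsts)
    print("target static vector:", target_static)
```

With a sigmoid gate, the product of the convolution output and its gated copy is the SiLU (swish) form; other preset activation functions plug into the same `gate` and `act` parameters.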
In a second aspect, an identification system for malicious applications is provided, comprising:
an obtaining module, for obtaining dynamic behaviour data and static code data of a target application, where the dynamic behaviour data is the behaviour data that the target application generates according to user behaviour, and the static code data is the code data generated by writing the target application;
a first convolutional neural network module, for performing feature extraction on the dynamic behaviour data to obtain a target dynamic vector;
a second convolutional neural network module, for performing feature extraction on the static code data to obtain a target static vector;
an output module, for outputting a malicious detection result for the target application according to the target dynamic vector and the target static vector.
Optionally, the obtaining module includes: a first acquisition unit, for running the target application in a sandbox environment, and obtaining, according to preset instrumentation points, the dynamic behaviour data of the target application during its run.
Optionally, the first acquisition unit is further used to: during the run of the target application, simulate user operations to trigger the target application to generate behaviour data.
Optionally, the obtaining module further includes: a second acquisition unit, for parsing the code files of the installation package of the target application to obtain the static code data.
Optionally, the system further includes: a second acquisition unit, for parsing the code files of the installation package of the target application to obtain the binary file corresponding to the installation package, and using the binary file as the static code data; or for decompiling the code files of the installation package of the target application to obtain the compiled code of the installation package, and using the compiled code as the static code data.
Optionally, the first convolutional neural network module includes: a word embedding layer, for converting the dynamic behaviour data into a first dynamic vector sequence in vector representation; a first convolutional layer, for performing feature extraction on the dynamic behaviour data converted into vector representation, to obtain a feature vector sequence; and a first pooling layer, for reducing the dimensionality of the feature vector sequence to obtain a dimension-reduced vector sequence, and obtaining the target dynamic vector from the dimension-reduced vector sequence.
Optionally, the word embedding layer is further used to: input the first dynamic vector sequence in batches into the first convolutional layer for feature extraction.
Optionally, the word embedding layer is further used to: according to a preset batch length and interval parameter, input the first dynamic vector sequence in batches into the first convolutional layer, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors equals the interval parameter, and the batch length is greater than the interval parameter.
Optionally, the first convolutional neural network module further includes: a pre-training unit, for pre-training each vector in the first dynamic vector sequence produced by the word embedding layer into a vector described by its surrounding vectors, generating a second dynamic vector sequence, and then inputting the second dynamic vector sequence into the first convolutional layer for feature extraction.
Optionally, the first convolutional neural network module further includes: a screening unit, for screening out, according to preset virus features, the meaningless data in the dynamic behaviour data that does not match the virus features, and then inputting the dynamic behaviour data that remains after the meaningless data is screened out into the first convolutional layer for feature extraction.
Optionally, the first convolutional layer is further used to: perform feature extraction on the dynamic behaviour data using multiple convolution kernels of different sizes, to obtain multiple groups of feature vector sequences.
Optionally, the multiple convolution kernels of different sizes include: a single convolution kernel of the same size as each vector in the dynamic behaviour data.
Optionally, the second convolutional neural network module includes: a first sub-network, for generating N feature sequences based on the static code data, and performing preset first feature parameter extraction on each feature sequence to obtain N first feature vectors, where N is an integer greater than or equal to 2; and a second sub-network, for concatenating the N first feature vectors and performing preset second feature parameter extraction on the second feature vector obtained after concatenation, to obtain the target static vector.
Optionally, the first sub-network includes an input layer, a second convolutional layer and a second pooling layer, connected in sequence. The input layer is used to generate N feature sequences based on the static code data. The second convolutional layer is used to perform one-dimensional convolution on each of the N feature sequences to obtain the first feature information of that feature sequence, and to activate the first feature information with a preset first activation function to obtain activated first feature information. The second pooling layer is used to pool the activated first feature information corresponding to each of the N feature sequences, to obtain N first feature vectors.
Optionally, the second convolutional layer is further used to perform, for each of the N feature sequences, the following steps: performing one-dimensional convolution on the feature sequence to obtain a first processing result; activating the first processing result with a preset second activation function to obtain a second processing result; and taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
Optionally, the second pooling layer is further used to: pool, by max pooling, the activated first feature information corresponding to each of the N feature sequences, to obtain N first feature vectors.
Optionally, the second sub-network includes a third convolutional layer and a third pooling layer, connected in sequence. The third convolutional layer concatenates the N first feature vectors to obtain a second feature vector, performs one-dimensional convolution on the second feature vector to obtain the second feature information of the second feature vector, and activates the second feature information with a preset third activation function to obtain activated second feature information. The third pooling layer pools the activated second feature information to obtain the target static vector.
Optionally, the third convolutional layer is further used to: perform one-dimensional convolution on the second feature vector to obtain a third processing result; activate the third processing result with a preset fourth activation function to obtain a fourth processing result; and take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
Optionally, the third pooling layer is further used to: pool the activated second feature information by average pooling, to obtain the target static vector.
Optionally, the output module further includes: a merging unit, for merging the target dynamic vector and the target static vector to generate a merged vector; and an output unit, for outputting the malicious detection result for the target application according to the merged vector.
In a third aspect, a training method is provided, the method being used to train the identification system of the second aspect.
The training samples of the training method include the dynamic behaviour data and static code data of multiple application programs, and labelled data describing whether each of the multiple application programs is a malicious application. The dynamic behaviour data is the behaviour data that the target application generates according to user behaviour, and the static code data is the code data generated by writing the target application.
In a fourth aspect, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements any method of the first aspect when executing the program.
In a fifth aspect, a computer-readable storage medium is provided, on which a computer program is stored, where the program implements any method of the first aspect when executed by a processor.
The technical solutions provided in the embodiments of this application have at least the following technical effects or advantages:
The identification method, system, training method, device and medium for malicious applications provided by the embodiments of this application obtain both the dynamic behaviour data and the static code data of the target application and use them together as the data considered when identifying malicious applications. By setting more comprehensive identification data, the accuracy of identifying malicious applications is effectively improved. In addition, convolutional neural networks are used to extract features from the dynamic behaviour data and the static code data, yielding a target dynamic vector and a target static vector that better characterise the application's features, so that a more accurate malicious detection result is obtained.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the contents of the specification, and so that the above and other objects, features and advantages of the present invention are easier to understand, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flow chart of the identification method for malicious applications in an embodiment of the present invention;
Fig. 2 is a structure diagram of the identification system for malicious applications in an embodiment of the present invention;
Fig. 3 is a flow chart of the training method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the electronic device in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the storage medium in an embodiment of the present invention.
Detailed description of the embodiments
The general idea of the technical solution in the embodiments of this application is as follows:
The dynamic behaviour data and static code data of the target application are obtained, feature extraction is performed on them using convolutional neural networks to obtain a target dynamic vector and a target static vector, and the malicious detection result for the target application is output according to the two vectors. Accuracy in identifying malicious applications is improved by setting more comprehensive data and by using convolutional neural networks for feature extraction.
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Embodiment one
This embodiment provides an identification method for malicious applications, as shown in Fig. 1, comprising:
Step S101: obtain dynamic behaviour data and static code data of a target application, where the dynamic behaviour data is the behaviour data that the target application generates according to user behaviour, and the static code data is the code data generated by writing the target application;
Step S102: perform feature extraction on the dynamic behaviour data using a first convolutional neural network, to obtain a target dynamic vector;
Step S103: perform feature extraction on the static code data using a second convolutional neural network, to obtain a target static vector;
Step S104: output a malicious detection result for the target application according to the target dynamic vector and the target static vector.
It should be noted that the identification method provided by this embodiment can be applied on the server side (a standalone server, a server group or the cloud) or on a client terminal. Preferably, the method is applied on the client terminal, which prevents a virus from recording the sandbox characteristics of the cloud and the server side by repeatedly accessing the server side, and so avoids sandbox escape.
The first convolutional neural network and the second convolutional neural network in this embodiment are trained networks, and can be trained using the training method described in Embodiment three below.
The identification method for malicious applications provided by this embodiment is described in detail below with reference to Fig. 1:
Step S101: obtain dynamic behaviour data and static code data of a target application, where the dynamic behaviour data is the behaviour data that the target application generates according to user behaviour, and the static code data is the code data generated by writing the target application.
In one embodiment, the dynamic behaviour data is obtained by running the target application in a sandbox environment and then collecting the data according to preset instrumentation points.
Taking the case where the identification method is applied to a mobile phone as an example, a sandbox is installed on the phone, and the target application may be an application on the phone whose security status is unknown, or an application that needs virus detection. To protect the phone's system, the target application can be run in the sandbox environment, so that even if the target application is a virus it will not affect the phone's system. While the target application runs in the sandbox environment, user operations are simulated to trigger the target application to generate behaviour data. In this embodiment, the preset instrumentation points can be implemented by inserting instrumentation points into system services by means of a customised ROM (Read Only Memory). It should be understood that instrumentation points can be set according to historical virus behaviour detection experience and the behavioural sensitivity of programs. For example, behaviours such as background-monitoring access to contacts and background-monitoring access to short messages are highly sensitive behaviours, and instrumentation points can be inserted into the corresponding system services. Of course, the preset instrumentation points can also be placed in other positions, such as in the process of the program under detection, which is not limited here.
The number of instrumentation points can be set according to actual needs. In one embodiment, there are 200 preset instrumentation points. If the program under detection triggers any one of these 200 instrumentation points while running, that behaviour is extracted, and the multiple extracted behaviours form a dynamic target behaviour sequence that reflects the dynamic behaviour of the program under detection during its run.
Specifically, the target application generates many behaviours while running, including calls to various APIs (Application Programming Interfaces) to make requests to the system. It should be understood that a system service can be understood as a service that responds to API calls: after an API is called, the corresponding system service responds to the API call request and feeds back a call result. Because the target system service has been instrumented, if the API corresponding to the target system service is called, the call behaviour can be extracted through the instrumentation point.
In one embodiment, the static code data comes from the installation package of the target application. The installation package is an application installation package that needs to be checked for whether it carries a virus; alternatively, in other embodiments of the invention, it may be an application installation package that needs to be checked both for whether it carries a virus and for the type of virus carried. Specifically, the application installation package may be a software installation package for a mobile terminal, such as an Android installation package with the suffix apk, or a software installation package for a computer, such as an installation package with the suffix exe.
In this embodiment, the static code data is the information obtained by parsing the code file of the target application's installation package. In one implementation, the static code data may be the binary file of the target application's installation package.
In other embodiments of the invention, the static code data may instead be an opcode sequence obtained from the code file of the target application's installation package. An opcode is part of the code in that code file and can be code that carries functional logic; after multiple opcodes have been obtained, sorting them yields the opcode sequence. In this case, the static information of the target application's installation package can be obtained as follows: obtain the installation package and disassemble it, obtain the disassembled smali files, and extract the opcodes to obtain the opcode sequence. For example, suppose the application installation package under test is an apk file. The apk file contains a code file in dex format, and the dex file contains all the source code of the target application corresponding to the apk file; the corresponding Java code can be obtained with a disassembly tool. Disassembly yields files in smali format. Each smali file represents one class in the dex file; each class consists of functions, each function consists of instructions, and each instruction consists of one opcode and multiple operands.
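The opcode extraction described above, as an added example that is not part of the patent: a small parser that walks disassembled smali text and returns the opcode sequence, then maps it to integer ids for an embedding layer. The smali sample is constructed, and the function names and the handling of data-table directives are assumptions of this sketch.

```python
import re

# Constructed smali text (not taken from any real application).
SAMPLE_SMALI = """\
.class public Lcom/example/Demo;
.super Ljava/lang/Object;

.method public static pick(I)I
    .registers 2
    packed-switch p0, :pswitch_data_0
    const/4 v0, 0x0
    return v0
    :pswitch_0
    const/4 v0, 0x1
    return v0
    :pswitch_data_0
    .packed-switch 0x1
        :pswitch_0
    .end packed-switch
.end method

.method public greet()V
    .registers 2
    # comments and directives are not instructions
    const-string v0, "hi"
    invoke-static {v0}, Lcom/example/Demo;->log(Ljava/lang/String;)V
    return-void
.end method
"""

OPCODE_RE = re.compile(r"^[a-z][a-z0-9/-]*$")
# Directives that open a block of data lines rather than instructions.
DATA_BLOCKS = ("packed-switch", "sparse-switch", "array-data", "annotation")


def opcodes_by_method(smali_text):
    """Return {"Lclass;->method(sig)ret": [opcode, ...]} for one smali file."""
    cls, method, skip_until = "?", None, None
    result = {}
    for raw in smali_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if skip_until:                        # inside a data table or annotation
            if line == skip_until:
                skip_until = None
            continue
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method = f"{cls}->{line.split()[-1]}"
            result[method] = []
        elif line.startswith(".end method"):
            method = None
        elif method is None:
            continue                          # class-level directives and fields
        elif line.startswith("."):
            name = line[1:].split()[0]
            if name in DATA_BLOCKS:
                skip_until = f".end {name}"
        elif line.startswith(":"):
            continue                          # label
        else:
            token = line.split()[0]           # the opcode precedes its operands
            if OPCODE_RE.match(token):
                result[method].append(token)
    return result


def opcode_sequence(smali_text):
    """Flatten the per-method lists, in file order, into one opcode sequence."""
    return [op for ops in opcodes_by_method(smali_text).values() for op in ops]


def to_ids(sequence, vocab=None):
    """Map opcodes to integer ids; id 0 is reserved for opcodes not in vocab."""
    if vocab is None:
        vocab = {}
        for op in sequence:
            vocab.setdefault(op, len(vocab) + 1)
    return [vocab.get(op, 0) for op in sequence], vocab
```

The `.packed-switch` directive is a data table and is skipped, while the `packed-switch` instruction that refers to it is kept as an opcode.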
Step S102: perform feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector.
The first convolutional neural network includes: a word embedding layer, which converts the dynamic behaviour data into a first dynamic vector sequence expressed as vectors; a first convolutional layer, which performs feature extraction on the dynamic behaviour data converted into vector form to obtain a feature vector sequence; and a first pooling layer, which reduces the dimension of the feature vector sequence to obtain a reduced-dimension vector sequence and obtains the target dynamic vector from that sequence. The feature extraction process of the first convolutional neural network is described in detail below.
To provide data suitable for neural network computation, before feature extraction is performed on the dynamic behaviour data, the word embedding layer first converts the dynamic behaviour data into the first dynamic vector sequence expressed as vectors, and the first dynamic vector sequence is then input into the first convolutional neural network for feature extraction. Further, to reduce the amount of data the first convolutional neural network computes each time, reduce the size of the corresponding model and improve extraction efficiency, the first dynamic vector sequence can be input into the first convolutional neural network in batches for feature extraction.
Further, to keep the amount of neural network computation stable, a batch length and a spacing parameter can also be preset. When the first dynamic vector sequence is input in batches, the number of vectors in each batch of first dynamic vectors is set equal to the batch length, and the number of vectors between the starting vectors of adjacent input batches is set equal to the spacing parameter. The batch length can also be set greater than the spacing parameter, so that no vector is omitted when the first dynamic vector sequence is input in batches. When the batch length is fixed, the smaller the spacing parameter, the more vectors are repeated between adjacent batches and the more combinations the same vector appears in across different batches; this makes it more likely that related vectors fall into the same batch, and so improves the comprehensiveness and accuracy of subsequent feature extraction.
For example, suppose the batch length is 30 and the spacing parameter is 9; then the first batch is vectors 1-30 of the first dynamic vector sequence, the second batch is vectors 10-40, the third batch is vectors 20-50, and so on.
In one embodiment, the first dynamic vector sequence can also be pre-trained first, to speed up the convergence of the first convolutional neural network. The pre-training turns every vector in the first dynamic vector sequence into a vector described by its surrounding vectors, generating a second dynamic vector sequence; the pre-trained second dynamic vector sequence is then input into the first convolutional neural network for feature extraction.
For example, suppose the first dynamic vector sequence is action1, action2, action3 ... action100. When it is pre-trained, the description vector in which action3 and action1 describe the position of action2 is used as the second vector of the second dynamic vector sequence; alternatively, that description vector is merged into action2 and the result is used as the second vector of the second dynamic vector sequence. Adding to each vector a vector that describes its position or meaning gives the convolutional neural network more factors to refer to during computation and speeds up convergence.
It should be noted that the pre-training of the first dynamic vector sequence can be performed before the first dynamic vector sequence is divided into batches as described above, or after it; this is not restricted.
In one embodiment, data on historical viruses can be collected in advance and virus features extracted from it. Before feature extraction is performed on the dynamic behaviour data, meaningless data that does not match the virus features is first screened out of the dynamic behaviour data according to the virus features, so that the dynamic behaviour data more strongly associated with viruses is retained. This reduces the amount of computation in the subsequent feature extraction by the first convolutional neural network and improves the convergence speed.
It should be noted that the screening out of meaningless data from the dynamic behaviour data can be performed before the dynamic behaviour data is converted into the first dynamic vector sequence, or after that conversion; this is not restricted.
In this embodiment of the application, feature extraction on the dynamic behaviour data by the first convolutional neural network is achieved first through extraction of the feature vector sequence by the first convolutional layer and then through dimension reduction by the first pooling layer. The two are described separately below:
When the first convolutional layer of the first convolutional neural network performs feature extraction on the dynamic behaviour data, it extracts features with preset convolution kernels. In this embodiment of the application, the first convolutional neural network is configured to use convolution kernels of multiple different sizes to extract features from the dynamic behaviour data, obtaining multiple groups of feature vectors for subsequent dimension reduction. This ensures as far as possible that related vectors are grouped together for feature extraction, and improves the generalization ability of the features.
For example, suppose that after the dynamic behaviour data is converted, each input batch of the first dynamic vector sequence has a batch length of 100 and a vector dimension of 64; then four convolution kernels, 1*64, 3*64, 5*64 and 7*64, can be set to extract the feature vector sequence from each batch of the first dynamic vector sequence.
Further, the convolution kernels of multiple different sizes can be set to include a single convolution kernel of the same size as each vector in the first dynamic vector sequence, to overcome the effect of the instrumentation order on the prototype differing from the instrumentation order in the sandbox when the dynamic behaviour data is collected. For example, suppose that after the dynamic behaviour data is converted, each input batch of the first dynamic vector sequence has a batch length of 100 and a vector dimension of 64; then the convolution kernels that are set include the 1*64 kernel, to guarantee that the extracted features include a feature vector sequence in which each group is a single vector.
After the feature vector sequence has been extracted by the first convolutional layer, it is input into the first pooling layer, which reduces its dimension to obtain the reduced-dimension vector sequence and merges the reduced-dimension vector sequence to obtain the target dynamic vector. Specifically, the reduced-dimension vector sequence can be merged with a concat function.
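The first network's pipeline described above (word embedding, kernels of sizes 1, 3, 5 and 7, pooling, concat), as an added example that is not part of the patent; it also shows why the kernel as wide as a single vector is insensitive to the order in which behaviours were recorded. The behaviour names are hypothetical, the embedding and kernel weights are untrained constructed values, the vector dimension is 8 rather than 64, and max-pooling over positions is an assumption because the page does not name the pooling type of the first pooling layer.

```python
import random

# Hypothetical behaviour names; a real deployment would use its own piling-point ids.
VOCAB = ["read_contacts", "read_sms", "send_sms", "open_socket", "get_location", "load_dex"]
DIM = 8                    # vector dimension (the page's example uses 64)
WIDTHS = (1, 3, 5, 7)      # kernel sizes 1*DIM, 3*DIM, 5*DIM, 7*DIM
PER_WIDTH = 2              # number of kernels per size (assumption)


def build_model(seed=0):
    """Untrained, randomly initialised embedding table and kernels (constructed)."""
    rng = random.Random(seed)
    table = {b: [rng.uniform(-1, 1) for _ in range(DIM)] for b in VOCAB}
    kernels = {w: [[[rng.uniform(-1, 1) for _ in range(DIM)] for _ in range(w)]
                   for _ in range(PER_WIDTH)] for w in WIDTHS}
    return table, kernels


def embed(behaviours, table):
    """Word embedding layer; behaviours outside the vocabulary map to a zero vector."""
    zero = [0.0] * DIM
    return [table.get(b, zero) for b in behaviours]


def convolve(vectors, kernel):
    """Slide a (width x DIM) kernel along the sequence; one value per position."""
    width = len(kernel)
    return [sum(w * x for row, vec in zip(kernel, vectors[i:i + width])
                for w, x in zip(row, vec))
            for i in range(len(vectors) - width + 1)]


def dynamic_vector(behaviours, model):
    """Embed, convolve with every kernel, max-pool each result, concatenate."""
    table, kernels = model
    vectors = embed(behaviours, table)
    pooled = []
    for width in WIDTHS:
        for kernel in kernels[width]:
            positions = convolve(vectors, kernel)
            # A sequence shorter than the kernel yields no positions: use 0.0.
            pooled.append(max(positions) if positions else 0.0)
    return pooled


# Constructed behaviour sequence and the same behaviours recorded in reverse order.
SEQUENCE = ["read_contacts", "read_sms", "send_sms", "open_socket",
            "get_location", "load_dex", "read_sms", "send_sms"]
REORDERED = list(reversed(SEQUENCE))
```

The first `PER_WIDTH` entries of the result come from the width-1 kernels and are identical for `SEQUENCE` and `REORDERED`; the entries from the wider kernels depend on the order.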
Step S103: perform feature extraction on the static code data using the second convolutional neural network to obtain the target static vector.
The second convolutional neural network includes a first sub-network and a second sub-network. The first sub-network divides the static code data of the target application's installation package into multiple characteristic sequences and extracts the local key information corresponding to each characteristic sequence. The second sub-network further extracts more comprehensive feature parameters from the local key information that the first sub-network extracted for each characteristic sequence, and obtains the target static vector. In one implementation, both the first sub-network and the second sub-network can be convolutional neural networks.
The first sub-network generates N characteristic sequences from the static code data and performs preset first feature parameter extraction on each characteristic sequence to obtain N first feature vectors.
In this embodiment, N is an integer greater than or equal to 2. When the static code data is the binary file of the target application's installation package, there are several ways to generate the N characteristic sequences from the static code data; four implementations are introduced below.
First: divide the binary file into N binary sequences; encode each of the N binary sequences to obtain N characteristic sequences.
Second: divide the binary file into N binary sequences; encode each of the N binary sequences to obtain N first coded sequences; perform dimension reduction on each of the N first coded sequences to obtain N characteristic sequences, where the dimension of each characteristic sequence is lower than the dimension of the corresponding first coded sequence.
Specifically, in the first and second implementations above, the way the binary file is divided into N binary sequences can be set according to actual needs. In one implementation, the file can be divided at intervals of a preset number of bytes, which can be set according to actual needs. For example, let a_i denote the i-th byte; when the preset number of bytes is 50000, a_1 to a_50000 are divided into one binary sequence, a_50001 to a_100000 into another binary sequence, and so on. In another implementation, the file can be divided according to a first preset step and a first preset length, both of which can be set as needed. For example, let a_i denote the i-th byte; when the first preset step is 10000 bytes and the first preset length is 50000 bytes, a_1 to a_50000 are divided into one binary sequence, a_10001 to a_60000 into another binary sequence, and so on.
Third: encode the binary file to obtain a second coded sequence, and divide the second coded sequence into N characteristic sequences.
Fourth: encode the binary file to obtain a second coded sequence; perform dimension reduction on the second coded sequence to obtain a target sequence; divide the target sequence into N characteristic sequences. The number of codes in the second coded sequence is the dimension of the second coded sequence, and the dimension of the target sequence is lower than the dimension of the second coded sequence. The reduction factor can be set according to actual needs, for example a reduction by a factor of 100 or 50, so that the second coded sequence can be reduced from millions of dimensions to tens of thousands of dimensions.
Similarly, in the third and fourth implementations above, the way the second coded sequence is divided into N characteristic sequences can be set according to actual needs. In one implementation, the sequence can be divided at intervals of a preset number of codes, which can be set according to actual needs. In another implementation, the sequence can be divided according to a second preset step and a second preset length, both of which can be set as needed.
For example, the second coded sequence has 5,000,000 dimensions; dimension reduction converts it into a target sequence of 90,000 dimensions, and the 90,000-dimension target sequence is then divided. For example, when dividing at intervals of a preset number of codes and the preset number of codes is 1000, the target sequence can be divided into 90 characteristic sequences of 1000 dimensions each.
In the implementations above, several encoding methods are possible and can be chosen as needed. For example, the binary number of each byte can be converted into a decimal number, so that each byte becomes a number in the range 0 to 255. For example, if the hexadecimal representation of part of the binary data in the binary file of the application installation package is "x90 x00 x03 x00 x00 x00 x04 x00 x00 x00 xff xff", the corresponding encoding after conversion is "144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255".
Specifically, the dimension reduction above can be implemented by applying a preset algorithm to the first coded sequence or the second coded sequence. The preset algorithm can be bicubic interpolation, nearest-neighbour interpolation, bilinear interpolation, or the like. Reducing the dimension of the coded sequence before further processing helps improve processing speed and, correspondingly, also reduces the training time of the neural network system and its resource usage.
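The fourth way above (encode, reduce dimension, divide), as an added example that is not part of the patent, together with the step-and-length division used by the first and second ways. The function names are assumptions of this sketch, nearest-neighbour sampling stands in for whichever interpolation algorithm is chosen, and keeping a shorter final window is an assumption because the page does not say how the tail is handled.

```python
def encode_bytes(blob):
    """Encode each byte of the binary file as a decimal number in 0..255."""
    return list(blob)


def downsample_nearest(seq, target_len):
    """Nearest-neighbour reduction of a 1-D coded sequence to target_len values."""
    if target_len <= 0:
        raise ValueError("target_len must be positive")
    n = len(seq)
    if target_len >= n:
        return list(seq)                  # nothing to reduce
    # Take the source element nearest the centre of each output cell.
    return [seq[(2 * i + 1) * n // (2 * target_len)] for i in range(target_len)]


def split_windows(seq, length, step=None):
    """Divide seq into windows of `length` items whose starts are `step` apart.

    step defaults to length, which is the plain "every preset number of bytes"
    division. A step larger than the length is rejected because the items
    between two windows would be omitted. The last window may be shorter.
    """
    if step is None:
        step = length
    if length <= 0 or step <= 0:
        raise ValueError("length and step must be positive")
    if step > length:
        raise ValueError("step larger than length would omit items")
    if not seq:
        return []
    windows, start = [], 0
    while True:
        windows.append(seq[start:start + length])
        if start + length >= len(seq):    # this window reached the end
            break
        start += step
    return windows


def characteristic_sequences(blob, target_len, length, step=None):
    """Fourth way: encode the file, reduce its dimension, then divide it."""
    coded = encode_bytes(blob)
    target = downsample_nearest(coded, target_len)
    return split_windows(target, length, step)


# Constructed stand-in for the binary file of an installation package.
SAMPLE_BLOB = bytes(i % 256 for i in range(50000))
SAMPLE_SEQUENCES = characteristic_sequences(SAMPLE_BLOB, target_len=9000, length=1000)
```

The same `split_windows` function models the batch length and spacing parameter used when the first dynamic vector sequence is input in batches.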
In other embodiments of the invention, when the static code data is an opcode sequence obtained from the code file of the target application's installation package, the N characteristic sequences can also be obtained from the opcode sequence, and each characteristic sequence is then processed further.
Optionally, the first sub-network includes an input layer, a second convolutional layer and a second pooling layer, connected in sequence. It can be understood that the second convolutional layer convolves each characteristic sequence with a preset number of convolution kernels to obtain convolution features, and passes the convolution features through an activation function. The second pooling layer further performs dimension reduction and feature extraction on the activated convolution features.
In this case, the process in which the first sub-network generates N characteristic sequences from the static code data and performs preset first feature parameter extraction on each characteristic sequence to obtain N first feature vectors may include: the input layer generates the N characteristic sequences from the static code data as described above; the second convolutional layer performs one-dimensional convolution on each of the N characteristic sequences to obtain the first feature information of that characteristic sequence, and activates the first feature information with a preset first activation function to obtain the activated first feature information; the second pooling layer performs pooling on the activated first feature information corresponding to each of the N characteristic sequences to obtain N first feature vectors.
Optionally, the first activation function above can be the ReLU function. The ReLU activation function is better at preventing the gradient attenuation problem. Other activation functions can of course be used as needed.
Optionally, the second convolutional layer performing one-dimensional convolution on each of the N characteristic sequences to obtain the first feature information of that characteristic sequence can specifically include: for each of the N characteristic sequences, the second convolutional layer performs the following steps: perform one-dimensional convolution on the characteristic sequence to obtain a first processing result; activate the first processing result with a preset second activation function to obtain a second processing result; take the product of the first processing result and the second processing result as the first feature information of the characteristic sequence. The second activation function can be the Sigmoid function. This forms a gate structure, which can better control the transmission of local feature information and improve the expressive power of the local features.
It should be noted that in the one-dimensional convolution above, the number, size and step of the one-dimensional convolution kernels can be set according to actual needs. This embodiment can use one-dimensional convolution kernels of larger size and a larger step to reduce the computation and storage load.
Optionally, the second pooling layer performing pooling on the activated first feature information corresponding to each of the N characteristic sequences to obtain N first feature vectors can specifically include: the second pooling layer performs pooling by max-pooling on the activated first feature information corresponding to each of the N characteristic sequences to obtain N first feature vectors. Using max-pooling introduces invariance while also performing dimension reduction and extraction of local key information, and prevents over-fitting.
After the first sub-network has finished processing, the second sub-network splices the N first feature vectors and performs preset second feature parameter extraction on the second feature vector obtained by splicing, to obtain the target static vector.
In one implementation, the second sub-network may include a third convolutional layer, a third pooling layer and an output layer, connected in sequence.
In this case, the second sub-network splicing the N first feature vectors and performing preset second feature parameter extraction on the second feature vector obtained by splicing, to obtain the target static vector, can specifically include: the third convolutional layer splices the N first feature vectors to obtain the second feature vector, performs one-dimensional convolution on the second feature vector to obtain the second feature information of the second feature vector, and activates the second feature information with a preset third activation function to obtain the activated second feature information; the third pooling layer performs pooling on the activated second feature information to obtain the target static vector.
The third activation function can also be the ReLU function. Likewise, the ReLU activation function is better at preventing the gradient attenuation problem.
Optionally, performing one-dimensional convolution on the second feature vector to obtain the second feature information of the second feature vector can specifically include: perform one-dimensional convolution on the second feature vector to obtain a third processing result; activate the third processing result with a preset fourth activation function to obtain a fourth processing result; take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector. The fourth activation function can be the Sigmoid function. This forms a gate structure, which can better control the transmission of global feature information and improve the expressive power of the global features.
Optionally, the third pooling layer performing pooling on the activated second feature information to obtain a third feature vector includes: the third pooling layer performs pooling on the activated second feature information by average pooling (avg-pooling) to obtain the target static vector. Avg-pooling is used to balance global information and local information, so that the model can make full use of the features of each characteristic sequence.
Step S104: output the malice detection result for the target application according to the target dynamic vector and the target static vector.
In this embodiment of the application, the target dynamic vector and the target static vector can first be merged to generate a merged vector, and the malice detection result for the target application is then output according to the merged vector. Specifically, the target dynamic vector and the target static vector can be merged with a concat function, and a softmax function can be used to compute the probability that the target application is a malicious application as the malice detection result. Other merging functions or other functions for computing the malice detection result can of course also be used; this is not restricted.
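The static branch of step S103 and the fusion of step S104, as an added example that is not part of the patent: gated one-dimensional convolution with ReLU and max-pooling per characteristic sequence, splicing, a second gated convolution with avg-pooling, then concat and softmax. All weights are untrained constructed values and the inputs are constructed; global pooling over positions, flattening the spliced vectors into one sequence, and the linear layer in front of softmax are assumptions, since the page does not specify them.

```python
import math
import random


def sigmoid(x):
    """Numerically stable logistic function."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def conv1d(seq, kernels, stride):
    """One-dimensional convolution: one row per position, one column per kernel."""
    size = len(kernels[0])
    if len(seq) < size:
        raise ValueError("sequence shorter than the convolution kernel")
    return [[sum(w * x for w, x in zip(k, seq[i:i + size])) for k in kernels]
            for i in range(0, len(seq) - size + 1, stride)]


def gate_then_relu(rows):
    """Gate structure (result * Sigmoid(result)) followed by the ReLU activation."""
    return [[max(0.0, x * sigmoid(x)) for x in row] for row in rows]


def pool(rows, mode):
    """Global pooling over positions, "max" or "avg"; one value per kernel."""
    cols = list(zip(*rows))
    return [max(c) if mode == "max" else sum(c) / len(c) for c in cols]


def static_vector(char_seqs, k1, k2, stride1=4, stride2=1):
    """Second network: first sub-network per sequence, then the second sub-network."""
    # First sub-network: gated convolution, ReLU, max-pooling -> N first feature vectors.
    firsts = [pool(gate_then_relu(conv1d(s, k1, stride1)), "max") for s in char_seqs]
    # Second sub-network: splice, gated convolution, ReLU, avg-pooling.
    second = [v for vec in firsts for v in vec]
    return pool(gate_then_relu(conv1d(second, k2, stride2)), "avg")


def softmax(logits):
    m = max(logits)                        # subtract the maximum for stability
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def detect(dynamic_vec, static_vec, weights, bias):
    """Concat both vectors, apply a linear layer (assumption), return softmax output."""
    merged = list(dynamic_vec) + list(static_vec)
    if any(len(row) != len(merged) for row in weights):
        raise ValueError("weight rows must match the merged vector length")
    logits = [sum(w * x for w, x in zip(row, merged)) + b
              for row, b in zip(weights, bias)]
    return softmax(logits)                 # [P(benign), P(malicious)]


def demo(seed=0):
    """Run the whole path on constructed data with untrained random weights."""
    rng = random.Random(seed)
    # N = 3 characteristic sequences of 64 byte codes, scaled from 0..255 to 0..1.
    char_seqs = [[rng.randrange(256) / 255 for _ in range(64)] for _ in range(3)]
    k1 = [[rng.uniform(-1, 1) for _ in range(8)] for _ in range(4)]   # 4 kernels, size 8
    k2 = [[rng.uniform(-1, 1) for _ in range(3)] for _ in range(5)]   # 5 kernels, size 3
    s_vec = static_vector(char_seqs, k1, k2)
    d_vec = [rng.uniform(0, 1) for _ in range(6)]   # stand-in target dynamic vector
    weights = [[rng.uniform(-1, 1) for _ in range(len(d_vec) + len(s_vec))]
               for _ in range(2)]
    return s_vec, detect(d_vec, s_vec, weights, [0.0, 0.0])
```

With untrained weights the two probabilities carry no meaning; the block shows only the data flow and the shapes at each stage.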
Based on the same inventive concept, an embodiment of the invention also provides the system corresponding to the method of Embodiment One; see Embodiment Two.
Embodiment two
An identification system for malicious applications is provided which, as shown in Fig. 2, comprises:
an acquisition module 201, for obtaining the dynamic behaviour data and the static code data of the target application, where the dynamic behaviour data is the behaviour data that the target application generates in response to user behaviour, and the static code data is the code data produced when the target application was written;
a first convolutional neural network module 202, for performing feature extraction on the dynamic behaviour data to obtain the target dynamic vector;
a second convolutional neural network module 203, for performing feature extraction on the static code data to obtain the target static vector;
an output module 204, for outputting the malice detection result for the target application according to the target dynamic vector and the target static vector.
Optionally, the acquisition module 201 includes: a first acquisition unit, for running the target application in a sandbox environment and, according to the preset piling points, obtaining the dynamic behaviour data of the target application while it runs.
Optionally, the first acquisition unit is also used to: simulate user operations while the target application runs, to trigger the target application to generate behaviour data.
Optionally, the acquisition module 201 further includes: a second acquisition unit, for obtaining the static code data by parsing the code file of the target application's installation package.
Optionally, the second acquisition unit is used to parse the code file of the target application's installation package to obtain the binary file corresponding to the installation package, and to use the binary file as the static code data; or to decompile the code file of the target application's installation package to obtain the compiled code of the installation package, and to use the compiled code as the static code data.
Optionally, the first convolutional neural network module 202 includes:
a word embedding layer, for converting the dynamic behaviour data into a first dynamic vector sequence expressed as vectors;
a first convolutional layer, for performing feature extraction on the dynamic behaviour data converted into vector form to obtain a feature vector sequence;
a first pooling layer, for reducing the dimension of the feature vector sequence to obtain a reduced-dimension vector sequence, and obtaining the target dynamic vector from the reduced-dimension vector sequence.
Optionally, the word embedding layer is also used to: input the first dynamic vector sequence into the first convolutional layer in batches for feature extraction.
Optionally, the word embedding layer is also used to: input the first dynamic vector sequence into the first convolutional layer in batches according to a preset batch length and spacing parameter, where the number of vectors in each batch of first dynamic vectors is equal to the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors is equal to the spacing parameter, and the batch length is greater than the spacing parameter.
Optionally, the first convolutional neural network module 202 further includes: a pre-training unit, for pre-training every vector in the first dynamic vector sequence converted by the word embedding layer into a vector described by its surrounding vectors, generating a second dynamic vector sequence, and then inputting the second dynamic vector sequence into the first convolutional layer for feature extraction.
Optionally, the first convolutional neural network module 202 further includes: a screening unit, for screening out of the dynamic behaviour data, according to preset virus features, the meaningless data that does not match the virus features, and then inputting the dynamic behaviour data from which the meaningless data has been screened out into the first convolutional layer for feature extraction.
Optionally, the first convolutional layer is also used to: perform feature extraction on the dynamic behaviour data using convolution kernels of multiple different sizes, to obtain multiple groups of feature vector sequences.
Optionally, the convolution kernels of multiple different sizes include: a single convolution kernel of the same size as each vector in the dynamic behaviour data.
Optionally, the second convolutional neural network module 203 includes:
A first sub-network 2031, configured to generate N feature sequences based on the static code data and to perform preset first feature parameter extraction processing on each feature sequence separately, obtaining N first feature vectors, where N is an integer greater than or equal to 2;
A second sub-network 2032, configured to splice the N first feature vectors and to perform preset second feature parameter extraction processing on the second feature vector obtained after splicing, obtaining the target static vector.
Optionally, the first sub-network 2031 includes an input layer, a second convolutional layer and a second pooling layer, which are connected in sequence;
The input layer is configured to generate the N feature sequences based on the static code data;
The second convolutional layer is configured to perform one-dimensional convolution processing on each of the N feature sequences separately, obtaining the first feature information of that feature sequence, and to activate the first feature information with a preset first activation function, obtaining the activated first feature information;
The second pooling layer is configured to perform pooling processing on the activated first feature information corresponding to each of the N feature sequences separately, obtaining the N first feature vectors.
Optionally, the second convolutional layer is further configured to execute the following steps for each of the N feature sequences: perform one-dimensional convolution processing on the feature sequence to obtain a first processing result; activate the first processing result with a preset second activation function to obtain a second processing result; and take the product of the first processing result and the second processing result as the first feature information of the feature sequence.
Optionally, the second pooling layer is further configured to: perform pooling processing, by max pooling, on the activated first feature information corresponding to each of the N feature sequences separately, obtaining the N first feature vectors.
Optionally, the second sub-network 2032 includes a third convolutional layer and a third pooling layer, which are connected in sequence;
The third convolutional layer splices the N first feature vectors to obtain the second feature vector, performs one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector, and activates the second feature information with a preset third activation function, obtaining the activated second feature information;
The third pooling layer performs pooling processing on the activated second feature information, obtaining the target static vector.
Optionally, the third convolutional layer is further configured to: perform one-dimensional convolution processing on the second feature vector to obtain a third processing result; activate the third processing result with a preset fourth activation function to obtain a fourth processing result; and take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
Optionally, the third pooling layer is further configured to: perform pooling processing on the activated second feature information by average pooling, obtaining the target static vector.
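The following Python example is added here for illustration and is not code from the patent; it traces the data flow of the second convolutional neural network described above: N feature sequences, gated one-dimensional convolution, max pooling, splicing, a second gated convolution, and average pooling. The sigmoid gate, the ReLU activation, the byte-slice input layer, the treatment of the spliced vector as a one-channel sequence, and all kernel weights are assumptions, because the text only calls these functions and parameters "preset".

```python
import math
from typing import Callable, List, Sequence

Vector = List[float]
Matrix = List[Vector]        # one row per sequence position, one column per channel
Kernels = Sequence[Matrix]   # F filters, each K rows by C channels


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def relu(x: float) -> float:
    return x if x > 0.0 else 0.0


def conv1d(seq: Matrix, kernels: Kernels) -> Matrix:
    """Valid one-dimensional convolution: T x C input -> (T-K+1) x F output."""
    width = len(kernels[0])
    if len(seq) < width:
        raise ValueError("sequence is shorter than the kernel width")
    out: Matrix = []
    for start in range(len(seq) - width + 1):
        window = seq[start:start + width]
        out.append([
            sum(w * x for w_row, x_row in zip(kernel, window)
                for w, x in zip(w_row, x_row))
            for kernel in kernels
        ])
    return out


def gated_feature_info(seq: Matrix, kernels: Kernels,
                       gate: Callable[[float], float] = sigmoid,
                       act: Callable[[float], float] = relu) -> Matrix:
    """Convolve, multiply the result by its gated copy, then activate.

    gate stands in for the preset second/fourth activation function and
    act for the preset first/third one (both choices are assumptions).
    """
    first_result = conv1d(seq, kernels)
    return [[act(v * gate(v)) for v in row] for row in first_result]


def max_pool(info: Matrix) -> Vector:
    """Max pooling over sequence positions, one value per filter."""
    return [max(column) for column in zip(*info)]


def avg_pool(info: Matrix) -> Vector:
    """Average pooling over sequence positions, one value per filter."""
    return [sum(column) / len(column) for column in zip(*info)]


def byte_sequences(code: bytes, n: int) -> List[Matrix]:
    """Assumed input layer: N equal byte slices, each byte scaled to [0, 1]."""
    if n < 2:
        raise ValueError("N must be an integer >= 2")
    size = len(code) // n
    if size == 0:
        raise ValueError("not enough bytes for N sequences")
    return [[[b / 255.0] for b in code[i * size:(i + 1) * size]]
            for i in range(n)]


def target_static_vector(sequences: Sequence[Matrix], first_kernels: Kernels,
                         second_kernels: Kernels) -> Vector:
    if len(sequences) < 2:
        raise ValueError("N must be an integer >= 2")
    # First sub-network: one first feature vector per feature sequence.
    first_vectors = [max_pool(gated_feature_info(s, first_kernels))
                     for s in sequences]
    # Second sub-network: splice, convolve with gating, average-pool.
    spliced: Matrix = [[v] for vec in first_vectors for v in vec]
    return avg_pool(gated_feature_info(spliced, second_kernels))


if __name__ == "__main__":
    sample = bytes(range(0, 240, 5))                  # constructed sample bytes
    k1 = [[[0.5], [-0.25], [0.75]], [[1.0], [0.0], [-1.0]]]   # constructed weights
    k2 = [[[1.0], [0.5]], [[-0.5], [1.0]], [[0.25], [0.25]]]  # constructed weights
    print(target_static_vector(byte_sequences(sample, 4), k1, k2))
```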
Optionally, the output module 204 further includes:
A merging unit, configured to merge the target dynamic vector and the target static vector to generate a merged vector;
An output unit, configured to output the malicious detection result of the target application according to the merged vector.
The system introduced in Embodiment Two of the present invention is the system used to implement the method of Embodiment One of the present invention. Based on the method introduced in Embodiment One, a person skilled in the art can understand the specific structure of the system and its variations, so the details are not repeated here. Every system used to implement the method of Embodiment One falls within the scope the present invention intends to protect.
Based on the same inventive concept, an embodiment of the present invention also provides a training method for the system of Embodiment Two, that is, a training method for the first convolutional neural network and the second convolutional neural network of Embodiment One; see Embodiment Three.
Embodiment Three
This embodiment provides a training method, used to train the identification system described in Embodiment Two.
The training samples of the training method include the dynamic behavior data and static code data of multiple applications, together with label data describing whether the multiple applications are malicious applications. The dynamic behavior data is behavior data that the target application generates in response to user behavior, and the static code data is code data generated when the target application is written.
As shown in Fig. 3, the steps of the training method are:
Step S301: construct an initial neural network system (which may be the initial identification system of Embodiment Two, or the initial first convolutional neural network and second convolutional neural network of Embodiment One);
Step S302: input the training samples to train the initial neural network system, obtaining a trained neural network system (which may be the trained identification system of Embodiment Two, or the trained first convolutional neural network and second convolutional neural network of Embodiment One). The training samples include the dynamic behavior data and static code data of multiple applications, together with label data describing whether the multiple applications are malicious applications.
The specific sample training steps are the same as the identification method introduced in Embodiment One. Based on the method introduced in Embodiment One and the system introduced in Embodiment Two, a person skilled in the art can understand the steps of this method and their variations, so the details are not repeated here. The training method for the convolutional neural networks of Embodiment One and the training method for the identification system of Embodiment Two both fall within the scope the present invention intends to protect.
Based on the same inventive concept, an embodiment of the present invention also provides a device corresponding to the method of Embodiment One; see Embodiment Four.
Embodiment Four
As shown in Fig. 4, this embodiment provides an electronic device, including a memory 410, a processor 420, and a computer program 411 that is stored in the memory 410 and can run on the processor 420. When the processor 420 executes the computer program 411, the following steps are performed:
Obtaining the dynamic behavior data and static code data of a target application, where the dynamic behavior data is behavior data that the target application generates in response to user behavior, and the static code data is code data generated when the target application is written;
Performing feature extraction on the dynamic behavior data using a first convolutional neural network to obtain a target dynamic vector;
Performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector;
Outputting the malicious detection result of the target application according to the target dynamic vector and the target static vector.
In the embodiments of the present application, any implementation of Embodiment One of the present application may be realized when the processor 420 executes the computer program 411.
The device introduced in Embodiment Four of the present invention is the device used to implement the method of Embodiment One of the present invention. Based on the method introduced in Embodiment One, a person skilled in the art can understand the specific structure of the device and its variations, so the details are not repeated here. Every device used to implement the method of Embodiment One falls within the scope the present invention intends to protect.
Based on the same inventive concept, an embodiment of the present invention also provides a storage medium corresponding to the method of Embodiment One; see Embodiment Five.
Embodiment Five
This embodiment provides a computer-readable storage medium 500, as shown in Fig. 5, on which a computer program 511 is stored, characterized in that the computer program 511 performs the following steps when executed by a processor:
Obtaining the dynamic behavior data and static code data of a target application, where the dynamic behavior data is behavior data that the target application generates in response to user behavior, and the static code data is code data generated when the target application is written;
Performing feature extraction on the dynamic behavior data using a first convolutional neural network to obtain a target dynamic vector;
Performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector;
Outputting the malicious detection result of the target application according to the target dynamic vector and the target static vector.
In a specific implementation, any implementation of Embodiment One of the present application may be realized when the computer program 511 is executed by a processor.
The technical solutions provided in the embodiments of the present application have at least the following technical effects or advantages:
The method, apparatus, training method, device and medium for identifying malicious applications provided by the embodiments of the present application obtain both the dynamic behavior data and the static code data of the target application and use them together as the basis for identifying a malicious application. Basing the identification on more comprehensive data effectively improves the accuracy with which malicious applications are recognized. Convolutional neural networks are used to extract features from the dynamic behavior data and the static code data, yielding a target dynamic vector and a target static vector that better characterize the features of the application, and therefore a more accurate malicious detection result.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the description given above of a specific language is intended to disclose the best mode of the invention.
In the specification provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail, so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all the features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the gateway, proxy server, or system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of components or steps not listed in a claim. The word "a" or "an" preceding a component does not exclude the presence of a plurality of such components. The invention may be implemented by means of hardware comprising several distinct components and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a method for identifying a malicious application, comprising:
Obtaining the dynamic behavior data and static code data of a target application, where the dynamic behavior data is behavior data that the target application generates in response to user behavior, and the static code data is code data generated when the target application is written;
Performing feature extraction on the dynamic behavior data using a first convolutional neural network to obtain a target dynamic vector;
Performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector;
Outputting the malicious detection result of the target application according to the target dynamic vector and the target static vector.
A2, the method as described in A1, characterized in that obtaining the dynamic behavior data of the target application comprises:
Running the target application in a sandbox environment;
Obtaining, according to preset instrumentation points, the dynamic behavior data of the target application during its run.
A3, the method as described in A2, characterized in that running the target application in a sandbox environment comprises:
While the target application is running, simulating user operations to trigger the target application to generate behavior data.
A4, the method as described in A1, characterized in that obtaining the static code data of the target application comprises:
Parsing the code file of the installation package of the target application to obtain the static code data.
A5, the method as described in A1, characterized in that obtaining the static code data of the target application comprises:
Parsing the code file of the installation package of the target application to obtain the binary file corresponding to the installation package of the target application, and using the binary file as the static code data; or,
Decompiling the code file of the installation package of the target application to obtain the compiled code of the installation package of the target application, and using the compiled code as the static code data.
A6, the method as described in A1, characterized in that performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises:
Converting the dynamic behavior data into a first dynamic vector sequence expressed as vectors;
Inputting the first dynamic vector sequence into the first convolutional neural network in batches for feature extraction, obtaining the target dynamic vector.
A7, the method as described in A6, characterized in that inputting the first dynamic vector sequence into the first convolutional neural network model in batches comprises:
Inputting the first dynamic vector sequence into the first convolutional neural network in batches according to a preset batch length and a preset interval parameter, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors equals the interval parameter, and the batch length is greater than the interval parameter.
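The following Python example is added here for illustration and is not code from the patent; it implements the batching rule of A7 and shows what the requirement that the batch length exceed the interval parameter buys: a run of consecutive behaviors that straddles a batch boundary is lost when batches do not overlap, but survives intact in at least one overlapping batch. Event names stand in for the embedded vectors, and the trace, the padding of the final batch, and all function names are assumptions.

```python
from typing import List, Optional, Sequence


def split_batches(seq: Sequence, batch_length: int, interval: int,
                  pad: Optional[object] = None,
                  require_overlap: bool = True) -> List[list]:
    """Cut seq into batches of batch_length whose starts are interval apart.

    With require_overlap=True the A7 condition batch_length > interval is
    enforced. The last batch is padded to full length (an assumption; the
    text does not say how a short tail is handled).
    """
    if batch_length <= 0 or interval <= 0:
        raise ValueError("batch length and interval must be positive")
    if require_overlap and batch_length <= interval:
        raise ValueError("batch length must be greater than the interval")
    batches: List[list] = []
    start = 0
    while True:
        batch = list(seq[start:start + batch_length])
        batch += [pad] * (batch_length - len(batch))
        batches.append(batch)
        if start + batch_length >= len(seq):
            break          # this batch already covers the end of the sequence
        start += interval
    return batches


def contains_run(batch: Sequence, run: Sequence) -> bool:
    """True if run occurs as consecutive elements of batch."""
    m = len(run)
    return any(list(batch[i:i + m]) == list(run)
               for i in range(len(batch) - m + 1))


def batches_with_run(seq: Sequence, run: Sequence, batch_length: int,
                     interval: int, require_overlap: bool = True) -> List[int]:
    """Indices of the batches that contain the whole run."""
    batches = split_batches(seq, batch_length, interval,
                            require_overlap=require_overlap)
    return [i for i, b in enumerate(batches) if contains_run(b, run)]


def longest_guaranteed_run(batch_length: int, interval: int) -> int:
    """Longest run that is always fully inside at least one batch."""
    return batch_length - interval + 1


# Constructed behavior trace (stand-ins for the first dynamic vector sequence).
TRACE = ["proc_start", "file_open", "file_read", "net_connect", "file_write",
         "load_library", "file_close", "net_send", "file_open", "proc_exit"]
RUN = TRACE[3:6]   # three consecutive behaviors crossing index 4

if __name__ == "__main__":
    # Non-overlapping batches (length 4, interval 4) split the run in two.
    print(batches_with_run(TRACE, RUN, 4, 4, require_overlap=False))
    # Overlapping batches (length 4, interval 2) keep it whole in batch 1.
    print(batches_with_run(TRACE, RUN, 4, 2))
    print(longest_guaranteed_run(4, 2))
```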
A8, the method as described in A1, characterized in that performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises:
Converting the dynamic behavior data into a first dynamic vector sequence expressed as vectors;
Pre-training each vector in the first dynamic vector sequence into a vector described by its surrounding vectors, generating a second dynamic vector sequence;
Performing feature extraction on the second dynamic vector sequence using the first convolutional neural network, obtaining the target dynamic vector.
A9, the method as described in A1, characterized in that performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises:
Screening out, according to preset virus features, the meaningless data in the dynamic behavior data that does not match the virus features;
Performing feature extraction, using the first convolutional neural network, on the dynamic behavior data remaining after the meaningless data has been screened out, obtaining the target dynamic vector.
A10, the method as described in A1, characterized in that performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises:
In the first convolutional neural network, performing feature extraction on the dynamic behavior data using multiple convolution kernels of different sizes, obtaining multiple groups of feature vectors;
Obtaining the target dynamic vector according to the multiple groups of feature vectors.
A11, the method as described in A10, characterized in that the multiple convolution kernels of different sizes include:
A single convolution kernel of the same size as each vector in the dynamic behavior data.
A12, the method as described in A1, wherein performing feature extraction on the static code data using the second convolutional neural network to obtain the target static vector comprises:
Generating N feature sequences based on the static code data, and performing preset first feature parameter extraction processing on each feature sequence separately, obtaining N first feature vectors, where N is an integer greater than or equal to 2;
Splicing the N first feature vectors, and performing preset second feature parameter extraction processing on the second feature vector obtained after splicing, obtaining the target static vector.
A13, the method as described in A12, characterized in that performing preset first feature parameter extraction processing on each feature sequence separately to obtain N first feature vectors comprises:
Performing one-dimensional convolution processing on each of the N feature sequences to obtain the first feature information of that feature sequence, and activating the first feature information with a preset first activation function, obtaining the activated first feature information;
Performing pooling processing on the activated first feature information corresponding to each of the N feature sequences, obtaining the N first feature vectors.
A14, the method as described in A13, characterized in that performing one-dimensional convolution processing on each of the N feature sequences to obtain the first feature information of that feature sequence comprises:
Executing the following steps for each of the N feature sequences:
Performing one-dimensional convolution processing on the feature sequence to obtain a first processing result;
Activating the first processing result with a preset second activation function to obtain a second processing result;
Taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
A15, the method according to A13, characterized in that performing pooling processing on the activated first feature information corresponding to each of the N feature sequences to obtain N first feature vectors comprises:
Performing pooling processing, by max pooling, on the activated first feature information corresponding to each of the N feature sequences separately, obtaining the N first feature vectors.
A16, the method as described in A12, characterized in that splicing the N first feature vectors and performing preset second feature parameter extraction processing on the second feature vector obtained after splicing to obtain the target static vector comprises:
Splicing the N first feature vectors to obtain the second feature vector, performing one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector, and activating the second feature information with a preset third activation function, obtaining the activated second feature information;
Performing pooling processing on the activated second feature information, obtaining the target static vector.
A17, the method as described in A16, characterized in that performing one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector comprises:
Performing one-dimensional convolution processing on the second feature vector to obtain a third processing result;
Activating the third processing result with a preset fourth activation function to obtain a fourth processing result;
Taking the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
A18, the method according to A16, characterized in that performing pooling processing on the activated second feature information to obtain the target static vector comprises:
Performing pooling processing on the activated second feature information by average pooling, obtaining the target static vector.
A19, the method as described in A1, characterized in that outputting the malicious detection result of the target application according to the target dynamic vector and the target static vector comprises:
Merging the target dynamic vector and the target static vector to generate a merged vector;
Outputting the malicious detection result of the target application according to the merged vector.
B20, a system for identifying a malicious application, comprising:
An obtaining module, configured to obtain the dynamic behavior data and static code data of a target application, where the dynamic behavior data is behavior data that the target application generates in response to user behavior, and the static code data is code data generated when the target application is written;
A first convolutional neural network module, configured to perform feature extraction on the dynamic behavior data to obtain a target dynamic vector;
A second convolutional neural network module, configured to perform feature extraction on the static code data to obtain a target static vector;
An output module, configured to output the malicious detection result of the target application according to the target dynamic vector and the target static vector.
B21, the system as described in B20, characterized in that the obtaining module includes:
A first obtaining unit, configured to run the target application in a sandbox environment and to obtain, according to preset instrumentation points, the dynamic behavior data of the target application during its run.
B22, the system as described in B21, characterized in that the first obtaining unit is further configured to:
While the target application is running, simulate user operations to trigger the target application to generate behavior data.
B23, the system as described in B20, characterized in that the obtaining module further includes:
A second obtaining unit, configured to parse the code file of the installation package of the target application to obtain the static code data.
B24, the system as described in B20, characterized in that it further includes:
A second obtaining unit, configured to parse the code file of the installation package of the target application to obtain the binary file corresponding to the installation package of the target application, and to use the binary file as the static code data; or to decompile the code file of the installation package of the target application to obtain the compiled code of the installation package of the target application, and to use the compiled code as the static code data.
B25, the system as described in B20, characterized in that the first convolutional neural network module includes:
A word embedding layer, configured to convert the dynamic behavior data into a first dynamic vector sequence expressed as vectors;
A first convolutional layer, configured to perform feature extraction on the dynamic behavior data that has been converted into vector form, obtaining a feature vector sequence;
A first pooling layer, configured to reduce the dimensionality of the feature vector sequence to obtain a reduced-dimension vector sequence, and to obtain the target dynamic vector according to the reduced-dimension vector sequence.
B26, the system as described in B26, characterized in that the word embedding layer is further configured to:
Input the first dynamic vector sequence into the first convolutional layer in batches for feature extraction.
B28, the system as described in B27, characterized in that the word embedding layer is further configured to:
Input the first dynamic vector sequence into the first convolutional layer in batches according to a preset batch length and a preset interval parameter, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors equals the interval parameter, and the batch length is greater than the interval parameter.
B29, the system as described in B26, characterized in that the first convolutional neural network module further includes:
A pre-training unit, configured to pre-train each vector in the first dynamic vector sequence produced by the word embedding layer into a vector described by its surrounding vectors, generating a second dynamic vector sequence, and then to input the second dynamic vector sequence into the first convolutional layer for feature extraction.
B30, the system as described in B26, characterized in that the first convolutional neural network module further includes:
A screening unit, configured to screen out, according to preset virus features, the meaningless data in the dynamic behavior data that does not match the virus features, and then to input the dynamic behavior data remaining after the meaningless data has been screened out into the first convolutional layer for feature extraction.
B31, the system as described in B26, characterized in that the first convolutional layer is further configured to:
Perform feature extraction on the dynamic behavior data using multiple convolution kernels of different sizes, obtaining multiple groups of feature vector sequences.
B32, the system as described in B26, characterized in that the multiple convolution kernels of different sizes include:
A single convolution kernel of the same size as each vector in the dynamic behavior data.
B33, the system as described in B20, the second convolution neural network module, comprising:
First sub-network generates N number of characteristic sequence, and respectively to each described for being based on the static code data
Characteristic sequence carries out the processing of preset fisrt feature parameter extraction, obtains N number of first eigenvector, wherein N be more than or equal to
2 integer;
Second sub-network, for N number of first eigenvector to be spliced, to the second feature obtained after splicing to
Amount carries out preset second feature parameter extraction processing, obtains obtaining target quiescent vector.
B34, the system as described in B33, which is characterized in that first sub-network include: input layer, the second convolutional layer and
Second pond layer, the input layer, second convolutional layer and second pond layer are sequentially connected;
The input layer is used to be based on the static code data, generates N number of characteristic sequence;
Second convolutional layer is for respectively carrying out at one-dimensional convolution characteristic sequence each in N number of characteristic sequence
Reason, obtains the fisrt feature information of this feature sequence, and by preset first activation primitive to the fisrt feature information into
Line activating, the fisrt feature information after being activated;
Second pond layer, for respectively to the corresponding activation of characteristic sequence each in N number of characteristic sequence after
Fisrt feature information carries out pond processing, obtains N number of first eigenvector.
B35. The system of B34, characterized in that the second convolutional layer is further configured to:
Execute the following steps for each of the N feature sequences:
Perform one-dimensional convolution on the feature sequence to obtain a first processing result; activate the first processing result with a preset second activation function to obtain a second processing result; and take the product of the first processing result and the second processing result as the first feature information of the feature sequence.
B36. The system of B34, characterized in that the second pooling layer is further configured to:
Pool, by max pooling, the activated first feature information corresponding to each of the N feature sequences, obtaining N first feature vectors.
B37. The system of B33, characterized in that the second sub-network comprises a third convolutional layer and a third pooling layer, which are connected in sequence;
The third convolutional layer splices the N first feature vectors to obtain a second feature vector, performs one-dimensional convolution on the second feature vector to obtain the second feature information of the second feature vector, and activates the second feature information with a preset third activation function, obtaining the activated second feature information;
The third pooling layer pools the activated second feature information, obtaining the target static vector.
B38. The system of B37, characterized in that the third convolutional layer is further configured to:
Perform one-dimensional convolution on the second feature vector to obtain a third processing result;
Activate the third processing result with a preset fourth activation function to obtain a fourth processing result;
Take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
B39. The system of B37, characterized in that the third pooling layer is further configured to:
Pool the activated second feature information by average pooling, obtaining the target static vector.
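The static-code branch described in B33 to B39, sketched as an added example that is not part of the patent text. The sigmoid gate, the ReLU outer activation, the byte-chunking input layer, the kernel values and the pool widths are all assumptions, since the claims only call them "preset".

```python
import math

def conv1d(seq, kernel):
    # "Valid" one-dimensional convolution: slide the kernel over the sequence.
    k = len(kernel)
    return [sum(seq[i + j] * kernel[j] for j in range(k))
            for i in range(len(seq) - k + 1)]

def gated_features(seq, kernel):
    # B35/B38: convolve, activate the result, multiply the two, then activate again.
    first = conv1d(seq, kernel)                           # first processing result
    second = [1.0 / (1.0 + math.exp(-v)) for v in first]  # assumed sigmoid gate
    info = [a * b for a, b in zip(first, second)]         # product = feature information
    return [max(0.0, v) for v in info]                    # assumed ReLU as outer activation

def max_pool(values, width):
    # B36: keep the largest value in each non-overlapping window.
    return [max(values[i:i + width]) for i in range(0, len(values), width)]

def avg_pool(values, width):
    # B39: average each non-overlapping window.
    windows = [values[i:i + width] for i in range(0, len(values), width)]
    return [sum(w) / len(w) for w in windows]

def split_sequences(code_bytes, n):
    # Assumed input layer: cut the code bytes into N equal chunks scaled to [0, 1].
    size = len(code_bytes) // n
    return [[b / 255.0 for b in code_bytes[i * size:(i + 1) * size]]
            for i in range(n)]

def static_vector(code_bytes, n, kernel1, kernel2, pool1=2, pool2=2):
    # First sub-network (B34): one first feature vector per feature sequence.
    first_vectors = [max_pool(gated_features(s, kernel1), pool1)
                     for s in split_sequences(code_bytes, n)]
    # Second sub-network (B37): splice, convolve and gate again, average-pool.
    spliced = [v for vec in first_vectors for v in vec]
    return avg_pool(gated_features(spliced, kernel2), pool2)

# Constructed sample input: 64 bytes standing in for an installation package's code.
SAMPLE_CODE = bytes((7 * i + 3) % 256 for i in range(64))
SAMPLE_VECTOR = static_vector(SAMPLE_CODE, n=4,
                              kernel1=[0.5, -0.25, 0.75],
                              kernel2=[1.0, 0.5, -0.5])
```

With these sizes each 16-value sequence shrinks to 7 values after convolution and max pooling, the spliced vector has 28 values, and the final static vector has 13.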
B40. The system of B20, characterized in that the output module further comprises:
A merging unit, configured to merge the target dynamic vector and the target static vector to generate a merged vector;
An output unit, configured to output the malicious detection result of the target application according to the merged vector.
C41. A training method, the method being used to train the identification system of any one of claims 20-40;
The training samples of the training method comprise dynamic behaviour data of multiple application programs, static code data, and labelled data describing whether each of the multiple application programs is a malicious application; the dynamic behaviour data are the behavioural data generated by the target application in response to user behaviour, and the static code data are the code data generated in writing the target application.
D42. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of A1-A19 when executing the program.
E43. A computer-readable storage medium on which a computer program is stored, characterized in that the program implements the method of any one of A1-A19 when executed by a processor.
Claims (10)
1. A method for identifying a malicious application, characterized by comprising:
Obtaining dynamic behaviour data and static code data of a target application, the dynamic behaviour data being the behavioural data generated by the target application in response to user behaviour, and the static code data being the code data generated in writing the target application;
Performing feature extraction on the dynamic behaviour data using a first convolutional neural network, obtaining a target dynamic vector;
Performing feature extraction on the static code data using a second convolutional neural network, obtaining a target static vector;
Outputting the malicious detection result of the target application according to the target dynamic vector and the target static vector.
2. The method of claim 1, characterized in that obtaining the dynamic behaviour data of the target application comprises:
Running the target application in a sandbox environment;
Obtaining, according to preset instrumentation points, the dynamic behaviour data of the target application while it runs.
3. The method of claim 2, characterized in that running the target application in a sandbox environment comprises:
While the target application is running, simulating user operations to trigger the target application to generate behavioural data.
4. The method of claim 1, characterized in that obtaining the static code data of the target application comprises:
Parsing the code file of the installation package of the target application to obtain the static code data.
5. The method of claim 1, characterized in that obtaining the static code data of the target application comprises:
Parsing the code file of the installation package of the target application to obtain the binary file corresponding to the installation package, and using the binary file as the static code data; or,
Decompiling the code file of the installation package of the target application to obtain the compiled code of the installation package, and using the compiled code as the static code data.
6. The method of claim 1, characterized in that performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector comprises:
Converting the dynamic behaviour data into a first dynamic vector sequence expressed as vectors;
Inputting the first dynamic vector sequence into the first convolutional neural network in batches for feature extraction, obtaining the target dynamic vector.
7. A system for identifying a malicious application, characterized by comprising:
An obtaining module, configured to obtain dynamic behaviour data and static code data of a target application, the dynamic behaviour data being the behavioural data generated by the target application in response to user behaviour, and the static code data being the code data generated in writing the target application;
A first convolutional neural network module, configured to perform feature extraction on the dynamic behaviour data, obtaining a target dynamic vector;
A second convolutional neural network module, configured to perform feature extraction on the static code data, obtaining a target static vector;
An output module, configured to output the malicious detection result of the target application according to the target dynamic vector and the target static vector.
8. A training method, characterized in that the method is used to train the identification system of claim 7;
The training samples of the training method comprise dynamic behaviour data of multiple application programs, static code data, and labelled data describing whether each of the multiple application programs is a malicious application; the dynamic behaviour data are the behavioural data generated by the target application in response to user behaviour, and the static code data are the code data generated in writing the target application.
9. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1-6 when executing the program.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the program implements the method of any one of claims 1-6 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811453800.3A CN109753794A (en) | 2018-11-30 | 2018-11-30 | A kind of recognition methods of malicious application, system, training method, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109753794A (en) | 2019-05-14 |
Family
ID=66403452
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811453800.3A Pending CN109753794A (en) | 2018-11-30 | 2018-11-30 | A kind of recognition methods of malicious application, system, training method, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109753794A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||