CN109753794A - Malicious application recognition method and system, training method, device, and medium - Google Patents
Malicious application recognition method and system, training method, device, and medium
- Publication number
- CN109753794A (application number CN201811453800.3A)
- Authority
- CN
- China
- Prior art keywords
- vector
- data
- target
- dynamic
- target application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The present invention discloses a recognition method, system, training method, device, and medium for malicious applications. The recognition method includes: obtaining dynamic behavior data and static code data of a target application, where the dynamic behavior data are behavior data generated by the target application in response to user behavior, and the static code data are code data produced when the target application was written; performing feature extraction on the dynamic behavior data using a first convolutional neural network to obtain a target dynamic vector; performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector; and outputting a malice detection result for the target application according to the target dynamic vector and the target static vector. The method and system provided by this application address the technical problem that existing recognition methods consider only a single factor and therefore recognize malicious applications with low accuracy, achieving the technical effect of improved recognition accuracy.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a malicious application recognition method, system, training method, device, and medium.
Background technique
With the development of science and technology, smartphones have become ubiquitous, and activities such as public life, consumption, and entertainment all depend on various mobile devices. The popularity of smartphones brings convenience, and that convenience derives from the rich variety of applications installed on them.
To guarantee the safety of installed applications, it is extremely important to identify whether an application carries a virus. Existing techniques for recognizing virus-carrying applications detect whether an application exhibits abnormal behavior; if abnormal behavior is found, the application is deemed malicious and is then deleted or disinfected.
However, because existing recognition methods consider only a single factor, they suffer from the technical problem of low accuracy in recognizing malicious applications.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malicious application recognition method, system, training method, device, and medium that overcome the above problems or at least partially solve them.
In a first aspect, a malicious application recognition method is provided, comprising:
obtaining dynamic behavior data and static code data of a target application, where the dynamic behavior data are behavior data generated by the target application in response to user behavior, and the static code data are code data produced when the target application was written;
performing feature extraction on the dynamic behavior data using a first convolutional neural network to obtain a target dynamic vector;
performing feature extraction on the static code data using a second convolutional neural network to obtain a target static vector; and
outputting a malice detection result for the target application according to the target dynamic vector and the target static vector.
Optionally, obtaining the dynamic behavior data of the target application comprises: running the target application in a sandbox environment; and obtaining, via preset stake (instrumentation) points, the dynamic behavior data of the target application during its run.
Optionally, running the target application in the sandbox environment comprises: during the run of the target application, simulating user operations to trigger the target application to generate behavior data.
Optionally, obtaining the static code data of the target application comprises: parsing the code files of the target application's installation package to obtain the static code data.
Optionally, obtaining the static code data of the target application comprises: parsing the code files of the target application's installation package to obtain the binary file corresponding to the installation package, and taking the binary file as the static code data; or decompiling the code files of the target application's installation package to obtain the compiled code of the installation package, and taking the compiled code as the static code data.
Optionally, performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises: converting the dynamic behavior data into a first dynamic vector sequence expressed as vectors; and inputting the first dynamic vector sequence in batches into the first convolutional neural network for feature extraction, obtaining the target dynamic vector.
Optionally, inputting the first dynamic vector sequence in batches into the first convolutional neural network comprises: inputting the first dynamic vector sequence in batches into the first convolutional neural network according to a preset batch length and spacing parameter, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the start vectors of adjacent batches equals the spacing parameter, and the batch length is greater than the spacing parameter.
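The batching rule above (batch length greater than the spacing parameter) produces overlapping windows over the behavior-vector sequence. A minimal sketch, assuming vectors are represented as plain list elements; the function name is illustrative, not part of the patent:

```python
def sliding_batches(vectors, batch_len, stride):
    """Split a vector sequence into overlapping batches.

    Each batch holds `batch_len` vectors; the start vectors of
    adjacent batches are `stride` apart, so with batch_len > stride
    consecutive batches overlap by (batch_len - stride) vectors.
    """
    return [vectors[i:i + batch_len]
            for i in range(0, len(vectors) - batch_len + 1, stride)]

# Ten behaviour vectors (stand-ins), batch length 4, spacing 2:
batches = sliding_batches(list(range(10)), batch_len=4, stride=2)
# adjacent batches share batch_len - stride = 2 vectors
```

The overlap ensures that behavior patterns straddling a batch boundary are still seen whole by the convolutional network in at least one batch.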
Optionally, performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises: converting the dynamic behavior data into a first dynamic vector sequence expressed as vectors; pre-training each vector in the first dynamic vector sequence into a vector described by its surrounding vectors, generating a second dynamic vector sequence; and performing feature extraction on the second dynamic vector sequence using the first convolutional neural network to obtain the target dynamic vector.
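Re-expressing each vector in terms of its surrounding vectors resembles CBOW-style context modelling. The patent does not fix the pre-training algorithm; as a stand-in, the sketch below describes each position by the mean of its neighbors within a window:

```python
import numpy as np

def describe_by_context(seq, window=2):
    """Replace each vector with the mean of its neighbours within
    `window` positions, producing a 'second dynamic vector sequence'.
    A CBOW-like sketch only; real pre-training would learn this mapping."""
    out = np.empty_like(seq)
    for i in range(len(seq)):
        lo, hi = max(0, i - window), min(len(seq), i + window + 1)
        ctx = [j for j in range(lo, hi) if j != i]
        out[i] = seq[ctx].mean(axis=0)
    return out
```

The point of the step is that each behavior vector then carries information about its context, so the convolutional network sees locally contextualized features rather than isolated events.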
Optionally, performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises: screening out, according to preset virus features, the insignificant data in the dynamic behavior data that do not match the virus features; and performing feature extraction with the first convolutional neural network on the dynamic behavior data remaining after the insignificant data have been screened out, obtaining the target dynamic vector.
Optionally, performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises: in the first convolutional neural network, performing feature extraction on the dynamic behavior data using convolution kernels of multiple different sizes to obtain multiple groups of feature vectors; and obtaining the target dynamic vector from the multiple groups of feature vectors.
Optionally, the multiple convolution kernels of different sizes include a single convolution kernel whose size is identical to that of each vector in the dynamic behavior data.
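Sliding full-width kernels of several heights over a vector sequence and pooling each kernel's responses is the familiar TextCNN pattern. A toy sketch with a fixed summing filter (real kernels would be learned weights); size 1 corresponds to the single kernel matching each vector's size:

```python
import numpy as np

def multi_kernel_features(seq, kernel_sizes=(1, 2, 3)):
    """seq: (T, d) array of behaviour vectors. For each kernel size k,
    slide a full-width (k, d) window over time, apply a toy summing
    filter, and max-pool the responses into one feature per size."""
    feats = []
    for k in kernel_sizes:
        responses = [seq[i:i + k].sum() for i in range(seq.shape[0] - k + 1)]
        feats.append(max(responses))
    return np.array(feats)
```

Different kernel heights capture behavior patterns of different temporal extent (single calls, call pairs, short call sequences), and the pooled features are then combined into the target dynamic vector.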
Optionally, performing feature extraction on the static code data using the second convolutional neural network to obtain the target static vector comprises: generating N feature sequences based on the static code data, and performing preset first-feature-parameter extraction processing on each feature sequence to obtain N first feature vectors, where N is an integer greater than or equal to 2; and splicing the N first feature vectors, and performing preset second-feature-parameter extraction processing on the second feature vector obtained after splicing, to obtain the target static vector.
Optionally, performing the preset first-feature-parameter extraction processing on each feature sequence to obtain the N first feature vectors comprises: performing one-dimensional convolution processing on each of the N feature sequences to obtain the first feature information of that feature sequence, and activating the first feature information through a preset first activation function to obtain activated first feature information; and performing pooling processing on the activated first feature information corresponding to each of the N feature sequences to obtain the N first feature vectors.
Optionally, performing one-dimensional convolution processing on each of the N feature sequences to obtain the first feature information of that feature sequence comprises: for each of the N feature sequences, executing the following steps: performing one-dimensional convolution processing on the feature sequence to obtain a first processing result; activating the first processing result through a preset second activation function to obtain a second processing result; and taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
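Multiplying the convolution output by its own activated copy is, when the activation is a sigmoid, the SiLU/Swish gating pattern. Sigmoid is an assumption here; the patent only specifies "a preset second activation function". A one-channel sketch:

```python
import numpy as np

def conv1d(x, w):
    """Valid-mode 1-D convolution (cross-correlation) of signal x with kernel w."""
    k = len(w)
    return np.array([np.dot(x[i:i + k], w) for i in range(len(x) - k + 1)])

def gated_feature(x, w):
    """First processing result times its sigmoid-activated copy, i.e.
    the 'product of the first and second processing results'."""
    first = conv1d(x, w)                   # first processing result
    second = 1.0 / (1.0 + np.exp(-first))  # second processing result (sigmoid assumed)
    return first * second                  # first feature information
```

The gate lets the network suppress weakly responding positions smoothly instead of cutting them off at zero, which tends to stabilize training of the convolutional feature extractor.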
Optionally, performing pooling processing on the activated first feature information corresponding to each of the N feature sequences to obtain the N first feature vectors comprises: performing max pooling on the activated first feature information corresponding to each of the N feature sequences, obtaining the N first feature vectors.
Optionally, splicing the N first feature vectors and performing the preset second-feature-parameter extraction processing on the second feature vector obtained after splicing to obtain the target static vector comprises: splicing the N first feature vectors to obtain the second feature vector; performing one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector, and activating the second feature information through a preset third activation function to obtain activated second feature information; and performing pooling processing on the activated second feature information to obtain the target static vector.
Optionally, performing one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector comprises: performing one-dimensional convolution processing on the second feature vector to obtain a third processing result; activating the third processing result through a preset fourth activation function to obtain a fourth processing result; and taking the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
Optionally, performing pooling processing on the activated second feature information to obtain the target static vector comprises: performing average pooling on the activated second feature information, obtaining the target static vector.
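The splice, convolve, activate, and average-pool pipeline of the second stage can be sketched end to end. ReLU as the "third activation function" and a length-1 summing kernel are assumptions for illustration:

```python
import numpy as np

def target_static_vector(first_vectors, kernel):
    """Concatenate the N first feature vectors, 1-D convolve,
    activate (ReLU assumed), then average-pool down to a
    fixed-size target static vector. Kernel values are illustrative."""
    spliced = np.concatenate(first_vectors)          # second feature vector
    k = len(kernel)
    conv = np.array([np.dot(spliced[i:i + k], kernel)
                     for i in range(len(spliced) - k + 1)])
    activated = np.maximum(conv, 0.0)                # third activation function
    return np.array([activated.mean()])              # average pooling
```

Average pooling at this final stage summarizes the whole spliced representation, in contrast to the max pooling used per feature sequence in the first stage.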
Optionally, outputting the malice detection result of the target application according to the target dynamic vector and the target static vector comprises: merging the target dynamic vector and the target static vector to generate a merge vector; and outputting the malice detection result of the target application according to the merge vector.
Second aspect provides a kind of identifying system of malicious application, comprising:
Module is obtained, for obtaining the dynamic behaviour data and static code data of target application, the dynamic behaviour number
According to the behavioral data generated for the target application according to user behavior, the static code data are to write the target application
The code data of generation.
First convolution neural network module obtains target dynamic vector for carrying out feature extraction to dynamic behaviour data;
Second convolution neural network module obtains target quiescent vector for carrying out feature extraction to static code data;
Output module exports the target application for the target quiescent vector according to the target dynamic vector sum
Malice testing result.
Optionally, the obtaining module comprises a first obtaining unit configured to run the target application in a sandbox environment and to obtain, via preset stake (instrumentation) points, the dynamic behavior data of the target application during its run.
Optionally, the first obtaining unit is further configured to: during the run of the target application, simulate user operations to trigger the target application to generate behavior data.
Optionally, the obtaining module further comprises a second obtaining unit configured to parse the code files of the target application's installation package to obtain the static code data.
Optionally, the system further comprises a second obtaining unit configured to parse the code files of the target application's installation package to obtain the binary file corresponding to the installation package and take the binary file as the static code data; or to decompile the code files of the target application's installation package to obtain the compiled code of the installation package and take the compiled code as the static code data.
Optionally, the first convolutional neural network module comprises: a word embedding layer, configured to convert the dynamic behavior data into a first dynamic vector sequence expressed as vectors; a first convolutional layer, configured to perform feature extraction on the dynamic behavior data converted into vector form, obtaining a feature vector sequence; and a first pooling layer, configured to reduce the dimensionality of the feature vector sequence to obtain a dimension-reduced vector sequence, and to obtain the target dynamic vector from the dimension-reduced vector sequence.
Optionally, the word embedding layer is further configured to input the first dynamic vector sequence in batches into the first convolutional layer for feature extraction.
Optionally, the word embedding layer is further configured to input the first dynamic vector sequence in batches into the first convolutional layer according to a preset batch length and spacing parameter, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the start vectors of adjacent batches equals the spacing parameter, and the batch length is greater than the spacing parameter.
Optionally, the first convolutional neural network module further comprises a pre-training unit configured to pre-train each vector in the first dynamic vector sequence converted by the word embedding layer into a vector described by its surrounding vectors, generating a second dynamic vector sequence, and then to input the second dynamic vector sequence into the first convolutional layer for feature extraction.
Optionally, the first convolutional neural network module further comprises a screening unit configured to screen out, according to preset virus features, the insignificant data in the dynamic behavior data that do not match the virus features, and then to input the remaining dynamic behavior data into the first convolutional layer for feature extraction.
Optionally, the first convolutional layer is further configured to perform feature extraction on the dynamic behavior data using convolution kernels of multiple different sizes, obtaining multiple groups of feature vector sequences.
Optionally, the multiple convolution kernels of different sizes include a single convolution kernel whose size is identical to that of each vector in the dynamic behavior data.
Optionally, the second convolutional neural network module comprises: a first sub-network, configured to generate N feature sequences based on the static code data and to perform preset first-feature-parameter extraction processing on each feature sequence, obtaining N first feature vectors, where N is an integer greater than or equal to 2; and a second sub-network, configured to splice the N first feature vectors and to perform preset second-feature-parameter extraction processing on the second feature vector obtained after splicing, obtaining the target static vector.
Optionally, the first sub-network comprises an input layer, a second convolutional layer, and a second pooling layer, connected in sequence. The input layer is configured to generate the N feature sequences based on the static code data. The second convolutional layer is configured to perform one-dimensional convolution processing on each of the N feature sequences to obtain the first feature information of that feature sequence, and to activate the first feature information through a preset first activation function, obtaining activated first feature information. The second pooling layer is configured to perform pooling processing on the activated first feature information corresponding to each of the N feature sequences, obtaining the N first feature vectors.
Optionally, the second convolutional layer is further configured to execute, for each of the N feature sequences, the following steps: performing one-dimensional convolution processing on the feature sequence to obtain a first processing result; activating the first processing result through a preset second activation function to obtain a second processing result; and taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
Optionally, the second pooling layer is further configured to perform max pooling on the activated first feature information corresponding to each of the N feature sequences, obtaining the N first feature vectors.
Optionally, the second sub-network comprises a third convolutional layer and a third pooling layer, connected in sequence. The third convolutional layer splices the N first feature vectors to obtain the second feature vector, performs one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector, and activates the second feature information through a preset third activation function, obtaining activated second feature information. The third pooling layer performs pooling processing on the activated second feature information, obtaining the target static vector.
Optionally, the third convolutional layer is further configured to: perform one-dimensional convolution processing on the second feature vector to obtain a third processing result; activate the third processing result through a preset fourth activation function to obtain a fourth processing result; and take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
Optionally, the third pooling layer is further configured to perform average pooling on the activated second feature information, obtaining the target static vector.
Optionally, the output module further comprises: a merging unit, configured to merge the target dynamic vector and the target static vector to generate a merge vector; and an output unit, configured to output the malice detection result of the target application according to the merge vector.
The third aspect provides a kind of training method, and the method is for training identifying system described in second aspect;
The training sample of the training method includes the dynamic behaviour data of multiple application programs, static code data and retouches
State the multiple application program whether be malicious application labeled data;The dynamic behaviour data be the target application according to
The behavioral data that user behavior generates, the static code data are the code data writing the target application and generating.
In a fourth aspect, an electronic device is provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements any method of the first aspect.
In a fifth aspect, a computer-readable storage medium is provided, on which a computer program is stored, where the program, when executed by a processor, implements any method of the first aspect.
The technical solutions provided in the embodiments of the present application have at least the following technical effects or advantages:
The malicious application recognition method, system, training method, device, and medium provided by the embodiments of the present application obtain both the dynamic behavior data and the static code data of the target application and use them jointly as the basis for recognizing malicious applications. By setting more comprehensive input data for recognition, they effectively improve the accuracy of malicious application recognition. Moreover, convolutional neural networks are used to perform feature extraction on the dynamic behavior data and the static code data, obtaining a target dynamic vector and a target static vector that better characterize the application, and thus a more accurate malice detection result.
The above description is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and in order that the above and other objects, features, and advantages of the present invention may be made clearer and more comprehensible, specific embodiments of the present invention are set forth below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 is a flowchart of the malicious application recognition method in an embodiment of the present invention;
Fig. 2 is a structure diagram of the malicious application identification system in an embodiment of the present invention;
Fig. 3 is a flowchart of the training method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the electronic device in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the storage medium in an embodiment of the present invention.
Specific embodiment
The general idea of the technical solutions in the embodiments of the present application is as follows:
Obtain the dynamic behavior data and static code data of the target application, perform feature extraction using convolutional neural networks to obtain a target dynamic vector and a target static vector, and output the malice detection result of the target application according to the two vectors. By setting more comprehensive input data and performing feature extraction with convolutional neural networks, the accuracy of malicious application recognition is improved.
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided to facilitate a more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.
Embodiment one
This embodiment provides a malicious application recognition method, as shown in Fig. 1, comprising:
Step S101: obtain the dynamic behavior data and static code data of a target application, where the dynamic behavior data are behavior data generated by the target application in response to user behavior, and the static code data are code data produced when the target application was written;
Step S102: perform feature extraction on the dynamic behavior data using a first convolutional neural network to obtain a target dynamic vector;
Step S103: perform feature extraction on the static code data using a second convolutional neural network to obtain a target static vector;
Step S104: output a malice detection result for the target application according to the target dynamic vector and the target static vector.
It should be noted that the recognition method provided by this embodiment can be applied on the server side (a standalone server, a server group, or the cloud) or on a client terminal. Preferably, the method is applied on a client terminal, so that a virus cannot learn the sandbox characteristics of the cloud or server side by repeatedly accessing the server, thereby avoiding sandbox-escape situations.
The first convolutional neural network and the second convolutional neural network in this embodiment are trained networks; they can be trained using the training method described in the subsequent Embodiment three.
The malicious application recognition method provided by this embodiment is described in detail below in conjunction with Fig. 1:
Step S101: obtain the dynamic behavior data and static code data of the target application, where the dynamic behavior data are behavior data generated by the target application in response to user behavior, and the static code data are code data produced when the target application was written.
In one embodiment, dynamic behaviour data are by the operational objective application in sandbox environment, further according to pre-
If driving piles point to obtain.
By taking the recognition methods is applied to mobile phone as an example, sandbox is installed, target application can be the peace in mobile phone in mobile phone
The unknown application program of full situation, or need to carry out the application program of viral diagnosis.In order to guarantee the safety of cell phone system,
Can the operational objective application in sandbox environment, even if in this way target application be virus, cell phone system will not be had an impact.
While the target application runs in the sandbox environment, user operations are simulated to trigger the target application into generating behaviour data. In this embodiment, the preset instrumentation points can be inserted into system services by way of a customised ROM (Read Only Memory). It should be understood that the instrumentation points can be arranged according to historical virus-behaviour detection experience and the behaviour sensitivity of the program; for example, background access to contacts and background access to short messages are highly sensitive behaviours, so instrumentation points can be inserted into the corresponding system services. The instrumentation points can of course also be arranged at other positions, such as inside the process of the program to be detected, which is not limited here.
The number of instrumentation points can be set according to actual needs. In one embodiment, 200 instrumentation points are preset; whenever the program to be detected triggers any one of these 200 points at run time, that behaviour is extracted, and the extracted behaviours together constitute a dynamic target behaviour sequence that reflects the dynamic behaviour of the program to be detected at run time.
Specifically, the target application generates many behaviours while it runs, including calls to various system APIs (Application Programming Interface). It should be understood that a system service is the service that responds to an API call: after an API is called, the corresponding system service responds to the call request and feeds back a call result. Because the target system services have been instrumented, whenever the API corresponding to an instrumented system service is invoked, the calling behaviour can be extracted at the instrumentation point.
In one embodiment, the static code data come from the installation package of the target application. The installation package is an application installation package that needs to be checked for carried viruses; alternatively, in other embodiments of the invention, it may be an installation package for which both the presence of a virus and the species of virus carried need to be detected. Specifically, the installation package may be a software installation package for a mobile terminal, such as an Android installation package with the suffix apk, or a software installation package for a computer, such as one with the suffix exe.
In this embodiment, the static code data are information obtained by parsing the code files of the target application's installation package. As an implementation, the static code data can be the binary file of the installation package.
In other embodiments of the invention, the static code data may instead be an opcode sequence obtained from the code files of the installation package. An opcode is part of the code in those files; after multiple opcodes carrying functional logic are collected and ordered, the opcode sequence is obtained. In this case, the process of obtaining the static information of the installation package can be: obtain the installation package, disassemble it to obtain the disassembled smali files, and extract the opcodes to obtain the opcode sequence. For example, suppose the installation package to be tested is an apk file. The apk contains a code file in dex format, and the dex file contains all the source code of the corresponding target application, from which a disassembler can recover the corresponding Java-level code. Disassembly yields files in smali format, each smali file representing one class of the dex file; each class consists of functions, each function consists of instructions, and each instruction consists of one opcode and several operands.
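The opcode extraction just described can be sketched in a few lines. This is an illustrative sketch, not the patented implementation: the smali snippet and the simple "leading mnemonic" parse are assumptions, though real smali emitted by a disassembler has the same instruction-per-line shape.

```python
# Hypothetical sketch: pull an opcode sequence out of smali disassembly text.
SMALI_SNIPPET = """\
.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const/4 v0, 0x1
    return-void
.end method
"""

def extract_opcodes(smali_text):
    """Collect the leading mnemonic (the opcode) of every instruction line."""
    opcodes = []
    for line in smali_text.splitlines():
        line = line.strip()
        # skip directives (.method, .end method, ...), comments and blank lines
        if not line or line.startswith(".") or line.startswith("#"):
            continue
        opcodes.append(line.split()[0])
    return opcodes

print(extract_opcodes(SMALI_SNIPPET))
# -> ['invoke-super', 'const/4', 'return-void']
```

The resulting list of mnemonics, concatenated over every smali file of the apk, would form the opcode sequence used as static code data.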
Step S102: perform feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain a target dynamic vector.
The first convolutional neural network comprises: a word embedding layer, for converting the dynamic behaviour data into a first dynamic vector sequence expressed as vectors; a first convolutional layer, for performing feature extraction on the vector-expressed dynamic behaviour data to obtain a feature vector sequence; and a first pooling layer, for reducing the dimensionality of the feature vector sequence to obtain a reduced vector sequence, from which the target dynamic vector is obtained. The feature extraction process of the first convolutional neural network is described in detail below.
To provide data suitable for neural-network computation, before feature extraction is performed on the dynamic behaviour data, the word embedding layer first converts them into the vector-expressed first dynamic vector sequence, which is then input to the first convolutional neural network for feature extraction. Further, to reduce the amount of data the first convolutional neural network computes at a time, shrink the corresponding model, and improve extraction efficiency, the first dynamic vector sequence can be input to the first convolutional neural network in batches.
Further, to keep the computation amount of the neural network stable, a batch length and a spacing parameter can be preset, so that while the first dynamic vector sequence is input in batches, the number of vectors in each batch equals the batch length and the number of vectors between the start vectors of adjacent batches equals the spacing parameter. The batch length can also be set greater than the spacing parameter, so that no vector is omitted during batched input. With a fixed batch length, the smaller the spacing parameter, the more vectors adjacent batches share and the more combinations the same vector appears in across different batches; related vectors are then more likely to land in the same batch, improving the comprehensiveness and accuracy of subsequent feature extraction.
For example, suppose the batch length is 30 and the spacing parameter is 9. The first batch is then the 1st to 30th vectors of the first dynamic vector sequence, the second batch the 10th to 39th vectors, the third batch the 19th to 48th vectors, and so on.
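The overlapping batching described above amounts to a sliding window whose width is the batch length and whose stride is the spacing parameter. A minimal sketch, with integers standing in for behaviour vectors:

```python
# Sliding-window batching: fixed batch length, starts separated by the
# spacing parameter; batch_length > spacing guarantees overlap, so no
# vector is dropped between batches.
def make_batches(sequence, batch_length, spacing):
    batches = []
    start = 0
    while start < len(sequence):
        batches.append(sequence[start:start + batch_length])
        start += spacing
    return batches

vectors = list(range(1, 101))        # stand-in for 100 behaviour vectors
batches = make_batches(vectors, 30, 9)
print(batches[0])                    # vectors 1..30
print(batches[1])                    # vectors 10..39 (21 vectors shared)
```

With batch length 30 and spacing 9, consecutive batches share 21 vectors, so a given vector is seen in several different neighbourhoods.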
In one embodiment, the first dynamic vector sequence can also first be pre-trained, to accelerate the convergence of the first convolutional neural network. The pre-training turns each vector of the first dynamic vector sequence into a vector described by its surrounding vectors, generating a second dynamic vector sequence; the second dynamic vector sequence is then input to the first convolutional neural network for feature extraction.
For example, suppose the first dynamic vector sequence is action1, action2, action3, ..., action100. During pre-training, a description vector that describes the position of action2 by means of action1 and action3 is used as the second vector of the second dynamic vector sequence; alternatively, that description vector is merged into action2 to form the second vector of the second dynamic vector sequence. By adding to each vector a vector describing its position or meaning, the convolutional neural network is given an extra factor to refer to during computation, accelerating convergence.
It should be noted that the pre-training of the first dynamic vector sequence can be executed before or after the aforementioned batching of the vector sequence, which is not limited here.
In one embodiment, data of historical viruses can be collected in advance and virus features extracted from them. Before feature extraction is performed on the dynamic behaviour data, the meaningless data that do not match the virus features are first screened out of the dynamic behaviour data, retaining the dynamic behaviour data more strongly associated with viruses; this reduces the computation of the subsequent feature extraction by the first convolutional neural network and improves convergence speed.
It should be noted that this screening of meaningless data can be executed before or after the dynamic behaviour data are converted into the first dynamic vector sequence, which is not limited here.
In the embodiments of the present application, feature extraction of the dynamic behaviour data by the first convolutional neural network is realised first through the extraction of the feature vector sequence by the first convolutional layer, and then through the dimensionality reduction by the first pooling layer; the two are introduced separately below:
When the first convolutional layer of the first convolutional neural network performs feature extraction on the dynamic behaviour data, the features are extracted with preset convolution kernels. In the embodiments of the present application, the first convolutional neural network is arranged to perform feature extraction on the dynamic behaviour data with convolution kernels of multiple different sizes, obtaining multiple groups of feature vectors for subsequent dimensionality reduction; this helps ensure that related vectors can be placed in the same group of extracted features, improving the generalisation ability of the features.
For example, suppose that after conversion of the dynamic behaviour data, each input batch of the first dynamic vector sequence has a batch length of 100 and a vector dimension of 64. Four convolution kernels of sizes 1*64, 3*64, 5*64 and 7*64 can then be set to extract feature vector sequences from each batch of the first dynamic vector sequence.
Further, the multiple convolution kernels of different sizes can include a single-vector kernel whose size matches that of each individual vector in the first dynamic vector sequence, to overcome the influence, when the dynamic behaviour data are acquired, of the original event ordering differing from the sandbox's recorded ordering. For example, with a batch length of 100 and a vector dimension of 64, the configured kernels include the 1*64 kernel, guaranteeing that the extracted features contain feature vector sequences grouped one vector at a time.
After the first convolutional layer extracts the feature vector sequences, they are input to the first pooling layer for dimensionality reduction to obtain reduced vector sequences, which are merged to obtain the target dynamic vector. The merging of the reduced vector sequences can specifically be realised through a concat function.
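The convolve / pool / concat path of step S102 can be sketched with NumPy. This is a toy illustration under stated assumptions: random placeholder weights instead of trained parameters, and a single filter per kernel size (a real network would have many filters per size), following the 100 x 64 example above.

```python
# Toy sketch of step S102: convolve a batch of behaviour vectors with
# kernels of several heights, max-pool each resulting feature map, and
# concatenate the pooled results into one "target dynamic vector".
import numpy as np

rng = np.random.default_rng(0)
batch = rng.standard_normal((100, 64))   # 100 behaviour vectors, 64 dims each

def conv_pool(seq, kernel_height):
    kernel = rng.standard_normal((kernel_height, seq.shape[1]))  # placeholder weights
    # valid 1-D convolution along the sequence axis
    out = np.array([np.sum(seq[i:i + kernel_height] * kernel)
                    for i in range(seq.shape[0] - kernel_height + 1)])
    return out.max()                     # max-pool the feature map to one scalar

# one pooled feature per kernel size (1*64, 3*64, 5*64, 7*64), merged concat-style
dynamic_vector = np.array([conv_pool(batch, h) for h in (1, 3, 5, 7)])
print(dynamic_vector.shape)              # (4,)
```

The 1*64 kernel in the list plays the single-vector role described above: its feature map has exactly one response per behaviour vector, independent of neighbouring ordering.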
Step S103: perform feature extraction on the static code data using the second convolutional neural network to obtain a target static vector.
The second convolutional neural network comprises a first sub-network and a second sub-network. The first sub-network divides the static code data of the target application's installation package into multiple feature sequences and extracts the local key information corresponding to each feature sequence. The second sub-network further extracts more comprehensive feature parameters on the basis of the local key information extracted by the first sub-network, obtaining the target static vector. As an implementation, both the first sub-network and the second sub-network can adopt convolutional neural networks.
The first sub-network generates N feature sequences based on the static code data, and performs preset first-feature-parameter extraction processing on each feature sequence respectively, obtaining N first feature vectors.
In this embodiment, N is an integer greater than or equal to 2. When the static code data are the binary file of the target application's installation package, there are many specific ways to generate the N feature sequences from the static code data; four embodiments are mainly introduced below.
In the first manner, the binary file is divided into N binary sequences, and each of the N binary sequences is encoded to obtain the N feature sequences.
In the second manner, the binary file is divided into N binary sequences; each of them is encoded to obtain N first coded sequences; each first coded sequence then undergoes dimensionality reduction to obtain the N feature sequences, where the dimension of each feature sequence is lower than that of the corresponding first coded sequence.
Specifically, in the first and second embodiments above, the manner of dividing the binary file into N binary sequences can be set according to actual needs. As one implementation, the division can be made at intervals of a preset byte count, which can itself be set as needed; for example, letting a_i denote the i-th byte, with a preset byte count of 50000, a_1 to a_50000 form one binary sequence, a_50001 to a_100000 form the next, and so on. As another implementation, the division can follow a first preset step length and a first preset length, both settable as needed; for example, with a first preset step length of 10000 bytes and a first preset length of 50000 bytes, a_1 to a_50000 form one binary sequence, a_10001 to a_60000 form the next, and so on.
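The two division schemes just described are a fixed-interval chunking and a sliding window with a preset step and length. A minimal sketch, with byte counts shrunk from the 50 000-byte example for readability:

```python
# Two ways of dividing a binary file into sequences, as described above.
def split_fixed(data, chunk_size):
    """Non-overlapping chunks at intervals of a preset byte count."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]

def split_windowed(data, step, length):
    """Overlapping windows of a preset length, starting `step` bytes apart."""
    return [data[i:i + length] for i in range(0, len(data) - length + 1, step)]

blob = bytes(range(10))              # stand-in for an apk's binary file
print(split_fixed(blob, 5))          # two non-overlapping 5-byte chunks
print(split_windowed(blob, 2, 5))    # overlapping 5-byte windows, starts 2 apart
```

As with the dynamic batching, choosing the step smaller than the window length makes adjacent sequences overlap, so no byte run near a boundary is split away from all of its context.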
In the third manner, the binary file is encoded to obtain a second coded sequence, and the second coded sequence is divided into N feature sequences.
In the fourth manner, the binary file is encoded to obtain a second coded sequence; the second coded sequence undergoes dimensionality reduction to obtain a target sequence; and the target sequence is divided into N feature sequences. The number of codes in the second coded sequence is its dimension, and the dimension of the target sequence is lower than that of the second coded sequence. The specific reduction multiple can be set according to actual needs, for example a 100-fold or 50-fold reduction; the second coded sequence can thus be reduced from millions of dimensions to tens of thousands.
Similarly, in the third and fourth manners above, the manner of dividing the second coded sequence into N feature sequences can be set according to actual needs. As one implementation, the division can be made at intervals of a preset code count, settable as needed. As another implementation, it can follow a second preset step length and a second preset length, both settable as needed.
For example, if the second coded sequence has 5,000,000 dimensions, dimensionality reduction converts it into a target sequence of 90,000 dimensions, which is then divided. When dividing at intervals of a preset code count of 1000, the target sequence is divided into 90 feature sequences of 1000 dimensions each.
In the several embodiments above, many encoding manners are possible and can be set as needed. For example, the binary number of each byte can be converted into a decimal number, so that each byte becomes a number in the range 0 to 255. For instance, if part of the binary file of an application installation package corresponds to the hexadecimal code "x90 x00 x03 x00 x00 x00 x04 x00 x00 x00 xff xff", the corresponding converted encoding is "144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255".
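The byte-to-decimal encoding just described can be reproduced directly on the document's own example: each raw byte value becomes an integer in 0..255.

```python
# Encode raw bytes as decimal numbers in 0..255, using the hexadecimal
# example from the text ("x90 x00 x03 ... xff xff").
hex_bytes = "90 00 03 00 00 00 04 00 00 00 ff ff".split()
encoded = [int(b, 16) for b in hex_bytes]
print(encoded)   # [144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255]
```

In practice the same result comes straight from the file contents, e.g. `list(open(path, "rb").read())` in Python, since iterating a `bytes` object already yields integers in 0..255.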
Specifically, the dimensionality reduction above can be implemented as: reduce the dimension of the first coded sequence or the second coded sequence with a preset algorithm, such as a bicubic interpolation algorithm, a nearest-neighbour interpolation algorithm or a bilinear interpolation algorithm. Reducing the coded sequence before further processing helps improve processing speed and, correspondingly, also shortens the training time of the neural network system and reduces resource occupation.
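Of the interpolation choices listed, nearest-neighbour is the simplest to sketch: each position of the shorter target sequence takes the value of the closest source position. A one-dimensional toy version (the patent's sequences are far longer, e.g. millions of codes down to tens of thousands):

```python
# 1-D nearest-neighbour downsampling of a coded sequence.
def nearest_downsample(seq, target_len):
    scale = len(seq) / target_len
    return [seq[min(int(i * scale), len(seq) - 1)] for i in range(target_len)]

coded = list(range(100))                  # stand-in for a long coded sequence
reduced = nearest_downsample(coded, 10)   # 10x dimensionality reduction
print(reduced)                            # [0, 10, 20, ..., 90]
```

Bilinear or bicubic interpolation would instead blend neighbouring codes, trading a little more computation for a smoother reduced sequence.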
In other embodiments of the invention, when the static code data are an opcode sequence obtained from the code files of the installation package, the N feature sequences can likewise be obtained based on the opcode sequence, and each feature sequence then undergoes the subsequent processing.
Optionally, the first sub-network comprises an input layer, a second convolutional layer and a second pooling layer, connected in sequence. It can be understood that the role of the second convolutional layer is to convolve each feature sequence with a preset number of pre-configured convolution kernels to obtain convolution features, which are passed through an activation function; the role of the second pooling layer is to further reduce the dimension of, and extract features from, the activated convolution features.
In this case, the process by which the first sub-network generates the N feature sequences from the static code data and performs preset first-feature-parameter extraction on each of them to obtain the N first feature vectors may include: the input layer generates the N feature sequences based on the static code data; the second convolutional layer performs one-dimensional convolution on each of the N feature sequences respectively to obtain the first feature information of that feature sequence, and activates the first feature information with a preset first activation function, obtaining activated first feature information; the second pooling layer pools the activated first feature information corresponding to each of the N feature sequences respectively, obtaining the N first feature vectors.
Optionally, the first activation function can be the ReLU function, which helps prevent the gradient attenuation problem; other activation functions can of course be used as needed.
Optionally, the one-dimensional convolution performed by the second convolutional layer on each of the N feature sequences to obtain its first feature information can specifically include executing, for each feature sequence, the following steps: perform one-dimensional convolution on the feature sequence to obtain a first processing result; activate the first processing result with a preset second activation function to obtain a second processing result; and take the product of the first processing result and the second processing result as the first feature information of the feature sequence. The second activation function can be the Sigmoid function. This forms a kind of Gate structure, which better controls the transfer of local feature information and improves the expressive power of local features.
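The Gate structure just described is a gated linear unit: two parallel one-dimensional convolutions over the same input, one passed through a Sigmoid and used to scale the other elementwise. A NumPy sketch with random placeholder weights (single channel, no training):

```python
# Gate structure sketch: first processing result (a), Sigmoid-activated
# second processing result (b), first feature information = a * sigmoid(b).
import numpy as np

rng = np.random.default_rng(1)

def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))

def gated_conv1d(seq, kernel_size):
    w_a = rng.standard_normal(kernel_size)   # conv producing the content path
    w_b = rng.standard_normal(kernel_size)   # conv feeding the Sigmoid gate
    n = len(seq) - kernel_size + 1           # valid-convolution output length
    a = np.array([seq[i:i + kernel_size] @ w_a for i in range(n)])
    b = np.array([seq[i:i + kernel_size] @ w_b for i in range(n)])
    return a * sigmoid(b)                    # elementwise gating

feature = gated_conv1d(rng.standard_normal(16), 3)
print(feature.shape)                         # (14,)
```

Because sigmoid(b) lies in (0, 1), each position of the gate decides how much of the corresponding local response is let through, which is the "controlled transfer of local feature information" the text refers to.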
It should be noted that in the one-dimensional convolution above, the number, size and stride of the one-dimensional convolution kernels can be set according to actual needs. This embodiment can use one-dimensional kernels and strides of larger size to reduce computation and storage pressure.
Optionally, the pooling by the second pooling layer of the activated first feature information corresponding to each of the N feature sequences, obtaining the N first feature vectors, can specifically include: the second pooling layer applies max-pooling to the activated first feature information of each of the N feature sequences respectively, obtaining the N first feature vectors. Max-pooling introduces invariance while performing dimensionality reduction and local key-information extraction, and prevents over-fitting.
After the processing of the first sub-network is completed, the second sub-network splices the N first feature vectors and performs preset second-feature-parameter extraction processing on the second feature vector obtained by splicing, obtaining the target static vector.
As an implementation, the second sub-network may include a third convolutional layer, a third pooling layer and an output layer, connected in sequence.
In this case, the splicing of the N first feature vectors by the second sub-network and the second-feature-parameter extraction on the resulting second feature vector to obtain the target static vector can specifically include: the third convolutional layer splices the N first feature vectors to obtain the second feature vector, performs one-dimensional convolution on the second feature vector to obtain its second feature information, and activates the second feature information with a preset third activation function, obtaining activated second feature information; the third pooling layer pools the activated second feature information, obtaining the target static vector.
The third activation function can likewise adopt the ReLU function; again, ReLU helps prevent the gradient attenuation problem.
Optionally, the one-dimensional convolution on the second feature vector to obtain its second feature information can specifically include: perform one-dimensional convolution on the second feature vector to obtain a third processing result; activate the third processing result with a preset fourth activation function to obtain a fourth processing result; and take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector. The fourth activation function can be the Sigmoid function. This again forms a kind of Gate structure, which better controls the transfer of global feature information and improves the expressive power of global features.
Optionally, the pooling by the third pooling layer of the activated second feature information comprises: the third pooling layer applies average pooling (avg-pooling) to the activated second feature information, obtaining the target static vector. Avg-pooling is used to balance global and local information, letting the model make full use of the features of every feature sequence.
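The two pooling choices made by the sub-networks can be contrasted with a toy sketch (window size and values are illustrative): max-pooling keeps only the strongest local response, while average pooling weighs every position equally.

```python
# max-pooling vs average pooling over fixed windows.
def pool(values, window, mode):
    chunks = [values[i:i + window] for i in range(0, len(values), window)]
    agg = max if mode == "max" else (lambda c: sum(c) / len(c))
    return [agg(c) for c in chunks]

scores = [1.0, 5.0, 2.0, 2.0, 4.0, 0.0]
print(pool(scores, 3, "max"))   # [5.0, 4.0]  - strongest response per window
print(pool(scores, 3, "avg"))   # window means - every position contributes
```

This mirrors the design above: max-pooling in the first sub-network isolates local key information within each feature sequence, and avg-pooling in the second sub-network balances the contributions of all the spliced sequences.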
Step S104: output the malice detection result of the target application according to the target dynamic vector and the target static vector.
In the embodiments of the present application, the target dynamic vector and the target static vector can first be merged to generate a merged vector, from which the malice detection result of the target application is output. Specifically, the merging of the target dynamic vector and the target static vector can be realised through a concat function, and the probability that the target application is a malicious application can be computed through a softmax function as the malice detection result. Other merging functions, or other functions for computing the malice detection result, can of course also be used, which is not limited here.
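Step S104's merge-then-softmax path can be sketched as follows. This is a toy illustration: the small vectors are placeholders, and the trained layer that a real network would apply between the concat and the softmax is collapsed into an assumed placeholder scoring.

```python
# Sketch of step S104: concat-style merge, then softmax over two classes.
import math

def softmax(scores):
    m = max(scores)                       # subtract the max for stability
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]

dynamic_vec = [0.2, 0.8]                  # placeholder target dynamic vector
static_vec = [0.5, 0.1]                   # placeholder target static vector
merged = dynamic_vec + static_vec         # the concat step

# placeholder scoring standing in for a trained classification layer
benign_score, malicious_score = sum(merged[:2]), sum(merged[2:])
probs = softmax([benign_score, malicious_score])
print(probs)                              # sums to 1; probs[1] = P(malicious)
```

The second softmax output is then reported as the probability that the target application is malicious, i.e. the malice detection result.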
Based on the same inventive concept, an embodiment of the invention also provides a system corresponding to the method of Embodiment 1; see Embodiment 2.
Embodiment 2
An identification system for malicious applications is provided, as shown in Fig. 2, comprising:
An obtaining module 201, for obtaining the dynamic behaviour data and static code data of a target application, the dynamic behaviour data being behaviour data generated by the target application according to user behaviour, and the static code data being the code data from which the target application is built.
A first convolutional neural network module 202, for performing feature extraction on the dynamic behaviour data to obtain a target dynamic vector;
A second convolutional neural network module 203, for performing feature extraction on the static code data to obtain a target static vector;
An output module 204, for outputting the malice detection result of the target application according to the target dynamic vector and the target static vector.
Optionally, the obtaining module 201 includes: a first obtaining unit, for running the target application in a sandbox environment and obtaining, according to preset instrumentation points, the dynamic behaviour data of the target application at run time.
Optionally, the first obtaining unit is also used to simulate user operations during the running of the target application, triggering the target application to generate behaviour data.
Optionally, the obtaining module 201 further includes: a second obtaining unit, for obtaining the static code data by parsing the code files of the target application's installation package.
Optionally, the second obtaining unit parses the code files of the installation package of the target application to obtain the binary file corresponding to the installation package, using the binary file as the static code data; alternatively, it decompiles the code files of the installation package to obtain compiled code of the installation package, using that compiled code as the static code data.
Optionally, the first convolutional neural network module 202 includes:
A word embedding layer, for converting the dynamic behaviour data into a vector-expressed first dynamic vector sequence;
A first convolutional layer, for performing feature extraction on the vector-expressed dynamic behaviour data to obtain a feature vector sequence;
A first pooling layer, for reducing the dimensionality of the feature vector sequence to obtain a reduced vector sequence, from which the target dynamic vector is obtained.
Optionally, the word embedding layer is also used to input the first dynamic vector sequence to the first convolutional layer in batches for feature extraction.
Optionally, the word embedding layer is also used to input the first dynamic vector sequence to the first convolutional layer in batches according to a preset batch length and spacing parameter, where the number of vectors in each batch of the first dynamic vector sequence equals the batch length, the number of vectors between the start vectors of adjacent batches equals the spacing parameter, and the batch length is greater than the spacing parameter.
Optionally, the first convolutional neural network module 202 further includes: a pre-training unit, for pre-training each vector in the first dynamic vector sequence converted by the word embedding layer into a vector described by its surrounding vectors, generating a second dynamic vector sequence, and then inputting the second dynamic vector sequence to the first convolutional layer for feature extraction.
Optionally, the first convolutional neural network module 202 further includes: a screening unit, for screening out of the dynamic behaviour data, according to preset virus features, the meaningless data that do not match the virus features, and then inputting the screened dynamic behaviour data to the first convolutional layer for feature extraction.
Optionally, the first convolutional layer is also used to perform feature extraction on the dynamic behaviour data with convolution kernels of multiple different sizes, obtaining multiple groups of feature vector sequences.
Optionally, the multiple different-sized convolution kernels include: a single-vector kernel whose size matches that of each individual vector in the dynamic behaviour data.
Optionally, the second convolutional neural network module 203 comprises:
A first sub-network 2031, for generating N feature sequences based on the static code data and performing preset first-feature-parameter extraction processing on each feature sequence respectively to obtain N first feature vectors, where N is an integer greater than or equal to 2;
A second sub-network 2032, for splicing the N first feature vectors and performing preset second-feature-parameter extraction processing on the second feature vector obtained by splicing, obtaining the target static vector.
Optionally, the first sub-network 2031 includes an input layer, a second convolutional layer and a second pooling layer, connected in sequence;
The input layer is used to generate the N feature sequences based on the static code data;
The second convolutional layer is used to perform one-dimensional convolution on each of the N feature sequences respectively to obtain the first feature information of that feature sequence, and to activate the first feature information with a preset first activation function, obtaining activated first feature information;
The second pooling layer is used to pool the activated first feature information corresponding to each of the N feature sequences respectively, obtaining the N first feature vectors.
Optionally, the second convolutional layer is further configured to: for each of the N feature sequences, execute the following steps: perform one-dimensional convolution processing on the feature sequence to obtain a first processing result; activate the first processing result through a preset second activation function to obtain a second processing result; and take the product of the first processing result and the second processing result as the first feature information of the feature sequence.
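For illustration only (not part of the claimed subject matter): taking the product of a convolution result and an activated convolution result is a gated-convolution pattern. A minimal sketch follows, in which the sigmoid gate stands in for the unspecified second activation function and all weights are assumptions.

```python
import math

def conv1d(seq, kernel):
    """One-dimensional convolution of a scalar sequence with a kernel."""
    k = len(kernel)
    return [sum(seq[i + j] * kernel[j] for j in range(k))
            for i in range(len(seq) - k + 1)]

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def gated_feature(seq, kernel_a, kernel_b):
    a = conv1d(seq, kernel_a)                        # first processing result
    b = [sigmoid(v) for v in conv1d(seq, kernel_b)]  # activated second result
    return [x * g for x, g in zip(a, b)]             # product = feature info

feature_seq = [0.0, 1.0, 2.0, 3.0]        # toy feature sequence
info = gated_feature(feature_seq, kernel_a=[1.0, 1.0], kernel_b=[0.5, -0.5])
print(info)
```

The gate values lie in (0, 1), so each convolution output is scaled rather than hard-thresholded, which is the practical effect of the product described above.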
Optionally, the second pooling layer is further configured to: perform max-pooling on the activated first feature information corresponding to each of the N feature sequences respectively, to obtain the N first feature vectors.
Optionally, the second sub-network 2032 includes a third convolutional layer and a third pooling layer, which are connected in sequence;
the third convolutional layer splices the N first feature vectors to obtain a second feature vector, performs one-dimensional convolution processing on the second feature vector to obtain second feature information of the second feature vector, and activates the second feature information through a preset third activation function, to obtain activated second feature information;
the third pooling layer performs pooling processing on the activated second feature information, to obtain the target quiescent vector.
Optionally, the third convolutional layer is further configured to: perform one-dimensional convolution processing on the second feature vector to obtain a third processing result; activate the third processing result through a preset fourth activation function to obtain a fourth processing result; and take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
Optionally, the third pooling layer is further configured to: perform average-pooling on the activated second feature information, to obtain the target quiescent vector.
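For illustration only (not part of the claimed subject matter), the second sub-network's pipeline of splicing, one-dimensional convolution, and average-pooling can be sketched as below; the ReLU activation, kernel weights, and pooling window are assumptions.

```python
def splice(vectors):
    """Concatenate the N first feature vectors into one second feature vector."""
    out = []
    for v in vectors:
        out.extend(v)
    return out

def conv1d(seq, kernel):
    k = len(kernel)
    return [sum(seq[i + j] * kernel[j] for j in range(k))
            for i in range(len(seq) - k + 1)]

def relu(x):
    return x if x > 0 else 0.0

def avg_pool(seq, window):
    """Average-pool over non-overlapping windows."""
    return [sum(seq[i:i + window]) / window
            for i in range(0, len(seq) - window + 1, window)]

first_vecs = [[1.0, -2.0], [3.0, 0.0]]          # N = 2 first feature vectors
second_vec = splice(first_vecs)                  # spliced second feature vector
info = [relu(x) for x in conv1d(second_vec, [1.0, 1.0])]
target_quiescent = avg_pool(info, window=3)
print(target_quiescent)
```

Average-pooling here compresses the activated feature information into the fixed-size target quiescent vector, independently of how long the spliced vector is.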
Optionally, the output module 204 further includes:
a merging unit, configured to merge the target dynamic vector and the target quiescent vector to generate a merged vector;
an output unit, configured to output the malice testing result of the target application according to the merged vector.
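For illustration only (not part of the claimed subject matter): the merging unit and output unit can be sketched as concatenation followed by a scoring step. The logistic classifier and its weights below are assumptions standing in for the unspecified output unit.

```python
import math

def merge(dynamic_vec, quiescent_vec):
    """Merge the target dynamic vector and target quiescent vector."""
    return list(dynamic_vec) + list(quiescent_vec)

def detect(merged, weights, bias):
    """Toy output unit: weighted sum plus logistic score."""
    z = sum(w * x for w, x in zip(weights, merged)) + bias
    score = 1.0 / (1.0 + math.exp(-z))   # probability of being malicious
    return ("malicious" if score >= 0.5 else "benign"), score

merged = merge([0.2, 0.9], [0.4])
label, score = detect(merged, weights=[1.0, 2.0, 1.0], bias=-1.0)
print(label, round(score, 4))
```

In a trained system the weights would come from the training procedure of Embodiment 3 rather than being fixed by hand as here.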
Since the system introduced in Embodiment 2 of the present invention is the system used to implement the method of Embodiment 1 of the present invention, those skilled in the art can, based on the method introduced in Embodiment 1, understand the specific structure and variations of the system, and details are therefore not repeated here. Any system used to implement the method of Embodiment 1 of the present invention falls within the scope the present invention intends to protect.
Based on the same inventive concept, an embodiment of the present invention further provides a training method for the system of Embodiment 2, that is, a training method for the first convolutional neural network and the second convolutional neural network of Embodiment 1; see Embodiment 3.
Embodiment 3
This embodiment provides a training method, the method being used to train the identification system described in Embodiment 2.
The training samples of the training method include the dynamic behaviour data and static code data of multiple application programs, together with labeled data describing whether each of the multiple application programs is a malicious application; the dynamic behaviour data are behavioral data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written.
As shown in Figure 3, the steps of the training method are as follows:
Step S301: construct an initial neural network system (which may be the identification system of Embodiment 2 in its initial state, or the first convolutional neural network and the second convolutional neural network of Embodiment 1 in their initial states);
Step S302: input the training samples to train the initial neural network system, obtaining a trained neural network system (which may be the trained identification system of Embodiment 2, or the trained first convolutional neural network and second convolutional neural network of Embodiment 1). The training samples include the dynamic behaviour data and static code data of multiple application programs, together with labeled data describing whether each of the multiple application programs is a malicious application.
The specific sample-training method and steps are the same as those of the recognition method introduced in Embodiment 1; therefore, based on the method introduced in Embodiment 1 and the system introduced in Embodiment 2, those skilled in the art can understand the steps and variations of this method, and details are not repeated here. Any training method for the convolutional neural networks of Embodiment 1 and any training method for the identification system of Embodiment 2 fall within the scope the present invention intends to protect.
Based on the same inventive concept, an embodiment of the present invention further provides a device corresponding to the method of Embodiment 1; see Embodiment 4.
Embodiment 4
As shown in Figure 4, this embodiment provides an electronic device, including a memory 410, a processor 420, and a computer program 411 that is stored on the memory 410 and runnable on the processor 420, where the processor 420 implements the following steps when executing the computer program 411:
obtaining the dynamic behaviour data and static code data of a target application, where the dynamic behaviour data are behavioral data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written;
performing feature extraction on the dynamic behaviour data using a first convolutional neural network, to obtain a target dynamic vector;
performing feature extraction on the static code data using a second convolutional neural network, to obtain a target quiescent vector; and
outputting the malice testing result of the target application according to the target dynamic vector and the target quiescent vector.
In this embodiment of the present application, any implementation of Embodiment 1 of the present application may be realized when the processor 420 executes the computer program 411.
Since the device introduced in Embodiment 4 of the present invention is the device used to implement the method of Embodiment 1 of the present invention, those skilled in the art can, based on the method introduced in Embodiment 1, understand the specific structure and variations of the device, and details are therefore not repeated here. Any device used to implement the method of Embodiment 1 of the present invention falls within the scope the present invention intends to protect.
Based on the same inventive concept, an embodiment of the present invention further provides a storage medium corresponding to the method of Embodiment 1; see Embodiment 5.
Embodiment 5
This embodiment provides a computer-readable storage medium 500, as shown in Figure 5, on which a computer program 511 is stored, characterized in that the computer program 511 implements the following steps when executed by a processor:
obtaining the dynamic behaviour data and static code data of a target application, where the dynamic behaviour data are behavioral data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written;
performing feature extraction on the dynamic behaviour data using a first convolutional neural network, to obtain a target dynamic vector;
performing feature extraction on the static code data using a second convolutional neural network, to obtain a target quiescent vector; and
outputting the malice testing result of the target application according to the target dynamic vector and the target quiescent vector.
In a specific implementation process, any implementation of Embodiment 1 of the present application may be realized when the computer program 511 is executed by a processor.
The technical solutions provided in the embodiments of the present application have at least the following technical effects or advantages:
The recognition method, device, training method, equipment, and medium for malicious applications provided by the embodiments of the present application obtain both the dynamic behaviour data and the static code data of a target application and use them jointly as the identification basis for malicious applications; by setting more comprehensive identification data, the recognition accuracy for malicious applications is effectively improved. Moreover, convolutional neural networks are used to perform feature extraction on the dynamic behaviour data and static code data, obtaining a target dynamic vector and a target quiescent vector that better characterize the application's features, so as to obtain a more accurate malice testing result.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is obvious. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is made to disclose the best mode of carrying out the invention.
In the specification provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units, or components of an embodiment may be combined into one module, unit, or component, and they may furthermore be divided into multiple sub-modules, sub-units, or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, equivalent, or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the gateway, proxy server, or system according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing some or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The mere use of the words first, second, and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a recognition method for malicious applications, comprising:
obtaining the dynamic behaviour data and static code data of a target application, where the dynamic behaviour data are behavioral data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written;
performing feature extraction on the dynamic behaviour data using a first convolutional neural network, to obtain a target dynamic vector;
performing feature extraction on the static code data using a second convolutional neural network, to obtain a target quiescent vector; and
outputting the malice testing result of the target application according to the target dynamic vector and the target quiescent vector.
A2. The method according to A1, characterized in that obtaining the dynamic behaviour data of the target application comprises:
running the target application in a sandbox environment; and
obtaining, according to preset instrumentation points, the dynamic behaviour data of the target application during its operation.
A3. The method according to A2, characterized in that running the target application in a sandbox environment comprises:
during the operation of the target application, simulating user operations to trigger the target application to generate behavioral data.
A4. The method according to A1, characterized in that obtaining the static code data of the target application comprises:
parsing the code files of the installation package of the target application to obtain the static code data.
A5. The method according to A1, characterized in that obtaining the static code data of the target application comprises:
parsing the code files of the installation package of the target application to obtain the binary file corresponding to the installation package of the target application, and using the binary file as the static code data; or
decompiling the code files of the installation package of the target application to obtain the decompiled code of the installation package of the target application, and using the decompiled code as the static code data.
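For illustration only (not part of the claimed subject matter): taking the raw bytes of an installation package's code file as the static code data can be sketched as below. The file created here is a stand-in; a real package (for example an APK) would first be unpacked to reach its code files.

```python
import os
import tempfile

def extract_static_code(path):
    """Read a code file and return its bytes as an integer sequence,
    a simple binary representation usable as static code data."""
    with open(path, "rb") as f:
        return list(f.read())

# Stand-in "code file" written only for this demonstration.
fd, path = tempfile.mkstemp()
with os.fdopen(fd, "wb") as f:
    f.write(bytes([0x64, 0x65, 0x78, 0x0A]))  # the bytes of 'dex\n'

static_code = extract_static_code(path)
os.remove(path)
print(static_code)
```

Each byte becomes one integer in [0, 255], giving a fixed alphabet from which the second convolutional neural network's input sequences can be built.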
A6. The method according to A1, characterized in that performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector comprises:
converting the dynamic behaviour data into a first dynamic vector sequence expressed as vectors; and
inputting the first dynamic vector sequence in batches into the first convolutional neural network for feature extraction, to obtain the target dynamic vector.
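For illustration only (not part of the claimed subject matter): converting recorded behaviors into the first dynamic vector sequence can be sketched as an embedding-table lookup. The behavior names, embedding values, and unknown-behavior fallback below are assumptions.

```python
# Toy embedding table mapping each known behavior to a fixed vector.
embedding = {
    "read_contacts": [0.9, 0.1],
    "send_sms":      [0.8, 0.7],
    "open_url":      [0.1, 0.5],
}
UNKNOWN = [0.0, 0.0]   # fallback vector for behaviors missing from the table

def to_vector_sequence(behaviors):
    """Map each recorded behavior to its vector, preserving order."""
    return [embedding.get(b, UNKNOWN) for b in behaviors]

dynamic_data = ["read_contacts", "send_sms", "wipe_cache"]
first_dynamic_seq = to_vector_sequence(dynamic_data)
print(first_dynamic_seq)
```

In a trained system the table would be a learned word-embedding layer; here it is hand-filled so the mapping is visible.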
A7. The method according to A6, characterized in that inputting the first dynamic vector sequence in batches into the first convolutional neural network comprises:
inputting the first dynamic vector sequence in batches into the first convolutional neural network according to a preset batch length and a preset interval parameter, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors equals the interval parameter, and the batch length is greater than the interval parameter.
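For illustration only (not part of the claimed subject matter): because the batch length exceeds the interval parameter, adjacent batches overlap, so a behavior pattern that straddles a batch boundary still appears whole inside some batch. A minimal sketch of this windowing, with integers standing in for behavior vectors:

```python
def batched(seq, batch_length, interval):
    """Split seq into overlapping batches: each batch holds batch_length
    items, and adjacent batches start interval items apart."""
    assert batch_length > interval > 0
    return [seq[i:i + batch_length]
            for i in range(0, len(seq) - batch_length + 1, interval)]

seq = list(range(7))    # stand-in for a sequence of 7 behavior vectors
batches = batched(seq, batch_length=4, interval=2)
print(batches)
```

With batch length 4 and interval 2, items 2 and 3 appear in both batches, which is exactly the overlap the claim requires.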
A8. The method according to A1, characterized in that performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector comprises:
converting the dynamic behaviour data into a first dynamic vector sequence expressed as vectors;
pre-training each vector in the first dynamic vector sequence into a vector described by its surrounding vectors, to generate a second dynamic vector sequence; and
performing feature extraction on the second dynamic vector sequence using the first convolutional neural network, to obtain the target dynamic vector.
A9. The method according to A1, characterized in that performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector comprises:
screening out, according to preset virus features, meaningless data in the dynamic behaviour data that does not match the virus features; and
performing feature extraction, using the first convolutional neural network, on the dynamic behaviour data with the meaningless data screened out, to obtain the target dynamic vector.
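For illustration only (not part of the claimed subject matter): screening out records that match no preset virus feature can be sketched as a keyword filter. The feature keywords and log entries below are assumptions.

```python
# Preset virus features (keywords that malicious behaviors tend to mention).
virus_features = {"sms", "contacts", "install"}

def screen_out(behaviors):
    """Keep only records mentioning at least one virus-feature keyword;
    everything else is treated as meaningless data and dropped."""
    return [b for b in behaviors
            if any(feat in b for feat in virus_features)]

dynamic_data = ["send_sms premium_number", "draw_ui frame", "read_contacts",
                "gc_pause 12ms", "silent_install payload.apk"]
filtered = screen_out(dynamic_data)
print(filtered)
```

Dropping rendering and garbage-collection noise before feature extraction shortens the input sequence while keeping every record the virus features could match.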
A10. The method according to A1, characterized in that performing feature extraction on the dynamic behaviour data using the first convolutional neural network to obtain the target dynamic vector comprises:
in the first convolutional neural network, performing feature extraction on the dynamic behaviour data using convolution kernels of multiple different sizes, to obtain multiple groups of feature vectors; and
obtaining the target dynamic vector according to the multiple groups of feature vectors.
A11. The method according to A10, characterized in that the multiple convolution kernels of different sizes include:
a single-column convolution kernel whose size is identical to that of each vector in the dynamic behaviour data.
A12. The method according to A1, wherein performing feature extraction on the static code data using the second convolutional neural network to obtain the target quiescent vector comprises:
generating N feature sequences based on the static code data, and performing preset first-feature-parameter extraction processing on each feature sequence respectively, to obtain N first feature vectors, where N is an integer greater than or equal to 2; and
splicing the N first feature vectors, and performing preset second-feature-parameter extraction processing on the second feature vector obtained after splicing, to obtain the target quiescent vector.
A13. The method according to A12, characterized in that performing preset first-feature-parameter extraction processing on each feature sequence respectively to obtain the N first feature vectors comprises:
performing one-dimensional convolution processing on each of the N feature sequences to obtain first feature information of that feature sequence, and activating the first feature information through a preset first activation function, to obtain activated first feature information; and
performing pooling processing on the activated first feature information corresponding to each of the N feature sequences, to obtain the N first feature vectors.
A14. The method according to A13, characterized in that performing one-dimensional convolution processing on each of the N feature sequences to obtain the first feature information of that feature sequence comprises:
for each feature sequence in the N feature sequences, executing the following steps:
performing one-dimensional convolution processing on the feature sequence to obtain a first processing result;
activating the first processing result through a preset second activation function to obtain a second processing result; and
taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
A15. The method according to A13, characterized in that performing pooling processing on the activated first feature information corresponding to each of the N feature sequences to obtain the N first feature vectors comprises:
performing max-pooling on the activated first feature information corresponding to each of the N feature sequences respectively, to obtain the N first feature vectors.
A16. The method according to A12, characterized in that splicing the N first feature vectors and performing preset second-feature-parameter extraction processing on the second feature vector obtained after splicing to obtain the target quiescent vector comprises:
splicing the N first feature vectors to obtain the second feature vector;
performing one-dimensional convolution processing on the second feature vector to obtain second feature information of the second feature vector, and activating the second feature information through a preset third activation function, to obtain activated second feature information; and
performing pooling processing on the activated second feature information, to obtain the target quiescent vector.
A17. The method according to A16, characterized in that performing one-dimensional convolution processing on the second feature vector to obtain the second feature information of the second feature vector comprises:
performing one-dimensional convolution processing on the second feature vector to obtain a third processing result;
activating the third processing result through a preset fourth activation function to obtain a fourth processing result; and
taking the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
A18. The method according to A16, characterized in that performing pooling processing on the activated second feature information to obtain the target quiescent vector comprises:
performing average-pooling on the activated second feature information, to obtain the target quiescent vector.
A19. The method according to A1, characterized in that outputting the malice testing result of the target application according to the target dynamic vector and the target quiescent vector comprises:
merging the target dynamic vector and the target quiescent vector to generate a merged vector; and
outputting the malice testing result of the target application according to the merged vector.
B20. An identification system for malicious applications, comprising:
an acquisition module, configured to obtain the dynamic behaviour data and static code data of a target application, where the dynamic behaviour data are behavioral data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written;
a first convolutional neural network module, configured to perform feature extraction on the dynamic behaviour data, to obtain a target dynamic vector;
a second convolutional neural network module, configured to perform feature extraction on the static code data, to obtain a target quiescent vector; and
an output module, configured to output the malice testing result of the target application according to the target dynamic vector and the target quiescent vector.
B21. The system according to B20, characterized in that the acquisition module comprises:
a first acquisition unit, configured to run the target application in a sandbox environment, and to obtain, according to preset instrumentation points, the dynamic behaviour data of the target application during its operation.
B22. The system according to B21, characterized in that the first acquisition unit is further configured to:
during the operation of the target application, simulate user operations to trigger the target application to generate behavioral data.
B23. The system according to B20, characterized in that the acquisition module further comprises:
a second acquisition unit, configured to parse the code files of the installation package of the target application to obtain the static code data.
B24. The system according to B20, characterized by further comprising:
a second acquisition unit, configured to parse the code files of the installation package of the target application to obtain the binary file corresponding to the installation package of the target application, and use the binary file as the static code data; or to decompile the code files of the installation package of the target application to obtain the decompiled code of the installation package of the target application, and use the decompiled code as the static code data.
B25. The system according to B20, characterized in that the first convolutional neural network module comprises:
a word embedding layer, configured to convert the dynamic behaviour data into a first dynamic vector sequence expressed as vectors;
a first convolutional layer, configured to perform feature extraction on the dynamic behaviour data converted into vector expression, to obtain a feature vector sequence; and
a first pooling layer, configured to perform dimensionality reduction on the feature vector sequence to obtain a dimensionality-reduced vector sequence, and to obtain the target dynamic vector according to the dimensionality-reduced vector sequence.
B26. The system according to B25, characterized in that the word embedding layer is further configured to:
input the first dynamic vector sequence in batches into the first convolutional layer for feature extraction.
B28. The system according to B27, characterized in that the word embedding layer is further configured to:
input the first dynamic vector sequence in batches into the first convolutional layer according to a preset batch length and a preset interval parameter, where the number of vectors in each batch of first dynamic vectors equals the batch length, the number of vectors between the starting vectors of adjacent batches of first dynamic vectors equals the interval parameter, and the batch length is greater than the interval parameter.
B29. The system according to B26, characterized in that the first convolutional neural network module further comprises:
a pre-training unit, configured to pre-train each vector in the first dynamic vector sequence converted by the word embedding layer into a vector described by its surrounding vectors, to generate a second dynamic vector sequence; the second dynamic vector sequence is then input into the first convolutional layer for feature extraction.
B30. The system according to B26, characterized in that the first convolutional neural network module further comprises:
a screening unit, configured to screen out, according to preset virus features, meaningless data in the dynamic behaviour data that does not match the virus features; the dynamic behaviour data with the meaningless data screened out is then input into the first convolutional layer for feature extraction.
B31. The system according to B26, characterized in that the first convolutional layer is further configured to:
perform feature extraction on the dynamic behaviour data using convolution kernels of multiple different sizes, to obtain multiple groups of feature vector sequences.
B32. The system according to B26, characterized in that the multiple convolution kernels of different sizes include:
a single-column convolution kernel whose size is identical to that of each vector in the dynamic behaviour data.
B33. The system according to B20, characterized in that the second convolutional neural network module comprises:
a first sub-network, configured to generate N feature sequences based on the static code data, and to perform preset first-feature-parameter extraction processing on each feature sequence respectively, to obtain N first feature vectors, where N is an integer greater than or equal to 2; and
a second sub-network, configured to splice the N first feature vectors, and to perform preset second-feature-parameter extraction processing on the second feature vector obtained after splicing, to obtain the target quiescent vector.
B34. The system according to B33, characterized in that the first sub-network comprises an input layer, a second convolutional layer, and a second pooling layer, which are connected in sequence;
the input layer is configured to generate the N feature sequences based on the static code data;
the second convolutional layer is configured to perform one-dimensional convolution processing on each of the N feature sequences respectively, to obtain first feature information of that feature sequence, and to activate the first feature information through a preset first activation function, to obtain activated first feature information; and
the second pooling layer is configured to perform pooling processing on the activated first feature information corresponding to each of the N feature sequences respectively, to obtain the N first feature vectors.
B35. The system of B34, wherein the second convolutional layer is further configured to perform, for each of the N feature sequences, the following steps:
performing one-dimensional convolution on the feature sequence to obtain a first processing result; activating the first processing result with a preset second activation function to obtain a second processing result; and taking the product of the first processing result and the second processing result as the first feature information of the feature sequence.
B36. The system of B34, wherein the second pooling layer is further configured to pool, by max pooling, the activated first feature information corresponding to each of the N feature sequences, to obtain the N first feature vectors.
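The gating in B35 (the raw convolution result multiplied by an activated copy of itself) resembles a GLU-style gate; combined with B36's max pooling, a minimal one-filter sketch might look as follows. The sigmoid gate and the toy kernel are assumptions, not the patent's prescribed activation functions.

```python
import numpy as np

def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))

def gated_conv_maxpool(feature_seq, kernel):
    """Gated 1-D convolution in the spirit of B35 (first processing result
    times its activated copy) followed by the max pooling of B36."""
    k = len(kernel)
    # first processing result: plain 1-D convolution over the sequence
    conv = np.array([float(np.dot(kernel, feature_seq[t:t + k]))
                     for t in range(len(feature_seq) - k + 1)])
    gate = sigmoid(conv)          # second processing result (activated copy)
    gated = conv * gate           # product = first feature information
    return gated.max()            # max pooling -> one feature-vector entry

seq = np.array([0.0, 1.0, 2.0, 3.0])
score = gated_conv_maxpool(seq, kernel=np.array([1.0, 1.0]))
print(round(score, 4))  # → 4.9665
```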
B37. The system of B33, wherein the second sub-network comprises a third convolutional layer and a third pooling layer connected in sequence;
the third convolutional layer splices the N first feature vectors to obtain a second feature vector, performs one-dimensional convolution on the second feature vector to obtain second feature information of the second feature vector, and activates the second feature information with a preset third activation function to obtain activated second feature information;
the third pooling layer pools the activated second feature information to obtain the target static vector.
B38. The system of B37, wherein the third convolutional layer is further configured to:
perform one-dimensional convolution on the second feature vector to obtain a third processing result;
activate the third processing result with a preset fourth activation function to obtain a fourth processing result; and
take the product of the third processing result and the fourth processing result as the second feature information of the second feature vector.
B39. The system of B37, wherein the third pooling layer is further configured to pool the activated second feature information by average pooling, to obtain the target static vector.
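A toy sketch of the second sub-network of B37/B39: splice the N first feature vectors, convolve once, activate, then average-pool down to a scalar standing in for the target static vector. ReLU here is an illustrative stand-in for the unnamed third activation function (B38's gated variant would replace it with a product gate).

```python
import numpy as np

def second_subnetwork(first_vectors, kernel):
    """Splice N first feature vectors into one second feature vector (B37),
    run a 1-D convolution plus an activation, then average-pool (B39)."""
    spliced = np.concatenate(first_vectors)        # second feature vector
    k = len(kernel)
    conv = np.array([float(np.dot(kernel, spliced[t:t + k]))
                     for t in range(len(spliced) - k + 1)])
    activated = np.maximum(conv, 0.0)              # stand-in activation (ReLU)
    return activated.mean()                        # average pooling

vecs = [np.array([1.0, 2.0]), np.array([3.0, 4.0])]
print(second_subnetwork(vecs, kernel=np.array([0.5, 0.5])))  # → 2.5
```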
B40. The system of B20, wherein the output module further comprises:
a merging unit configured to merge the target dynamic vector and the target static vector to generate a merged vector;
an output unit configured to output the malice detection result of the target application according to the merged vector.
C41. A training method for training the identification system of any one of B20 to B40;
wherein the training samples of the training method comprise dynamic behavior data and static code data of multiple application programs, and label data describing whether each of the multiple application programs is a malicious application; the dynamic behavior data are behavior data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written.
D42. An electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the method of any one of A1-A19.
E43. A computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method of any one of A1-A19.
Claims (10)
1. A method for identifying a malicious application, comprising:
obtaining dynamic behavior data and static code data of a target application, wherein the dynamic behavior data are behavior data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written;
performing feature extraction on the dynamic behavior data using a first convolutional neural network, to obtain a target dynamic vector;
performing feature extraction on the static code data using a second convolutional neural network, to obtain a target static vector;
outputting a malice detection result of the target application according to the target dynamic vector and the target static vector.
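Claim 1's overall flow (two feature vectors merged, then a detection result) can be illustrated with a minimal sketch. The concatenation-plus-logistic-head below is an assumed classifier: the claim leaves the output layer unspecified, and the weights here are placeholders.

```python
import numpy as np

def detect_malicious(dynamic_vec, static_vec, w, b=0.0):
    """Merge the target dynamic vector and target static vector by
    concatenation, then map the merged vector to a malice score with an
    assumed logistic output layer."""
    merged = np.concatenate([dynamic_vec, static_vec])   # merged vector
    score = 1.0 / (1.0 + np.exp(-(np.dot(w, merged) + b)))
    return score  # probability-like score that the application is malicious

dyn = np.array([0.2, -0.1])   # stand-in target dynamic vector
sta = np.array([0.4, 0.3])    # stand-in target static vector
print(round(detect_malicious(dyn, sta, np.ones(4)), 3))  # → 0.69
```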
2. The method of claim 1, wherein obtaining the dynamic behavior data of the target application comprises:
running the target application in a sandbox environment;
obtaining, according to preset instrumentation points, the dynamic behavior data of the target application during its operation.
3. The method of claim 2, wherein running the target application in the sandbox environment comprises:
during operation of the target application, simulating user operations to trigger the target application to generate behavior data.
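One way to picture a "preset instrumentation point" from claims 2-3 is a hook wrapped around a sensitive API so that each call is appended to the behavior log while simulated user operations drive the application. The decorator and the `send_sms` API below are hypothetical illustrations, not the patent's sandbox mechanism.

```python
import functools

def instrumentation_point(log):
    """Wrap a sensitive API so every call is recorded in the dynamic
    behavior log (a stand-in for a preset instrumentation point)."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            log.append((fn.__name__, args))   # record the behavior event
            return fn(*args, **kwargs)
        return wrapper
    return decorate

behaviour_log = []

@instrumentation_point(behaviour_log)
def send_sms(number, text):        # hypothetical sensitive API
    return 'sent'

send_sms('10086', 'hi')            # simulated user operation triggers behavior
print(behaviour_log)  # → [('send_sms', ('10086', 'hi'))]
```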
4. The method of claim 1, wherein obtaining the static code data of the target application comprises:
parsing a code file of the installation package of the target application to obtain the static code data.
5. The method of claim 1, wherein obtaining the static code data of the target application comprises:
parsing a code file of the installation package of the target application to obtain a binary file corresponding to the installation package, and using the binary file as the static code data; or
decompiling a code file of the installation package of the target application to obtain decompiled code of the installation package, and using the decompiled code as the static code data.
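For the first branch of claim 5, an Android installation package is a zip archive whose bytecode lives in `classes.dex`; a minimal sketch of pulling out that binary file (assuming the standard single-dex layout) could be:

```python
import io
import zipfile

def extract_dex_bytes(apk):
    """Read the raw binary code file (classes.dex) out of an installation
    package; the returned bytes can serve as the static code data."""
    with zipfile.ZipFile(apk) as pkg:
        return pkg.read('classes.dex')

# build a toy in-memory "installation package" purely for illustration
buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
    z.writestr('classes.dex', b'dex\n035\x00')
buf.seek(0)
print(extract_dex_bytes(buf)[:3])  # → b'dex'
```

Real APKs may carry multiple dex files (`classes2.dex`, ...), so a production extractor would iterate over the archive's name list instead of assuming one entry.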
6. The method of claim 1, wherein performing feature extraction on the dynamic behavior data using the first convolutional neural network to obtain the target dynamic vector comprises:
converting the dynamic behavior data into a first dynamic vector sequence expressed as vectors;
inputting the first dynamic vector sequence in batches into the first convolutional neural network for feature extraction, to obtain the target dynamic vector.
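The conversion step of claim 6 amounts to mapping each recorded behavior event to a vector, yielding the first dynamic vector sequence. The event names, vocabulary, and random embedding table below are illustrative stand-ins for a learned embedding.

```python
import numpy as np

def behaviours_to_vectors(events, vocab, dim=8, seed=0):
    """Turn a dynamic behavior trace (a list of event names, e.g. API
    calls observed in the sandbox) into a vector sequence: one embedding
    vector per event; unknown events map to a zero vector."""
    rng = np.random.default_rng(seed)
    table = {name: rng.standard_normal(dim) for name in vocab}
    unk = np.zeros(dim)
    return np.stack([table.get(e, unk) for e in events])

trace = ['open_file', 'send_sms', 'open_file']     # hypothetical trace
vocab = ['open_file', 'send_sms', 'read_contacts']
seq = behaviours_to_vectors(trace, vocab)
print(seq.shape)  # → (3, 8)
```

The resulting `[seq_len, dim]` array is what would then be batched into the first convolutional neural network.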
7. A system for identifying a malicious application, comprising:
an obtaining module configured to obtain dynamic behavior data and static code data of a target application, wherein the dynamic behavior data are behavior data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written;
a first convolutional neural network module configured to perform feature extraction on the dynamic behavior data to obtain a target dynamic vector;
a second convolutional neural network module configured to perform feature extraction on the static code data to obtain a target static vector;
an output module configured to output a malice detection result of the target application according to the target dynamic vector and the target static vector.
8. A training method for training the identification system of claim 7;
wherein the training samples of the training method comprise dynamic behavior data and static code data of multiple application programs, and label data describing whether each of the multiple application programs is a malicious application; the dynamic behavior data are behavior data generated by the target application according to user behavior, and the static code data are code data generated when the target application was written.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the method of any one of claims 1-6.
10. A computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method of any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811453800.3A CN109753794A (en) | 2018-11-30 | 2018-11-30 | A kind of recognition methods of malicious application, system, training method, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109753794A true CN109753794A (en) | 2019-05-14 |
Family
ID=66403452
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811453800.3A Pending CN109753794A (en) | 2018-11-30 | 2018-11-30 | A kind of recognition methods of malicious application, system, training method, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109753794A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110647746A (en) * | 2019-08-22 | 2020-01-03 | 成都网思科平科技有限公司 | Malicious software detection method, system and storage medium |
CN112115266A (en) * | 2020-09-25 | 2020-12-22 | 奇安信科技集团股份有限公司 | Malicious website classification method and device, computer equipment and readable storage medium |
WO2021207874A1 (en) * | 2020-04-13 | 2021-10-21 | 华为技术有限公司 | Non-secure software detection apparatus and detection method, and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104598824A (en) * | 2015-01-28 | 2015-05-06 | 国家计算机网络与信息安全管理中心 | Method and device for detecting malicious programs |
KR101880686B1 (en) * | 2018-02-28 | 2018-07-20 | 에스지에이솔루션즈 주식회사 | A malware code detecting system based on AI(Artificial Intelligence) deep learning |
CN108334781A (en) * | 2018-03-07 | 2018-07-27 | 腾讯科技(深圳)有限公司 | Method for detecting virus, device, computer readable storage medium and computer equipment |
CN108595953A (en) * | 2018-04-04 | 2018-09-28 | 厦门雷德蒙软件开发有限公司 | Method for carrying out risk assessment on mobile phone application |
CN108595955A (en) * | 2018-04-25 | 2018-09-28 | 东北大学 | A kind of Android mobile phone malicious application detecting system and method |
CN108734012A (en) * | 2018-05-21 | 2018-11-02 | 上海戎磐网络科技有限公司 | Malware recognition methods, device and electronic equipment |
Non-Patent Citations (2)
Title |
---|
Wang Cong et al., "Android Malicious Application Detection Based on Hybrid CNN and LSTM", Communications Technology, vol. 51, no. 09, pp. 2209-2214 *
Lu Xiaofeng et al., "Malicious Sample Detection Framework Based on Combined API Sequence Features and Statistical Features", Journal of Tsinghua University (Science and Technology), vol. 58, no. 05, pp. 500-508 *
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Xu et al. | Hadm: Hybrid analysis for detection of malware | |
CN109753794A (en) | A kind of recognition methods of malicious application, system, training method, equipment and medium | |
US20200273570A1 (en) | Predictive analysis platform | |
CN109635563A (en) | The method, apparatus of malicious application, equipment and storage medium for identification | |
CN110058922B (en) | Method and device for extracting metadata of machine learning task | |
CN109711160A (en) | Application program detection method, device and nerve network system | |
CN109101817A (en) | A kind of identification malicious file class method for distinguishing and calculate equipment | |
CN104050543A (en) | Event processing method in stream processing system and stream processing system | |
US11741370B2 (en) | Transfer learning based on cross-domain homophily influences | |
CN110135160A (en) | The method, apparatus and system of software detection | |
CN109753790A (en) | A kind of landing page monitoring method and system | |
Bensaoud et al. | Deep multi-task learning for malware image classification | |
CN109299032B (en) | Data analysing method, electronic equipment and computer storage medium | |
CN106960141A (en) | Coding, coding/decoding method and the device of virtual machine instructions, virtual machine protection system | |
WO2023126217A1 (en) | Graph neural network ensemble learning | |
GB2603574A (en) | Synthetic system fault generation | |
CN110189163A (en) | Evaluation method, device, electronic equipment and the storage medium of promotional content | |
CN109543409A (en) | For detecting the method, device and equipment of malicious application and training detection model | |
Deng et al. | Enimanal: Augmented cross-architecture IoT malware analysis using graph neural networks | |
CN110399191A (en) | A kind of program graphic user interface automatic interaction processing method and processing device | |
CN108399066A (en) | A kind of regulation engine implementation method and device | |
US11762758B2 (en) | Source code fault detection | |
CN111262818B (en) | Virus detection method, system, device, equipment and storage medium | |
CN114881235A (en) | Inference service calling method and device, electronic equipment and storage medium | |
CN113823371A (en) | Medical data structured processing method, device and equipment |
Legal Events
Date | Code | Title | Description
---|---|---|---
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||