CN110162975A - Multi-step abnormal point detection method based on neighbor propagation clustering algorithm - Google Patents

Publication number: CN110162975A
Authority: CN (China)
Prior art keywords: sample, app, point, data, abnormal
Legal status: Granted, Active
Application number: CN201910452071.8A
Other languages: Chinese (zh)
Other versions: CN110162975B (en)
Inventors: 朱会娟, 冯霞, 王良民, 黎洋, 顾伟, 曹晓雯, 房浩
Current Assignee: Jiangsu University
Original Assignee: Jiangsu University
Application filed by: Jiangsu University
Priority to: CN201910452071.8A
Publications: CN110162975A; CN110162975B (granted)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • G06F18/2135 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on approximation criteria, e.g. principal component analysis
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/23 Clustering techniques
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The present invention discloses a multi-step abnormal point (outlier) detection method based on the neighbor propagation (affinity propagation, AP) clustering algorithm. It mines normal applications to obtain normal data-flow patterns and then detects malware with a multi-step abnormal point detection method, so that effective early warning is possible at the initial stage when Android malware appears, without depending on known malware models. The invention effectively addresses the "curse of dimensionality" faced in outlier detection, avoiding interference with outlier detection from the noise data of redundant features or excessive irrelevant features. It also overcomes the excessive dependence of traditional clustering-based or distance-based outlier detection on the choice of initial values. The effectiveness of the invention is verified by ten-fold cross-validation on a real data set obtained from Virusshare and Google Play. In summary, the invention has broad application prospects in the field of network security.

Description

Multi-step abnormal point detection method based on neighbor propagation clustering algorithm
Technical field
The invention belongs to the field of network security technology, and in particular relates to a multi-step abnormal point detection method based on the neighbor propagation clustering algorithm.
Background
With the rapid development of the Internet, diversified propagation channels and complex application environments have made the spread and attack of malware far more convenient, and malware is more aggressive and harmful than traditional computer viruses. Because Android is open, app stores audit applications loosely, and users can freely publish and download Android applications from third-party application markets, Android has become the primary target of malware; current research data show that up to 97% of mobile malware targets Android devices. Malware is the general term for software that is installed privately without clear notice or permission, and that harbours malicious intent or performs malicious functions that infringe on users' legitimate rights and interests. Malware usually has some notable characteristics, for example frequently accessing files, using the network, sending SMS messages and obtaining the user's communication records. The "Network Privacy Security and Network Fraud Behavior Research and Analysis Report (first half of 2018)" shows that the theft of private information through Android applications (users' contact lists, geographic location, and entertainment and payment data) and fraud such as forged bank SMS messages rank first among network security problems. The analysis and detection of malware on the Android platform therefore plays a vital role in network security research.
However, traditional malware detection methods are often "retrospective": only after malware has spread widely can enough known samples be relied on to mine the corresponding malware patterns. To address this reality in Android malware detection, the invention introduces anomaly detection technology. Anomaly detection (Outlier Detection) aims to detect data that do not conform to normal behaviour. It is widely applied in databases, data mining, machine learning and statistics, including credit card or insurance fraud detection, network intrusion detection and fault diagnosis, recognition of new features in satellite image analysis, health and medical monitoring, the occurrence of emergency events in public safety, and identification of new molecular structures in drug research. Distance-based and clustering-based anomaly detection are two typical approaches, but they face two major challenges in practice: (1) the noise data introduced by the redundant features or excessive irrelevant features of high-dimensional data lowers the accuracy of outlier detection; (2) outlier detection based on traditional clustering or distance methods (such as KNN, K-means, K-center) needs accurate prior knowledge and depends excessively on the choice of initial values, such as the number of clusters and the initialization of the cluster centres, so the efficiency of such solutions depends largely on whether the initial values are set reasonably.
Summary of the invention
Purpose of the invention: the invention aims to remedy the deficiencies of the prior art by providing a multi-step abnormal point detection method based on the neighbor propagation clustering algorithm. The invention can automatically detect and assess the security of the Android system, takes full account of the security threats the Android platform poses to mobile users' information, helps Android users perform automatic, comprehensive and efficient detection of common applications, and ensures the objectivity and accuracy of the prediction for a new Android application.
Technical solution: the multi-step abnormal point detection method based on the neighbor propagation clustering algorithm of the invention comprises the following steps:
Step 1: obtain normal Android applications from the official Android site Google Play and malicious Apps from a virus sample database (such as http://virusshare.com/), construct the App sample set (containing normal samples and malicious samples), and divide it into a training set and a test set;
Step 2: extract the data flows in the sample set with the FLOWDROID tool to construct the data-flow frequency feature set $X = (x_1, x_2, \ldots, x_n) \in \mathbb{R}^{m \times n}$, where m is the number of data flows extracted, i.e. the original feature dimension of the data set, and n is the number of samples in the sample set; an example of a data flow is {user information → log};
Step 3: construct feature vectors with the data flows as features: the frequency with which each sample App invokes the corresponding data flow is the feature value, and the feature value is set to 0 if the sample App does not invoke that data flow;
Step 4: reduce the dimensionality of the high-dimensional data of step 3 with the EsttSNE dimensionality reduction technique;
Step 5: divide the App samples into 13 subclasses relating to user sensitive information (such as account information, contact information and database operations; the subclasses are divided according to the SUSI standard proposed by Rasthofer et al.). Specifically, if an App invokes the contact information stored on the device through application programming interfaces, the App is placed in the "contact information" class. The division may overlap, i.e. one App may be present in several subclasses at once, because the same App may simultaneously invoke location information, contact information and other sensitive information;
Step 6: for each subclass, take part of the normal Apps and cluster them with the neighbor propagation algorithm AP, i.e. divide the Apps into different themes to mine the normal pattern of each theme, and calculate the reference points of the theme;
Step 7: calculate the abnormal scores of the candidate sample set with the NPOD method, i.e. use the 13 groups of reference point sets calculated in step 6 as reference sets and calculate the abnormal score of each candidate App in the 13 subclasses; if an App is not assigned to a subclass, its abnormal score for that subclass is set to 0; then construct the abnormal score vector;
Step 8: train a 1SVM (one-class Support Vector Machine) classifier model on the previously divided training set (all normal samples);
Step 9: on the previously divided test set (containing normal samples and malicious samples), use the 1SVM classifier trained in step 8 to perform Android malware prediction and evaluation.
Further, the dimensionality reduction of the high-dimensional data in step 4 proceeds as follows:
Let $X = [x_1, x_2, \ldots, x_n] \in \mathbb{R}^{m \times n}$ denote the high-dimensional data set. The EsttSNE dimensionality reduction method constructs a probability distribution P between the high-dimensional objects and a probability distribution Q over these points in the low-dimensional space, and then obtains the optimal low-dimensional representation by minimizing the target KL divergence, that is:
$p_{ij}$ denotes the similarity of samples $x_i$ and $x_j$ in the high-dimensional space X, with the calculation formula: $\delta_i$ denotes the variance of the Gaussian distribution; $p_{i|j}$ is calculated in the same way as $p_{j|i}$;
$q_{ij}$ denotes the similarity of samples $y_i$ and $y_j$ in the low-dimensional space (the space obtained by reducing X) $Y = [y_1, y_2, \ldots, y_n] \in \mathbb{R}^{d \times n}$, where d is the dimension of the data after reduction, calculated as: $q_{ij} = ((1 + \|y_i - y_j\|^2)K)^{-1}$, Here, p and q are used as loop indices.
Further, the reference points in step 6 are calculated as follows:
(6.1) Use the negative Euclidean distance $s(i, j) = -\|x_i - x_j\|^2$ to calculate the similarity matrix N between every pair of samples in the normal sample set s, and set the preference (reference degree) p to the median of s;
(6.2) Initialize the degree-of-membership (availability) matrix $A_{N \times N}$ and the attraction-degree (responsibility) matrix $R_{N \times N}$ to 0;
(6.3) Update the attraction-degree matrix through its update rule and the degree-of-membership matrix through its update rule, where the attraction degree r(i, j) indicates how well suited data point j is to serve as the class representative of data point i, and the degree of membership a(i, j) indicates how appropriate it is for data point i to choose point j as its class representative;
If the number of iterations exceeds the set maximum, or the cluster centres do not change over several iterations, stop the calculation and determine the class centres and the sample points of each class; otherwise continue iterating, updating the attraction degree r(i, j) and the degree of membership a(i, j);
(6.4) Set each cluster centre as a reference point, where k is the automatically determined number of clusters and h is the total number of cluster centres.
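The reference-point computation of steps (6.1) to (6.4), as an added example that is not part of the patent text. The update formulas of (6.3) did not survive on this page, so the code uses the standard affinity propagation message updates with a damping factor of 0.5 (both assumptions); the sample vectors are constructed, and `nearest_reference_distance` is a simple stand-in that shows how reference points are used, not the NPOD score of step 7.

```python
# Added illustration, not code from the patent. Standard library only.
from statistics import median


def similarities(points):
    """Step (6.1): s(i, j) = -||x_i - x_j||^2, with preference p = median of s."""
    n = len(points)
    s = [[-sum((a - b) ** 2 for a, b in zip(points[i], points[j]))
          for j in range(n)] for i in range(n)]
    # Preference p (median of the pairwise similarities) goes on the diagonal.
    p = median(s[i][j] for i in range(n) for j in range(n) if i != j)
    for i in range(n):
        s[i][i] = p
    return s


def affinity_propagation(points, max_iter=200, stable_iters=15, damping=0.5):
    """Return the indices of the cluster centres (exemplars) found by AP.

    Assumption: standard updates with damping; the patent's own rules are
    not recoverable from the page.
    """
    n = len(points)
    s = similarities(points)
    r = [[0.0] * n for _ in range(n)]  # step (6.2): attraction degree R = 0
    a = [[0.0] * n for _ in range(n)]  # step (6.2): degree of membership A = 0
    previous, stable = [], 0
    for _ in range(max_iter):
        # r(i,k) = s(i,k) - max_{k' != k} [a(i,k') + s(i,k')]
        for i in range(n):
            total = [a[i][k] + s[i][k] for k in range(n)]
            best = max(range(n), key=total.__getitem__)
            runner_up = max(v for k, v in enumerate(total) if k != best)
            for k in range(n):
                new = s[i][k] - (runner_up if k == best else total[best])
                r[i][k] = damping * r[i][k] + (1 - damping) * new
        # a(k,k) = sum_{i' != k} max(0, r(i',k))
        # a(i,k) = min(0, r(k,k) + sum_{i' not in {i,k}} max(0, r(i',k)))
        for k in range(n):
            pos = [max(0.0, r[i][k]) for i in range(n)]
            support = sum(pos) - pos[k]
            for i in range(n):
                new = support if i == k else min(0.0, r[k][k] + support - pos[i])
                a[i][k] = damping * a[i][k] + (1 - damping) * new
        exemplars = [k for k in range(n) if r[k][k] + a[k][k] > 0]
        # Stop when the centres have not changed for several iterations.
        stable = stable + 1 if exemplars and exemplars == previous else 0
        previous = exemplars
        if stable >= stable_iters:
            break
    return previous


def reference_points(normal_points):
    """Step (6.4): every cluster centre becomes a reference point."""
    return [normal_points[k] for k in affinity_propagation(normal_points)]


def nearest_reference_distance(candidate, refs):
    """Stand-in score (NOT NPOD): squared distance to the closest reference point."""
    return min(sum((c - q) ** 2 for c, q in zip(candidate, ref)) for ref in refs)


# Constructed 2-D vectors standing in for the reduced data-flow features of
# normal Apps in one subclass: two behavioural themes around (0,0) and (8,8).
NORMAL = [(0.0, 0.0), (1.0, 0.1), (-0.9, 0.2), (0.2, 1.0), (-0.1, -1.1),
          (8.0, 8.0), (9.0, 8.2), (7.1, 7.9), (8.1, 9.0)]

if __name__ == "__main__":
    refs = reference_points(NORMAL)
    print("reference points:", refs)
    for name, app in [("near a normal theme", (0.3, -0.2)),
                      ("far from every theme", (4.0, -3.0))]:
        print(name, nearest_reference_distance(app, refs))
```

No cluster count is passed in: the number of reference points falls out of the median preference, which is the property the patent relies on to avoid initial-value tuning.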
Further, the abnormal score in step 7 is calculated with NPOD as follows:
(7.1) Traverse the candidate sample set $X_c$ for which abnormal scores are to be calculated;
(7.2) Calculate the reference set $C_{ref}(x_c)$ through its formula;
(7.3) Calculate the abnormal score $\mathrm{Outscr}_g(x_c)$ of candidate sample $x_c$ by the formula $\mathrm{OutScr}(x_c) = (\mathrm{locDist}(x_c) + \mathrm{gloDist}(x_c))/2$,
where $\mathrm{locDist}(x_c) = [lo/(l-2)] \times [o(x_c)/l]$, and l is the number of elements of the reference set;
$\mathrm{gloDist}(x_c) = gl/(k-2)$, where k is the number of reference points calculated;
For the element in the reference set;
(7.4) Traverse the 13 subclasses relating to user sensitive information and construct the abnormal score vector $\mathrm{OutscrVector}(x) \leftarrow \{\mathrm{Outscr}_1(x), \ldots, \mathrm{Outscr}_{catNum}(x)\}$.
Beneficial effects: based on the neighbor propagation clustering algorithm, the invention uses the EsttSNE dimensionality reduction method, the abnormal score calculation method NPOD, the 1SVM classification algorithm and so on to build a multi-step anomaly detection model for Android malware. Compared with the prior art, the invention has the following advantages:
1) High efficiency: by extracting data-flow features and calculating their frequencies, a piece of malware can be characterized comprehensively and at fine granularity; combining the dimensionality reduction techniques PCA and t-SNE from machine learning, the AP clustering algorithm and the 1SVM algorithm yields a multi-step outlier detection technique that detects Android malware efficiently;
2) Easy to extend: in environments that support the Android platform, emerging malware or malware variants can be detected effectively;
3) Intelligent: detection does not depend on known malware patterns; instead, normal behaviour patterns are mined and outlier detection is performed to identify malware effectively. This overcomes problems of traditional outlier detection such as the curse of dimensionality and excessive dependence on initial value settings, and compensates for the low detection accuracy caused by insufficient known samples when new malware or malware variants first appear.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall framework of the invention;
Fig. 2 is a schematic diagram of the data-flow features extracted in the invention;
Fig. 3 is a schematic diagram of reference points and abnormal point samples in the invention;
Fig. 4 is a schematic diagram of the abnormal score vector calculated by the invention;
Fig. 5 is a schematic diagram of the 1SVM classification model in the invention.
Specific embodiment
The technical solution of the invention is described in detail below, but the scope of protection of the invention is not limited to the embodiment.
As shown in Fig. 1, the invention comprises the following three steps: (1) use EsttSNE, a hybrid dimensionality reduction technique that combines the advantages of PCA and t-SNE; (2) in combination with the AP clustering algorithm, propose a parameter-free outlier score calculation method, NPOD, whose outlier score function considers not only the local distance between a candidate sample and the reference clusters but also its global distance; (3) train a one-class SVM classifier for predicting malware. The specific steps are as follows:
Step 1: obtain normal Android applications from the official Android site Google Play and malicious Apps from a virus sample database (such as http://virusshare.com/), and construct the App sample set;
Step 2: extract the data flows in the sample set with the FLOWDROID tool to construct the data-flow frequency feature set $X = (x_1, x_2, \ldots, x_n) \in \mathbb{R}^{m \times n}$, where m is the number of data flows extracted, i.e. the original feature dimension of the data set; an example of a data flow is {user information → log};
Step 3: construct feature vectors with the data flows as features: the frequency with which each sample App invokes the corresponding data flow is the feature value, and the feature value is set to 0 if the sample App does not invoke that data flow. Fig. 2 shows an example of the original features (data flows) of this embodiment (the invocation frequencies of these data flows are the input features of EsttSNE);
Step 4: reduce the dimensionality of the high-dimensional data of step 3 with the EsttSNE dimensionality reduction technique;
Step 5: divide the App samples into 13 subclasses relating to user sensitive information (such as account information, contact information and database operations). As shown in Fig. 4, if an App invokes the contact information stored on the device through application programming interfaces, the App is placed in the "contact information" class. The division may overlap, i.e. one App may be present in several subclasses at once, because the same App may simultaneously invoke location information, contact information and other sensitive information;
Step 6: as shown in Fig. 3, for each subclass take part of the normal Apps and cluster them with the neighbor propagation algorithm AP, dividing the Apps into different themes to mine the normal pattern of each theme, and calculate the reference points of the theme;
Step 7: calculate the abnormal scores of the candidate sample set with the NPOD method, i.e. use the 13 groups of reference point sets calculated in step 6 to calculate the abnormal score of each candidate App in the 13 subclasses; if an App is not assigned to a subclass, its abnormal score for that subclass is set to 0; then construct the abnormal score vector;
Step 8: train a 1SVM (one-class Support Vector Machine) classifier model on the previously divided training set (all normal samples);
Step 9: use the previously divided test set (containing normal samples and malicious samples) and the 1SVM classifier trained in step 8 to perform Android malware prediction and evaluation.
As shown in Fig. 5, to evaluate the effectiveness of the invention in Android malware detection, this embodiment introduces the following evaluation criteria: precision (Precision), accuracy (Accuracy) and F-measure, defined respectively as:
where TP (True Positive) denotes positive samples correctly classified by the classifier; TN (True Negative) denotes negative samples correctly classified by the classifier; FP (False Positive) denotes negative samples wrongly labelled as positive; FN (False Negative) denotes positive samples wrongly labelled as negative.
Under the same experimental environment, for example setting c=256, g=0.0658, nu=0.06 and using a polynomial kernel function in the 1SVM, the comparison of experimental results in Table 1 shows that the invention outperforms the traditional ORCA abnormal point detection method, which is based on the K-nearest-neighbor (K-Nearest Neighbor, KNN) algorithm. The accuracy (Accuracy) of the invention reaches 95.74%, while the accuracy (Accuracy) of the ORCA method is 90.09%; i.e. under the same experimental environment the invention improves accuracy (Accuracy) by 5.65%.
Table 1: Experimental comparison of the invention and the ORCA anomaly detection method in Android malware detection
The above embodiment verifies the effectiveness of the invention by ten-fold cross-validation on a real data set obtained from Virusshare and Google Play; the experimental results show that the invention achieves an accuracy of up to 95.74%. In addition, the invention is compared with the traditional ORCA anomaly model under the same experimental conditions, and the comparison shows that the multi-step abnormal point detection method created by the invention performs significantly better than the ORCA method.
In summary, the invention solves the two major problems of the "curse of dimensionality" and "excessive dependence on initial parameter settings" at the same time, and applies this to Android malware detection for the first time. The data-flow invocation frequency of each application is extracted as the original feature; after EsttSNE dimensionality reduction the samples are divided into subclasses and the NPOD method calculates the abnormal score of each sample in each subclass; finally a 1SVM classifier is trained to predict malware.

Claims (4)

1. A multi-step abnormal point detection method based on the neighbor propagation clustering algorithm, characterized by comprising the following steps:
Step 1: obtain normal Android applications from the official Android site Google Play and malicious Apps from a virus sample database, and construct the App sample set; the sample set contains normal samples and malicious samples and is divided into a training set and a test set;
Step 2: extract the data flows in the sample set with the FLOWDROID tool to construct the high-dimensional data set of data-flow frequencies $X = (x_1, x_2, \ldots, x_n) \in \mathbb{R}^{m \times n}$, where m is the number of data flows extracted, i.e. the original feature dimension of the data set, and n is the number of samples in the sample set;
Step 3: construct feature vectors with the data flows as features: the frequency with which each sample App invokes the corresponding data flow is the feature value, and the feature value is set to 0 if the sample App does not invoke that data flow;
Step 4: reduce the dimensionality of the high-dimensional data of step 3 with the EsttSNE dimensionality reduction technique;
Step 5: divide the App samples into 13 subclasses relating to user sensitive information;
Step 6: for each subclass, take part of the normal Apps and cluster them with the neighbor propagation algorithm AP, i.e. divide the Apps into different themes to mine the normal pattern of each theme, and calculate the reference points of the theme;
Step 7: calculate the abnormal scores of the candidate sample set with the NPOD method, i.e. use the 13 groups of reference point sets calculated in step 6 to calculate the abnormal score of each candidate App in the 13 subclasses; if an App is not assigned to a subclass, its abnormal score for that subclass is set to 0; then construct the abnormal score vector;
Step 8: train a 1SVM classifier model on the previously divided training set;
Step 9: on the previously divided test set, use the 1SVM classifier trained in step 8 to predict whether an Android application is malware.
2. The multi-step abnormal point detection method based on the neighbor propagation clustering algorithm according to claim 1, characterized in that the dimensionality reduction of the high-dimensional data in step 4 proceeds as follows:
Let $X = [x_1, x_2, \ldots, x_n] \in \mathbb{R}^{m \times n}$ denote the high-dimensional data set. The EsttSNE dimensionality reduction method constructs a probability distribution P between the high-dimensional objects and a probability distribution Q over these points in the low-dimensional space, and then obtains the optimal low-dimensional representation by minimizing the target KL divergence, that is:
$p_{ij}$ denotes the similarity of samples $x_i$ and $x_j$ in the high-dimensional space X, and $\delta_i$ denotes the variance of the Gaussian distribution;
$q_{ij}$ denotes the similarity of samples $y_i$ and $y_j$ in the low-dimensional space $Y = [y_1, y_2, \ldots, y_n] \in \mathbb{R}^{d \times n}$, where d is the dimension of the data after reduction, $q_{ij} = ((1 + \|y_i - y_j\|^2)K)^{-1}$,
3. The multi-step abnormal point detection method based on the neighbor propagation clustering algorithm according to claim 1, characterized in that the reference points in step 6 are calculated as follows:
(6.1) Use the negative Euclidean distance $s(i, j) = -\|x_i - x_j\|^2$ to calculate the similarity matrix N between every pair of samples in the normal sample set s, and set the preference (reference degree) p to the median of s;
(6.2) Initialize the degree-of-membership (availability) matrix $A_{N \times N}$ and the attraction-degree (responsibility) matrix $R_{N \times N}$ to 0;
(6.3) Update the attraction-degree matrix through its update rule and the degree-of-membership matrix through its update rule,
where the attraction degree r(i, j) indicates how well suited data point j is to serve as the class representative of data point i, and the degree of membership a(i, j) indicates how appropriate it is for data point i to choose point j as its class representative;
If the number of iterations exceeds the set maximum, or the cluster centres do not change over several iterations, stop the calculation and determine the class centres and the sample points of each class; otherwise continue iterating, updating the attraction degree r(i, j) and the degree of membership a(i, j);
(6.4) Set each cluster centre as a reference point, where k is the automatically determined number of clusters and h is the total number of cluster centres.
4. The multi-step abnormal point detection method based on the neighbor propagation clustering algorithm according to claim 1, characterized in that the abnormal score in step 7 is calculated with NPOD as follows:
(7.1) Traverse the candidate sample set $X_c$ for which abnormal scores are to be calculated;
(7.2) Calculate the reference set $C_{ref}(x_c)$ through its formula, where the reference points are those of (6.4);
(7.3) Calculate the abnormal score $\mathrm{Outscr}_g(x_c)$ of candidate sample $x_c$ by the formula $\mathrm{OutScr}(x_c) = (\mathrm{locDist}(x_c) + \mathrm{gloDist}(x_c))/2$,
where $\mathrm{locDist}(x_c) = [lo/(l-2)] \times [o(x_c)/l]$, and l is the number of elements of the reference set,
$\mathrm{gloDist}(x_c) = gl/(k-2)$, where k is the number of reference points calculated in (6.4),
For the element in the reference set,
(7.4) Traverse the 13 subclasses relating to user sensitive information and construct the abnormal score vector $\mathrm{OutscrVector}(x) \leftarrow \{\mathrm{Outscr}_1(x), \ldots, \mathrm{Outscr}_{catNum}(x)\}$.
Application number: CN201910452071.8A
Priority date: 2019-05-28
Filing date: 2019-05-28
Title: Multi-step abnormal point detection method based on neighbor propagation clustering algorithm
Status: Active, granted as CN110162975B (en)

Publications (2)

CN110162975A (en), published 2019-08-23
CN110162975B (en), published 2022-10-25

Family ID: 67629654

Country status: CN (1), CN110162975B (en)
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106845240A (en) * 2017-03-10 2017-06-13 西京学院 A kind of Android malware static detection method based on random forest
CN106919841A (en) * 2017-03-10 2017-07-04 西京学院 A kind of efficient Android malware detection model DroidDet based on rotation forest
US20180121652A1 (en) * 2016-10-12 2018-05-03 Sichuan University Kind of malicious software clustering method expressed based on tlsh feature

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110991508A (en) * 2019-11-25 2020-04-10 珠海复旦创新研究院 Anomaly detector recommendation method, device and equipment
CN112839327A (en) * 2021-01-21 2021-05-25 河北工程大学 Personnel validity detection method and device based on WiFi signals
CN112839327B (en) * 2021-01-21 2022-08-16 河北工程大学 Personnel validity detection method and device based on WiFi signals
CN113288122A (en) * 2021-05-21 2021-08-24 河南理工大学 Wearable sitting posture monitoring device and sitting posture monitoring method
CN113288122B (en) * 2021-05-21 2023-12-19 河南理工大学 Wearable sitting posture monitoring device and sitting posture monitoring method
CN113569920A (en) * 2021-07-06 2021-10-29 上海顿飞信息科技有限公司 Second neighbor anomaly detection method based on automatic coding
CN113569920B (en) * 2021-07-06 2024-05-31 上海顿飞信息科技有限公司 Second neighbor anomaly detection method based on automatic coding

Also Published As

Publication number Publication date
CN110162975B (en) 2022-10-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant