CN110554961A - Abnormal software detection method and device, computer equipment and storage medium - Google Patents
- Publication number
- CN110554961A (application number CN201910759677.6A)
- Authority
- CN
- China
- Prior art keywords
- abnormal
- software
- detected
- classifiers
- attribute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3604—Software analysis for verifying properties of programs
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides an abnormal software detection method, an abnormal software detection device, computer equipment and a storage medium, wherein the method comprises the following steps: respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an abnormal recognition model; extracting target attribute information of software to be detected, inputting the target attribute information into an abnormal recognition model, and sequentially performing multi-stage recognition through classifiers at all stages; sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value; and when the abnormal detection value correspondingly calculated by any one stage of classifier reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software. The method has the advantages that the multiple attribute information of the software to be detected is detected in sequence, when any attribute is detected to be abnormal, the detection can be stopped, the software to be detected is judged to be abnormal, and the detection efficiency is higher; the method and the device can detect various target attribute information of software more comprehensively and more accurately.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an abnormal software detection method, an abnormal software detection apparatus, a computer device, and a storage medium.
Background
With the rapid development of internet technology and communication technology, operating systems have rapidly spread from the personal computer field to the mobile terminal field. In an operating system, some application software has strong aggressivity and intrusiveness, which may damage the operating system or steal privacy information of a user, and therefore, detection of abnormal software in the operating system is required.
At present, detection is generally based on static characteristics: whether application software is abnormal is judged from its abnormal authorization combination. All permissions of the software need to be detected, and whether the software is abnormal is judged comprehensively only after all of them have been detected. The detection accuracy of this scheme is not high enough, and its efficiency is low.
Disclosure of Invention
The invention aims to solve at least one of the above technical defects, in particular that the detection accuracy for abnormal software is not high enough and the efficiency is low.
The invention provides an abnormal software detection method, which comprises the following steps:
Respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an abnormal recognition model;
Extracting target attribute information of software to be detected, inputting the target attribute information into the abnormal recognition model and sequentially performing multi-stage recognition through classifiers at all stages;
Sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value;
And when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software.
In one embodiment, the step of respectively constructing corresponding classifiers according to the attribute information detected by the software includes:
Acquiring a first attribute set of a plurality of normal sample software detections and a second attribute set of a plurality of abnormal sample software detections;
Selecting effective attributes from the first attribute set and the second attribute set;
And generating corresponding classifiers according to the attribute information of the effective attributes.
In one embodiment, the selecting the valid attribute from the first attribute set and the second attribute set includes:
For each attribute in the first attribute set and the second attribute set, calculating a first support degree between the attribute and the first attribute set and a second support degree between the attribute and the second attribute set;
Calculating the difference between the first support degree and the second support degree to obtain a support degree difference value;
And when the support degree difference is larger than a preset difference, taking the corresponding attribute as the effective attribute.
In one embodiment, the step of cascading the classifiers to form an anomaly identification model includes:
Sorting the corresponding classifiers according to the size of the support degree difference;
And cascading all the classifiers which are sequenced to form the anomaly identification model.
In one embodiment, the step of extracting the target attribute information of the software to be detected includes:
Acquiring initial attribute information of software to be detected;
And searching the target attribute information corresponding to the effective attribute from the initial attribute information.
In one embodiment, the step of calling the abnormal operation function to calculate the abnormal detection value includes:
Inquiring abnormal operation functions corresponding to the classifiers respectively;
And calling each abnormal operation function in sequence to operate each corresponding output result to obtain each abnormal detection value.
In one embodiment, before the step of stopping detection and determining that the software to be detected is abnormal software when the abnormal detection value correspondingly calculated by the classifier at any stage reaches the set abnormal threshold value, the method further includes:
Acquiring a set abnormal threshold corresponding to each classifier.
The invention also provides a computer device comprising a memory and a processor, wherein the memory stores computer readable instructions, and the computer readable instructions, when executed by the processor, cause the processor to execute the steps of the abnormal software detection method according to any embodiment.
The present invention also provides a storage medium having stored thereon computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the method for detecting anomalous software in any of the embodiments.
According to the abnormal software detection method, the abnormal software detection device, the computer equipment and the storage medium, corresponding classifiers are respectively constructed according to various attribute information detected by software, and the classifiers are cascaded to form an abnormal recognition model; extracting target attribute information of software to be detected, inputting the target attribute information into the abnormal recognition model and sequentially performing multi-stage recognition through classifiers at all stages; sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value; and when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software. The method has the advantages that the multiple attribute information of the software to be detected is detected in sequence, when any attribute is detected to be abnormal, the detection can be stopped, the software to be detected is judged to be abnormal, and the detection efficiency is higher; the method and the device can detect various target attribute information of software more comprehensively and more accurately.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a diagram illustrating an exemplary application environment of the abnormal software detection method;
FIG. 2 is a flow diagram of a method for anomalous software detection in one embodiment;
FIG. 3 is a flow diagram of a method for anomalous software detection in one embodiment;
FIG. 4 is a flow chart of a method of detecting anomalous software in another embodiment;
FIG. 5 is a flowchart illustrating a method for detecting abnormal software in one embodiment;
FIG. 6 is a diagram illustrating an exemplary abnormal software detection apparatus;
FIG. 7 is a diagram showing an internal configuration of a computer device according to an embodiment.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative only and should not be construed as limiting the invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The abnormal software detection method provided by the application can be applied to the application environment shown in fig. 1. As shown in fig. 1, the server 104 respectively constructs corresponding classifiers according to various attribute information detected by the software, and concatenates the classifiers to form an anomaly identification model; the server 104 extracts target attribute information of the software to be detected from the terminal 102, inputs the target attribute information into the abnormal recognition model and sequentially carries out multi-stage recognition through classifiers at all stages; the server 104 sequentially reads the output results of the classifiers of the abnormal recognition model at all levels and calls an abnormal operation function to calculate an abnormal detection value; when the abnormal detection value correspondingly calculated by the classifier at any stage reaches the set abnormal threshold value, the server 104 stops recognizing and judges that the software to be detected of the terminal 102 is abnormal software.
Those skilled in the art will understand that the terminal used herein may be a Mobile phone, a tablet computer, a PDA (Personal Digital Assistant), an MID (Mobile Internet Device), etc.; the server may be implemented as a stand-alone server or as a server cluster consisting of a plurality of servers.
In one embodiment, as shown in fig. 2, an abnormal software detection method is provided, which is described by taking the application of the method to the server in fig. 1 as an example, and includes the following steps:
Step S201, respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an anomaly identification model.
The various attributes detected by the software may include attributes such as identity authentication, authorization, confidentiality, availability, integrity and the like; they may also refer to the individual application permissions.
In the specific implementation process, classifiers corresponding to the attribute information are respectively constructed, then the classifiers are cascaded according to a preset sequence to form an abnormality identification model, and abnormality detection is carried out on the attributes according to the abnormality identification model; the method and the device can detect various target attribute information of software more comprehensively and more accurately.
Taking three attributes of identity authentication, authorization and confidentiality as examples for explanation, respectively constructing three classifiers, respectively corresponding to the identity authentication, the authorization and the confidentiality, acquiring the target identity authentication, the target authorization and the target confidentiality of the software to be detected, and sequentially inputting the target identity authentication, the target authorization and the target confidentiality into the corresponding classifiers for anomaly detection.
In one embodiment, the step S201 of respectively constructing corresponding classifiers according to the attribute information detected by the software includes:
A1, acquiring a first attribute set of a plurality of normal sample software detections, and acquiring a second attribute set of a plurality of abnormal sample software detections.
The normal sample software refers to software with normal attributes after detection, and the abnormal sample software refers to sample software which is judged to be abnormal software after detection.
A2, selecting effective attributes from the first attribute set and the second attribute set.
The specific steps for selecting the effective attributes are as follows:
(1) For each attribute in the first attribute set and the second attribute set, calculating a first support degree between the attribute and the first attribute set and a second support degree between the attribute and the second attribute set;
Specifically, the first support degree represents a degree of correlation between the attribute and the first attribute set, and the second support degree represents a degree of correlation between the attribute and the second attribute set.
(2) Calculating the difference between the first support degree and the second support degree to obtain a support degree difference value;
(3) When the support degree difference is larger than a preset difference, taking the corresponding attribute as the effective attribute.
It can be understood that the larger the support degree difference is, the more clearly the attribute distinguishes the normal sample software from the abnormal sample software, and the more valuable the attribute is for the determination. Therefore, when the support degree difference is larger than the preset difference, the attribute is determined to be a valid attribute.
A3, generating each corresponding classifier according to the attribute information of each effective attribute.
In this embodiment, the effective attributes are obtained by screening the software detection attributes according to the degree of difference of each attribute between the normal sample software and the abnormal sample software, and the corresponding classifiers are constructed according to the attribute information of the effective attributes. Only the target attribute information corresponding to the effective attributes, out of all the attribute information of the software to be detected, is then detected, which can effectively improve the detection efficiency.
In one embodiment, the step S201 of cascading the classifiers to form the anomaly identification model includes:
B1, sorting the corresponding classifiers according to the size of the support degree difference.
The greater the support degree difference is, the more clearly the attribute distinguishes the normal sample software from the abnormal sample software, the more valuable the attribute is for the determination, and the higher its relative importance. The corresponding classifiers can therefore be sorted according to the support degree difference of each effective attribute, so that the classifiers corresponding to the more important effective attributes are placed nearer the front and software abnormality is detected more quickly.
B2, cascading the sorted classifiers to form the anomaly identification model.
In this embodiment, the corresponding classifiers are sorted according to the support degree difference of each effective attribute, and the sorted classifiers are then cascaded to form an abnormality identification model, so that whether software is abnormal can be detected more quickly; the method and the device can detect various target attribute information of software more comprehensively and more accurately.
Step S202, extracting target attribute information of the software to be detected, inputting the target attribute information into the abnormal recognition model, and sequentially performing multi-stage recognition through classifiers at different stages.
The target attribute information is attribute information of effective attributes of the software to be detected.
In the specific implementation process, the attribute information of the effective attribute of the software to be detected is sequentially input into the classifiers corresponding to the effective attribute according to the importance degree of each classifier to carry out multi-level identification.
As shown in fig. 3, in an embodiment, the extracting of the target attribute information of the software to be detected in step S202 includes:
Step S210, acquiring initial attribute information of the software to be detected.
Step S220, searching the target attribute information corresponding to the effective attribute from the initial attribute information.
Because some attribute information of the software to be detected has little reference value for judging whether it is abnormal software, the target attribute information corresponding to the effective attributes is searched from the initial attribute information, and whether the software to be detected is abnormal software is judged according to the target attribute information.
Step S203, sequentially reading output results of each stage of classifiers of the abnormal recognition model, and calling an abnormal operation function to calculate an abnormal detection value.
Specifically, the abnormal operation functions corresponding to each stage of classifier may be the same, or multiple abnormal operation functions may be set, and each abnormal operation function corresponds to each classifier.
As shown in fig. 4, in one embodiment, the step of calling the abnormal operation function in step S203 to calculate the abnormal detection value includes:
Step S310, querying an abnormal operation function corresponding to each classifier.
It can be understood that, since the attribute information detected by each classifier is different, the corresponding abnormal operation function is different.
Specifically, a plurality of abnormal operation functions are prestored in the server, each abnormal operation function is provided with a corresponding effective attribute, and the abnormal operation function corresponding to the effective attribute can be obtained only by querying the effective attribute corresponding to each classifier.
Step S320, sequentially calling each abnormal operation function to operate each corresponding output result, so as to obtain each abnormal detection value.
In this embodiment, the abnormal operation function corresponding to the valid attribute is queried according to the valid attribute corresponding to the classifier. Each time one valid attribute is detected, the output result is operated on by the corresponding abnormal operation function, and the target attributes are detected in sequence according to the importance degree of the valid attributes.
Step S204, when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software.
In the specific implementation process, each target attribute is detected by the classifiers in sequence according to the importance degree of the effective attributes, and when the output result corresponding to a certain target attribute is found to be abnormal, the software to be detected is judged to be abnormal software.
It should be noted that, when the output result corresponding to a certain target attribute is abnormal, detection may be stopped and the software to be detected determined to be abnormal software without detecting the subsequent target attributes. Target attribute information earlier in the detection sequence has a higher importance degree, so once the more important target attribute information is detected to be abnormal, the target attribute information with a relatively lower importance degree does not need to be detected.
For example, assume there are three classifiers whose corresponding valid attributes are authentication, authorization and confidentiality, and the authentication, authorization and confidentiality of the software to be detected are detected in sequence by the respective classifiers. When the detection result of the authorization attribute is abnormal, the remaining confidentiality attribute does not need to be detected, because the importance degree of the authorization attribute is greater than that of the confidentiality attribute; this improves the software detection speed.
Specifically, the set abnormal threshold corresponding to the multi-stage classifier may be the same, or a plurality of set abnormal thresholds may be provided, and each set abnormal threshold corresponds to each classifier.
In one embodiment, the step S204, before stopping detecting and determining that the software to be detected is abnormal software when the abnormal detection value correspondingly calculated by the any one-stage classifier reaches the set abnormal threshold value, further includes: and acquiring a set abnormal threshold corresponding to each classifier.
Further, each time anomaly detection is performed by one stage of classifier, it is necessary to determine whether the output result of that classifier reaches a set abnormality threshold. The effective attributes corresponding to different classifiers differ, and the set abnormality thresholds corresponding to different effective attributes may be set differently, so the set abnormality threshold corresponding to each classifier needs to be obtained first.
In the specific implementation process, a plurality of set abnormal threshold values are prestored in the server, and each set abnormal threshold value is provided with a corresponding effective attribute, so that the set abnormal threshold value corresponding to the effective attribute can be obtained only by inquiring the effective attribute corresponding to each classifier.
The abnormal software detection method is further explained with reference to fig. 5. The target attribute information of the software to be detected is extracted and sequentially input into an abnormal detection model formed by cascade connection of a plurality of classifiers. Each time the information is input into one stage of classifier, the corresponding abnormal operation function is modified and called to operate, and the detection result of that stage of classifier is compared with a set abnormal threshold value. When the operation result corresponding to a certain stage of classifier reaches a corresponding abnormal detection value, the detection is stopped, the target attribute information does not need to be input into the next stage of classifier, and the software to be detected is judged to be abnormal software.
For a better understanding of the above method, an example of the application of the anomaly software detection of the present invention is described in detail below:
1) Acquiring a plurality of normal sample software and a plurality of abnormal sample software, and selecting effective attributes from the attribute information of the plurality of normal sample software and the plurality of abnormal sample software;
2) The effective attributes obtained by the selection are authentication and authorization; the two attributes are sorted according to the support difference of the effective attributes and, in decreasing order of importance, are authorization and authentication;
3) Sequentially cascading classifiers corresponding to authorization and identity verification to form an abnormal recognition model;
4) Extracting target attribute information corresponding to authorization and identity verification from initial attribute information of software to be detected;
5) Inputting target attribute information corresponding to the authorization into a classifier corresponding to the authorization, and judging whether a first output result reaches a first set abnormal threshold value;
6) And if the first output result does not reach the first set abnormal threshold, inputting the target attribute information corresponding to the identity authentication into a classifier corresponding to the identity authentication, and judging whether the second output result reaches a second set abnormal threshold.
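The selection, ordering and early-stop steps above can be sketched in Python as follows. This is an added example, not code from the patent: the support definition (fraction of samples carrying an attribute), the use of the absolute difference, the toy per-attribute classifier, the weighting anomaly function, and all attribute names, samples and thresholds are constructed assumptions.

```python
"""Added illustration: support-difference selection and cascaded early-stop detection."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Sample = Set[str]  # one software sample = the set of attributes it exhibits


def support(attr: str, samples: List[Sample]) -> float:
    """Assumed definition: fraction of samples in the set that carry `attr`."""
    return sum(attr in s for s in samples) / len(samples)


def select_effective(normal: List[Sample], abnormal: List[Sample],
                     preset_diff: float) -> Dict[str, float]:
    """Steps A1-A2: keep attributes whose support difference exceeds the preset."""
    diffs = {}
    for attr in set().union(*normal, *abnormal):
        # Assumption: the absolute difference is used, so attributes typical
        # of either sample set can qualify.
        d = abs(support(attr, normal) - support(attr, abnormal))
        if d > preset_diff:
            diffs[attr] = d
    return diffs


@dataclass
class Stage:
    attribute: str
    classify: Callable[[Sample], float]   # classifier output for this attribute
    anomaly_fn: Callable[[float], float]  # "abnormal operation function"
    threshold: float                      # "set abnormal threshold"


def make_classifier(attr: str, s_norm: float, s_abn: float):
    """Toy classifier (assumption): P(abnormal | attr present/absent), equal priors.

    Denominators are non-zero because an effective attribute has s_norm != s_abn.
    """
    def classify(target: Sample) -> float:
        if attr in target:
            return s_abn / (s_abn + s_norm)
        return (1 - s_abn) / ((1 - s_abn) + (1 - s_norm))
    return classify


def build_cascade(normal, abnormal, preset_diff, thresholds) -> List[Stage]:
    """Steps A3, B1, B2: one stage per effective attribute, largest difference first."""
    diffs = select_effective(normal, abnormal, preset_diff)
    ordered = sorted(diffs, key=lambda a: (-diffs[a], a))  # name breaks ties
    return [
        Stage(a,
              make_classifier(a, support(a, normal), support(a, abnormal)),
              lambda out, w=diffs[a]: out * w,  # assumed: weight by support difference
              thresholds[a])
        for a in ordered
    ]


def detect(cascade: List[Stage], initial_attrs: Sample) -> Tuple[bool, List[str]]:
    """Steps S202-S204: returns (is_abnormal, attributes of the stages actually run)."""
    effective = {s.attribute for s in cascade}
    target = set(initial_attrs) & effective  # S210/S220: keep effective attributes only
    evaluated = []
    for stage in cascade:
        evaluated.append(stage.attribute)
        value = stage.anomaly_fn(stage.classify(target))
        if value >= stage.threshold:  # threshold reached: stop, later stages skipped
            return True, evaluated
    return False, evaluated  # a normal verdict requires every stage to run


# Constructed sample data (not from the patent).
NORMAL = [{"internet", "camera"}, {"internet"},
          {"internet", "read_contacts"}, {"internet", "camera"}]
ABNORMAL = [{"internet", "send_sms", "read_contacts"},
            {"internet", "send_sms", "read_contacts"},
            {"internet", "send_sms"},
            {"send_sms", "read_contacts", "camera"}]
THRESHOLDS = {"send_sms": 0.9, "read_contacts": 0.3}

if __name__ == "__main__":
    cascade = build_cascade(NORMAL, ABNORMAL, 0.3, THRESHOLDS)
    for app in ({"internet", "send_sms", "flashlight"},
                {"internet", "read_contacts"},
                {"internet", "camera"}):
        print(sorted(app), detect(cascade, app))
```

Early stopping only shortens the path to an abnormal verdict: a sample judged normal has passed every stage, so the stage order and per-stage thresholds determine both the speed and what a skipped stage never gets to examine.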
In the abnormal software detection method, corresponding classifiers are respectively constructed according to various attribute information detected by software, and the classifiers are cascaded to form an abnormal recognition model; extracting target attribute information of software to be detected, inputting the target attribute information into the abnormal recognition model and sequentially performing multi-stage recognition through classifiers at all stages; sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value; and when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software. The method has the advantages that the multiple attribute information of the software to be detected is detected in sequence, when any attribute is detected to be abnormal, the detection can be stopped, the software to be detected is judged to be abnormal, and the detection efficiency is higher; the method and the device can detect various target attribute information of software more comprehensively and more accurately.
FIG. 6 is a schematic structural diagram of an abnormal software detection apparatus in an embodiment. As shown in fig. 6, the abnormal software detection apparatus provided in this embodiment includes an identification model construction module 601, a multi-stage identification module 602, an abnormal operation module 603, and an abnormal determination module 604, where:
The identification model construction module 601 is used for respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an abnormal identification model;
The multi-stage identification module 602 is configured to extract target attribute information of software to be detected, input the target attribute information into the anomaly identification model, and sequentially perform multi-stage identification through each stage of classifier;
The anomaly operation module 603 is configured to sequentially read output results of each stage of classifiers of the anomaly identification model, and call an anomaly operation function to calculate an anomaly detection value;
And an anomaly determination module 604, configured to stop detection and determine that the software to be detected is abnormal software when an anomaly detection value correspondingly calculated by the any one-stage classifier reaches a set anomaly threshold value.
for the specific definition of the abnormal software detection device, the above definition of the abnormal software detection method can be referred to, and is not described herein again. The modules in the abnormal software detection device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
As shown in Fig. 7, which is a schematic diagram of the internal structure of a computer device according to an embodiment, the computer device includes a processor, a non-volatile storage medium, a memory, and a network interface connected by a system bus. The non-volatile storage medium of the computer device stores an operating system, a database and computer readable instructions; the database can store control information sequences, and the computer readable instructions, when executed by the processor, can cause the processor to implement an abnormal software detection method. The processor of the computer device provides calculation and control capability and supports the operation of the whole computer device. The memory of the computer device may have stored therein computer readable instructions that, when executed by the processor, may cause the processor to perform an abnormal software detection method. The network interface of the computer device is used for connecting to and communicating with the terminal. Those skilled in the art will appreciate that the architecture shown in Fig. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and does not limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, the computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program: respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an abnormal recognition model; extracting target attribute information of software to be detected, inputting the target attribute information into the abnormal recognition model and sequentially performing multi-stage recognition through classifiers at all stages; sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value; and when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software.
In one embodiment, the step of constructing corresponding classifiers according to the attribute information detected by the software when the processor executes the computer program includes: acquiring a first attribute set of a plurality of normal sample software detections and a second attribute set of a plurality of abnormal sample software detections; selecting effective attributes from the first attribute set and the second attribute set; and generating corresponding classifiers according to the attribute information of the effective attributes.
In one embodiment, the step of selecting valid attributes from the first set of attributes and the second set of attributes when the processor executes the computer program comprises: calculating a first support degree between each attribute and the first attribute set and a second support degree between each attribute and the second attribute set in the first attribute set and the second attribute set; calculating the difference between the first support degree and the second support degree to obtain a support degree difference value; and when the support degree difference is larger than a preset difference, taking the corresponding attribute as the effective attribute.
In one embodiment, the step of cascading the classifiers to form the anomaly identification model when the processor executes the computer program comprises: sorting the corresponding classifiers according to the size of the support degree difference; and cascading all the classifiers which are sequenced to form the anomaly identification model.
In one embodiment, the step of extracting the target attribute information of the software to be detected when the processor executes the computer program includes: acquiring initial attribute information of software to be detected; and searching the target attribute information corresponding to the effective attribute from the initial attribute information.
In one embodiment, the step of calling the abnormal operation function to calculate the abnormal detection value when the processor executes the computer program includes: inquiring abnormal operation functions corresponding to the classifiers respectively; and calling each abnormal operation function in sequence to operate on each corresponding output result to obtain each abnormal detection value.
In one embodiment, when the processor executes the computer program, before the step of stopping detection and determining that the software to be detected is abnormal software when the abnormal detection value calculated for the classifier at any stage reaches the set abnormal threshold value, the method further includes: acquiring a set abnormal threshold corresponding to each classifier.
In one embodiment, a storage medium is provided that stores computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of: respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an abnormal recognition model; extracting target attribute information of software to be detected, inputting the target attribute information into the abnormal recognition model and sequentially performing multi-stage recognition through classifiers at all stages; sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value; and when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software.
In one embodiment, the step of constructing corresponding classifiers according to the attribute information detected by the software when the computer readable instructions are executed by the processor comprises: acquiring a first attribute set of a plurality of normal sample software detections and a second attribute set of a plurality of abnormal sample software detections; selecting effective attributes from the first attribute set and the second attribute set; and generating corresponding classifiers according to the attribute information of the effective attributes.
In one embodiment, the step of selecting valid attributes from the first set of attributes and the second set of attributes when the computer readable instructions are executed by the processor comprises: calculating a first support degree between each attribute and the first attribute set and a second support degree between each attribute and the second attribute set in the first attribute set and the second attribute set; calculating the difference between the first support degree and the second support degree to obtain a support degree difference value; and when the support degree difference is larger than a preset difference, taking the corresponding attribute as the effective attribute.
In one embodiment, the step of cascading the classifiers into an anomaly recognition model when the computer readable instructions are executed by the processor comprises: sorting the corresponding classifiers according to the size of the support degree difference; and cascading all the classifiers which are sequenced to form the anomaly identification model.
In one embodiment, the step of extracting target attribute information of the software to be detected when the computer readable instructions are executed by the processor includes: acquiring initial attribute information of software to be detected; and searching the target attribute information corresponding to the effective attribute from the initial attribute information.
In one embodiment, the step of calling an abnormal operation function to calculate an abnormal detection value when the computer readable instructions are executed by the processor comprises: inquiring abnormal operation functions corresponding to the classifiers respectively; and calling each abnormal operation function in sequence to operate each corresponding output result to obtain each abnormal detection value.
In one embodiment, when the computer readable instructions are executed by the processor, before the step of stopping detection and determining that the software to be detected is abnormal software when the abnormal detection value calculated for the classifier at any stage reaches the set abnormal threshold value, the method further includes: acquiring a set abnormal threshold corresponding to each classifier.
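The construction and detection steps of the embodiments above, as an added Python sketch that is not code from the patent. Support as the fraction of samples carrying an attribute, the absolute support difference, descending sort order, the weighted anomaly operation function, the threshold values, and every attribute name and sample are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional, Set

# Constructed samples: each set holds the attributes observed in one piece of software.
NORMAL = [{"signed", "perm:INTERNET"},
          {"signed", "perm:INTERNET", "perm:CAMERA"},
          {"signed", "perm:CAMERA"},
          {"signed", "perm:INTERNET", "perm:SEND_SMS"}]
ABNORMAL = [{"perm:INTERNET", "perm:SEND_SMS", "hides_icon"},
            {"perm:INTERNET", "perm:SEND_SMS", "hides_icon"},
            {"signed", "perm:INTERNET", "perm:SEND_SMS"},
            {"perm:INTERNET", "hides_icon", "perm:CAMERA"}]


def support(attr: str, samples: List[Set[str]]) -> float:
    """Assumed definition: fraction of samples in the set that carry attr."""
    return sum(attr in s for s in samples) / len(samples)


@dataclass
class Stage:
    attribute: str
    weight: float                   # |first support - second support|
    abnormal_when_present: bool     # attribute is more common in abnormal samples
    score: Callable[[int], float]   # anomaly operation function of this classifier
    threshold: float                # set anomaly threshold of this classifier

    def classify(self, target: Set[str]) -> int:
        # 1 when the attribute's presence/absence matches the abnormal pattern.
        return int((self.attribute in target) == self.abnormal_when_present)


class Verdict(NamedTuple):
    abnormal: bool
    attribute: Optional[str]  # attribute whose stage fired, if any
    stages_run: int           # how many classifiers were evaluated


def build_cascade(normal: List[Set[str]], abnormal: List[Set[str]],
                  min_diff: float, thresholds: Dict[str, float],
                  default_threshold: float) -> List[Stage]:
    stages = []
    for attr in sorted(set().union(*normal, *abnormal)):
        diff = support(attr, normal) - support(attr, abnormal)
        if abs(diff) > min_diff:                      # effective attribute
            w = abs(diff)
            stages.append(Stage(attr, w, diff < 0,
                                lambda out, w=w: out * w,
                                thresholds.get(attr, default_threshold)))
    # Most discriminating attribute first; the stable sort keeps ties alphabetical.
    stages.sort(key=lambda s: -s.weight)
    return stages


def detect(cascade: List[Stage], initial_attrs: Set[str]) -> Verdict:
    # Keep only the target attributes that correspond to effective attributes.
    target = initial_attrs & {s.attribute for s in cascade}
    for i, stage in enumerate(cascade, start=1):
        value = stage.score(stage.classify(target))
        if value >= stage.threshold:                  # stop at the first hit
            return Verdict(True, stage.attribute, i)
    return Verdict(False, None, len(cascade))


if __name__ == "__main__":
    cascade = build_cascade(NORMAL, ABNORMAL, 0.4, {"perm:SEND_SMS": 0.5}, 0.7)
    for sample in ({"perm:INTERNET", "hides_icon"}, {"signed", "perm:INTERNET"}):
        print(sorted(sample), detect(cascade, sample))
```

With the 0.5 threshold on the weakest stage, a signed sample that only requests `perm:SEND_SMS` is still flagged at stage 3, so per-classifier thresholds directly set the false-positive rate of the later stages.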
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts of the figures may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
The foregoing describes only some embodiments of the present invention. It should be noted that those skilled in the art can make various modifications and decorations without departing from the principle of the present invention, and these modifications and decorations should also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. An abnormal software detection method is characterized by comprising the following steps:
respectively constructing corresponding classifiers according to various attribute information detected by software, and cascading the classifiers to form an abnormal recognition model;
extracting target attribute information of software to be detected, inputting the target attribute information into the abnormal recognition model and sequentially performing multi-stage recognition through classifiers at all stages;
sequentially reading output results of classifiers of the abnormal recognition model at all levels, and calling an abnormal operation function to calculate an abnormal detection value;
and when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value, stopping detection and judging the software to be detected as abnormal software.
2. The method according to claim 1, wherein the step of constructing corresponding classifiers according to the attribute information detected by the software respectively comprises:
acquiring a first attribute set of a plurality of normal sample software detections and a second attribute set of a plurality of abnormal sample software detections;
selecting effective attributes from the first attribute set and the second attribute set;
and generating corresponding classifiers according to the attribute information of the effective attributes.
3. The method of claim 2, wherein the step of selecting the valid attribute from the first set of attributes and the second set of attributes comprises:
calculating a first support degree between each attribute and the first attribute set and a second support degree between each attribute and the second attribute set in the first attribute set and the second attribute set;
calculating the difference between the first support degree and the second support degree to obtain a support degree difference value;
and when the support degree difference is larger than a preset difference, taking the corresponding attribute as the effective attribute.
4. The method of claim 3, wherein the step of cascading the classifiers to form an anomaly recognition model comprises:
sorting the corresponding classifiers according to the size of the support degree difference;
and cascading all the classifiers which are sequenced to form the anomaly identification model.
5. The method according to claim 2, wherein the step of extracting the target attribute information of the software to be detected comprises:
acquiring initial attribute information of software to be detected;
and searching the target attribute information corresponding to the effective attribute from the initial attribute information.
6. The method of claim 1, wherein the step of calling the abnormal operation function to calculate the abnormal detection value comprises:
inquiring abnormal operation functions corresponding to the classifiers respectively;
and calling each abnormal operation function in sequence to operate on each corresponding output result to obtain each abnormal detection value.
7. The method according to claim 1, wherein before the step of stopping detection and determining that the software to be detected is abnormal software when the abnormal detection value correspondingly calculated by the classifier at any stage reaches the set abnormal threshold value, the method further comprises:
acquiring a set abnormal threshold corresponding to each classifier.
8. An abnormal software detecting apparatus, comprising:
the identification model construction module is used for respectively constructing corresponding classifiers according to various attribute information detected by software and cascading the classifiers to form an abnormal identification model;
the multi-stage identification module is used for extracting target attribute information of the software to be detected, inputting the target attribute information into the abnormal identification model and sequentially carrying out multi-stage identification through each stage of classifier;
the abnormal operation module is used for sequentially reading output results of all levels of classifiers of the abnormal recognition model and calling an abnormal operation function to calculate an abnormal detection value;
and the abnormality judgment module is used for stopping detection and judging the software to be detected as abnormal software when the abnormal detection value correspondingly calculated by the classifier at any stage reaches a set abnormal threshold value.
9. A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions, wherein the computer readable instructions, when executed by the processor, cause the processor to perform the steps of the abnormal software detection method according to any one of claims 1 to 7.
10. A storage medium having computer-readable instructions stored thereon which, when executed by one or more processors, cause the one or more processors to perform the steps of the anomalous software detection method as in any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910759677.6A CN110554961A (en) | 2019-08-16 | 2019-08-16 | abnormal software detection method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910759677.6A CN110554961A (en) | 2019-08-16 | 2019-08-16 | abnormal software detection method and device, computer equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110554961A true CN110554961A (en) | 2019-12-10 |
Family
ID=68737725
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910759677.6A Pending CN110554961A (en) | 2019-08-16 | 2019-08-16 | abnormal software detection method and device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110554961A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111340502A (en) * | 2020-02-24 | 2020-06-26 | 中国银联股份有限公司 | Abnormal behavior identification method and device, terminal equipment and storage medium |
CN113361451A (en) * | 2021-06-24 | 2021-09-07 | 福建万福信息技术有限公司 | Ecological environment target identification method based on multi-level model and preset point automatic adjustment |
CN115348139A (en) * | 2022-07-18 | 2022-11-15 | 中国人民解放军国防科技大学 | Modulation identification method based on cascade characteristic fusion and multi-level classification |
CN115766554A (en) * | 2022-11-07 | 2023-03-07 | 深圳复临科技有限公司 | Software detection method and device, computer equipment and storage medium |
CN117056152A (en) * | 2023-10-13 | 2023-11-14 | 腾讯科技(深圳)有限公司 | Equipment detection method and related device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105335684A (en) * | 2014-06-25 | 2016-02-17 | 小米科技有限责任公司 | Face detection method and device |
US20160335432A1 (en) * | 2015-05-17 | 2016-11-17 | Bitdefender IPR Management Ltd. | Cascading Classifiers For Computer Security Applications |
CN107180190A (en) * | 2016-03-11 | 2017-09-19 | 深圳先进技术研究院 | A kind of Android malware detection method and system based on composite character |
- 2019-08-16 CN CN201910759677.6A patent/CN110554961A/en active Pending
Non-Patent Citations (1)
Title |
---|
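Wang Xing (王星): "Characterization of several typical features of Android applications and methods for detecting their malicious behavior", China Doctoral Dissertations Full-text Database, Information Science and Technology series, no. 2019, 15 January 2019 (2019-01-15), pages 138 - 19 * |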
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111340502A (en) * | 2020-02-24 | 2020-06-26 | 中国银联股份有限公司 | Abnormal behavior identification method and device, terminal equipment and storage medium |
CN111340502B (en) * | 2020-02-24 | 2024-07-16 | 中国银联股份有限公司 | Abnormal behavior identification method and device, terminal equipment and storage medium |
CN113361451A (en) * | 2021-06-24 | 2021-09-07 | 福建万福信息技术有限公司 | Ecological environment target identification method based on multi-level model and preset point automatic adjustment |
CN113361451B (en) * | 2021-06-24 | 2024-04-30 | 福建万福信息技术有限公司 | Ecological environment target identification method based on multistage model and preset point automatic adjustment |
CN115348139A (en) * | 2022-07-18 | 2022-11-15 | 中国人民解放军国防科技大学 | Modulation identification method based on cascade characteristic fusion and multi-level classification |
CN115348139B (en) * | 2022-07-18 | 2024-01-05 | 中国人民解放军国防科技大学 | Modulation identification method based on cascade feature fusion and multi-stage classification |
CN115766554A (en) * | 2022-11-07 | 2023-03-07 | 深圳复临科技有限公司 | Software detection method and device, computer equipment and storage medium |
CN117056152A (en) * | 2023-10-13 | 2023-11-14 | 腾讯科技(深圳)有限公司 | Equipment detection method and related device |
CN117056152B (en) * | 2023-10-13 | 2024-02-09 | 腾讯科技(深圳)有限公司 | Equipment detection method and related device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110554961A (en) | abnormal software detection method and device, computer equipment and storage medium | |
CN110177108B (en) | Abnormal behavior detection method, device and verification system | |
CN106503558B (en) | A kind of Android malicious code detecting method based on community structure analysis | |
US10963551B2 (en) | Method and apparatus for user authentication based on feature information | |
US8332944B2 (en) | System and method for detecting new malicious executables, based on discovering and monitoring characteristic system call sequences | |
CN101593253B (en) | Method and device for judging malicious programs | |
KR20170108330A (en) | Apparatus and method for detecting malware code | |
CN108985057B (en) | Webshell detection method and related equipment | |
CN104933352A (en) | Weak password detection method and device | |
CN113422763B (en) | Alarm correlation analysis method constructed based on attack scene | |
CN109191021B (en) | Association rule matching method and device for power grid abnormal event | |
CN111813845A (en) | ETL task-based incremental data extraction method, device, equipment and medium | |
CN111339531A (en) | Malicious code detection method and device, storage medium and electronic equipment | |
Naik et al. | Fuzzy-Import Hashing: A malware analysis approach | |
CN105243327B (en) | A kind of secure file processing method | |
CN105468972B (en) | A kind of mobile terminal document detection method | |
CN112464297B (en) | Hardware Trojan detection method, device and storage medium | |
CN108509796B (en) | Method for detecting risk and server | |
CN113378161A (en) | Security detection method, device, equipment and storage medium | |
CN113452700A (en) | Method, device, equipment and storage medium for processing safety information | |
CN108650249B (en) | POC attack detection method and device, computer equipment and storage medium | |
CN116232656A (en) | Internet of vehicles intrusion detection model training method, detection method and equipment based on generation of countermeasure network | |
CN115659354A (en) | Method and device for detecting multi-granularity vulnerability similarity of power system Internet of things firmware | |
CN107832609B (en) | Android malicious software detection method and system based on authority characteristics | |
CN117896186B (en) | Vulnerability scanning method, system and storage medium based on log analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||