CN110554961A - Abnormal software detection method, device, computer equipment and storage medium

Info

Publication number: CN110554961A
Authority: CN (China)
Prior art keywords: software, abnormal, classifiers, detected, attribute
Legal status: Pending
Application number: CN201910759677.6A
Other languages: Chinese (zh)
Inventor: 成卓鸿
Current Assignee: Ping An Puhui Enterprise Management Co Ltd
Original Assignee: Ping An Puhui Enterprise Management Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Prevention of errors by analysis, debugging or testing of software
    • G06F11/3604 Analysis of software for verifying properties of programs

Abstract

The invention provides an abnormal software detection method and device, computer equipment and a storage medium. The method includes: constructing a corresponding classifier for each item of attribute information used in software detection, and cascading the classifiers to form an abnormality recognition model; extracting target attribute information of the software to be detected, inputting the target attribute information into the abnormality recognition model, and performing multi-level recognition through the classifiers at each level in sequence; reading the output results of the classifiers at each level of the abnormality recognition model in sequence, and calling an abnormal operation function to calculate an abnormality detection value; and, when the abnormality detection value calculated for any level of classifier reaches a set abnormality threshold, stopping detection and determining that the software to be detected is abnormal software. Multiple kinds of attribute information of the software to be detected are checked in sequence, and as soon as any one attribute is found to be abnormal, detection can stop and the software is determined to be abnormal software, so detection efficiency is higher; multiple kinds of target attribute information of the software are checked, so detection is more comprehensive and accuracy is higher.

Description

Abnormal software detection method, device, computer equipment and storage medium

Technical field

The present invention relates to the field of computer technology, and in particular to an abnormal software detection method, an abnormal software detection device, computer equipment and a storage medium.

Background

With the rapid development of Internet and communication technology, operating systems have spread quickly from personal computers to mobile terminals. Some application software running on an operating system is highly aggressive and intrusive, and may damage the operating system or steal the user's private information. Abnormal software in the operating system therefore needs to be detected.

At present, detection is usually performed with methods based on static features, that is, whether an application is abnormal software is determined from its combination of abnormal authorizations. All permissions of the software must be checked, and only after all of them have been checked is an overall judgment made on whether the software is abnormal. The detection accuracy of this scheme is not high enough, and its efficiency is also relatively low.

Summary of the invention

The purpose of the present invention is to solve at least one of the above technical defects, in particular the defects that the detection accuracy for abnormal software is not high enough and the efficiency is relatively low.

The present invention provides an abnormal software detection method, comprising the following steps:

constructing a corresponding classifier for each item of attribute information used in software detection, and cascading the classifiers to form an abnormality recognition model;

extracting target attribute information of the software to be detected, inputting the target attribute information into the abnormality recognition model, and performing multi-level recognition through the classifiers at each level in sequence;

reading the output results of the classifiers at each level of the abnormality recognition model in sequence, and calling an abnormal operation function to calculate an abnormality detection value;

when the abnormality detection value calculated for any level of classifier reaches a set abnormality threshold, stopping detection and determining that the software to be detected is abnormal software.

In one embodiment, the step of constructing a corresponding classifier for each item of attribute information used in software detection includes:

obtaining a first attribute set from the detection of a plurality of normal software samples, and obtaining a second attribute set from the detection of a plurality of abnormal software samples;

selecting effective attributes from the first attribute set and the second attribute set;

generating the corresponding classifiers according to the attribute information of each effective attribute.

In one embodiment, selecting effective attributes from the first attribute set and the second attribute set includes:

for each attribute in the first attribute set and the second attribute set, calculating a first support degree between the attribute and the first attribute set, and a second support degree between the attribute and the second attribute set;

calculating the difference between the first support degree and the second support degree to obtain a support difference;

when the support difference is greater than a preset difference, taking the corresponding attribute as an effective attribute.

In one embodiment, the step of cascading the classifiers to form an abnormality recognition model includes:

sorting the corresponding classifiers according to the magnitude of each support difference;

cascading the sorted classifiers to form the abnormality recognition model.

In one embodiment, the step of extracting target attribute information of the software to be detected includes:

obtaining initial attribute information of the software to be detected;

looking up, in the initial attribute information, the target attribute information corresponding to the effective attributes.

In one embodiment, the step of calling an abnormal operation function to calculate an abnormality detection value includes:

querying the abnormal operation function corresponding to each classifier;

calling each abnormal operation function in turn to operate on the corresponding output result, obtaining each abnormality detection value.

In one embodiment, before the step of stopping detection and determining that the software to be detected is abnormal software when the abnormality detection value calculated for any level of classifier reaches the set abnormality threshold, the method further includes:

obtaining the set abnormality threshold corresponding to each classifier.

The present invention also provides a computer device, including a memory and a processor. The memory stores computer-readable instructions which, when executed by the processor, cause the processor to perform the steps of the abnormal software detection method of any of the embodiments.

The present invention also provides a storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the abnormal software detection method of any of the embodiments.

In the above abnormal software detection method, device, computer equipment and storage medium, a corresponding classifier is constructed for each item of attribute information used in software detection, and the classifiers are cascaded to form an abnormality recognition model; target attribute information of the software to be detected is extracted, input into the abnormality recognition model and passed through the classifiers at each level in sequence for multi-level recognition; the output results of the classifiers at each level are read in sequence, and an abnormal operation function is called to calculate an abnormality detection value; when the abnormality detection value calculated for any level of classifier reaches the set abnormality threshold, detection stops and the software to be detected is determined to be abnormal software. Multiple kinds of attribute information of the software to be detected are checked in sequence, and as soon as any one attribute is found to be abnormal, detection can stop and the software is determined to be abnormal software, so detection efficiency is higher; multiple kinds of target attribute information of the software are checked, so detection is more comprehensive and accuracy is higher.

Additional aspects and advantages of the invention will be set forth in part in the description that follows, and in part will become apparent from that description or be learned through practice of the invention.

Brief description of the drawings

The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:

Fig. 1 is a schematic diagram of the application environment of the abnormal software detection method in one embodiment;

Fig. 2 is a flowchart of the abnormal software detection method in one embodiment;

Fig. 3 is a flowchart of the abnormal software detection method in one embodiment;

Fig. 4 is a flowchart of the abnormal software detection method in another embodiment;

Fig. 5 is a schematic flow diagram of the abnormal software detection method in one embodiment;

Fig. 6 is a schematic structural diagram of the abnormal software detection device in one embodiment;

Fig. 7 is a schematic diagram of the internal structure of the computer device in one embodiment.

Detailed description

Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals designate the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the present invention and are not to be construed as limiting it.

Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include plural forms. It should be further understood that the word "comprising" used in the description of the present invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.

Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which this invention belongs. It should also be understood that terms such as those defined in general-purpose dictionaries should be understood to have meanings consistent with their meanings in the context of the prior art and, unless specifically defined as they are here, are not to be interpreted in an idealized or overly formal sense.

The abnormal software detection method provided in this application can be applied in the application environment shown in Fig. 1. As shown in Fig. 1, the server 104 constructs a corresponding classifier for each item of attribute information used in software detection and cascades the classifiers to form an abnormality recognition model; the server 104 extracts the target attribute information of the software to be detected from the terminal 102, inputs the target attribute information into the abnormality recognition model and performs multi-level recognition through the classifiers at each level in sequence; the server 104 reads the output results of the classifiers at each level of the abnormality recognition model in sequence and calls an abnormal operation function to calculate an abnormality detection value; when the abnormality detection value calculated for any level of classifier reaches the set abnormality threshold, the server 104 stops recognition and determines that the software to be detected on the terminal 102 is abnormal software.

Those skilled in the art will understand that the terminal used here may be a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a MID (Mobile Internet Device) or the like; the server may be implemented as an independent server or as a server cluster composed of multiple servers.

In one embodiment, as shown in Fig. 2, an abnormal software detection method is provided. Taking the application of the method to the server in Fig. 1 as an example, the method includes the following steps:

Step S201: construct a corresponding classifier for each item of attribute information used in software detection, and cascade the classifiers to form an abnormality recognition model.

Here, the attributes used in software detection may include attributes such as authentication, authorization, confidentiality, availability and integrity; they may also refer solely to the individual permissions among an application's permissions.

In a specific implementation, a classifier is constructed for each item of attribute information, the classifiers are then cascaded in a preset order to form the abnormality recognition model, and abnormality detection is performed on each attribute according to that model. Multiple kinds of target attribute information of the software are checked, so detection is more comprehensive and accuracy is higher.

Taking the three attributes authentication, authorization and confidentiality as an example, three classifiers are constructed, corresponding to authentication, authorization and confidentiality respectively. The target authentication, target authorization and target confidentiality information of the software to be detected is obtained and input in turn into the corresponding classifiers for abnormality detection.

In one embodiment, constructing a corresponding classifier for each item of attribute information used in software detection in step S201 includes:

A1: obtain a first attribute set from the detection of a plurality of normal software samples, and obtain a second attribute set from the detection of a plurality of abnormal software samples.

Here, normal sample software is software that has already been tested and found normal in every attribute, and abnormal sample software is sample software that has already been tested and determined to be abnormal software.

A2: select effective attributes from the first attribute set and the second attribute set.

The specific steps for selecting effective attributes are as follows:

(1) For each attribute in the first attribute set and the second attribute set, calculate a first support degree between the attribute and the first attribute set, and a second support degree between the attribute and the second attribute set;

Specifically, the first support degree represents the degree of correlation between the attribute and the first attribute set, and the second support degree represents the degree of correlation between the attribute and the second attribute set.

(2) Calculate the difference between the first support degree and the second support degree to obtain the support difference;

(3) When the support difference is greater than a preset difference, take the corresponding attribute as an effective attribute.

It can be understood that the larger the support difference, the more clearly the attribute distinguishes normal sample software from abnormal sample software, and the more valuable it is for making the determination. Therefore, when the support difference is greater than the preset difference, the attribute is determined to be an effective attribute.

A3: generate the corresponding classifiers according to the attribute information of each effective attribute.

In this embodiment, effective attributes are screened out of the software detection attributes by judging how strongly each attribute differs between normal sample software and abnormal sample software, and the corresponding classifiers are constructed from the attribute information of the effective attributes. Out of all the attribute information of the software to be detected, only the target attribute information corresponding to the effective attributes is then checked, which effectively improves detection efficiency.

In one embodiment, cascading the classifiers to form an abnormality recognition model in step S201 includes:

B1: sort the corresponding classifiers according to the magnitude of each support difference.

A larger support difference means that the attribute distinguishes normal sample software from abnormal sample software more clearly and is more valuable for making the determination, so its importance is correspondingly higher. The classifiers are therefore sorted by the support differences of their effective attributes, and the classifiers for the more important effective attributes are placed earlier, so that software abnormalities are detected more quickly.

B2: cascade the sorted classifiers to form the abnormality recognition model.

In this embodiment, the classifiers are sorted by the support differences of their effective attributes, and the sorted classifiers are then cascaded to form the abnormality recognition model, so that whether the software is abnormal can be detected more quickly; multiple kinds of target attribute information of the software are checked, so detection is more comprehensive and accuracy is higher.

Step S202: extract the target attribute information of the software to be detected, input the target attribute information into the abnormality recognition model, and perform multi-level recognition through the classifiers at each level in sequence.

Here, the target attribute information is the attribute information of the effective attributes of the software to be detected.

In a specific implementation, the attribute information of the effective attributes of the software to be detected is input, in order of the importance of the classifiers, into the classifiers corresponding to the effective attributes for multi-level recognition.

As shown in Fig. 3, in one embodiment, extracting the target attribute information of the software to be detected in step S202 includes:

Step S210: obtain the initial attribute information of the software to be detected.

Step S220: look up, in the initial attribute information, the target attribute information corresponding to the effective attributes.

Some of the attribute information of the software to be detected has little reference value for judging whether the software is abnormal. The target attribute information corresponding to the effective attributes is therefore first looked up in the initial attribute information, and whether the software to be detected is abnormal software is judged from the target attribute information.

Step S203: read the output results of the classifiers at each level of the abnormality recognition model in sequence, and call the abnormal operation function to calculate the abnormality detection value.

Specifically, the classifiers at each level may share the same abnormal operation function, or multiple abnormal operation functions may be provided, each corresponding to one classifier.

As shown in Fig. 4, in one embodiment, the step of calling the abnormal operation function to calculate the abnormality detection value in step S203 includes:

Step S310: query the abnormal operation function corresponding to each classifier.

It can be understood that, since the attribute information checked by each classifier differs, the corresponding abnormal operation functions differ.

Specifically, multiple abnormal operation functions are pre-stored on the server, and each abnormal operation function is associated with a corresponding effective attribute. The abnormal operation function for a classifier is obtained simply by querying the effective attribute corresponding to that classifier.

Step S320: call each abnormal operation function in turn to operate on the corresponding output result, obtaining each abnormality detection value.

In this embodiment, the abnormal operation function corresponding to an effective attribute is queried according to the effective attribute of the classifier. Each time an effective attribute is checked, the output result is processed with the corresponding abnormal operation function, and the target attributes are checked one after another in order of the importance of the effective attributes.

Step S204: when the abnormality detection value calculated for any level of classifier reaches the set abnormality threshold, stop detection and determine that the software to be detected is abnormal software.

In a specific implementation, according to the importance of the effective attributes, each target attribute is checked in turn by the corresponding classifier; when the output result for some target attribute is found to be abnormal, the software to be detected is determined to be abnormal software.

It should be noted that when the output result for some target attribute is abnormal, detection can stop and the software to be detected can be determined to be abnormal software, without checking the remaining target attributes. The target attribute information checked earlier in the order is more important, so once more important target attribute information has been found abnormal, there is no need to check target attribute information of relatively lower importance.

For example, suppose there are three classifiers whose effective attributes are authentication, authorization and confidentiality. The authentication, authorization and confidentiality of the software to be detected are checked in turn by the respective classifiers. When the result for the authorization attribute is abnormal, the remaining confidentiality attribute no longer needs to be checked, because the authorization attribute is more important than the confidentiality attribute. Detecting in this way increases the speed of software detection.

Specifically, the classifiers at the different levels may share the same set abnormality threshold, or multiple set abnormality thresholds may be provided, each corresponding to one classifier.

In one embodiment, before stopping detection and determining that the software to be detected is abnormal software when the abnormality detection value calculated for any level of classifier reaches the set abnormality threshold in step S204, the method further includes: obtaining the set abnormality threshold corresponding to each classifier.

Further, after the abnormality detection at each level of classifier, it must be judged whether that classifier's output result reaches the set abnormality threshold. Different classifiers correspond to different effective attributes, and the set abnormality thresholds for different effective attributes may differ, so the set abnormality threshold corresponding to each classifier must be obtained first.

In a specific implementation, multiple set abnormality thresholds are pre-stored on the server, and each set abnormality threshold is associated with a corresponding effective attribute. The set abnormality threshold for a classifier is obtained simply by querying the effective attribute corresponding to that classifier.

The above abnormal software detection method is further explained with reference to Fig. 5. The target attribute information of the software to be detected is extracted and input in sequence into the abnormality detection model formed by cascading multiple classifiers. Each time a level of classifier is entered, the corresponding abnormal operation function is retrieved to perform the calculation, and the detection result of that level is compared with the set abnormality threshold. When the calculation result for some level of classifier reaches the corresponding abnormality detection value, detection stops, the target attribute information is not passed to the next level of classifier, and the software to be detected is determined to be abnormal software.

为了更好地理解上述方法,以下详细阐述一个本发明的异常软件检测的应用实例:In order to better understand the above method, an application example of abnormal software detection of the present invention is elaborated below:

1) Obtain multiple normal sample software and multiple abnormal sample software, and select effective attributes from the attribute information of the normal and abnormal sample software;

2) The effective attributes selected are identity verification and authorization. The two attributes are sorted by the support difference of each effective attribute; in decreasing order of importance they are authorization, then identity verification;

3) Cascade the classifier corresponding to authorization and the classifier corresponding to identity verification, in that order, to form the anomaly recognition model;

4) Extract the target attribute information corresponding to authorization and identity verification from the initial attribute information of the software to be detected;

5) Input the target attribute information corresponding to authorization into the classifier corresponding to authorization, and determine whether the first output result reaches the first set anomaly threshold;

6) If the first output result does not reach the first set anomaly threshold, input the target attribute information corresponding to identity verification into the classifier corresponding to identity verification, and determine whether the second output result reaches the second set anomaly threshold.
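
The application example above, as an added example that is not code from the patent: attributes are selected by support difference, their classifiers are cascaded in that order, and detection stops at the first stage whose anomaly detection value reaches its threshold. The sample data, the definition of support as an occurrence fraction, the use of the absolute difference, the smoothed per-attribute classifier, the percentage anomaly operation function and the threshold values are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, NamedTuple, Optional

# Constructed samples. Each sample is the set of attributes for which software
# testing recorded a finding (an assumed encoding of "attribute information").
NORMAL = ([{"authorization"}] + [{"authentication", "logging"}] * 3
          + [{"logging"}] * 2 + [set()] * 4)
ABNORMAL = ([{"authorization", "authentication", "logging"}] * 6
            + [{"authorization"}] * 3 + [{"authentication"}])


def support(attr, samples):
    """Assumed definition: fraction of samples in which the attribute occurs."""
    return sum(attr in s for s in samples) / len(samples)


def select_effective(normal, abnormal, preset_diff):
    """Keep attributes whose support difference exceeds the preset difference,
    ordered by decreasing difference (this is the cascade order)."""
    attrs = set().union(*normal, *abnormal)
    diffs = {a: abs(support(a, normal) - support(a, abnormal)) for a in attrs}
    kept = [(a, d) for a, d in diffs.items() if d > preset_diff]
    return sorted(kept, key=lambda item: item[1], reverse=True)


def smoothed(attr, samples):
    """Laplace-smoothed P(finding | class), kept away from exactly 0 and 1."""
    return (sum(attr in s for s in samples) + 1) / (len(samples) + 2)


@dataclass
class Stage:
    attr: str
    p_normal: float                        # P(finding | normal sample)
    p_abnormal: float                      # P(finding | abnormal sample)
    anomaly_fn: Callable[[float], float]   # anomaly operation function
    threshold: float                       # set anomaly threshold

    def output(self, flagged):
        """Classifier output: P(abnormal | observation), equal priors assumed."""
        pa = self.p_abnormal if flagged else 1 - self.p_abnormal
        pn = self.p_normal if flagged else 1 - self.p_normal
        return pa / (pa + pn)


def build_cascade(normal, abnormal, preset_diff, anomaly_fns, thresholds):
    """One stage per effective attribute; function and threshold are looked
    up by attribute name, as the description does on the server."""
    return [Stage(a, smoothed(a, normal), smoothed(a, abnormal),
                  anomaly_fns[a], thresholds[a])
            for a, _ in select_effective(normal, abnormal, preset_diff)]


class Verdict(NamedTuple):
    abnormal: bool
    fired_stage: Optional[str]
    stages_run: int


def detect(cascade, initial_info):
    """Run the stages in order and stop at the first one whose anomaly
    detection value reaches its threshold."""
    for n, stage in enumerate(cascade, start=1):
        if stage.attr not in initial_info:
            # A missing attribute is an error, not a clean result.
            raise KeyError(f"no target attribute information for {stage.attr}")
        value = stage.anomaly_fn(stage.output(initial_info[stage.attr]))
        if value >= stage.threshold:
            return Verdict(True, stage.attr, n)
    return Verdict(False, None, len(cascade))


def to_percent(p):
    """Assumed anomaly operation function: probability to a 0-100 score."""
    return 100.0 * p


ANOMALY_FNS = {"authorization": to_percent, "authentication": to_percent}
THRESHOLDS = {"authorization": 80.0, "authentication": 60.0}  # assumed values
CASCADE = build_cascade(NORMAL, ABNORMAL, 0.2, ANOMALY_FNS, THRESHOLDS)

if __name__ == "__main__":
    print(select_effective(NORMAL, ABNORMAL, 0.2))
    print(detect(CASCADE, {"authorization": False, "authentication": True}))
```

Because any single stage can declare the software abnormal, reordering the stages changes how many stages run but not the verdict, and each added stage can only raise the cascade's false-positive rate.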

In the abnormal software detection method above, a corresponding classifier is constructed for each item of attribute information of software detection, and the classifiers are cascaded to form an anomaly recognition model; the target attribute information of the software to be detected is extracted, input into the anomaly recognition model and passed through the classifier stages in sequence for multi-level recognition; the output results of the classifier stages of the anomaly recognition model are read in sequence, and the anomaly operation function is called to calculate the anomaly detection value; when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, detection stops and the software to be detected is determined to be abnormal software. The multiple kinds of attribute information of the software to be detected are checked in sequence, and as soon as any one attribute is found to be abnormal, detection can stop and the software can be determined to be abnormal software, so detection is more efficient. Because multiple kinds of target attribute information of the software are checked, detection is more comprehensive and more accurate.

As shown in FIG. 6, which is a schematic structural diagram of an abnormal software detection device in one embodiment, this embodiment provides an abnormal software detection device comprising a recognition model building module 601, a multi-level recognition module 602, an anomaly operation module 603 and an anomaly determination module 604, wherein:

the recognition model building module 601 is configured to construct a corresponding classifier for each item of attribute information of software detection, and to cascade the classifiers to form an anomaly recognition model;

the multi-level recognition module 602 is configured to extract the target attribute information of the software to be detected, input the target attribute information into the anomaly recognition model, and perform multi-level recognition through the classifier stages in sequence;

the anomaly operation module 603 is configured to read, in sequence, the output results of the classifier stages of the anomaly recognition model, and to call the anomaly operation function to calculate the anomaly detection value;

the anomaly determination module 604 is configured to stop detection and determine that the software to be detected is abnormal software when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold.

For the specific limitations of the abnormal software detection device, refer to the limitations of the abnormal software detection method above, which are not repeated here. Each module of the abnormal software detection device may be implemented wholly or partly in software, hardware, or a combination of the two. The modules may be embedded in, or independent of, a processor of the computer device in hardware form, or stored in a memory of the computer device in software form, so that the processor can call and execute the operations corresponding to each module.

As shown in FIG. 7, which is a schematic diagram of the internal structure of a computer device in one embodiment, the computer device includes a processor, a non-volatile storage medium, a memory and a network interface connected through a device bus. The non-volatile storage medium of the computer device stores an operating device, a database and computer-readable instructions; the database may store control information sequences, and the computer-readable instructions, when executed by the processor, cause the processor to implement an abnormal software detection method. The processor of the computer device provides computing and control capabilities and supports the operation of the entire computer device. The memory of the computer device may store computer-readable instructions which, when executed by the processor, cause the processor to execute an abnormal software detection method. The network interface of the computer device is used to connect to and communicate with a terminal. Those skilled in the art will understand that the structure shown in FIG. 7 is only a block diagram of the part of the structure relevant to the solution of this application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or arrange the components differently.

In one embodiment, a computer device is provided. The computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When executing the computer program, the processor implements the following steps: constructing a corresponding classifier for each item of attribute information of software detection, and cascading the classifiers to form an anomaly recognition model; extracting the target attribute information of the software to be detected, inputting the target attribute information into the anomaly recognition model, and performing multi-level recognition through the classifier stages in sequence; reading, in sequence, the output results of the classifier stages of the anomaly recognition model, and calling the anomaly operation function to calculate the anomaly detection value; and, when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, stopping detection and determining that the software to be detected is abnormal software.

In one of the embodiments, when the processor executes the computer program, the step of constructing a corresponding classifier for each item of attribute information of software detection includes: obtaining a first attribute set of software detection for multiple normal samples, and obtaining a second attribute set of software detection for multiple abnormal samples; selecting effective attributes from the first attribute set and the second attribute set; and generating each corresponding classifier according to the attribute information of each effective attribute.

In one of the embodiments, when the processor executes the computer program, the step of selecting effective attributes from the first attribute set and the second attribute set includes: calculating, for each attribute in the first attribute set and the second attribute set, a first support between the attribute and the first attribute set and a second support between the attribute and the second attribute set; calculating the difference between the first support and the second support to obtain a support difference; and, when the support difference is greater than a preset difference, taking the corresponding attribute as an effective attribute.

In one of the embodiments, when the processor executes the computer program, the step of cascading the classifiers to form an anomaly recognition model includes: sorting the corresponding classifiers by the magnitude of their support differences; and cascading the sorted classifiers to form the anomaly recognition model.

In one of the embodiments, when the processor executes the computer program, the step of extracting the target attribute information of the software to be detected includes: obtaining the initial attribute information of the software to be detected; and looking up, in the initial attribute information, the target attribute information corresponding to the effective attributes.

In one of the embodiments, when the processor executes the computer program, the step of calling the anomaly operation function to calculate the anomaly detection value includes: querying the anomaly operation function corresponding to each classifier; and calling each anomaly operation function in turn on the corresponding output result to obtain each anomaly detection value.

In one of the embodiments, when the processor executes the computer program, before the step of stopping detection and determining that the software to be detected is abnormal software when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, the method further includes: obtaining the set anomaly threshold corresponding to each classifier.

In one embodiment, a storage medium storing computer-readable instructions is provided. When executed by one or more processors, the computer-readable instructions cause the one or more processors to perform the following steps: constructing a corresponding classifier for each item of attribute information of software detection, and cascading the classifiers to form an anomaly recognition model; extracting the target attribute information of the software to be detected, inputting the target attribute information into the anomaly recognition model, and performing multi-level recognition through the classifier stages in sequence; reading, in sequence, the output results of the classifier stages of the anomaly recognition model, and calling the anomaly operation function to calculate the anomaly detection value; and, when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, stopping detection and determining that the software to be detected is abnormal software.

In one of the embodiments, when the computer-readable instructions are executed by the processor, the step of constructing a corresponding classifier for each item of attribute information of software detection includes: obtaining a first attribute set of software detection for multiple normal samples, and obtaining a second attribute set of software detection for multiple abnormal samples; selecting effective attributes from the first attribute set and the second attribute set; and generating each corresponding classifier according to the attribute information of each effective attribute.

In one of the embodiments, when the computer-readable instructions are executed by the processor, the step of selecting effective attributes from the first attribute set and the second attribute set includes: calculating, for each attribute in the first attribute set and the second attribute set, a first support between the attribute and the first attribute set and a second support between the attribute and the second attribute set; calculating the difference between the first support and the second support to obtain a support difference; and, when the support difference is greater than a preset difference, taking the corresponding attribute as an effective attribute.

In one of the embodiments, when the computer-readable instructions are executed by the processor, the step of cascading the classifiers to form an anomaly recognition model includes: sorting the corresponding classifiers by the magnitude of their support differences; and cascading the sorted classifiers to form the anomaly recognition model.

In one of the embodiments, when the computer-readable instructions are executed by the processor, the step of extracting the target attribute information of the software to be detected includes: obtaining the initial attribute information of the software to be detected; and looking up, in the initial attribute information, the target attribute information corresponding to the effective attributes.

In one of the embodiments, when the computer-readable instructions are executed by the processor, the step of calling the anomaly operation function to calculate the anomaly detection value includes: querying the anomaly operation function corresponding to each classifier; and calling each anomaly operation function in turn on the corresponding output result to obtain each anomaly detection value.

In one of the embodiments, when the computer-readable instructions are executed by the processor, before the step of stopping detection and determining that the software to be detected is abnormal software when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, the method further includes: obtaining the set anomaly threshold corresponding to each classifier.

It should be understood that although the steps in the flowcharts of the accompanying drawings are shown in the sequence indicated by the arrows, they are not necessarily executed in that sequence. Unless explicitly stated herein, there is no strict restriction on the order in which these steps are executed, and they may be executed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages. These sub-steps or stages are not necessarily completed at the same moment and may be executed at different times; nor are they necessarily executed one after another, and they may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.

The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art may make improvements and refinements without departing from the principles of the present invention, and such improvements and refinements shall also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. An abnormal software detection method, characterized by comprising the following steps: constructing a corresponding classifier for each item of attribute information of software detection, and cascading the classifiers to form an anomaly recognition model; extracting the target attribute information of the software to be detected, inputting the target attribute information into the anomaly recognition model, and performing multi-level recognition through the classifier stages in sequence; reading, in sequence, the output results of the classifier stages of the anomaly recognition model, and calling the anomaly operation function to calculate the anomaly detection value; and, when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, stopping detection and determining that the software to be detected is abnormal software.

2. The method according to claim 1, characterized in that the step of constructing a corresponding classifier for each item of attribute information of software detection comprises: obtaining a first attribute set of software detection for multiple normal samples, and obtaining a second attribute set of software detection for multiple abnormal samples; selecting effective attributes from the first attribute set and the second attribute set; and generating each corresponding classifier according to the attribute information of each effective attribute.

3. The method according to claim 2, characterized in that the step of selecting effective attributes from the first attribute set and the second attribute set comprises: calculating, for each attribute in the first attribute set and the second attribute set, a first support between the attribute and the first attribute set and a second support between the attribute and the second attribute set; calculating the difference between the first support and the second support to obtain a support difference; and, when the support difference is greater than a preset difference, taking the corresponding attribute as an effective attribute.

4. The method according to claim 3, characterized in that the step of cascading the classifiers to form an anomaly recognition model comprises: sorting the corresponding classifiers by the magnitude of their support differences; and cascading the sorted classifiers to form the anomaly recognition model.

5. The method according to claim 2, characterized in that the step of extracting the target attribute information of the software to be detected comprises: obtaining the initial attribute information of the software to be detected; and looking up, in the initial attribute information, the target attribute information corresponding to the effective attributes.

6. The method according to claim 1, characterized in that the step of calling the anomaly operation function to calculate the anomaly detection value comprises: querying the anomaly operation function corresponding to each classifier; and calling each anomaly operation function in turn on the corresponding output result to obtain each anomaly detection value.

7. The method according to claim 1, characterized in that, before the step of stopping detection and determining that the software to be detected is abnormal software when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold, the method further comprises: obtaining the set anomaly threshold corresponding to each classifier.

8. An abnormal software detection device, characterized by comprising: a recognition model building module, configured to construct a corresponding classifier for each item of attribute information of software detection, and to cascade the classifiers to form an anomaly recognition model; a multi-level recognition module, configured to extract the target attribute information of the software to be detected, input the target attribute information into the anomaly recognition model, and perform multi-level recognition through the classifier stages in sequence; an anomaly operation module, configured to read, in sequence, the output results of the classifier stages of the anomaly recognition model, and to call the anomaly operation function to calculate the anomaly detection value; and an anomaly determination module, configured to stop detection and determine that the software to be detected is abnormal software when the anomaly detection value calculated for any classifier stage reaches the set anomaly threshold.

9. A computer device, comprising a memory and a processor, the memory storing computer-readable instructions, characterized in that the computer-readable instructions, when executed by the processor, cause the processor to perform the steps of the abnormal software detection method according to any one of claims 1 to 7.

10. A storage medium storing computer-readable instructions, characterized in that the computer-readable instructions, when executed by one or more processors, cause the one or more processors to perform the steps of the abnormal software detection method according to any one of claims 1 to 7.

CN201910759677.6A 2019-08-16 2019-08-16 abnormal software detection method and device, computer equipment and storage medium Pending CN110554961A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910759677.6A CN110554961A (en) 2019-08-16 2019-08-16 abnormal software detection method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910759677.6A CN110554961A (en) 2019-08-16 2019-08-16 abnormal software detection method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110554961A true CN110554961A (en) 2019-12-10

Family

ID=68737725

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910759677.6A Pending CN110554961A (en) 2019-08-16 2019-08-16 abnormal software detection method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110554961A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111340502A (en) * 2020-02-24 2020-06-26 中国银联股份有限公司 Abnormal behavior identification method and device, terminal equipment and storage medium
CN113361451A (en) * 2021-06-24 2021-09-07 福建万福信息技术有限公司 Ecological environment target identification method based on multi-level model and preset point automatic adjustment
CN115348139A (en) * 2022-07-18 2022-11-15 中国人民解放军国防科技大学 Modulation Recognition Method Based on Cascade Feature Fusion and Multi-level Classification
CN115766554A (en) * 2022-11-07 2023-03-07 深圳复临科技有限公司 Software detection method and device, computer equipment and storage medium
CN117056152A (en) * 2023-10-13 2023-11-14 腾讯科技(深圳)有限公司 Equipment detection method and related device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105335684A (en) * 2014-06-25 2016-02-17 小米科技有限责任公司 Face detection method and device
US20160335432A1 (en) * 2015-05-17 2016-11-17 Bitdefender IPR Management Ltd. Cascading Classifiers For Computer Security Applications
CN107180190A (en) * 2016-03-11 2017-09-19 深圳先进技术研究院 A kind of Android malware detection method and system based on composite character

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王星: "安卓应用程序若干典型特征刻画及其恶意行为检测方法", 中国博士学位论文全文数据库信息科技辑, no. 2019, 15 January 2019 (2019-01-15), pages 138 - 19 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111340502A (en) * 2020-02-24 2020-06-26 中国银联股份有限公司 Abnormal behavior identification method and device, terminal equipment and storage medium
CN111340502B (en) * 2020-02-24 2024-07-16 中国银联股份有限公司 Abnormal behavior identification method and device, terminal equipment and storage medium
CN113361451A (en) * 2021-06-24 2021-09-07 福建万福信息技术有限公司 Ecological environment target identification method based on multi-level model and preset point automatic adjustment
CN113361451B (en) * 2021-06-24 2024-04-30 福建万福信息技术有限公司 Ecological environment target identification method based on multistage model and preset point automatic adjustment
CN115348139A (en) * 2022-07-18 2022-11-15 中国人民解放军国防科技大学 Modulation Recognition Method Based on Cascade Feature Fusion and Multi-level Classification
CN115348139B (en) * 2022-07-18 2024-01-05 中国人民解放军国防科技大学 Modulation identification method based on cascade feature fusion and multi-stage classification
CN115766554A (en) * 2022-11-07 2023-03-07 深圳复临科技有限公司 Software detection method and device, computer equipment and storage medium
CN117056152A (en) * 2023-10-13 2023-11-14 腾讯科技(深圳)有限公司 Equipment detection method and related device
CN117056152B (en) * 2023-10-13 2024-02-09 腾讯科技(深圳)有限公司 Equipment detection method and related device

Similar Documents

Publication Publication Date Title
CN110554961A (en) abnormal software detection method and device, computer equipment and storage medium
CN108090567B (en) Method and device for fault diagnosis of power communication system
US10303874B2 (en) Malicious code detection method based on community structure analysis
CN108985057B (en) Webshell detection method and related equipment
CN111797402B (en) A method, device and storage medium for software vulnerability detection
WO2019148712A1 (en) Phishing website detection method, device, computer equipment and storage medium
KR20170108330A (en) Apparatus and method for detecting malware code
CN105224600B (en) A kind of detection method and device of Sample Similarity
WO2019144548A1 (en) Security test method, apparatus, computer device and storage medium
CN111711540B (en) Method and device for identifying government and enterprise business alarm
CN108509796B (en) A risk detection method and server
CN109145651B (en) Data processing method and device
CN112468452A (en) Flow detection method and device, electronic equipment and computer readable storage medium
CN114462040A (en) Malicious software detection model training method, malicious software detection method and malicious software detection device
CN109086186A (en) log detection method and device
CN111143858B (en) Data checking method and device
CN118445125A (en) Performance test method and device and computer equipment
CN105843859A (en) Data processing method, device and equipment
CN110598115A (en) Sensitive webpage identification method and system based on artificial intelligence multi-engine
CN114513341B (en) Malicious traffic detection method, device, terminal and computer-readable storage medium
WO2019085075A1 (en) Information element set generation method and rule execution method based on rule engine
CN115344861A (en) Malicious software detection model construction method and device and malicious software detection method and device
CN114020905A (en) Text classification external distribution sample detection method, device, medium and equipment
CN114281696A (en) Incremental code detection method, device, medium and electronic equipment
CN111966515A (en) Business abnormal data processing method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191210