CN110619216B - Malicious software detection method and system for adversarial network - Google Patents

Malicious software detection method and system for adversarial network Download PDF

Info

Publication number
CN110619216B
CN110619216B CN201910874102.9A CN201910874102A CN110619216B CN 110619216 B CN110619216 B CN 110619216B CN 201910874102 A CN201910874102 A CN 201910874102A CN 110619216 B CN110619216 B CN 110619216B
Authority
CN
China
Prior art keywords
model
malware
malicious software
generator
noise simulation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910874102.9A
Other languages
Chinese (zh)
Other versions
CN110619216A (en
Inventor
段彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd filed Critical Wuhan Sipuling Technology Co Ltd
Priority to CN201910874102.9A priority Critical patent/CN110619216B/en
Publication of CN110619216A publication Critical patent/CN110619216A/en
Application granted granted Critical
Publication of CN110619216B publication Critical patent/CN110619216B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Artificial Intelligence (AREA)
  • Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Biophysics (AREA)
  • Molecular Biology (AREA)
  • Computational Linguistics (AREA)
  • Biomedical Technology (AREA)
  • Computer Hardware Design (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Medical Informatics (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a malicious software detection method and a malicious software detection system for a resistance network, which can analyze and construct a noise simulation malicious software model based on historical software data, input normal software and malicious software into a black box model, mark the normal software and the malicious software to generate a software sample, train the noise simulation malicious software model by using the software sample, and enable the model to have the capability of continuously compounding and mutating the malicious software. After the noise simulation malicious software model is trained, the machine learning module is accessed to serve as a simulated malicious software source of the machine learning module, and the machine learning module is continuously trained by the malicious software to help improve the detection capability of the machine learning module.

Description

Malicious software detection method and system for adversarial network
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and a system for detecting malicious software in a reactive network.
Background
Although the existing statistical analysis and machine learning can detect malicious software, malicious codes, malicious behaviors and the like, the two defects exist: firstly, the amount of malicious software in the training process is insufficient and far less than that of normal data, and the insufficient amount and the imbalance of the malicious software can cause unbalance of a detection model and poor detection stability; secondly, with the development of the technology, attack means of malicious software are continuously changed, but the attack means cannot be used for model training in advance, so that unknown malicious software cannot be detected by the model. Therefore, a method and a system capable of self-generating usable malicious software, enhancing training data and improving the performance of a detection model are urgently needed.
Disclosure of Invention
The invention aims to provide a malicious software detection method and a malicious software detection system of a resistance network, which can analyze and construct a noise simulation malicious software model based on historical software data, input normal software and malicious software into a black box model, mark the noise simulation malicious software model to generate a software sample, and train the noise simulation malicious software model by using the software sample, wherein the model has the capability of continuously compounding and mutating the malicious software. After the noise simulation malicious software model is trained, the machine learning module is accessed to serve as a simulated malicious software source of the machine learning module, and the machine learning module is continuously trained by the malicious software to help improve the detection capability of the machine learning module.
In a first aspect, the present application provides a method for malware detection of a resistance network, the method comprising:
acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
inputting known normal software and malicious software in historical software into a black box model, and marking the input normal software and the input malicious software by the black box model to generate a software sample;
constructing a noise simulation malware model based on the feature vector of the malware, and randomly generating known various types of malware and various malware compounds by applying the model;
the multiple malware compounds comprise characteristics of a plurality of malware simultaneously, or a plurality of malware is continuously output, or the characteristics of variant malware are obtained;
the noise simulation malicious software model is used as a generator of a resistance network, a forward neural network architecture is adopted to build the generator, and the output of the generator is uninterruptedly sent to a substitute detector together with the output of the black box model;
the substitute detector continuously learns the feature vector of the black box model, and feeds learned gradient information back to the generator, and the generator adjusts the parameters of the noise simulation malicious software model according to the gradient information;
the substitution detector obtains a judgment result according to the generator output and the black box model output which are input from the two ends; if the judgment result is true, the generator output is very close to the black box model output on the characteristic vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the difference between the generator output and the black box model output on the characteristic vector is large, and the substitute detector feeds back the difference information and the characteristic vector output by the black box model to the generator;
the generator adjusts the parameters of the noise simulation malicious software model according to the feedback result of the substitute detector, and generates new output again;
when the rate of the judgment result obtained by the substitution detector is true is greater than a preset threshold value, the noise simulation malicious software model is completely trained;
the noise simulation malicious software model is accessed into a machine learning module, and the noise simulation malicious software model uninterruptedly and randomly generates malicious software flow for the machine learning module to learn by itself;
the machine learning module continuously enriches various malware characteristic vector samples by means of the noise simulation malware model, performs malware detection on real network flow, feeds back a detection result to an administrator, and the administrator can adjust parameters of the noise simulation malware model at regular time according to the detection result and starts an updating mechanism of the noise simulation malware model.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the variant malware characteristic includes an extension to a known malware characteristic vector and a modification to a field of malicious data.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the substitute detector further feeds back a result of the determination to an administrator, so that the administrator adjusts parameters of the noise simulation malware model in real time.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the updating mechanism of the noise simulation malware model refers to that the noise simulation malware model is used as a generator again, and output traffic of the generator is sent to the substitute detector.
In a second aspect, the present application provides a malware detection system for a resistance network, the system comprising:
the acquisition unit is used for acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
the black box model is used for inputting known normal software and malicious software in historical software together, and marking the input normal software and the input malicious software by the black box model to generate a software sample;
the building unit is used for building a noise simulation malware model based on the feature vector of the malicious data, and known various types of malware and various malware compounds can be randomly generated by applying the model;
the multiple malware compounds comprise characteristics of a plurality of malware simultaneously, or a plurality of malware is continuously performed, or the characteristics of the malware are mutated;
the generator is used for taking the noise simulation malicious software model as a generator of a resistance network, a forward neural network architecture is adopted to build the generator, and the output of the generator is uninterruptedly sent to a substitution detector together with the output of the black box model;
the substitution detector is used for continuously learning the feature vector of the black box model and feeding back the learned gradient information to the generator, and the generator adjusts the parameters of the noise simulation malicious software model according to the gradient information; obtaining a judgment result according to the generator output and the black box model output which are input at two ends; if the judgment result is true, the generator output is very close to the black box model output on the characteristic vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the difference between the generator output and the black box model output on the characteristic vector is large, and the substitute detector feeds back the difference information and the characteristic vector output by the black box model to the generator;
the generator adjusts parameters of the noise simulation malicious software model according to the feedback result of the substitute detector, and generates new output again;
when the rate of the judgment result obtained by the substitution detector is true is greater than a preset threshold value, the noise simulation malicious software model is completely trained;
the machine learning module is used for accessing the noise simulation malicious software model, and continuously and randomly generating malicious software flow by the noise simulation malicious software model for the machine learning module to learn by itself;
the machine learning module continuously enriches various malware characteristic vector samples by means of the noise simulation malware model, performs malware detection on real network flow, feeds back a detection result to an administrator, and the administrator can adjust parameters of the noise simulation malware model at regular time according to the detection result and starts an updating mechanism of the noise simulation malware model.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the variant malware characteristic includes an extension to a known malware characteristic vector and a modification to a field of malicious data.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the substitute detector further feeds back the result of the determination to an administrator, so that the administrator adjusts parameters of the noise simulation malware model in real time.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the updating mechanism of the noise simulation malware model refers to that the noise simulation malware model is used as a generator again, and output traffic of the generator is sent to the substitute detector.
The invention provides a malicious software detection method and a malicious software detection system for a resistance network, which can analyze and construct a noise simulation malicious software model based on historical software data, input normal software and malicious software into a black box model, mark the normal software and the malicious software to generate a software sample, train the noise simulation malicious software model by using the software sample, and enable the model to have the capability of continuously compounding and mutating the malicious software. After the noise simulation malicious software model is trained, the machine learning module is accessed to serve as a simulated malicious software source of the machine learning module, and the machine learning module is continuously trained by the malicious software to help improve the detection capability of the machine learning module.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a malware detection method of the adversarial network of the present invention;
FIG. 2 is an architecture diagram of the malware detection system of the adversarial network of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly and clearly defined.
Fig. 1 is a flowchart of a malware detection method for a resistance network provided in the present application, where the method includes:
acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
inputting known normal software and malicious software in historical software into a black box model, and marking the input normal software and the input malicious software by the black box model to generate a software sample;
constructing a noise simulation malware model based on the feature vector of the malware, and randomly generating known various types of malware and various malware compounds by applying the model;
the multiple malware compounds comprise characteristics of a plurality of malware simultaneously, or a plurality of malware is continuously output, or the characteristics of variant malware are obtained;
the noise simulation malicious software model is used as a generator of a resistance network, a forward neural network architecture is adopted to build the generator, and the output of the generator is uninterruptedly sent to a substitute detector together with the output of the black box model;
the substitute detector continuously learns the feature vector of the black box model, and feeds learned gradient information back to the generator, and the generator adjusts the parameters of the noise simulation malicious software model according to the gradient information;
the substitution detector obtains a judgment result according to the generator output and the black box model output which are input from the two ends; if the judgment result is true, the generator output is very close to the black box model output on the characteristic vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the difference between the generator output and the black box model output on the characteristic vector is large, and the substitute detector feeds back the difference information and the characteristic vector output by the black box model to the generator;
the generator adjusts the parameters of the noise simulation malicious software model according to the feedback result of the substitute detector, and generates new output again;
when the rate of the judgment result obtained by the substitution detector is true is greater than a preset threshold value, the noise simulation malicious software model is completely trained;
the noise simulation malicious software model is accessed into a machine learning module, and the noise simulation malicious software model uninterruptedly and randomly generates malicious software flow for the machine learning module to learn by itself;
the machine learning module continuously enriches various malware characteristic vector samples by means of the noise simulation malware model, performs malware detection on real network flow, feeds back a detection result to an administrator, and the administrator can adjust parameters of the noise simulation malware model at regular time according to the detection result and starts an updating mechanism of the noise simulation malware model.
In some preferred embodiments, the variant malware features include extensions to known malware feature vectors, and modifications to fields of malicious data.
In some preferred embodiments, the substitution detector further feeds back the result of the discrimination to an administrator, so that the administrator adjusts the parameters of the noise simulation malware model in real time.
In some preferred embodiments, the updating mechanism of the noise simulation malware model refers to taking the noise simulation malware model as a generator again, and sending output traffic of the generator to the substitute detector.
Fig. 2 is an architecture diagram of a malware detection system for a adversarial network provided by the present application, the system including:
the acquisition unit is used for acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
the black box model is used for inputting known normal software and malicious software in historical software together, and marking the input normal software and the input malicious software by the black box model to generate a software sample;
the building unit is used for building a noise simulation malware model based on the feature vector of the malicious data, and known various types of malware and various malware compounds can be randomly generated by applying the model;
the multiple malware compounds comprise characteristics of a plurality of malware simultaneously, or a plurality of malware is continuously performed, or the characteristics of the malware are mutated;
the generator is used for taking the noise simulation malicious software model as a generator of a resistance network, a forward neural network architecture is adopted to build the generator, and the output of the generator is uninterruptedly sent to a substitution detector together with the output of the black box model;
the substitution detector is used for continuously learning the feature vector of the black box model and feeding back the learned gradient information to the generator, and the generator adjusts the parameters of the noise simulation malicious software model according to the gradient information; obtaining a judgment result according to the generator output and the black box model output which are input at two ends; if the judgment result is true, the generator output is very close to the black box model output on the characteristic vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the difference between the generator output and the black box model output on the characteristic vector is large, and the substitute detector feeds back the difference information and the characteristic vector output by the black box model to the generator;
the generator adjusts parameters of the noise simulation malicious software model according to the feedback result of the substitute detector, and generates new output again;
when the rate of the judgment result obtained by the substitution detector is true is greater than a preset threshold value, the noise simulation malicious software model is completely trained;
the machine learning module is used for accessing the noise simulation malicious software model, and continuously and randomly generating malicious software flow by the noise simulation malicious software model for the machine learning module to learn by itself;
the machine learning module continuously enriches various malware characteristic vector samples by means of the noise simulation malware model, performs malware detection on real network flow, feeds back a detection result to an administrator, and the administrator can adjust parameters of the noise simulation malware model at regular time according to the detection result and starts an updating mechanism of the noise simulation malware model.
In some preferred embodiments, the variant malware features include extensions to known malware feature vectors, and modifications to fields of malicious data.
In some preferred embodiments, the substitution detector further feeds back the result of the discrimination to an administrator, so that the administrator adjusts the parameters of the noise simulation malware model in real time.
In some preferred embodiments, the updating mechanism of the noise simulation malware model refers to taking the noise simulation malware model as a generator again, and sending output traffic of the generator to the substitute detector.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (2)

1. A malware detection method for a resistance network, the method comprising:
acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
inputting known normal software and malicious software in historical software into a black box model, and marking the input normal software and the input malicious software by the black box model to generate a software sample;
constructing a noise simulation malware model based on the feature vector of the malware, and randomly generating known various types of malware and various malware compounds by applying the model;
the multiple malware compounds comprise characteristics of a plurality of malware simultaneously, or a plurality of malware is continuously output, or the characteristics of variant malware are obtained;
the noise simulation malicious software model is used as a generator of a resistance network, a forward neural network architecture is adopted to build the generator, and the output of the generator is uninterruptedly sent to a substitute detector together with the output of the black box model;
the substitute detector continuously learns the feature vector of the black box model, and feeds learned gradient information back to the generator, and the generator adjusts the parameters of the noise simulation malicious software model according to the gradient information;
the substitution detector obtains a judgment result according to the generator output and the black box model output which are input from the two ends; if the judgment result is true, the generator output is very close to the black box model output on the characteristic vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the difference between the generator output and the black box model output on the characteristic vector is large, and the substitute detector feeds back the difference information and the characteristic vector output by the black box model to the generator;
the generator adjusts the parameters of the noise simulation malicious software model according to the feedback result of the substitute detector, and generates new output again;
when the rate of the judgment result obtained by the substitution detector is true is greater than a preset threshold value, the noise simulation malicious software model is completely trained;
the noise simulation malicious software model is accessed into a machine learning module, and the noise simulation malicious software model uninterruptedly and randomly generates malicious software flow for the machine learning module to learn by itself;
the machine learning module continuously enriches various malware characteristic vector samples by means of the noise simulation malware model, performs malware detection on real network flow, feeds back a detection result to an administrator, and the administrator can adjust parameters of the noise simulation malware model at regular time according to the detection result and start an updating mechanism of the noise simulation malware model;
the variant malware characteristics comprise the steps of expanding known malware characteristic vectors and modifying fields of a plurality of malicious data;
the substitution detector also feeds back the judgment result to an administrator, so that the administrator can adjust the parameters of the noise simulation malicious software model in real time;
the updating mechanism of the noise simulation malicious software model refers to that the noise simulation malicious software model is used as a generator again, and the output flow of the generator is sent to the substitute detector.
2. A malware detection system for a resistance network, the system comprising:
the acquisition unit is used for acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
the black box model is used for inputting known normal software and malicious software in historical software together, and marking the input normal software and the input malicious software by the black box model to generate a software sample;
the building unit is used for building a noise simulation malware model based on the feature vector of the malicious data, and known various types of malware and various malware compounds can be randomly generated by applying the model;
the multiple malware compounds comprise characteristics of a plurality of malware simultaneously, or a plurality of malware is continuously performed, or the characteristics of the malware are mutated;
the generator is used for taking the noise simulation malicious software model as a generator of a resistance network, a forward neural network architecture is adopted to build the generator, and the output of the generator is uninterruptedly sent to a substitution detector together with the output of the black box model;
the substitution detector is used for continuously learning the feature vector of the black box model and feeding back the learned gradient information to the generator, and the generator adjusts the parameters of the noise simulation malicious software model according to the gradient information; obtaining a judgment result according to the generator output and the black box model output which are input at two ends; if the judgment result is true, the generator output is very close to the black box model output on the characteristic vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the difference between the generator output and the black box model output on the characteristic vector is large, and the substitute detector feeds back the difference information and the characteristic vector output by the black box model to the generator;
the generator adjusts parameters of the noise simulation malicious software model according to the feedback result of the substitute detector, and generates new output again;
when the rate of the judgment result obtained by the substitution detector is true is greater than a preset threshold value, the noise simulation malicious software model is completely trained;
the machine learning module is used for accessing the noise simulation malicious software model, and continuously and randomly generating malicious software flow by the noise simulation malicious software model for the machine learning module to learn by itself;
the machine learning module continuously enriches various malware characteristic vector samples by means of the noise simulation malware model, performs malware detection on real network flow, feeds back a detection result to an administrator, and the administrator can adjust parameters of the noise simulation malware model at regular time according to the detection result and start an updating mechanism of the noise simulation malware model;
the variant malware characteristics comprise the steps of expanding known malware characteristic vectors and modifying fields of a plurality of malicious data;
the substitution detector also feeds back the judgment result to an administrator, so that the administrator can adjust the parameters of the noise simulation malicious software model in real time;
the updating mechanism of the noise simulation malicious software model refers to that the noise simulation malicious software model is used as a generator again, and the output flow of the generator is sent to the substitute detector.
CN201910874102.9A 2019-09-17 2019-09-17 Malicious software detection method and system for adversarial network Active CN110619216B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910874102.9A CN110619216B (en) 2019-09-17 2019-09-17 Malicious software detection method and system for adversarial network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910874102.9A CN110619216B (en) 2019-09-17 2019-09-17 Malicious software detection method and system for adversarial network

Publications (2)

Publication Number Publication Date
CN110619216A CN110619216A (en) 2019-12-27
CN110619216B true CN110619216B (en) 2021-09-03

Family

ID=68923042

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910874102.9A Active CN110619216B (en) 2019-09-17 2019-09-17 Malicious software detection method and system for adversarial network

Country Status (1)

Country Link
CN (1) CN110619216B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111259393B (en) * 2020-01-14 2023-05-23 河南信息安全研究院有限公司 Malicious software detector concept drift resistance method based on generation countermeasure network
CN111475810B (en) * 2020-04-13 2021-04-06 广州锦行网络科技有限公司 Malicious software detector training method and system, and detection method and system
CN114143024B (en) * 2021-10-26 2022-07-26 广州大学 Black box malicious software detection countermeasure sample generation method and system based on generation countermeasure network, electronic device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103294954A (en) * 2013-06-07 2013-09-11 四川大学 Compound document malicious code detecting technique and system based on spectral analysis
CN109902709A (en) * 2019-01-07 2019-06-18 浙江大学 A kind of industrial control system malice sample generating method based on confrontation study
CN110097185A (en) * 2019-03-29 2019-08-06 北京大学 A kind of Optimized model method and application based on generation confrontation network
CN110210226A (en) * 2019-06-06 2019-09-06 深信服科技股份有限公司 A kind of malicious file detection method, system, equipment and computer storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL226747B (en) * 2013-06-04 2019-01-31 Verint Systems Ltd System and method for malware detection learning
US10291633B1 (en) * 2016-10-18 2019-05-14 The United States Of America As Represented By The Secretary Of The Army Bandwidth conserving signature deployment with signature set and network security
US10733385B2 (en) * 2017-12-12 2020-08-04 Institute For Information Industry Behavior inference model building apparatus and behavior inference model building method thereof
US10841333B2 (en) * 2018-01-08 2020-11-17 Sophos Limited Malware detection using machine learning
CN109190379B (en) * 2018-08-03 2020-05-19 清华大学 Vulnerability detection method and device of deep learning system
CN109446808A (en) * 2018-10-30 2019-03-08 中国人民解放军国防科技大学 Android countermeasure sample generation method and system based on DCGAN
CN109784056B (en) * 2019-01-02 2021-04-20 大连理工大学 Malicious software detection method based on deep learning

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103294954A (en) * 2013-06-07 2013-09-11 四川大学 Compound document malicious code detecting technique and system based on spectral analysis
CN109902709A (en) * 2019-01-07 2019-06-18 浙江大学 A kind of industrial control system malice sample generating method based on confrontation study
CN110097185A (en) * 2019-03-29 2019-08-06 北京大学 A kind of Optimized model method and application based on generation confrontation network
CN110210226A (en) * 2019-06-06 2019-09-06 深信服科技股份有限公司 A kind of malicious file detection method, system, equipment and computer storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN;Weiwei Hu 等;《https://arxiv.org/abs/1702.05983》;20170220;1-7 *

Also Published As

Publication number Publication date
CN110619216A (en) 2019-12-27

Similar Documents

Publication Publication Date Title
CN110505241B (en) Network attack plane detection method and system
Ilyas et al. Black-box adversarial attacks with limited queries and information
US10397258B2 (en) Continuous learning for intrusion detection
CN110619216B (en) Malicious software detection method and system for adversarial network
EP3651043A1 (en) Url attack detection method and apparatus, and electronic device
CN110493262B (en) Classification-improved network attack detection method and system
CN110545284A (en) Domain name detection method and system for antagonistic network
CN111368289B (en) Malicious software detection method and device
CN112492059A (en) DGA domain name detection model training method, DGA domain name detection device and storage medium
CN111245784A (en) Method for multi-dimensional detection of malicious domain name
CN109462578B (en) Threat information utilization and propagation method based on statistical learning
CN110598794A (en) Classified countermeasure network attack detection method and system
CN112084505A (en) Deep learning model malicious sample detection method, system, device and storage medium
CN110581856A (en) malicious code detection method and system
CN110535874A (en) A kind of network attack detecting method and system of antagonism network
Elmasry et al. Comparative evaluation of different classification techniques for masquerade attack detection
CN110581857B (en) Virtual execution malicious software detection method and system
Boffa et al. Towards NLP-based processing of honeypot logs
KR20190028880A (en) Method and appratus for generating machine learning data for botnet detection system
CN116915442A (en) Vulnerability testing method, device, equipment and medium
CN106844219A (en) Using detection method and apply detection means
Nalavade et al. Evaluation of k-means clustering for effective intrusion detection and prevention in massive network traffic data
CN112532562B (en) Malicious data flow detection method and system for adversarial network
CN114285587B (en) Domain name identification method and device and domain name classification model acquisition method and device
CN112016088A (en) Method and device for generating file detection model and method and device for detecting file

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant