CN110619216B - Malicious software detection method and system for adversarial network - Google Patents
- Publication number: CN110619216B
- Application number: CN201910874102.9A
- Authority: CN (China)
- Prior art keywords: model, malware, malicious software, generator, noise simulation
- Legal status: Active (status as estimated by Google; not a legal conclusion)
Classifications
- G06F21/566 — Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56, Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/55, Detecting local intrusion or implementing counter-measures; G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06N20/00 — Machine learning
- G06N3/045 — Combinations of networks (under G06N3/04, Architecture, e.g. interconnection topology; G06N3/02, Neural networks; G06N3/00, Computing arrangements based on biological models)
- G06N3/08 — Learning methods (under G06N3/02, Neural networks)
- G06F2221/033 — Test or assess software (indexing scheme G06F2221/03 relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
Abstract
The invention provides a malware detection method and system for an adversarial network. Based on historical software data, a noise-simulation malware model is analyzed and constructed; known normal software and malware are input into a black-box model, which labels them to produce software samples; the noise-simulation malware model is then trained on these samples so that it can continuously combine and mutate malware. Once trained, the model is connected to a machine learning module as that module's source of simulated malware, and the module is continuously trained on this malware to improve its detection capability.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular to a method and a system for detecting malware in an adversarial network.
Background
Although existing statistical analysis and machine learning can detect malware, malicious code, malicious behaviour and the like, they have two defects. First, the amount of malware available during training is insufficient and far smaller than the amount of normal data; this shortage and imbalance leave the detection model unbalanced and its detection unstable. Second, as technology develops, malware attack techniques change continuously, and such techniques cannot be used for model training in advance, so the model cannot detect unknown malware. A method and system that can generate usable malware on their own, augment the training data and improve the performance of the detection model are therefore urgently needed.
Disclosure of Invention
The invention aims to provide a malware detection method and system for an adversarial network. Based on historical software data, a noise-simulation malware model is analyzed and constructed; known normal software and malware are input into a black-box model, which labels them to produce software samples; the noise-simulation malware model is then trained on these samples, giving the model the capability to continuously combine and mutate malware. Once trained, the model is connected to a machine learning module as that module's source of simulated malware, and the module is continuously trained on this malware to improve its detection capability.
In a first aspect, the present application provides a malware detection method for an adversarial network, the method comprising:
acquiring historical software data, and analyzing and extracting feature vectors of the malware in the historical software data according to the features of known malware types;
inputting the known normal software and malware in the historical software into a black-box model, the black-box model labeling the input normal software and malware to generate software samples;
constructing a noise-simulation malware model based on the malware feature vectors, and using the model to randomly generate the known types of malware and various composite malware;
the composite malware comprising the features of multiple malware at once, multiple malware output in succession, or the features of variant malware;
using the noise-simulation malware model as the generator of an adversarial network, the generator being built on a forward neural network architecture, and continuously sending the generator output together with the black-box model output to a substitute detector;
the substitute detector continuously learning the feature vectors of the black-box model and feeding the learned gradient information back to the generator, and the generator adjusting the parameters of the noise-simulation malware model according to the gradient information;
the substitute detector obtaining a judgment result from the generator output and the black-box model output fed in at its two ends; if the judgment result is true, the generator output is very close to the black-box model output in feature-vector terms and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the generator output and the black-box model output differ widely in feature-vector terms and the substitute detector feeds the difference information together with the feature vector output by the black-box model back to the generator;
the generator adjusting the parameters of the noise-simulation malware model according to the feedback from the substitute detector and generating new output again;
when the rate at which the substitute detector's judgment result is true exceeds a preset threshold, training of the noise-simulation malware model is complete;
connecting the noise-simulation malware model to a machine learning module, the noise-simulation malware model continuously and randomly generating malware traffic for the machine learning module to learn from;
the machine learning module continuously enriching its samples of malware feature vectors of every type by means of the noise-simulation malware model, performing malware detection on real network traffic and feeding the detection results back to an administrator, who can periodically adjust the parameters of the noise-simulation malware model according to the detection results and start the update mechanism of the noise-simulation malware model.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the variant malware features include extending known malware feature vectors and modifying fields of the malicious data.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the substitute detector further feeds the judgment result back to an administrator, so that the administrator adjusts the parameters of the noise-simulation malware model in real time.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the update mechanism of the noise-simulation malware model means that the noise-simulation malware model is used as the generator again and the output traffic of the generator is sent to the substitute detector.
In a second aspect, the present application provides a malware detection system for an adversarial network, the system comprising:
an acquisition unit for acquiring historical software data, and analyzing and extracting feature vectors of the malware in the historical software data according to the features of known malware types;
a black-box model into which the known normal software and malware in the historical software are input together, the black-box model labeling the input normal software and malware to generate software samples;
a building unit for building a noise-simulation malware model based on the feature vectors of the malicious data, the model being usable to randomly generate the known types of malware and various composite malware;
the composite malware comprising the features of multiple malware at once, multiple malware output in succession, or mutated malware features;
a generator, which uses the noise-simulation malware model as the generator of an adversarial network, is built on a forward neural network architecture, and continuously sends its output together with the black-box model output to a substitute detector;
a substitute detector for continuously learning the feature vectors of the black-box model and feeding the learned gradient information back to the generator, the generator adjusting the parameters of the noise-simulation malware model according to the gradient information; the substitute detector obtaining a judgment result from the generator output and the black-box model output fed in at its two ends; if the judgment result is true, the generator output is very close to the black-box model output in feature-vector terms and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the generator output and the black-box model output differ widely in feature-vector terms and the substitute detector feeds the difference information together with the feature vector output by the black-box model back to the generator;
the generator adjusting the parameters of the noise-simulation malware model according to the feedback from the substitute detector and generating new output again;
when the rate at which the substitute detector's judgment result is true exceeds a preset threshold, training of the noise-simulation malware model is complete;
a machine learning module to which the noise-simulation malware model is connected, the noise-simulation malware model continuously and randomly generating malware traffic for the machine learning module to learn from;
the machine learning module continuously enriching its samples of malware feature vectors of every type by means of the noise-simulation malware model, performing malware detection on real network traffic and feeding the detection results back to an administrator, who can periodically adjust the parameters of the noise-simulation malware model according to the detection results and start the update mechanism of the noise-simulation malware model.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the variant malware features include extending known malware feature vectors and modifying fields of the malicious data.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the substitute detector further feeds the judgment result back to an administrator, so that the administrator adjusts the parameters of the noise-simulation malware model in real time.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the update mechanism of the noise-simulation malware model means that the noise-simulation malware model is used as the generator again and the output traffic of the generator is sent to the substitute detector.
The invention provides a malware detection method and system for an adversarial network. Based on historical software data, a noise-simulation malware model is analyzed and constructed; known normal software and malware are input into a black-box model, which labels them to produce software samples; the noise-simulation malware model is then trained on these samples so that it can continuously combine and mutate malware. Once trained, the model is connected to a machine learning module as that module's source of simulated malware, and the module is continuously trained on this malware to improve its detection capability.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below; those skilled in the art can obviously derive other drawings from these drawings without creative effort.
FIG. 1 is a flow chart of a malware detection method of the adversarial network of the present invention;
FIG. 2 is an architecture diagram of the malware detection system of the adversarial network of the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that those skilled in the art can more easily understand the advantages and features of the present invention and the scope of the present invention is more clearly defined.
Fig. 1 is a flowchart of the malware detection method for an adversarial network provided in the present application, the method comprising:
acquiring historical software data, and analyzing and extracting feature vectors of the malware in the historical software data according to the features of known malware types;
inputting the known normal software and malware in the historical software into a black-box model, the black-box model labeling the input normal software and malware to generate software samples;
constructing a noise-simulation malware model based on the malware feature vectors, and using the model to randomly generate the known types of malware and various composite malware;
the composite malware comprising the features of multiple malware at once, multiple malware output in succession, or the features of variant malware;
using the noise-simulation malware model as the generator of an adversarial network, the generator being built on a forward neural network architecture, and continuously sending the generator output together with the black-box model output to a substitute detector;
the substitute detector continuously learning the feature vectors of the black-box model and feeding the learned gradient information back to the generator, and the generator adjusting the parameters of the noise-simulation malware model according to the gradient information;
the substitute detector obtaining a judgment result from the generator output and the black-box model output fed in at its two ends; if the judgment result is true, the generator output is very close to the black-box model output in feature-vector terms and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the generator output and the black-box model output differ widely in feature-vector terms and the substitute detector feeds the difference information together with the feature vector output by the black-box model back to the generator;
the generator adjusting the parameters of the noise-simulation malware model according to the feedback from the substitute detector and generating new output again;
when the rate at which the substitute detector's judgment result is true exceeds a preset threshold, training of the noise-simulation malware model is complete;
connecting the noise-simulation malware model to a machine learning module, the noise-simulation malware model continuously and randomly generating malware traffic for the machine learning module to learn from;
the machine learning module continuously enriching its samples of malware feature vectors of every type by means of the noise-simulation malware model, performing malware detection on real network traffic and feeding the detection results back to an administrator, who can periodically adjust the parameters of the noise-simulation malware model according to the detection results and start the update mechanism of the noise-simulation malware model.
In some preferred embodiments, the variant malware features include extending known malware feature vectors and modifying fields of the malicious data.
In some preferred embodiments, the substitute detector further feeds the judgment result back to an administrator, so that the administrator adjusts the parameters of the noise-simulation malware model in real time.
In some preferred embodiments, the update mechanism of the noise-simulation malware model means that the noise-simulation malware model is used as the generator again and the output traffic of the generator is sent to the substitute detector.
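The control loop described above, as an added worked example in Python; it is not code from the patent or from its applicants. It assumes a constructed four-element feature vector, a black-box model that is a fixed labelling rule (`black_box_model`), a single-layer linear generator as the noise-simulation malware model, logistic regression as both the substitute detector and the final machine learning module, and a preset acceptance threshold of 0.45. Every name, constant and sample value in the block (`sample_software`, `Detector`, `Generator`, `train_generator`, `build_detector`, `run_demo`, the two centroids, the learning rates) is an assumption of this example, not something the page specifies. The substitute detector learns the black-box-labelled malware against generator output and feeds back the gradient direction; when it judges an output false, the difference to the black-box feature vector is fed back as well; training stops once the detector's acceptance rate of generator output stays above the threshold; the trained generator then enriches an imbalanced training set for the final detector, and passing a trained generator back into `train_generator` is the page's update mechanism.

```python
import math
import random

random.seed(7)  # fixed seed so a run is reproducible
D, K = 4, 2     # feature-vector length and noise-vector length (both constructed)
# Constructed "historical software data": one centroid per class, each sample
# jittered by +/-0.05 per feature. These are not real malware features.
NORMAL_CENTROID = [0.1, 0.2, 0.8, 0.1]
MALWARE_CENTROID = [0.8, 0.7, 0.2, 0.9]

def sample_software(centroid, n):
    return [[c + random.uniform(-0.05, 0.05) for c in centroid] for _ in range(n)]

def black_box_model(x):  # stand-in for the black-box model: constructed rule, 1 = malicious
    return 1 if x[0] + x[3] > 1.0 else 0

def sigmoid(t):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, t))))  # clamped: no overflow

class Detector:
    """Logistic regression; serves as substitute detector and as the final ML module."""
    def __init__(self):
        self.w, self.c = [0.0] * D, 0.0
    def prob(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.c)
    def step(self, batch, lr=0.5):  # one SGD pass over (feature_vector, label) pairs
        for x, y in batch:
            g = y - self.prob(x)
            self.w = [wi + lr * g * xi for wi, xi in zip(self.w, x)]
            self.c += lr * g

class Generator:
    """Noise-simulation malware model: one-layer forward network, x = W z + b."""
    def __init__(self):
        self.W = [[random.uniform(-0.1, 0.1) for _ in range(K)] for _ in range(D)]
        self.b = [0.0] * D
    def sample(self, n):  # returns (z, x) pairs; z is kept because update() needs it
        out = []
        for _ in range(n):
            z = [random.uniform(-1.0, 1.0) for _ in range(K)]
            out.append((z, [sum(w * zj for w, zj in zip(row, z)) + bi
                           for row, bi in zip(self.W, self.b)]))
        return out
    def update(self, feedback, lr=0.1):  # move W and b along the mean direction g
        for z, g in feedback:
            for i in range(D):
                self.b[i] += lr * g[i] / len(feedback)
                self.W[i] = [w + lr * g[i] * zj / len(feedback) for w, zj in zip(self.W[i], z)]

def train_generator(real_malware, gen=None, threshold=0.45, patience=3,
                    max_rounds=300, batch=64):
    """Adversarial loop; a substitute detector that can no longer tell the two sides
    apart accepts about half of the fakes, so the preset threshold sits just below 0.5."""
    gen, sub = gen or Generator(), Detector()
    streak = rate = 0
    for rnd in range(1, max_rounds + 1):
        fakes = gen.sample(batch)
        reals = random.choices(real_malware, k=batch)  # few real samples: resample
        labelled = [(x, 1) for x in reals] + [(x, 0) for _, x in fakes]
        for _ in range(5):  # substitute detector learns the black-box feature vectors
            random.shuffle(labelled)
            sub.step(labelled)
        norm = max(1.0, math.sqrt(sum(wi * wi for wi in sub.w)))  # clip for stability
        feedback, accepted = [], 0
        for (z, x), xr in zip(fakes, reals):
            d = sub.prob(x)
            g = [(1.0 - d) * wi / norm for wi in sub.w]  # gradient (similarity) information
            if d > 0.5:
                accepted += 1
            else:  # judged false: add the difference to the black-box feature vector
                g = [gi + (ri - xi) for gi, ri, xi in zip(g, xr, x)]
            feedback.append((z, g))
        gen.update(feedback)
        rate = accepted / batch
        streak = streak + 1 if rate >= threshold else 0
        if streak >= patience:
            break
    return gen, rnd, rate

def build_detector(history, synthetic, epochs=50):
    """Final ML module: black-box-labelled history plus generator output as malware."""
    labelled = [(x, black_box_model(x)) for x in history] + [(x, 1) for x in synthetic]
    det = Detector()
    for _ in range(epochs):
        random.shuffle(labelled)
        det.step(labelled)
    return det

def run_demo():
    # Imbalanced history, as in the page's motivation: 200 normal, 20 malicious.
    history = sample_software(NORMAL_CENTROID, 200) + sample_software(MALWARE_CENTROID, 20)
    gen, rounds, rate = train_generator([x for x in history if black_box_model(x) == 1])
    synthetic = [x for _, x in gen.sample(200)]
    centroid = [sum(col) / len(synthetic) for col in zip(*synthetic)]
    det = build_detector(history, synthetic)
    holdout = ([(x, 0) for x in sample_software(NORMAL_CENTROID, 50)]
               + [(x, 1) for x in sample_software(MALWARE_CENTROID, 50)])
    return {"rounds": rounds, "final_accept_rate": rate,
            "centroid_distance": math.dist(centroid, MALWARE_CENTROID),
            "holdout_accuracy": sum((det.prob(x) > 0.5) == bool(y) for x, y in holdout) / 100}

if __name__ == "__main__": print(run_demo())
```

Two caveats a practitioner should take from running it. With a linear generator and a linear substitute detector, the generator output collapses toward the centroid of the black-box-labelled malware, so the synthetic samples add weight to the scarce class but little variety; the composite and variant generation the page describes needs a richer generator and feature set, while the control loop stays the same. And the page's stopping rule is only meaningful once the substitute detector is near chance, so before adding generator output to the final detector's training set it is worth checking that the black-box model still labels it malicious; otherwise the augmentation poisons the detector it was meant to improve.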
Fig. 2 is an architecture diagram of the malware detection system for an adversarial network provided by the present application, the system comprising:
an acquisition unit for acquiring historical software data, and analyzing and extracting feature vectors of the malware in the historical software data according to the features of known malware types;
a black-box model into which the known normal software and malware in the historical software are input together, the black-box model labeling the input normal software and malware to generate software samples;
a building unit for building a noise-simulation malware model based on the feature vectors of the malicious data, the model being usable to randomly generate the known types of malware and various composite malware;
the composite malware comprising the features of multiple malware at once, multiple malware output in succession, or mutated malware features;
a generator, which uses the noise-simulation malware model as the generator of an adversarial network, is built on a forward neural network architecture, and continuously sends its output together with the black-box model output to a substitute detector;
a substitute detector for continuously learning the feature vectors of the black-box model and feeding the learned gradient information back to the generator, the generator adjusting the parameters of the noise-simulation malware model according to the gradient information; the substitute detector obtaining a judgment result from the generator output and the black-box model output fed in at its two ends; if the judgment result is true, the generator output is very close to the black-box model output in feature-vector terms and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the generator output and the black-box model output differ widely in feature-vector terms and the substitute detector feeds the difference information together with the feature vector output by the black-box model back to the generator;
the generator adjusting the parameters of the noise-simulation malware model according to the feedback from the substitute detector and generating new output again;
when the rate at which the substitute detector's judgment result is true exceeds a preset threshold, training of the noise-simulation malware model is complete;
a machine learning module to which the noise-simulation malware model is connected, the noise-simulation malware model continuously and randomly generating malware traffic for the machine learning module to learn from;
the machine learning module continuously enriching its samples of malware feature vectors of every type by means of the noise-simulation malware model, performing malware detection on real network traffic and feeding the detection results back to an administrator, who can periodically adjust the parameters of the noise-simulation malware model according to the detection results and start the update mechanism of the noise-simulation malware model.
In some preferred embodiments, the variant malware features include extending known malware feature vectors and modifying fields of the malicious data.
In some preferred embodiments, the substitute detector further feeds the judgment result back to an administrator, so that the administrator adjusts the parameters of the noise-simulation malware model in real time.
In some preferred embodiments, the update mechanism of the noise-simulation malware model means that the noise-simulation malware model is used as the generator again and the output traffic of the generator is sent to the substitute detector.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts of the various embodiments in this specification may be cross-referenced. In particular, since the system embodiments are substantially similar to the method embodiments, they are described briefly, and the relevant points can be found in the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (2)
1. A malware detection method for an adversarial network, the method comprising:
acquiring historical software data, and analyzing and extracting feature vectors of the malware in the historical software data according to the features of known malware types;
inputting the known normal software and malware in the historical software into a black-box model, the black-box model labeling the input normal software and malware to generate software samples;
constructing a noise-simulation malware model based on the malware feature vectors, and using the model to randomly generate the known types of malware and various composite malware;
the composite malware comprising the features of multiple malware at once, multiple malware output in succession, or the features of variant malware;
using the noise-simulation malware model as the generator of an adversarial network, the generator being built on a forward neural network architecture, and continuously sending the generator output together with the black-box model output to a substitute detector;
the substitute detector continuously learning the feature vectors of the black-box model and feeding the learned gradient information back to the generator, and the generator adjusting the parameters of the noise-simulation malware model according to the gradient information;
the substitute detector obtaining a judgment result from the generator output and the black-box model output fed in at its two ends; if the judgment result is true, the generator output is very close to the black-box model output in feature-vector terms and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the generator output and the black-box model output differ widely in feature-vector terms and the substitute detector feeds the difference information together with the feature vector output by the black-box model back to the generator;
the generator adjusting the parameters of the noise-simulation malware model according to the feedback from the substitute detector and generating new output again;
when the rate at which the substitute detector's judgment result is true exceeds a preset threshold, training of the noise-simulation malware model is complete;
connecting the noise-simulation malware model to a machine learning module, the noise-simulation malware model continuously and randomly generating malware traffic for the machine learning module to learn from;
the machine learning module continuously enriching its samples of malware feature vectors of every type by means of the noise-simulation malware model, performing malware detection on real network traffic and feeding the detection results back to an administrator, who can periodically adjust the parameters of the noise-simulation malware model according to the detection results and start the update mechanism of the noise-simulation malware model;
wherein the variant malware features comprise extending known malware feature vectors and modifying fields of the malicious data;
the substitute detector further feeds the judgment result back to an administrator, so that the administrator can adjust the parameters of the noise-simulation malware model in real time;
and the update mechanism of the noise-simulation malware model means that the noise-simulation malware model is used as the generator again and the output traffic of the generator is sent to the substitute detector.
2. A malware detection system for a resistance network, the system comprising:
the acquisition unit is used for acquiring historical software data, and analyzing and extracting feature vectors of malicious software in the historical software data according to the features of known malicious software types;
the black-box model receives known normal software and malicious software from historical software together, labels the input normal software and the input malicious software, and thereby generates software samples;
the building unit builds a noise simulation malware model from the feature vectors of the malicious data; applying the model randomly generates the known types of malware and various malware compounds;
the malware compounds carry the characteristics of several malware samples at once, or several malware samples executed in succession, or mutated malware characteristics;
the generator uses the noise simulation malware model as the generator of an adversarial network; the generator is built with a feed-forward neural network architecture, and its output is sent continuously, together with the output of the black-box model, to a substitute detector;
the substitute detector continuously learns the feature vectors of the black-box model and feeds the learned gradient information back to the generator, which adjusts the parameters of the noise simulation malware model according to that gradient information; the substitute detector obtains a judgment result from the generator output and the black-box model output fed into its two inputs; if the judgment result is true, the generator output is very close to the black-box model output in terms of the feature vector, and the substitute detector feeds the similarity information back to the generator; if the judgment result is false, the generator output differs greatly from the black-box model output in terms of the feature vector, and the substitute detector feeds the difference information and the feature vectors output by the black-box model back to the generator;
the generator adjusts the parameters of the noise simulation malware model according to the feedback from the substitute detector and generates new output again;
when the rate at which the substitute detector obtains a true judgment result exceeds a preset threshold value, the noise simulation malware model is fully trained;
the machine learning module accesses the noise simulation malware model, which continuously and randomly generates malware traffic for the machine learning module to learn from on its own;
the machine learning module continuously enriches its samples of malware feature vectors by means of the noise simulation malware model, performs malware detection on real network traffic, and feeds the detection results back to an administrator, who can periodically adjust the parameters of the noise simulation malware model according to the detection results and start the model's updating mechanism;
the variant malware characteristics are obtained by expanding known malware feature vectors and modifying fields of several items of malicious data;
the substitute detector also feeds the judgment result back to the administrator, so that the administrator can adjust the parameters of the noise simulation malware model in real time;
the updating mechanism of the noise simulation malware model means that the noise simulation malware model is used as the generator again and the generator's output traffic is sent to the substitute detector.
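The training loop the claim describes (a generator built from known malware feature vectors, a substitute detector that learns the black-box model's labels, feedback to the generator, and a stop once the rate of true judgments exceeds the threshold), as an added toy example that is not the patent's code. Assumptions, all constructed here: binary 8-field feature vectors, a fixed rule standing in for the black-box model, a mutation-rate knob standing in for gradient feedback, and logistic regression as the substitute detector.

```python
import math, random

random.seed(2019)  # fixed seed so this toy run is reproducible
# Constructed 8-field feature vectors (1 = field present); fields 0-3 are indicators.
KNOWN_MALWARE = [[1,1,0,0,0,1,0,0], [0,1,1,0,1,0,0,0], [1,0,0,1,0,0,1,0], [0,0,1,1,0,0,0,1]]
NORMAL = [[1,0,0,0,1,0,1,0], [0,0,0,1,0,1,0,1], [0,0,0,0,0,0,1,1], [0,1,0,0,1,0,0,0]]

def black_box(x):  # stand-in for the fixed black-box model: malware if >= 2 indicators
    return int(sum(x[:4]) >= 2)
def compound(a, b):  # malware compound: one vector carrying both samples' characteristics
    return [max(u, v) for u, v in zip(a, b)]
def mutate(x, rate):  # variant: keep known characteristics, randomly switch on extra fields
    return [1 if bit or random.random() < rate else 0 for bit in x]

class NoiseSimulationModel:  # the generator; its only tunable parameter here is the rate
    def __init__(self, known, rate=0.3):
        self.known, self.rate = known, rate
    def sample(self):
        return mutate(compound(random.choice(self.known), random.choice(self.known)), self.rate)
    def adjust(self, accepted):  # stand-in for gradient feedback from the substitute detector
        self.rate = min(0.9, self.rate * 1.1) if accepted else max(0.02, self.rate * 0.7)

class SubstituteDetector:  # logistic regression fitted to black-box-labelled vectors
    def __init__(self, n):
        self.w, self.b = [0.0] * n, 0.0
    def judge(self, x):  # probability that x matches black-box malware; > 0.5 is 'true'
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1 / (1 + math.exp(-max(-30.0, min(30.0, z))))
    def fit(self, data, epochs=200, lr=0.5):  # batch gradient descent on log loss
        for _ in range(epochs):
            gw, gb = [0.0] * len(self.w), 0.0
            for x, y in data:
                err = self.judge(x) - y
                gw, gb = [g + err * xi for g, xi in zip(gw, x)], gb + err
            self.w = [wi - lr * g / len(data) for wi, g in zip(self.w, gw)]
            self.b -= lr * gb / len(data)

def train(known, normal, threshold=0.9, rounds=10, batch=40):
    """The claim's loop: judge generator output, feed back, enrich samples, stop at threshold."""
    gen, det = NoiseSimulationModel(known), SubstituteDetector(len(known[0]))
    data, rate = [(x, black_box(x)) for x in normal + known], 0.0
    for _ in range(rounds):
        det.fit(data)                                  # detector learns black-box labels
        outputs = [gen.sample() for _ in range(batch)]
        verdicts = [det.judge(x) > 0.5 for x in outputs]
        rate = sum(verdicts) / batch                   # share of 'true' judgments
        if rate > threshold:                           # model counts as fully trained
            break
        data += [(x, black_box(x)) for x in outputs]   # enrich the detector's sample set
        for v in verdicts: gen.adjust(v)               # feedback tunes the generator
    return {"true_rate": rate, "trained": rate > threshold, "samples": len(data)}
```

The returned dictionary reports the final true-judgment rate, whether it cleared the threshold, and how many labelled samples the detector accumulated along the way.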
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910874102.9A CN110619216B (en) | 2019-09-17 | 2019-09-17 | Malicious software detection method and system for adversarial network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910874102.9A CN110619216B (en) | 2019-09-17 | 2019-09-17 | Malicious software detection method and system for adversarial network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110619216A CN110619216A (en) | 2019-12-27 |
CN110619216B true CN110619216B (en) | 2021-09-03 |
Family ID: 68923042
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910874102.9A Active CN110619216B (en) | 2019-09-17 | 2019-09-17 | Malicious software detection method and system for adversarial network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110619216B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111259393B (en) * | 2020-01-14 | 2023-05-23 | 河南信息安全研究院有限公司 | Malicious software detector concept drift resistance method based on generation countermeasure network |
CN111475810B (en) * | 2020-04-13 | 2021-04-06 | 广州锦行网络科技有限公司 | Malicious software detector training method and system, and detection method and system |
CN114143024B (en) * | 2021-10-26 | 2022-07-26 | 广州大学 | Black box malicious software detection countermeasure sample generation method and system based on generation countermeasure network, electronic device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103294954A (en) * | 2013-06-07 | 2013-09-11 | 四川大学 | Compound document malicious code detecting technique and system based on spectral analysis |
CN109902709A (en) * | 2019-01-07 | 2019-06-18 | 浙江大学 | A kind of industrial control system malice sample generating method based on confrontation study |
CN110097185A (en) * | 2019-03-29 | 2019-08-06 | 北京大学 | A kind of Optimized model method and application based on generation confrontation network |
CN110210226A (en) * | 2019-06-06 | 2019-09-06 | 深信服科技股份有限公司 | A kind of malicious file detection method, system, equipment and computer storage medium |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IL226747B (en) * | 2013-06-04 | 2019-01-31 | Verint Systems Ltd | System and method for malware detection learning |
US10291633B1 (en) * | 2016-10-18 | 2019-05-14 | The United States Of America As Represented By The Secretary Of The Army | Bandwidth conserving signature deployment with signature set and network security |
US10733385B2 (en) * | 2017-12-12 | 2020-08-04 | Institute For Information Industry | Behavior inference model building apparatus and behavior inference model building method thereof |
US10841333B2 (en) * | 2018-01-08 | 2020-11-17 | Sophos Limited | Malware detection using machine learning |
CN109190379B (en) * | 2018-08-03 | 2020-05-19 | 清华大学 | Vulnerability detection method and device of deep learning system |
CN109446808A (en) * | 2018-10-30 | 2019-03-08 | 中国人民解放军国防科技大学 | Android countermeasure sample generation method and system based on DCGAN |
CN109784056B (en) * | 2019-01-02 | 2021-04-20 | 大连理工大学 | Malicious software detection method based on deep learning |
- 2019-09-17: CN201910874102.9A (CN110619216B), CN, status Active
Non-Patent Citations (1)
Title |
---|
Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN; Weiwei Hu et al.; https://arxiv.org/abs/1702.05983; 2017-02-20; pp. 1-7 * |
Also Published As
Publication number | Publication date |
---|---|
CN110619216A (en) | 2019-12-27 |
Similar Documents
Publication | Title |
---|---|
CN110505241B (en) | Network attack plane detection method and system |
Ilyas et al. | Black-box adversarial attacks with limited queries and information |
US10397258B2 (en) | Continuous learning for intrusion detection |
CN110619216B (en) | Malicious software detection method and system for adversarial network |
EP3651043A1 (en) | URL attack detection method and apparatus, and electronic device |
CN110493262B (en) | Classification-improved network attack detection method and system |
CN110545284A (en) | Domain name detection method and system for antagonistic network |
CN111368289B (en) | Malicious software detection method and device |
CN112492059A (en) | DGA domain name detection model training method, DGA domain name detection device and storage medium |
CN111245784A (en) | Method for multi-dimensional detection of malicious domain name |
CN109462578B (en) | Threat information utilization and propagation method based on statistical learning |
CN110598794A (en) | Classified countermeasure network attack detection method and system |
CN112084505A (en) | Deep learning model malicious sample detection method, system, device and storage medium |
CN110581856A (en) | Malicious code detection method and system |
CN110535874A (en) | A kind of network attack detecting method and system of antagonism network |
Elmasry et al. | Comparative evaluation of different classification techniques for masquerade attack detection |
CN110581857B (en) | Virtual execution malicious software detection method and system |
Boffa et al. | Towards NLP-based processing of honeypot logs |
KR20190028880A (en) | Method and apparatus for generating machine learning data for botnet detection system |
CN116915442A (en) | Vulnerability testing method, device, equipment and medium |
CN106844219A (en) | Using detection method and apply detection means |
Nalavade et al. | Evaluation of k-means clustering for effective intrusion detection and prevention in massive network traffic data |
CN112532562B (en) | Malicious data flow detection method and system for adversarial network |
CN114285587B (en) | Domain name identification method and device and domain name classification model acquisition method and device |
CN112016088A (en) | Method and device for generating file detection model and method and device for detecting file |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |