CN111143833B - Illegal application program category identification method and device - Google Patents

Illegal application program category identification method and device

Publication number: CN111143833B (granted; earlier publication CN111143833A)
Application number: CN201911340852.4A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Inventors: 刘威歆, 宁振虎, 薛见新, 张润滋, 陈磊
Assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 ... during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 ... by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F18/00 Pattern recognition; G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G06F18/23 Clustering techniques
    • G06F18/24 Classification techniques

Abstract

The invention provides a method and device for identifying the category of an illegal application program. The method comprises: acquiring an application program sample set; running each application program in the sample set in a virtual environment on a simulation platform and acquiring the sequence features generated during the run; acquiring, from each application program's installation package, the name features that characterise how the package was generated; determining a first similarity from the sequence features of each application program and a second similarity from its name features; determining a final similarity from the first and second similarities; and, from the final similarity, determining whether the application program to be identified is an illegal application program and, if it is, which category of illegal application program it belongs to.

Description

Illegal application program category identification method and device
Technical Field
The present invention relates to the field of application program category identification, and in particular to a method and apparatus for identifying the category of an illegal application program.
Background
In recent years the number of illegal applications has grown, and as their growth and propagation rates increase it has become increasingly difficult to analyse and classify them. An illegal application is one that is installed and run on a user's computer or other terminal without explicitly prompting the user or obtaining the user's authorisation, and that damages the user's legitimate rights and interests. Illegal applications are produced as variants of an original program in order to evade signature-based detection; they have become more complex, the category to which one belongs is hard to obtain by simple automated analysis, and they readily bypass signature-based antivirus programs to escape monitoring and classification.
Existing classification methods for illegal applications monitor a few simple features, such as the permissions requested and the call graph, to decide which kind of illegal application a program is. With only a few features it is difficult to discover the associations between them and to classify on the basis of those associations, so such methods are not suited to modern application clusters. Permission information in particular is not distinctive: many legitimate applications request a large number of permissions, so merely observing which permissions are requested is not enough to indicate the category of an illegal application. A mechanism is therefore needed that monitors several aspects of an illegal application and analyses its behavioural characteristics in order to determine its category more reliably.
Disclosure of Invention
The invention provides a method and device for identifying the category of an illegal application program, which address the difficulty of finding associations between features when only one or a few simple features, such as permissions and the call graph, are used. Benign applications also request a large number of permissions, so a detection system that relies on only one or a few features produces biased results.
In a first aspect of the present invention, a method for identifying the category of an illegal application program is provided, the method comprising:
acquiring an application program sample set comprising at least one illegal application program whose category is already identified and at least one application program to be identified;
running each application program in the sample set in a virtual environment on a simulation platform and acquiring the sequence features generated during the run, where the sequence features comprise an API (application programming interface) call sequence representing the order in which the application program invokes API interfaces at run time, and acquiring from each application program's installation package the name features that characterise how the package was generated;
determining, from the sequence features, a first similarity between any application program to be identified and each illegal application program and each other application program to be identified, and determining, from the name features, a second similarity between the same pairs;
determining a final similarity for each such pair from the first similarity and the second similarity; and
determining from the final similarity whether the application program to be identified is an illegal application program and, if so, the category of illegal application program to which it belongs.
Optionally, determining from the final similarity whether the application program to be identified is illegal, and its category when it is, comprises:
when the sample with the highest final similarity to the application program to be identified is a known illegal application program and that highest final similarity exceeds a set high threshold, determining that the application program to be identified is illegal; and
determining the category of that most similar illegal application program to be the category of the application program to be identified.
Optionally, determining from the final similarity whether the application program to be identified is illegal comprises:
determining that the application program to be identified is legitimate when its highest final similarity to any other sample is below a set low threshold.
Optionally, determining from the final similarity whether the application program to be identified is illegal comprises:
when the sample with the highest final similarity to the application program to be identified is another application program to be identified and that highest final similarity exceeds a set clustering threshold, placing the two application programs in the same type set.
Optionally, the method further comprises:
once an application program to be identified has been determined to be illegal and assigned a category, determining that every other application program to be identified in its type set is also illegal and belongs to the same category.
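The decision rules above, put together as an added example; this is not the patent's or NSFOCUS's code. The thresholds, sample ids and the final-similarity matrix are constructed assumptions (the patent gives no numeric thresholds), and the category names are the ones the patent lists. The example settles one point the text leaves open: when unknown apps are clustered, a category is propagated only into members that are still undetermined, never over a "legal" verdict.

```python
"""Nearest-neighbour verdict and type-set propagation (added example, not the patent's code)."""
from typing import Dict, List, Optional, Tuple

# Illustrative thresholds on the final similarity in [0, 1] (assumption: the
# patent gives no numeric values).
HIGH_THRESHOLD = 0.80     # nearest known illegal app above this -> illegal, inherit its category
LOW_THRESHOLD = 0.30      # nearest sample of any kind below this -> legitimate
CLUSTER_THRESHOLD = 0.75  # nearest unknown app above this -> same type set

# Known illegal apps with their categories (category names from the patent; ids constructed).
KNOWN_CATEGORY: Dict[str, str] = {"mal_a": "Fakebank", "mal_b": "SmSpy", "mal_c": "Gepew"}
UNKNOWN: List[str] = ["u1", "u2", "u3", "u4"]

# Constructed final similarities (symmetric; one direction stored).
_SIM: Dict[Tuple[str, str], float] = {
    ("u1", "mal_a"): 0.91, ("u1", "mal_b"): 0.40, ("u1", "mal_c"): 0.35,
    ("u2", "mal_a"): 0.55, ("u2", "mal_b"): 0.60, ("u2", "mal_c"): 0.30,
    ("u3", "mal_a"): 0.10, ("u3", "mal_b"): 0.20, ("u3", "mal_c"): 0.15,
    ("u4", "mal_a"): 0.50, ("u4", "mal_b"): 0.45, ("u4", "mal_c"): 0.20,
    ("u1", "u2"): 0.82, ("u1", "u3"): 0.12, ("u1", "u4"): 0.40,
    ("u2", "u3"): 0.18, ("u2", "u4"): 0.48, ("u3", "u4"): 0.22,
}


def final_similarity(a: str, b: str) -> float:
    return _SIM.get((a, b), _SIM.get((b, a), 0.0))


class TypeSets:
    """Union-find over the unknown apps: the patent's 'same type set'."""

    def __init__(self, items: List[str]) -> None:
        self.parent = {i: i for i in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


Verdict = Tuple[str, Optional[str]]  # ("illegal" | "legal" | "undetermined", category)


def classify(unknown: List[str] = UNKNOWN,
             known: Dict[str, str] = KNOWN_CATEGORY) -> Dict[str, Verdict]:
    verdict: Dict[str, Verdict] = {}
    sets = TypeSets(unknown)
    for u in unknown:
        candidates = list(known) + [v for v in unknown if v != u]
        best = max(candidates, key=lambda c: final_similarity(u, c))
        score = final_similarity(u, best)
        if best in known and score > HIGH_THRESHOLD:
            verdict[u] = ("illegal", known[best])        # nearest sample is labelled
        elif score < LOW_THRESHOLD:
            verdict[u] = ("legal", None)                 # nothing resembles it
        else:
            verdict[u] = ("undetermined", None)
            if best not in known and score > CLUSTER_THRESHOLD:
                sets.union(u, best)                      # same type set as another unknown
    # Propagate a category across each type set. Assumption: only 'undetermined'
    # members are overwritten, so a 'legal' verdict is never silently reversed.
    set_category: Dict[str, str] = {}
    for u in unknown:
        if verdict[u][0] == "illegal":
            set_category.setdefault(sets.find(u), verdict[u][1])
    for u in unknown:
        root = sets.find(u)
        if verdict[u][0] == "undetermined" and root in set_category:
            verdict[u] = ("illegal", set_category[root])
    return verdict


if __name__ == "__main__":
    for app, (status, category) in classify().items():
        print(f"{app}: {status}" + (f" ({category})" if category else ""))
```

With these numbers u1 is labelled directly from mal_a, u2 is never close enough to a labelled sample but is clustered with u1 and inherits Fakebank, u3 resembles nothing and is treated as legitimate, and u4 sits between the thresholds and stays undetermined; that last bucket is what a real deployment has to route to an analyst rather than silently drop.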
Optionally, acquiring from each application program's installation package the name features that characterise how the package was generated comprises:
acquiring permission information, i.e. the names of the permissions the installation package requests, determined when it is run in the virtual environment on the simulation platform;
acquiring signature information determined from the developer's name or development account as it appears in the installation package of each application program in the sample set; and
acquiring activity name information determined from the activity names that the application program's components generate when the installation package is run in the virtual environment on the simulation platform.
Optionally, determining the first similarity between any application program to be identified and each illegal application program and each other application program to be identified comprises:
converting the API call sequences in the sequence features of all application programs into digests of the same length using the Nilsimsa locality-sensitive hash; and
obtaining the corresponding first similarity by comparing the digest of the application program to be identified with the digest of each illegal application program and each other application program to be identified.
Optionally, determining the second similarity between any application program to be identified and each illegal application program and each other application program to be identified comprises:
computing the Jaccard set similarity between the name features of the application program to be identified and those of each illegal application program and each other application program to be identified.
Optionally, determining the final similarity between any application program to be identified and each illegal application program and each other application program to be identified from the first similarity and the second similarity comprises:
multiplying the first similarity and the second similarity by their respective weights and summing the products to obtain the final similarity for each pair.
Optionally, the method further comprises:
determining the first similarity between the known illegal application programs from their sequence features and the second similarity between them from their name features;
feeding the first and second similarities of each pair of known illegal application programs into a weight optimizer, which adjusts the weights of the first and second similarities so that the verdict "same category or not" produced from their weighted sum agrees with whether the two programs actually share a category in the sample set; and
taking the weights produced when the optimizer finishes as the weights for the first similarity and the second similarity.
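An added example, not the patent's or NSFOCUS's code, of the two similarity measures and the weight fitting described in the optional steps above. The real Nilsimsa algorithm hashes a 5-byte window through a fixed transposition table; the digest here keeps only its principle of counting trigrams into 256 accumulators and setting the bits above the mean, and is a simplified stand-in (assumption). The weight optimizer is likewise a grid search over the weight and the same-category threshold (assumption). The API traces, name features and sample ids are constructed; the category names are taken from the patent. One caveat the text does not state: bit-vector digests of short traces agree on most bits by chance, so the first similarity of unrelated samples is still high in absolute terms; the fitted weights compensate, but real traces should be far longer than these.

```python
"""First similarity (API-call sequence digests), second similarity (Jaccard over
name features), weighted fusion and weight fitting. Added example, not the patent's code."""
import hashlib
from itertools import combinations
from typing import Dict, List, Set, Tuple

NBITS = 256


def api_sequence_digest(calls: List[str]) -> int:
    """Nilsimsa-style digest: every trigram of consecutive calls is hashed into one of
    256 accumulators and bit i is set when accumulator i exceeds the mean count.
    Real Nilsimsa uses a 5-byte window and a fixed transposition table; this keeps
    only the bucket-and-threshold idea (simplification, assumption)."""
    counts = [0] * NBITS
    for i in range(len(calls) - 2):
        trigram = "\x1f".join(calls[i:i + 3]).encode()
        bucket = int.from_bytes(hashlib.blake2b(trigram, digest_size=2).digest(), "big")
        counts[bucket % NBITS] += 1
    mean = sum(counts) / NBITS
    return sum(1 << i for i, c in enumerate(counts) if c > mean)


def first_similarity(a: List[str], b: List[str]) -> float:
    """Fraction of digest bits on which two sequences agree (1.0 when identical)."""
    differing = bin(api_sequence_digest(a) ^ api_sequence_digest(b)).count("1")
    return 1.0 - differing / NBITS


def second_similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity of two name-feature sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def final_similarity(s1: float, s2: float, w1: float, w2: float) -> float:
    return w1 * s1 + w2 * s2


def merge_name_features(perms, sig_tokens, activities) -> Set[str]:
    """One set for the Jaccard step; prefixes keep the three feature kinds apart."""
    return ({"perm:" + p for p in perms} | {"sig:" + s for s in sig_tokens}
            | {"act:" + a for a in activities})


# Constructed known illegal samples: category (names from the patent), API trace, name features.
SAMPLES: Dict[str, Tuple[str, List[str], Set[str]]] = {
    "fakebank_1": ("Fakebank",
        ["Activity.onCreate", "WebView.loadUrl", "TelephonyManager.getDeviceId",
         "TelephonyManager.getLine1Number", "HttpURLConnection.connect", "OutputStream.write",
         "InputStream.read", "SmsManager.sendTextMessage", "SharedPreferences.edit", "Activity.finish"],
        merge_name_features({"INTERNET", "READ_SMS", "SEND_SMS", "READ_PHONE_STATE"},
                            {"bnk", "res_v2"}, {"com.bnk.MainActivity", "com.bnk.LoginActivity"})),
    "fakebank_2": ("Fakebank",  # variant: one call, one permission and one resource token changed
        ["Activity.onCreate", "WebView.loadUrl", "TelephonyManager.getDeviceId",
         "TelephonyManager.getLine1Number", "HttpURLConnection.connect", "DataOutputStream.writeBytes",
         "InputStream.read", "SmsManager.sendTextMessage", "SharedPreferences.edit", "Activity.finish"],
        merge_name_features({"INTERNET", "READ_SMS", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_SMS"},
                            {"bnk", "res_v3"}, {"com.bnk.MainActivity", "com.bnk.LoginActivity"})),
    "smspy_1": ("SmSpy",
        ["BroadcastReceiver.onReceive", "SmsMessage.createFromPdu", "SmsMessage.getMessageBody",
         "ContentResolver.query", "Cursor.getString", "JSONObject.put",
         "HttpURLConnection.getOutputStream", "OutputStream.write",
         "BroadcastReceiver.abortBroadcast", "Service.startForeground"],
        merge_name_features({"READ_SMS", "RECEIVE_SMS", "INTERNET", "READ_CONTACTS"},
                            {"spy", "utils"}, {"com.spy.MainActivity", "com.spy.UploadService"})),
    "smspy_2": ("SmSpy",
        ["BroadcastReceiver.onReceive", "SmsMessage.createFromPdu", "SmsMessage.getMessageBody",
         "ContentResolver.query", "Cursor.getString", "StringBuilder.append",
         "HttpURLConnection.getOutputStream", "OutputStream.write",
         "BroadcastReceiver.abortBroadcast", "Service.startForeground"],
        merge_name_features({"READ_SMS", "RECEIVE_SMS", "INTERNET"}, {"spy", "utils"}, {"com.spy.MainActivity"})),
    "gepew_1": ("Gepew",
        ["Activity.onCreate", "PackageManager.getInstalledPackages", "File.createNewFile",
         "FileOutputStream.write", "Runtime.exec", "Intent.setDataAndType", "Context.startActivity",
         "AlarmManager.setRepeating", "WifiManager.getConnectionInfo", "Activity.finish"],
        merge_name_features({"INTERNET", "WRITE_EXTERNAL_STORAGE", "REQUEST_INSTALL_PACKAGES"},
                            {"gp", "drop"}, {"com.gp.InstallerActivity"})),
}


def fit_weights(samples=SAMPLES, steps: int = 20) -> Tuple[float, float, float, float]:
    """Return (w1, w2, t, accuracy). Grid search (assumption: stands in for the patent's
    unspecified optimizer) over w1 (w2 = 1 - w1) and a same-category threshold t,
    maximising how often 'final_similarity > t' matches 'same category' over every
    pair of known illegal apps; ties go to the widest margin between scores and t."""
    pairs = []
    for a, b in combinations(samples, 2):
        (cat_a, seq_a, feat_a), (cat_b, seq_b, feat_b) = samples[a], samples[b]
        pairs.append((first_similarity(seq_a, seq_b), second_similarity(feat_a, feat_b), cat_a == cat_b))
    grid = [i / steps for i in range(steps + 1)]
    best = (-1.0, -1.0, 0.0, 0.0)  # (accuracy, margin, w1, t)
    for w1 in grid:
        for t in grid:
            scored = [(final_similarity(s1, s2, w1, 1 - w1), same) for s1, s2, same in pairs]
            accuracy = sum((f > t) == same for f, same in scored) / len(scored)
            margin = min(abs(f - t) for f, _ in scored)
            if (accuracy, margin) > best[:2]:
                best = (accuracy, margin, w1, t)
    accuracy, _, w1, t = best
    return w1, 1.0 - w1, t, accuracy
```

Calling `fit_weights()` returns the weight pair and the same-category threshold that reproduce the ground-truth pairing of the five constructed samples; the same threshold then doubles as a starting point for the high threshold used on unknown samples. The margin tie-break matters in practice: several grid points reach the same pairwise agreement, and the one farthest from every training score is the least likely to flip on a fresh variant.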
A second aspect of the present invention provides an illegal application program category identification device comprising the following modules:
a sample acquisition module for acquiring an application program sample set comprising at least one illegal application program whose category is already identified and at least one application program to be identified;
a feature acquisition module for running each application program in the sample set in a virtual environment on a simulation platform, acquiring the sequence features generated during the run, where the sequence features comprise an API (application programming interface) call sequence representing the order in which the application program invokes API interfaces at run time, and acquiring from each application program's installation package the name features that characterise how the package was generated;
a similarity determining module for determining, from the sequence features, a first similarity between any application program to be identified and each illegal application program and each other application program to be identified, and, from the name features, a second similarity between the same pairs;
a final similarity determining module for determining the final similarity of each such pair from the first similarity and the second similarity; and
an application program category determining module for determining from the final similarity whether the application program to be identified is an illegal application program and, if so, the category of illegal application program to which it belongs.
The application program category determining module, in determining from the final similarity whether the application program to be identified is illegal and its category, is configured to:
determine that the application program to be identified is illegal when the sample with the highest final similarity to it is a known illegal application program and that highest final similarity exceeds a set high threshold; and
determine the category of that most similar illegal application program to be the category of the application program to be identified.
The application program category determining module is further configured to determine that the application program to be identified is legitimate when its highest final similarity to any other sample is below a set low threshold.
The application program category determining module is further configured, when the sample with the highest final similarity to the application program to be identified is another application program to be identified and that highest final similarity exceeds a set clustering threshold, to place the two application programs in the same type set.
The application program category determining module is further configured, once an application program to be identified has been determined to be illegal and assigned a category, to determine that every other application program to be identified in its type set is also illegal and belongs to the same category.
The feature acquisition module, in acquiring the name features from each application program's installation package, is configured to:
acquire permission information, i.e. the names of the permissions the installation package requests, determined when it is run in the virtual environment on the simulation platform;
acquire signature information determined from the developer's name or development account as it appears in the installation package of each application program in the sample set; and
acquire activity name information determined from the activity names that the application program's components generate when the installation package is run in the virtual environment on the simulation platform.
The similarity determining module, in determining the first similarity between any application program to be identified and each illegal application program and each other application program to be identified, is configured to:
convert the API call sequences in the sequence features of all application programs into digests of the same length using the Nilsimsa locality-sensitive hash; and
obtain the corresponding first similarity by comparing the digest of the application program to be identified with the digest of each illegal application program and each other application program to be identified.
The similarity determining module determines the second similarity between any application program to be identified and each illegal application program and each other application program to be identified by computing the Jaccard set similarity between their name features.
The final similarity determining module multiplies the first similarity and the second similarity by their respective weights and sums the products to obtain the final similarity between any application program to be identified and each illegal application program and each other application program to be identified.
A similarity weight determining module is further configured to:
determine the first similarity between the known illegal application programs from their sequence features and the second similarity between them from their name features;
feed the first and second similarities of each pair of known illegal application programs into a weight optimizer, which adjusts the weights of the first and second similarities so that the verdict "same category or not" produced from their weighted sum agrees with whether the two programs actually share a category in the sample set; and
take the weights produced when the optimizer finishes as the weights for the first similarity and the second similarity.
A third aspect of the present invention provides an illegal application program category identification apparatus comprising a processor and a memory, the memory storing a computer program and the processor being configured to execute that program, which performs the illegal application program category identification method of the first aspect.
A fourth aspect of the present invention provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the illegal application program category identification method of the first aspect.
With the illegal application program category identification method and device provided by the invention, a mechanism can be established that monitors several aspects of an illegal application program and analyses its behavioural characteristics, so that the category of the illegal application program can be determined more reliably.
Drawings
FIG. 1 is a system diagram illustrating an illegal application class identification method;
FIG. 2 is a flowchart illustrating an illegal application class identification method;
FIG. 3 is a diagram illustrating an illegal application identification and classification process;
FIG. 4 is a complete diagram of the illegal application class identification method;
FIG. 5 is a block diagram of an illegal application class identification device;
FIG. 6 is a schematic structural diagram of an illegal application class identification device.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
The embodiments of the present invention will be described in further detail with reference to the drawings attached hereto. It is to be understood that the embodiments described herein are merely illustrative and explanatory of the invention and are not restrictive thereof.
FIG. 1 is a system diagram of the illegal application program category identification method. An SDK platform 101 contains a virtual running device 102 and an application program feature analysis device 103. SDK stands for Software Development Kit: the SDK platform runs a software development kit, i.e. the set of development tools used to build application software for a particular software package, software framework, hardware platform or operating system. The virtual running device 102 holds the application program sample set, which comprises at least one illegal application program whose category is already identified and at least one application program to be identified; the category-labelled illegal application programs are obtained from BitDefender (BD). BitDefender's main function is to determine the type of an application program by monitoring its activities and those of similar viruses, and it provides advanced heuristics for removing illegal code. Each application program in the sample set is run in the virtual environment on the simulation platform to obtain the sequence features and name features of each application in the set.
The virtual running device 102 sends the sequence features and name features of each application in the sample set to the application program feature analysis device 103, which determines the similarity between every pair of samples in the set from their sequence features; from the similarity between samples, the feature analysis device 103 determines whether an application program is illegal and, if so, the category of illegal application program to which it belongs.
Example 1
Embodiment 1 of the invention provides an illegal application program category identification method which, as shown in FIG. 2, comprises the following steps:
Step S201: acquire an application program sample set comprising at least one illegal application program whose category is already identified and at least one application program to be identified.
The SDK platform acquires the sample set. The application program samples are obtained and uploaded to the SDK platform as installation packages, in this embodiment APK files. APK (Android application package) is a file format comparable to Symbian SIS or SISX; an APK can be installed by transferring it directly to an Android emulator or Android phone and executing it. The installation package may also be of another type that is executed and installed on another platform, such as exe, ipa, sisx, rpm or deb.
The illegal application programs of identified category are known categories obtained from BitDefender, and include the categories Fakebank, Gepew, Gidix, FakeInst, SmSpy, Bank, Misosms and Telman, among others.
Step S202: run each application program in the sample set in a virtual environment on the simulation platform, acquire the sequence features generated during the run, the sequence features comprising an API (application programming interface) call sequence representing the order in which the application program invokes API interfaces at run time, and acquire from each application program's installation package the name features that characterise how the package was generated.
The application programs to be identified and the illegal application programs are run in the virtual running device 102 through the dispatcher of the SDK platform, and the sequence features and name features of each application program are obtained from these runs.
Specifically, the sequence feature is the API call sequence, i.e. the ordered list of API interfaces the application program invokes at run time. This sequence is not available from static analysis of the application program's code or package: static analysis can show which APIs an application may call, but not the order in which they are actually invoked, so the sequence is obtained by executing the program in the virtual running device. (A run-time trace covers only the paths actually exercised, so an application that detects the emulator and withholds its behaviour yields a trace that does not reflect its real function.) For an illegal application program the API call sequence is the time-ordered record of the API interfaces it uses to attack the virtual running device. Because an application program's behaviour is closely tied to its API call sequence, the program's function can be inferred from it: the sequence names each interface the program calls in the virtual running device, listed in the order in which the calls were made. If the similarity of API call sequences is measured, application program samples with similar functions can therefore be classified with higher precision.
The name feature mainly comprises three parts:
1) Permission information: the permissions each application obtains on the virtual running device while running there. When an illegal application needs to obtain information and files from the virtual running device, it does so by acquiring device permissions; therefore the more permissions an application obtains, the more dangerous it is, and the obtained permissions can be used to group similar applications by attack purpose.
2) Signature information: present in the names of the image files, XML files, source code files and any other files in the installation package. Since different developers follow different file-naming rules, a developer's signature information is usually contained in the file names. When the developer creates other applications, the same signature information may remain in those application packages, so the signature information in file names can be used to compare the similarity between applications.
3) Activity name information: a running application operates on its main activity, and the name of the activity (like a file name) is also determined by the developer. Since the activity name also includes the package name of the application, the developer's signature information is reflected more strongly in the activity name than in file names. Further, because activity names are referenced from outside the code, when an illegal application automatically transforms its code the corresponding activity name cannot be changed. Thus the activity name can also serve as a means of comparing the similarity between applications.
Step S203, determining a first similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively according to the sequence characteristics of each application program, and determining a second similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively according to the name characteristics of each application program;
The first similarity is determined from the similarity of sequence features between any application to be identified and each illegal application and each other application to be identified. The lengths of the API call sequences being compared should be kept consistent and should not differ significantly because of slight differences in content, so the embodiment of the present invention employs Locality Sensitive Hashing (LSH). The basic idea of locality sensitive hashing is similar to a spatial domain transformation: the LSH algorithm rests on the assumption that if two texts are similar in the original data space, they remain highly similar after each has been transformed by the hash function; conversely, if they are dissimilar, they should still be dissimilar after transformation. Therefore, the similarity of the API call sequences is calculated with the Nilsimsa hash algorithm of the LSH family: the API sequence of each application sample is converted into a digest of the same length, 256 bits in this embodiment; the digests are normalized to values between -1 and 1; and after normalization the normalized digests are compared to obtain the first similarity between the applications.
The second similarity is calculated from the permission information, signature information and activity name information in the name features. Specifically, the permission information, signature information and activity name information are placed in a name string corresponding to each application, and the Jaccard set similarity is used: the intersection and union of the names contained in the two strings are computed, and the size of the intersection divided by the size of the union gives the second similarity. The resulting value lies between 0 and 1; a similarity of 0 indicates that the two given sets have no common elements, and a similarity of 1 indicates that the two sets are identical.
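As an added worked example (not the patent's own code), the first and second similarities above computed in Python over constructed samples. The digest routine follows the Nilsimsa structure (byte trigrams counted into 256 buckets, thresholded to a 256-bit digest, compared by matching bits and scaled to -1..1), but its transition table is a seeded permutation constructed here rather than the reference table and the trigram schedule is an approximation; the name string is treated as a set of whole names for the Jaccard step, and the weights in demo() are assumed values.

```python
import random

# Constructed transition table: a fixed, seeded permutation of 0..255.
# Assumption: the reference Nilsimsa implementation ships a specific table;
# this one only reproduces the structure of the algorithm.
_TRAN = list(range(256))
random.Random(53).shuffle(_TRAN)


def _tran3(a: int, b: int, c: int, n: int) -> int:
    """Map one byte trigram (a, b, c) with salt n to a bucket in 0..255."""
    return ((_TRAN[(a + n) & 255] ^ (_TRAN[b] * (n + n + 1)))
            + _TRAN[c ^ _TRAN[n]]) & 255


def nilsimsa_digest(data: bytes) -> int:
    """Locality-sensitive 256-bit digest of a byte string, returned as an int.

    Each byte is combined with the previous four bytes into up to eight
    trigrams; each trigram increments one of 256 counters, and bit i of the
    digest is set when counter i exceeds the mean count.  Near-identical
    inputs therefore give digests that agree in most bit positions.
    """
    acc = [0] * 256
    w0 = w1 = w2 = w3 = -1          # the four previous bytes; -1 = not seen yet
    total = 0
    for ch in data:
        buckets = []
        if w1 >= 0:
            buckets.append(_tran3(ch, w0, w1, 0))
        if w2 >= 0:
            buckets += [_tran3(ch, w0, w2, 1), _tran3(ch, w1, w2, 2)]
        if w3 >= 0:
            buckets += [_tran3(ch, w0, w3, 3), _tran3(ch, w1, w3, 4),
                        _tran3(ch, w2, w3, 5), _tran3(w3, w0, ch, 6),
                        _tran3(w3, w2, ch, 7)]
        for b in buckets:
            acc[b] += 1
        total += len(buckets)
        w0, w1, w2, w3 = ch, w0, w1, w2
    threshold = total // 256        # mean count over the 256 buckets
    digest = 0
    for i, count in enumerate(acc):
        if count > threshold:
            digest |= 1 << i
    return digest


def digest_similarity(d1: int, d2: int) -> float:
    """Matching bits of two 256-bit digests, shifted and scaled to [-1, 1]:
    identical digests give 1.0, unrelated ones hover around 0.0."""
    matching = 256 - bin(d1 ^ d2).count("1")
    return (matching - 128) / 128


def first_similarity(seq_a: list, seq_b: list) -> float:
    """First similarity: API call sequences (interface names in call order)
    are joined into text, digested and compared."""
    da = nilsimsa_digest(";".join(seq_a).encode())
    db = nilsimsa_digest(";".join(seq_b).encode())
    return digest_similarity(da, db)


def name_feature_set(permissions, signature_tokens, activity_names) -> set:
    """Name string of one application as the set of its whole names
    (assumption: Jaccard over names rather than single characters)."""
    return set(permissions) | set(signature_tokens) | set(activity_names)


def second_similarity(names_a: set, names_b: set) -> float:
    """Second similarity: Jaccard index |A & B| / |A | B|, in [0, 1]."""
    if not names_a and not names_b:
        return 1.0
    return len(names_a & names_b) / len(names_a | names_b)


def final_similarity(s1: float, s2: float, w1: float, w2: float) -> float:
    """Step S204: weighted sum of the first and second similarity."""
    return w1 * s1 + w2 * s2


# Constructed samples: interface names chosen for illustration, not captured
# from real applications.  SEQ_B is SEQ_A with one extra call inserted.
SEQ_A = ["Context.getSystemService", "TelephonyManager.getDeviceId",
         "SmsManager.sendTextMessage", "HttpURLConnection.connect",
         "ContentResolver.query", "Base64.encodeToString"] * 8
SEQ_B = SEQ_A[:25] + ["PackageManager.getInstalledPackages"] + SEQ_A[25:]
SEQ_C = ["Activity.onCreate", "View.findViewById", "TextView.setText",
         "Button.setOnClickListener", "SharedPreferences.getString"] * 8

NAMES_A = name_feature_set(["READ_SMS", "SEND_SMS", "INTERNET"],
                           ["dev_x"], ["com.example.a.MainActivity"])
NAMES_B = name_feature_set(["READ_SMS", "SEND_SMS", "INTERNET", "READ_PHONE_STATE"],
                           ["dev_x"], ["com.example.b.MainActivity"])


def demo(w1: float = 0.6, w2: float = 0.4) -> dict:
    """Similarities of the constructed pairs with assumed weights w1, w2."""
    s1_ab = first_similarity(SEQ_A, SEQ_B)
    s1_ac = first_similarity(SEQ_A, SEQ_C)
    s2_ab = second_similarity(NAMES_A, NAMES_B)
    return {"first_ab": s1_ab, "first_ac": s1_ac, "second_ab": s2_ab,
            "final_ab": final_similarity(s1_ab, s2_ab, w1, w2)}


if __name__ == "__main__":
    print(demo())
```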
Step S204, determining final similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively according to the first similarity and the second similarity;
specifically, the final similarity between any application program to be identified and each illegal application program is obtained according to the weights of the corresponding first similarity and the second similarity between any application program to be identified and each illegal application program;
obtaining the final similarity between any application program to be identified and other application programs to be identified according to the weights of the corresponding first similarity and the second similarity between any application program to be identified and other application programs to be identified;
the weights of the first similarity and the second similarity are obtained based on a weight optimizer, wherein the first similarity between the illegal application programs is determined according to the sequence characteristics of the illegal application programs, and the second similarity between the illegal application programs is determined according to the name characteristics of the illegal application programs;
inputting the first similarity and the second similarity of any two illegal application programs into a weight optimizer, and adjusting the weights of the first similarity and the second similarity by using the weight optimizer, so that the result of whether the two illegal application programs output after weighted summation of the first similarity and the second similarity belong to the same category is consistent with the result of whether the two illegal application programs in an application program sample set belong to the same category;
Different weights are obtained by varying the illegal applications fed in and the number of input iterations, and the optimal weights for the first similarity and the second similarity are chosen according to the classification accuracy each set of weights achieves on the applications.
According to the weights corresponding to the first similarity and the second similarity, multiplying the first similarity and the second similarity by the corresponding weights respectively and summing to obtain the final similarity between any application program to be identified and each illegal application program; and
according to the weights corresponding to the first similarity and the second similarity, multiplying the first similarity and the second similarity by the corresponding weights respectively and summing to obtain the final similarity between any application program to be identified and other application programs to be identified;
step S205, determining whether the application to be identified is an illegal application according to the final similarity, and determining the category of the illegal application to which the application belongs when the application to be identified is determined to be an illegal application.
It is judged whether the application with the highest final similarity to any application to be identified is an illegal application; when that application is an illegal application and the highest final similarity is higher than a set high threshold, the application to be identified is determined to be an illegal application;
the category of the illegal application with the highest final similarity to the application to be identified is determined, and that category is the category of illegal application to which the application to be identified belongs;
and when the highest final similarity to the application to be identified is lower than a set low threshold, the application to be identified is determined to be a legal application.
As an optional implementation, whether the application to be identified is an illegal application is determined and, when it is, the category of illegal application to which it belongs may be determined; alternatively, when the application with the highest final similarity to the application to be identified is another application to be identified, and that highest final similarity is higher than a set clustering threshold, the application to be identified and the other application to be identified with which it has the highest final similarity are placed in the same type set.
The clustering threshold is predicted by K-fold cross validation. To obtain better precision under various threshold settings, precision is measured at different clustering thresholds (80% to 95%) and the classification experiment is repeated to determine the optimal threshold. As the threshold is raised in steps from 80% to 95%, the precision improves with each increase, but the clustering effect on the applications to be classified worsens. Because the number of illegal application samples available to the method is small, the experiment is run with K-fold cross validation to compensate for the shortage of samples; the optimal clustering threshold is obtained from the choice of K and the number of iterations in the K-fold procedure, and at the optimal clustering threshold the precision of the category assigned to each same-type set is highest.
Then, given that an application to be identified is an illegal application of a particular category, the applications to be identified that belong to the same type set as it are determined, and those applications are likewise determined to be illegal applications of that category.
Specifically, when the other application to be identified with which an application to be identified has its highest final similarity is found, and that final similarity is higher than the optimal clustering threshold obtained by K-fold cross validation, the application to be identified and that other application to be identified are placed in the same type set; and according to the category of the known illegal application associated with that type set, every application to be identified in the set is determined to belong to the category of that known illegal application.
As shown in Fig. 3, if in the application sample set the final similarity between sample A to be identified and sample B to be identified is the highest for A and exceeds the optimal clustering threshold, samples A and B are placed in the same type set; likewise, if the final similarity between sample C to be identified and sample B is the highest for C, samples C and B are placed in the same type set. In the illegal-application judgment, sample B has its highest final similarity with illegal application D, whose known category is Fakebank, so the type set is judged to be a Fakebank type set, and samples A, B and C to be identified are all illegal applications of the Fakebank category.
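The weight optimiser of step S204 and the threshold decisions of step S205 (the Fig. 3 situation), as an added example that is not the patent's own code. Assumptions: the optimiser is a grid search over w1 with w2 = 1 - w1 (the patent names no search method), a pair of known illegal samples counts as predicted "same category" when its weighted score reaches SAME_CATEGORY_SCORE, the high, low and clustering thresholds are constructed constants (the patent tunes the clustering threshold by K-fold cross validation, not shown), and all similarity values are constructed to reproduce the situation of Fig. 3.

```python
# Constructed thresholds (assumption; the patent determines these by
# experiment and K-fold cross validation).
SAME_CATEGORY_SCORE = 0.5   # weighted score at which the optimiser says "same category"
HIGH_THRESHOLD = 0.80
LOW_THRESHOLD = 0.40
CLUSTER_THRESHOLD = 0.85


def optimise_weights(pair_sims: dict, categories: dict, steps: int = 20) -> tuple:
    """Weight optimiser of step S204 as a grid search (assumption).

    pair_sims maps a pair of known illegal samples to its (first, second)
    similarity; categories maps each sample to its category.  Returns the
    (w1, w2) with w1 + w2 = 1 whose weighted score best reproduces whether
    each pair belongs to the same category.
    """
    best_w1, best_correct = 0.0, -1
    for i in range(steps + 1):
        w1, w2 = i / steps, 1.0 - i / steps
        correct = 0
        for (a, b), (s1, s2) in pair_sims.items():
            predicted_same = w1 * s1 + w2 * s2 >= SAME_CATEGORY_SCORE
            if predicted_same == (categories[a] == categories[b]):
                correct += 1
        if correct > best_correct:
            best_w1, best_correct = w1, correct
    return best_w1, 1.0 - best_w1


def classify(final_sims: dict, known: dict, high=HIGH_THRESHOLD,
             low=LOW_THRESHOLD, cluster=CLUSTER_THRESHOLD) -> dict:
    """Step S205 for every sample that is not in `known`.

    final_sims maps frozenset({a, b}) -> final similarity; known maps each
    already-recognised illegal sample to its category.  Returns
    {sample: category or "legal"}; samples no rule decides are left out.
    """
    samples = {s for pair in final_sims for s in pair}
    unknown = sorted(samples - set(known))
    parent = {s: s for s in unknown}          # union-find over same-type sets

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    labels = {}
    for s in unknown:
        # The application with the highest final similarity to s.
        nearest, nearest_sim = None, -2.0
        for other in samples - {s}:
            sim = final_sims.get(frozenset((s, other)), -1.0)
            if sim > nearest_sim:
                nearest, nearest_sim = other, sim
        if nearest in known:                  # neighbour is a known illegal app
            if nearest_sim > high:
                labels[s] = known[nearest]    # same category as the neighbour
            elif nearest_sim < low:
                labels[s] = "legal"
        elif nearest is not None and nearest_sim > cluster:
            parent[find(s)] = find(nearest)   # neighbour is another unknown: same type set
    # Every member of a type set that contains an identified illegal sample
    # takes that sample's category.
    for s in unknown:
        if s in labels and labels[s] != "legal":
            root = find(s)
            for t in unknown:
                if t not in labels and find(t) == root:
                    labels[t] = labels[s]
    return labels


# Constructed (first, second) similarities between known illegal samples,
# used to fit the weights.  Here the sequence similarity separates the
# categories while the name similarity alone would not.
KNOWN_PAIR_SIMS = {
    ("D1", "D2"): (0.85, 0.30), ("E1", "E2"): (0.70, 0.40),   # same category
    ("D1", "E1"): (0.20, 0.60), ("D1", "E2"): (0.10, 0.70),   # different
    ("D2", "E1"): (0.30, 0.55), ("D2", "E2"): (0.25, 0.65),
}
KNOWN_CATEGORIES = {"D1": "Fakebank", "D2": "Fakebank", "E1": "Gepew", "E2": "Gepew"}

# Constructed final similarities reproducing Fig. 3: A and C cluster with B,
# B's nearest neighbour is the known Fakebank sample D; F is far from
# everything, G sits between the low and high thresholds.
FINAL_SIMS = {frozenset(p): v for p, v in {
    ("A", "B"): 0.90, ("B", "D"): 0.93, ("B", "C"): 0.88, ("A", "C"): 0.70,
    ("A", "D"): 0.60, ("C", "D"): 0.50, ("A", "E"): 0.10,
    ("F", "E"): 0.30, ("F", "A"): 0.10, ("G", "E"): 0.60,
}.items()}
KNOWN = {"D": "Fakebank", "E": "Gepew"}


if __name__ == "__main__":
    print(optimise_weights(KNOWN_PAIR_SIMS, KNOWN_CATEGORIES))
    print(classify(FINAL_SIMS, KNOWN))
```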
And finally, generating an application program category classification chart representing the similarity relation and the category of each application program according to the final similarity relation and the type of each application program in the application program sample set, so as to more clearly display the category of each application program to be identified.
Fig. 4 shows the complete steps of the illegal application category identification method:
step S401, acquiring an application program sample set to an SDK platform;
step S402, virtually operating each application program in the application program sample set on a simulation operation platform, acquiring sequence characteristics generated in operation, and acquiring name characteristics from an installation package of each application program;
step S403, determining a first similarity and a second similarity between any application program to be identified in the application program sample set and each illegal application program and other application programs to be identified according to the sequence characteristics and the name characteristics;
step S404, obtaining the final similarity between any application program to be identified and each illegal application program and other application programs to be identified according to the corresponding weight of the first similarity and the second similarity;
step S405, judging the type of the application with the highest final similarity to any application to be identified; executing step S406 when it is an illegal application, and executing step S407 when it is another application to be identified;
step S406, judging the type of any application program to be identified according to the highest final similarity and the relationship between the low threshold and the high threshold, executing step S408 when the highest final similarity is higher than the set high threshold, and executing step S409 when the highest final similarity is lower than the set low threshold;
step S407, when determining that the application program to be identified with the highest final similarity is the other application programs to be identified and the highest final similarity is higher than a set clustering threshold, dividing the application program to be identified and the other application programs to be identified with the highest final similarity into a same type set;
step S408, the application program to be identified is determined as the same category as the illegal application program with the highest final similarity;
step S409, determining the application program to be identified as a legal application program;
step S410, according to the application program to be identified as the illegal application program and the category of the illegal application program, determining the application program to be identified which belongs to the same type set as the application program to be identified as the illegal application program and the category of the same illegal application program;
step S411, after all samples to be identified in the application program sample set are subjected to sample type identification, generating an application program category classification chart according to the final similarity relation of each application program and the type of the application program.
Example 2
The embodiment of the invention provides an illegal application program category identification device, which comprises the following modules:
a sample obtaining module 501, configured to obtain an application sample set, where the application sample set includes at least one illegal application with a recognized category and at least one application to be recognized;
a feature obtaining module 502, configured to virtually run each application in the application sample set on the simulation running platform, obtain a sequence feature generated during running, where the sequence feature includes an API call sequence representing an API interface sequence called during running of the application, and obtain a name feature representing generation of an installation package from an installation package of each application;
the similarity determining module 503 is configured to determine, according to the sequence characteristics of each application program, first similarities between any one of the application programs to be identified and each of the illegal application programs and the other application programs to be identified, and determine, according to the name characteristics of each application program, second similarities between any one of the application programs to be identified and each of the illegal application programs and the other application programs to be identified;
a final similarity determining module 504, configured to determine final similarities between any application to be identified and each illegal application and other applications to be identified according to the first similarity and the second similarity;
and an application program type determining module 505, configured to determine, according to the final similarity, whether the application program to be identified is an illegal application program, and determine a type of the illegal application program to which the application program belongs when the application program to be identified is determined to be the illegal application program.
The application type determining module 505, according to the final similarity, determines whether the application to be identified is an illegal application, and determines the type of the illegal application to which the application belongs when the application to be identified is determined to be the illegal application, including:
determining that the application program with the highest final similarity to the application program to be identified is an illegal application program, and determining that the identified application program is the illegal application program when the highest final similarity is higher than a set high threshold;
and determining the illegal application program category with the highest final similarity with the application program to be identified as the illegal application program category to which the application program to be identified belongs.
The application program category determining module is used for determining whether the application program to be identified is an illegal application program according to the final similarity, and comprises the following steps:
and, when the application with the highest final similarity to the application to be identified is an illegal application, determining the application to be identified to be illegal; and when the highest final similarity is lower than a set low threshold, determining the application to be identified to be legal.
The application type determining module 505, according to the final similarity, determines whether the application to be identified is an illegal application, including:
and when determining that the application program to be identified with the highest final similarity is the other application programs to be identified and the highest final similarity is higher than a set clustering threshold, dividing the application program to be identified and the other application programs to be identified with the highest final similarity into the same type set.
The application category determination module 505 further includes:
and, given that an application to be identified is an illegal application of a particular category, determining the applications to be identified that belong to the same type set as it, and determining those applications to be illegal applications of the same category.
The feature obtaining module 502 obtains, from the installation package of each application program, a name feature indicating generation of the installation package, including:
acquiring authority information which represents calling authority names and is determined when the installation package of each application program is virtually run on a simulation running platform;
acquiring, for each application in the application sample set, signature information determined by the developer name or development account in its installation package;
and acquiring activity name information determined by activity names generated by application program components in the virtual operation of the installation package of each application program on the simulation operation platform.
The similarity determining module 503, for determining a first similarity between any application to be identified and each illegal application and other applications to be identified, includes:
unifying the API call sequences in the sequence features of all applications into digest information of the same length by using the Nilsimsa algorithm of locality sensitive hashing;
and obtaining the corresponding first similarity by comparing the digest information of any application to be identified with that of each illegal application and each other application to be identified.
The similarity determining module 503 determines a second similarity between any application to be identified and each illegal application and other applications to be identified, including:
and determining the second similarity between any application to be identified and each illegal application and each other application to be identified by using the Jaccard set similarity algorithm.
The final similarity determining module 504, according to the first similarity and the second similarity, determines final similarities between any application to be identified and each illegal application and other applications to be identified, including:
and multiplying the first similarity and the second similarity by corresponding weights respectively and summing to obtain the final similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively.
The similarity weight determination module 506 further includes:
determining first similarity among the illegal application programs according to the sequence characteristics of the illegal application programs, and determining second similarity among the illegal application programs according to the name characteristics of the illegal application programs;
inputting the first similarity and the second similarity of any two illegal application programs into a weight optimizer, and adjusting the weights of the first similarity and the second similarity by using the weight optimizer, so that the result of whether the two illegal application programs output after weighted summation of the first similarity and the second similarity belong to the same category is consistent with the result of whether the two illegal application programs in an application program sample set belong to the same category;
and obtaining the weights corresponding to the first similarity and the second similarity according to the weight after the weight optimizer finishes the adjustment.
Example 3
The present invention provides a computer readable storage medium storing computer instructions which, when executed by a processor, perform the following method:
acquiring an application program sample set, wherein the application program sample set comprises at least one illegal application program with a recognized category and at least one application program to be recognized;
virtually operating each application program in an application program sample set on a simulation operation platform, acquiring sequence characteristics generated in operation, wherein the sequence characteristics comprise an API (application programming interface) calling sequence which represents an API interface sequence called in the operation of the application program, and acquiring name characteristics which represent the generation of an installation package from the installation package of each application program;
determining a first similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively according to the sequence characteristics of the application programs, and determining a second similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively according to the name characteristics of the application programs;
determining final similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively according to the first similarity and the second similarity;
and determining whether the application program to be identified is an illegal application program or not according to the final similarity, and determining the type of the illegal application program when the application program to be identified is determined to be the illegal application program.
The illegal application class identification device may have a relatively large difference due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 601 (e.g., one or more processors) and a memory 602, one or more storage media 603 (e.g., one or more mass storage devices) for storing applications 604 or data 605. Wherein the memory 602 and storage medium 603 may be transient or persistent storage. The program stored in the storage medium 603 may include one or more modules (not shown), and each module may include a series of instruction operations in the information processing apparatus. Still further, the central processor 601 may be arranged to communicate with the storage medium 603, to execute a series of instruction operations in the storage medium 603 on the apparatus 600.
The device 600 may also include one or more power supplies 606, one or more wired or wireless network interfaces 607, one or more input-output interfaces 608, and/or one or more operating systems 609, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
Optionally, the determining, by the device, whether the application to be identified is an illegal application according to the final similarity, and determining a category of the illegal application to which the application belongs when the application is determined to be the illegal application includes:
determining that the application program with the highest final similarity to the application program to be identified is an illegal application program, and determining that the identified application program is the illegal application program when the highest final similarity is higher than a set high threshold;
and determining the illegal application program category with the highest final similarity with the application program to be identified as the illegal application program category to which the application program to be identified belongs.
Optionally, the determining, by the device, whether the application to be identified is an illegal application according to the final similarity includes:
and, when the application with the highest final similarity to the application to be identified is an illegal application, determining the application to be identified to be illegal; and when the highest final similarity is lower than a set low threshold, determining the application to be identified to be legal.
Optionally, the determining, by the device, whether the application to be identified is an illegal application according to the final similarity includes:
and when determining that the application program to be identified with the highest final similarity is the other application programs to be identified and the highest final similarity is higher than a set clustering threshold, dividing the application program to be identified and the other application programs to be identified with the highest final similarity into the same type set.
Optionally, the apparatus further comprises:
and, given that an application to be identified is an illegal application of a particular category, determining the applications to be identified that belong to the same type set as it, and determining those applications to be illegal applications of the same category.
Optionally, the obtaining, by the apparatus, a name feature indicating generation of an installation package from the installation package of each application includes:
acquiring authority information which represents calling authority names and is determined when the installation package of each application program is virtually run on a simulation running platform;
acquiring, for each application in the application sample set, signature information determined by the developer name or development account in its installation package;
and acquiring activity name information determined by activity names generated by application program components in the virtual operation of the installation package of each application program on the simulation operation platform.
Optionally, the determining, by the apparatus, a first similarity between any application to be identified and each illegal application and other applications to be identified respectively includes:
unifying the API call sequences in the sequence features of all applications into digest information of the same length by using the Nilsimsa algorithm of locality sensitive hashing;
and obtaining the corresponding first similarity by comparing the digest information of any application to be identified with that of each illegal application and each other application to be identified.
Optionally, the determining, by the apparatus, a second similarity between each of the applications to be identified and each of the illegal applications and other applications to be identified includes:
and determining the second similarity between any application to be identified and each illegal application and each other application to be identified by using the Jaccard set similarity algorithm.
Optionally, the determining, by the apparatus, final similarities between any application to be identified and each illegal application and other applications to be identified according to the first similarity and the second similarity includes:
and multiplying the first similarity and the second similarity by corresponding weights respectively and summing to obtain the final similarity between any application program to be identified and each illegal application program and other application programs to be identified respectively.
Optionally, the apparatus is further configured to:
determine first similarities among the illegal application programs according to their sequence features, and second similarities among the illegal application programs according to their name features;
input the first similarity and the second similarity of any two illegal application programs into a weight optimizer, and adjust the weights of the first similarity and the second similarity with the weight optimizer, so that the result output after the weighted summation of the two similarities, namely whether the two illegal application programs belong to the same category, is consistent with whether the two illegal application programs in the application program sample set actually belong to the same category;
and take the weights of the first similarity and the second similarity as the weights obtained when the weight optimizer has finished adjusting.
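As an added illustration of the two similarities, their weighted fusion and the weight optimizer described above (example code written for this page, not the patent's own implementation): the Nilsimsa step is replaced by a simplified locality-sensitive digest of the same shape (trigram accumulators thresholded into 256 bits, compared by bit agreement), the unspecified optimizer is assumed to be a grid search, and the sample applications, their API call sequences and name features are constructed.

```python
import zlib
from itertools import combinations

DIGEST_BITS = 256

# Constructed sample set (not from the patent): illegal apps of known category,
# the API call sequence each produced in the sandbox, and name features from
# its installation package (permission, signature and activity names).
ILLEGAL = {
    "ill_a": {"category": "sms_fraud",
              "api": ["getDeviceId", "getLine1Number", "sendTextMessage", "sendTextMessage", "deleteSms"],
              "names": {"perm:SEND_SMS", "perm:READ_PHONE_STATE", "sig:dev1", "act:Main", "act:Pay"}},
    "ill_b": {"category": "sms_fraud",
              "api": ["getDeviceId", "getLine1Number", "sendTextMessage", "sendTextMessage", "abortBroadcast"],
              "names": {"perm:SEND_SMS", "perm:RECEIVE_SMS", "sig:dev1", "act:Main", "act:Pay"}},
    "ill_c": {"category": "banking_trojan",
              "api": ["getRunningTasks", "addView", "getText", "openConnection", "write"],
              "names": {"perm:SYSTEM_ALERT_WINDOW", "perm:INTERNET", "sig:dev2", "act:Overlay"}},
    "ill_d": {"category": "banking_trojan",
              "api": ["getRunningTasks", "addView", "getText", "openConnection", "getAccounts"],
              "names": {"perm:SYSTEM_ALERT_WINDOW", "perm:GET_ACCOUNTS", "sig:dev2", "act:Overlay"}},
}

def lsh_digest(api_calls):
    """Simplified stand-in for Nilsimsa (same shape, not the real algorithm):
    each trigram of consecutive API calls is hashed into one of 256 accumulators
    and every accumulator above the mean becomes a set bit, so a fixed-length
    digest results whatever the length of the call sequence."""
    buckets = [0] * DIGEST_BITS
    for i in range(len(api_calls) - 2):
        trigram = "|".join(api_calls[i:i + 3]).encode()
        buckets[zlib.crc32(trigram) % DIGEST_BITS] += 1
    mean = sum(buckets) / DIGEST_BITS
    return sum(1 << bit for bit, count in enumerate(buckets) if count > mean)

def digest_similarity(d1, d2):
    """First similarity: fraction of digest bits that agree, scaled to [0, 1]
    (Nilsimsa reports the same quantity as 128 minus the Hamming distance).
    Caveat: short call sequences give sparse digests that all score high."""
    return 1.0 - bin(d1 ^ d2).count("1") / DIGEST_BITS

def jaccard(a, b):
    """Second similarity: Jaccard overlap of two name-feature sets."""
    return len(a & b) / len(a | b) if a | b else 0.0

def first_similarity(x, y):
    return digest_similarity(lsh_digest(x["api"]), lsh_digest(y["api"]))

def second_similarity(x, y):
    return jaccard(x["names"], y["names"])

def final_similarity(x, y, w1, w2):
    """Weighted sum of the two similarities, the 'final similarity'."""
    return w1 * first_similarity(x, y) + w2 * second_similarity(x, y)

def optimise_weights(illegal, threshold=0.5, steps=20):
    """Weight optimiser over the known illegal apps: grid-search w1 (w2 = 1 - w1)
    so that 'weighted sum > threshold' agrees as often as possible with whether
    each pair really shares a category; ties go to the more balanced weights.
    The grid search is an assumption; the text does not name the optimiser."""
    pairs = list(combinations(illegal.values(), 2))
    candidates = []
    for k in range(steps + 1):
        w1, w2 = k / steps, 1.0 - k / steps
        agree = sum((final_similarity(x, y, w1, w2) > threshold)
                    == (x["category"] == y["category"]) for x, y in pairs)
        candidates.append((agree, -abs(w1 - 0.5), w1, w2))
    _, _, w1, w2 = max(candidates)
    return w1, w2

if __name__ == "__main__":
    w1, w2 = optimise_weights(ILLEGAL)
    print("weights:", w1, w2, "ill_a~ill_b:", round(final_similarity(ILLEGAL["ill_a"], ILLEGAL["ill_b"], w1, w2), 3))
```

With sequences this short the digest barely separates categories, so the optimiser shifts weight toward the name features; on real sandbox traces of thousands of calls the first similarity carries more of the decision.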
Example 4
An embodiment of the present invention provides a computer program medium, namely a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the illegal application program category identification method provided in embodiment 1.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (11)

1. An illegal application class identification method, characterized in that the method comprises:
acquiring an application program sample set, wherein the application program sample set comprises at least one illegal application program whose category has been identified and at least one application program to be identified;
virtually running each application program in the application program sample set on a simulation running platform and acquiring the sequence features generated during running, wherein the sequence features comprise an API (application programming interface) call sequence representing the order in which API interfaces are called while the application program runs, and acquiring, from the installation package of each application program, name features characterizing the generation of the installation package;
determining a first similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively according to the sequence features of the application programs, and determining a second similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively according to the name features of the application programs;
determining the final similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively according to the first similarity and the second similarity;
determining, according to the final similarity, whether the application program to be identified is an illegal application program, and, when it is determined to be an illegal application program, determining the category of illegal application program to which it belongs;
wherein determining, according to the final similarity, whether the application program to be identified is an illegal application program comprises:
when the application program with the highest final similarity to the application program to be identified is another application program to be identified, and that highest final similarity is higher than a set clustering threshold, placing the application program to be identified and the other application program to be identified with the highest final similarity into the same type set;
and, when an application program to be identified is determined to be an illegal application program of a certain category, determining that the application programs to be identified belonging to the same type set as it are illegal application programs of that same category;
and the name features characterizing the generation of the installation package comprise: permission information, signature information, and activity name information.
2. The method according to claim 1, wherein determining, according to the final similarity, whether the application program to be identified is an illegal application program and, when it is, the category of illegal application program to which it belongs comprises:
when the application program with the highest final similarity to the application program to be identified is an illegal application program and that highest final similarity is higher than a set high threshold, determining that the application program to be identified is an illegal application program;
and determining the category of the illegal application program with the highest final similarity to the application program to be identified as the category of illegal application program to which the application program to be identified belongs.
3. The method according to claim 2, wherein determining, according to the final similarity, whether the application program to be identified is an illegal application program comprises:
when the application program with the highest final similarity to the application program to be identified is an illegal application program and that highest final similarity is lower than a set low threshold, determining that the application program to be identified is a legal application program.
4. The method according to claim 1, wherein acquiring, from the installation package of each application program, the name features characterizing the generation of the installation package comprises:
acquiring permission information representing the names of the permissions called, determined when the installation package of each application program is virtually run on the simulation running platform;
acquiring signature information determined by the developer name, i.e. the development account, in the installation package of each application program in the application program sample set;
and acquiring activity name information determined by the activity names generated by the application program's components when its installation package is virtually run on the simulation running platform.
5. The method according to claim 1, wherein determining the first similarity between any application program to be identified and each illegal application program and the other application programs to be identified comprises:
unifying the API call sequences in the sequence features of all application programs into digests of the same length by using the Nilsimsa locality-sensitive hashing algorithm;
and obtaining the corresponding first similarity by comparing the digest of any application program to be identified with the digests of each illegal application program and of the other application programs to be identified.
6. The method according to claim 1, wherein determining the second similarity between any application program to be identified and each illegal application program and the other application programs to be identified comprises:
determining the second similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively by using the Jaccard set similarity algorithm.
7. The method according to claim 1, wherein determining the final similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively according to the first similarity and the second similarity comprises:
multiplying the first similarity and the second similarity by their respective weights and summing the products to obtain the final similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively.
8. The method of claim 7, further comprising:
determining first similarities among the illegal application programs according to their sequence features, and second similarities among the illegal application programs according to their name features;
inputting the first similarity and the second similarity of any two illegal application programs into a weight optimizer, and adjusting the weights of the first similarity and the second similarity with the weight optimizer, so that the result output after the weighted summation of the two similarities, namely whether the two illegal application programs belong to the same category, is consistent with whether the two illegal application programs in the application program sample set actually belong to the same category;
and taking the weights of the first similarity and the second similarity as the weights obtained when the weight optimizer has finished adjusting.
9. An illegal application class identification device, characterized in that the device comprises:
a sample acquisition module, configured to acquire an application program sample set, wherein the application program sample set comprises at least one illegal application program whose category has been identified and at least one application program to be identified;
a feature acquisition module, configured to virtually run each application program in the application program sample set on a simulation running platform and acquire the sequence features generated during running, wherein the sequence features comprise an API (application programming interface) call sequence representing the order in which API interfaces are called while the application program runs, and to acquire, from the installation package of each application program, name features characterizing the generation of the installation package;
a similarity determining module, configured to determine a first similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively according to the sequence features of the application programs, and to determine a second similarity between any application program to be identified and each illegal application program and the other application programs to be identified respectively according to the name features of the application programs;
a final similarity determining module, configured to determine the final similarity between any application program to be identified and each illegal application program and the other application programs to be identified according to the first similarity and the second similarity;
an application program category determining module, configured to determine, according to the final similarity, whether the application program to be identified is an illegal application program, and, when it is determined to be an illegal application program, to determine the category of illegal application program to which it belongs;
wherein the application program category determining module is specifically configured to:
when the application program with the highest final similarity to the application program to be identified is another application program to be identified, and that highest final similarity is higher than a set clustering threshold, place the application program to be identified and the other application program to be identified with the highest final similarity into the same type set;
and, when an application program to be identified is determined to be an illegal application program of a certain category, determine that the application programs to be identified belonging to the same type set as it are illegal application programs of that same category;
and the name features characterizing the generation of the installation package comprise: permission information, signature information, and activity name information.
10. An illegal application program class identification device, characterized in that the device comprises a processor and a memory, wherein the memory is used for storing a computer program, the processor is used for executing the computer program in the memory, and the computer program is used for executing the illegal application program class identification method according to any one of claims 1-8.
11. A computer program medium, characterized in that the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the illegal application program category identification method according to any one of claims 1 to 8.
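The decision rule of claims 1 to 3 (high threshold, low threshold, clustering threshold and propagation through a same-type set), as an added example written for this page and not taken from the patent: it works on an already computed table of final similarities, and the application names, categories and similarity values are constructed so that each branch of the rule is exercised.

```python
from itertools import combinations

def build_table(apps, overrides, default=0.1):
    """Helper for the constructed example: a symmetric pairwise table of final
    similarities, every pair at `default` unless listed in `overrides`."""
    table = {frozenset(p): default for p in combinations(apps, 2)}
    for a, b, score in overrides:
        table[frozenset((a, b))] = score
    return table

def classify(final_sim, illegal, unknown, high=0.8, low=0.3, cluster=0.6):
    """Decision rule of claims 1-3 on a precomputed final-similarity table.
    final_sim: {frozenset({a, b}): similarity} for every pair of app names;
    illegal: {name: known category}; unknown: names of apps to identify.
    Returns {name: category | 'legal' | 'undetermined'}.  Thresholds must
    satisfy low <= cluster so a clustered app can never also be 'legal'."""
    parent = {u: u for u in unknown}           # union-find over same-type sets

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    result = {}
    for u in unknown:
        candidates = list(illegal) + [v for v in unknown if v != u]
        nearest = max(candidates, key=lambda v: final_sim[frozenset((u, v))])
        score = final_sim[frozenset((u, nearest))]
        if nearest in illegal and score > high:
            result[u] = illegal[nearest]        # illegal, same category as nearest
        elif nearest not in illegal and score > cluster:
            parent[find(u)] = find(nearest)     # join the neighbour's same-type set
        elif score < low:
            result[u] = "legal"
    # An app to be identified that shares a same-type set with an app found
    # illegal is illegal and of the same category (claim 1, last step).
    for u in unknown:
        if u in result and result[u] != "legal":
            for v in unknown:
                if find(v) == find(u):
                    result.setdefault(v, result[u])
    for u in unknown:
        result.setdefault(u, "undetermined")   # between the low and high thresholds
    return result

# Constructed example (not from the patent): two illegal apps of known
# category and five apps to identify, with hand-picked final similarities.
KNOWN_ILLEGAL = {"ill_sms": "sms_fraud", "ill_bank": "banking_trojan"}
UNKNOWN = ["u1", "u2", "u3", "u4", "u5"]
FINAL_SIM = build_table(list(KNOWN_ILLEGAL) + UNKNOWN, [
    ("u1", "ill_sms", 0.9),    # above the high threshold: illegal, sms_fraud
    ("u1", "u2", 0.7),         # above the clustering threshold: u2 joins u1's set
    ("u2", "ill_sms", 0.5),    # u2's nearest neighbour is u1, not ill_sms
    ("u3", "u4", 0.2),         # everything below the low threshold: legal
    ("u5", "ill_bank", 0.5),   # nearest is illegal but between low and high
])

if __name__ == "__main__":
    print(classify(FINAL_SIM, KNOWN_ILLEGAL, UNKNOWN))
```

Note that u2 is never directly compared against the high threshold; it inherits the sms_fraud label only because it was clustered with u1, which is the propagation step the claims add on top of nearest-neighbour matching.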
CN201911340852.4A 2019-12-23 2019-12-23 Illegal application program category identification method and device Active CN111143833B (en)

Publications (2)

Publication Number Publication Date
CN111143833A CN111143833A (en) 2020-05-12
CN111143833B true CN111143833B (en) 2022-03-11
