CN111159041A - Tampering software detection method based on electromagnetic signal EMR - Google Patents

Publication number
CN111159041A
Authority
CN
China
Legal status
Granted
Application number
CN201911408166.6A
Other languages
Chinese (zh)
Other versions
CN111159041B (en
Inventor
吴黎兵
刘�英
王敏
张瑞
Current Assignee
Wuhan University WHU
Original Assignee
Wuhan University WHU

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/36: Preventing errors by testing or debugging software
    • G06F11/3668: Software testing

Abstract

The invention discloses a method for detecting tampered software based on electromagnetic signals (EMR), used to judge whether a program under test has been tampered with compared with the official original software. The method comprises the following steps. Step 1, constructing a feature database: the software is started on the electronic device, a magnetometer device acquires the electromagnetic signal (EMR) emitted while the software starts, the time-domain and frequency-domain features of the EMR signal are extracted, and a feature database is constructed. Step 2, software detection: for the EMR signals in the feature database, a dynamic time warping algorithm with a path slope constraint is used as the distance measure, the corresponding path-slope-constrained mean center algorithm is used to obtain the time-series center, the center is matched against a preset feature library of the original software, the degree of membership of the EMR signal is calculated, and whether the software has been tampered with is judged against a threshold. The invention can quickly and conveniently detect software that may have been tampered with, thereby helping to secure the electronic device.

Description

Tampering software detection method based on electromagnetic signal EMR
Technical Field
The invention relates to the technical field of computers, and in particular to a method for detecting tampered software based on electromagnetic signals (EMR).
Background
The Internet is full of tampered software, including rogue software and malware carrying viruses. Such software is often produced by modifying the original software from the official website, implanting advertisements or viruses, and then releasing it online to induce users to download it. Because of network limitations, cost, download speed and other factors, users often obtain software from offline installation packages or unofficial free download sites, and this software may have been maliciously tampered with or infected by viruses.
The harm caused by such software can be summarized as: 1. modified functions, so that the software's behaviour changes and no longer matches expectations; 2. implanted advertisements, which cost the user unnecessary traffic; 3. implanted viruses, which threaten the security of the user's computer programs. There is currently little research on detecting such software. It is generally treated as a threat program and subjected to general security detection, for example checking before installation for characteristics such as modified registry information. This approach is prone to missed detections, and it can be bypassed because the software has only had functions added or removed and carries no serious virus characteristics. In general, it is not necessary to know what kind of virus exists in the software; it is enough to compare it with the original official software to see whether it has been modified. Therefore, in practical applications, a simpler detection method can be used.
Many past studies have shown that the electromagnetic signals (EMR) emitted by electronic devices are highly distinguishable. Gupta, Sidhant et al. used an electromagnetic sensor to automatically detect and classify electronic devices in the home. They demonstrated experimentally that EMR signals are stable and predictable, which makes electromagnetic signature technology usable in homes. Vaucelle introduced an economical and effective design of wearable sensors for detecting the electric field strength and other characteristics emitted by notebook computer displays, indicating that such electromagnetic radiation could serve as a fingerprint of electrical devices for device localization. These studies show that electromagnetic signals can be sensed and distinguished, but the sensors required for such detection are relatively demanding. Zhu, Zhuangdi et al. successfully inferred the applications running and the web pages viewed by the user on a nearby computer using the built-in magnetometer of a commercial handset. Furthermore, Zhu, Zhuangdi et al. demonstrated that the detection of electromagnetic signals is not disturbed by geomagnetic signals. This study shows that electromagnetic signals can be identified and distinguished by portable devices such as cell phones.
When matching and classifying electromagnetic signals, the key problems are how to calculate the distance between two time series and how to find the center of a set of time series. For the first problem, time series of inconsistent length are difficult to compare. The EMR signals acquired here also start faster or slower depending on the state of the device, so the EMR data may be stretched or compressed over a given period; the DTW-based distance algorithm CDTW effectively handles this inconsistency in sequence length and timing. For the second problem, scholars have proposed DTW-based averaging algorithms such as DBA, but under some special conditions the average sequences these algorithms produce can contain steep sections, in which case the average sequence loses the original waveform characteristics.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method for detecting tampered software based on electromagnetic signals (EMR) that addresses the defects in the prior art.
The technical scheme adopted by the invention to solve this problem is as follows:
The invention provides a method for detecting tampered software based on electromagnetic signals (EMR), used to judge whether a program under test has been tampered with compared with the official original software. The method comprises the following steps:
Step 1, constructing a feature database:
the software is started on the electronic device, a magnetometer device acquires the electromagnetic signal (EMR) emitted while the software starts, the time-domain and frequency-domain features of the EMR signal are extracted, and a feature database is constructed;
Step 2, software detection:
for the EMR signals in the feature database, a dynamic time warping algorithm with a path slope constraint is used as the distance measure, the corresponding path-slope-constrained mean center algorithm is used to obtain the time-series center, the center is matched against a preset feature library of the original software, the degree of membership of the EMR signal is calculated, and whether the software has been tampered with is judged against a threshold.
Further, the specific steps of constructing the feature database in step 1 of the present invention are:
Step 11, repeatedly and periodically starting the relevant software on the electronic device while using the magnetometer device to continuously acquire the EMR data emitted by the device across these starts; smoothing the acquired EMR data and performing endpoint detection, removing the silent segments and cutting the EMR data into multiple sub-segments, each sub-segment being regarded as the electromagnetic signal data of a single software start;
Step 12, applying mathematical transformations to the EMR signal segments processed in step 11 to extract their time-domain and frequency-domain features; the first feature, the time-domain feature, is obtained by normalization only; the second feature, the frequency-domain feature, is obtained by applying an FFT to the normalized original data;
Step 13, for the time-domain and frequency-domain features respectively, calculating the mean center sequence using the CDBA algorithm and using the center sequence to represent the category; storing the center sequences to obtain the feature database.
Further, the magnetometer device in step 11 of the invention comprises a mobile phone with a built-in magnetic sensor and related magnetometer software, the magnetometer software including the Magnetic Sensor software.
Further, step 11 of the present invention is specifically implemented as follows:
The self-starting process: when the software is started, all other software on the device is stopped to prevent interference; after each start the script sleeps for 10 seconds, closes the software, sleeps for another 10 seconds and starts the software again;
The data smoothing process: the acquired data is smoothed to reduce the influence of outliers. The smoothing algorithm used is the moving average: for a sequence, a certain number of data points near each point are selected and their arithmetic mean is calculated; the result is the moving average and is used as the value of that point. The formula of the moving average algorithm is as follows:
Figure BDA0002349226600000031
where $y_t, y_{t+1}, \ldots$ are the observed values at times $t, t+1, \ldots$ respectively, and n is the average number of terms;
The endpoint detection process: the endpoint detection algorithm used is the short-time autocorrelation coefficient endpoint detection algorithm; the short-time autocorrelation coefficient is calculated and the endpoints are determined by setting a threshold. The short-time energy calculation formula is as follows:
Figure BDA0002349226600000041
where $w(n)$ is a window function; here the window is a square window defined as follows:
Figure BDA0002349226600000042
where $N$ is the size of the window. After the short-time energy values have been calculated, points below the threshold are regarded as environmental noise, i.e. a silent segment.
Further, the specific process of the CDBA algorithm adopted in step 13 of the present invention is as follows:
The CDBA algorithm is used to find the mean center sequence of multiple time series. CDBA is a mean center algorithm based on the path-slope-constrained dynamic time warping (CDTW) distance. The idea of the CDTW algorithm is to find, for two time series, an optimal warping path $P = \{p_1, p_2, \ldots, p_w\}$ that minimizes the sum of the distances between the corresponding elements on the path, i.e.:
Figure BDA0002349226600000043
where $d(p_w) = d(x_i, x_j)$ represents the distance between corresponding elements from the different time series on the optimal warping path $P$. The Euclidean distance is typically used to measure the distance between elements, i.e. $d(x_i, y_i) = (x_i - y_i)^2$. Using dynamic programming, a path meeting the optimality condition can be solved for under the corresponding path slope constraint, so that the cumulative distance of the last element in the path is minimal, i.e.:
Figure BDA0002349226600000044
where $k$ is the slope, a constraint on the path $P = \{p_1, p_2, \ldots, p_w\}$;
For a dataset $X = \{X_1, X_2, \ldots, X_N\}$, first initialize a center sequence $C = \{c_1, c_2, \ldots, c_\tau\}$ and use the CDTW algorithm to calculate the warping path $P_i$ between $X$ and the center sequence $C$; for each value of $i$, according to $P_i$, select from $X_i$ the set of data points matched to data point $c_i$ of the center sequence
Figure BDA0002349226600000051
Finally, all data points in
Figure BDA0002349226600000052
are used to calculate the updated value of $c_i$ in the center sequence:
Figure BDA0002349226600000053
$C$ is then updated with $C'$, i.e. $C \leftarrow C'$, and the mean center sequence $C$ describing the time-series dataset $X$ is recomputed until it no longer changes between two successive updates (convergence). The CDTW-based mean center sequence reflects the morphological changes of the original time-series data; in addition, CDBA can use center sequences of different lengths to describe the morphological relationship between time series of unequal length in the dataset.
Further, the software detection in step 2 of the present invention specifically comprises the following steps:
Step 21, running the software under test on the electronic device, acquiring the EMR signal emitted while the software starts using the same magnetometer device, and preprocessing the acquired EMR signal (data smoothing, endpoint detection and removal of the silent parts) to obtain the processed data;
Step 22, extracting the corresponding time-domain and frequency-domain features from the processed data; the first feature is obtained by normalizing the original data only; the second is obtained by applying the Fast Fourier Transform (FFT) to the normalized original data to obtain its frequency-domain feature distribution;
Step 23, matching the EMR signal of the software under test against the feature library of the original software and calculating its degree of membership; if the degree of membership is higher than the threshold, the software has not been tampered with, otherwise it has been tampered with. Bayesian probability is used to compute the degree of membership. The degree of membership is calculated for each feature, and the arithmetic mean of these values gives the overall degree of membership, which is compared with the threshold to output the detection result.
Further, the formula for calculating the membership degree in step 23 of the present invention is:
The log probability is used to represent the probability that $X$ belongs to class $C$, and is calculated as follows:
Figure BDA0002349226600000054
where
Figure BDA0002349226600000061
denotes the CDTW path between $x$ and $u_c$, $K$ is the path length, $u_c$ is the center sequence of the class $C$ sequences,
Figure BDA0002349226600000062
is the index of the point on sequence $x$ at point $k$ of the path,
Figure BDA0002349226600000063
is the index of the point on sequence $u_c$ at point $k$ of the path, $\sigma_c$ is the standard deviation sequence of class $C$, and $\sigma_c(k)$ is the standard deviation of all points of all sequences aligned to the point $u_c(k)$, calculated by the formula:
$\sigma_c(k) \leftarrow \mathrm{std}(\mathrm{align}(u_c(k)))$.
The invention has the following beneficial effects. In the disclosed method for detecting tampered software based on electromagnetic signals (EMR), the software is started on the electronic device, a magnetometer device acquires the EMR emitted while the software starts, and the time-domain and frequency-domain features of the EMR signal are extracted. The path-slope-constrained dynamic time warping algorithm (CDTW) is used as the distance measure, and the corresponding path-slope-constrained mean center algorithm (CDBA) is used to obtain the time-series center. The center is matched against a preset feature library of the original software, and the degree of membership is calculated and compared with a threshold to judge whether tampering has occurred. With this method, software that may have been tampered with can be detected quickly and conveniently, helping to secure the electronic device.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is an overall block diagram of the detection method of the present invention.
FIG. 2 is a feature library building block of the detection system of the present invention.
FIG. 3 is a detection module of the detection method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the embodiment of the invention, a user uses an offline installation package that has been infected by a virus, or downloads software, such as an operating system bundled with many programs, from an unsafe website. Promoted applications or background trojans may be embedded in the tampered software, and such software often bypasses common security checks and is installed on the electronic device successfully. In general, it is not necessary to determine what the hidden danger is; it can be eliminated by comparing the software with the original to see whether it has been tampered with. To detect whether software carries a hidden danger or has been modified later, an EMR fingerprint database of the software must be constructed.
As shown in fig. 1, the detection system is divided into two modules, one is a construction module of a feature library of original software, and the other is a detection module of software to be detected.
Step 101: EMR signal data is first collected at the time of original software startup.
Step 102: The acquired data is preprocessed: data smoothing and endpoint detection.
Step 103: Time-domain features and frequency-domain features are extracted from the data.
Step 104: The mean centers of the two types of feature sequences are calculated using the CDBA algorithm, completing the construction of the feature library.
Step 105: In the detection module, the software under test is run and the EMR signal data emitted while it starts is acquired.
Step 106: The time-domain and frequency-domain features of the EMR signal of the software under test are extracted.
Step 107: The features are matched against the pre-constructed feature library using CDTW, and the degree of membership is calculated.
Step 108: The degree of membership obtained in step 107 is compared with a threshold. If it is greater than the threshold, the software is considered not to have been tampered with; otherwise the software has been tampered with and poses a potential security risk. The final detection result is output and the user is notified.
As shown in fig. 2, the details of the construction of the feature library of the original software are as follows:
Step 201, data collection: the relevant software is started repeatedly and periodically on the electronic device, and the EMR data emitted by the device across these starts is acquired continuously using the three-axis magnetometer built into a mobile phone and related magnetometer software such as Magnetic Sensor, giving $x_1, x_2, x_3, \ldots, x_m$. The self-starting script is as follows:
Figure BDA0002349226600000081
Step 202, data smoothing: the data acquired in step 201 is smoothed to reduce the influence of outliers. The smoothing algorithm used is the moving average, the oldest and most popular technical analysis tool. The idea of the moving average is that, for a sequence, a certain number of data points near each point are selected and their arithmetic mean is calculated; the result is called the moving average and is used as the value of that point. The smoothed data is $y_1, y_2, y_3, \ldots, y_{634-N}$. The formula of the moving average algorithm is as follows:
Figure BDA0002349226600000082
where $y_t, y_{t+1}, \ldots$ are the observed values at times $t, t+1, \ldots$ respectively, and n is the average number of terms;
Step 203, endpoint detection: using the short-time autocorrelation coefficient endpoint detection algorithm, the short-time autocorrelation coefficient is calculated and the endpoints are determined by setting a reasonable threshold. This method is commonly used for endpoint detection in speech processing. The short-time energy calculation formula is as follows:
Figure BDA0002349226600000083
where $w(n)$ is a window function; here the window is a square window defined as follows:
Figure BDA0002349226600000084
where $N$ is the size of the window. After the short-time energy values have been calculated, points below the threshold are regarded as environmental noise, i.e. a silent segment.
Based on the data obtained in step 202, the autocorrelation coefficients $e_1, e_2, e_3, \ldots, e_{m-N}$ are calculated and a threshold is determined; the silent parts are removed and the retained signal is split into segments, giving
Figure BDA0002349226600000091
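The smoothing and endpoint-detection steps 202 and 203, as an added Python example that is not part of the patent. The patent's formulas did not survive on this page, so the standard forms are assumed (an n-point arithmetic mean and a rectangular-window sum of squares); the median centring, the parameter values and the trace are constructed for illustration.

```python
import math


def moving_average(samples, n):
    """Replace each point by the arithmetic mean of n consecutive samples."""
    if not 1 <= n <= len(samples):
        raise ValueError("n must be between 1 and len(samples)")
    window_sum = sum(samples[:n])
    out = [window_sum / n]
    for t in range(n, len(samples)):
        window_sum += samples[t] - samples[t - n]
        out.append(window_sum / n)
    return out


def short_time_energy(samples, win):
    """Energy of each length-win frame under a rectangular (all-ones) window."""
    squares = [s * s for s in samples]
    acc = sum(squares[:win])
    out = [acc]
    for i in range(win, len(squares)):
        acc += squares[i] - squares[i - win]
        out.append(acc)
    return out


def split_launches(samples, smooth_n, win, threshold, min_len):
    """Return (start, end, data) for every non-silent stretch of the trace.

    start/end index the smoothed trace; frames whose energy is at or below
    threshold are treated as ambient noise (silent segments) and dropped.
    """
    smoothed = moving_average(samples, smooth_n)
    # Assumption: subtract the median so the idle geomagnetic baseline has ~0 energy.
    baseline = sorted(smoothed)[len(smoothed) // 2]
    centred = [v - baseline for v in smoothed]
    energy = short_time_energy(centred, win)
    segments, start = [], None
    for i, e in enumerate(energy + [0.0]):  # trailing 0.0 closes an open segment
        if e > threshold and start is None:
            start = i
        elif e <= threshold and start is not None:
            end = i + win - 1  # the last active frame is i-1 and covers samples up to here
            if end - start >= min_len:
                segments.append((start, end, centred[start:end]))
            start = None
    return segments


def constructed_trace(launches=3, idle=60, burst=40):
    """Constructed magnetometer trace (uT): quiet baseline with periodic launch bursts."""
    quiet = [45.0 + 0.05 * math.sin(0.9 * t) for t in range(idle)]
    active = [45.0 + 4.0 * math.sin(2 * math.pi * t / 10) for t in range(burst)]
    return (quiet + active) * launches + quiet


if __name__ == "__main__":
    for start, end, data in split_launches(constructed_trace(), 3, 8, 2.0, 20):
        print(f"launch segment: samples {start}..{end - 1} ({len(data)} points)")
```

Each returned segment is slightly wider than the burst itself, because a frame counts as active as soon as it overlaps the burst.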
Step 204, feature extraction: from the multi-segment data sequences obtained in step 203,
Figure BDA0002349226600000092
Figure BDA0002349226600000093
two types of features are extracted, by applying two mathematical transformations to obtain the time-domain and frequency-domain features. The first transformation only normalizes the original data; the second applies the Fast Fourier Transform (FFT) to the normalized original data to obtain its frequency-domain feature distribution.
Step 205, computing the center sequences. For each of the two types of features from step 204, the CDBA algorithm is used to obtain a center sequence, which is used to represent the category. The goal of the CDBA algorithm is to find the mean center sequence of multiple time series. CDBA is a mean center algorithm based on the path-slope-constrained dynamic time warping (CDTW) distance. CDTW is an improvement on the DTW algorithm, a classic similarity measure in the field of time-series data mining. The idea of the CDTW algorithm is to find, for two time series, an optimal warping path $P = \{p_1, p_2, \ldots, p_w\}$ that minimizes the sum of the distances between the corresponding elements on the path, i.e.:
Figure BDA0002349226600000094
where $d(p_w) = d(x_i, x_j)$ represents the distance between corresponding elements from the different time series on the optimal warping path $P$. The Euclidean distance is typically used to measure the distance between elements, i.e. $d(x_i, y_i) = (x_i - y_i)^2$.
Using dynamic programming, a path meeting the optimality condition can be solved for under the corresponding path slope constraint, so that the cumulative distance of the last element in the path is minimal, i.e.:
Figure BDA0002349226600000101
where $k$ is the slope, a constraint on the path $P = \{p_1, p_2, \ldots, p_w\}$: a parameter that keeps the path from being too gentle or too steep.
The basic idea of CDBA is as follows: for a dataset $X = \{X_1, X_2, \ldots, X_N\}$, first initialize a center sequence $C = \{c_1, c_2, \ldots, c_\tau\}$ and use the DTW algorithm to calculate the warping path $P_i$ between $X$ and the center sequence $C$; for each value of $i$, according to $P_i$, select from $X_i$ the set of data points matched to data point $c_i$ of the center sequence
Figure BDA0002349226600000102
Finally, all data points in
Figure BDA0002349226600000103
are used to calculate the updated value of $c_i$ in the center sequence:
Figure BDA0002349226600000104
$C$ is then updated with $C'$, i.e. $C \leftarrow C'$, and the mean center sequence $C$ describing the time-series dataset $X$ is recomputed until it no longer changes between two successive updates (convergence). The CDTW-based mean center sequence reflects the morphological changes of the original time-series data. In addition, CDBA can use center sequences of different lengths to describe the morphological relationship between time series of unequal length in the dataset.
The center sequences $u_1, u_2$ of the two types of feature sequences are calculated, finally giving $T = \{u_1, u_2\}$, which completes the original feature library construction module.
As shown in fig. 3, the details of detecting the suspected software are as follows:
The software is started, and its EMR signal at startup, $X = \{x_1, x_2\}$, is acquired using a mobile phone magnetometer or other magnetometer equipment.
Step 301: The software under test is run on the electronic device, the EMR signal emitted while it starts is acquired using the same magnetometer device, and the acquired EMR signal is preprocessed (data smoothing, endpoint detection and removal of the silent parts); the processed data $y_{81}, \ldots, y_{500}$ is stored as a file.
Step 302: The two types of features, time-domain and frequency-domain, are extracted from the processed data and expressed as $X = \{x_1, x_2\}$.
Step 303: The EMR signal $X = \{x_1, x_2\}$ of the software under test and the feature library of the original software
Figure BDA0002349226600000111
are matched. A matching path is calculated using the shape-based dynamic time warping algorithm CDTW.
The degree of membership of the software is then calculated; if it is higher than the threshold, the software has not been tampered with, otherwise it has been tampered with. To reduce the influence of overfitting by the CDBA algorithm as far as possible, Bayesian probability is introduced to compute the degree of membership. The log probability is used to represent the probability that $X$ belongs to class $C$, and is calculated as follows:
Figure BDA0002349226600000112
where
Figure BDA0002349226600000113
denotes the CDTW path between $x$ and $u_c$, $K$ is the path length, $u_c$ is the center sequence of the class $C$ sequences,
Figure BDA0002349226600000114
is the index of the point on sequence $x$ at point $k$ of the path,
Figure BDA0002349226600000115
is the index of the point on sequence $u_c$ at point $k$ of the path, $\sigma_c$ is the standard deviation sequence of class $C$, and $\sigma_c(k)$ is the standard deviation of all points of all sequences aligned to the point $u_c(k)$, calculated by the formula:
$\sigma_c(k) \leftarrow \mathrm{std}(\mathrm{align}(u_c(k)))$.
The degree of membership is calculated for each feature, and the arithmetic mean of these values gives the overall degree of membership, which is compared with the threshold; the detection result is output and the user is notified.
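Steps 205 and 303 for the time-domain feature only, as an added Python example that is not the patent's code. Because the patent's recurrence and membership formula are missing from this page, the slope constraint used here is the Sakoe-Chiba P = 1 step pattern (local slope between 1/2 and 2) and the membership is a mean Gaussian log-density along the CDTW path; min-max normalisation, the sigma floor, the threshold margin and the traces are assumptions constructed for the demonstration.

```python
import math
from statistics import pstdev

INF = float("inf")
SIGMA_FLOOR = 0.05  # assumption: stops near-constant buckets giving sigma ~ 0


def normalise(seq):
    """Time-domain feature; min-max scaling is an assumed form of normalization."""
    lo, hi = min(seq), max(seq)
    return [(v - lo) / (hi - lo) for v in seq]


def cdtw_path(x, u):
    """DTW under the Sakoe-Chiba P=1 step pattern (local slope in [1/2, 2]).
    Returns (cost, path), the path being (index in x, index in u) pairs."""
    n, m = len(x), len(u)
    d = lambda i, j: (x[i] - u[j]) ** 2
    cost = [[INF] * m for _ in range(n)]
    back = [[None] * m for _ in range(n)]
    cost[0][0] = d(0, 0)
    for i in range(1, n):
        for j in range(1, m):
            # each step: (cell it starts from, cell crossed on the way, added cost)
            steps = [((i - 1, j - 1), None, d(i, j))]
            if i >= 2:
                steps.append(((i - 2, j - 1), (i - 1, j), d(i - 1, j) + d(i, j)))
            if j >= 2:
                steps.append(((i - 1, j - 2), (i, j - 1), d(i, j - 1) + d(i, j)))
            prev, via, added = min(steps, key=lambda s: cost[s[0][0]][s[0][1]] + s[2])
            cost[i][j] = cost[prev[0]][prev[1]] + added
            back[i][j] = (prev, via)
    if cost[-1][-1] == INF:
        raise ValueError("lengths differ too much for the slope constraint")
    path, cell = [], (n - 1, m - 1)
    while cell != (0, 0):
        path.append(cell)
        cell, via = back[cell[0]][cell[1]]
        if via is not None:
            path.append(via)
    path.append((0, 0))
    return cost[-1][-1], path[::-1]


def align(seqs, centre):
    """For every centre index, collect the sample values the paths map onto it."""
    buckets = [[] for _ in centre]
    for s in seqs:
        for i, j in cdtw_path(s, centre)[1]:
            buckets[j].append(s[i])
    return buckets


def cdba(seqs, max_iter=20, tol=1e-9):
    """Repeat 'align, then average each bucket' until the centre stops moving."""
    centre = list(seqs[0])
    for _ in range(max_iter):
        updated = [sum(b) / len(b) for b in align(seqs, centre)]
        moved = max(abs(a - b) for a, b in zip(updated, centre))
        centre = updated
        if moved < tol:
            break
    sigma = [max(pstdev(b), SIGMA_FLOOR) for b in align(seqs, centre)]
    return centre, sigma


def log_membership(x, centre, sigma):
    """Mean Gaussian log-density of x along its CDTW path to the centre."""
    path = cdtw_path(x, centre)[1]
    total = 0.0
    for i, j in path:
        z = (x[i] - centre[j]) / sigma[j]
        total += -0.5 * z * z - math.log(sigma[j] * math.sqrt(2 * math.pi))
    return total / len(path)


def launch_trace(n, phase, tampered=False):
    """Constructed launch waveform; n varies to mimic faster or slower starts."""
    out = []
    for t in range(n):
        p = t / (n - 1)
        v = math.sin(2 * math.pi * p) * math.exp(-2 * p) + 0.02 * math.sin(1.7 * t + phase)
        if tampered and p > 0.4:
            v += 0.5 * math.sin(12 * math.pi * p)  # constructed extra activity
        out.append(v)
    return normalise(out)


def demo():
    originals = [launch_trace(n, ph) for n, ph in [(36, 0.0), (40, 1.0), (44, 2.0), (48, 3.0)]]
    centre, sigma = cdba(originals)
    # Assumed threshold rule: worst original score minus a fixed margin.
    threshold = min(log_membership(s, centre, sigma) for s in originals) - 2.0
    genuine = log_membership(launch_trace(42, 4.0), centre, sigma)
    modified = log_membership(launch_trace(42, 4.0, tampered=True), centre, sigma)
    return threshold, genuine, modified


if __name__ == "__main__":
    print("threshold, genuine, modified =", demo())
```

A full implementation of the described method would compute the same score for the FFT feature and average the two before comparing with the threshold.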
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (7)

1. A method for detecting tampered software based on electromagnetic signals (EMR), characterized in that it is used to judge whether a program under test has been tampered with compared with the official original software; the method comprises the following steps:
step 1, constructing a feature database:
starting the software on the electronic device, acquiring with a magnetometer device the electromagnetic signal (EMR) emitted while the software starts, extracting the time-domain and frequency-domain features of the EMR signal, and constructing a feature database;
step 2, software detection:
for the EMR signals in the feature database, using a dynamic time warping algorithm with a path slope constraint as the distance measure, using the corresponding path-slope-constrained mean center algorithm to obtain the time-series center, matching the center against a preset feature library of the original software, calculating the degree of membership of the EMR signal, and judging against a threshold whether the software has been tampered with.
2. The method for detecting tampered software based on electromagnetic signals (EMR) according to claim 1, wherein the specific steps of constructing the feature database in step 1 are as follows:
step 11, repeatedly and periodically starting the relevant software on the electronic device while using the magnetometer device to continuously acquire the EMR data emitted by the device across these starts; smoothing the acquired EMR data and performing endpoint detection, removing the silent segments and cutting the EMR data into multiple sub-segments, each sub-segment being regarded as the electromagnetic signal data of a single software start;
step 12, applying mathematical transformations to the EMR signal segments processed in step 11 to extract their time-domain and frequency-domain features; the first feature, the time-domain feature, is obtained by normalization only; the second feature, the frequency-domain feature, is obtained by applying an FFT to the normalized original data;
step 13, for the time-domain and frequency-domain features respectively, calculating the mean center sequence using the CDBA algorithm and using the center sequence to represent the category; storing the center sequences to obtain the feature database.
3. The method for detecting tampered software based on electromagnetic signals (EMR) according to claim 2, characterized in that the magnetometer device in step 11 comprises a mobile phone with a built-in magnetic sensor and related magnetometer software, the magnetometer software including the MagneticSensor software.
4. The tamper software detection method based on electromagnetic signals EMR according to claim 2, characterized in that the implementation method in step 11 is specifically:
the self-starting process comprises the following steps: when the software is started, stopping running of all other software in the equipment to prevent software interference, sleeping for 10 seconds after the software is started each time, closing the software, sleeping for 10 seconds again and starting the software again;
and (3) data smoothing process: smoothing the obtained data to reduce the influence of abnormal points, wherein the used data smoothing algorithm is to smooth the data by moving average values, for a group of sequences, a certain amount of data near the points are selected and the arithmetic average value of the data is calculated, and the obtained data is the moving average value and is used as the data of the points; the formula of the moving average algorithm is as follows:
Figure FDA0002349226590000021
wherein $y_t, y_{t+1}, \ldots$ denote the observed values at times $t, t+1, \ldots$, respectively, and $n$ is the number of terms averaged;
endpoint detection process: the endpoint detection algorithm adopted is a short-time autocorrelation coefficient endpoint detection algorithm; the short-time autocorrelation coefficient is calculated and the endpoints are determined by setting a threshold value; the short-time energy calculation formula is as follows:
Figure FDA0002349226590000022
where $w(n)$ is the window function; the window used here is a square window, defined as follows:
Figure FDA0002349226590000023
and $N$ is the size of the window; after the short-time energy values have been calculated, points below the threshold are regarded as environmental noise, i.e. the mute segment.
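The preprocessing described in claim 4 (moving-average smoothing, short-time energy with a square window, threshold-based removal of mute segments), as an added example that is not code from the patent. The formula images are not reproduced on this page, so the forward averaging window, the trailing energy window, the function names, the parameter values and the constructed trace are assumptions.

```python
import math

def moving_average(y, n):
    """Mean of the n observations y[t], ..., y[t+n-1] for every full window."""
    return [sum(y[t:t + n]) / n for t in range(len(y) - n + 1)]

def short_time_energy(x, N):
    """E[i] = sum of x[m]^2 over the last N samples (square window, w = 1)."""
    sq = [v * v for v in x]
    return [sum(sq[max(0, i - N + 1):i + 1]) for i in range(len(x))]

def cut_segments(x, N, threshold, min_len=1):
    """Return (start, end) index pairs of runs whose energy is >= threshold."""
    active = [e >= threshold for e in short_time_energy(x, N)]
    segments, start = [], None
    for i, on in enumerate(active + [False]):    # sentinel closes a trailing run
        if on and start is None:
            start = i
        elif not on and start is not None:
            if i - start >= min_len:             # drop runs too short to be a launch
                segments.append((start, i))
            start = None
    return segments

def make_trace(launches=3, quiet=40, burst=25):
    """Constructed trace (not measured data): baseline-subtracted readings."""
    idle = [0.05 * (-1) ** i for i in range(quiet)]            # mute segment
    active = [2.0 + math.sin(0.9 * i) for i in range(burst)]   # software start
    trace = []
    for _ in range(launches):
        trace += idle + active
    return trace + idle

def preprocess(trace, n=3, N=5, threshold=1.0):
    """Smooth, detect endpoints, and return one sub-segment per software start."""
    smooth = moving_average(trace, n)
    return [smooth[a:b] for a, b in cut_segments(smooth, N, threshold, min_len=10)]

if __name__ == "__main__":
    for k, seg in enumerate(preprocess(make_trace())):
        print(f"launch {k}: {len(seg)} samples, peak {max(seg):.2f}")
```

A real magnetometer trace carries a large static field component, so the threshold only separates launches from idle periods once that baseline has been removed or the threshold is set relative to it.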
5. The method for detecting tampered software based on electromagnetic signal EMR according to claim 1, wherein the specific process of the CDBA algorithm adopted in step 13 is:
the CDBA algorithm is used to obtain the mean center sequence of a plurality of time series; it is a mean center algorithm for the dynamic time warping distance based on a path slope constraint (CDTW). The idea of the CDTW algorithm is to find, between two time series, an optimal warping path $P = \{p_1, p_2, \ldots, p_w\}$ that minimizes the sum of the distances between the corresponding elements along the warping path, i.e.:
Figure FDA0002349226590000024
wherein $d(p_w) = d(x_i, x_j)$ represents the distance between the corresponding elements, taken from the different time series, in the optimal warping path $P$; the Euclidean distance is typically used to measure the distance between elements, i.e. $d(x_i, y_i) = (x_i - y_i)^2$. Using dynamic programming under the corresponding path slope constraint, a path satisfying the optimality condition can be obtained, such that the accumulated distance at the last element of the path is minimal, i.e.:
Figure FDA0002349226590000031
where $k$ is the slope, which is the constraint on the path $P = \{p_1, p_2, \ldots, p_w\}$;
for the dataset $X = \{X_1, X_2, \ldots, X_N\}$, first a center sequence $C = \{c_1, c_2, \ldots, c_\tau\}$ is initialized, and the CDTW algorithm is used to calculate the warping path $P_i$ between $X_i$ and the center sequence $C$; for each value of $i$, according to $P_i$, the set of data points matching the data point $c_i$ of the center sequence is selected from $X_i$:
Figure FDA0002349226590000032
Finally, all data points
Figure FDA0002349226590000033
are used to calculate the updated value of $c_i$ in the center sequence:
Figure FDA0002349226590000034
$C$ is then updated with $C'$, i.e. $C \leftarrow C'$, and the mean center sequence $C$ describing the time-series dataset $X$ is computed again, until the mean center sequence no longer changes between two successive updates, i.e. it has converged; the mean center sequence based on CDTW reflects the morphological changes of the original time-series data, and in addition CDBA can use center sequences of different lengths to describe the morphological relationship between time series of unequal length in the dataset.
6. The method for detecting tampered software based on electromagnetic signal EMR according to claim 1, wherein the software detection in step 2 comprises the following steps:
step 21, running the software under test on the electronic device, using the same magnetometer device to acquire the EMR signal emitted when the software is started, and preprocessing the acquired EMR signal, including data smoothing, endpoint detection and removal of the mute part, to obtain the processed data;
step 22, extracting the corresponding time-domain and frequency-domain features from the processed data; the first feature is obtained by only normalizing the original data; the second is obtained by applying the Fast Fourier Transform (FFT) to the normalized original data, giving its frequency-domain feature distribution;
step 23, matching the EMR signal of the software under test against the original-software feature library and calculating the membership degree of the software under test; if the membership degree is higher than a threshold value, the software has not been tampered with, otherwise it has been tampered with; the membership degree is obtained using Bayesian probability; the membership degree is calculated for each feature, and finally the arithmetic mean of the membership degrees is taken as the combined membership degree, which is compared with the threshold to output the detection result.
7. The method for detecting tampered software based on electromagnetic signal EMR according to claim 6, wherein the formula for calculating the membership degree in step 23 is:
the probability that $x$ belongs to class $C$ is represented by a log probability, which is calculated as follows:
Figure FDA0002349226590000041
wherein
Figure FDA0002349226590000042
denotes the CDTW path between $x$ and $u_c$, $K$ is the path length, $u_c$ is the center sequence of class $C$,
Figure FDA0002349226590000043
is the index of the point on the sequence $x$ at point $k$ of the path,
Figure FDA0002349226590000044
is the index of the point on the sequence $u_c$ at point $k$ of the path, $\sigma_c$ is the standard-deviation sequence of class $C$, and $\sigma_c(k)$ denotes the standard deviation of the points of all sequences aligned to the point $u_c(k)$, calculated by the formula:
$\sigma_c(k) \leftarrow \mathrm{std}(\mathrm{align}(u_c(k)))$.
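One way to compute the CDTW distance and warping path that claims 5 and 7 rely on, as an added example that is not code from the patent. The patent's recurrence is in a figure not reproduced on this page, so the step pattern used to enforce the slope bound k is an assumption, as are the function name and the constructed sequences.

```python
import math

def cdtw(x, y, k=2):
    """Slope-constrained DTW between sequences x and y.

    Returns (distance, path), path being the aligned index pairs (i, j).
    Assumption: each step advances one index by 1 and the other by 1..k
    (one diagonal move, then straight), so no point is matched to more
    than k points of the other sequence. Element distance: (x_i - y_j)^2.
    """
    n, m = len(x), len(y)
    D = [[math.inf] * m for _ in range(n)]       # accumulated distance
    back = [[None] * m for _ in range(n)]        # (previous cell, cells crossed)
    D[0][0] = (x[0] - y[0]) ** 2
    steps = [(1, 1)] + [s for a in range(2, k + 1) for s in ((1, a), (a, 1))]
    for i in range(n):
        for j in range(m):
            for di, dj in steps:
                pi, pj = i - di, j - dj
                if pi < 0 or pj < 0 or math.isinf(D[pi][pj]):
                    continue
                # cells visited when stepping from (pi, pj) to (i, j)
                cells = [(pi + 1 + t * (di > 1), pj + 1 + t * (dj > 1))
                         for t in range(max(di, dj))]
                cost = D[pi][pj] + sum((x[a] - y[b]) ** 2 for a, b in cells)
                if cost < D[i][j]:
                    D[i][j], back[i][j] = cost, ((pi, pj), cells)
    if math.isinf(D[-1][-1]):
        return math.inf, []                      # lengths incompatible with slope k
    path, cell = [], (n - 1, m - 1)
    while cell != (0, 0):                        # walk the back-pointers to the start
        cell, cells = back[cell[0]][cell[1]]
        path = cells + path
    return D[-1][-1], [(0, 0)] + path

# Constructed sequences (not measured data): a stored center sequence, the same
# start-up shape stretched in time, and a trace with extra activity near the end.
CENTER = [0, 1, 3, 1, 0]
GENUINE = [0, 1, 1, 3, 3, 1, 0]
MODIFIED = [0, 1, 3, 1, 2, 2, 0]

if __name__ == "__main__":
    for name, seq in (("genuine", GENUINE), ("modified", MODIFIED)):
        dist, path = cdtw(CENTER, seq, k=2)
        print(name, dist, path)
```

The returned path supplies the index pairs that the membership formula of claim 7 iterates over; a stretch beyond the slope bound yields an infinite distance rather than a forced alignment.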
CN201911408166.6A 2019-12-31 2019-12-31 Tamper software detection method based on electromagnetic signal EMR Active CN111159041B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911408166.6A CN111159041B (en) 2019-12-31 2019-12-31 Tamper software detection method based on electromagnetic signal EMR

Publications (2)

Publication Number Publication Date
CN111159041A true CN111159041A (en) 2020-05-15
CN111159041B CN111159041B (en) 2022-05-24

Family

ID=70559730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911408166.6A Active CN111159041B (en) 2019-12-31 2019-12-31 Tamper software detection method based on electromagnetic signal EMR

Country Status (1)

Country Link
CN (1) CN111159041B (en)

Also Published As

Publication number Publication date
CN111159041B (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant