CN111159041A - Tampering software detection method based on electromagnetic signal EMR - Google Patents
- Publication number
- CN111159041A
- Authority
- CN
- China
- Prior art keywords
- software
- data
- emr
- sequence
- algorithm
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
Abstract
The invention discloses a method for detecting tampered software based on electromagnetic signal EMR, used to judge whether a program under test has been tampered with relative to the official original software. The method comprises the following steps. Step 1, constructing a feature database: the software is started on the electronic device, a magnetometer device captures the electromagnetic signal EMR emitted while the software starts, and the time-domain and frequency features of the EMR signal are extracted to build the feature database. Step 2, software detection: for the EMR signals in the feature database, a dynamic time warping algorithm based on a path-slope constraint is used as the distance measure, the corresponding path-slope-constrained mean-center algorithm is used to obtain the time-series center, the time-series center is matched against the preset feature library of the original software, the membership degree of the EMR signal is calculated, and whether the software has been tampered with is judged against a threshold. The invention can quickly and conveniently detect software that may have been tampered with, thereby safeguarding the security of the electronic device.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a tamper software detection method based on electromagnetic signal EMR.
Background
The network is full of tampered software, including rogue software and malicious software carrying viruses. Such software is often produced by modifying the original software from an official website, implanting advertisements or viruses, and then releasing it on the network to induce users to download it. Because of network limitations, cost, download speed and other factors, software is often obtained from offline installation packages or unofficial free download sites, and this software may have been maliciously tampered with or infected by viruses.
The harm caused by such software can be summarized as: 1. modified functions, so that the software no longer behaves as expected; 2. implanted advertisements, which cost the user unnecessary traffic; 3. implanted viruses, which threaten the security of the user's computer programs. There is currently little research on detecting such software. It is generally treated as a threat program and subjected to general security detection, for example by checking before installation for features such as modified registry information. This approach is prone to missed detections, and it can be bypassed because the software has only had functions added or removed and carries no serious virus signature. In general, it is not necessary to know what kind of virus the software contains; it is enough to compare it with the official original software to see whether it has been modified. Therefore, a simpler detection method can be used in practice.
A large number of past studies have shown that the electromagnetic signals (EMR) emitted by electronic devices are clearly distinguishable. Gupta, Sidhant et al. used an electromagnetic sensor to automatically detect and classify electronic devices in the home. They demonstrated experimentally that EMR signals are stable and predictable, which makes electromagnetic signature technology usable in homes. Vaucelle introduced an economical and effective design of wearable sensors for detecting the electric field strength and other characteristics emitted by notebook computer displays, and indicated that such electromagnetic radiation is expected to serve as a fingerprint of electrical devices for device localization. These studies demonstrated that electromagnetic signals can be sensed and distinguished, but the sensor requirements for such detection are relatively high. Zhu, Zhuangdi et al. successfully inferred the applications running and the web pages viewed by the user on a nearby computer using the built-in magnetometer of a commercial handset. Furthermore, Zhu, Zhuangdi et al. demonstrated that the detection of electromagnetic signals is not disturbed by geomagnetic signals. This study shows that electromagnetic signals can be identified and distinguished by portable devices such as cell phones.
When matching and classifying electromagnetic signals, the key problems are how to calculate the distance between two time series and how to find the center of a set of time series. The first problem is difficult because time series can differ in length: because of differences in device state, the start-up process captured in the EMR signals here may be faster or slower, so the EMR data is stretched or compressed over certain intervals. The DTW-based distance algorithm CDTW can effectively handle sequences of inconsistent length and timing. For the second problem, scholars have proposed several DTW-based averaging algorithms, such as DBA, but under some special conditions the average sequences these algorithms produce may contain steep sections, in which case the average sequence loses the original waveform characteristics.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a tamper software detection method based on an electromagnetic signal EMR, aiming at the defects in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows:
The invention provides a method for detecting tampered software based on electromagnetic signal EMR, used to judge whether a program under test has been tampered with relative to the official original software; the method comprises the following steps:
step 1, constructing a feature database:
the software is started on the electronic device, a magnetometer device captures the electromagnetic signal EMR emitted while the software starts, and the time-domain and frequency features of the EMR signal are extracted to build the feature database;
step 2, software detection:
for the EMR signals in the feature database, a dynamic time warping algorithm based on a path-slope constraint is used as the distance measure, the corresponding path-slope-constrained mean-center algorithm is used to obtain the time-series center, the time-series center is matched against the preset feature library of the original software, the membership degree of the EMR signal is calculated, and whether the software has been tampered with is judged against a threshold.
Further, the specific steps of constructing the feature database in step 1 of the present invention are:
step 11, the relevant software is started periodically, multiple times, on the electronic device, and a magnetometer device continuously captures the EMR data emitted by the device across these starts; the captured EMR data is smoothed and passed through endpoint detection, the silent segments are removed, and the data is cut into sub-segments, each of which is regarded as the electromagnetic signal data of a single start of the software;
step 12, mathematical transformations are applied to the EMR segments produced in step 11 to extract their time-domain and frequency-domain features; the first feature, the time-domain feature, is obtained by normalization only; the second feature, the frequency-domain feature, is obtained by applying an FFT to the normalized data;
step 13, for the time-domain and frequency-domain features, the respective mean center sequences are calculated with the CDBA algorithm, and each center sequence is used to represent the category; the center sequences are stored to obtain the feature database.
Further, the magnetometer device in step 11 of the invention comprises a mobile phone with a built-in magnetic sensor and related magnetometer software, wherein the magnetometer software includes the Magnetic Sensor software.
Further, the implementation method in step 11 of the present invention specifically includes:
the self-starting process: when the software is started, all other software on the device is stopped to prevent interference; after each start of the software there is a 10-second sleep, the software is closed, there is another 10-second sleep, and the software is started again;
the data smoothing process: the captured data is smoothed to reduce the influence of outliers; the smoothing algorithm used is the moving average: for each point of a sequence, a certain number of neighbouring data points are selected and their arithmetic mean is calculated, and the resulting moving average is used as the value of that point; the formula of the moving average algorithm is as follows:
where $y_t, y_{t+1}, \ldots$ denote the observed values at times $t, t+1, \ldots$ respectively, and $n$ is the number of terms in the average;
the endpoint detection process: the endpoint detection algorithm used is the short-time autocorrelation coefficient endpoint detection algorithm; the short-time autocorrelation coefficient is calculated and the endpoints are determined by setting a threshold; the short-time energy calculation formula is as follows:
where $w(n)$ is a window function; here the window is a square window defined as follows:
and $N$ is the size of the window; after the short-time energy values have been calculated, points below the threshold are regarded as environmental noise, i.e. a silent segment.
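The smoothing and endpoint-detection steps above, as an added Python example that is not part of the patent text. The formulas are not reproduced on this page, so the short-time energy is taken as the sum of squared samples under a rectangular window of size N; subtracting the trace median as a baseline, the parameter values and the constructed trace are assumptions.

```python
import math
import statistics


def moving_average(samples, n):
    """n-term moving average; returns len(samples) - n + 1 smoothed points."""
    if not 1 <= n <= len(samples):
        raise ValueError("n must be between 1 and len(samples)")
    return [sum(samples[t:t + n]) / n for t in range(len(samples) - n + 1)]


def short_time_energy(samples, frame_len):
    """Energy of each frame under a rectangular window of size frame_len."""
    baseline = statistics.median(samples)  # assumption: removes the static field
    squared = [(v - baseline) ** 2 for v in samples]
    return [sum(squared[m:m + frame_len])
            for m in range(len(samples) - frame_len + 1)]


def split_launches(samples, n=5, frame_len=8, threshold=2.0, min_len=10):
    """Smooth the trace, drop silent parts, return (smoothed, [(start, end)])."""
    smoothed = moving_average(samples, n)
    energy = short_time_energy(smoothed, frame_len)
    segments, start = [], None
    for m, e in enumerate(energy + [-math.inf]):   # sentinel closes a last run
        if e >= threshold and start is None:
            start = m                              # first frame above threshold
        elif e < threshold and start is not None:
            end = m - 1 + frame_len                # end index is exclusive
            if end - start >= min_len:             # ignore very short blips
                segments.append((start, end))
            start = None
    return smoothed, segments


def constructed_trace(launches=3, quiet=40, burst=30):
    """Constructed magnetometer trace (microtesla): quiet gaps around bursts."""
    def gap():
        return [45.0 + 0.05 * ((i * 7) % 5 - 2) for i in range(quiet)]
    trace = []
    for _ in range(launches):
        trace += gap()
        trace += [45.0 + 4.0 * math.sin(math.pi * i / burst) for i in range(burst)]
    return trace + gap()


if __name__ == "__main__":
    smoothed, segments = split_launches(constructed_trace())
    for start, end in segments:
        print(f"launch segment: smoothed samples {start}..{end - 1}")
```

Each returned index pair marks one start-up segment in the smoothed trace; the samples between segments are the silent sections that are discarded.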
Further, the specific process of the CDBA algorithm adopted in step 13 of the present invention is as follows:
the CDBA algorithm is used to find the mean center sequence of multiple time series; it is a mean-center algorithm based on the path-slope-constrained dynamic time warping (CDTW) distance. The idea of the CDTW algorithm is to find, for two time series, an optimal warping path $P = \{p_1, p_2, \ldots, p_w\}$ such that the sum of the distances between the elements matched by the warping path is minimal, i.e.:
where $d(p_w) = d(x_i, x_j)$ denotes the distance between the corresponding elements of the two time series on the optimal warping path $P$; the Euclidean distance is typically used to measure the distance between elements, i.e. $d(x_i, y_i) = (x_i - y_i)^2$. Using dynamic programming, a path satisfying the optimality condition can be found under the corresponding path-slope constraint, so that the cumulative distance at the last element of the path is minimal, i.e.:
where $k$ is the slope and is a constraint on the path $P = \{p_1, p_2, \ldots, p_w\}$;
in the data set $X = \{X_1, X_2, \ldots, X_N\}$, a center sequence $C = \{c_1, c_2, \ldots, c_\tau\}$ is first initialized, and the CDTW algorithm is used to calculate the warping path $P_i$ between $X$ and the center sequence $C$; for each value of $i$, the set of data points matching the center data point $c_i$ is selected from $X_i$ according to $P_i$; finally, all data points in that set are used to calculate the updated value of $c_i$ in the center sequence, namely:
$C$ is updated with $C'$, i.e. $C \leftarrow C'$, and the mean center sequence $C$ describing the time-series data set $X$ is recomputed until it converges, that is, until the mean center sequence is unchanged between two successive updates; the CDTW-based mean center sequence reflects the morphological changes of the original time-series data, and in addition CDBA can use center sequences of different lengths to describe the morphological relationships among time series of unequal length in the data set.
Further, the software detection in step 2 of the present invention specifically comprises the following steps:
step 21, the software under test is run on the electronic device, the same magnetometer device captures the EMR signal emitted while the software starts, and the captured signal is preprocessed (data smoothing, endpoint detection and removal of the silent parts) to obtain the processed data;
step 22, the corresponding time-domain and frequency-domain features are extracted from the processed data; the first feature is obtained by normalizing the original data only; the second is obtained by applying a fast Fourier transform (FFT) to the normalized data to obtain its frequency-domain feature distribution;
step 23, the EMR signal of the software under test is matched against the feature library of the original software and its membership degree is calculated; if the membership degree is higher than a threshold the software has not been tampered with, otherwise it has been tampered with; the membership degree is solved using Bayesian probability; the membership degree of each feature is calculated, and finally the arithmetic mean of these membership degrees gives the combined membership degree, which is used for the comparison and to output the detection result.
Further, the formula for calculating the membership degree in step 23 of the present invention is:
the probability of X belonging to class C is represented using log probability, which is calculated as follows:
where the formula uses the CDTW path between $x$ and $u_c$; $K$ is the path length; $u_c$ is the center sequence of the class-$C$ sequences; for each path point $k$ the formula takes the index of the point on sequence $x$ and the index of the point on sequence $u_c$; $\sigma_c$ is the standard-deviation sequence of class $C$; and $\sigma_c(k)$ denotes the standard deviation of all points, from all sequences, that are aligned to the point $u_c(k)$, calculated by the formula:
$\sigma_c(k) \leftarrow \mathrm{std}(\mathrm{align}(u_c(k)))$.
The invention has the following beneficial effects: in the method for detecting tampered software based on electromagnetic signal EMR, the software is started on the electronic device, a magnetometer device captures the EMR signal emitted while the software starts, and the time-domain and frequency features of the EMR signal are extracted; the path-slope-constrained dynamic time warping (CDTW) algorithm is used as the distance measure, the corresponding path-slope-constrained mean-center (CDBA) algorithm is used to obtain the time-series center, the time-series center is matched against the preset feature library of the original software, and its membership degree is calculated to judge against a threshold whether tampering has occurred. With this method, software that may have been tampered with can be detected quickly and conveniently, thereby safeguarding the security of the electronic device.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is an overall block diagram of the detection method of the present invention.
FIG. 2 is a feature library building block of the detection system of the present invention.
FIG. 3 is a detection module of the detection method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the embodiment of the invention, a user uses an offline installation package infected by a virus, or downloads from an unsafe website a piece of software, such as an operating system, bundled with multiple programs. Promoted applications or background trojans may be embedded in the tampered software, and such software is often installed successfully on the electronic device by bypassing common security checks. Generally, there is no need to determine what the hidden danger is: the hazard can be eliminated simply by comparing the software with the original to see whether it has been tampered with. To detect whether software carries a hidden danger or has later been modified, an EMR fingerprint database of the software to be checked needs to be constructed.
As shown in fig. 1, the detection system is divided into two modules, one is a construction module of a feature library of original software, and the other is a detection module of software to be detected.
Step 101: EMR signal data is first collected at the time of original software startup.
Step 102: the captured data is preprocessed: data smoothing and endpoint detection.
Step 103: time-domain and frequency-domain features are extracted from the data.
Step 104: the mean centers of the two types of feature sequences are calculated with the CDBA algorithm, completing the construction of the feature library.
Step 105: in the detection module, the software under test is run and the EMR signal data emitted while it starts is captured.
Step 106: the time-domain and frequency-domain features of the EMR signal of the software under test are extracted.
Step 107: the features are matched against the pre-constructed feature library using CDTW, and the membership degree is calculated.
Step 108: the membership degree obtained in step 107 is compared with a threshold; if it is greater than the threshold, the software is considered not to have been tampered with; otherwise the software has been tampered with and carries a certain hidden danger. The final detection result is output and the user is informed.
As shown in fig. 2, the details of the construction of the feature library of the original software are as follows:
Step 201, data collection: the relevant software is started periodically, multiple times, on the electronic device, and the three-axis magnetometer built into a mobile phone, together with magnetometer software such as Magnetic Sensor, continuously captures the EMR data of the electronic device across these starts. This yields $x_1, x_2, x_3, \ldots, x_m$. The self-starting script is as follows:
Step 202, data smoothing: the data captured in step 201 is smoothed to reduce the influence of outliers. The smoothing algorithm used is the moving average, the oldest and most popular technical analysis tool. The idea of the moving average is that, for each point of a sequence, a certain number of neighbouring data points are selected and their arithmetic mean is calculated; the result is called the moving average and is used as the value of that point. The smoothed data is $y_1, y_2, y_3, \ldots, y_{634-N}$. The formula of the moving average algorithm is as follows:
where $y_t, y_{t+1}, \ldots$ denote the observed values at periods $t, t+1, \ldots$ respectively, and $n$ is the number of terms in the average;
Step 203, endpoint detection: the short-time autocorrelation coefficient endpoint detection algorithm is used to calculate the short-time autocorrelation coefficient, and the endpoints are determined by setting a reasonable threshold. This method is commonly used for endpoint detection in speech processing. The short-time energy calculation formula is as follows:
where $w(n)$ is a window function; here the window is a square window defined as follows:
where $N$ is the size of the window. After the short-time energy values have been calculated, points below the threshold are regarded as environmental noise, i.e. a silent segment.
The autocorrelation coefficients $e_1, e_2, e_3, \ldots, e_{m-N}$ are calculated from the data obtained in step 202, a threshold is determined, and the data is segmented, removing the silent parts and keeping the signal segments. To obtain
Step 204, feature extraction: from the multi-segment data sequence obtained in step 203, two types of features are extracted; two mathematical transformations are applied to it to extract its time-domain and frequency-domain features. The first transformation normalizes the original data only; the second applies a fast Fourier transform (FFT) to the normalized data to obtain its frequency-domain feature distribution.
Step 205, finding the center sequence: for the two types of features from step 204, the CDBA algorithm is used to obtain a center sequence for each, and the center sequence is used to represent the category. The objective of the CDBA algorithm is to find the mean center sequence of multiple time series. CDBA is a mean-center algorithm based on the path-slope-constrained dynamic time warping (CDTW) distance. CDTW is an improvement on the DTW algorithm, and DTW is a classic similarity measure in the field of time-series data mining. The idea of the CDTW algorithm is to find, for two time series, an optimal warping path $P = \{p_1, p_2, \ldots, p_w\}$ that minimizes the sum of the distances between the elements matched by the warping path, i.e.:
where $d(p_w) = d(x_i, x_j)$ denotes the distance between the corresponding elements of the two time series on the optimal warping path $P$; the Euclidean distance is typically used to measure the distance between elements, i.e. $d(x_i, y_i) = (x_i - y_i)^2$;
Using dynamic programming, a path satisfying the optimality condition can be found under the corresponding path-slope constraint, so that the cumulative distance at the last element of the path is minimal, i.e.:
where $k$ is the slope, a constraint on the path $P = \{p_1, p_2, \ldots, p_w\}$: it is the parameter that controls whether the path is too gentle or too steep.
The basic idea of CDBA is as follows: in the data set $X = \{X_1, X_2, \ldots, X_N\}$, a center sequence $C = \{c_1, c_2, \ldots, c_\tau\}$ is first initialized, and the DTW algorithm is used to calculate the warping path $P_i$ between $X$ and the center sequence $C$; for each value of $i$, the set of data points matching the center data point $c_i$ is selected from $X_i$ according to $P_i$; finally, all data points in that set are used to calculate the updated value of $c_i$ in the center sequence, namely:
$C$ is updated with $C'$, i.e. $C \leftarrow C'$, and the mean center sequence $C$ describing the time-series data set $X$ is recomputed until it converges, that is, until the mean center sequence is unchanged between two successive updates. The CDTW-based mean center sequence reflects the morphological changes of the original time-series data. In addition, CDBA can use center sequences of different lengths to describe the morphological relationships among time series of unequal length in the data set.
The center sequences $u_1, u_2$ of the two types of feature sequences are calculated, finally giving $T = \{u_1, u_2\}$, which completes the original feature library construction module.
As shown in fig. 3, the details of the detection of the suspected software to be detected:
The software is started, and the EMR signal $X = \{x_1, x_2\}$ emitted while it starts is captured with a mobile phone magnetometer or other magnetometer device.
Step 301: the software under test is run on the electronic device, the same magnetometer device captures the EMR signal emitted while the software starts, and the captured signal is preprocessed (data smoothing, endpoint detection and removal of the silent parts); the processed data $y_{81}, \ldots, y_{500}$ is stored as a file.
Step 302: the two types of features, time-domain and frequency-domain, are extracted from the processed data and expressed as $X = \{x_1, x_2\}$.
Step 303: the EMR signal $X = \{x_1, x_2\}$ of the software under test is matched against the feature library of the original software. A matching path is calculated using the shape-based dynamic time warping algorithm CDTW.
And calculating the membership degree of the software, wherein if the membership degree is higher than a threshold value, the software is not tampered, and otherwise, the software is tampered. In order to reduce the influence of CDBA algorithm overfitting as much as possible, Bayesian probability is introduced to solve the membership degree. The log probability is used to represent the probability that X belongs to class C and is calculated as follows:
where the formula uses the CDTW path between $x$ and $u_c$; $K$ is the path length; $u_c$ is the center sequence of the class-$C$ sequences; for each path point $k$ the formula takes the index of the point on sequence $x$ and the index of the point on sequence $u_c$; $\sigma_c$ is the standard-deviation sequence of class $C$; and $\sigma_c(k)$ denotes the standard deviation of all points, from all sequences, that are aligned to the point $u_c(k)$, calculated by the formula:
$\sigma_c(k) \leftarrow \mathrm{std}(\mathrm{align}(u_c(k)))$.
The membership degree of each feature is calculated, and finally the arithmetic mean of these membership degrees gives the combined membership degree, which is then compared; the detection result is output and the user is informed.
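An added sketch (not the patent's own code) of steps 205 and 301 to 303: slope-constrained DTW, CDBA averaging with the per-point standard deviation, and the membership decision. Because the formulas are not reproduced on this page, several parts are assumptions: the slope constraint is an Itakura-style parallelogram with maximum slope k, the membership is a Gaussian log-likelihood averaged over the path length K, and the sigma floor, the naive DFT feature and the constructed, already normalised traces are illustrative.

```python
import cmath
import math
import statistics

def cdtw(x, y, k=2.0):
    """Slope-constrained DTW; returns (cost, path) with path = [(i, j), ...].

    Assumed constraint: a cell is usable only if it can be reached from the
    start, and the end from it, with a slope between 1/k and k.
    """
    n, m = len(x), len(y)

    def allowed(i, j):
        ri, rj = n - 1 - i, m - 1 - j      # steps left to the end corner
        return j <= k * i and i <= k * j and rj <= k * ri and ri <= k * rj

    cost = [[math.inf] * m for _ in range(n)]
    back = [[None] * m for _ in range(n)]
    for i in range(n):
        for j in range(m):
            if not allowed(i, j):
                continue
            d = (x[i] - y[j]) ** 2         # element distance given on the page
            if i == 0 and j == 0:
                cost[0][0] = d
                continue
            steps = [(i - 1, j - 1), (i - 1, j), (i, j - 1)]
            best, arg = min(((cost[a][b], (a, b)) for a, b in steps
                             if a >= 0 and b >= 0), key=lambda s: s[0])
            if best < math.inf:
                cost[i][j], back[i][j] = best + d, arg
    if cost[-1][-1] == math.inf:
        raise ValueError("no warping path satisfies the slope constraint")
    path, node = [], (n - 1, m - 1)
    while node is not None:                # walk the back-pointers to (0, 0)
        path.append(node)
        node = back[node[0]][node[1]]
    return cost[-1][-1], path[::-1]

def cdba(sequences, k=2.0, sigma_floor=0.05, max_iter=20):
    """Return (center, sigma): mean-center sequence and per-point std."""
    center = list(sequences[0])            # assumption: start from first trace
    for _ in range(max_iter):
        buckets = [[] for _ in center]
        for seq in sequences:
            for ci, si in cdtw(center, seq, k)[1]:
                buckets[ci].append(seq[si])   # points aligned to center[ci]
        updated = [statistics.fmean(b) for b in buckets]
        done = all(abs(a - b) < 1e-9 for a, b in zip(center, updated))
        center = updated
        if done:
            break
    sigma = [max(statistics.pstdev(b), sigma_floor) for b in buckets]
    return center, sigma

def membership(x, center, sigma, k=2.0):
    """Assumed form: mean Gaussian log-likelihood along the CDTW path."""
    path = cdtw(x, center, k)[1]
    total = 0.0
    for i, j in path:
        z = (x[i] - center[j]) / sigma[j]
        total += -math.log(sigma[j] * math.sqrt(2 * math.pi)) - 0.5 * z * z
    return total / len(path)

def is_tampered(probe, library, threshold, k=2.0):
    """Average the per-feature memberships; above threshold means untampered."""
    scores = [membership(probe[name], *library[name], k) for name in library]
    combined = statistics.fmean(scores)
    return combined <= threshold, combined

def features(trace):
    """Time-domain trace plus peak-normalised DFT magnitude (naive DFT)."""
    n = len(trace)
    mags = [abs(sum(v * cmath.exp(-2j * math.pi * f * t / n)
                    for t, v in enumerate(trace))) for f in range(n // 2 + 1)]
    return {"time": list(trace), "freq": [m / max(mags) for m in mags]}

def constructed_launch(length, gain=1.0, extra=0.0):
    """Constructed, already normalised start-up trace; `extra` adds activity."""
    return [gain * math.sin(math.pi * t / (length - 1))
            + (extra if 8 <= t < 16 else 0.0) for t in range(length)]

# Constructed sample data: three reference launches of unequal length.
REFERENCE = [features(constructed_launch(20)),
             features(constructed_launch(22, 0.95)),
             features(constructed_launch(24, 1.05))]
LIBRARY = {name: cdba([ref[name] for ref in REFERENCE])
           for name in ("time", "freq")}
GENUINE = features(constructed_launch(21))
TAMPERED = features(constructed_launch(21, extra=1.0))
```

The decision threshold has to be calibrated on held-out launches of the original software, since the membership scale depends on the sigma floor and on how noisy the reference traces are.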
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.
Claims (7)
1. A method for detecting tampered software based on electromagnetic signal EMR, characterized in that it is used to judge whether a program under test has been tampered with relative to the official original software; the method comprises the following steps:
step 1, constructing a feature database:
the software is started on the electronic device, a magnetometer device captures the electromagnetic signal EMR emitted while the software starts, and the time-domain and frequency features of the EMR signal are extracted to build the feature database;
step 2, software detection:
for the EMR signals in the feature database, a dynamic time warping algorithm based on a path-slope constraint is used as the distance measure, the corresponding path-slope-constrained mean-center algorithm is used to obtain the time-series center, the time-series center is matched against the preset feature library of the original software, the membership degree of the EMR signal is calculated, and whether the software has been tampered with is judged against a threshold.
2. The method for detecting the tampering software based on the EMR of the electromagnetic signal according to claim 1, wherein the specific steps of constructing the feature database in the step 1 are as follows:
step 11, the relevant software is started periodically, multiple times, on the electronic device, and a magnetometer device continuously captures the EMR data emitted by the device across these starts; the captured EMR data is smoothed and passed through endpoint detection, the silent segments are removed, and the data is cut into sub-segments, each of which is regarded as the electromagnetic signal data of a single start of the software;
step 12, mathematical transformations are applied to the EMR segments produced in step 11 to extract their time-domain and frequency-domain features; the first feature, the time-domain feature, is obtained by normalization only; the second feature, the frequency-domain feature, is obtained by applying an FFT to the normalized data;
step 13, for the time-domain and frequency-domain features, the respective mean center sequences are calculated with the CDBA algorithm, and each center sequence is used to represent the category; the center sequences are stored to obtain the feature database.
3. The method for detecting tampered software based on electromagnetic signal EMR according to claim 2, characterized in that the magnetometer device in step 11 comprises a mobile phone with a built-in magnetic sensor and related magnetometer software, wherein the magnetometer software includes the Magnetic Sensor software.
4. The tamper software detection method based on electromagnetic signals EMR according to claim 2, characterized in that the implementation method in step 11 is specifically:
the self-starting process: when the software is started, all other software on the device is stopped to prevent interference; after each start of the software there is a 10-second sleep, the software is closed, there is another 10-second sleep, and the software is started again;
the data smoothing process: the captured data is smoothed to reduce the influence of outliers; the smoothing algorithm used is the moving average: for each point of a sequence, a certain number of neighbouring data points are selected and their arithmetic mean is calculated, and the resulting moving average is used as the value of that point; the formula of the moving average algorithm is as follows:
where $y_t, y_{t+1}, \ldots$ denote the observed values at times $t, t+1, \ldots$ respectively, and $n$ is the number of terms in the average;
the endpoint detection process: the endpoint detection algorithm used is the short-time autocorrelation coefficient endpoint detection algorithm; the short-time autocorrelation coefficient is calculated and the endpoints are determined by setting a threshold; the short-time energy calculation formula is as follows:
where $w(n)$ is a window function; here the window is a square window defined as follows:
and $N$ is the size of the window; after the short-time energy values have been calculated, points below the threshold are regarded as environmental noise, i.e. a silent segment.
5. The method for detecting tampering software based on electromagnetic signal EMR as claimed in claim 1, wherein the specific process of the CDBA algorithm adopted in step 13 is:
The CDBA algorithm computes the mean center sequence of multiple time series; it is a mean center algorithm based on the dynamic time warping distance with a path slope constraint (CDTW). The idea of the CDTW algorithm is to find, between two time series, an optimal warping path $P = \{p_1, p_2, \ldots, p_w\}$ that minimizes the sum of the distances between corresponding elements along the warping path, i.e.:
where $d(p_w) = d(x_i, x_j)$ denotes the distance between corresponding elements from the two time series on the optimal warping path $P$; the Euclidean distance is typically used to measure the distance between elements, i.e. $d(x_i, y_i) = (x_i - y_i)^2$. Using dynamic programming, a path satisfying the optimality condition can be found under the corresponding path slope constraint, such that the accumulated distance at the last element of the path is minimal, namely:
where $k$ is the slope, which constrains the path $P = \{p_1, p_2, \ldots, p_w\}$;
For the dataset $X = \{X_1, X_2, \ldots, X_N\}$, a center sequence $C = \{c_1, c_2, \ldots, c_\tau\}$ is first initialized, and the CDTW algorithm is used to calculate the warping path $P_i$ between $X_i$ and the center sequence $C$; for each value of $i$, according to $P_i$, the set of data points matched to the data point $c_i$ of the center sequence is selected from $X_i$; finally, all the matched data points are used to calculate the updated value of $c_i$ in the center sequence, namely:
$C$ is then updated with $C'$, i.e. $C \leftarrow C'$, and the mean center sequence $C$ describing the time series dataset $X$ is recomputed until it converges, i.e. until the mean center sequence is unchanged between two successive updates. The CDTW-based mean center sequence reflects the morphological changes of the original time series data; in addition, CDBA can describe the morphological relationships among time series of unequal length in the dataset by using center sequences of different lengths.
6. The method for detecting tampering software based on electromagnetic signals EMR as claimed in claim 1, wherein the software detection in step 2 comprises the following steps:
Step 21: run the software to be tested on the electronic device, acquire the EMR signal emitted when the software starts using the same magnetometer device, and preprocess the acquired EMR signal (data smoothing, endpoint detection and removal of the silent part) to obtain the processed data;
Step 22: extract the corresponding time domain features and frequency domain features from the processed data; the first feature is the original data after normalization only; the third is the frequency domain distribution obtained by applying a Fast Fourier Transform (FFT) to the normalized original data;
Step 23: match the EMR signal of the software to be tested against the original software feature library and calculate its membership degree; if the membership degree is higher than a threshold value, the software has not been tampered with, otherwise it has been tampered with. The membership degree is solved using Bayesian probability; a membership degree is calculated for each feature, and the arithmetic mean of these membership degrees gives the comprehensive membership degree that is compared with the threshold to output the detection result.
7. The method for EMR-based tamper software detection of claim 6, wherein the formula for calculating membership in step 23 is:
The probability that X belongs to class C is expressed as a log probability, calculated as follows:
where denotes the CDTW path between $x$ and $u_c$; $K$ is the path length; $u_c$ is the center sequence of the class C sequences; is the index of the point on sequence $x$ at path point $k$; is the index of the point on sequence $u_c$ at path point $k$; $\sigma_c$ is the standard deviation sequence of class C; and $\sigma_c(k)$ denotes the standard deviation of all points, over all sequences, that are aligned to the point $u_c(k)$, calculated by the formula:
$\sigma_c(k) \leftarrow \mathrm{std}(\mathrm{align}(u_c(k)))$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911408166.6A CN111159041B (en) | 2019-12-31 | 2019-12-31 | Tamper software detection method based on electromagnetic signal EMR |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111159041A (en) | 2020-05-15 |
CN111159041B (en) | 2022-05-24 |
Family
ID=70559730
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911408166.6A Active CN111159041B (en) | 2019-12-31 | 2019-12-31 | Tamper software detection method based on electromagnetic signal EMR |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111159041B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN111159041B (en) | 2022-05-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||