CN111444502A - Population-oriented android malicious software detection model library method - Google Patents

Info

Publication number
CN111444502A
Authority
CN
China
Prior art keywords
application
population
recognizer
authority
classifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911215882.2A
Other languages
Chinese (zh)
Other versions
CN111444502B (en)
Inventor
余东豪
李涛
余鑫
张晏成
颜松
郑昊天
常远
贾志强
乐金祥
黄甫
谢君臣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Science and Engineering WUSE
Original Assignee
Wuhan University of Science and Engineering WUSE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University of Science and Engineering WUSE filed Critical Wuhan University of Science and Engineering WUSE
Priority to CN201911215882.2A priority Critical patent/CN111444502B/en
Publication of CN111444502A publication Critical patent/CN111444502A/en
Application granted granted Critical
Publication of CN111444502B publication Critical patent/CN111444502B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a population-oriented Android malware detection model library method comprising the following steps: 1) collecting application files, extracting each application's permission usage, integrating it into a permission information matrix, and forming application population information according to the category labels; 2) training a classifier on the extracted application permission set; 3) obtaining the permission information matrix of an application to be detected, determining its category with the classifier, and feeding the application's population information to the model library as input; finding the recognizer pool corresponding to that population in the model library, detecting the application with the recognizer that best satisfies the constraint conditions, and judging whether the application is malicious. The method borrows the idea of a biological population: it divides applications into different populations by processing their permission features, uses constraints to find the corresponding recognition model in the model library, and finally obtains a better recognition result.

Description

Population-oriented android malicious software detection model library method
Technical Field
The invention relates to malware detection technology, and in particular to a population-oriented Android malware detection model library method.
Background
Detecting malicious Android applications is an uncertainty problem. To date, malware detection methods can be classified into static detection, dynamic detection, and combined dynamic-static detection. With the rise of machine learning and data mining, however, more and more researchers combine these earlier dynamic and static detection methods with machine learning techniques.
At present, detectors for malicious Android applications are mainly trained with machine learning methods such as support vector machines, random forests and K-means. These detection methods lay a foundation for Android detection but have some shortcomings: because Android applications are so diverse, the use of privacy permissions is a typical uncertainty problem, and it is difficult to distinguish normal permissions from privacy permissions. Using the same detector for all kinds of applications therefore still has certain disadvantages.
Different types of applications have different permission requirements, so permission usage should be considered not only in terms of the permissions themselves or of an individual application, but also in combination with the app's function. Take the permission to read the address book: for social applications, most users register accounts with their mobile phone numbers and the application can associate friends for the user through the user's contact records, so the permission is needed to keep the application's functionality complete; for tool applications such as a flashlight or a reader it is unnecessary, and holding it violates the principle of least privilege. The risk posed by the same permission therefore differs between applications of different functional types. Applications with similar purposes have similar functionality and hence similar permission requirements.
Therefore, borrowing the concept of a population from biology, the invention provides a population-based method suitable for large-scale detection of malicious Android applications. Applications of the same type perform similar functions and require similar system permissions. Applications with the same function type are therefore grouped into a population and given a population label, and malicious-application detection is carried out with the population as the unit.
Disclosure of Invention
The technical problem to be solved by the invention is to provide, in view of the defects in the prior art, a population-oriented Android malware detection model library method.
The technical solution adopted by the invention to solve this technical problem is a population-oriented Android malware detection model library method comprising the following steps:
1) collecting application files, extracting each application's permission usage, integrating it into a permission information matrix, and forming application population information according to the category labels; the population information comprises the category label of each application and the permission information matrix obtained after permission preprocessing of the applications;
2) training a classifier on the extracted application permission set;
dividing the extracted application permission set into a training set and a test set, wherein the training set is the input of an SMO algorithm classifier, so that through continued learning the classifier can classify applications by their permissions; the test set is used to test the classifier and verify its classification performance;
3) obtaining the permission information matrix of an application to be detected, determining the category of the application with the classifier, grouping applications with the same function type into a population, assigning the population's category label to the application, and taking the population information of the application to be detected as the input of the model library; the model library encapsulates the recognizer pools of a plurality of populations, and each recognizer pool consists of recognizers trained with three algorithms: SVM, random forest and fully connected neural network;
finding the recognizer pool corresponding to the population in the model library, detecting the application with the recognizer that best satisfies the constraint conditions, and judging whether the application is malicious.
According to the above scheme, in step 2) the SMO function of Weka is used to train and build a classification model on the data set.
According to the above scheme, detecting the application and judging its maliciousness in step 3) specifically comprises:
3.1) finding the population recognizer pool of the corresponding type in the model library according to the category label of the application's population; the population recognizer pool comprises an SVM recognizer, a random forest recognizer and a fully connected neural network recognizer;
3.2) finding, according to the constraint conditions, the recognizer Classifier in the population recognizer pool that best satisfies them; the recognizer Classifier is one of the SVM recognizer, the random forest recognizer and the fully connected neural network recognizer;
the constraint conditions are detection accuracy and detection running time;
3.3) providing the application's population information as input to the Classifier for recognition and outputting a result R, where R is either benign application or malicious application.
The invention has the following beneficial effects: borrowing the idea of a biological population, it divides applications into different populations by processing their permission features, uses constraints to find the corresponding recognition model in the model library, and finally obtains a better recognition result. The invention has the following characteristics:
(1) applications are classified with the more efficient sequential minimal optimization (SMO) algorithm, and the classification accuracy for each category exceeds 85%;
(2) when an application is detected, the corresponding recognizer population is found automatically in the model library according to the application's category, which improves recognition;
(3) by adding constraint conditions, the recognizer that best satisfies them is selected, so that the recognition result matches what the user expects.
The method can detect a large number of applications simultaneously, is easy to implement and simple to use, and lets the user obtain the desired result by modifying the constraints. It provides a new approach to identifying Android malware.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flow chart of a method of an embodiment of the present invention;
FIG. 2 is a schematic diagram of population information for an embodiment of the present invention;
FIG. 3 is a schematic diagram of classifier training according to an embodiment of the present invention;
FIG. 4 is a diagram of a test model architecture according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in FIG. 1, a population-oriented Android malware detection model library method comprises the following steps:
1) collecting application files, extracting each application's permission usage, integrating it into a permission information matrix, and forming application population information according to the category labels; the population information comprises the category label of each application and the permission information matrix obtained after permission preprocessing of the applications;
application APK files are crawled from the Internet as positive samples with a purpose-written Python program, malicious application samples are obtained from VirusShare, and each application's permission usage is extracted and integrated into a permission matrix;
in this embodiment, 360 application markets and an intelligent application market are selected as data sources; a crawler is written in Python, and applications are crawled and stored by category using the application category labels provided by the websites, so that applications are downloaded from the application markets continuously and in batches.
The source data acquired by the crawler requires further permission feature extraction before it can serve as the basic data of the experiment. Feature extraction is divided into three stages: decompiling, parsing the XML file, and constructing the feature vector, specifically:
(1) in the decompiling stage, Apktool is combined with a Python script to decompile the application and obtain the manifest file AndroidManifest.xml used when the application is installed;
(2) in the XML parsing stage, this embodiment uses the aapt (Android Asset Packaging Tool) tool, an android manifest.
(3) after the application permissions are extracted, they are stored in a cloud database with the population as the unit. Because the permission information is a scalar, it is stored as a 0-1 matrix, where 1 means the permission feature is present and 0 means it is absent;
at this point, a feature data set DataSet divided by population is obtained.
The population is the essential foundation of the invention. APK files are converted into population information data, giving a unified input format for model library detection. A sample is marked 1 in a given dimension if that feature is present and 0 if not, as shown in FIG. 2.
The malicious field indicates whether the application is malware: 1 means yes and 0 means no. The Class field gives the application's category. PackageName is the application's package name and its unique identifier. The remaining fields are the 144 permissions of the Android system: if the application has a given permission the corresponding value is 1, otherwise 0.
In the applications considered in this embodiment, the permissions are all subsets of the full set of Android permissions. The permission information and population information are defined as follows.
Definition 1 (Android application permissions):
$Permissions = \{P_i \mid P_i \in Android\}$
meaning that the permission information set is a subset of all Android permissions.
Applications with the same function type form a population. The populations are divided into x categories, and the categories may change as the total number of crawled apps grows. The category set is defined as:
Definition 2 (class labels):
$Class = \{C_1, C_2, \ldots, C_x\}$
where $C_x$ is the category label of each population, for example flashlight, camera, player or social chat;
Definition 3 (population):
$Population = \{C_x, PermissionMatrix\}$
where $C_x$ is the category label of each population and PermissionMatrix is the permission information matrix obtained after permission preprocessing of each application, defined as follows:
Definition 4 (permission matrix):
$PermissionMatrix = \{P_{ij} \mid i = 1, 2, 3, \ldots, m;\ j = 1, 2, 3, \ldots, n\}$
where $i$ denotes the app numbered $i$ in population $C_x$; if $APP_i$ holds permission $j$ then $P_{ij}$ is 1, otherwise $P_{ij}$ is 0.
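As an added illustration (not code from the patent), the Python sketch below builds the Population structure of Definitions 3 and 4 from decoded manifests: it parses each AndroidManifest.xml, maps the requested permissions onto a fixed vocabulary, and groups the 0-1 rows by class label. The five-permission vocabulary, the package names and the sample manifests are constructed for the example; the patent's matrix has 144 permission columns.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Illustrative 5-column vocabulary (assumption); the patent uses 144 columns.
PERMISSIONS = [
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
]


def parse_manifest(xml_text):
    """Return (package name, set of requested permission names)."""
    # Manifests come from untrusted APKs: refuse DTDs so entity-expansion
    # payloads never reach the parser (defusedxml is the usual library choice).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("manifest contains a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.findall(tag):
            name = node.get(NAME_ATTR)
            if name:                      # skip malformed entries without a name
                requested.add(name.strip())
    return root.get("package", ""), requested


def permission_row(requested, vocabulary=PERMISSIONS):
    """One row P_i of the PermissionMatrix: P_ij = 1 if permission j is held."""
    # Permissions outside the vocabulary (e.g. app-defined ones) get no column.
    return [1 if p in requested else 0 for p in vocabulary]


def build_populations(samples, vocabulary=PERMISSIONS):
    """Group samples into Population = {C_x, PermissionMatrix} by class label.

    samples: iterable of (class_label, malicious_flag, manifest_xml_text).
    """
    populations = defaultdict(
        lambda: {"packages": [], "malicious": [], "matrix": []})
    for class_label, malicious, xml_text in samples:
        package, requested = parse_manifest(xml_text)
        pop = populations[class_label]
        pop["packages"].append(package)
        pop["malicious"].append(int(malicious))
        pop["matrix"].append(permission_row(requested, vocabulary))
    return dict(populations)


def make_manifest(package, perms):
    """Build a minimal decoded manifest (constructed sample input)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">%s<application/>'
            '</manifest>' % (ANDROID_NS, package, uses))


# Constructed samples: (class label, malicious flag, manifest text).
SAMPLES = [
    ("flashlight", 0, make_manifest("com.example.torch", PERMISSIONS[:2])),
    ("flashlight", 1, make_manifest("com.example.torchplus", PERMISSIONS)),
    ("social", 0, make_manifest(
        "com.example.chat",
        [PERMISSIONS[2], PERMISSIONS[3], PERMISSIONS[0],
         "com.example.chat.permission.PUSH"])),
]

if __name__ == "__main__":
    for label, pop in build_populations(SAMPLES).items():
        print(label)
        for pkg, mal, row in zip(pop["packages"], pop["malicious"], pop["matrix"]):
            print("  %-24s malicious=%d %s" % (pkg, mal, row))
```
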
2) training a classifier on the applications' population information;
dividing all the extracted application population information into a training set and a test set, wherein the training set is the input of an SMO algorithm classifier, so that through continued learning the classifier can classify applications by their permissions; the test set is used to test the classifier and verify its classification performance;
the training sample set comprises the permissions of the Android applications and the class label of each application; identifying an Android application means determining the category of an application sample to be detected with the trained classification model.
Assume the N training samples are
$(Permissions_1, C_1), (Permissions_2, C_2), \ldots, (Permissions_n, C_n)$, where $C_i$ is the class label of the application and $Permissions_i$ is the permission matrix of the application.
The SMO algorithm compares the N samples pairwise and learns from the permissions and categories in the training set, yielding a functional relation for judging an application's category. In this embodiment, the SMO algorithm of Weka, an open-source Java-based software package combining machine learning and data mining, is used to train and build a classification model on the data set; the model is then used to determine the category of the application to be detected;
3) obtaining the permission information matrix of the application to be detected, determining its category with the classifier, taking the resulting population information as input, finding the recognizer pool corresponding to the population in the model library, detecting the application with the recognizer that best satisfies the constraint conditions, and judging whether the application is malicious;
3.1) finding the population recognizer pool of the corresponding type in the model library according to the category label of the application's population; the population recognizer pool comprises an SVM recognizer, a random forest recognizer and a fully connected neural network recognizer;
the recognizer:
$Classifier = \{Classifier(P_i, A_i) \mid P_i \in Population,\ A_i \in Algorithm\}$
$Classifier(P_i, A_i)$ is the recognizer generated by training machine learning algorithm $A_i$ on the data of population $P_i$, for example a flashlight SVM recognizer or a reader random forest recognizer. Algorithm is defined as follows:
the algorithm set:
$Algorithm = \{SVM, RF, FC\}$
the population recognizer:
$ClassifierPopulation = \{Classifier(P, A_i) \mid A_i \in Algorithm\}$
ClassifierPopulation is the set of all recognizers generated by all the machine learning algorithms after training on the data of population P.
3.2) according to the category, obtaining the recognizers of the corresponding population from the population recognizer pool, for example the flashlight SVM recognizer, the flashlight random forest recognizer and the flashlight fully connected neural network recognizer; then comparing the constraint conditions with the recognizer effect record table and finding, according to the priority of the constraint conditions, the recognizer Classifier that best satisfies them; the recognizer Classifier is one of the SVM recognizer, the random forest recognizer and the fully connected neural network recognizer;
the constraint conditions are detection accuracy and detection running time;
the recognizers use three algorithms: support vector machine (SVM), random forest (RF) and fully connected neural network (FC). The SVM algorithm gives stable results, the random forest algorithm is fast, and the fully connected network can classify any case well.
3.3) providing the application's population information as input to the Classifier for recognition and outputting a result R, where R is either benign application or malicious application.
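One way to implement steps 3.1 to 3.3, as an added example that is not the patent's own code: a model library keyed by population, an effect record (accuracy and running time) per recognizer, and selection by prioritized constraints. The metric values, the linear stand-in scorers used in place of trained SVM, RF and FC models, and the rule that a bound no remaining candidate can meet is skipped are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Column order of the constructed 0-1 permission vectors used below:
# CAMERA, FLASHLIGHT, INTERNET, READ_CONTACTS, SEND_SMS


@dataclass
class Recognizer:
    population: str                           # class label C_x
    algorithm: str                            # "SVM", "RF" or "FC"
    accuracy: float                           # effect record: test accuracy
    runtime_s: float                          # effect record: running time
    predict: Callable[[Sequence[int]], int]   # 1 = malicious, 0 = benign


# (metric, bound): an "accuracy" bound is a minimum, a "runtime_s" bound is a
# maximum, None means "rank only". List order is the constraint priority.
Constraint = Tuple[str, Optional[float]]


def linear_scorer(weights, threshold):
    """Stand-in for a trained model: weighted permission sum vs. threshold."""
    def predict(vector):
        return int(sum(w * x for w, x in zip(weights, vector)) >= threshold)
    return predict


def satisfies(rec, metric, bound):
    return rec.accuracy >= bound if metric == "accuracy" else rec.runtime_s <= bound


def rank_key(rec, constraints):
    # Higher accuracy and lower running time are better; priority order decides ties.
    return tuple(-rec.accuracy if m == "accuracy" else rec.runtime_s
                 for m, _ in constraints)


class ModelLibrary:
    def __init__(self):
        self.pools: Dict[str, List[Recognizer]] = {}

    def register(self, rec):
        self.pools.setdefault(rec.population, []).append(rec)

    def select(self, population, constraints: Sequence[Constraint]):
        """Steps 3.1 and 3.2: find the pool, then the best-matching recognizer."""
        if population not in self.pools:
            raise LookupError("no recognizer pool for population %r" % population)
        candidates = list(self.pools[population])
        for metric, bound in constraints:
            if metric not in ("accuracy", "runtime_s"):
                raise ValueError("unknown constraint metric %r" % metric)
            if bound is None:
                continue
            kept = [r for r in candidates if satisfies(r, metric, bound)]
            if kept:              # a bound nobody can meet is skipped (assumption)
                candidates = kept
        return min(candidates, key=lambda r: rank_key(r, constraints))

    def detect(self, population, vector, constraints):
        """Step 3.3: run the selected recognizer and return (algorithm, R)."""
        chosen = self.select(population, constraints)
        return chosen.algorithm, "malicious" if chosen.predict(vector) else "benign"


def build_demo_library():
    """Constructed effect records and stand-in models for two populations."""
    lib = ModelLibrary()
    strict = linear_scorer([0, 0, 0.5, 2, 2], 2)     # flashlight: contacts or SMS is abnormal
    forest = linear_scorer([0, 0, 1, 1, 2], 3)       # a coarser flashlight model
    lenient = linear_scorer([0, 0, 0, 0, 2], 2)      # social: contacts access is expected
    for algo, acc, rt, model in (("SVM", 0.95, 1.8, strict),
                                 ("RF", 0.91, 0.4, forest),
                                 ("FC", 0.96, 3.5, strict)):
        lib.register(Recognizer("flashlight", algo, acc, rt, model))
    for algo, acc, rt in (("SVM", 0.93, 2.0), ("RF", 0.94, 0.5), ("FC", 0.92, 4.0)):
        lib.register(Recognizer("social", algo, acc, rt, lenient))
    return lib


if __name__ == "__main__":
    lib = build_demo_library()
    accuracy_first = [("accuracy", 0.9), ("runtime_s", 2.0)]
    app = [1, 0, 1, 1, 0]   # CAMERA + INTERNET + READ_CONTACTS
    for population in ("flashlight", "social"):
        print(population, lib.detect(population, app, accuracy_first))
```

The same permission vector is judged malicious in the flashlight pool and benign in the social pool, which is the per-population behaviour the method relies on.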
Experimental description of the effects of the invention:
A simple experiment was performed to verify the method. The source of the data set, the algorithms used in the experiment and the simple constraints are described below.
The experimental operating environment is as follows: Windows 7 operating system, 3.4GHz quad-core processor, 8GB memory.
A total of 32537 Android applications of 62 types were crawled from 360 application markets and an intelligence application market. From their AndroidManifest.xml files we obtained their permission information lists and generated permission information vectors, where 1 means the permission is requested and 0 means it is not. We scanned the apps of both the flashlight and reader populations using Kingsoft and F-script, and selected the apps marked as benign by both as positive samples. Following the design of the experiment, a flashlight population, a camera population, a reader population and malicious samples from VirusShare were selected for the experiment.
We selected the camera, flashlight and reader populations as the subjects of the experiment for several reasons. First, the functional boundaries of these three types of application are clear: whether an app belongs to the flashlight, camera or reader category can easily be told from its main permission declarations and the application description text supplied at upload. Second, flashlights, cameras and readers are widely used, and almost every user installs an additional flashlight, camera or reader application for personalization. If a feature-rich, well-made application has malicious code added by a lawbreaker and is re-uploaded after packing, a large number of users are affected.
1. SMO-based classification experiments
The experiment used a total of 2225 camera, flashlight and reader applications, which were combined into a training set.
The Manifest file of each application was obtained with Apktool, and the permission vector was extracted from it with a Python script. The results of 10-fold cross-validation using the SMO function of Weka are shown in Table 1.
TABLE 1 Classification results for the different software categories
[Table 1 is an image in the original publication and is not reproduced in this text.]
According to the application classification results, the accuracy and the recall are high, which shows that the SMO algorithm can learn the classification well.
2. Population-oriented Android malware detection experiment
Three algorithms are used in the experiment: support vector machine (SVM), random forest (RF) and fully connected neural network (FC). The SVM algorithm gives stable results, the random forest algorithm is fast, and the fully connected network can classify any case well.
Because this is a simple verification, the evaluation criteria of the algorithms can serve as the constraint conditions. Accuracy and running time are used as the evaluation criteria, but in this experiment accuracy matters more than running time because of the high efficiency of the random forest algorithm. The higher the accuracy, the higher the algorithm's recognition rate for applications in the population; a shorter running time means the algorithm identifies the population more efficiently.
The data set is first divided into a training set and a test set. The training set, not divided by population, is used directly as input to train the SVM, random forest and fully connected neural network; the resulting recognizers are run on the test set to obtain time and accuracy. After the data set has been classified by the classification module, the training set and the test set are divided by population, and the training sets of the different populations are used to train the three algorithms again, giving recognizers that differ by algorithm and by population attribute; these are grouped into recognizer populations according to population. The test sets of the different populations are then used to obtain the time spent and the accuracy of the recognizers for each population. The metrics of the two kinds of recognizer are compared.
TABLE 2 Malicious application identification results
[Table 2 is an image in the original publication and is not reproduced in this text.]
Data sets A, B, C and D denote the camera, flashlight and reader populations and the merged full set of the three populations, respectively.
As can be seen from the results in Table 2, for the camera population the random forest algorithm is superior to the other two algorithms in both time and accuracy; for the flashlight and reader populations, although the random forest algorithm has an excellent detection time, its accuracy is not as high as that of the support vector machine and the fully connected neural network; the three algorithms work better on data sets A, B and C than on data set D.
We can conclude that: 1) for the same algorithm, recognizers trained on the data set after population classification detect better than recognizers trained on the whole set, with a maximum improvement of 13.26%; 2) even within the same population, the detection performance of the recognizers differs, so the recognizer that meets the conditions can be selected from the recognizer population according to actual needs to achieve the best effect.
The above experiments demonstrate the effectiveness of the SMO algorithm for dividing applications into populations, and that malicious-application detection on population-divided applications is greatly improved. They also verify that the population-oriented Android malware detection model library method is effective and feasible.
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (3)

1. A population-oriented android malware detection model library method is characterized by comprising the following steps:
1) collecting application files, extracting application permission use conditions, integrating the application permission use conditions into an permission information matrix, and forming application population information according to the category labels; the information of the population comprises a category label corresponding to each application and an authority information matrix after the application is subjected to authority preprocessing;
2) training a classifier according to the extracted application authority set;
dividing the extracted application authority set into a training set and a test set, wherein the training set is used as the input of an SMO algorithm classifier, so that the classifier can classify applications through authorities by continuous learning; the test set tests the classifier and verifies the classification effect of the classifier;
3) acquiring an authority information matrix of an application to be detected, determining the class of the application to be detected by using a classifier, dividing the application with the same function type into a group, setting a class label of the group for the application, and taking the group information of the application to be detected as the input of a model library; the model base encapsulates recognizer pools of a plurality of populations, and each recognizer pool is composed of recognizers generated by training through three algorithms of SVM, random forest and neural network full connection;
finding the recognizer pool corresponding to the population in the model library, detecting the application by using the recognizer which best meets the constraint condition according to the constraint condition, and judging the maliciousness of the application.
2. The population-oriented android malware detection model library method of claim 1, wherein in step 2) classification models are trained on datasets using the SMO algorithm of Weka.
3. The population-oriented android malware detection model library method of claim 1, wherein detecting the application in step 3) to determine its maliciousness specifically comprises the following steps:
3.1) finding the population recognizer pool of the corresponding type in the model library according to the category label of the application's population; the population recognizer pool comprises: an SVM recognizer, a random forest recognizer and a fully connected neural network recognizer;
3.2) finding, according to the constraint conditions, the recognizer Classfier that best meets the conditions in the population recognizer pool; the recognizer Classfier is one of the SVM recognizer, the random forest recognizer and the fully connected neural network recognizer;
the constraint conditions are detection accuracy and detection running time;
3.3) taking the application's population information as input, providing it to Classfier for recognition, and outputting a result R, wherein R is benign application or malicious application.
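Steps 3.1) to 3.3) of claim 3, as an added Python example that is not code from the patent: a model library keyed by population label, recognizer selection under the two constraints, and the result R. The selection policy (most accurate recognizer inside an accuracy floor and a runtime budget), the "game" population, the four permission columns, the fixed-weight linear stand-ins for the trained SVM, random forest and neural network recognizers, and all numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Sequence

PERMS = ("INTERNET", "SEND_SMS", "READ_CONTACTS", "CAMERA")  # matrix columns (constructed)

@dataclass
class Recognizer:
    name: str
    predict: Callable[[Sequence[int]], int]  # 1 = malicious, 0 = benign
    runtime_ms: float                        # recorded detection running time (constructed)
    accuracy: float = 0.0                    # filled in by evaluate()

def linear(weights, bias):
    """Stand-in for a trained model: thresholded weighted sum of permission bits."""
    return lambda row: int(sum(w * x for w, x in zip(weights, row)) + bias > 0)

def evaluate(pool, test_set):
    """Measure each recognizer's detection accuracy on the population's test set."""
    for r in pool:
        r.accuracy = sum(r.predict(x) == y for x, y in test_set) / len(test_set)

def select(pool, min_accuracy, max_runtime_ms):
    """Assumed policy: most accurate recognizer inside both constraints, ties to the faster."""
    ok = [r for r in pool if r.accuracy >= min_accuracy and r.runtime_ms <= max_runtime_ms]
    if not ok:
        raise LookupError("no recognizer in this pool meets the constraints")
    return max(ok, key=lambda r: (r.accuracy, -r.runtime_ms))

def detect(library, population, row, min_accuracy=0.7, max_runtime_ms=50.0):
    """Steps 3.1-3.3: find the population's pool, pick a recognizer, output R."""
    if population not in library:
        raise KeyError(f"no recognizer pool for population {population!r}")
    if len(row) != len(PERMS):
        raise ValueError("permission row does not match the matrix columns")
    chosen = select(library[population], min_accuracy, max_runtime_ms)
    return chosen.name, "malicious" if chosen.predict(row) else "benign"

# Constructed test set for a hypothetical "game" population: (permission row, label).
GAME_TEST = [((1, 0, 0, 0), 0), ((1, 0, 0, 1), 0), ((1, 1, 0, 0), 1),
             ((1, 1, 1, 0), 1), ((0, 0, 1, 0), 0), ((1, 0, 1, 1), 1)]
LIBRARY = {"game": [
    Recognizer("svm", linear((0, 0, 1, 0), -0.5), runtime_ms=5.0),
    Recognizer("random_forest", linear((0, 2, 0, 0), -1.0), runtime_ms=20.0),
    Recognizer("neural_net", linear((0, 3, 2, 1), -2.5), runtime_ms=80.0),
]}
evaluate(LIBRARY["game"], GAME_TEST)
```

With the default 50 ms budget the row `(1, 0, 1, 1)` is judged by the faster, less accurate recognizer and comes back benign; raising the budget to 100 ms selects the slower recognizer, which flags it, so the constraint values directly change the detection outcome.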
CN201911215882.2A 2019-12-02 2019-12-02 Population-oriented android malicious software detection model library method Active CN111444502B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911215882.2A CN111444502B (en) 2019-12-02 2019-12-02 Population-oriented android malicious software detection model library method

Publications (2)

Publication Number Publication Date
CN111444502A true CN111444502A (en) 2020-07-24
CN111444502B CN111444502B (en) 2023-05-02

Family

ID=71648571

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911215882.2A Active CN111444502B (en) 2019-12-02 2019-12-02 Population-oriented android malicious software detection model library method

Country Status (1)

Country Link
CN (1) CN111444502B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161548B1 (en) * 2005-08-15 2012-04-17 Trend Micro, Inc. Malware detection using pattern classification
CN104794398A (en) * 2015-04-17 2015-07-22 天津大学 Android platform malicious software detection method based on machine learning
CN104809395A (en) * 2015-04-23 2015-07-29 天津大学 Lightweight-class Android malicious software fast judging method
CN105117544A (en) * 2015-08-21 2015-12-02 李涛 Android platform App risk assessment method based on mobile cloud computing and Android platform App risk assessment device based on mobile cloud computing
CN105426762A (en) * 2015-12-28 2016-03-23 重庆邮电大学 Static detection method for malice of android application programs
WO2017084451A1 (en) * 2015-11-18 2017-05-26 腾讯科技(深圳)有限公司 Method and apparatus for identifying malicious software
CN107992884A (en) * 2017-11-24 2018-05-04 武汉科技大学 A kind of android application permissions cluster and population characteristic analysis method based on big data
WO2019108919A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
S T CHEN: "Android malware detection method based on random forest" *
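李剑; 朱月俊: "Permission-based Android malware detection method" *
杨宏宇; 徐晋: "Static detection model for Android malware" *
肖智婕: "Population-oriented Android security risk assessment and malicious application detection" *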

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797239A (en) * 2020-09-08 2020-10-20 中山大学深圳研究院 Application program classification method and device and terminal equipment
CN112214770A (en) * 2020-10-30 2021-01-12 奇安信科技集团股份有限公司 Malicious sample identification method and device, computing equipment and medium
CN112214770B (en) * 2020-10-30 2023-11-10 奇安信科技集团股份有限公司 Malicious sample identification method, device, computing equipment and medium

Also Published As

Publication number Publication date
CN111444502B (en) 2023-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant