CN114579970B - Convolutional neural network-based android malicious software detection method and system - Google Patents
- Publication number
- CN114579970B CN202210483736.3A
- Authority
- CN
- China
- Prior art keywords
- android
- software
- classes
- malicious
- data stream
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/048—Activation functions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- General Physics & Mathematics (AREA)
- Biomedical Technology (AREA)
- Mathematical Physics (AREA)
- Data Mining & Analysis (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Computational Linguistics (AREA)
- Biophysics (AREA)
- Evolutionary Computation (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Virology (AREA)
- Image Analysis (AREA)
Abstract
The invention relates to an android malicious software detection method and system based on a convolutional neural network. A brand-new logic design is adopted: the classes.dex file extracted from android software is subjected to intermediate hexadecimal conversion and 6-gram processing in sequence, and a frequency domain characteristic image corresponding to the android software is obtained. Based on known android sample software, each belonging to a normal label or a malicious label, a malicious software identification model is obtained in combination with the frequency domain characteristic images corresponding to the android sample software, and malicious detection of target android software is then completed in actual implementation.
Description
Technical Field
The invention relates to an android malicious software detection method and system based on a convolutional neural network, and belongs to the technical field of malicious software detection.
Background
The android system has spread widely because of its openness and simplicity, and has therefore become a target for abuse by malware. Under these conditions, security protection technologies against malware attacks on the android platform have developed vigorously, and android malware visualization detection is one of the technologies receiving much attention.
At present, classification and detection of android software is mostly realized by transplanting detection schemes from other platforms (such as Windows); the uniqueness of the android platform is not considered, the interaction between the preceding and following parts of the bit stream is not considered, accuracy is low, and detection remains to be improved. In addition, owing to automated code writing and reuse techniques and the openness of the android system, part of android malicious software is written on the basis of benign software and is difficult for a visual detection framework to distinguish, so that false reports are easily generated, which shows up as a low recall rate.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an android malicious software detection method based on a convolutional neural network, and the problems of low accuracy and low recall rate in the conventional android detection method are solved by adopting a brand new logic design, so that the efficient and accurate android malicious software detection work is completed.
The invention adopts the following technical scheme for solving the technical problems: the invention designs an android malicious software detection method based on a convolutional neural network, wherein, based on a preset number of android sample software each known to belong to a normal label or a malicious label, a malicious software identification model is obtained according to the following steps A to B; then the malicious software identification model is applied and step i is executed to perform malicious detection on the target android software;
step A, respectively executing the following steps A1 to A4 aiming at each android sample software to obtain frequency domain characteristic images respectively corresponding to each android sample software, and then entering step B;
step A1, obtaining the classes.dex file in the android sample software compression package, obtaining the hexadecimal data stream corresponding to the classes.dex file through number system conversion based on the binary data stream form of the classes.dex file, and then entering step A2;
step A2, executing n-gram processing on the hexadecimal data stream corresponding to the classes.dex file to obtain each gram fragment corresponding to the classes.dex file, and then entering step A3;
step A3, obtaining a three-channel color image corresponding to the classes.dex file according to each gram fragment corresponding to the classes.dex file, and then entering step A4;
step A4, performing frequency domain transformation mapping processing on the three-channel color image corresponding to the classes.dex file;
step B, training a target convolutional neural network, based on each android sample software, with the frequency domain characteristic image corresponding to the android sample software as input and the normal label or malicious label to which the android sample software belongs as output, to obtain the malicious software identification model;
step i, obtaining the frequency domain characteristic image corresponding to the target android software in the manner of steps A1 to A4, and applying the malicious software identification model to obtain the normal label or malicious label of the target android software, thereby realizing malicious detection of the target android software.
As a preferred technical scheme of the invention: the step A1 comprises the following steps A1-1 to A1-2;
step A1-1, based on the binary data stream form of the classes.dex file, converting each four-digit binary number into a one-digit hexadecimal number in sequence with a step length of 4 to obtain the converted hexadecimal data stream, and entering step A1-2;
step A1-2, judging whether the length of the hexadecimal data stream is a multiple of 6; if so, the hexadecimal data stream is used as the hexadecimal data stream corresponding to the classes.dex file; otherwise, the hexadecimal data stream is brought to a length that is a multiple of 6 by padding the tail with the fewest 0 digits, and is then used as the hexadecimal data stream corresponding to the classes.dex file.
As a preferred technical scheme of the invention: in step A2, a sliding window with a sliding step length of 6 and a window length of 6 is applied to divide the hexadecimal data stream corresponding to the classes.dex file, obtaining gram fragments of length 6, namely the gram fragments corresponding to the classes.dex file.
As a preferred technical scheme of the invention: the step A3 comprises the following steps A3-1 to A3-4;
step A3-1, initializing a 256 × 256 × 3 three-channel basic image with all pixel values of 0, and entering step A3-2;
step A3-2, for each gram fragment corresponding to the classes.dex file, selecting the decimal number corresponding to the combination of the first and second hexadecimal numbers to form the abscissa of the first pixel point corresponding to the gram fragment, and selecting the decimal number corresponding to the combination of the third and fourth hexadecimal numbers to form the ordinate of the first pixel point corresponding to the gram fragment;
selecting the decimal number corresponding to the combination of the third and fourth hexadecimal numbers to form the abscissa of the second pixel point corresponding to the gram fragment, and selecting the decimal number corresponding to the combination of the fifth and sixth hexadecimal numbers to form the ordinate of the second pixel point corresponding to the gram fragment;
thereby obtaining the coordinates of the two pixel points corresponding to the gram fragment, and further the coordinates of the two pixel points corresponding to each gram fragment, and then entering step A3-3;
step A3-3, for each gram fragment corresponding to the classes.dex file, converting every two hexadecimal numbers in the gram fragment into one decimal number in sequence with a step length of 2, obtaining three decimal numbers that correspond respectively to the color values of the color channels and form the pixel value of the two pixel points corresponding to the gram fragment; the pixel values of the two pixel points corresponding to each gram fragment are thus obtained, and then entering step A3-4;
step A3-4, placing the two pixel points corresponding to each gram fragment in the three-channel basic image according to their coordinates and pixel values to form the three-channel color image corresponding to the classes.dex file.
As a preferred technical scheme of the invention: in step A4, for the three-channel color image corresponding to the classes.dex file
Performing frequency domain transformation mapping processing to obtain a frequency domain characteristic image corresponding to the three-channel color image, namely the frequency domain characteristic image corresponding to the android sample software, wherein,representing one in the spatial domainTwo-dimensional vector elements of (i.e. a)Representing 256 x 256 three channel color images,which represents the coordinates of the pixel or pixels,,,representing a transform domain matrix obtained by two-dimensional discrete cosine transform, namely a frequency domain characteristic image,,。
As a preferred technical scheme of the invention: the target convolutional neural network in step B comprises an input layer, a Sigmoid classification output layer, two fully connected layers, two random deactivation (dropout) layers, three pooling layers and three convolutional layers, connected in series in the following order: the 256 × 1 input layer, a convolutional layer with 32 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a convolutional layer with 64 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a convolutional layer with 128 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a fully connected layer of 512 units, a random deactivation layer with a probability of 0.5, a fully connected layer of 256 units, a random deactivation layer with a probability of 0.5, and the Sigmoid classification output layer.
Correspondingly, the technical problem to be solved by the invention is to provide a system of the android malware detection method based on the convolutional neural network, and the android malware can be efficiently detected by respectively executing each step in the method through a modular partition design.
In order to solve the technical problems, the invention adopts the following technical scheme: the invention designs a system of an android malicious software detection method based on a convolutional neural network, which comprises an acquisition module, a processing module, a visualization module, a training module and a detection module; the obtaining module is used for obtaining classes.dex files in the android software compression package in the step A1; the processing module is used for executing the step A1 to obtain the hexadecimal data stream corresponding to the classes.dex file, and executing the steps A1 to A2 to execute n-gram processing on the hexadecimal data stream; the visualization module is used for executing the steps A3 to A4 to obtain a frequency domain characteristic image corresponding to the android software; the training module is used for executing the step B to obtain a malicious software identification model; and the detection module is used for executing step i to execute malicious detection aiming at the target android software.
Compared with the prior art, the android malicious software detection method and system based on the convolutional neural network have the following technical effects:
The invention designs an android malicious software detection method and system based on a convolutional neural network, which adopts a brand-new logic design: based on the classes.dex file extracted from the android software, the frequency domain characteristic image corresponding to the android software is obtained through intermediate hexadecimal conversion and 6-gram processing in sequence, so that, based on known android sample software each belonging to a normal label or a malicious label, a malicious software identification model is obtained by network training in combination with the frequency domain characteristic images corresponding to the android sample software, and malicious detection of target android software is then completed in actual implementation.
Drawings
FIG. 1 is a schematic flow chart of an android malware detection method based on a convolutional neural network in the design of the present invention;
FIG. 2 is a schematic diagram of the structure of a target convolutional neural network in the design of the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
In practical application, as shown in fig. 1, based on a preset number of android sample software each known to belong to a normal label or a malicious label, a malicious software identification model is obtained according to the following steps A to B.
And step A, respectively executing the following steps A1 to A4 aiming at each android sample software to obtain frequency domain characteristic images respectively corresponding to each android sample software, and then entering the step B.
Step A1, a script tool is used for calling a system command to decompress the android sample software to obtain the files forming the android sample software, a classes.dex file
In an actual application scenario, for an apk application package of the android system, an unzip tool carried in the Python programming language is used to decompress the apk, generating the various files organized according to the program structure, such as the android manifest. Analysis of the program structure shows that most classes.dex files are located in the root directory of the decompressed folder and that the dex suffix of the file is unique, so the classes.dex file can be found directly by its suffix.
In practical applications, the step A1 specifically executes the following steps A1-1 to A1-2.
Step A1-1, based on the binary data stream form of the classes.dex file, converting each four-digit binary number into a one-digit hexadecimal number in sequence with a step length of 4 to obtain the converted hexadecimal data stream, and proceeding to step A1-2.
Step A1-2, judging whether the length of the hexadecimal data stream is a multiple of 6; if so, the hexadecimal data stream is used as the hexadecimal data stream corresponding to the classes.dex file; otherwise, the hexadecimal data stream is brought to a length that is a multiple of 6 by padding the tail with the fewest 0 digits, and is then used as the hexadecimal data stream corresponding to the classes.dex file.
In an actual application scenario, a Python script tool is used to read the classes.dex file as a binary stream to obtain its bit stream, and the bit stream is converted into hexadecimal numbers using a built-in decoding tool. For example, the bit stream 1010, 0100, 0011, 0101, 0000, 0010 is converted to the hexadecimal a43502. The hexadecimal numbers are then divided into groups of six, that is, 6-gram processing with a window of six and a step length of six is carried out to obtain groups of 6-digit hexadecimal numbers. For example, the hexadecimal stream 00a43502150306a1b0 is processed with 6-grams to yield 00a435, 021503, and 06a1b0.
Step A2, executing n-gram processing on the hexadecimal data stream corresponding to the classes.dex file to obtain each gram fragment corresponding to the classes.dex file, and then entering step A3.
In the specific implementation, in step A2, a sliding window with a sliding step length of 6 and a window length of 6 is applied to divide the hexadecimal data stream corresponding to the classes.dex file, obtaining gram fragments of length 6, namely the gram fragments corresponding to the classes.dex file.
Step A3, obtaining a three-channel color image corresponding to the classes.dex file according to each gram fragment corresponding to the classes.dex file, and then entering step A4.
In practical applications, the step A3 specifically performs the following steps A3-1 to A3-4.
Step A3-1, initializing a 256 × 256 × 3 three-channel basic image with all pixel values of 0, and going to step A3-2.
Step A3-2, selecting the decimal number corresponding to the combination of the first and second hexadecimal numbers to form the abscissa of the first pixel point corresponding to the gram fragment, and selecting the decimal number corresponding to the combination of the third and fourth hexadecimal numbers to form the ordinate of the first pixel point corresponding to the gram fragment.
Selecting the decimal number corresponding to the combination of the third and fourth hexadecimal numbers to form the abscissa of the second pixel point corresponding to the gram fragment, and selecting the decimal number corresponding to the combination of the fifth and sixth hexadecimal numbers to form the ordinate of the second pixel point corresponding to the gram fragment.
The coordinates of the two pixel points corresponding to the gram fragment are thereby obtained, and further the coordinates of the two pixel points corresponding to each gram fragment, and then step A3-3 is entered.
Step A3-3, for each gram fragment corresponding to the classes.dex file, converting every two hexadecimal numbers in the gram fragment into one decimal number in sequence with a step length of 2, obtaining three decimal numbers that correspond respectively to the color values of the color channels and form the pixel value of the two pixel points corresponding to the gram fragment; the pixel values of the two pixel points corresponding to each gram fragment are thus obtained, and then step A3-4 is entered.
In practical applications, for example with an RGB three-channel color space, the first two hexadecimal numbers converted to decimal give the color value of the Red channel, the third and fourth hexadecimal numbers converted to decimal give the color value of the Green channel, and the last two hexadecimal numbers converted to decimal give the color value of the Blue channel.
Step A3-4, placing the two pixel points corresponding to each gram fragment in the three-channel basic image according to their coordinates and pixel values to form the three-channel color image corresponding to the classes.dex file.
In practical applications, for example, the gram fragment 00a435 generates the three-channel pixel value (0, 164, 53) and the two coordinate points (0, 164) and (164, 53).
Step A4, for the three-channel color image corresponding to the classes.dex file
Performing frequency domain transformation mapping processing to obtain a frequency domain characteristic image corresponding to the three-channel color image, namely the frequency domain characteristic image corresponding to the android sample software,representing one in the spatial domainTwo-dimensional vector elements of (i.e. a)Representing 256 x 256 three channel color images,which represents the coordinates of the pixel or pixels,,,representing a transform domain matrix obtained by two-dimensional discrete cosine transform, namely a frequency domain characteristic image,,。
When the discrete cosine transform is performed, the three channels are first combined into one channel (i.e., the color picture is converted into a gray picture), and the two-dimensional discrete cosine transform is then performed.
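A worked version of steps A1 to A4 run on the description's own sample stream 00a43502150306a1b0, added here as an example; it is not code from the patent. The in-memory APK, the size cap, the image[y][x] layout, overwriting on pixel collisions, the BT.601 gray weights and the orthonormal DCT-II scaling are assumptions that the page does not specify.

```python
import io
import math
import zipfile
from operator import mul

SIZE = 256                         # each coordinate is one byte: 0..255
MAX_DEX_BYTES = 64 * 1024 * 1024   # assumed cap, guards against zip bombs


def read_classes_dex(apk_bytes, limit=MAX_DEX_BYTES):
    """Step A1: read classes.dex from the APK in memory (nothing is
    extracted to disk, so archive member paths are never trusted)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        # getinfo raises KeyError when the archive has no classes.dex
        with apk.open(apk.getinfo("classes.dex")) as member:
            data = member.read(limit + 1)
    if len(data) > limit:
        raise ValueError("classes.dex exceeds the configured size limit")
    return data


def to_hex_stream(dex_bytes):
    """Steps A1-1/A1-2: hex digits, zero-padded at the tail to a multiple of 6."""
    stream = dex_bytes.hex()
    return stream + "0" * (-len(stream) % 6)


def six_grams(stream):
    """Step A2: window length 6, sliding step 6."""
    return [stream[i:i + 6] for i in range(0, len(stream), 6)]


def grams_to_image(grams):
    """Step A3: each gram yields two pixels that share one RGB value."""
    image = [[(0, 0, 0)] * SIZE for _ in range(SIZE)]
    for gram in grams:
        a, b, c = (int(gram[i:i + 2], 16) for i in (0, 2, 4))
        # Assumption: image[y][x] layout; a later gram overwrites an earlier
        # one that lands on the same pixel (the page does not say).
        image[b][a] = (a, b, c)    # first pixel:  x = digits 1-2, y = digits 3-4
        image[c][b] = (a, b, c)    # second pixel: x = digits 3-4, y = digits 5-6
    return image


def to_gray(image):
    """Merge the three channels into one (assumed BT.601 luma weights)."""
    return [[0.299 * r + 0.587 * g + 0.114 * b for r, g, b in row]
            for row in image]


def dct2(matrix):
    """Step A4: orthonormal 2-D DCT-II of a square matrix (assumed scaling)."""
    n = len(matrix)
    basis = [[math.sqrt((1 if k == 0 else 2) / n)
              * math.cos((2 * i + 1) * k * math.pi / (2 * n))
              for i in range(n)] for k in range(n)]

    def transform_rows(rows):
        # All-zero rows transform to zero; skipping them keeps sparse images fast.
        return [[sum(map(mul, b_k, row)) for b_k in basis] if any(row)
                else [0.0] * n for row in rows]

    half = transform_rows(matrix)                          # 1-D DCT along x
    full = transform_rows([list(c) for c in zip(*half)])   # then along y
    return [list(c) for c in zip(*full)]


def apk_to_feature(apk_bytes):
    """Steps A1 to A4 end to end: APK bytes -> 256 x 256 frequency-domain map."""
    grams = six_grams(to_hex_stream(read_classes_dex(apk_bytes)))
    return dct2(to_gray(grams_to_image(grams)))


def build_constructed_apk(dex_bytes):
    """Constructed sample input: a minimal ZIP holding only classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # The page's sample stream plus one constructed extra byte to exercise padding.
    sample = build_constructed_apk(bytes.fromhex("00a43502150306a1b0ff"))
    print(six_grams(to_hex_stream(read_classes_dex(sample))))
    feature = apk_to_feature(sample)
    print(len(feature), len(feature[0]), round(feature[0][0], 3))
```

Because every gram writes only two pixels, small dex files give a very sparse image; identical features across unrelated samples are a sign that the extraction step failed rather than that the samples are alike.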
Step B, based on each piece of android sample software, training a target convolutional neural network with the frequency domain characteristic image corresponding to the android sample software as input and the normal label or malicious label to which the android sample software belongs as output, to obtain the malicious software identification model.
In practical application, as shown in fig. 2, the target convolutional neural network is specifically designed to include an input layer, a Sigmoid classification output layer, two fully connected layers, two random deactivation (dropout) layers, three pooling layers and three convolutional layers, connected in series in the following order: the 256 × 1 input layer, a convolutional layer with 32 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a convolutional layer with 64 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a convolutional layer with 128 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a fully connected layer of 512 units, a random deactivation layer with a probability of 0.5, a fully connected layer of 256 units, a random deactivation layer with a probability of 0.5, and the Sigmoid classification output layer.
With the malicious software identification model obtained through the above steps A to B, as shown in fig. 1, the malicious software identification model is then applied and step i is executed to perform malicious detection on the target android software.
Step i, obtaining the frequency domain characteristic image corresponding to the target android software in the manner of steps A1 to A4, and applying the malicious software identification model to obtain the normal label or malicious label of the target android software, thereby realizing malicious detection of the target android software.
For the designed convolutional neural network-based android malicious software detection method, a system for realizing the method is further designed, and the system comprises an acquisition module, a processing module, a visualization module, a training module and a detection module; the acquisition module is used for obtaining the classes.dex file in the android software compression package in step A1; the processing module is used for executing step A1 to obtain the hexadecimal data stream corresponding to the classes.dex file, and executing steps A1 to A2 to perform n-gram processing on the hexadecimal data stream; the visualization module is used for executing steps A3 to A4 to obtain the frequency domain characteristic image corresponding to the android software; the training module is used for executing step B to obtain the malicious software identification model; and the detection module is used for executing step i to perform malicious detection on the target android software.
When the android malicious software detection method based on the convolutional neural network is applied in practice, it specifically comprises the following from the hardware perspective: a processor, a memory, an input/output interface, a communication interface, and a bus; the processor, the memory, the input/output interface and the communication interface are in communication connection with each other inside the device through the bus.
The processor may be implemented by a general CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute a relevant program, so as to implement the method for detecting android malware based on a convolutional neural network according to the present invention.
The Memory may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory and called by the processor to be executed.
The input/output interface is used for connecting the input/output module to realize information input and output. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface is used for connecting a communication module (not shown in the figure) to realize the communication interaction of the equipment and other equipment. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
A bus includes a path that transfers information between various components of the device, such as the processor, memory, input/output interfaces, and communication interfaces.
Computer-readable media of the embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
According to the android malicious software detection method and system based on the convolutional neural network, a brand-new logic design is adopted: based on the classes.dex file extracted from the android software, the frequency domain characteristic image corresponding to the android software is obtained through intermediate hexadecimal conversion and 6-gram processing in sequence, so that, based on known android sample software each belonging to a normal label or a malicious label, a malicious software identification model is obtained by network training in combination with the frequency domain characteristic images corresponding to the android sample software, and malicious detection of target android software is then completed in actual implementation.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.
Claims (5)
1. A method for detecting android malicious software based on a convolutional neural network, characterized in that: based on a preset number of android sample software each known to belong to a normal label or a malicious label, a malicious software identification model is obtained according to the following steps A to B; then the malicious software identification model is applied and step i is executed to perform malicious detection on the target android software;
step A, aiming at each android sample software, executing the following steps A1 to A4 to obtain frequency domain characteristic images corresponding to each android sample software respectively, and then entering step B;
step A1, obtaining the classes.dex file in the android sample software compression package, performing number system conversion based on the binary data stream form of the classes.dex file to obtain the hexadecimal data stream corresponding to the classes.dex file, and entering step A2;
step A2, executing n-gram processing on the hexadecimal data stream corresponding to the classes.dex file to obtain each gram fragment corresponding to the classes.dex file, specifically applying a sliding window with the sliding step length of 6 and the window length of 6, dividing the hexadecimal data stream corresponding to the classes.dex file to obtain each gram fragment with the length of 6, namely each gram fragment corresponding to the classes.dex file, and then entering step A3;
step A3, obtaining a three-channel color image corresponding to the classes.dex file according to each gram fragment corresponding to the classes.dex file, and then entering step A4;
the step A3 includes the following steps A3-1 to A3-4;
step A3-1, initializing 256 × 3 three-channel basic images with pixel values of 0, and entering step A3-2;
step A3-2, sequentially selecting decimal numbers corresponding to a first hexadecimal number and a second hexadecimal number combination respectively aiming at each gram fragment corresponding to the classes.
Sequentially selecting decimal numbers corresponding to the combination of the third hexadecimal number and the fourth hexadecimal number to form the abscissa of the second pixel point corresponding to the gram fragment, and sequentially selecting decimal numbers corresponding to the combination of the fifth hexadecimal number and the sixth hexadecimal number to form the ordinate of the second pixel point corresponding to the gram fragment;
obtaining coordinates of two pixel points corresponding to the gram fragments, further obtaining coordinates of two pixel points corresponding to each gram fragment, and then entering step A3-3;
step A3-3, sequentially selecting each two hexadecimal numbers in the gram fragments to be converted into one decimal number according to the step length of 2 for each gram fragment corresponding to the classes and dex files respectively, obtaining three decimal numbers, corresponding to the color value of each color channel respectively, forming the pixel values of two pixel points corresponding to the gram fragment, further obtaining the pixel values of two pixel points corresponding to each gram fragment respectively, and then entering the step A3-4;
step A3-4, placing two pixel points corresponding to each gram fragment in a three-channel basic image according to the coordinates and pixel values of the two pixel points to form a three-channel color image corresponding to a classes.
Step A4, performing frequency domain transformation mapping processing on a three-channel color image corresponding to the classes.
step B, training a target convolutional neural network based on each android sample software by taking the frequency domain characteristic image corresponding to the android sample software as input and the normal label or the malicious label of the android sample software as output to obtain a malicious software identification model;
step i, acquiring a frequency domain characteristic image corresponding to the target android software in the manner of step A1 to step A4, and applying the malicious software identification model to acquire a normal label or a malicious label of the target android software, thereby realizing malicious detection of the target android software.
2. The convolutional neural network-based android malware detection method of claim 1, characterized in that:
the step A1 comprises the following steps A1-1 to A1-2;
step A1-1, based on the binary data stream form of the classes.dex file, converting each four-digit binary number into a one-digit hexadecimal number in sequence with the step length of 4 to obtain the corresponding converted hexadecimal data stream, and entering step A1-2;
step A1-2, judging whether the length of the hexadecimal data stream is a multiple of 6, if so, the hexadecimal data stream is used as the hexadecimal data stream corresponding to the classes. Otherwise, padding the end of the hexadecimal data stream with 0 until its length is a multiple of 6, and using the result as the hexadecimal data stream corresponding to the classes.
3. The method for detecting android malware based on convolutional neural network of claim 1, characterized in that: in the step A4, for a three-channel color image corresponding to the classes.
And performing frequency domain transformation mapping processing to obtain a frequency domain characteristic image corresponding to the three-channel color image, namely the frequency domain characteristic image corresponding to the android sample software, wherein F (a, b) represents an element of the N × N two-dimensional matrix in the spatial domain, with N = 256, i.e. the three-channel color image of 256 × 256; (a, b) represents pixel coordinates, a = 0, 1, …, N-1, b = 0, 1, …, N-1; F (p, q) represents the transformation domain matrix obtained by the two-dimensional discrete cosine transformation, namely the frequency domain characteristic image, with p = 0, 1, …, N-1 and q = 0, 1, …, N-1.
4. The method for detecting android malware based on convolutional neural network of claim 1, characterized in that: the target convolutional neural network in the step B comprises an input layer, a Sigmoid classification output layer, two fully connected layers, two dropout (random inactivation) layers, three pooling layers and three convolutional layers, connected in series in the following order: the 256 × 1 input layer, a convolutional layer with 32 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a convolutional layer with 64 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a convolutional layer with 128 kernels of size 3 × 3, a pooling layer with a 2 × 2 pooling window, a fully connected layer of 512 units, a dropout layer with probability 0.5, a fully connected layer of 256 units, a dropout layer with probability 0.5, and the Sigmoid classification output layer.
5. A system based on the convolutional neural network-based android malware detection method of any one of claims 1 to 4, characterized in that: the system comprises an acquisition module, a processing module, a visualization module, a training module and a detection module; the acquisition module is used for obtaining the classes.dex file in the android software compressed package in the step A1; the processing module is used for executing the step A1 to the step A2, to obtain the hexadecimal data stream corresponding to the classes.dex file and execute n-gram processing on it; the visualization module is used for executing the steps A3 to A4 to obtain a frequency domain characteristic image corresponding to the android software; the training module is used for executing the step B to obtain a malicious software identification model; and the detection module is used for executing the step i to execute malicious detection on the target android software.
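The feature-extraction steps A1 to A4 of the claims, written out as an added Python sketch; this is illustration code, not code from the patent or its applicants. Assumptions, since the page's text is cut off at these points: the first pixel of a fragment sits at (bytes 1, 2), a later fragment overwrites an earlier one at the same pixel, and the discrete cosine transform is the orthonormal DCT-II applied to one channel at a time.

```python
import math

# Constructed sample: the 8-byte DEX magic "dex\n035\0", standing in for a classes.dex file.
SAMPLE = bytes.fromhex("6465780a30333500")

def hex_stream(dex_bytes):
    """Step A1: one hex digit per 4 bits, zero-padded at the end to a multiple of 6."""
    s = dex_bytes.hex()
    return s + "0" * (-len(s) % 6)

def grams(stream):
    """Step A2: window length 6, stride 6, so fragments do not overlap."""
    return [stream[i:i + 6] for i in range(0, len(stream), 6)]

def to_image(fragments, n=256):
    """Step A3: each fragment colours two pixels of an n x n three-channel image."""
    img = [[(0, 0, 0)] * n for _ in range(n)]
    for g in fragments:
        b1, b2, b3 = (int(g[i:i + 2], 16) for i in (0, 2, 4))
        # Assumption: first pixel at (x=b1, y=b2); the claim text for it is cut off.
        # Second pixel at (x=b2, y=b3), as claimed. Both take colour (b1, b2, b3).
        # Assumption: a later fragment overwrites an earlier one at the same pixel.
        img[b2][b1] = img[b3][b2] = (b1, b2, b3)
    return img

def dct2(channel):
    """Step A4 for one channel: separable 2D DCT-II (orthonormal scaling assumed)."""
    n = len(channel)
    c = [[math.sqrt((1 if p == 0 else 2) / n)
          * math.cos((2 * a + 1) * p * math.pi / (2 * n))
          for a in range(n)] for p in range(n)]
    rows = [[sum(c[q][b] * r[b] for b in range(n)) for q in range(n)] for r in channel]
    return [[sum(c[p][a] * rows[a][q] for a in range(n)) for q in range(n)]
            for p in range(n)]

if __name__ == "__main__":
    img = to_image(grams(hex_stream(SAMPLE)))
    lit = sorted((x, y) for y, row in enumerate(img) for x, v in enumerate(row) if any(v))
    print(lit)
    # Pure-Python DCT is O(n^3); demonstrate it on an 8 x 8 corner of the red channel.
    red = [[img[y][x][0] for x in range(8)] for y in range(8)]
    print(round(dct2(red)[0][0], 3))
```

Because each 3-byte fragment writes only two pixels, a large classes.dex file produces many coordinate collisions, so the resulting image depends on fragment order under the overwrite assumption.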
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210483736.3A CN114579970B (en) | 2022-05-06 | 2022-05-06 | Convolutional neural network-based android malicious software detection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114579970A CN114579970A (en) | 2022-06-03 |
CN114579970B true CN114579970B (en) | 2022-07-22 |
Family
ID=81785444
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210483736.3A Active CN114579970B (en) | 2022-05-06 | 2022-05-06 | Convolutional neural network-based android malicious software detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114579970B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118246012B (en) * | 2024-03-29 | 2024-11-01 | 广东工业大学 | Android malicious software detection method and system based on EPM-MCNET neural network |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106096405A (en) * | 2016-04-26 | 2016-11-09 | 浙江工业大学 | A kind of Android malicious code detecting method abstract based on Dalvik instruction |
CN106096411A (en) * | 2016-06-08 | 2016-11-09 | 浙江工业大学 | A kind of Android malicious code family classification method based on bytecode image clustering |
CN107103235A (en) * | 2017-02-27 | 2017-08-29 | 广东工业大学 | A kind of Android malware detection method based on convolutional neural networks |
CN107646190A (en) * | 2015-03-17 | 2018-01-30 | 英国电讯有限公司 | Identified using the malice refined net flow of Fourier transformation |
CN108717512A (en) * | 2018-05-16 | 2018-10-30 | 中国人民解放军陆军炮兵防空兵学院郑州校区 | A kind of malicious code sorting technique based on convolutional neural networks |
CN108846284A (en) * | 2018-06-29 | 2018-11-20 | 浙江工业大学 | A kind of Android malicious application detection method based on bytecode image and deep learning |
CN110084737A (en) * | 2019-05-10 | 2019-08-02 | 钱涛 | A kind of watermark insertion and extracting method based on two-dimensional adaptive Fourier decomposition |
CN110427756A (en) * | 2019-06-20 | 2019-11-08 | 中国人民解放军战略支援部队信息工程大学 | Android malware detection method and device based on capsule network |
CN112100619A (en) * | 2019-06-18 | 2020-12-18 | 深信服科技股份有限公司 | Malicious file detection method, system, equipment and computer storage medium |
CN114091028A (en) * | 2022-01-19 | 2022-02-25 | 南京明博互联网安全创新研究院有限公司 | Android application information leakage detection method based on data flow |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2942563C (en) * | 2014-03-24 | 2019-01-22 | Vendwatch Telematics, Llc | Systems and methods for installation of a remotely monitored vending network |
KR101720686B1 (en) * | 2014-10-21 | 2017-03-28 | 한국전자통신연구원 | Apparaus and method for detecting malcious application based on visualization similarity |
WO2016146609A1 (en) * | 2015-03-17 | 2016-09-22 | British Telecommunications Public Limited Company | Learned profiles for malicious encrypted network traffic identification |
CN109165688A (en) * | 2018-08-28 | 2019-01-08 | 暨南大学 | A kind of Android Malware family classification device construction method and its classification method |
Non-Patent Citations (7)
Title |
---|
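《An Automated Vision-Based Deep Learning Model for Efficient Detection of Android Malware Attacks》; Iman Almomani et al.; 《IEEE Access》; 20220104; Vol. 10; pp. 2700-2720 * |
《KRProtector: Detection and Files Protection for IoT devices on Android without ROOT against Ransomware Based on Decoys》; Senmiao Wang et al.; 《IEEE Internet of Things Journal》; 20220304; full text * |
《Research on Quantum Algorithm Attacks on the NTRU Public-Key Cryptosystem》; Dong Jing et al.; 《Journal of Cryptologic Research》; 20210630; Vol. 8 (No. 6); pp. 948-959 * |
《A Certificateless Multi-Signature Scheme Based on RSA》; Liu Li et al.; 《Journal of Sichuan University (Engineering Science Edition)》; 20160229; Vol. 48 (No. 2); pp. 162-168 * |
《Research on a Multi-Level Detection Method for Android Repackaged Applications Based on Combined Dynamic and Static Analysis》; Song Zhiyong; 《China Master's Theses Full-text Database》; 20220430; Information Science and Technology series I138-41 * |
《Research on Malware Detection Technology Based on Image Analysis》; Zhang Jian et al.; 《Netinfo Security》; 20191031 (No. 10); pp. 24-31 * |
《Research on Security Issues of Industrial Control Systems in the Mobile Internet Environment》; Shi Yijie et al.; 《China Doctoral Dissertations Full-text Database (Electronic Journal)》; 20180228; Information Science and Technology series I140-61 * |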
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||