CN114640502A - Android malicious software detection method and detection system based on traffic fingerprint and graph data characteristics - Google Patents
- Publication number
- CN114640502A
- Authority
- CN
- China
- Prior art keywords
- graph
- clusters
- fingerprint
- features
- destination
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/211—Selection of the most significant subset of features
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/231—Hierarchical techniques, i.e. dividing or merging pattern sets so as to obtain a dendrogram
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
The invention discloses an Android malware detection method and detection system based on traffic fingerprints and graph data features, comprising the following steps. Generating a traffic fingerprint: first acquiring the network traffic generated while an application runs, cleaning the traffic data, and extracting destination features and time features from it; clustering the destination features according to the time features to obtain a plurality of clusters; associating the clusters by analyzing the time correlation between them to generate a complete graph; and finally generating a traffic fingerprint from the complete graph. Performing graph decomposition. Constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model. Classifying. Issuing a warning.
Description
Technical Field
The invention relates to the field of Android malware detection, and in particular to an Android malware detection method and detection system based on traffic fingerprints and graph data features.
Background
Android malware detection based on network traffic has long been a focus of research. Since leaked private data is mostly transmitted over the network, the traffic data generated while an application runs has become a key object of analysis.
Most traditional traffic-based detection schemes mainly perform anomaly detection, and the features they rely on are easy for attackers to evade. In addition, since most applications communicate with third-party public libraries, these applications share many network traffic characteristics.
In summary, given the homogeneous, dynamic and iterative nature of network traffic, a new detection method is needed to avoid the above problems.
Disclosure of Invention
In view of the above, the present invention provides a method and a system for detecting Android malware based on traffic fingerprints and graph data features, so as to solve the technical problems described in the Background. The invention uses a graph convolutional neural network to protect users' private information.
To achieve this purpose, the invention adopts the following technical solution:
An Android malware detection method based on traffic fingerprints and graph data features, comprising the following steps:
step S1, generating a traffic fingerprint, including: first acquiring the network traffic generated while an application runs, cleaning the traffic data, and extracting destination features and time features from it; clustering the destination features according to the time features to obtain a plurality of clusters; associating the clusters by analyzing the time correlation between them to generate a complete graph; and finally generating a traffic fingerprint from the complete graph;
step S2, performing graph decomposition, including: decomposing the traffic fingerprint obtained in step S1 into a two-dimensional adjacency matrix, a node feature vector, an edge feature vector, a graph indicator vector, and a graph label vector;
step S3, constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model;
step S4, classifying, including: inputting the five data items obtained by the graph decomposition in step S2 into the Android malware detection model obtained in step S3 for detection to obtain a label, wherein the label is a malicious domain name or a benign domain name;
step S5, warning, including: if the obtained domain name is a malicious domain name, warning the user.
Further, in step S1, the data is cleaned by removing network traffic in which messages and acknowledgment numbers have been lost.
Further, in step S1, the destination features and time features are extracted from TCP and UDP streams.
Further, in step S1, the destination features include the destination IP and port number, and the time features are obtained by segmenting the network traffic according to a preset time interval, wherein the time features represent the time correlation between destinations.
Further, in step S1, while the destination features are clustered, a size feature of each cluster is obtained, where the size feature represents the size of the session flow for the current destination IP and destination port number.
Further, in step S1, associating the clusters by analyzing the time correlation between them to generate a complete graph specifically includes:
first, the time correlation between every pair of clusters is measured by formula (1), which is expressed as:
In formula (1), $c_i$ and $c_j$ denote the two different clusters whose time correlation is measured. Each cluster is segmented according to a time interval $T$, where $T$ is set to 30 s. Within a time interval, if cluster $c_i$ sends or receives at least one message to or from the target cluster, activity is considered to exist between the two clusters, denoted $c_i[t] = 1$; otherwise, $c_i[t] = 0$;
then, a time correlation threshold is set, the cluster pairs above the threshold are selected, and a normalization operation is performed on them; the normalized value is regarded as an undirected edge between two nodes, with a value range of [0,1], so that an undirected correlation graph is obtained, wherein the normalization operation is carried out through formula (2).
Further, in step S1, generating a traffic fingerprint from the complete graph specifically includes:
for the undirected correlation graph, setting the correlation threshold to 0.1, deleting the edges whose correlation value is less than 0.1 and keeping the remaining edges to obtain complete subgraphs, and extracting the information of the clusters in each complete subgraph as a fingerprint, wherein the destination IPs and port numbers in the clusters and the TLS certificates are combined into a set and stored in JSON file format, and each JSON file is the fingerprint generated by an application.
An Android malware detection system based on traffic fingerprints and graph data features, the detection system comprising:
a fingerprint generation module, comprising: first acquiring the network traffic generated while an application runs, cleaning the traffic data, and extracting destination features and time features from it; clustering the destination features according to the time features to obtain a plurality of clusters; associating the clusters by analyzing the time correlation between them to generate a complete graph; and finally generating a traffic fingerprint from the complete graph;
a graph decomposition module, comprising: decomposing the acquired traffic fingerprint into a two-dimensional adjacency matrix, a node feature vector, an edge feature vector, a graph indicator vector and a graph label vector;
a training module, comprising: constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model;
a classification module, comprising: inputting the five data items obtained by the graph decomposition into the Android malware detection model for detection to obtain a label, wherein the label is a malicious domain name or a benign domain name;
a warning module, comprising: if the obtained domain name is a malicious domain name, warning the user.
The invention has the beneficial effects that:
1. The invention detects malware by generating application fingerprints, which can completely cover the applications appearing on the network and reduces the false alarm rate after mobile applications are updated and iterated.
2. In an encrypted network traffic environment, the invention uses time features and the time correlation between destination addresses, which reduces the difficulty of feature extraction.
3. The invention adopts a hierarchical pooling architecture based on a self-attention mechanism, with graph convolutional neural network layers as the convolution layers, so that the method can learn not only the features of the clusters in the traffic fingerprint but also the association information among the clusters.
Drawings
Fig. 1 is a schematic structural diagram of an android malware detection system based on traffic fingerprints and graph data features provided in embodiment 1.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to Fig. 1, this embodiment provides an Android malware detection system based on traffic fingerprints and graph data features, where the detection system includes:
a fingerprint generation module, comprising: first acquiring the network traffic generated while an application runs, cleaning the traffic data, and extracting destination features and time features from it; clustering the destination features according to the time features to obtain a plurality of clusters; associating the clusters by analyzing the time correlation between them to generate a complete graph; and finally generating a traffic fingerprint from the complete graph;
a graph decomposition module, comprising: decomposing the acquired traffic fingerprint into a two-dimensional adjacency matrix, a node feature vector, an edge feature vector, a graph indicator vector and a graph label vector;
a training module, omitted from the block diagram and not shown, comprising: constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model;
a classification module, comprising: inputting the five data items obtained by the graph decomposition into the Android malware detection model for detection to obtain a label, wherein the label is a malicious domain name or a benign domain name;
a warning module, omitted from the block diagram and not shown, comprising: if the obtained domain name is a malicious domain name, warning the user.
Example 2
This embodiment provides an Android malware detection method based on traffic fingerprints and graph data features, which comprises the following steps:
step 1, generating a fingerprint, comprising the following steps:
step 101, data preprocessing, including traffic data cleaning and feature extraction;
step 102, clustering the traffic according to time features;
step 103, associating the dispersed clusters using the time correlation among the clusters;
step 104, constructing the application traffic fingerprint;
step 2, performing graph decomposition: because an application fingerprint is by nature a strongly correlated undirected graph, the fingerprint is further decomposed into a two-dimensional adjacency matrix, a node feature vector, an edge feature vector, a graph indicator vector and a graph label vector for input to the subsequent steps;
step 4, constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model;
step 5, classification: the input of this step is the five files generated by module 2, and the output is the category label corresponding to the fingerprint of each application, where 0 represents a benign application and 1 represents a malicious application.
Specifically, in this embodiment, step 101, data preprocessing including traffic data cleaning and feature extraction, is performed as follows:
The network traffic generated when each mobile application runs is used as input, mainly targeting the TCP messages in the network traffic. During communication, messages and acknowledgment numbers may be lost because of network problems and the like, and such traffic may interfere with and contaminate subsequent feature extraction and fingerprint generation.
This embodiment extracts features from TCP and UDP streams mainly along two dimensions, destination and time. More specifically:
Destination features: mainly the destination IP and port number. Each application communicates with fixed servers, so its communication addresses are relatively fixed. Besides extracting the destination IP and port number from the encrypted network traffic, the domain names an application communicates with can also be extracted from DNS traffic. Although domain name information can enrich the destination address features, because of DNS caching these data cannot be used to generate fingerprints, so the scheme proposed in this embodiment does not use domain names as features.
Time features: when generating the application fingerprint, this embodiment segments the network traffic by time in order to study the time correlation between destinations.
Specifically, in this embodiment, step 102 clusters the traffic according to the time features. The specific process is as follows:
The input data is first divided into given time intervals, here set to 5 minutes.
After the data is divided into the given time intervals, clustering is carried out according to the destination IP and destination port number of each TCP/UDP flow, and the size feature of each cluster is obtained at the same time. The size feature here is not the application's upload or download volume in the conventional sense, but the size of the session flow for the current destination IP and destination port number.
Specifically, in this embodiment, step 103 uses the time correlation between clusters to associate the dispersed clusters. The specific process is as follows:
The scattered clusters are associated using the time correlation among them to generate a complete, associated graph.
To measure the correlation between clusters, the correlation of all clusters is calculated using the following formula:
Within a given time interval, if cluster $c_i$ sends or receives at least one message to or from the target cluster, activity is considered to exist between the two clusters, denoted $c_i[t] = 1$; otherwise, $c_i[t] = 0$. If the time correlation between two nodes is strong, the value is high, so it needs to be normalized, as shown in the formula;
The normalized value can be regarded as an undirected edge between two nodes, with a value range of [0,1]. An undirected correlation graph is therefore obtained through correlation clustering of the destination addresses. The higher the value of an edge, the higher the correlation between the two destination addresses within a given time; the lower the value, the lower the correlation.
Specifically, in this embodiment, step 104 constructs the application traffic fingerprint. The specific process is as follows:
Edges with weak correlation are removed from the correlation graph, with the threshold set to 0.1; what remains are complete subgraphs of strongly correlated clusters. The information of the clusters in the graph is extracted as the fingerprint, and because all graphs are complete subgraphs the fingerprint does not contain any additional information. The destination IPs and port numbers in the clusters and the TLS certificates are combined into a set and stored as JSON files, each JSON file being the fingerprint generated by an application.
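Steps 102 to 104 above, worked through as an added Python example (not code from the patent). Formulas (1) and (2) are not reproduced on this page, so `correlation` is an assumed stand-in: the number of 30 s slices in which both clusters are active, divided by the number in which either is active. The flow records, field names and certificate ids are constructed.

```python
import json
from collections import defaultdict
from itertools import combinations

BATCH = 300       # seconds per clustering window (the page's 5 minutes)
SLICE = 30        # seconds per activity slice (the page's T = 30 s)
THRESHOLD = 0.1   # edges with a lower correlation are deleted

# Constructed sample flows, assumed already cleaned:
# (timestamp_s, dst_ip, dst_port, session_bytes, tls_cert_id or None)
FLOWS = [
    (5, "192.0.2.10", 443, 1200, "cert-A"),
    (35, "192.0.2.10", 443, 900, "cert-A"),
    (65, "192.0.2.10", 443, 400, "cert-A"),
    (125, "192.0.2.10", 443, 700, "cert-A"),
    (8, "198.51.100.7", 443, 300, "cert-B"),
    (40, "198.51.100.7", 443, 350, "cert-B"),
    (70, "198.51.100.7", 443, 280, "cert-B"),
    (200, "203.0.113.5", 53, 90, None),
    (260, "203.0.113.5", 53, 95, None),
    (130, "203.0.113.9", 8080, 5000, None),
    (290, "203.0.113.9", 8080, 4800, None),
]

def cluster(flows):
    """Step 102: group one batch by (dst_ip, dst_port); track size and activity."""
    clusters = defaultdict(lambda: {"size": 0, "certs": set(), "active": set()})
    for ts, ip, port, nbytes, cert in flows:
        if not 0 <= ts < BATCH:
            continue  # outside this batch window
        c = clusters[(ip, port)]
        c["size"] += nbytes                    # session-flow size of the cluster
        c["active"].add(int(ts // SLICE))      # slice t where c[t] = 1
        if cert:
            c["certs"].add(cert)
    return dict(clusters)

def correlation(a, b):
    """Assumed normalized correlation in [0, 1] between two clusters."""
    either = a["active"] | b["active"]
    return len(a["active"] & b["active"]) / len(either) if either else 0.0

def correlation_graph(clusters):
    """Step 103: weighted undirected edges, keeping only those >= THRESHOLD."""
    edges = {}
    for u, v in combinations(sorted(clusters), 2):
        w = correlation(clusters[u], clusters[v])
        if w >= THRESHOLD:
            edges[(u, v)] = w
    return edges

def maximal_cliques(nodes, edges):
    """Complete subgraphs of the pruned graph (Bron-Kerbosch, no pivoting)."""
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    found = []
    def expand(r, p, x):
        if not p and not x:
            found.append(sorted(r))
            return
        for n in list(p):
            expand(r | {n}, p & adj[n], x & adj[n])
            p, x = p - {n}, x | {n}
    expand(set(), set(nodes), set())
    return sorted(found)

def fingerprint(flows):
    """Step 104: one destination/certificate set per complete subgraph."""
    clusters = cluster(flows)
    edges = correlation_graph(clusters)
    fps = []
    for clique in maximal_cliques(clusters, edges):
        certs = set().union(*(clusters[n]["certs"] for n in clique))
        fps.append({
            "destinations": [f"{ip}:{port}" for ip, port in clique],
            "certificates": sorted(certs),
        })
    return fps, edges

if __name__ == "__main__":
    fps, edges = fingerprint(FLOWS)
    print(json.dumps(fps, indent=2))
```

In the sample, the DNS-like destination never shares a slice with the others, so it ends up as a single-node subgraph of its own.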
Specifically, in this embodiment, step 5 includes:
The algorithm model of the invention uses SAGPool, a graph pooling method based on a self-attention mechanism. The method learns hierarchical representations end to end using relatively few parameters. The invention adopts the hierarchical pooling architecture of the SAGPool algorithm; the architecture is divided into three layers, each consisting of a graph convolution layer and a graph pooling layer. The outputs of the layers are summed, and the sum is then fed to the linear layers for classification.
In summary, in view of the homogeneous, dynamic and iterative nature of network traffic, the invention generates application fingerprints by exploiting the fact that the network destination addresses influenced by users are limited, and provides an Android malware detection scheme based on traffic fingerprints and graph data features. Generating application fingerprints from network traffic to detect malware makes it possible to completely cover the applications appearing in the network and reduces the false alarm rate after applications are updated and iterated.
A deeper analysis of application fingerprints shows that they are essentially strongly correlated undirected graphs with an irregular spatial structure. Each node in a fingerprint represents a group of clusters with the same destination address, and besides the feature information of the nodes there is also structural information, that is, certain relationships exist between the clusters. Because the translation invariance of convolutional neural networks does not apply to irregular graph data, the scheme uses a graph convolutional neural network model, whose advantage is that it can automatically learn both the features of the clusters in the traffic fingerprint and the association information among the clusters. Experiments show that the method achieves high classification and detection results for different types of malware, with high robustness and generalization.
Matters not described in detail in the invention are well known to those skilled in the art.
The foregoing detailed description of the preferred embodiments of the invention has been presented. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.
Claims (8)
1. An Android malware detection method based on traffic fingerprints and graph data features, characterized by comprising the following steps:
step S1, generating a traffic fingerprint, including: first acquiring the network traffic generated while an application runs, cleaning the traffic data, and extracting destination features and time features from it; clustering the destination features according to the time features to obtain a plurality of clusters; associating the clusters by analyzing the time correlation between them to generate a complete graph; and finally generating a traffic fingerprint from the complete graph;
step S2, performing graph decomposition, including: decomposing the traffic fingerprint obtained in step S1 into a two-dimensional adjacency matrix, a node feature vector, an edge feature vector, a graph indicator vector, and a graph label vector;
step S3, constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model;
step S4, classifying, including: inputting the five data items obtained by the graph decomposition in step S2 into the Android malware detection model obtained in step S3 for detection to obtain a label, wherein the label is a malicious domain name or a benign domain name;
step S5, warning, including: if the obtained domain name is a malicious domain name, warning the user.
2. The Android malware detection method based on traffic fingerprints and graph data features according to claim 1, wherein in step S1, the data is cleaned by removing network traffic in which messages and acknowledgment numbers have been lost.
3. The Android malware detection method according to claim 2, wherein in step S1, the destination features and time features are extracted from TCP and UDP streams.
4. The method as claimed in claim 3, wherein in step S1, the destination features include the destination IP and port number, and the time features are obtained by segmenting the network traffic according to a preset time interval, wherein the time features represent the time correlation between destinations.
5. The method as claimed in claim 4, wherein in step S1, a size feature of each cluster is obtained while the destination features are clustered, wherein the size feature represents the size of the session flow for the current destination IP and destination port number.
6. The method according to claim 5, wherein in step S1, associating the clusters by analyzing the time correlation between them to generate a complete graph specifically includes:
first, the time correlation between every pair of clusters is measured by formula (1), which is expressed as:
In formula (1), $c_i$ and $c_j$ denote the two different clusters whose time correlation is measured. Each cluster is segmented according to a time interval $T$, where $T$ is set to 30 s. Within a time interval, if cluster $c_i$ sends or receives at least one message to or from the target cluster, activity is considered to exist between the two clusters, denoted $c_i[t] = 1$; otherwise, $c_i[t] = 0$;
then, a time correlation threshold is set, the cluster pairs above the threshold are selected, and a normalization operation is performed on them; the normalized value is regarded as an undirected edge between two nodes, with a value range of [0,1], so that an undirected correlation graph is obtained, wherein the normalization operation is carried out through formula (2).
7. The Android malware detection method according to claim 6, wherein in step S1, generating a traffic fingerprint from the complete graph specifically includes:
for the undirected correlation graph, setting the correlation threshold to 0.1, deleting the edges whose correlation value is less than 0.1 and keeping the remaining edges to obtain complete subgraphs, and extracting the information of the clusters in each complete subgraph as a fingerprint, wherein the destination IPs and port numbers in the clusters and the TLS certificates are combined into a set and stored in JSON file format, and each JSON file is the fingerprint generated by an application.
8. An Android malware detection system based on traffic fingerprints and graph data features, the detection system comprising:
a fingerprint generation module, comprising: first acquiring the network traffic generated while an application runs, cleaning the traffic data, and extracting destination features and time features from it; clustering the destination features according to the time features to obtain a plurality of clusters; associating the clusters by analyzing the time correlation between them to generate a complete graph; and finally generating a traffic fingerprint from the complete graph;
a graph decomposition module, comprising: decomposing the acquired traffic fingerprint into a two-dimensional adjacency matrix, a node feature vector, an edge feature vector, a graph indicator vector and a graph label vector;
a training module, comprising: constructing a graph convolutional neural network model and training it with the graph pooling method SAGPool to obtain an Android malware detection model;
a classification module, comprising: inputting the five data items obtained by the graph decomposition into the Android malware detection model for detection to obtain a label, wherein the label is a malicious domain name or a benign domain name;
a warning module, comprising: if the obtained domain name is a malicious domain name, warning the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210144962.9A CN114640502A (en) | 2022-02-17 | 2022-02-17 | Android malicious software detection method and detection system based on traffic fingerprint and graph data characteristics |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114640502A (en) | 2022-06-17 |
Family
ID=81946773
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210144962.9A Pending CN114640502A (en) | 2022-02-17 | 2022-02-17 | Android malicious software detection method and detection system based on traffic fingerprint and graph data characteristics |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114640502A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112291277A (en) * | 2020-12-29 | 2021-01-29 | 腾讯科技(深圳)有限公司 | Malicious software detection method, device, equipment and storage medium |
CN112966271A (en) * | 2021-03-18 | 2021-06-15 | 中山大学 | Malicious software detection method based on graph convolution network |
CN113591085A (en) * | 2021-07-27 | 2021-11-02 | 深圳市纽创信安科技开发有限公司 | Android malicious application detection method, device and equipment |
CN113821799A (en) * | 2021-09-07 | 2021-12-21 | 南京邮电大学 | Multi-label classification method for malicious software based on graph convolution neural network |
WO2022011977A1 (en) * | 2020-07-15 | 2022-01-20 | 中国科学院深圳先进技术研究院 | Network anomaly detection method and system, terminal and storage medium |
Non-Patent Citations (2)
Title |
---|
张雪涛 et al.: "GCN-based Android malware detection model", 《软件导刊》 * |
李煳桦: "Malware detection method based on deep learning", 《中国优秀硕士学位论文全文数据库(电子期刊)》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20220617 |