CN117034218A - Apk confusion mechanism detection method based on graph attention network and NLP word embedding model - Google Patents
Apk confusion mechanism detection method based on graph attention network and NLP word embedding model Download PDFInfo
- Publication number
- CN117034218A CN117034218A CN202310897727.3A CN202310897727A CN117034218A CN 117034218 A CN117034218 A CN 117034218A CN 202310897727 A CN202310897727 A CN 202310897727A CN 117034218 A CN117034218 A CN 117034218A
- Authority
- CN
- China
- Prior art keywords
- apk
- confusion
- code
- detected
- graph
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 48
- 230000007246 mechanism Effects 0.000 title claims abstract description 20
- 239000013598 vector Substances 0.000 claims abstract description 61
- 239000011159 matrix material Substances 0.000 claims abstract description 25
- 238000012549 training Methods 0.000 claims abstract description 14
- 238000004458 analytical method Methods 0.000 claims abstract description 9
- 238000010586 diagram Methods 0.000 claims abstract description 9
- 230000003068 static effect Effects 0.000 claims abstract description 7
- 238000012935 Averaging Methods 0.000 claims abstract description 6
- 238000000034 method Methods 0.000 claims description 29
- 238000012545 processing Methods 0.000 claims description 18
- 238000013528 artificial neural network Methods 0.000 claims description 9
- 238000000605 extraction Methods 0.000 claims description 9
- 238000004886 process control Methods 0.000 claims description 6
- 230000005540 biological transmission Effects 0.000 claims description 5
- 230000009467 reduction Effects 0.000 claims description 5
- 238000003062 neural network model Methods 0.000 claims description 4
- 230000008569 process Effects 0.000 claims description 4
- 238000012546 transfer Methods 0.000 claims description 4
- 230000006870 function Effects 0.000 description 19
- 238000005516 engineering process Methods 0.000 description 7
- 239000000203 mixture Substances 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005206 flow analysis Methods 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 210000002569 neuron Anatomy 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/042—Knowledge-based neural networks; Logical representations of neural networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
- G06N3/0442—Recurrent networks, e.g. Hopfield networks characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/0464—Convolutional networks [CNN, ConvNet]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- Computational Linguistics (AREA)
- Mathematical Physics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Computing Systems (AREA)
- Molecular Biology (AREA)
- Evolutionary Computation (AREA)
- Virology (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Stored Programmes (AREA)
Abstract
The application provides an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model, which obtains an initial ICFG by acquiring apk to be detected and performing static analysis; regularizing each jimple instruction of the apk to be detected, and obtaining a vector corresponding to each instruction; accumulating and averaging the vectors according to the corresponding dimension to obtain the vector of each basic block, and combining the ICFG structural information to obtain a final code attribute map; and obtaining the confusion type of the apk to be detected by training the confusion detection model completed by the basic block feature matrix and the adjacent matrix of the final code attribute diagram. According to the application, the word2vec model is used for converting the jimple code block into the vector, so that semantic information of the jimple code can be integrated to the greatest extent, and structural information of the jimple code block can be learned by combining the GAT model, thereby having higher accuracy.
Description
Technical Field
The application belongs to the technical field of network security, and particularly relates to an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model.
Background
Due to the development of code confusion technology, more and more malicious software writers can modify malicious codes of software through the confusion technology, so that the codes are difficult to be found by an automatic malicious code detection tool, the codes still have malicious functions, and the use of the confusion technology in the aspect of malicious codes also improves the difficulty for technicians to reverse malicious code software. Therefore, the detection of the code obfuscation method is helpful for quickly determining the obfuscation method of malicious codes, and facilitates the detection of the malicious property of software and the reverse analysis of a security reverse engineer.
The prior technical scheme discloses a function level confusion detection method (application number is 202011521368.4) based on a graph convolution neural network, the scheme detects a function level confusion mechanism, and the scheme has low adaptability to a complex confusion mechanism. In addition, when the scheme is used for extracting the features, the statistical features in the decompilation instruction are selected, and the extraction of code semantic information is lacked, so that the recognition accuracy of the scheme is low.
Disclosure of Invention
In order to solve the problems in the prior art, the application provides an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model. The technical problems to be solved by the application are realized by the following technical scheme:
the application provides an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model, which comprises the following steps:
s100, acquiring an apk to be detected, and performing flow analysis on the apk to be detected to obtain an initial inter-process control flow graph ICFG of the apk to be detected; the initial ICFG includes: a call graph CG of the function and Jimple code blocks within each function, each Jimple code block including a plurality of instructions;
s200, carrying out corresponding regularization processing on each instruction of the apk to be detected, and converting the processed instructions into vectors;
s300, accumulating and averaging vectors corresponding to each instruction according to corresponding dimensions to obtain detection vectors of each Jimpe code block, and introducing the detection vectors into an initial ICFG to obtain a final code attribute map of apk to be detected;
s400, carrying out information transfer, overall information extraction and loss processing on the basic block feature matrix and the adjacent matrix of the final code attribute diagram through the trained confusion detection model to obtain the confusion class of the apk to be detected.
The application provides an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model, which comprises the steps of obtaining an apk to be detected, carrying out static analysis on the apk to be detected to obtain an initial inter-process control flow graph ICFG of the apk to be detected, converting each instruction of the apk to be detected into a vector, and carrying out regularization treatment on each vector to obtain a vector corresponding to each instruction; the vector corresponding to each instruction is accumulated and averaged according to the corresponding dimension to obtain a detection vector of each Jimpe code block, and the detection vector is introduced into an initial ICFG to obtain a final code attribute diagram of apk to be detected; and carrying out information transfer, overall information extraction and loss processing on the basic block feature matrix and the adjacent matrix of the final code attribute diagram through the trained confusion detection model to obtain the confusion type of the apk to be detected. According to the application, the jtime code block of the apk is obtained, and the word2vec model is used for converting the jtime code block into the vector, so that semantic information of the jtime code can be integrated to the greatest extent, and structural information of the jtime code block is learned by combining with GAT, so that the method has higher accuracy compared with other neural network methods.
The present application will be described in further detail with reference to the accompanying drawings and examples.
Drawings
FIG. 1 is a flow diagram of an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model;
FIG. 2 is an exemplary schematic diagram of an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model provided by the present application;
FIG. 3 is a schematic diagram of a training confusion detection model provided by the present application.
Detailed Description
The present application will be described in further detail with reference to specific examples, but embodiments of the present application are not limited thereto.
With reference to fig. 1 and fig. 2, the present application provides an apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model, which includes:
s100, acquiring an apk to be detected, and performing static analysis on the apk to be detected to obtain an initial inter-process control flow graph ICFG of the apk to be detected; the initial ICFG includes: a call graph CG of the function and Jimple code blocks within each function, each Jimple code block including a plurality of instructions;
s200, carrying out corresponding regularization processing on each instruction of the apk to be detected, and converting the processed instructions into vectors;
the S200 of the present application includes:
s210, converting each instruction into a vector by using a preset word2vec model;
since there are various NLP Word embedding models, word2Vec of the present application can be replaced with Glove, fastText, doc2Vec or the like.
S220, regularizing each vector to remove the custom variable names in the Jimple code block, and obtaining the code text of the Jimple code block;
noteworthy are: the jimple code block is the code that results after apk is processed using flowdrop. word2vec is a model of natural language data processing, the model is trained by inputting text, and after training is completed, a command of a jimple code is input, and a corresponding vector is output.
After the application is processed by the flowdroid, the calling Graph (Call Graph) of apk and the inter-calling relation between functions can be obtained and displayed. Thus, the application obtains a graph structure, and after obtaining the graph structure, the vector of each node in the graph needs to be determined, namely, the code block corresponding to each method is converted into the vector, and the dimensions of the vectors are necessarily the same, or no training is performed.
The application carries out corresponding regularization processing on each vector so as to reduce code differences introduced by user-defined variables. The regularization processing method is to convert all the custom variable names into the same variable name, so as to reduce the code difference introduced by the custom variable, remove the custom variable names in the jimage code and only leave the corresponding jimage code. Then the processed code text is put into a word2vec file for training, so that the vector corresponding to each jimple instruction can be obtained.
S230, the code text is put into a word2vec file for training, so that vectors corresponding to each instruction are obtained, and the dimensions of all vectors are the same.
S300, accumulating and averaging vectors corresponding to each instruction according to corresponding dimensions to obtain detection vectors of each Jimpe code block, and introducing the detection vectors into an initial ICFG to obtain a final code attribute map of apk to be detected;
the S300 of the present application includes:
s310, carrying out accumulated averaging on vectors corresponding to each instruction according to corresponding dimensions to obtain an average vector;
s320, determining the average vector as the vector of the jimple code block.
The method of converting the present application into vectors uses word2vec, the number of instructions in each code block is definitely different, so for unification, the present application uses word2vec to convert each instruction in each code block into a vector, thus processing the code blocks the present application obtains a plurality of vectors, and then uses an average method to convert the vectors into a vector. For example, assume a method with two instructions, which are processed by [ [1,2,3], [5,6,7] ], then averaged by ([ 1,2,3] + [5,6,7 ])/2= [3,4,5], and then each code block is processed accordingly. Then, the vector dimensions of all the functions of the application are unified, and then the vector and the call graph are combined to obtain a complete graph structure. The previously obtained call graph is a vector value without each node, the vector value needs to be calculated, and the complete graph structure can be obtained by combining the call graph, so that the training or the identification of the neural network can be performed.
After the vector of the corresponding jimple instruction is obtained, the vector in each code block is accumulated and then is averaged to obtain the vector of each code block.
S400, carrying out information transfer, overall information extraction and loss processing on the basic block feature matrix and the adjacent matrix of the final code attribute diagram through the trained confusion detection model to obtain the confusion class of the apk to be detected.
The S400 of the present application includes:
s410, determining a basic block feature matrix and an adjacent matrix of a final code attribute map;
s420, transmitting the basic block feature matrix and the adjacent matrix through each layer of the trained confusion detection model, and performing dimension reduction, splicing, overall information extraction and loss processing in the transmission process to obtain the confusion class of the apk to be detected.
S420 of the present application includes:
s421, transmitting the basic block feature matrix and the adjacent matrix through each layer of the trained confusion detection model according to the attention correlation score of each layer of the trained confusion detection model, and performing dimension reduction, splicing, overall information extraction and loss processing in the transmission process to obtain probability distribution of confusion categories of apk to be detected;
s422, determining the confusion category which is larger than the preset probability threshold value as the confusion category of the apk to be detected.
The basic block feature matrix of the final code attribute map is expressed as X ε R N×M The adjacency matrix is denoted as A.epsilon.R N×N . Wherein N represents the total number of nodes, M represents the dimension of each node vector, the application uses a 5-layer GAT graph convolution neural network, and the rule of layer-by-layer propagation is as follows:
wherein,representing the vector value of the ith node at the next level. a, a ij Is an attention cross-correlation score representing the contribution of node j to node i. j is the other node adjacent to node i, and N represents the number of nodes adjacent to node i. Wherein a is ij The calculation is performed by:
wherein W is E R M′×M Is a trainable matrix whose main function is to take charge of h j Is transformed and is subjected to dimension reduction. Is representative of a concatenation of vectors of two nodes, and LeakyReLU represents a nonlinear activation function.
All of the CFGs are combinedIs the embedding summation of the nodes of the whole graph
The LSTM is used for processing the embedding of the graph, the whole information is further extracted, dropout is added, the Dropout is a common regularization method, and the probability of partial neurons being disconnected in the forward transmission and weight updating process effectively avoids the occurrence of the overfitting problem. The LSTM layer outputs s epsilon R k Where k is the number of obfuscated technology categories to be checked:
s=Dropout(LSTM(g)) (7);
processing the output of LSTM using a softmax layer with an output of y ε R k 。
y=softmax(s) (8);
Where y is the probability distribution of all classes, and the class result of the confusion technique used by the function is derived from y.
Referring to fig. 2, the training process for training the completed confusion detection model includes:
s010, acquiring an apk set subjected to confusion processing from a database;
wherein the apk set comprises: common confusion sets, rename confusion sets, encryption confusion sets, reflection confusion sets, code confusion sets, and multi-way mixture confusion sets.
Common confusion: as the name suggests, such methods include simple methods of operation that do not produce a true confusing effect on apk, but which can fool some signature-based malware, including: the apk file is signed with the new signature, and byte codes contained in the class. Dex file are disassembled and reassembled to obtain different versions of the file, etc.
Renaming confusion: in software development, the names of identifiers (variable names, function names, etc.) should make sense to provide good readability and maintainability of the code. However, such an explicit name may reveal relevant functional information of the code. In addition, since the package name uniquely identifies an Android application, its modification is equivalent to installing a new application into the system. Thus, renaming techniques replace each identifier with a obsolete and nonsensical identifier. Although renaming methods and fields does not have any impact on the normal operation of the program, renaming class and package names is more complex because android management.
Encryption confusion: some of the resources required for APK files may be requested at run-time, including local link libraries or text resources that make some string types. These files may be encrypted and decrypted at run-time. In this case, the analyst of the malware needs to get the encrypted key first to complete access to the resource file, but this obfuscation method reduces the efficiency of the software operation.
Reflection confusion: reflection is a property of the java language that allows a class of java to be modified and tested at runtime, which is typically used to invoke a method of a given object. The basic principle of the technology is that the call to the APK file class in the APK executable code is queried instead of the call to the Android system file class, and then the call can not be made by using the reflected API in the calls is checked, so that the inter-call relation in the APK can be covered without influencing the normal operation of the code.
Code confusion: the confusion technology mainly affects the content in the class. Dex file, and specific methods are used for deleting useful information in the debugging process, adding nonsensical arithmetic branches, adding new methods to realize indirect calling and the like.
Confusion of various confusion modes: by a mixture of two or more of the above confusion methods.
S020, carrying out static analysis on each apk in the apk set to obtain an inter-process control flow graph ICFG of each apk;
wherein the ICFG includes a call graph CG of the function and Jimple code blocks within each function, each Jimple code block including a plurality of instructions.
The application adopts FlowDroid open source software which is used in a large amount at present, the FlowDroid is a static stain analysis tool suitable for Android application programs, the sensitivity is improved by using a flow function based on IFDS, meanwhile, the Android life cycle and callback are completely modeled, and a special main method is generated so as to ensure that any available information is not lost, and the tool has higher analysis precision and reliability. The construction of the control flow graph is achieved by the FlowDroid tool obtaining the call graph and the jimple code of each function.
S030, constructing a graph data structure corresponding to each apk according to the ICFG of the apk;
based on the Jimpe code of each function, the application uses word2vec model to convert the Jimpe code into vector, and then combines CG of the function to construct corresponding graph data structure.
S040, establishing a GAT neural network model according to the graph data structure corresponding to each apk and a preset GAT neural network structure;
s050, using the GAT neural network model as a confusion detection model;
and S060, training the confusion detection model to obtain a trained confusion detection model.
According to the application, by obtaining the jtime code block of the apk and using the word2vec model, semantic information of the jtime code can be integrated to the greatest extent, and structural information of the jtime code is learned by combining with GAT, so that the method has higher accuracy compared with other neural network methods. The method directly adopts flowdroid to acquire the jimple code of AndroOBFS Dataset to acquire the data set of the neural network for training of the graph neural network, and compared with certain confusion recognition technologies, the method omits the steps of confusion and labeling of the open source code, and the data set is acquired more conveniently and rapidly.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
Although the application is described herein in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the "a" or "an" does not exclude a plurality.
The foregoing is a further detailed description of the application in connection with the preferred embodiments, and it is not intended that the application be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the application, and these should be considered to be within the scope of the application.
Claims (8)
1. An apk confusion mechanism detection method based on a graph attention network and an NLP word embedding model is characterized by comprising the following steps:
s100, acquiring an apk to be detected, and performing static analysis on the apk to be detected to obtain an initial inter-process control flow graph ICFG of the apk to be detected; the initial ICFG includes: a call graph CG of the function and Jimple code blocks within each function, each Jimple code block including a plurality of instructions;
s200, carrying out corresponding regularization processing on each instruction of the apk to be detected, and converting the processed instructions into vectors;
s300, accumulating and averaging vectors corresponding to each instruction according to corresponding dimensions to obtain a detection vector of each Jimpe code block, and introducing the detection vector into the initial ICFG to obtain a final code attribute diagram of the apk to be detected;
and S400, carrying out information transfer, overall information extraction and loss processing on the basic block feature matrix and the adjacent matrix of the final code attribute map through a trained confusion detection model to obtain the confusion type of the apk to be detected.
2. The apk confusion mechanism detection method based on the graph attention network and the NLP word embedding model according to claim 1, wherein the training process of the trained confusion detection model comprises the following steps:
s010, acquiring an apk set subjected to confusion processing from a database;
s020, carrying out static analysis on each apk in the apk set to obtain an inter-process control flow graph ICFG of each apk;
s030, constructing a graph data structure corresponding to each apk according to the ICFG of the apk;
s040, establishing a GAT neural network model according to the graph data structure corresponding to each apk and a preset GAT neural network structure;
s050, using the GAT neural network model as a confusion detection model;
and S060, training the confusion detection model to obtain a trained confusion detection model.
3. The method for detecting apk confusion mechanism based on graph attention network and NLP word embedding model according to claim 2, wherein the apk set in S010 comprises: common confusion sets, renamed confusion sets, encrypted confusion sets, reflection confusion sets, code confusion sets, and confusion sets that are mixed in multiple ways.
4. The apk confusion mechanism detection method based on the graph attention network and the NLP word embedding model according to claim 2, wherein the ICFG in S020 includes a call graph CG of a function and Jimple code blocks within each function, each Jimple code block including a plurality of instructions.
5. The apk confusion mechanism detection method based on the graph attention network and the NLP word embedding model according to claim 1, wherein S200 comprises:
s210, converting each instruction into a vector by using a preset word2vec model;
s220, regularizing each vector to remove the custom variable names in the Jimple code block, and obtaining the code text of the Jimple code block;
s230, putting the code text into a word2vec file for training to obtain vectors corresponding to each instruction, wherein the dimensions of all vectors are the same.
6. The apk confusion mechanism detection method based on the graph attention network and the NLP word embedding model according to claim 1, wherein S300 comprises:
s310, carrying out accumulated averaging on the vectors corresponding to each instruction according to the corresponding dimension to obtain an average vector;
and S320, determining the average vector as a vector of a jimple code block.
7. The apk confusion mechanism detection method based on the graph attention network and the NLP word embedding model of claim 1, wherein S400 comprises:
s410, determining a basic block feature matrix and an adjacent matrix of the final code attribute map;
s420, transmitting the basic block feature matrix and the adjacent matrix through each layer of the trained confusion detection model, and performing dimension reduction, splicing, overall information extraction and loss processing in the transmission process to obtain the confusion class of the apk to be detected.
8. The graph attention network and NLP word embedding model-based apk confusion mechanism detection method of claim 7, wherein S420 comprises:
s421, transmitting the basic block feature matrix and the adjacent matrix through each layer of the trained confusion detection model according to the attention correlation score of each layer, and performing dimension reduction, splicing, overall information extraction and loss processing in the transmission process to obtain probability distribution of the confusion class of the apk to be detected;
s422, determining the confusion category which is larger than a preset probability threshold as the confusion category of the apk to be detected.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310897727.3A CN117034218A (en) | 2023-07-20 | 2023-07-20 | Apk confusion mechanism detection method based on graph attention network and NLP word embedding model |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310897727.3A CN117034218A (en) | 2023-07-20 | 2023-07-20 | Apk confusion mechanism detection method based on graph attention network and NLP word embedding model |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117034218A true CN117034218A (en) | 2023-11-10 |
Family
ID=88642088
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310897727.3A Pending CN117034218A (en) | 2023-07-20 | 2023-07-20 | Apk confusion mechanism detection method based on graph attention network and NLP word embedding model |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117034218A (en) |
-
2023
- 2023-07-20 CN CN202310897727.3A patent/CN117034218A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113360915B (en) | Intelligent contract multi-vulnerability detection method and system based on source code diagram representation learning | |
| Kapitsaki et al. | An insight into license tools for open source software systems | |
| CN113486357B (en) | Intelligent contract security detection method based on static analysis and deep learning | |
| CN106537333A (en) | Systems and methods for a database of software artifacts | |
| Chen et al. | When chatgpt meets smart contract vulnerability detection: How far are we? | |
| Narayana et al. | Automation and smart materials in detecting smart contracts vulnerabilities in Blockchain using deep learning | |
| Liu et al. | Identifying and characterizing silently-evolved methods in the android API | |
| Naeem et al. | Scalable mutation testing using predictive analysis of deep learning model | |
| Sun et al. | Effectiveness of exploring historical commits for developer recommendation: an empirical study | |
| Nam et al. | A bug finder refined by a large set of open-source projects | |
| Nelaturu et al. | Correct-by-design interacting smart contracts and a systematic approach for verifying ERC20 and ERC721 contracts with VeriSolid | |
| Kirschner et al. | Automatic derivation of vulnerability models for software architectures | |
| CN117725592A (en) | Intelligent contract vulnerability detection method based on directed graph annotation network | |
| Cai et al. | Fine-grained smart contract vulnerability detection by heterogeneous code feature learning and automated dataset construction | |
| CN116702157B (en) | Intelligent contract vulnerability detection method based on neural network | |
| US11722324B2 (en) | Secure and accountable execution of robotic process automation | |
| CN110688368B (en) | Component behavior model mining method and device | |
| CN116305131B (en) | Static confusion removing method and system for script | |
| Luo et al. | Code confusion in white box crowdsourced software testing | |
| CN117034218A (en) | Apk confusion mechanism detection method based on graph attention network and NLP word embedding model | |
| Mandloi et al. | A machine learning-based dynamic method for detecting vulnerabilities in smart contracts | |
| Beksultanova et al. | Analysis tools for smart contract security | |
| Montandon et al. | Unboxing default argument breaking changes in Scikit Learn | |
| Zakurdaeva et al. | Detecting architectural integrity violation patterns using machine learning | |
| Cao et al. | LLM-CloudSec: Large Language Model Empowered Automatic and Deep Vulnerability Analysis for Intelligent Clouds |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |