CN111444502B - Population-oriented android malicious software detection model library method - Google Patents


Info

Publication number
CN111444502B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911215882.2A
Other languages
Chinese (zh)
Other versions
CN111444502A (en)
Inventor
余东豪
李涛
余鑫
张晏成
颜松
郑昊天
常远
贾志强
乐金祥
黄甫
谢君臣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Science and Engineering WUSE
Original Assignee
Wuhan University of Science and Engineering WUSE

Classifications

    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G06F18/24323 Tree-organised classifiers
    • G06F2221/033 Test or assess software
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a population-oriented Android malware detection model library method, comprising the following steps: 1) collecting application files, extracting each application's permission usage, integrating it into a permission information matrix, and forming the population information of the application according to category labels; 2) training a classifier on the extracted application permission set; 3) collecting the permission information matrix of the application to be detected, determining its category with the classifier, and taking the population information of the application to be detected as the input of the model library; then finding the identifier pool corresponding to the population in the model library, detecting the application with the identifier that best meets the constraint conditions, and judging whether the application is malicious. Borrowing the idea of biological populations, the method divides applications into different populations by processing their permission features and finds the corresponding recognition algorithm model in the model library by constraint, finally obtaining better recognition results.

Description

Population-oriented android malicious software detection model library method
Technical Field
The invention relates to a malicious software detection technology, in particular to a population-oriented android malicious software detection model library method.
Background
The detection of the malicious nature of Android applications is an uncertainty problem. Heretofore, malware detection methods can be categorized into static detection, dynamic detection, and dynamic-static combination detection. However, with the rise of machine learning and data mining, more and more researchers choose to combine previous dynamic and static detection methods with machine learning techniques.
At present, a detector applied to Android application malicious detection is mainly trained by a machine learning method such as a support vector machine, a random forest, K-means and the like. Various detection methods lay a foundation for Android detection, but have some defects: because of the diversity of Android applications, the use of privacy permissions is a typical uncertainty problem, and it is difficult to distinguish between normal permissions and privacy permissions. There is still a certain disadvantage to using the same detector to achieve detection for all kinds of applications.
Different types of applications need different permissions, so permission use should not be judged from the permission alone or from a single application in isolation, but in light of the function of the app. Take the permission to read the address book: social applications mostly register users by mobile phone number and use the address book to associate users with their friends, so they need this permission to remain fully functional; tool applications such as flashlights and readers do not need it, and requesting it violates the 'principle of least privilege'. The risk posed by the same permission is therefore different for applications of different function types. Applications of similar use have similar functionality, resulting in similar permission requirements.
Therefore, by referring to the concept of population in biology, the invention provides a method suitable for detecting large-scale Android malicious applications based on population angles. The same type of application performs similar functions and the required system permissions are similar. Therefore, we divide the applications of the same function type into a population, set population labels for them, and conduct malicious detection research of Android applications in units of the population.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a population-oriented android malicious software detection model library method.
The technical scheme adopted for solving the technical problems is as follows: a population-oriented android malicious software detection model library method comprises the following steps:
1) Collecting application files, extracting each application's permission usage, integrating it into a permission information matrix, and forming the population information of the application according to category labels; the population information comprises the category label corresponding to each application and the permission information matrix of the application after permission preprocessing;
2) Training a classifier according to the extracted application permission set;
dividing the extracted application permission set into a training set and a test set, wherein the training set is used as the input of the SMO algorithm classifier, so that through continued learning the classifier can classify applications by their permissions; the test set is used to test the classifier and verify its classification effect;
3) Collecting an application to be detected, acquiring its permission information matrix, determining the category of the application with the classifier, grouping applications of the same function type into a population, setting the category label of the population for the application, and taking the population information of the application to be detected as the input of the model library; the model library encapsulates a plurality of population identifier pools, and each identifier pool contains the identifiers generated by training three algorithms: SVM, random forest and fully connected neural network;
and finding the identifier pool corresponding to the population in the model library, detecting the application with the identifier that best meets the constraint conditions, and judging whether the application is malicious.
In the above scheme, in step 2), the classification model is built by training on the data set with the SMO function of Weka.
According to the above scheme, in step 3) the application is detected and its maliciousness is determined as follows:
3.1 According to the category label of the application's population, finding the population identifier pool of the corresponding type in the model library; the population identifier pool comprises an SVM identifier, a random forest identifier and a fully connected neural network identifier;
3.2 According to the constraint conditions, finding the identifier Classifier in the population identifier pool that best meets them; the identifier Classifier is one of the SVM identifier, the random forest identifier and the fully connected neural network identifier;
the constraint conditions are detection accuracy and detection running time;
3.3 The population information of the application is provided as input to Classifier for identification, and the output result R is either benign application or malicious application.
The invention has the beneficial effects that: the invention refers to the thought of biological population, divides the application into different populations by processing the authority characteristics of the application, and finds the corresponding recognition algorithm model in the model library by constraint, thus finally obtaining a better recognition result. The invention has the following characteristics:
(1) When classifying application programs, the more efficient sequential minimal optimization (SMO) algorithm is used, and the accuracy of the classification result for each class reaches more than 85 percent;
(2) When an application program is detected, the corresponding identifier population is automatically found in the model library according to the category of the application program, which improves the identification effect;
(3) By adding constraint conditions, the identifier that best meets them is screened out, so that the identification result is the one the user expects.
The method of the invention not only can detect a large number of application programs at the same time, but also is easy to realize, is simple and convenient to use, and can obtain the result wanted by the user by modifying the constraint. The method provides a new idea for identifying android malicious software.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flow chart of a method of an embodiment of the present invention;
FIG. 2 is a schematic diagram of population information according to an embodiment of the present invention;
FIG. 3 is a classifier training schematic of an embodiment of the invention;
FIG. 4 is a diagram of a test pattern structure according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
As shown in fig. 1, a population-oriented android malicious software detection model library method includes the following steps:
1) Collecting application files, extracting application authority use conditions, integrating the application authority use conditions into an authority information matrix, and forming population information of the application according to category labels; the information of the population comprises category labels corresponding to each application and an authority information matrix of the application after authority pretreatment;
APK files of applications are crawled from the internet with a purpose-written Python program to serve as positive samples, malicious application samples are obtained from VirusShare, and each application's permission usage is extracted and integrated into a permission matrix;
in this embodiment, the 360 application market and the Anzhi application market are selected as data sources; a crawler program written in Python uses the application type labels provided by the websites to crawl applications and store them by type, so that applications are downloaded from the application markets in uninterrupted batches.
The source data acquired by the crawler still needs permission feature extraction before it can serve as the basic data of the experiment. Feature extraction is divided into three stages: decompiling, parsing the XML file, and constructing the feature vector, as follows:
(1) In the decompilation stage, apktool is combined with a Python script to decompile the application and obtain AndroidManifest.xml, the manifest file used when the application is installed;
(2) In the XML parsing stage, with the help of the AAPT (Android Asset Packaging Tool) tool, AndroidManifest file parsing code is written in Python to extract the 'uses-permission' tags and obtain the application's permission information;
(3) After the application permissions are extracted, they are stored in a cloud database with the population as the unit. Since the permission information is scalar, it is stored in the form of a "0-1" matrix, where "1" indicates that the permission feature is present and "0" that it is absent;
thus, the feature data set DataSet divided by population is obtained.
The population is the essential basis of the invention. The apk files are converted into population information data to form a unified input format for model library detection. For each sample, a dimension is marked 1 if the feature exists and 0 if not, as shown in fig. 2.
The Malicious field indicates whether the application is malware: 1 indicates yes and 0 indicates no. The Class field is the category of the application. PackageName is the application package name, which is the unique identifier of the application. The remaining fields are the 144 permissions of the Android system; the value is 1 when the application has the corresponding permission and 0 otherwise.
Applications involved in this embodiment, their rights are a subset of all rights of Android, and the following definitions are given for rights information and population information.
Definition 1 (Android application permissions):
$$\mathit{Permissions} = \{P_i \mid P_i \in \mathit{Android}\}$$
The set of permission information is a subset of all permissions of Android.
Applications of the same function type are treated as one population, and the populations are divided into x classes; the classes can change as the total number of crawled apps grows. The class set is then defined as:
Definition 2 (category labels):
$$\mathit{Class} = \{C_1, C_2, \ldots, C_x\}$$
where $C_x$ is the category label of each population, such as flashlight, camera, player, social chat, etc.;
Definition 3 (population):
$$\mathit{Population} = \{C_x, \mathit{PermissionMatrix}\}$$
where $C_x$ is the category label of each population and PermissionMatrix is the permission information matrix of each application after permission preprocessing, defined as follows:
Definition 4 (permission matrix):
$$\mathit{PermissionMatrix} = \{P_{ij} \mid i = 1, 2, 3, \ldots, m;\ j = 1, 2, 3, \ldots, n\}$$
where $i$ denotes the app numbered $i$ in population $C_x$; if $App_i$ possesses permission $j$, then $P_{ij}$ is 1, otherwise $P_{ij}$ is 0.
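The extraction stages and the population and permission-matrix definitions above, as an added Python example (not code from the patent): it parses decoded AndroidManifest.xml text of the kind apktool writes, collects the `uses-permission` names, and builds the 0-1 permission matrix per population. The sample manifests, package names and the five-column permission list are constructed for illustration; the patent uses 144 permission columns.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Column order of the 0-1 matrix. Shortened for the example; the patent
# uses 144 Android permissions.
PERMISSION_COLUMNS = [
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
]

# Constructed manifests in the decoded form apktool writes (not real apps).
TORCH_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Torch"/>
</manifest>"""

TORCH2_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch2">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="com.example.torch2.permission.PUSH"/>
    <application android:label="Torch 2"/>
</manifest>"""

# (manifest text, category label, Malicious flag), all constructed.
SAMPLES = [
    (TORCH_MANIFEST, "flashlight", 0),
    (TORCH2_MANIFEST, "flashlight", 1),
]


def extract_permissions(manifest_xml):
    """Return (package name, set of permission names) from a decoded manifest."""
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    # Manifests come from untrusted APKs and never need a DTD, so refuse one
    # rather than let the parser expand entities defined by the sample.
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE not allowed in AndroidManifest.xml")
    root = ET.fromstring(data)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    permissions = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NAME_ATTR)
            if name:
                permissions.add(name.strip())
    return root.get("package", ""), permissions


def build_populations(samples, columns=PERMISSION_COLUMNS):
    """Group samples by category label into {label: population record}.

    Each record holds the package names, the Malicious flags and the 0-1
    PermissionMatrix (row i = app i, column j = permission j). Permissions
    outside `columns` are reported separately instead of silently dropped.
    """
    populations, unmapped = {}, {}
    known = set(columns)
    for manifest_xml, label, malicious in samples:
        package, permissions = extract_permissions(manifest_xml)
        pop = populations.setdefault(
            label, {"PackageName": [], "Malicious": [], "PermissionMatrix": []})
        pop["PackageName"].append(package)
        pop["Malicious"].append(malicious)
        pop["PermissionMatrix"].append(
            [1 if p in permissions else 0 for p in columns])
        extra = sorted(permissions - known)
        if extra:
            unmapped[package] = extra
    return populations, unmapped


if __name__ == "__main__":
    pops, unmapped = build_populations(SAMPLES)
    for label, pop in pops.items():
        for name, row in zip(pop["PackageName"], pop["PermissionMatrix"]):
            print(label, name, row)
    print("unmapped:", unmapped)
```

The second constructed flashlight sample requests READ_CONTACTS and SEND_SMS, the kind of out-of-population permission use the description's least-privilege argument is about.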
2) Training a classifier according to the applied population information;
as shown in fig. 3, the population information of all extracted applications is divided into a training set and a testing set, wherein the training set is used as the input of the SMO algorithm classifier, so that the classifier can classify the applications through the authority by continuous learning; the test set tests the classifier and verifies the classification effect of the classifier;
the training data sample set contains the permission of the Android application program and the class label corresponding to each application program, and the identification of the Android application program refers to the process of carrying out class identification on the application program sample to be detected through a trained classification model.
Assume that the N collected training data are
$$(\mathit{Permissions}_1, C_1), (\mathit{Permissions}_2, C_2), \ldots, (\mathit{Permissions}_n, C_n)$$
where $C_i$ is the classification label of application $i$ and $\mathit{Permissions}_i$ is the permission matrix of that application.
The SMO algorithm compares the N data pairs and learns the rights and categories applied in the training set to obtain a functional relationship that determines the category of the application. In the embodiment, a classification model is established for data set training by using an SMO algorithm of Weka, wherein Weka is open source software fused with machine learning and data mining under Java environment, and then the classification model is utilized to determine the category of an application program to be detected;
3) The method comprises the steps of collecting an application to be detected, acquiring a right information matrix of the application, determining the category of the application to be detected by using a classifier, obtaining population information of the application to be detected as input, finding a recognizer pool corresponding to the population in a model library, detecting the application by using a recognizer which is most in line with constraint conditions according to constraint conditions, and judging the maliciousness of the application;
3.1 According to the category label of the application's population, finding the population identifier pool of the corresponding type in the model library; the population identifier pool comprises an SVM identifier, a random forest identifier and a fully connected neural network identifier;
Identifier:
$$\mathit{Classifier} = \{\mathit{Classifier}(P_i, A_i) \mid P_i \in \mathit{Population},\ A_i \in \mathit{Algorithm}\}$$
$\mathit{Classifier}(P_i, A_i)$ is the identifier generated after machine learning algorithm $A_i$ is trained with the data of population $P_i$, such as a flashlight SVM identifier or a reader random forest identifier. Algorithm is defined as follows:
Algorithm set:
$$\mathit{Algorithm} = \{SVM, RF, FC\}$$
Population identifier:
$$\mathit{ClassifierPopulation} = \{\mathit{Classifier}(P, A_i) \mid A_i \in \mathit{Algorithm}\}$$
ClassifierPopulation is the set of all identifiers generated after all machine learning algorithms are trained with the data of population P.
3.2 According to the category, the identifiers of the corresponding population are found in the population identifier pool, such as the flashlight SVM identifier, the flashlight random forest identifier and the flashlight fully connected neural network identifier. The constraint conditions are then compared with the identifier effect record table, and the identifier Classifier that best meets the constraint conditions is found according to their priority; the identifier Classifier is one of the SVM identifier, the random forest identifier and the fully connected neural network identifier;
the constraint conditions are detection accuracy and detection running time;
three algorithms, namely a Support Vector Machine (SVM), a Random Forest (RF) and a neural network Full Connection (FC), are used for the recognizer. The SVM algorithm has stable operation effect, and the random forest algorithm has the advantage of high operation speed, and the full connection can be used for classifying any situation well.
3.3 The population information of the application is provided as input to Classifier for identification, and the output result R is either benign application or malicious application.
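One way to implement steps 3.1 to 3.3, as an added Python example rather than the patent's own code: a per-population effect record table, constraint matching in priority order, and dispatch to the chosen identifier. The table values, the rule of dropping the lowest-priority constraint when no identifier qualifies, and the `identifiers` callable interface are assumptions made for illustration.

```python
# Effect record table: population -> algorithm -> measured metrics
# (accuracy as a fraction, run time in seconds). Constructed values for
# illustration; they are not the patent's Table 2.
EFFECT_RECORDS = {
    "camera": {
        "SVM": {"accuracy": 0.93, "runtime": 1.8},
        "RF": {"accuracy": 0.95, "runtime": 0.3},
        "FC": {"accuracy": 0.94, "runtime": 2.5},
    },
    "flashlight": {
        "SVM": {"accuracy": 0.96, "runtime": 1.2},
        "RF": {"accuracy": 0.91, "runtime": 0.2},
        "FC": {"accuracy": 0.97, "runtime": 3.0},
    },
}

# Direction of each constraint metric: accuracy is a floor, run time a ceiling.
HIGHER_IS_BETTER = {"accuracy": True, "runtime": False}


def meets(record, constraint):
    """True if one effect record satisfies one (metric, bound) constraint."""
    metric, bound = constraint
    value = record[metric]
    return value >= bound if HIGHER_IS_BETTER[metric] else value <= bound


def select_identifier(population, constraints, records=EFFECT_RECORDS):
    """Steps 3.1 and 3.2: choose the algorithm for `population`.

    `constraints` is a list of (metric, bound) pairs, highest priority first.
    Returns (algorithm name, constraints that had to be dropped).
    """
    for metric, _ in constraints:
        if metric not in HIGHER_IS_BETTER:
            raise ValueError("unknown constraint metric %r" % metric)
    if population not in records:
        # No pool for this population: fail loudly instead of guessing.
        raise LookupError("no identifier pool for population %r" % population)
    pool = records[population]

    active = list(constraints)
    while True:
        candidates = [name for name, rec in pool.items()
                      if all(meets(rec, c) for c in active)]
        if candidates or not active:
            break
        active.pop()  # assumption: relax the lowest-priority constraint first

    # Rank the survivors by the metrics in priority order, then by any
    # metric the caller did not name.
    order = [metric for metric, _ in constraints]
    order += [metric for metric in HIGHER_IS_BETTER if metric not in order]

    def rank(name):
        rec = pool[name]
        return tuple(-rec[m] if HIGHER_IS_BETTER[m] else rec[m] for m in order)

    return min(candidates, key=rank), list(constraints[len(active):])


def detect(population, permission_vector, constraints, identifiers):
    """Step 3.3: run the selected identifier and return the result R.

    `identifiers` maps (population, algorithm) to a trained model's predict
    callable returning 1 for malicious and 0 for benign (hypothetical
    interface, not defined by the patent).
    """
    algorithm, dropped = select_identifier(population, constraints)
    verdict = identifiers[(population, algorithm)](permission_vector)
    return {
        "R": "malicious" if verdict else "benign",
        "identifier": (population, algorithm),
        "dropped": dropped,
    }


if __name__ == "__main__":
    print(select_identifier("flashlight", [("accuracy", 0.95), ("runtime", 1.5)]))
    print(select_identifier("flashlight", [("runtime", 0.5), ("accuracy", 0.95)]))
```

Returning the dropped constraints lets the caller see when a verdict came from an identifier that missed the requested accuracy or run-time bound.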
Experimental description of the effects of the invention:
simple experiments were performed to verify the method. The sources of the datasets, the algorithms used for the experiments and simple constraints will be described.
The experimental operation environment is as follows: windows 7 operating system, 3.4GHz four-core processor, 8GB memory.
Currently, a total of 32537 Android applications of 62 types have been crawled from the 360 application market and the Anzhi application market. For the collected apps we acquired their permission manifest file AndroidManifest.xml and generated the permission information vectors, where 1 means the permission is requested and 0 means it is not. We scanned the apps of the flashlight and reader populations using Kingsoft and F-Secure, ultimately selecting as positive samples those marked benign by both products. Based on the design considerations of the experiment, a flashlight population, a camera population, a reader population, and malicious samples from VirusShare were selected for the experiment.
As shown in fig. 4, we selected three populations of cameras, flashlights and readers as subjects of the experiment for several reasons. Firstly, the three types of applications of the camera, the flashlight and the reader have clear functional boundaries, and for an app, whether the app belongs to the flashlight, the camera or the reader category or not is easily distinguished from the main authority statement condition and the application description text filled in during uploading. Second, flashlights, cameras and readers are widely used by users, almost every user will have a flashlight, camera or reader application installed in addition to the individual needs. If some application with rich and good functions is added with malicious codes by lawbreakers and is re-uploaded after being shelled, a large number of users are affected.
1. Classification experiments based on SMO
The experiment used three types of applications, camera, flashlight and reader, for a total of 2225, these programs combined into a training set.
The manifest file of each application program is obtained with Apktool, and the permission vector is extracted from the manifest file by a Python script. The results of 10-fold cross-validation using the SMO function of Weka are shown in table 1.
TABLE 1 Classification results for different categories of software [table image GDA0002539154590000091 not reproduced]
According to the application program classification result, the accuracy and recall ratio are high, and the SMO algorithm is proved to be capable of performing better classification learning.
2. Population-oriented Android malicious software detection experiment
Three algorithms, namely a Support Vector Machine (SVM), a Random Forest (RF) and a neural network Full Connection (FC), are used in the experiment. The SVM algorithm has stable operation effect, and the random forest algorithm has the advantage of high operation speed, and the full connection can be used for classifying any situation well.
Because of simple verification, the evaluation criteria of the algorithm can be used as constraints. The accuracy and the running time are adopted as evaluation standards, but the accuracy of the experiment is more important than the running time because of the high efficiency of the random forest algorithm. The higher the accuracy rate is, the higher the application recognition rate of the algorithm to the population is; and shorter run times mean faster identification of the population by the algorithm.
The data set is first divided into a training set and a testing set. And directly taking the training set non-classified population as input, training three algorithms of SVM, random forest and neural network full connection, and generating a recognizer detection test set to obtain time and accuracy. After the data set is classified by the classification module, the training set and the test set are divided according to the population, three algorithms are trained again by using training sets of different populations, so that the identifiers of different algorithms with population attribute differences are obtained, and the identifiers are divided into identifier populations according to the population. And then testing by using test sets of different populations to obtain the spending time and accuracy of the identifier corresponding to the population. The indices of the two identifiers are compared.
TABLE 2 Malicious recognition results [table images GDA0002539154590000101 and GDA0002539154590000111 not reproduced]
Wherein, the data sets A, B, C and D respectively represent three populations of a camera, a flashlight and a reader and a fusion whole set of the three populations.
As can be seen from the results of table 2, the random forest algorithm is superior to the other two algorithms in time and accuracy for the camera population; for flashlight and reader population, although the random forest algorithm is excellent in detection time, the accuracy is not as good as the full connection of a support vector machine and a neural network; the three algorithms work better on the three data sets a, B, C than on data set D.
We can conclude that: 1) The detection effect of the identifier obtained by training the data set after population classification by the same algorithm is improved compared with the effect of full set training, and the maximum improvement reaches 13.26%; 2) Even the same population, the detection effects among the identifiers are different, so that the identifiers meeting the conditions can be selected from the population of the identifiers to be detected according to the actual requirements so as to achieve the best effect.
The experiment demonstrates the validity of the SMO algorithm for dividing applications into populations, and shows that dividing applications into populations greatly improves the detection of application maliciousness. It also verifies that the population-oriented Android malware detection model library method is effective and feasible.
It will be understood that modifications and variations will be apparent to those skilled in the art from the foregoing description, and it is intended that all such modifications and variations be included within the scope of the following claims.

Claims (2)

1. A population-oriented android malicious software detection model library method is characterized by comprising the following steps:
1) Collecting application files, extracting application authority use conditions, integrating the application authority use conditions into an authority information matrix, and forming population information of the application according to category labels; the information of the population comprises category labels corresponding to each application and an authority information matrix of the application after authority pretreatment;
2) Training a classifier according to the extracted application permission set;
dividing the extracted application permission set into a training set and a testing set, wherein the training set is used as the input of the SMO algorithm classifier, so that the classifier can classify the application through the permission through continuous learning; the test set tests the classifier and verifies the classification effect of the classifier;
3) Collecting an application to be detected, acquiring its permission information matrix, determining the category of the application with the classifier, grouping applications of the same function type into a population, setting the category label of the population for the application, and taking the population information of the application to be detected as the input of the model library; the model library encapsulates a plurality of population identifier pools, and each identifier pool contains the identifiers generated by training three algorithms: SVM, random forest and fully connected neural network;
finding the identifier pool corresponding to the population in the model library, detecting the application with the identifier that best meets the constraint conditions, and judging whether the application is malicious; specifically:
3.1 According to the category label of the application's population, finding the population identifier pool of the corresponding type in the model library; the population identifier pool comprises an SVM identifier, a random forest identifier and a fully connected neural network identifier;
3.2 According to the constraint conditions, finding the identifier Classifier in the population identifier pool that best meets them; the identifier Classifier is one of the SVM identifier, the random forest identifier and the fully connected neural network identifier;
the constraint conditions are detection accuracy and detection running time;
3.3 The population information of the application is provided as input to Classifier for identification, and the output result R is either benign application or malicious application.
2. The method of claim 1, wherein in step 2), the classification model is built by training on the data set using the SMO algorithm of Weka.
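Steps 3.1 to 3.3 of claim 1 as an added example (not code from the patent): the same permission row is routed to a different identifier pool depending on its population label, and the identifier is chosen under accuracy and running-time limits. The selection rule, the population names, the permission list and every accuracy, running-time and weight value are assumptions constructed for the example; the category label is taken as given instead of coming from the SMO classifier, and each identifier is a stand-in linear scorer, not a trained SVM, random forest or neural network.

```python
from dataclasses import dataclass

# Constructed vocabulary: the columns of the permission information matrix.
PERMS = ["INTERNET", "SEND_SMS", "READ_CONTACTS", "CAMERA"]

def permission_row(requested):
    """One matrix row: 1 where the app requests the permission, else 0."""
    return [int(p in requested) for p in PERMS]

@dataclass
class Identifier:
    name: str          # algorithm that produced the identifier
    accuracy: float    # detection accuracy on the population's test set (constructed)
    runtime_ms: float  # detection running time per app (constructed)
    weights: list      # stand-in linear scorer; a real pool holds trained models
    bias: float

    def predict(self, row):
        score = sum(w * x for w, x in zip(self.weights, row)) + self.bias
        return "malicious" if score > 0 else "benign"

# Model library: population category label -> identifier pool (step 3.1).
# All metrics and weights are constructed so the example runs offline.
MODEL_LIBRARY = {
    "messaging": [   # SMS and contacts access are routine for this population
        Identifier("SVM", 0.93, 4.0, [0.1, 0.2, 0.1, 0.5], -0.5),
        Identifier("RandomForest", 0.95, 9.0, [0.1, 0.1, 0.1, 0.6], -0.5),
        Identifier("NeuralNetwork", 0.97, 40.0, [0.1, 0.1, 0.1, 0.7], -0.5),
    ],
    "flashlight": [  # the same permissions are anomalous here
        Identifier("SVM", 0.96, 3.0, [0.2, 0.9, 0.7, 0.0], -0.5),
        Identifier("RandomForest", 0.94, 8.0, [0.2, 0.8, 0.8, 0.0], -0.5),
        Identifier("NeuralNetwork", 0.96, 35.0, [0.1, 0.9, 0.8, 0.0], -0.5),
    ],
}

def select_identifier(pool, min_accuracy, max_runtime_ms):
    """Step 3.2 under an assumed rule: among identifiers meeting both limits,
    take the most accurate and break ties by lower running time."""
    ok = [i for i in pool
          if i.accuracy >= min_accuracy and i.runtime_ms <= max_runtime_ms]
    if not ok:
        raise LookupError("no identifier in the pool satisfies the constraints")
    return max(ok, key=lambda i: (i.accuracy, -i.runtime_ms))

def detect(category, requested, min_accuracy=0.9, max_runtime_ms=10.0):
    """Steps 3.1-3.3: find the pool, pick the identifier, return (name, R)."""
    pool = MODEL_LIBRARY[category]  # KeyError: no pool for this population
    chosen = select_identifier(pool, min_accuracy, max_runtime_ms)
    return chosen.name, chosen.predict(permission_row(requested))
```

Tightening `max_runtime_ms` trades accuracy for speed within a pool, and a request that no identifier can satisfy fails loudly instead of falling back to an arbitrary model.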
CN201911215882.2A 2019-12-02 2019-12-02 Population-oriented android malicious software detection model library method Active CN111444502B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911215882.2A CN111444502B (en) 2019-12-02 2019-12-02 Population-oriented android malicious software detection model library method

Publications (2)

Publication Number Publication Date
CN111444502A CN111444502A (en) 2020-07-24
CN111444502B true CN111444502B (en) 2023-05-02

Family

ID=71648571

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911215882.2A Active CN111444502B (en) 2019-12-02 2019-12-02 Population-oriented android malicious software detection model library method

Country Status (1)

Country Link
CN (1) CN111444502B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797239B (en) * 2020-09-08 2021-01-15 中山大学深圳研究院 Application program classification method and device and terminal equipment
CN112214770B (en) * 2020-10-30 2023-11-10 奇安信科技集团股份有限公司 Malicious sample identification method, device, computing equipment and medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105426762A (en) * 2015-12-28 2016-03-23 重庆邮电大学 Static detection method for malice of android application programs

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161548B1 (en) * 2005-08-15 2012-04-17 Trend Micro, Inc. Malware detection using pattern classification
CN104794398A (en) * 2015-04-17 2015-07-22 天津大学 Android platform malicious software detection method based on machine learning
CN104809395A (en) * 2015-04-23 2015-07-29 天津大学 Lightweight-class Android malicious software fast judging method
CN105117544B (en) * 2015-08-21 2018-09-28 李涛 Android platform App methods of risk assessment and device based on mobile cloud computing
CN106709336A (en) * 2015-11-18 2017-05-24 腾讯科技(深圳)有限公司 Method and apparatus for identifying malware
CN107992884A (en) * 2017-11-24 2018-05-04 武汉科技大学 A kind of android application permissions cluster and population characteristic analysis method based on big data
WO2019108919A1 (en) * 2017-12-01 2019-06-06 Seven Networks, Llc Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators

Also Published As

Publication number Publication date
CN111444502A (en) 2020-07-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant