
CN115203682A - Anti-aging high-efficiency malicious APP detection method for constructing API (application programming interface) associated confidence - Google Patents


Info

Publication number: CN115203682A
Authority: CN (China)
Prior art keywords: api, model, apk, models, efficiency
Legal status: Pending
Application number: CN202210536022.4A
Other languages: Chinese (zh)
Inventors: 罗森林, 张钊, 郝靖伟, 潘丽敏
Current Assignee: Beijing Institute of Technology BIT
Original Assignee: Beijing Institute of Technology BIT
Application filed by Beijing Institute of Technology BIT
Priority to CN202210536022.4A
Publication of CN115203682A

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to an anti-aging, high-efficiency malicious APP detection method that constructs API association confidence, and belongs to the technical field of cyberspace security. First, the method abstracts the API package names in the APK file layer by layer, to cope with the bias that continuous upgrades of the Android system introduce into malware analysis. Second, it extracts the high-level behavior semantics of the software by calculating the association confidence between APIs. Finally, it builds separate classifiers for APKs from different release periods and selects representative classifiers to learn the behavior patterns among API combinations, completing the detection of malware. Current malware detection methods are weak at characterizing software intent and at resisting aging, which makes it difficult to detect continuously evolving and mutating malware. The invention establishes a high-level behavior intent representation, proposes an anti-aging strategy for malware classifiers, can effectively detect continuously evolving malware, and has high detection efficiency and aging resistance.

Description

Anti-aging high-efficiency malicious APP detection method for constructing API (application programming interface) associated confidence
Technical Field
The invention belongs to the technical field of cyberspace security, and relates to an anti-aging, high-efficiency malicious APP detection method that constructs API (application programming interface) association confidence.
Background
Depending on how data is acquired, Android malware detection methods can be roughly divided into dynamic detection methods and static detection methods.
1. Dynamic Android malware detection acquires behavior data by running the software, in order to judge whether it is malicious. The software is first run on a physical Android device or in a sandbox to obtain behavior data such as user-layer API calls, kernel-layer API calls and network traffic. The data is then analyzed with a machine learning algorithm to obtain a detection result. This approach has advantages against attack techniques such as code obfuscation and dynamic loading. However, it has inherent drawbacks such as low code coverage and high resource consumption, so its detection accuracy is low and it is difficult to meet industrial requirements for efficient, rapid detection.
2. Static analysis detects malice by directly analyzing the static data contained in an APK file. It analyzes files in the installation package such as the source code and the AndroidManifest, mines the characteristics of malicious code and builds a detector. Compared with dynamic analysis, static analysis has high code coverage, can provide multi-layer analysis data, and supports accurate detection results. It has therefore become a focus of research at the intersection of machine learning and malicious APP analysis, and the work of this invention also concentrates on static analysis. According to how features are constructed during analysis, existing static analysis methods can be divided into detection methods based on statistical features and analysis methods based on behavior semantics. The characteristics and problems of the two are analyzed in turn.
(1) Detection based on statistical features: methods that use statistical techniques to screen for features that effectively distinguish malicious software from normal software are called statistical-feature detection methods.
(2) Detection based on behavior semantics: to deal with continuously evolving malicious APPs, researchers have proposed a large number of malware detection methods based on semantic analysis. These methods aim to learn the behavioral intent of the software and to represent the software at a high-level behavior-semantic level.
In addition, models put into production may age. The reason is that the statistical properties of the target variable that the model tries to predict change in unpredictable ways over time; the types of change include abrupt change, gradual change and recurring change. Over time the prediction accuracy of the model decreases, and most Android malware detection models age quickly.
In conclusion, based on the analysis of existing work, existing static malware detection methods have the following problems: (1) Methods based on statistical features generally take the structured data already present in the installation package as analysis material. They depend only on surface-level statistical features, cannot establish a high-level behavior intent representation, and struggle to cope with continuously evolving and mutating malware. (2) Most existing methods based on behavior semantics depend on data such as the program's function call graph or control flow graph. Graph construction and analysis are highly complex, so detection efficiency is low. These methods also have room for improvement in the comprehensiveness of semantic construction. (3) Existing static malware detection methods suffer from model aging, so the accuracy of a malware detection model gradually decreases after it is put into production.
Disclosure of Invention
The invention aims to provide an anti-aging, high-efficiency malicious APP detection method that constructs API (application programming interface) association confidence, addressing the problems identified above in malicious APP detection research.
The design principle of the invention is as follows: first, the method abstracts the API package names in the APK file layer by layer, to cope with the bias that continuous upgrades of the Android system introduce into malware analysis; second, it extracts the high-level behavior semantics of the software by calculating the association confidence between APIs; finally, it builds separate classifiers for APKs from different release periods and selects representative classifiers to learn the behavior patterns among API combinations, completing the detection of malware.
The technical scheme of the invention is realized by the following steps:
Step 1, preprocessing;
Step 1.1, decompress the APK file to obtain the DEX file;
Step 1.2, decompile the DEX file to obtain the Smali code of each APK;
Step 2, API abstraction;
Step 2.1, extract all developer-defined methods from the Smali code of the APK and generate a method dictionary for each APK;
Step 2.2, in each method, retrieve the API call instructions, including invoke-virtual, invoke-direct, invoke-static and invoke-super, and obtain all API information called by these instructions;
Step 2.3, represent each specific API by its hierarchically organized API package name, and delete the higher-numbered levels of the package name, which carry fine-grained meaning;
Step 3, feature extraction: for all abstract APIs in the abstracted API set, calculate the association confidence between each pair of abstract APIs to generate the APK confidence matrix;
Step 4, classifier prediction;
Step 4.1, obtain the APKs released within a fixed sliding time window and input their confidence matrices;
Step 4.2, build a new classifier model in each sliding time window;
Step 4.3, detect whether the new classifier model has aged: if so, cluster all historical models, extract representative models of the different clusters, and go to step 4.5; if not, go to step 4.4;
Step 4.4, measure model similarity and judge whether the new model is similar to a historical model: if so, delete the old model and store the new model in the historical model list; if not, only store the new model in the history list;
Step 4.5, the representative models in the history list output the prediction result by weighted majority voting.
Advantageous effects
Compared with the MaMaDroid method (Onwuzurike L, Mariconti E, Andriotis P, et al. MaMaDroid: Detecting Android malware by building Markov chains of behavioral models [J]. ACM Transactions on Privacy and Security (TOPS), 2019, 22(2): 14.), the method can effectively detect continuously evolving malware and has a degree of aging resistance. In addition, constructing a function call graph requires analyzing the global call relations of all APIs in the APK file; the method provided by the invention avoids this time-consuming operation, and therefore has higher detection efficiency and detection stability.
Drawings
Fig. 1 is a flow chart of an anti-aging high-efficiency malicious APP detection method for constructing API associated confidence according to the present invention.
FIG. 2 is a schematic diagram of the confidence associated with an abstract API according to the present invention.
FIG. 3 is a schematic diagram of a confidence matrix according to the present invention.
FIG. 4 is a flow chart of classifier prediction according to the present invention.
Detailed Description
In order to better illustrate the objects and advantages of the present invention, embodiments of the method of the present invention are described in further detail below with reference to examples.
The data sources are detailed in Table 1. The first data set is Drebin, which contains 5560 samples from 179 families, dating from 2010 to 2012. In addition, 5945 normal samples with the same age distribution as the Drebin samples were obtained from the android database. The second data set is AMD, which contains 2453 malicious samples distributed between 2010 and 2016 and belonging to 71 malicious families. In addition, 20519 normal applications with a contemporary distribution were acquired on the android platform. During actual APK processing, some APK samples could not be converted into feature vectors because of package decompression or file parsing errors. Of the 11505 samples in the Drebin database, 11332 were processed successfully, comprising 5883 normal samples and 5448 malicious samples. Of the 41362 samples in the AMD database, a total of 40533 were pre-processed successfully (malicious samples: 20583, normal samples: 19950).
Table 1. Overview of the experimental data sets (table provided as an image in the original)
The experiment was carried out on a single computer with the following configuration: Intel(R) Core(TM) i7-6700 CPU at 3.40 GHz, 8 GB of memory, 64-bit Windows 7. The programming tools used were Python 3.6, scikit-learn 0.22 and androguard 3.3.5.
Malware detection is a binary classification problem, so the tests use the evaluation indexes commonly used for classification problems, listed in Table 2. In the table, FP is the number of applications that the classifier wrongly classified as malicious; FN is the number of applications that the classifier wrongly classified as normal; TP is the number of applications correctly classified as malicious; TN is the number of applications correctly classified as normal.
Table 2. Evaluation indexes used in the malware detection experiments (table provided as an image in the original)
The specific process of the experiment is as follows:
Step 1, preprocessing;
Step 1.1, decompress the APK file to obtain the DEX file;
Step 1.2, decompile the DEX file to obtain the Smali code of each APK;
Step 2, API abstraction;
Step 2.1, extract all developer-defined methods from the Smali code of the APK and generate a method dictionary for each APK;
Step 2.2, in each method, retrieve the API call instructions, including invoke-virtual, invoke-direct, invoke-static and invoke-super, and obtain all API information called by these instructions;
Step 2.3, represent each specific API by its hierarchically organized API package name, and delete the higher-numbered levels of the package name, which carry fine-grained meaning;
Taking "android.telephony.gsm" as an example, level one, "android", indicates that the API belongs to an Android system function; level two, "telephony", indicates that the API has functionality associated with telephone operation; level three, "gsm", indicates that the function provides system services using a particular GSM telephony function. The API can therefore be further abstracted by deleting the higher-numbered levels that carry fine-grained meaning. In the actual API abstraction the first two levels are preserved, which abstracts the 443 packages of the Android system APIs to 73; together with custom APIs and obfuscated APIs this gives a total of 75 abstract APIs.
Step 3, feature extraction: for all abstract APIs in the abstracted API set, calculate the association confidence between each pair of abstract APIs to generate the APK confidence matrix;
The strength of association between two abstract APIs is measured by confidence: $\mathrm{confidence}(X \rightarrow Y) = \delta(X \cup Y) / \delta(X)$, where $\delta(X) = |\{t_i \mid X \in t_i,\ t_i \in T\}|$, X and Y are two abstract APIs, $\delta(X)$ is the number of times X occurs, and $\delta(X \cup Y)$ is the number of times X and Y occur together. In malware analysis, each abstract API is called an item, and the set of items can be represented as $I = [I_1, I_2, I_3, I_4, \ldots, I_d]$ with $d = 75$. If an APK sample contains k methods, the APK sample can be represented as $T = [t_1, t_2, t_3, t_4, \ldots, t_k]$. Rule associations are established by focusing on rules between two items, for example a rule from a java package to {java.net}, or from {android.net} to an XML package. The strength of association between the items of a rule is calculated by confidence. The 75 abstract APIs together generate the full set of association rules (the count is given as a formula image, Figure BDA0003647268840000051, in the original). The calculation of association confidence between abstract APIs is illustrated in Fig. 2. The resulting confidence matrix serves as the vector representation of the Android application, as shown in Fig. 3.
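Steps 2 and 3 can be sketched as follows. This is an added example, not code from the patent: the Smali fragment is constructed, and the `SYSTEM_ROOTS` set, the short-name obfuscation heuristic and the zero diagonal are assumptions, since the page does not list the 73 system packages or say how obfuscated names are recognised.

```python
import re

# Constructed Smali fragment (not from a real APK): one class, two methods.
SAMPLE_SMALI = """\
.class public Lcom/example/app/Sync;
.method public upload()V
    invoke-static {}, Landroid/telephony/gsm/SmsManager;->getDefault()Landroid/telephony/gsm/SmsManager;
    invoke-direct {v1, v2}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
.end method
.method private read()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-super {p0}, Landroid/app/Activity;->onResume()V
    invoke-virtual {v3}, La/b/c;->d()V
    invoke-static {}, Lcom/example/app/Util;->log()V
.end method
"""

# Step 2.2: the four call instructions named on the page (and their /range forms).
INVOKE_RE = re.compile(
    r"invoke-(?:virtual|direct|static|super)(?:/range)?\s+\{[^}]*\},\s*L([^;]+);->")

# Assumption: package roots treated as Android system APIs.
SYSTEM_ROOTS = {"android", "java", "javax", "dalvik"}


def method_dictionary(smali):
    """Step 2.1/2.2: map each developer-defined method to the classes it calls."""
    methods, cls, current = {}, "?", None
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".class"):
            cls = s.split()[-1]
        elif s.startswith(".method"):
            current = f"{cls}->{s.split()[-1]}"
            methods[current] = []
        elif s.startswith(".end method"):
            current = None
        elif current is not None:
            m = INVOKE_RE.match(s)
            if m:
                methods[current].append(m.group(1))
    return methods


def abstract_api(class_path):
    """Step 2.3: keep the first two package levels of a system API."""
    parts = class_path.split("/")
    if parts[0] in SYSTEM_ROOTS:
        return ".".join(parts[:-1][:2]) or parts[0]
    # Assumption: names made only of 1-2 character segments are obfuscated.
    if all(len(p) <= 2 for p in parts):
        return "obfuscated"
    return "custom"


def confidence_matrix(transactions, items):
    """Step 3: matrix[i][j] = confidence(items[i] -> items[j])."""
    support = {x: sum(1 for t in transactions if x in t) for x in items}
    matrix = []
    for x in items:
        row = []
        for y in items:
            if x == y or support[x] == 0:
                row.append(0.0)  # assumption: diagonal and unseen items are 0
            else:
                both = sum(1 for t in transactions if x in t and y in t)
                row.append(both / support[x])
        matrix.append(row)
    return matrix


def apk_features(smali):
    """Return (items, matrix) for one APK; each method is one transaction t_i."""
    transactions = [{abstract_api(c) for c in calls}
                    for calls in method_dictionary(smali).values()]
    # The patent uses a fixed 75-item vocabulary; here only observed items are used.
    items = sorted(set().union(*transactions)) if transactions else []
    return items, confidence_matrix(transactions, items)


if __name__ == "__main__":
    names, matrix = apk_features(SAMPLE_SMALI)
    for name, row in zip(names, matrix):
        print(f"{name:18s}", [round(v, 2) for v in row])
```

The matrix is not symmetric: every method calling `java.net` also calls `android.telephony`, but only half of the methods calling `android.telephony` call `java.net`.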
Step 4, classifier prediction; the prediction process of the classifier is shown in Fig. 4.
Step 4.1, obtain the APKs released within the sliding time window and input their confidence matrices; the sliding time window can be set to 10 days.
Step 4.2, build a new classifier model in each sliding time window;
Step 4.3, detect whether the new classifier model has aged: if so, cluster all historical models, extract representative models of the different clusters, and go to step 4.5; if not, go to step 4.4;
Model aging can be detected by checking whether the classification accuracy of the model is below 90%: if it is, the model has aged; if not, the model is normal. For model clustering, every historical model predicts the APKs released in the time window, with a prediction result of 1 for correct and 0 for incorrect. If the historical model list holds M models and the time window holds b APKs, there are M × b prediction results. The prediction results are clustered with the expectation-maximization algorithm, and models whose prediction results fall in the same cluster belong to the same class.
Step 4.4, measure model similarity and judge whether the new model is similar to a historical model: if so, delete the old model and store the new model in the historical model list; if not, only store the new model in the history list;
Similarity is computed with the Q statistic: $Q_{i,j} = (N_{11}N_{00} - N_{01}N_{10}) / (N_{11}N_{00} + N_{01}N_{10})$, where $N_{a,b}$ is the number of APK confidence matrices classified as a by classifier $c_i$ and as b by classifier $c_j$; 1 denotes a correct classification and 0 an erroneous classification. The Q value varies between -1 and 1. When the models classify the same sample and are both correct or both wrong, Q is positive; when their results for the same sample are opposite, Q is negative. Whether two models are similar is judged against a threshold θ. If Q ≥ θ, the classifier model is similar to the historical model: the new model is stored in the historical model list and the similar historical model is deleted. If Q < θ, only the new model is saved in the historical model list. θ can be set to 0.5.
Step 4.5, the representative models in the history list output the prediction result by weighted majority voting.
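The history management in steps 4.3 to 4.5 can be sketched as follows. This is an added example, not code from the patent: the scalar "features" and threshold models are constructed stand-ins for confidence matrices and trained classifiers, the vote weights (window accuracy) and the handling of an undefined Q are assumptions, and the expectation-maximization clustering of step 4.3 is left out.

```python
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

THETA = 0.5            # similarity threshold suggested on the page
AGING_ACCURACY = 0.90  # page: accuracy below 90% means the model has aged


@dataclass
class Model:
    name: str
    predict: Callable[[float], int]  # 1 = malicious, 0 = normal
    weight: float = 1.0


# Constructed window of (feature, label) pairs; a real window holds the
# confidence matrices of APKs released in one sliding time window.
WINDOW: List[Tuple[float, int]] = [
    (0.1, 0), (0.2, 0), (0.3, 0), (0.4, 0), (0.45, 1),
    (0.55, 0), (0.6, 1), (0.7, 1), (0.8, 1), (0.9, 1),
]
MODEL_A = Model("A", lambda x: int(x > 0.5))
MODEL_B = Model("B", lambda x: int(x > 0.58))
MODEL_C = Model("C", lambda x: int(x > 0.42))


def correctness(model: Model, window) -> List[int]:
    """1 where the model classifies the sample correctly, 0 otherwise."""
    return [int(model.predict(x) == y) for x, y in window]


def accuracy(model: Model, window) -> float:
    c = correctness(model, window)
    return sum(c) / len(c)


def is_aged(model: Model, window) -> bool:
    """Step 4.3 aging check."""
    return accuracy(model, window) < AGING_ACCURACY


def q_statistic(ci: Sequence[int], cj: Sequence[int]) -> float:
    """Q_{i,j} over two correctness vectors for the same samples."""
    n11 = sum(1 for a, b in zip(ci, cj) if a and b)
    n00 = sum(1 for a, b in zip(ci, cj) if not a and not b)
    n01 = sum(1 for a, b in zip(ci, cj) if not a and b)
    n10 = sum(1 for a, b in zip(ci, cj) if a and not b)
    denom = n11 * n00 + n01 * n10
    if denom == 0:
        # Assumption: Q is undefined here (e.g. both models never err);
        # treat the pair as not similar so that no model is deleted.
        return 0.0
    return (n11 * n00 - n01 * n10) / denom


def update_history(history: List[Model], new: Model, window,
                   theta: float = THETA) -> List[Model]:
    """Step 4.4: drop historical models similar to the new one, then add it."""
    new_c = correctness(new, window)
    kept = [m for m in history
            if q_statistic(correctness(m, window), new_c) < theta]
    new.weight = accuracy(new, window)  # assumption: weight = window accuracy
    return kept + [new]


def weighted_vote(models: List[Model], x: float) -> int:
    """Step 4.5: weighted majority vote; ties resolve to 0 (assumption)."""
    score = sum(m.weight if m.predict(x) else -m.weight for m in models)
    return int(score > 0)


if __name__ == "__main__":
    history = update_history([MODEL_A], MODEL_B, WINDOW)   # A is similar to B
    history = update_history(history, MODEL_C, WINDOW)     # C errs differently
    print([m.name for m in history], weighted_vote(history, 0.7))
```

Models A and B fail on overlapping samples (Q = 1), so B replaces A, while B and C fail on different samples (Q = -1), so both stay in the history and vote.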
Test results: based on the anti-aging, high-efficiency malicious APP detection method that constructs API (application programming interface) association confidence, performance experiments were carried out on the Drebin and AMD public data sets, demonstrating the effectiveness of the method. The performance of the method on the two databases under different classification algorithms is shown in Tables 3 and 4.
Table 3. Test results of different algorithms on the AMD database (table provided as an image in the original)
Table 4. Drebin database (table provided as an image in the original)
For the problem of detecting continuously evolving malware, the method is analyzed and compared in detail against the MaMaDroid method in terms of detection accuracy and detection efficiency, further showing that it is superior in analysis efficiency while maintaining detection accuracy. The detection accuracy comparison is shown in Table 5, which gives the results of 36 F-value tests for both methods on malware classification. The time efficiency results are shown in Table 6; the group marked with "" excludes abnormal samples from the experiment whose analysis took more than 20 minutes.
Table 5. F-value results of the comparative malware classification experiment (table provided as an image in the original)
Note: in the table, "old" denotes old-version normal APP samples dated 2014, and "new" denotes new-generation normal APP samples dated 2017. The numbers 2013 to 2017 denote malicious APP samples from that year.
Table 6. Detection efficiency results of the comparative experiment (table provided as an image in the original)
Note: in the table, A refers to the result of MaMaDroid method experiment, and B refers to the result of the invention experiment.
The above detailed description is provided for the purpose of illustrating the invention and the accompanying claims, and it is to be understood that the above description is only exemplary of the invention and is not intended to limit the scope of the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the invention should be included in the scope of the invention.

Claims (4)

1. An anti-aging, high-efficiency malicious APP detection method that constructs API association confidence, characterized by comprising the following steps:
Step 1, preprocessing;
Step 1.1, decompress the APK file to obtain the DEX file;
Step 1.2, decompile the DEX file to obtain the Smali code of each APK;
Step 2, API abstraction;
Step 2.1, extract all developer-defined methods from the Smali code of the APK and generate a method dictionary for each APK;
Step 2.2, in each method, retrieve the API call instructions, including invoke-virtual, invoke-direct, invoke-static and invoke-super, and obtain all API information called by these instructions;
Step 2.3, represent each specific API by its hierarchically organized API package name, and delete the higher-numbered levels of the package name, which carry fine-grained meaning;
Step 3, feature extraction: for all abstract APIs in the abstracted API set, calculate the association confidence between each pair of abstract APIs to generate the APK confidence matrix;
Step 4, classifier prediction;
Step 4.1, obtain the APKs released within a fixed sliding time window and input their confidence matrices;
Step 4.2, build a new classifier model in each sliding time window;
Step 4.3, detect whether the new classifier model has aged: if so, cluster all historical models, extract representative models of the different clusters, and go to step 4.5; if not, go to step 4.4;
Step 4.4, measure model similarity and judge whether the new model is similar to a historical model: if so, delete the old model and store the new model in the historical model list; if not, only store the new model in the history list;
Step 4.5, the representative models in the history list output the prediction result by weighted majority voting.
2. The anti-aging, high-efficiency malicious APP detection method that constructs API association confidence according to claim 1, characterized in that: in step 2.3, during API abstraction, the higher-numbered levels of the package name, which carry fine-grained meaning, are deleted, and only the first two levels are retained.
3. The anti-aging, high-efficiency malicious APP detection method that constructs API association confidence according to claim 1, characterized in that: in step 4.3, if the classifier model has aged, all historical models are clustered and representative models of the different clusters are extracted, wherein all historical models predict the APK confidence matrices in the sliding time window, and the cluster of the predicted values is taken as the class of the corresponding model.
4. The anti-aging, high-efficiency malicious APP detection method that constructs API association confidence according to claim 1, characterized in that: in step 4.4, models are added to and deleted from the historical model list by means of the model similarity measure, wherein, when the model list is full, similarity is measured between every two models in the list, the two most similar models are selected, and one of them is deleted.
CN202210536022.4A 2022-05-17 2022-05-17 Anti-aging high-efficiency malicious APP detection method for constructing API (application programming interface) associated confidence Pending CN115203682A (en)


Publications (1)

Publication Number Publication Date
CN115203682A true CN115203682A (en) 2022-10-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination