CN103218566A - Active defense system based on Android platform software behavior detection - Google Patents
- Publication number
- CN103218566A
- Authority
- CN
- China
- Prior art keywords
- module
- data
- behavior
- platform software
- android platform
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention relates to an active defense system based on software behavior detection on the Android platform, which actively defends against security threats to mobile phones. The system uses the top or ps command, together with ActivityManager.MemoryInfo() and ActivityManager.AppProcessInfo() provided by the Android API, to collect process data; applies principal component analysis (PCA) to the collected data to extract the features that best reflect the samples, and feeds the samples into a neural network model; and randomly selects a portion of the samples for learning to obtain model parameters, which serve as the model parameters of the evaluation part, so that a sample under test can be evaluated as normal or not and a given process can in turn be judged abnormal or not. By bringing the combination of PCA dimensionality reduction and a BP neural network to the mobile phone, the invention reduces the computation and storage required by a traditional BP neural network, so that it can be implemented well on mobile devices such as phones, whose computing power and storage capacity are both limited, and mobile phone security is ensured.
Description
Technical field
The invention relates to an active defense system based on software behavior detection on the Android platform.
Background
The widespread use of smartphones, and in particular the availability of the open Android platform, has given the Android smartphone market a large growth advantage, but the openness of the platform also makes it more vulnerable to malicious software.
Existing mobile phone security software mainly ports PC security software based on signature matching directly to the phone. Signature matching is very effective at detecting and removing known malicious programs but is helpless against unknown ones. The number of malicious programs is now growing geometrically, and the generation and updating of signature databases often lags behind the malware, so antivirus software frequently cannot detect unknown malicious programs. In addition, the signature database requires a large amount of storage space, which is a serious limitation for mobile devices such as phones, whose storage space and computing power are both limited.
Anomaly detection based on normal behavior uses an established profile of normal behavior to detect behavior that deviates from it. This mechanism can effectively detect unknown anomalies and so overcomes the inability of signature matching to detect unknown malicious programs, but it has a relatively high false positive rate when examining normal behavior.
Summary of the invention
To address the security risks of the Android platform, the invention develops a new security detection system based on behavior detection that detects abnormal software behavior and achieves active defense with as little storage and computation as possible.
The overall architecture of the invention consists of three modules: data collection, PCA (principal component analysis) dimensionality reduction, and BP (back propagation) neural network classification.
Data collection is concerned mainly with how to call the system's own API (Application Programming Interface) to collect the relevant information and analyze processes, services, tasks and so on in depth;
PCA dimensionality reduction is applied to the initially collected data to extract the main information;
The PCA-reduced data is passed to the BP neural network interface, and the trained BP neural network evaluates the data;
To solve the technical problem, the invention innovates on and adapts each detail, including:
(1) Making a preliminary judgment on the calculation results, responding on the phone, and issuing warnings and suggested actions;
(2) In the above method, the process can run locally on the device, without networking or cloud operation;
(3) In the data collection module, the collection process stores data in a three-dimensional array to simplify operation;
(4) In the PCA principal component analysis module, the method uses QR matrix analysis to solve for the eigenvectors;
(5) In the PCA principal component analysis module, eigenvalues are screened by a multiple-comparison contribution rate method, selecting the best contributing parameters to build the parameter model;
(6) In the BP neural network module, the learning sub-module uses a learning factor suited to model learning, and the best parameters are obtained mainly by comparison over multiple variations.
The system applies active defense technology to mobile phones. Compared with traditional signature matching on phones, it can detect threats in advance and effectively alert users to the threats they face, and it solves the problems of continuous data updates and heavy computation faced by traditional software on phones.
Description of drawings
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is the overall architecture diagram of the invention.
Fig. 2 is the data collection flowchart of the invention.
Fig. 3 is the PCA dimensionality reduction flowchart of the invention.
Fig. 4 is the flowchart of the learning part of the neural network classification module of the invention.
Fig. 5 is the flowchart of the evaluation part of the neural network classification module of the invention.
Specific embodiments
Fig. 1 shows the overall architecture of the invention, which consists of three modules: data collection, PCA dimensionality reduction, and neural network classification. Data collection uses Linux system management commands to collect intrusion-related process information as the phone's intrusion features. PCA then reduces the dimensionality of the intrusion features, selecting the features that best reflect the samples. Finally, the reduced features are fed to the BP neural network classifier for training to obtain the best model parameters, which are used to classify the samples under test.
The embodiment shown in Fig. 2 is the data collection flowchart of the invention. The data collection module is used mainly to collect intrusion data about the relevant software or programs.
Because the Android kernel is Linux, Linux system management commands are used to collect process information: the top or ps command collects each process's CPU usage, thread count, priority, physical memory, virtual memory, UID and process name. In addition, the ActivityManager.MemoryInfo() and ActivityManager.RunningAppProcessInfo() classes provided by the Android API are used to obtain the system memory occupied by a process and its UID, and the process's traffic usage and similar data are then obtained from the UID associated with the process name.
Because storing and reading the collected data through files would consume a large amount of program running time, a three-dimensional array is used instead: the first dimension is time, the second is the different processes, and the third is the process information. To account for the effect of sample storage on collection itself, a timer is used to take data at a fixed time interval and build a high-dimensional matrix; when sample detection ends, Java's own garbage collection mechanism reclaims the used samples.
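The three-dimensional layout described above (time, process, process information) can be built from periodic process listings as follows. This is an added example, not code from the patent: the snapshot text is constructed, its column layout (PID PR CPU% S #THR VSS RSS PCY UID Name) is an assumed `top`-style format, and the function names are hypothetical.

```python
# Added example: build samples[time][process][feature] from process listings.
# SNAPSHOTS is constructed sample data; the column layout is an assumption.
SNAPSHOTS = [
    """  PID PR CPU% S  #THR     VSS     RSS PCY UID      Name
  612  0   3% S    58 512340K  61232K  fg system   system_server
 1804  0   1% S    14 401220K  28764K  bg u0_a57   com.example.notes
""",
    """  PID PR CPU% S  #THR     VSS     RSS PCY UID      Name
  612  0   4% S    58 512340K  61300K  fg system   system_server
 1804  0   0% S    14 401220K  28764K  bg u0_a57   com.example.notes
 2231  0  37% R    22 455008K  40112K  bg u0_a61   com.example.flashlight
""",
    """  PID PR CPU% S  #THR     VSS     RSS PCY UID      Name
  612  0   3% S    59 512400K  61410K  fg system   system_server
 2231  0  41% R    31 471120K  52880K  bg u0_a61   com.example.flashlight
""",
]

# Third dimension: the numeric process information kept per process.
FEATURES = ("cpu_pct", "threads", "priority", "rss_kb", "vss_kb")


def parse_snapshot(text):
    """Return {(uid, name): [cpu, threads, priority, rss_kb, vss_kb]} for one listing."""
    rows = {}
    for line in text.splitlines():
        fields = line.split(None, 9)
        if len(fields) != 10 or not fields[0].isdigit():
            continue  # header, blank or truncated line
        _pid, pr, cpu, _state, thr, vss, rss, _pcy, uid, name = fields
        rows[(uid, name.strip())] = [
            float(cpu.rstrip("%")), float(thr), float(pr),
            float(rss.rstrip("K")), float(vss.rstrip("K")),
        ]
    return rows


def build_tensor(snapshots):
    """Align every snapshot on one process axis; absent processes become zero rows."""
    parsed = [parse_snapshot(s) for s in snapshots]
    procs = sorted({key for snap in parsed for key in snap})
    empty = [0.0] * len(FEATURES)
    tensor = [[snap.get(key, empty)[:] for key in procs] for snap in parsed]
    return procs, tensor


def process_series(tensor, proc_index):
    """Time x feature matrix for one process, the shape a PCA step would consume."""
    return [snapshot[proc_index] for snapshot in tensor]


if __name__ == "__main__":
    procs, tensor = build_tensor(SNAPSHOTS)
    for p, key in enumerate(procs):
        print(key, process_series(tensor, p))
```

Keying the process axis on (UID, name) rather than PID keeps a restarted app on the same row, and the zero rows make processes that start or exit between samples visible instead of shifting the axis.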
The embodiment shown in Fig. 3 is the PCA dimensionality reduction flowchart of the invention. The PCA dimensionality reduction module mainly extracts the features that best reflect the samples, simplifying the computation while achieving good detection results.
Principal component analysis (PCA) is a preprocessing method that reduces the dimensionality of the original data such that the variance of the reduced data is maximal (equivalently, the projection error is minimal). Suppose a D-dimensional data space is to be projected into an M-dimensional data space (M < D): the D eigenvalues of the data are sorted in descending order, the contribution rates are computed, the corresponding eigenvectors are found, and the first M eigenvectors are taken to form the projection matrix, which then gives maximal variance.
The theoretical derivation assumes that the points of a space are projected onto a vector. First, compute the center point of the original space:
Let $u_1$ be the projection vector. According to the variance formula, the variance after projection is:
Then solve for the eigenvalues:
Differentiating the above expression and setting the derivative to 0 gives:
$S u_1 = \lambda_1 u_1$ (4)
Formula (4) is the standard eigenvalue equation, where $\lambda$ is the eigenvalue and $u$ is the corresponding eigenvector. Its left-hand side reaches its maximum when $\lambda_1$ is largest, that is, when the largest eigenvalue is taken. Suppose a D-dimensional data space is to be projected into an M-dimensional data space (M < D): the eigenvalues are sorted in descending order, the contribution rates are computed, and the corresponding first M eigenvectors are taken to form the projection matrix, which then gives maximal variance.
In the PCA dimensionality reduction module, the original high-dimensional data matrix is transformed by compression into a new low-dimensional data matrix; that is, suitable projection vectors that best reflect the sample features are found so that the matrix is projected into a low-dimensional space. The implementation standardizes the original data, computes the correlation coefficient matrix, and uses QR decomposition to solve for the eigenvalues of the correlation coefficient matrix, which are sorted in descending order. The magnitude of each eigenvalue reflects how important that feature is for distinguishing samples. The ratio of each eigenvalue to the sum of all eigenvalues is that feature's contribution rate. The cumulative contribution rate of the eigenvalues is computed and compared with the threshold (95%) to select the principal component features; the corresponding eigenvectors are then computed from the principal component eigenvalues, and these eigenvectors form the projection matrix. Finally, the standardized data matrix is multiplied by the projection matrix to obtain the dimension-reduced matrix, which is sent to the neural network module.
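The steps of the PCA module above (standardize, correlation matrix, eigenvalues by QR iteration, descending sort, cumulative contribution rate against 95%, projection) are carried through below in plain Python. This is an added example, not code from the patent: the sample matrix is constructed so that the correlation matrix has eigenvalues 25/13, 1 and 1/13, the column meanings are illustrative, and the unshifted QR algorithm with Gram-Schmidt is one possible reading of "QR decomposition" that assumes no constant or perfectly collinear features.

```python
# Added example: PCA via QR iteration on the correlation matrix.
import math

# Constructed samples (rows = time points; columns = e.g. CPU %, memory, threads).
SAMPLES = [[2, 19, 5], [4, 63, 3], [6, 57, 3], [8, 101, 5]]


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def standardize(X):
    """Column-wise z-score using the sample standard deviation."""
    n, cols = len(X), transpose(X)
    mean = [sum(c) / n for c in cols]
    std = [math.sqrt(sum((v - m) ** 2 for v in c) / (n - 1)) for c, m in zip(cols, mean)]
    if any(s == 0 for s in std):
        raise ValueError("constant feature: drop it before PCA")
    return [[(v - m) / s for v, m, s in zip(row, mean, std)] for row in X]


def correlation_matrix(Z):
    n, cols = len(Z), transpose(Z)
    return [[sum(a * b for a, b in zip(ci, cj)) / (n - 1) for cj in cols] for ci in cols]


def qr_decompose(A):
    """Modified Gram-Schmidt, A = Q R. Assumes A has full rank."""
    d, q_cols = len(A), []
    R = [[0.0] * d for _ in range(d)]
    for j, col in enumerate(transpose(A)):
        v = col[:]
        for i, q in enumerate(q_cols):
            R[i][j] = sum(a * b for a, b in zip(q, v))
            v = [a - R[i][j] * b for a, b in zip(v, q)]
        R[j][j] = math.sqrt(sum(a * a for a in v))
        q_cols.append([a / R[j][j] for a in v])
    return transpose(q_cols), R


def qr_eigen(A, tol=1e-12, max_iter=1000):
    """Eigenvalues (descending) and matching eigenvector columns of symmetric A."""
    d = len(A)
    V = [[float(i == j) for j in range(d)] for i in range(d)]
    for _ in range(max_iter):
        Q, R = qr_decompose(A)
        A, V = matmul(R, Q), matmul(V, Q)
        if max((abs(A[i][j]) for i in range(d) for j in range(i)), default=0.0) < tol:
            break
    order = sorted(range(d), key=lambda i: A[i][i], reverse=True)
    return [A[i][i] for i in order], [[row[i] for i in order] for row in V]


def select_components(eigvals, threshold=0.95):
    """Smallest M whose cumulative contribution rate reaches the threshold."""
    total, cumulative = sum(eigvals), 0.0
    for m, lam in enumerate(eigvals, start=1):
        cumulative += lam / total
        if cumulative >= threshold:
            return m
    return len(eigvals)


def pca_reduce(X, threshold=0.95):
    Z = standardize(X)
    eigvals, V = qr_eigen(correlation_matrix(Z))
    m = select_components(eigvals, threshold)
    projection = [row[:m] for row in V]          # D x M projection matrix
    return matmul(Z, projection), eigvals, m


if __name__ == "__main__":
    reduced, eigvals, m = pca_reduce(SAMPLES)
    print("eigenvalues:", eigvals, "kept components:", m)
    print("reduced matrix:", reduced)
```

On this data the first two components carry about 97.4% of the variance, so the third is dropped and the classifier receives two inputs per sample instead of three.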
The embodiment shown in Fig. 4 is the flowchart of the learning part of the neural network classification module of the invention. The learning part of the neural network module obtains the model parameters by learning from the sample data, as follows:
(1) Call the random() function to initialize the weights of the input, hidden and output layers so that their values lie in the range -0.5 to 0.5;
(2) Input the PCA-reduced sample features and the corresponding expected outputs. Based on the sample features, the Sigmoid function is chosen as the activation function, and the input and output of each layer are computed using formulas (5) and (6):
$U_i^k = \sum_j W_{ij}^k X_j^{k-1}$ (5)
$X_i^k = f(U_i^k)$ (6)
where $U_i^k$ is the input, $X_i^k$ is the output, and $W_{ij}^k$ is the weight;
(3) Compare the output computed with formula (6) against the expected output, then propagate backwards and compute the error of each layer using formula (7):
$d_i^k = X_i^k (1 - X_i^k) \sum_j W_{ij} d_j^{k+1}$ (7)
(4) Correct the weights according to the error until the maximum number of learning iterations is reached or the error meets the requirement. Based on experimental analysis, the maximum number of learning iterations is set to 200 and the error is required to be less than 0.01.
The embodiment shown in Fig. 5 is the flowchart of the evaluation part of the neural network classification module of the invention. The evaluation part of the neural network module is used mainly to judge whether a given sample is abnormal, and thereby whether a given process is abnormal, and to prompt the user to take a corresponding action such as uninstalling.
The evaluation part takes the weights obtained by the learning part as the initial weights of the input, hidden and output layers, computes the output of each layer from the input sample data, and compares the output of the output layer with a preset threshold (0.4, obtained by adjustment over repeated experiments). If the output is greater than the threshold, the sample is judged normal; otherwise it is judged abnormal and the user is prompted to terminate the program or uninstall the software.
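The learning and evaluation parts above fit in a small network with one hidden layer, written here in plain Python. This is an added example, not code from the patent: the training points are constructed two-dimensional features standing in for PCA output, and the hidden-layer size, learning rate 0.5, bias inputs, fixed seed and the reading of "error" as mean half squared error per sample are assumptions; the weight range, Sigmoid activation, 200-iteration limit, 0.01 error target and 0.4 decision threshold come from the description.

```python
# Added example: BP network trained as in steps (1)-(4), then threshold evaluation.
import math
import random

# Constructed training set: expected output 1.0 = normal, 0.0 = abnormal.
TRAIN_X = [[-1.2, 0.3], [-0.9, -0.4], [-1.1, 0.1], [-0.8, 0.5],
           [1.0, -0.2], [1.3, 0.4], [0.9, 0.6], [1.1, -0.5]]
TRAIN_T = [1.0, 1.0, 1.0, 1.0, 0.0, 0.0, 0.0, 0.0]
THRESHOLD = 0.4  # decision threshold stated in the description


def sigmoid(u):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, u))))


class BPNetwork:
    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)  # fixed seed so the run is repeatable
        # Step (1): weights in [-0.5, 0.5]; the extra weight per unit multiplies a
        # constant input 1.0 (bias), which is an assumption of this example.
        self.w_hidden = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)]
                         for _ in range(n_hidden)]
        self.w_out = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        """Formulas (5) and (6) applied layer by layer."""
        xb = list(x) + [1.0]
        hb = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w_hidden] + [1.0]
        out = sigmoid(sum(w * v for w, v in zip(self.w_out, hb)))
        return xb, hb, out

    def train(self, samples, targets, lr=0.5, max_epochs=200, target_error=0.01):
        """Steps (2)-(4): returns (epochs used, last mean error)."""
        mean_err = float("inf")
        for epoch in range(1, max_epochs + 1):
            total = 0.0
            for x, t in zip(samples, targets):
                xb, hb, out = self.forward(x)
                d_out = out * (1.0 - out) * (t - out)
                # Formula (7): hidden-layer error from the layer above.
                d_hid = [h * (1.0 - h) * self.w_out[j] * d_out
                         for j, h in enumerate(hb[:-1])]
                self.w_out = [w + lr * d_out * h for w, h in zip(self.w_out, hb)]
                self.w_hidden = [[w + lr * d * v for w, v in zip(row, xb)]
                                 for row, d in zip(self.w_hidden, d_hid)]
                total += 0.5 * (t - out) ** 2
            mean_err = total / len(samples)
            if mean_err < target_error:
                break
        return epoch, mean_err


def classify(net, x, threshold=THRESHOLD):
    """Evaluation part: output above the threshold is normal, otherwise abnormal."""
    return "normal" if net.forward(x)[2] > threshold else "abnormal"


if __name__ == "__main__":
    net = BPNetwork(n_in=2, n_hidden=4, seed=7)
    print("epochs, error:", net.train(TRAIN_X, TRAIN_T))
    print(classify(net, [-1.0, 0.2]), classify(net, [1.2, 0.1]))
```

Because the threshold is 0.4 rather than 0.5, an uncertain output near 0.45 is still reported as normal; moving the threshold trades missed detections against the false positives the background section attributes to anomaly detection.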
Claims (6)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013100323910A CN103218566A (en) | 2013-01-25 | 2013-01-25 | Active defense system based on Android platform software behavior detection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013100323910A CN103218566A (en) | 2013-01-25 | 2013-01-25 | Active defense system based on Android platform software behavior detection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103218566A (en) | 2013-07-24 |
Family
ID=48816342
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2013100323910A Pending CN103218566A (en) | 2013-01-25 | 2013-01-25 | Active defense system based on Android platform software behavior detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103218566A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100275262A1 (en) * | 2009-04-22 | 2010-10-28 | Hewlett Packard Development Company Lp | Autonomous Diagnosis And Mitigation Of Network Anomalies |
CN102034050A (en) * | 2011-01-25 | 2011-04-27 | 四川大学 | Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception |
CN102082802A (en) * | 2011-03-01 | 2011-06-01 | 陈彪 | Behavior-based mobile terminal security protection system and method |
Non-Patent Citations (2)
Title |
---|
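Li Yuanbing et al.: "Anomaly intrusion detection system based on neural network", Systems Engineering and Electronics * |
Wei Dawei et al.: "Research on software reliability prediction based on neural network ensemble", Computer Engineering and Design * |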
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104699530B (en) * | 2013-12-04 | 2018-12-11 | 腾讯科技(深圳)有限公司 | A kind of course control method, device and intelligent terminal |
CN104699530A (en) * | 2013-12-04 | 2015-06-10 | 腾讯科技(深圳)有限公司 | Progress control method and device and intelligent terminal equipment |
CN103942489A (en) * | 2014-03-31 | 2014-07-23 | 中国科学院信息工程研究所 | Attack detection method and system on basis of cursor hidden scene |
CN104123499A (en) * | 2014-07-18 | 2014-10-29 | 北京金山安全软件有限公司 | Method and device for recognizing software for resisting uninstallation by using Android device manager |
WO2016008355A1 (en) * | 2014-07-18 | 2016-01-21 | 北京金山安全软件有限公司 | Method and apparatus for identifying software resisting uninstallation using android device manager |
CN105187235A (en) * | 2015-08-12 | 2015-12-23 | 广东睿江科技有限公司 | Message processing method and device |
CN105224872A (en) * | 2015-09-30 | 2016-01-06 | 河南科技大学 | A kind of user's anomaly detection method based on neural network clustering |
CN105224872B (en) * | 2015-09-30 | 2018-04-13 | 河南科技大学 | A kind of user's anomaly detection method based on neural network clustering |
CN105426760B (en) * | 2015-11-05 | 2018-04-06 | 工业和信息化部电信研究院 | A kind of detection method and device of Android malicious application |
CN105426760A (en) * | 2015-11-05 | 2016-03-23 | 工业和信息化部电信研究院 | Detection method and apparatus for malicious android application |
CN105608378A (en) * | 2015-12-24 | 2016-05-25 | 北京奇虎科技有限公司 | Method and device for obtaining process list |
CN109362235A (en) * | 2016-05-29 | 2019-02-19 | 微软技术许可有限责任公司 | Classify to the affairs at network accessible storage device |
CN109362235B (en) * | 2016-05-29 | 2021-10-26 | 微软技术许可有限责任公司 | Method of classifying transactions at a network accessible storage device |
CN106330599A (en) * | 2016-08-16 | 2017-01-11 | 济南大学 | Android application program network traffic multi-thread collection system and method |
CN106330599B (en) * | 2016-08-16 | 2019-07-19 | 济南大学 | Android application network traffic multi-thread collection system and method |
WO2019062409A1 (en) * | 2017-09-30 | 2019-04-04 | Oppo广东移动通信有限公司 | Method for managing and controlling background application program, storage medium, and electronic device |
CN108052954A (en) * | 2017-11-01 | 2018-05-18 | 佛山科学技术学院 | The method for diagnosing faults of sample space based on multistage high dimensional feature |
CN108052954B (en) * | 2017-11-01 | 2021-08-03 | 佛山科学技术学院 | A fault diagnosis method based on the sample space of multi-level high-dimensional features |
CN109933984A (en) * | 2019-02-15 | 2019-06-25 | 中时瑞安(北京)网络科技有限责任公司 | A kind of best cluster result screening technique, device and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103218566A (en) | Active defense system based on Android platform software behavior detection | |
Ullah et al. | Design and development of RNN anomaly detection model for IoT networks | |
Razak et al. | Bio-inspired for features optimization and malware detection | |
CN106133642B (en) | The method and system of application state is inferred by process performing analysis operation in a mobile device | |
Gwon et al. | Network intrusion detection based on LSTM and feature embedding | |
US10911471B1 (en) | Systems and methods for network-based intrusion detection | |
Zarni Aung | Permission-based android malware detection | |
Singh et al. | Dynamic behavior analysis of android applications for malware detection | |
CN106845240A (en) | A kind of Android malware static detection method based on random forest | |
US20160381057A1 (en) | Customized Network Traffic Models To Detect Application Anomalies | |
CN104903918A (en) | Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors | |
KR20170055962A (en) | Methods and systems for aggregated multi-application behavioral analysis of mobile device behaviors | |
Yadav et al. | Augmentation in performance and security of WSNs for IoT applications using feature selection and classification techniques | |
WO2017014896A1 (en) | Memory hierarchy monitoring systems and methods | |
Sayadi et al. | Stealthminer: Specialized time series machine learning for run-time stealthy malware detection based on microarchitectural features | |
CN110943974B (en) | DDoS (distributed denial of service) anomaly detection method and cloud platform host | |
CN102291392A (en) | Hybrid intrusion detection method based on bagging algorithm | |
CN114124460B (en) | Industrial control system intrusion detection method, device, computer equipment and storage medium | |
CN103679025B (en) | A kind of malicious code detecting method based on dendritic cell algorithm | |
Shen et al. | Self-attention based convolutional-LSTM for android malware detection using network traffics grayscale image | |
CN101866403A (en) | Intrusion Detection Method Based on Improved OBS-NMF Algorithm | |
Rajashekar et al. | Smart phone user behaviour characterization based on autoencoders and self organizing maps | |
CN118264448A (en) | A deep learning network intrusion detection model for multi-classification | |
Duan et al. | CNN-based intrusion classification for IEEE 802.11 wireless networks | |
CN116756578A (en) | Vehicle information security threat aggregation analysis and early warning method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20130724 |