CN108197474A - Classification and detection method for mobile terminal applications - Google Patents


Publication number
CN108197474A
Authority
CN
China
Prior art keywords
sample
classification
class
application
classification results
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711469132.9A
Other languages
Chinese (zh)
Inventor
王伟
马君丽
解男男
刘吉强
韩臻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Application filed by Beijing Jiaotong University
Priority to CN201711469132.9A
Publication of CN108197474A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/285: Selection of pattern recognition techniques, e.g. of classifiers in a multi-classifier system
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software


Abstract

An embodiment of the present invention provides a classification and malicious detection method for mobile terminal applications. The method mainly comprises: extracting the feature vector of an application sample and inputting that feature vector into each of several classification algorithms; each classification algorithm outputs a classification result stating whether the application sample is a malicious application or a normal application, and the classification results output by the classification algorithms are put to a vote to obtain the final classification result of the application sample. By using multi-classifier voting, the classification and detection method of the embodiment can make full use of the strengths of the various classification algorithms and compensate for their individual weaknesses, thereby achieving better classification performance than a single classification algorithm and classifying and detecting application samples effectively. It effectively addresses the problems that manual review is easily manipulated by malicious developers and that its labor cost is high.

Description

Classification and detection method for mobile terminal applications
Technical field
The present invention relates to the field of application software detection for mobile terminals, and in particular to a classification and detection method for mobile terminal applications.
Background art
Static features are Android application features extracted by static analysis. Static analysis is a technique in which, without running the code, the program file is scanned using techniques such as lexical analysis and syntactic analysis to generate the disassembled code of the program, and the disassembled code is then read to understand what the program does.
Malicious application detection on mobile clients means analyzing the features of an application statically or dynamically in order to detect its malicious behavior, so as to avoid the harm a malicious application may cause, such as leakage of user privacy, battery drain, and high phone charges caused by sending spam text messages.
Automatic categorization of applications identifies the category an application belongs to from the application's own features. At present, application markets generally categorize an application by having the developer select a category and provide a description when the application is first uploaded, after which market administrators determine the category by manual review. This approach has the problems that classification results are easily manipulated by malicious developers and that the labor cost is high.
Machine learning is an interdisciplinary field involving probability theory, statistics, approximation theory, convex analysis, algorithmic complexity theory and other disciplines. It studies how computers can simulate or realize human learning behavior in order to acquire new knowledge or skills and reorganize existing knowledge structures so as to continuously improve their own performance. In recent years machine learning algorithms have been widely applied in many fields, and combining different machine learning algorithms is an important research direction. Different learning algorithms often have their own strengths and weaknesses, and combining several of them makes it possible to use the strengths of each and offset their weaknesses, achieving better results than a single learning algorithm.
Current research on malicious application detection mainly focuses on permissions. Traditional detection methods based on permission features can achieve good results, but such a single kind of feature cannot characterize an application comprehensively. Machine learning plays an important role in many fields, and researchers have already introduced it into Android malicious detection and classification, but most of this work is limited to a single machine learning algorithm. In addition, categorizing applications reasonably and accurately is the first problem that must be solved for Android application market management and for mitigating the threat of malicious applications, yet previous researchers have focused on malicious application detection rather than on the automatic categorization of normal applications.
Therefore, developing a method for malicious detection and automatic classification of mobile client applications has important practical significance.
Summary of the invention
The embodiments of the present invention provide a classification and detection method for mobile terminal applications, so as to classify and detect application samples effectively.
To achieve this, the present invention adopts the following technical solutions.
According to one aspect of the invention, a classification and malicious detection method for mobile terminal applications is provided, comprising:
extracting the feature vector of an application sample, and inputting the feature vector of the application sample into each of several classification algorithms;
each classification algorithm outputs a classification result stating whether the application sample is a malicious application or a normal application, and the classification results output by the classification algorithms are put to a vote to obtain the final classification result of the application sample.
Preferably, extracting the feature vector of the application sample comprises:
analyzing the .apk file of each application sample using a static analysis method and extracting features of 11 types from the application sample, the 11 types being requested permissions, filtered Intents, restricted API calls, application component names, code-related features, certificate information, payload information, string features, used permissions, hardware features and suspicious API calls, where each type contains multiple sub-features, and combining the features of all types into a feature set;
converting the feature set into vector format to obtain the set of feature vectors of the application samples, where each feature vector represents one application sample, each sample uses the SHA-1 value of its apk file as its unique identifier, and each feature vector contains the class label and the feature information of the application sample.
Preferably, inputting the feature vector of the application sample into each of several classification algorithms comprises:
inputting the feature vector of the application sample into each of 5 common classification algorithms: support vector machine, random forest, k-nearest neighbors, classification and regression tree, and naive Bayes.
Preferably, each classification algorithm outputting a classification result stating whether the application sample is a malicious application or a normal application, and the classification results output by the classification algorithms being put to a vote to obtain the final classification result of the application sample, comprises:
the support vector machine, random forest, k-nearest neighbors, classification and regression tree, and naive Bayes classification algorithms each output a classification result stating whether the application sample is a normal application sample or a malicious application sample, and the classification results of these 5 classification algorithms are put to a vote to obtain the final classification result of the application sample.
Preferably, the method further comprises:
collecting mobile terminal application samples of different categories from third-party application markets, and forming an application sample data set from the collected application sample data;
scanning the application samples stored in the application sample data set with VirusTotal, labeling application samples with fewer than 2 antivirus software alerts as normal, and labeling samples with 2 or more antivirus software alerts as malicious.
Preferably, the method further comprises:
further classifying the normal application samples: the normal application samples are divided into a game class and a non-game class, and the game class samples and non-game class samples are then each divided into refined categories;
Table 1: Refined category division of game class samples

| Number | Game class name | Sample count |
|---|---|---|
| 1 | G_ACTION (action) | 2,832 |
| 2 | G_BRAIN_CARDS_AND_CASUAL (casual and puzzle) | 11,509 |
| 3 | G_FLIGHT_GAMES (flight) | 367 |
| 4 | G_ONLINE_GAMES (online games) | 390 |
| 5 | G_RPG (role playing) | 1,164 |
| 6 | G_SIMULATION (simulation) | 497 |
| 7 | G_SPORTS_AND_RACING (sports and racing) | 1,307 |
| 8 | G_STRATEGY (strategy) | 800 |

Table 2: Refined category division of non-game class samples

| Number | Class name | Sample count |
|---|---|---|
| 1 | A_BOOKS_READER_AND_MAGAZINES (books and magazine reading) | 14,563 |
| 2 | A_BROWSER (browsers) | 190 |
| 3 | A_FINANCE (finance and money management) | 1,440 |
| 4 | A_INPUT_METHOD (input methods) | 62 |
| 5 | A_LIFE (lifestyle services) | 21,674 |
| 6 | A_MUSIC (music) | 1,995 |
| 7 | A_NEWS (news) | 1,738 |
| 8 | A_OFFICE_AND_BUSINESS (work and study) | 4,464 |
| 9 | A_PHOTOGRAPHY_AND_BEAUTIFICATION (photography and beautification) | 866 |
| 10 | A_SECURITY (mobile phone security) | 261 |
| 11 | A_SHOPPING_AND_PAYMENT (shopping and payment) | 2,605 |
| 12 | A_SOCIAL_AND_COMMUNICATION (social and communication) | 3,428 |
| 13 | A_THEMES_AND_WALLPAPER (themes and wallpaper) | 29,311 |
| 14 | A_TOOLS (system tools) | 3,031 |
| 15 | A_TRANSPORTATION (transportation) | 1,589 |
| 16 | A_VIDEO (video) | 1,244 |
Preferably, the method further comprises:
each classification algorithm also outputs a classification result stating whether the application sample is game class or non-game class, and also outputs the refined category division result for game class samples and non-game class samples;
the game/non-game classification results obtained for the application samples from each classification algorithm are compared with the classification results shown in Table 1, and the refined category division results obtained for the game class samples and non-game class samples from each classification algorithm are compared with the classification results shown in Table 2; the comparison verifies the correctness of the refined category division results that the classification algorithms obtain for the application samples, and yields the post-vote accuracy of those refined category division results.
As can be seen from the technical solutions provided by the embodiments above, the classification and detection method of the embodiments can, by using multi-classifier voting, make full use of the strengths of the various classification algorithms and compensate for their individual weaknesses, thereby achieving better classification performance than a single classification algorithm and classifying and detecting application samples effectively. It effectively addresses the problems that manual review is easily manipulated by malicious developers and that its labor cost is high.
Additional aspects and advantages of the invention are set forth in part in the description below; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
To explain the technical solutions of the embodiments more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a processing flow chart of a classification and detection method for mobile terminal applications provided by embodiment one of the present invention.
Detailed description
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, where the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended only to explain the invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should further be understood that the word "comprising" used in this specification means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or coupling. The wording "and/or" used herein includes any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless defined as here, are not to be interpreted in an idealized or overly formal sense.
To aid understanding of the embodiments of the present invention, several specific embodiments are further explained below with reference to the drawings; none of these embodiments limits the embodiments of the invention.
The embodiment of the present invention provides a malicious detection and automatic categorization method based on voting among several machine learning algorithms, which can make full use of the strengths of each algorithm and compensate for their individual weaknesses, thereby achieving better classification performance than a single learner. The embodiment uses a more comprehensive feature set and performs automatic categorization of normal applications alongside malicious application detection.
The processing flow of a classification and detection method for mobile terminal applications provided by the embodiment of the present invention is shown in Fig. 1 and includes the following processing steps:
Step S110: collect application data from the application markets to form an application sample data set.
Application samples of different categories are collected from different channels and from the third-party application markets, and the collected application sample data forms the application sample data set. The application samples may be Android application samples.
The application samples mainly come from third-party application markets, chiefly the following 6 domestic application markets: AppChina, N-Duo (nduoa), Yingyongbao (myapp), Gfan (gfan), Le Store (lenovo) and Anzhi Market (AnZhi). In practice, we collected a total of 287,631 samples from the 6 third-party application markets.
Step S120: label each application sample in the application sample data set as a normal sample or a malicious sample, and further classify the normal application samples.
(1) Sample labeling.
First, the application samples stored in the application sample data set are preprocessed: each application is labeled as a normal sample or a malicious sample by uploading the application samples stored in the data set to the antivirus software VirusTotal for scanning.
Application samples with fewer than 2 antivirus software alerts are labeled as normal application samples. The normal application samples are then further classified as shown in Tables 1 and 2: the normal application samples are first divided into a game class and a non-game class, and the game class and non-game class are then each divided into refined categories.
Application samples with 2 or more antivirus software alerts are labeled as malicious application samples.
Step S130: perform feature extraction on the application samples to obtain a feature set.
Feature extraction is performed on each application sample. In the embodiment of the present invention, static analysis is used to analyze the .apk file of each application sample, and features of the 11 types shown in Table 3 are extracted, where each type contains multiple features; the features of all types are combined into a feature set.
Using static analysis on the apk file of each application sample, the embodiment extracts a total of 2,374,340 features in 11 categories to characterize the behavior of the application samples.
Table 3: Feature categories in detail

| Serial number | Feature class name | Description |
|---|---|---|
| 1 | Requested Permissions | Permissions requested |
| 2 | Filtered Intents | Intents matched by filters |
| 3 | Restricted API Calls | Restricted API calls |
| 4 | App Components Names | Application component names |
| 5 | Code-related Features | Code-related features |
| 6 | Certification Information | Certificate information |
| 7 | Payload Information | Payload information |
| 8 | Interesting Strings | String features |
| 9 | Used Permissions | Permissions used |
| 10 | Hardware Features | Hardware features |
| 11 | Suspicious API Calls | Suspicious API calls |
Step S140: vectorize the feature set, so that each application sample is represented by a feature vector.
The feature set is converted into vector format to obtain the set of feature vectors of the application samples. Each feature vector represents one application sample, and each feature vector contains the class and the feature data of the application sample.
Step S150: using common classification algorithms on the feature vectors of the application samples, distinguish normal applications from malicious applications.
The embodiment of the present invention uses 5 common classification algorithms: support vector machine (SVM), random forest (RF), k-nearest neighbors (KNN), classification and regression tree (CART) and naive Bayes (NB). The set of feature vectors of the application samples is input into each classification algorithm, each classification algorithm outputs a classification result stating whether the application sample is a normal application or a malicious application, and the classification results of these 5 classification algorithms are put to a vote to obtain the final classification result of the application sample.
For the two-class decision between normal and malicious samples, the voting strategy is shown in the table below. The results of the five algorithms for each sample fall into six possible cases. For example, case 2 means that, of the five algorithms, one judges the sample normal and four judge it malicious, so by vote the sample is judged to be a malicious sample.
| Case number | Algorithms judging normal | Algorithms judging malicious | Conclusion |
|---|---|---|---|
| 1 | 0 | 5 | Malicious |
| 2 | 1 | 4 | Malicious |
| 3 | 2 | 3 | Malicious |
| 4 | 3 | 2 | Normal |
| 5 | 4 | 1 | Normal |
| 6 | 5 | 0 | Normal |
Then, the final classification results obtained for the application samples from the classification algorithms are compared with the classification results obtained for the application samples from the antivirus software in step S110 above, in order to verify the correctness of the final classification results obtained by the classification algorithms and to obtain the post-vote accuracy of those classification results.
| Step | Classification type | Number of classes | Classification accuracy |
|---|---|---|---|
| 1 | Malicious application detection | 2 | 0.9923 |
| 2 | Game and non-game classification | 2 | 0.9678 |
| 3 | Game class application classification | 8 | 0.6623 |
| 4 | Non-game class application classification | 16 | 0.8207 |
In practice, after the classification results of the classification algorithms are voted on, the classification result stating whether the application sample is game class or non-game class can also be output, as can the further classification results within the game class and the non-game class.
In voting-based multi-class classification, the voting strategy is different. For example, when the non-game class among the normal samples is divided into 16 categories, the five algorithms can produce many possible combinations of results. The sample set is unbalanced: some categories have tens of thousands of entries and some have only a few hundred. Considering this imbalance in the data, and that the support vector machine algorithm has a mechanism for handling imbalance, the actual classification results for a given sample are handled as follows:
(1) when three or more of the five algorithms assign the sample to the same class, the sample is assigned to that class;
(2) when fewer than three of the five algorithms assign the sample to the same class, the classification result of the support vector machine algorithm is used as the classification result of the sample.
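The two voting rules above (the majority vote of the six-case table and the three-vote threshold with support vector machine fallback), together with the alert-count labeling of step S120, as an added example that is not part of the patent text. The function names, the dictionary layout of the per-classifier outputs and the sample rows are constructed for illustration.

```python
from collections import Counter

# The five base classifiers named in the description.
CLASSIFIERS = ("SVM", "RF", "KNN", "CART", "NB")
AV_ALERT_THRESHOLD = 2  # step S120: 2 or more alerts means malicious


def label_from_av_alerts(alert_count):
    """Ground-truth label from the number of antivirus alerts for a sample."""
    return "malicious" if alert_count >= AV_ALERT_THRESHOLD else "normal"


def _check(predictions):
    """Require exactly one prediction from each of the five classifiers."""
    if set(predictions) != set(CLASSIFIERS):
        raise ValueError("expected one prediction per classifier: %r" % (CLASSIFIERS,))


def vote_binary(predictions):
    """Normal/malicious vote: three or more 'normal' votes give 'normal'.

    With five voters and two labels a tie cannot occur.
    """
    _check(predictions)
    normal_votes = sum(1 for p in predictions.values() if p == "normal")
    return "normal" if normal_votes >= 3 else "malicious"


def vote_multiclass(predictions):
    """Multi-class vote: a class with three or more votes wins,
    otherwise the support vector machine's output is used."""
    _check(predictions)
    top_class, top_votes = Counter(predictions.values()).most_common(1)[0]
    if top_votes >= 3:
        return top_class
    return predictions["SVM"]


def binary_vote_table():
    """Rebuild the six-case table: (case, n_normal, n_malicious, conclusion)."""
    rows = []
    for n_normal in range(6):
        labels = ["normal"] * n_normal + ["malicious"] * (5 - n_normal)
        verdict = vote_binary(dict(zip(CLASSIFIERS, labels)))
        rows.append((n_normal + 1, n_normal, 5 - n_normal, verdict))
    return rows


def evaluate_binary(samples):
    """Post-vote accuracy against the alert-count labels."""
    hits = 0
    for _sample_id, alerts, labels in samples:
        truth = label_from_av_alerts(alerts)
        verdict = vote_binary(dict(zip(CLASSIFIERS, labels)))
        hits += verdict == truth
    return hits / len(samples)


# Constructed rows: (sample id, antivirus alert count, outputs in CLASSIFIERS order).
CONSTRUCTED_SAMPLES = [
    ("sample-a", 0, ["normal", "normal", "normal", "malicious", "normal"]),
    ("sample-b", 7, ["malicious", "malicious", "normal", "malicious", "normal"]),
    ("sample-c", 1, ["malicious", "normal", "malicious", "malicious", "normal"]),
    ("sample-d", 2, ["malicious"] * 5),
]

if __name__ == "__main__":
    for row in binary_vote_table():
        print(row)
    # No class reaches three votes here, so the SVM output decides.
    split = dict(zip(CLASSIFIERS, ["A_BROWSER", "A_TOOLS", "A_TOOLS", "A_LIFE", "A_NEWS"]))
    print(vote_multiclass(split))
    print(evaluate_binary(CONSTRUCTED_SAMPLES))
```

In the constructed rows, sample-c is the one misclassification: it has a single antivirus alert, so it is labeled normal, while three of the five classifiers call it malicious.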
The game/non-game classification results obtained for the application samples from each classification algorithm are compared with the classification results shown in Table 1, and the refined category division results obtained for the game class samples and non-game class samples from each classification algorithm are compared with the classification results shown in Table 2; the comparison verifies the correctness of the refined category division results that the classification algorithms obtain for the application samples, and yields the post-vote accuracy of those refined category division results.
The comparison of classification accuracy above evaluates the performance of the proposed multi-class voting method and verifies that the algorithm is effective and feasible for malicious detection of mobile terminal applications and for multi-class classification of normal samples.
In summary, by using multi-classifier voting, the classification and detection method of the embodiment of the present invention can make full use of the strengths of the various classification algorithms and compensate for their individual weaknesses, thereby achieving better classification performance than a single classification algorithm and classifying and detecting application samples effectively. It addresses the problems that manual review is easily manipulated by malicious developers and that its labor cost is high.
The classification and detection method of the embodiment extracts comparatively comprehensive features from application samples such as Android applications and, for the first time, applies these features to the automatic categorization of normal applications alongside malicious application detection, enabling a more complete series of processing for applications such as Android applications.
A person of ordinary skill in the art will understand that the drawing is a schematic diagram of one embodiment, and that the modules or flows in the drawing are not necessarily required for implementing the invention.
From the description of the embodiments above, those skilled in the art can clearly understand that the invention can be implemented by software plus the necessary general-purpose hardware platform. On that understanding, the technical solution of the invention in essence, or the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments can be understood by reference to one another, and each embodiment focuses on its differences from the others. In particular, device and system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, see the description of the method embodiments. The device and system embodiments described above are only schematic: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the present invention, but the scope of protection of the invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (7)

1. a kind of classification of mobile terminal application and malice detection method, which is characterized in that including:
The feature vector using sample is extracted, the feature vector using sample is separately input to various sorting algorithms In;
Each sorting algorithm export respectively it is described using classification results of the sample for malicious application or normal use, by various points The classification results of class algorithm output carry out voting processing, the final classification results of the sample that is applied.
2. The classification and detection method for mobile terminal applications according to claim 1, characterized in that extracting the feature vector of the application sample comprises:
analyzing the .apk file of each application sample using a static analysis method, and extracting features of 11 types from the application sample, the 11 types comprising application permissions, Intents matched by filters, restricted API calls, application component names, code-related features, certificate information, payload information, string features, used permissions, hardware features and suspicious API calls, the feature of each type containing multiple sub-features, and the features of all types forming a feature set;
converting the feature set into vector format to obtain the set of feature vectors of the application samples, each feature vector representing one application sample, the SHA-1 value of each sample's apk file serving as its unique identifier, and each feature vector containing the classification label and the feature information of the application sample.
3. The classification and detection method for mobile terminal applications according to claim 2, characterized in that inputting the feature vector of the application sample into multiple classification algorithms respectively comprises:
inputting the feature vector of the application sample into each of 5 common classification algorithms: support vector machine, random forest, k-nearest neighbor, classification and regression tree, and naive Bayes.
4. The classification and detection method for mobile terminal applications according to claim 3, characterized in that each classification algorithm separately outputting a classification result of the application sample as a malicious application or a normal application, and the classification results output by the classification algorithms being put to a vote to obtain the final classification result of the application sample, comprises:
the support vector machine, random forest, k-nearest neighbor, classification and regression tree, and naive Bayes classification algorithms each outputting a classification result of the application sample as a normal application sample or a malicious application sample, and the classification results of these 5 classification algorithms being put to a vote to obtain the final classification result of the application sample.
5. The classification and detection method for mobile terminal applications according to claim 4, characterized in that the method further comprises:
collecting mobile terminal application samples of different categories from third-party application markets, and forming an application sample data set from the collected application sample data;
scanning the application samples stored in the application sample data set with VirusTotal, labelling samples with fewer than 2 antivirus software alerts as normal, and labelling samples with 2 or more antivirus software alerts as malicious.
6. The classification and detection method for mobile terminal applications according to claim 1, characterized in that the method further comprises:
further classifying the normal application samples, dividing the normal application samples into a game class and a non-game class, and then dividing the game-class samples and the non-game-class samples into fine-grained categories respectively;
Table 1: Fine-grained category division of game-class samples
No. Game class name Number of samples
1 G_ACTION (action) 2,832
2 G_BRAIN_CARDS_AND_CASUAL (casual and puzzle) 11,509
3 G_FLIGHT_GAMES (sports flight) 367
4 G_ONLINE_GAMES (online games) 390
5 G_RPG (role playing) 1,164
6 G_SIMULATION (simulation) 497
7 G_SPORTS_AND_RACING (sports and racing) 1,307
8 G_STRATEGY (strategy) 800
Table 2: Fine-grained category division of non-game-class samples
No. Class name Number of samples
1 A_BOOKS_READER_AND_MAGAZINES (book and magazine reading) 14,563
2 A_BROWSER (browsers) 190
3 A_FINANCE (finance and money management) 1,440
4 A_INPUT_METHOD (input methods) 62
5 A_LIFE (life services) 21,674
6 A_MUSIC (music) 1,995
7 A_NEWS (news) 1,738
8 A_OFFICE_AND_BUSINESS (work and study) 4,464
9 A_PHOTOGRAPHY_AND_BEAUTIFICATION (photography and beautification) 866
10 A_SECURITY (mobile phone security) 261
11 A_SHOPPING_AND_PAYMENT (shopping and payment) 2,605
12 A_SOCIAL_AND_COMMUNICATION (social and communication) 3,428
13 A_THEMES_AND_WALLPAPER (themes and wallpapers) 29,311
14 A_TOOLS (system tools) 3,031
15 A_TRANSPORTATION (transportation) 1,589
16 A_VIDEO (video) 1,244
7. The classification and detection method for mobile terminal applications according to claim 6, characterized in that the method further comprises:
each classification algorithm also outputting a classification result of the application sample as game class or non-game class, and also outputting the fine-grained category division results of the game-class samples and the non-game-class samples;
comparing the game-class or non-game-class classification results of the application samples obtained by each classification algorithm with the classification results shown in Table 1, comparing the fine-grained category division results of the game-class samples and non-game-class samples obtained by each classification algorithm with the classification results shown in Table 2, verifying from the comparison the correctness of the fine-grained category division results of the application samples obtained by the classification algorithms, and obtaining the accuracy, after voting, of the fine-grained category division results of the application samples obtained by the classification algorithms.
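As an added illustration (not part of the patent text or the applicant's code), the labelling rule of claim 5 and the five-classifier vote of claims 3 and 4 can be sketched in Python with scikit-learn. The sample identifiers, feature strings, alert counts and hyperparameters are constructed assumptions.

```python
# Added illustration: VirusTotal-count labelling, feature-set vectorisation
# and a majority vote over the five classifier families named in claim 3.
from collections import Counter
from sklearn.feature_extraction import DictVectorizer
from sklearn.svm import SVC
from sklearn.ensemble import RandomForestClassifier
from sklearn.neighbors import KNeighborsClassifier
from sklearn.tree import DecisionTreeClassifier
from sklearn.naive_bayes import BernoulliNB

def label_from_alerts(alert_count):
    """Claim 5 rule: fewer than 2 antivirus alerts -> normal, 2 or more -> malicious."""
    return "malicious" if alert_count >= 2 else "normal"

# Constructed samples: (placeholder id standing in for the apk SHA-1,
# static feature set, antivirus alert count). None of this is real data.
BENIGN = {"permission::INTERNET", "hardware::touchscreen", "intent::MAIN"}
MALICIOUS = {"permission::SEND_SMS", "suspicious_api::sendTextMessage",
             "intent::BOOT_COMPLETED"}
SAMPLES = [(f"sha1-placeholder-{i:02d}", BENIGN | {f"component::Activity{i}"}, i % 2)
           for i in range(6)]
SAMPLES += [(f"sha1-placeholder-{i:02d}", MALICIOUS | {f"component::Service{i}"}, 2 + i)
            for i in range(6, 12)]

def build_dataset(samples):
    """Turn each feature set into a binary vector and derive its label from the alert count."""
    vec = DictVectorizer(sparse=False)
    X = vec.fit_transform([{f: 1 for f in feats} for _, feats, _ in samples])
    y = [label_from_alerts(alerts) for _, _, alerts in samples]
    return vec, X, y

def train_classifiers(X, y):
    """Fit SVM, random forest, k-NN, CART and naive Bayes (hyperparameters are assumptions)."""
    models = {"svm": SVC(kernel="linear"),
              "random_forest": RandomForestClassifier(n_estimators=50, random_state=0),
              "knn": KNeighborsClassifier(n_neighbors=3),
              "cart": DecisionTreeClassifier(random_state=0),
              "naive_bayes": BernoulliNB()}
    return {name: m.fit(X, y) for name, m in models.items()}

def vote(models, vec, feature_set):
    """Return (final label, per-classifier votes); 5 voters over 2 classes cannot tie."""
    x = vec.transform([{f: 1 for f in feature_set}])  # unseen features are ignored
    votes = {name: str(m.predict(x)[0]) for name, m in models.items()}
    return Counter(votes.values()).most_common(1)[0][0], votes
```

Keeping the per-classifier votes next to the final label makes split decisions visible, which is useful when reviewing samples near the labelling threshold.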
CN201711469132.9A 2017-12-29 2017-12-29 The classification of mobile terminal application and detection method Pending CN108197474A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711469132.9A CN108197474A (en) 2017-12-29 2017-12-29 The classification of mobile terminal application and detection method

Publications (1)

Publication Number Publication Date
CN108197474A true CN108197474A (en) 2018-06-22

Family

ID=62585679

Country Status (1)

Country Link
CN (1) CN108197474A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180622