Malicious program recognition method and device based on icon representation and software behavior consistency analysis

A malicious program identification method, applied in the field of network security, that can solve problems such as lack of practicability, lack of versatility, and false positives, and achieve the effects of ensuring the security of network user information assets, low resolution efficiency, and rapid detection.

Inactive Publication Date: 2019-06-11
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU

AI Technical Summary

Problems solved by technology

Experiments show that when icon analysis is used in the prediction model, the average accuracy increases by 10%. The disadvantage is that manual feature extraction is required, the icon classification speed and accuracy are not high, and no effective behavior analysis method is given.

The mobile terminal malicious code detection method and system based on the application program icon works as follows: first parse the installation package of the application and extract the application's icon, then extract the system API functions from the application's code file. The icon is looked up in the function rule library of application icons to retrieve the function rule corresponding to the icon, and the API functions called by the application are compared with that rule. If they are consistent, the application is normal; otherwise, it is a malicious application. However, this technology is not practical: there are many types of malicious code, and the API information of an application cannot fully reflect the software's function, so in actual situations there will be serious false positives or missed detections.

In terms of actual effect, measured against the automatic detection requirements of large-scale and diverse malicious samples, the existing malicious code detection methods based on icon analysis have the following deficiencies. They lack versatility: they can only detect samples that use icons similar to those of normal software, while samples using other icons cannot be detected. They lack practicality: when detecting large-scale samples, the efficiency is very low.

Embodiment Construction

[0025] In order to make the purpose, technical solution and advantages of the present invention more clear and understandable, the present invention will be further described in detail below in conjunction with the accompanying drawings and technical solutions.

[0026] In order to adapt to the automatic detection requirements of large-scale and diverse malicious samples, an embodiment of the present invention, as shown in Figure 1, provides a malicious program identification method based on icon representation and software behavior consistency analysis, including the following content:

[0027] S101) Collect known, classified normal software data; extract the icon resource data and import table API data of the known normal software; construct a CNN deep learning model and train it on the icons and on the import table API information respectively; and, according to the icon classification and software behavior classification information, obtain the regular software library;

[0028] S102) Analyze the structure...


Abstract

The invention belongs to the technical field of network security and particularly relates to a malicious program recognition method and device based on icon representation and software behavior consistency analysis. The method comprises the following steps: collecting known, classified normal software data; extracting the icon resource data and import table API data of the known normal software, constructing a CNN deep learning model, training on the icons and the import table API information respectively, establishing an icon classification model and a software classification model, and obtaining a software program routine information base according to the icon classification and software behavior classification information; performing structure analysis on the sample to be tested, extracting its icon resource data and import table API function data, testing them through the CNN deep learning model, and obtaining the icon classification and software behavior classification information of the sample to be tested; and judging, according to the test result, the consistency between the icon classification and the software behavior classification of the sample to be tested. Automatic, batched, rapid detection of malicious programs is achieved, and malicious program code disguised with icons similar to those of legitimate software is effectively recognized.
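The consistency judgment described in the abstract, as an added example that is not code from the patent: a cosine-similarity profile classifier stands in for the CNN behavior model, the icon class is assumed to be already predicted, and the categories, API lists, function names and the 0.5 threshold are constructed assumptions.

```python
from collections import Counter
from math import sqrt

# Constructed stand-in for the "regular software library": import-table API
# lists of known normal software, grouped by software category.
NORMAL_LIBRARY = {
    "document_viewer": [
        ["CreateFileW", "ReadFile", "GetOpenFileNameW", "TextOutW", "StartDocW", "EndDoc"],
        ["CreateFileW", "ReadFile", "TextOutW", "BitBlt", "StartDocW"],
    ],
    "browser": [
        ["WSAStartup", "socket", "connect", "send", "recv", "InternetOpenA", "CreateFileW"],
        ["InternetOpenA", "InternetReadFile", "HttpSendRequestA", "connect", "recv", "BitBlt"],
    ],
    "media_player": [
        ["CreateFileW", "ReadFile", "waveOutOpen", "mciSendStringW", "BitBlt"],
        ["waveOutOpen", "waveOutWrite", "ReadFile", "BitBlt"],
    ],
}

def cosine(a, b):
    """Cosine similarity between two API-count vectors (Counters)."""
    dot = sum(a[k] * b[k] for k in a)
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def train(library):
    """Build one API-frequency profile per category (simple stand-in for CNN training)."""
    return {cat: Counter(api for s in samples for api in s) for cat, samples in library.items()}

def classify_behavior(apis, profiles, min_score=0.5):
    """Return (category, score); 'unknown' if no normal profile is close enough."""
    vec = Counter(apis)
    cat, score = max(((c, cosine(vec, p)) for c, p in profiles.items()), key=lambda x: x[1])
    return (cat, score) if score >= min_score else ("unknown", score)

def is_consistent(icon_class, apis, profiles):
    """True when the icon category agrees with the import-table behavior category."""
    behavior_class, _ = classify_behavior(apis, profiles)
    return behavior_class == icon_class

PROFILES = train(NORMAL_LIBRARY)

if __name__ == "__main__":
    # Constructed sample: document icon, but network-client imports.
    apis = ["WSAStartup", "socket", "connect", "send", "recv", "CreateFileW"]
    print(classify_behavior(apis, PROFILES), is_consistent("document_viewer", apis, PROFILES))
```

A sample whose imports match no normal profile is reported as `unknown` and therefore also fails the consistency check, which is a design choice of this example rather than a rule stated on the page.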

Description

Technical field

[0001] The invention belongs to the technical field of network security, in particular to a malicious program identification method and device based on icon representation and software behavior consistency analysis.

Background technique

[0002] Traditional malicious code analysis methods are mainly divided into static analysis methods and dynamic analysis methods. The static analysis method refers to disassembling, decompiling, etc. the program without executing it, and then analyzing the result; the main methods include static source code analysis, static disassembly analysis, and decompilation analysis. The dynamic analysis method refers to using program debugging tools to track malicious code, observe its execution process, analyze its working mechanism, and verify the results of static analysis; the main methods are the system call behavior analysis method and heuristic scanning technology. However, traditional malicious co...

Application Information

IPC(8): G06F21/56, G06N3/04
Inventor: 舒辉, 杨萍, 康绯, 熊小兵, 光焱, 桂智杰
Owner PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU