Method and apparatus for identifying malicious software
Abstract
A method and apparatus are disclosed for identifying malicious software in the technical field of computers. The method includes: obtaining, according to a source code of to-be-detected software, a function call diagram of the software; generating a feature sequence of the software according to the function call diagram, the feature sequence including an eigenvalue of at least one feature, the feature being a function in a preset function library, and the eigenvalue of the feature being a quantity of times of calling of the function by the software; and identifying whether the software is malicious software according to the feature sequence and a random forest, the random forest including at least one decision tree, and the decision tree including reference eigenvalues of multiple features. The apparatus includes: an obtaining module, a generation module, and an identification module. The present disclosure may improve identification accuracy.
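The pipeline described in the abstract, as an added example that is not part of the patent: call counts for functions in a preset library form the feature sequence, and each decision tree compares those counts against reference eigenvalues. The library contents, the `caller -> callee` edge format, the `<=` comparison, the majority vote and the hand-built forest are all assumptions made for illustration.

```python
from collections import Counter

# Assumed preset function library; the patent text here does not list one.
PRESET_LIBRARY = ["sendTextMessage", "getDeviceId", "exec", "openConnection"]

def parse_call_graph(text):
    """Parse 'caller -> callee' lines (one per call site) into edge tuples."""
    edges = []
    for line in filter(None, map(str.strip, text.splitlines())):
        caller, sep, callee = line.partition("->")
        if not sep:
            raise ValueError(f"malformed edge: {line!r}")
        edges.append((caller.strip(), callee.strip()))
    return edges

def feature_sequence(edges, library=PRESET_LIBRARY):
    """Eigenvalue per feature = number of times the library function is called."""
    counts = Counter(callee for _, callee in edges)
    return [counts[name] for name in library]  # uncalled functions yield 0

def tree_vote(node, seq):
    """Inner node = (feature index, reference eigenvalue, <= branch, > branch)."""
    while not isinstance(node, bool):
        index, reference, le_branch, gt_branch = node
        node = le_branch if seq[index] <= reference else gt_branch
    return node  # leaf: True means malicious

def is_malicious(seq, forest):
    """Majority vote across the trees (the voting rule is an assumption)."""
    votes = sum(tree_vote(tree, seq) for tree in forest)
    return 2 * votes > len(forest)

# Constructed forest; a real one would be trained on labelled samples.
FOREST = [
    (0, 1, False, (1, 0, False, True)),  # SMS sends, then device-ID reads
    (2, 0, False, True),                 # any exec call
    (3, 1, False, (0, 0, False, True)),  # repeated connections plus SMS
]

# Constructed call graphs; 'log' is outside the library and is ignored.
SUSPECT = """onCreate -> getDeviceId
timerTick -> sendTextMessage
timerTick -> sendTextMessage
timerTick -> openConnection
upload -> openConnection
upload -> log"""
BENIGN = """onCreate -> openConnection
share -> sendTextMessage"""
```
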
20 Claims
1. A method for identifying malicious software implemented by a server, the method comprising:
- obtaining, according to a source code of a software detected on a terminal, a function call diagram of the software;
- generating a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function included in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times the function is called by the software; and
- determining whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features of the software.

Dependent claims: 2, 3, 4, 5, 6, 7

8. An apparatus for identifying malicious software, the apparatus comprising:
- a processing circuitry; and
- a non-transitory storage medium configured to store executable instructions that, when executed, cause the processing circuitry to:
  - execute an obtaining module to obtain, according to a source code of a software, a function call diagram of the software;
  - execute a generation module to generate a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times of calling of the function by the software; and
  - execute an identification module to determine whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features.

Dependent claims: 9, 10, 11, 12, 13, 14

15. An apparatus for identifying malicious software, comprising one or more processors and a non-transitory storage medium storing operation instructions, wherein executing the operation instructions causes the processors to:
- obtain, according to a source code of a software detected on a terminal, a function call diagram of the software;
- generate a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function included in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times the function is called by the software; and
- determine whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features of the software.

Dependent claims: 16, 17, 18, 19, 20
Specification