基于Windows API调用序列的恶意代码检测方法

为解决现有恶意代码检测方法存在的特征提取能力不足、检测模型泛化性弱的问题，提出了一种基于Windows API调用序列的恶意代码检测方法.使用N-gram算法和TF-IDF算法提取序列的统计特征，采用Word2Vec模型提取语义特征，将统计特征和语义特征进行特征融合，作为API调用序列的特征.设计了基于Stacking的三层检测模型，通过多个弱学习器构成一个强学习器提高检测模型性能.实验结果表明，提出的特征提取方法可以获得更关键的特征，设计的检测模型的准确率、精确率、召回率均优于单一模型且具有良好的泛化性，证明了检测方法的有效性.     

基于自相似特性的恶意代码动态分析技术

在比较恶意代码的分析技术的基础上,将自相似特性技术引入恶意代码的动态分析中。跟踪同类型的恶意程序,采集API函数的调用序列,提取关键特征信息,得到时间调用序列,并进行归一化处理。通过重新标度权差分析算法、回归方差算法和Higuchi算法,分别计算程序的Hurst指数,匹配同种恶意程序的自相似性。将恶意程序与正常程序的API调用序列和Hurst指数进行对比实验表明,恶意程序调用API函数与正常程序存在差异,并且同一类型的恶意程序确实具有自相似性,从而能够动态检测出恶意程序。     

基于最长频繁序列挖掘的恶意代码检测

基于动态API序列挖掘的恶意代码检测方法未考虑不同类别恶意代码之间的行为差别,导致代表恶意行为的恶意序列挖掘效果不佳,其恶意代码检测效率较低.本文引入面向目标的关联挖掘技术,提出一种最长频繁序列挖掘算法,挖掘最长频繁序列作为特征用于恶意代码检测.首先,该方法提取样本文件的动态API序列并进行预处理;然后,使用最长频繁序列挖掘算法挖掘多个类别的最长频繁序列集合;最后,使用挖掘的最长频繁序列集合构造词袋模型,根据该词袋模型将样本文件的动态API序列转化为向量,使用随机森林算法构造分类器检测恶意代码.本文采用阿里云提供的数据集进行实验,恶意代码检测的准确率和AUC(Area Under Curve)值分别达到了95.6%和0.99,结果表明,本文所提出的方法能有效地检测恶意代码.     

一种针对Android平台恶意代码的检测方法及系统实现

针对Android恶意代码泛滥的问题,综合静态和动态分析技术,设计实现了Android恶意代码检测系统.在静态分析部分,提取Android程序中的权限、API调用序列、组件、资源以及APK结构构建特征向量,应用相似性度量算法,检测已知恶意代码家族的恶意代码样本;在动态分析部分,通过修改Android源码、重新编译成内核镜像,使用该镜像文件加载模拟器,实时监控Android程序的文件读写、网络连接、短信发送以及电话拨打等行为,基于行为的统计分析检测未知恶意代码.经过实际部署测试,所提检测方法具有较高的检测率和较低的误报率.所开发Android恶意代码检测系统已经在互联网上发布,可免费提供分析检测服务.     

基于IRP的未知恶意代码检测方法

目前采用的基于API的恶意代码检测方法只能检测运行在用户态的恶意代码,不能检测运行在内核态、采用内核API调用的恶意代码.为此,文中提出基于I/O请求包(IRP)的未知恶意代码检测方法.应用朴素贝叶斯、贝叶斯网络、支持向量机、C4.5决策树、Boosting、否定选择算法及针对IRP序列特点改进的人工免疫算法对捕获的I...     

基于IRP的运行时恶意代码检测方法

目前普遍采用API序列分析Windows系统下的程序行为,进行运行时恶意代码的检测.但API调用序列可以被篡改以逃避检测.为了解决这个问题,文中提出基于IRP(L/O请求包)的运行时恶意代码检测方法.该方法采用n-gram特征分析方法对IRP序列进行分析,将人工免疫系统中的否定选择算法和肯定选择算法相结合,筛选出仅在恶...     

基于图注意力网络的安卓恶意软件检测

安卓恶意软件的爆发式增长对恶意软件检测方法提出了更高效、准确的要求.早年的检测方法主要是基于权限、opcode序列等特征,然而这些方法并未充分挖掘程序的结构信息.基于API调用图的方法是目前主流方法之一,它重在捕获结构信息,可准确地预测应用程序可能的行为.本文提出一种基于图注意力网络的安卓恶意软件检测方法,该方法通过静态分析构建API调用图来初步表征APK,然后引入SDNE图嵌入算法从API调用图中学习结构特征和内容特征,再通过注意力网络充分融合邻居节点特征向量,进而构成图嵌入进行检测任务.在AMD数据集上的实验结果表明,本文提出的方法可以有效检测恶意软件,准确率为97.87%,F1分数为97.40%.     

基于图卷积网络的恶意代码聚类

许多新型恶意代码往往是攻击者在已有的恶意代码基础上修改而来,因此对恶意代码的家族同源性分析有助于研究恶意代码的演化趋势和溯源.本文从恶意代码的API调用图入手,结合图卷积网络(GCN),设计了恶意代码的相似度计算和家族聚类模型.首先,利用反汇编工具提取了恶意代码的API调用,并对API函数进行属性标注.然后,根据API对恶意代码家族的贡献度,选取关键API函数并构建恶意代码API调用图.使用GCN和卷积神经网络(CNN)作为恶意代码的相似度计算模型,以API调用图作为模型输入计算恶意代码之间的相似度.最后,使用DBSCAN聚类算法对恶意代码进行家族聚类.实验结果表明,本文提出的方法可以达到87.3%的聚类准确率,能够有效地对恶意代码进行家族聚类.     

基于API Hook的进程行为监控系统

基于API Hook的进程行为监控系统,利用钩子技术和内存保护技术,实现了透明地对客户机进程API调用行为的安全监控.首先通过对客户虚拟机的API函数设置钩子,截获虚拟机中的进程API调用行为;接着利用内存保护技术,对客户机的钩子进行隐藏和保护,保证行为监控对客户虚拟机的透明性;然后利用虚拟机管理器的隔离性,将安全工具放在安全域中,一方面防止恶意进程检测并且攻击安全工具,另外一方面解决恶意租户利用虚拟机进行攻击的问题;最后在截获客户虚拟机API调用的基础上,利用语义重构技术,对客户虚拟机进程创建、文件操作、注册表操作等行为进行细粒度监控.测试结果表明:(1)监控系统可以有效的截获客户虚拟机进程API调用,结合语义重构技术,监控系统能够有效地对进程创建、文件操作、注册表操作等进程行为进行监控;(2)针对单个Hook点性能测试表明,监控系统截获API调用对系统性能的影响为4.8%;(3)在文件监控方面,基于API Hook的进程行为监控系统相对于现有截获系统调用的监控系统性能提高73%.     

Android系统中恶意代码的动态检测技术研究

随着手机普及程度的日益提高,人们对智能手机的依赖性加重,手机的安全性问题变得愈加突出.根据Android安装包(APK)文件的权限调用和Android系统的应用程序接口(API)函数调用情况,设计了一种基于API拦截技术的检测恶意代码的动态检测方法.实验结果表明,该方法可以有效检测并报告Android系统中的恶意代码.     

Characterization of Ordovician carbonate reservoirs, southeastern Saskatchewan, Canada

The discovery of the prolific Ordovician Red River reservoirs in 1995 in southeastern Saskatchewan was the catalyst for extensive exploration activity which resulted in the discovery of more than 15 new Red River pools. The best yields of Red River production to date have been from dolomite reservoirs. Understanding the processes of dolomitization is, therefore, crucial for the prediction of the connectivity, spatial distribution and heterogeneity of dolomite reservoirs.The Red River reservoirs in the Midale area consist of 3～4 thin dolomitized zones, with a total thickness of about 20 m, which occur at the top of the Yeoman Formation. Two types of replacement dolomite were recognized in the Red River reservoir: dolomitized burrow infills and dolomitized host matrix. The spatial distribution of dolomite suggests that burrowing organisms played an important role in facilitating the fluid flow in the backfilled sediments. This resulted in penecontemporaneous dolomitization of burrow infills by normal seawater. The dolomite in the host matrix is interpreted as having occurred at shallow burial by evaporitic seawater during precipitation of Lake Almar anhydrite that immediately overlies the Yeoman Formation. However, the low δ18O values of dolomited burrow infills (-5.9‰～ -7.8‰, PDB) and matrix dolomites (-6.6‰～ -8.1‰, avg. -7.4‰ PDB) compared to the estimated values for the late Ordovician marine dolomite could be attributed to modification and alteration of dolomite at higher temperatures during deeper burial, which could also be responsible for its 87Sr/86Sr ratios (0.7084～0.7088) that are higher than suggested for the late Ordovician seawaters (0.7078～0.7080). The trace amounts of saddle dolomite cement in the Red River carbonates are probably related to "cannibalization" of earlier replacement dolomite during the chemical compaction.     

An Index mechanism for multi-scale view in spatial databases

There are numerous geometric objects stored in the spatial databases. An importance function in a spatial database is that users can browse the geometric objects as a map efficiently. Thus the spatial database should display the geometric objects users concern about swiftly onto the display window. This process includes two operations:retrieve data from database and then draw them onto screen. Accordingly, to improve the efficiency, we should try to reduce time of both retrieving object and displaying them. The former can be achieved with the aid of spatial index such as R-tree, the latter require to simplify the objects. Simplification means that objects are shown with sufficient but not with unnecessary detail which depend on the scale of browse. So the major problem is how to retrieve data at different detail level efficiently. This paper introduces the implementation of a multi-scale index in the spatial database SISP (Spatial Information Shared Platform) which is generalized from R-tree. The difference between the generalization and the R-tree lies on two facets: One is that every node and geometric object in the generalization is assigned with a importance value which denote the importance of them, and every vertex in the objects are assigned with a importance value,too. The importance value can be use to decide which data should be retrieve from disk in a query. The other difference is that geometric objects in the generalization are divided into one or more sub-blocks, and vertexes are total ordered by their importance value. With the help of the generalized R-tree, one can easily retrieve data at different detail levels.Some experiments are performed on real-life data to evaluate the performance of solutions that separately use normal spatial index and multi-scale spatial index. The results show that the solution using multi-scale index in SISP is satisfying.     

A computer generator for randomly layered structures

AcomputergeneratorforrandomlylayeredstructuresYUJia shun1,2,HEZhen hua2(1.TheInstituteofGeologicalandNuclearSciences,NewZealand;2.StateKeyLaboratoryofOilandGasReservoirGeologyandExploitation,ChengduUniversityofTechnology,China)Abstract:Analgorithmisintrod…     

海南岛地体及其毗邻陆缘晚中生代—新生代古地磁研究和构造演化

本文叙述了对海南岛及其毗邻大陆边缘白垩纪到第四纪地层岩石进行古地磁研究的全部工作过程。通过分析岩石中剩余磁矢量的磁偏角及磁倾角的变化,提出海南岛白垩纪以来经历的构造演化模式如下:早期伴随顺时针旋转而向南迁移,后期伴随逆时针转动并向北运移。联系该地区及邻区的地质、地球物理资料,对海南岛上述的构造地体运动提出以下认识:北部湾内早期有一拉张作用,主要是该作用使湾内地壳显著伸长减薄,形成北部湾盆地。从而导致了海南岛的早期构造运动,而海南岛后期的构造运动则主要是受南海海底扩张的影响。海南地体运动规律的阐明对于了解北部湾油气盆地的形成演化有重要的理论和实际意义。     

Exciton Seebeck in Molecular Systems

Various applications relevant to the exciton dynamics,such as the organic solar cell,the large-area organic light-emitting diodes and the thermoelectricity,are operating under temperature gradient.The potential abnormal behavior of the exicton dynamics driven by the temperature difference may affect the efficiency and performance of the corresponding devices.In the above situations,the exciton dynamics under temperature difference is mixed with     

Achieving Unusual States of Matter Under High Pressure

The elongation method,originally proposed by Imamura was further developed for many years in our group.As a method towards O(N)with high efficiency and high accuracy for any dimensional systems.This treatment designed for one-dimensional(ID)polymers is now available for three-dimensional(3D)systems,but geometry optimization is now possible only for 1D-systems.As an approach toward post-Hartree-Fock,it was also extended to     

《Chinese Science Bulletin》SUBJECT INDEX TO VOLUME 59(2014)

正~~     

An on-line scaling method for improving scalability of a database cluster

The explosive growth of the Internet and database applications has driven database to be more scalable and available, and able to support on-line scaling without interrupting service. To support more client's queries without downtime and degrading the response time, more nodes have to be scaled up while the database is running. This paper presents the overview of scalable and available database that satisfies the above characteristics. And we propose a novel on-line scaling method. Our method improves the existing on-line scaling method for fast response time and higher throughputs. Our proposed method reduces unnecessary network use, i.e. , we decrease the number of data copy by reusing the backup data. Also, our on-line scaling operation can be processed parallel by selecting adequate nodes as new node. Our performance study shows that our method results in significant reduction in data copy time.     

An improved R-tree based on childnode''s probability

R-Tree is a good structure for spatial searching. But in this indexing structure,either the sequence of nodes in the same level or sequence of traveling these nodes when queries are made is random. Since the possibility that the object appears in different MBR which have the same parents node is different, if we make the subnode who has the most possibility be traveled first, the time cost will be decreased in most of the cases. In some case, the possibility of a point belong to a rectangle will shows direct proportion with the size of the rectangle. But this conclusion is based on an assumption that the objects are symmetrically distributing in the area and this assumption is not always coming into existence. Now we found a more direct parameter to scale the possibility and made a little change on the structure of R-tree, to increase the possibility of founding the satisfying answer in the front sub trees. We names this structure probability based arranged R-tree (PBAR-tree).     

Integrating GIS Web services based on mediating architecture

The geographic information service is enabled by the advancements in general Web service technology and the focused efforts of the OGC in defining XML-based Web GIS service. Based on these models, this paper addresses the issue of services chaining,the process of combining or pipelining results from several interoperable GIS Web Services to create a customized solution. This paper presents a mediated chaining architecture in which a specific service takes responsibility for performing the process that describes a service chain. We designed the Spatial Information Process Language (SIPL) for dynamic modeling and describing the service chain, also a prototype of the Spatial Information Process Execution Engine (SIPEE) is implemented for executing processes written in SIPL. Discussion of measures to improve the functionality and performance of such system will be included.