[Retracted] Naive Bayes Algorithm Mining Mobile Phone Trojan Crime Clues

Zhao, Fugang

doi:https://doi.org/10.1155/2022/6262147

Mobile Information Systems

On this page

Abstract Introduction Conclusions Data Availability Conflicts of Interest References Copyright Related Articles

Research Article Retraction

!

This article has been Retracted. To view the article details, please click the ‘Retraction’ tab above.

Special Issue

Ambient Intelligence for Massive Communication in Mobile Information Systems

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 6262147 | https://doi.org/10.1155/2022/6262147

[Retracted] Naive Bayes Algorithm Mining Mobile Phone Trojan Crime Clues

Fugang Zhao¹

Academic Editor: Yajuan Tang

Received14 Jun 2022

Revised20 Jul 2022

Accepted01 Aug 2022

Published26 Aug 2022

Abstract

After the mobile phone virus infects the mobile phone, it can transmit the real-time information of the user to the designated place set by the virus through the built-in recorder and camera on the mobile phone, thereby causing information leakage. With the rapid development of the Internet, the penetration rate of mobile terminals is also increasing day by day. As an emerging mobile terminal, smart phones have now fully occupied the market. With this trend, the importance of mobile phone information security is also increasing day by day. How to prevent mobile phone virus has gradually become an important issue. Trojan horse crime cases have different manifestations and behavioral characteristics from traditional cases. They have the characteristics of low crime cost, high income, high concealment, novel criminal methods, and great difficulty in detection, which brings greater difficulties to the public security organs in their investigation and detection. And the current research on mobile phone virus behavior is still in the preliminary stage, and some existing detection models can only target random networks. Trojan horses, viruses, and malicious software for smartphones have sprung up like mushrooms after rain, seriously infringing on the data security of mobile communication terminals, such as mobile phones and causing incalculable losses to users. This paper proposes a naive Bayesian algorithm to mine the clues of the criminal cases of mobile phone Trojans. It helps detect and discover new viruses at the beginning of an attack, allowing them to be more effectively defended and contained. And based on the feature set data extracted from the network data packets, it conducts an in-depth analysis of the current business behaviors of mobile phone Trojans, such as propagation and implantation, remote control, leakage of user privacy information, and malicious ordering, and extracts its behavior characteristics. Thus, unknown mobile Trojan horses that are taking place can be detected. The experimental results of the naive Bayesian classification algorithm proposed in this paper show that the algorithm improves the accuracy of mobile phone Trojan virus mining by 28%, which plays a significant role.

1. Introduction

In recent years, with the rapid development of mobile communication technology, the degree of intelligence of mobile phones is also getting higher and higher. The hardware configuration of smart phones is constantly upgraded, and it also integrates technologies, such as short message (SMS), multimedia message (MMS), Bluetooth (Bluetooth), wireless application protocol (WAP) surfing, and general packet radio service (GPRS) Internet access. With the popularization of computers and the rapid development of the Internet, people’s lifestyles and values have undergone earthshaking changes. While enjoying a large amount of information resources and an increasingly convenient life brought by the Internet, some lawbreakers use emerging science and technology to commit illegal and criminal acts, infringing on citizens’ legitimate rights and interests and disrupting public order. In recent years, a large number of illegal and criminal activities using Trojan horses have occurred throughout the country. Mobile phone viruses can damage the software and hardware of mobile phones and directly affect the normal work of mobile phones. The main symptoms include crashes, automatic restarts, keyboard locks, rapid power consumption, slow operation, and abnormal noises. The form of crime has also evolved from the initial singularity and individualization to the diversification and industrialization of today. The perpetrators of most Trojan horse crime cases have formed a huge interest group with a clear division of labor. They use methods such as stealing virtual property to sell for profit or maliciously destroying important data, and so on, to commit crimes of infringement of property and disrupting the order of social management. even crimes that endanger national security. The popularity of smart phones has brought a new situation of mobile phone applications. The functions of mobile phone-based applications are more powerful, the types are more diverse, and the download volume is increasing.

The formulation of an information security policy involves more than just the formulation and implementation of the policy. Unless organizations clearly recognize the various steps required to develop a security strategy, they run the risk of developing a strategy that is well thought out, incomplete, redundant, and irrelevant, and will not be fully supported by users. Flowerday and Tuyikeze believe that an information security strategy has a complete life cycle, and it must be passed during its useful life cycle. A formal content analysis of the information security policy formulation method was carried out using secondhand data. Flowerday and Tuyikeze subsequently developed a conceptual framework based on the results of content analysis. The proposed framework outlines the various structures required to develop and implement an effective information security strategy. During their research, they conducted a survey of 310 security professionals to verify and refine the concepts contained in the key components of the framework. However, the conceptual framework they proposed is too general to accurately explain the information security strategy [1]. Gusmo et al. proposed a risk analysis model for information security assessment. This model identifies and evaluates the sequence of events in potential accident scenarios (called alternatives) after the initial event corresponding to the abuse of information technology systems occurs. In order to carry out this assessment, this work proposes to use event tree analysis combined with fuzzy decision theory. The contribution of the proposal is to develop a classification of events and scenarios, rank alternatives according to the severity of the risk, take into account financial losses, and, finally, provide information about the most serious causes of attacks on information systems. For the management relevance of the organization, they included an illustrative example of a data center to illustrate the applicability of the proposed model. In order to evaluate its robustness, they considered two different methods for setting the probability of occurrence of events and analyzed twelve alternatives. However, the information security assessment risk analysis model they proposed is too complicated, and errors may occur in the calculation process [2]. Runtime security is a hot spot in current cyberspace security research, especially embedded terminals, such as smart hardware and wearable and mobile devices. These devices usually use common hardware and software to connect to public networks via the Internet and may be vulnerable to security threats from Trojan horse viruses and other malicious software. Therefore, the security of sensitive personal data is threatened, and the economic interests of the industry are harmed. In order to effectively solve the problem of runtime security, Rui et al. proposed a security architecture based on information security. The experimental results prove the effectiveness and the feasibility of the proposed safety scheme. However, there are still deficiencies in the handling of runtime security issues [3].

The innovation of this paper is to use the proposed naive Bayes algorithm to mine the clues of mobile phone Trojan horse criminal cases, and based on the feature set data extracted from network data packets, including protocol type, content length, connection status, whether to carry the installation files, and so on, truly reflect the mobile phone network behavior of the data, and then the mining engine based on the data can effectively summarize the behavior characteristics of the existing mobile phone viruses and use this to detect unknown mobile phone viruses.

2. Mobile Phone Trojan Virus Data Mining Algorithm

2.1. Bayesian Classification Method

Bayes’ theorem is a result of probability theory, which is related to the conditional probability of the machine variable and the marginal probability distribution [4]. Let D and S be two random variables, D = d is a certain result hypothesis, T = t is a set of sample data, T(D = d) is the prior probability of time D = d, and S(D = d/T = t) is the posterior probability of event D = d under the premise of sample data T = t. The Bayes formula is also called the posterior probability formula:

In addition to signatures, the behavior of mobile phone viruses is also special. Studying the behavioral characteristics of mobile phone viruses is helpful to detect and discover new viruses at the early stage of the outbreak so as to be able to defend and control them more effectively. The Bayesian classification model is a typical classification model, based on statistical methods, with Bayesian formula as the core. The specific expression is A = (D1, D2, ..., DN, G) is the original training set, where D1, D2, ..., DN are the N special attributes of the training data, and the value of the class label G, the range, is (G1, G2, ..., gm); that is, there are m class labels in total.

The naive Bayes classification algorithm assumes that each attribute value of the sample data in the original training set is independent of each other, which greatly simplifies the calculation of the posterior probability. Among them, is the prior probability of the sample data , which has nothing to do with the specific value of the class label, so it can be treated as a constant when judging the class label.

2.2. Naive Bayes Classification Algorithm

The naive Bayes smashing algorithm is based on the premise of class condition independence; that is, it is assumed that each attribute value of the sample data in the original training set is independent of each other [5]. This assumption greatly simplifies the amount of calculation when obtaining the posterior probability, so it is called “naive.”

The specific workflow of the naive Bayes classification method is as follows:

Let D be a collection of training samples and class labels (training set), and suppose that each training sample is represented by an n-dimensional attribute vector , where r₁, r₂, ..., r_n are, respectively, corresponding to n, a collection of specific values of attributes.

Assuming that, for a given data sample R, there are a total of m class labels, denoted as , the classification algorithm will calculate the posterior probability value of each class label under the data sample R, and determine that R belongs to the posterior probability, the class with the largest value, that is, when R belongs to class G_j:

In this way, to maximize , the value of can be calculated according to Bayes’ theorem.

Since the naive Bayes classification algorithm assumes that each feature attribute is independent of each other, that is, the attributes do not affect each other, then

Use formula (5) to estimate , where R_x represents the value of the attribute D_x in the sample data R. For each attribute, consider whether the attribute is discrete or continuous.Therefore,

Using formula (5), to predict the class number of R, calculate for each class G_i. The classification method predicts that the class label of the sample data R is G_i, only if

That is, the final class label is class that makes the largest under the condition of R.

2.3. Naive Bayes with Tree Augmentation

To create a naive Bayesian classification tree classification model, you must first calculate the mutual information between all variable attributes according to formula (9). Mutual information is used to measure the amount of information contained in one variable in another variable. The greater the amount of mutual information, the more explanation, most information contains the relationship between two variables.

Next, obtain all attribute variables as node and mutual status information, and artificially link the nodes to create an undirected complete graph. The maximum tree weight algorithm is used to create the maximum weight tree for the unguided graph. The naive Bayes classification algorithm is based on the premise of class conditional independence; that is, it is assumed that each attribute value of the sample data in the original training set is independent of each other. This assumption greatly simplifies the amount of computation when calculating the posterior probability.

2.4. Incremental Learning Bayesian Classification

Incremental learning Bayesian classification is to overcome its two shortcomings by continuously completing the training set of the naive Bayes algorithm. After the initial modeling is completed, the incremental learning algorithm is used to select the incremental samples without category labels in the incremental set K, and the new modeling parameters are obtained after the discriminated incremental samples are added to the original training set. Then, the unknown samples are judged according to this new classification model. The core of the algorithm is to continuously select new sample data to be added to the training set Y, making the training set more and more complete and testing with training data repeatedly, which makes the conditional correlation between the attribute values of the sample instances weaken and become more independent [6, 7].

A loss weight coefficient is introduced from all instances in the training set Y, and reflects the sensitivity of the instances in Y to newly added instances. Suppose that the class conditional probability of is stored in in the learning new instance, and the new class conditional probability of is calculated in Y and expressed as . Definition:

The estimate of is the absolute loss of in the calculation formula:

The algorithm of this module is to make the stock calculation formula of all the instances in the training set Y and the smallest instance enter Y from the photos in K, gradually reduce the number of instances in the test set K, knowing that K is empty or the LossSum value is greater than the set maximum threshold.

2.5. Selection Method of Characteristic Attributes

The methodology of feature attribute extraction is based on judging the gain rate of each feature attribute to obtain the most suitable feature set. Before introducing the gain rate, first introduce the concept of information gain as its foundation. Information gain belongs to the category of information theory. It is used to measure the ability of an attribute to distinguish samples. The larger the value, the stronger the ability, and vice versa.

The expected information required for the classification of tuples (feature attributes) in the data set T is obtained by the following formula:

Among them, is the probability of using the 2-base logarithmic function because any T (attribute property) set belongs to the class and the information is binary bits. Inf (T) is the average value of the information required to identify the class label of T and is calculated as follows:

Information capture is defined as the difference between the initial demand for information (based on analogy only) and the new demand.

Obtaining information also has the disadvantage of multiple output feature deviations, which means that they often have a large number of feature values. In order to overcome this prejudice, the profit margin is used as an extension of information acquisition, using the split information value to normalize the information gain, and “split information” is defined as follows:

Select the attributes with short answer gain rate to form a new feature set.

3. Characteristics of Illegal and Criminal Cases of Trojan Horse under Information Security

3.1. Main Forms of Trojan Horse Crime Cases

In the crime of property invading Trojan horses, criminal suspects use various means and excuses, such as building false web pages to deceive users from clicking, and so on, downloading Trojan horses to the user’s computer to steal user’s related information or virtual property. After that, the criminal suspect may use the stolen information to conduct traditional crimes such as blackmail and fraud or sell the virtual property and convert it into real currency to directly benefit. In short, since the ultimate goal of the criminal suspects in such cases is to obtain economic benefits, they are collectively referred to as the crime of invading property Trojan horses [8,9]. Trojan horse virus is a program used by computer hackers to remotely control the computer. The control program is parasitized in the controlled computer system, and the inside and outside are combined to perform operations on the computer infected with the Trojan horse virus.

In the crime of disrupting the order of social management, the suspect uses a Trojan horse to control the user’s computer, not for the purpose of obtaining economic benefits, and maliciously delete, modify, add, or interfere with the user’s storage data, information system, or network environment. This behavior produced serious consequences and disrupted the management order of the society [10, 11].

In the crime of endangering national security, criminal suspects use Trojan horses to invade information systems, such as national affairs, national defense construction, and cutting-edge science and technology, and their behavior constitutes a violation of national security [12].

3.2. Behavioral Characteristics of Trojan Horse Crime Cases

Concealment. Trojan horse crime occurs automatically when the system is started, most of the Trojan horse programs are hidden in the task manager and taskbar, deceiving the operating system in the form of system services that are difficult for users to detect [13].

In unauthorized, Trojan horse crime cases, any operation of the criminal suspect on the target host is illegal [14], and the operation authority granted by the user is not obtained.

Self-Protection. In Trojan horse crime cases, the Trojan horse used by the criminal suspect has an automatic recovery function, and the user thinks that the Trojan horse is deleted and then runs other programs to cause the Trojan horse to recover; or has a self-destruction function that will self-destruct after achieving the expected goal This type of function brings great difficulties when discovering and investigating Trojan horse crimes, and plays a role of self-protection [15,16].

Function Peculiarities. In Trojan horse crime cases, due to the different needs of the criminal suspect, the function of the Trojan horse is very special, such as keylogging, obtaining passwords, and modifying the registry [17].

3.3. Investigation Thinking of the Trojan Horse Crime Case

(1)The thinking of investigation is that after the criminal act is filed by the case-handling agency, in order to logically associate the case with the suspect, it effectively integrates some messy clues and evidence, through on-site visits, on-site investigations, on-site evidence collection, queuing, and investigation, and through interrogation, search, wanted criminal suspects, and other investigative measures and methods, and finally identifies and arrests criminal suspects. The quality of the case-handling thinking adopted by the investigators will directly affect the smoothness of the case-handling process. In Trojan horse crime cases, due to the characteristics of a wide geographical span, a large number of people are involved, and with a fast transmission speed, if the thinking of handling the case cannot be directed to criminal behavior quickly and effectively, the economic and spiritual losses brought about will be immeasurable [18, 19].(2)Use the information involved in investigations.

The user discovers that the computer is attacked by Trojan horse crime, which usually occurs in two stages. One is that users discover the existence of Trojan horses through real-time monitoring of IDS, firewall, FTP, WWW and antivirus software log abnormal detection, Trojan horse discovery tools, and so on; the second is that during the “horizon-troubled” stage, the WEB website finds that the system is running abnormally and reports a case. In either case, the attacker often finds the server or target host with system vulnerabilities on the Internet through vulnerability scanning technology, directly attacks it or induces users to log in to the website, run the download program, and so on, to hang the horse. First of all, investigators need to investigate the victimization of the system, extract the logs of the invaded system to find scan traces, uploaded active files, registry modification information, and so on. After analysis, the source of the attack was found, and the Trojan horse used by the suspect was obtained [20, 21]. Analyze and test the Trojan horse, and locate the virtual address of the criminal suspect through the receiving address of the returned data packet in the Trojan horse function. Secondly, investigators need to inspect the server that is linked to the horse, and find information related to the criminal suspect in the real society through the rental information and maintenance information of the server [22, 23]. The data packet received on the server records the victim’s situation. The data packet can not only be used as evidence for future prosecution, but also can be used as a clue to find unknown victims in the real society. In this way, some criminal activities that the investigators have not yet mastered will be obtained, and the criminal behavior of the criminal suspect will be further determined.

3.4. Spread and Implant of Trojan Horse Virus

At present, there are two main ways for mobile phone Trojans to spread and implant. The first is to pretend to be a popular mobile phone application and hang on the website to induce users to download and install. The second is to cooperate with copycat mobile phone manufacturers and directly implant it on their mobile ROM [24]. The first method is to spread and implant through network downloads. Mainly take advantage of the lack of security review management loopholes in today’s mobile phone forums, use current popular mobile applications, and use vocabulary such as free version, cracked version, and Chinese version as inducements, and use the psychology of some users not to pay for genuine mobile applications to spread and plant into, such as disguised as QQ landlord, call flipping, mobile phone accelerator, and other applications. The second method is implanting in the ROM of the factory through the copycat mobile phone. Once the user bought this kind of fake mobile phone, he was directly attacked by the Trojan horse after plugging in the SIM card. A large number of mobile phone users suffer from the harm caused by mobile phone Trojan horses [25]. Summary of behavioral characteristics: The first method is actually to induce mobile phone users to manually download and install mobile phone Trojan horses. It is no different from mobile phone users downloading and installing a normal mobile phone application through the Internet. The installed applications are tested [26,27]. The second method is that the mobile phone Trojan has been implanted into the mobile terminal first, so the mobile phone user’s behavior cannot be used to detect its propagation and implantation behavior. After the mobile phone Trojan is successfully implanted in the mobile terminal, it will contact the server, notify the server that the mobile terminal has become the target terminal, and request the server to issue a command [28,29].

3.5. Mobile Phone Trojan Horse Behavior

3.5.1. A Mobile Phone Trojan Horse Is Usually a Virus Program with a Server and a Client

The Trojan horse client program is responsible for performing malicious actions in response to the server’s commands in the mobile terminal, and the remote server is mainly responsible for issuing commands to the client. A typical mobile phone Trojan horse behavior model is shown in Figure 1.

The smart phone communicates with the control terminal through the socket. The computer generates various click commands by clicking on the visual interface, and the Android client analyzes the commands and calls the corresponding operators for command control. This control method is based on the C/S architecture, where the computer is the control device and the Android device is the implanted device. Figure 2 shows the overall control flow.

After the mobile phone Trojans induce users to download and install them to the mobile terminal through various means of propagation, they first complete the initialization work, such as obtaining operation permissions, registering the listener, and running in the background, and then contact the remote server to inform the server that the mobile terminal has been implanted. And wait for the server to issue a command for the next action. After receiving the command issued by the server, the mobile phone Trojan will execute the corresponding action. After completion, it will contact the server again to inform that the command has been executed and wait for the next command.

3.5.2. SMS Command Control Technology

The mobile phone Trojan can also communicate via SMS. The client and the server communicate with each other through command short messages containing special characters or custom keywords as identification. However, this method is not common, mainly because the communication via SMS requires the operator’s SMS service, and the requirements for the server are higher, and the ability to send and receive SMS is required. Its complexity and cost are more than those through the network. The way of communication is higher. The way to check the short message command is to send a short message based on SMS (Short Message Service) and check the command. SMS is a store and forward service. Figure 3 shows the flowchart of saving and forwarding messages. SMS is a store and forward service. That is to say, short messages are not sent directly from sender to receiver, but are always forwarded through the short message service center.

The SMS sent by P1 is received from the base station and then forwarded to the Mobile Switching Center (MSC), and the mobile switching center sends the data to the Short Business Service Center (SMSC). After SMSC receives the message, it will send a confirmation message to the sender to notify them that the message has been received. Finally, the SMS service center forwards the received SMS to the mobile switching center, and the mobile switching center sends the mobile phone P2.

In the final analysis, the entire process of the control terminal controlling the terminal through SMS commands includes three steps: sending SMS instructions, SMS spying, and SMS processing. The control principle diagram is shown as in Figure 4.

The Trojan can determine the encryption algorithm used by adding a format to the additional bits. You can specify the number 5 to indicate the use of RAS encryption to send packet data. As shown in Figure 5, encrypted data can achieve the purpose of restoring information by preventing antivirus software and firewall software from being intercepted.

Figure 5 shows that encrypted data cannot be analyzed by antivirus software. Improve the concealment of data recovery and ensure the normal transmission of data. The unencrypted data is intercepted and cannot be obtained by the control end. Only from the mobile phone Trojan horse client program implanted in the mobile terminal, we can only analyze which malicious behaviors it may have, but we cannot know under what circumstances these malicious behaviors will be executed. If the key parameters of certain malicious behaviors are also distributed through the server, we cannot even analyze what kind of malicious behavior the mobile phone Trojan will perform. For example, there is a network access behavior in the client program, but the specific access address is passed in with the instruction issued by the server as a parameter. Another example is the behavior of sending a text message in the program, but the recipient of the SMS and the content of the SMS are delivered by command from the server. Therefore, only when the mobile phone Trojan runs in an executable environment and can get in normal contact with the server, can it show a complete malicious behavior.

4. Naive Bayes Algorithm Trojan Virus Mining

4.1. Weighted Naive Bayes Algorithm Classification Processing

The idea of the experiment in this paper is to use the idea of rough set attribute reduction to perform attribute reduction, check whether there are attributes and redundant attributes that are not relevant to decision-making, and if so, select the best attribute set and use the naive Bayes method classification; if not, proceed to classification directly. Let A, B, C, D, E, F, and G, respectively, represent setting startup items, hiding, phishing interface, remote thread injection into other processes in the registry, reducing security, binding network ports, and killing other processes. The establishment of the recognizable matrix is shown in Table 1.

The seven different attributes in the experiment are different from the normal inverted triangle and the normal triangle discernibility matrix. The following discernible matrix rows represent Trojan horses and the columns represent normal programs. The kernel attributes obtained are {A, B, C, D, E, F, G}, indicating that there is no redundancy in the data; this core attribute can be used for classification.

4.2. Comparative Analysis of Weighted Naive Bayes Algorithm

The weighted Bayes algorithm is used for learning, but the weighted probability value obtained by learning is optimal, and it is not optimal for different test sets. That is, when the best experience risk is the largest, the confidence range is often relatively low. Therefore, this article weights the different probability values of each attribute in turn, tests the test set data, and selects the optimal value from the test results, which is the weighted parameter value found in this article. According to the abovementioned feature attribute selection method, the feature attributes required by the mobile phone Trojan horse clue mining in this article are obtained, as shown in Table 2.

Among them, method_type records the data submission method used when the mobile phone accesses the data requested by the website, is_connect_flag records whether the person has sent a CONNECT request, is_contain_url records whether the sample contains a URL link, transmit_size records the stream length, protocol_type records the protocol type, receive_or_send records whether the sample is a received file or a sent file, and flowtype records whether the sample is an MMS or a normal file.

The experimental results are shown in Figure 6. After comparing the results, the weighted Bayes classifier has a significantly higher detection accuracy than the naive Bayes algorithm.

The result is shown in Figure 7. After comparing the results, the weighted Bayes classifier has a significantly lower detection false alarm rate than the naive Bayes algorithm.

The result is shown in Figure 8. After comparing the results, the weighted Bayesian classifier has a significantly lower detection false negative rate than the naive Bayes algorithm. This shows that the naive Bayes method assumes that the importance of each conditional attribute to classification is the same is not true.

4.3. Naive Bayesian Classification Algorithm Behavior Feature Extraction

Download 10 Trojans from the hacker base, and put their server side on the experimental machine. For the feature extraction of the sample program, this article mainly focuses on 7 attribute features, such as setting self-starting items in the registry, hiding, whether there is visibility Interface, remotely inject other processes, reduce security, bind ports, and kill other processes. The extraction of behavioral characteristics needs to be carried out under the conditions of the running of the sample program. Through the above three software and the tools for viewing services and processes that come with the system, the behavioral characteristics (shown or hidden) of the sample program during operation can be viewed and analyzed, and the feature library recorded in the sample program is used as the data set of the naive Bayes classifier detection and verification experiment. The feature database of the recorded sample set is shown in Table 3.

4.4. Experimental Analysis of Improved Pattern Search Method

Aiming at the problem of parameter optimization in support vector machines, this paper proposes an improved method based on the pattern search method. First, the grid technique and the quadratic Lagrange difference technique are used to obtain the initial point, and then the obtained initial point is used for the pattern search method. Find the best parameter combination according to the improved pattern search method, and use the cross-validation method to verify. The experimental results are shown in Table 4.

This experiment verifies that the improved algorithm overcomes the local optimal problem of the pattern search method and can obtain the global optimal node. But the algorithm also has the following problems: the basic pattern search method does have a higher requirement for the initial node, and the quality of the initial node plays a vital role in the final result. The improved algorithm has a good effect on the selection of the abovementioned initial points, and the accuracy rate can be at a relatively high level, which reflects the advantages of the improved algorithm in parameter optimization. For example, in the test data, the correct rate achieved by the improved algorithm has reached more than 99%. This article also has areas for improvement. The improved algorithm does not have a theoretical guide to the grid setting problem. When the grid setting is too large, it will degenerate into a basic pattern search method. When the grid setting is too small, it will degenerate into a basic pattern search method, grid search method.

5. Conclusions

With the wide application of smart phones, the information security of mobile phones has become one of the key points that people pay attention to. As one of the key factors affecting mobile phone security, Trojan horse crime has spread rapidly in recent years. Trojan horse crime cases have different manifestations and behavioral characteristics from traditional cases, which bring more difficulties to the public security organs’ investigation and cracking, such as disturbing the social order and network order and even seriously affecting the socialist economic construction. Because the Trojan horse crime case is a new type of case with the development of the Internet, this type of case has the characteristics of low cost, new technology, strong concealment, novel criminal methods, high difficulty in investigation and punishment, and huge benefits. In order to punish such crimes, this paper proposes to use the naive Bayes algorithm to mine the clues of the criminal cases of mobile phone Trojans and detect the mobile phone Trojan virus by extracting the characteristic attributes in the data packets. The accuracy of the search method has been greatly improved. In order to more effectively maintain social stability and development, it is not enough for the investigators to solve the case only by using the professional knowledge of computer crime investigation because the computer network is composed of two levels of human and technology. As the level of technology becomes more and more perfect, in the face of certain cases, it becomes easy for those who use technology to break through the whole link. Effective use of knowledge from other disciplines can give full play to people’s subjective initiative in investigative activities. Collecting a large amount of relevant information is an indispensable prerequisite for applying other integrated disciplines to solving investigative problems.

Data Availability

No data were used to support this study.

Conflicts of Interest

The author declares that there are no conflicts of interest regarding the publication of this article.

References

S. V. Flowerday and T. Tuyikeze, “Information security policy development and implementation: the what, how and who,” Computers & Security, vol. 61, no. aug, pp. 169–183, 2016.
View at: Publisher Site | Google Scholar
A. P. H. D. Gusmo, L. Silva, and M. M. Silva, “Information security risk analysis model using fuzzy decision,” International Journal of Information Management, vol. 36, no. 1, pp. 25–34, 2016.
View at: Google Scholar
C. Rui, J. Liehui, C. Wenzhi, X. Yaobin, and Z. Lu, “A TrustEnclave-based architecture for ensuring run-time security in embedded terminals,” Tsinghua Science and Technology, vol. 05, no. 22, pp. 3–13, 2017.
View at: Google Scholar
N. S. Safa and R. Von Solms, “An information security knowledge sharing model in organizations,” Computers in Human Behavior, vol. 57, no. apr, pp. 442–451, 2016.
View at: Publisher Site | Google Scholar
Y. Mengke, Z. Xiaoguang, Z. Jianqiu, and X. Jianjian, “Challenges and solutions of information security issues in the age of big data,” China Communications, vol. 13, no. 3, pp. 193–202, 2016.
View at: Publisher Site | Google Scholar
L. Hadlington and K. Parsons, “Can cyberloafing and Internet addiction affect organizational information security?” Cyberpsychology, Behavior, and Social Networking, vol. 20, no. 9, pp. 567–571, 2017.
View at: Publisher Site | Google Scholar
G. Spanos and L. Angelis, “The impact of information security events to the stock market: a systematic literature review,” Computers & Security, vol. 58, no. May, pp. 216–229, 2016.
View at: Publisher Site | Google Scholar
M. Tang, M. Li, and Z. Tao, “The impacts of organizational culture on information security culture: a case study,” Information Technology and Management, vol. 17, no. 2, pp. 179–186, 2016.
View at: Google Scholar
W. R. Flores and M. Ekstedt, “Shaping intention to resist social engineering through transformational leadership, information security culture and awareness,” Computers & Security, vol. 59, no. Jun, pp. 26–44, 2016.
View at: Google Scholar
D. Ki-Aries and S. Faily, “Persona-centred information security awareness,” Computers & Security, vol. 70, no. sep, pp. 663–674, 2017.
View at: Publisher Site | Google Scholar
G. Dhillon, R. Syed, and F. d Sá-Soares, “Information security concerns in IT outsourcing: i,” Information & Management, vol. 54, no. 4, pp. 452–464, 2017.
View at: Publisher Site | Google Scholar
A. M. Nia, S. Sur-Kolay, and A. Raghunathan, “Physiological information leakage: a new frontier in health information security,” IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 3, pp. 321–334, 2017.
View at: Google Scholar
Y. Xiuqing, W. Kejin, M. Haiqiang, D. Yungang, W. Lingan, and S. Shihai, “Trojan horse attacks on counterfactual quantum key distribution,” Physics Letters A, vol. 380, no. 18-19, pp. 1589–1592, 2016.
View at: Google Scholar
L. Xu, C. Jiang, and J. Wang, “Information security in big data: privacy and data mining,” IEEE Access, vol. 2, no. 2, pp. 1149–1176, 2017.
View at: Google Scholar
D. S. . Zamierowski, “Embedded “extra” scenario material—babushka doll or trojan horse?” Clinical Simulation in Nursing, vol. 12, no. 11, pp. 473-474, 2016.
View at: Publisher Site | Google Scholar
R. V. Ionescu, “The economic trojan horse is actually a German horse. Acta universitatis danubius,” OEconomica, vol. 12, no. Issue 1, pp. 166–178, 2016.
View at: Google Scholar
L. Chain, “Trojan horse in the war on cancer,” Popular Science, vol. 288, no. 2, p. 26, 2016.
View at: Google Scholar
S. R. Moonesinghe, T. Bashford, and D. Wagstaff, “Implementing risk calculators: time for the Trojan Horse?” British Journal of Anaesthesia, vol. 121, no. 6, pp. 1192–1196, 2018.
View at: Publisher Site | Google Scholar
S. Thomas, “China’s nuclear export drive: Trojan Horse or Marshall Plan?” Energy Policy, vol. 101, no. FEB, pp. 683–691, 2017.
View at: Publisher Site | Google Scholar
E. J. Park, J. Yi, Y. Kim, K. Choi, and K. Park, “Silver nanoparticles induce cytotoxicity by a Trojan-horse type mechanism,” Toxicology in Vitro, vol. 24, no. 3, pp. 872–878, 2010.
View at: Publisher Site | Google Scholar
W. Wang, G. Zhao, X. Dong, and Y. Sun, “Unexpected function of a heptapeptide-conjugated zwitterionic polymer that coassembles into β-amyloid fibrils and eliminates the amyloid cytotoxicity,” ACS Applied Materials & Interfaces, vol. 13, no. 15, pp. 18089–18099, 2021.
View at: Publisher Site | Google Scholar
S. Liu, Z. Hu, X. Peng, Z. Liu, H. N. H. Cheng, and J. Sun, “Mining learning behavioral patterns of students by sequence analysis in cloud classroom,” International Journal of Distance Education Technologies, vol. 15, no. 1, pp. 15–27, 2017.
View at: Publisher Site | Google Scholar
N. Hein, E. Rantou, and P. Schuette, “Comparing methods for clinical investigator site inspection selection: a comparison of site selection methods of investigators in clinical trials,” Journal of Biopharmaceutical Statistics, vol. 29, no. 3, pp. 1–14, 2019.
View at: Google Scholar
X. Han, Jj Kim, and C. K. Kwoh, “Active learning for ontological event extraction incorporating named entity recognition and unknown word handling,” Journal of Biomedical Semantics, vol. 7, no. 1, p. 22, 2016.
View at: Publisher Site | Google Scholar
Y. Zhan, S. Zhou, Y. Li et al., “Using the BITOLA system to identify candidate molecules in the interaction between oral lichen planus and depression,” Behavioural Brain Research, vol. 320, no. Complete, pp. 136–142, 2017.
View at: Publisher Site | Google Scholar
S. Etteieb, S. Magdouli, and M. Zolfaghari, “Monitoring and analysis of selenium as an emerging contaminant in mining industry: a critical review,” The Science of the Total Environment, vol. 698, no. Jan.1, pp. 1343391–13433914, 2020.
View at: Google Scholar
L. Yu, F. Lu, and X. Liu, “A bootstrapping based approach for open geo-entity relation extraction,” Acta Geodaetica et Cartographica Sinica, vol. 45, no. 5, pp. 616–622, 2016.
View at: Google Scholar
T. P. Liu, Y. H. Hong, and P. M. Yang, “In silico and in vitro identification of inhibitory activities of sorafenib on histone deacetylases in hepatocellular carcinoma cells,” Oncotarget, vol. 8, no. 49, pp. 86168–86180, 2017.
View at: Publisher Site | Google Scholar
S. H. Yang, W. D. Maier, B. Godel, S. J. Barnes, E. Hanski, and H. O’Brien, “Parental magma composition of the main zone of the bushveld complex: evidence fromin situLA-ICP-MS trace element analysis of silicate minerals in the cumulate rocks,” Journal of Petrology, vol. 60, no. 2, pp. 359–392, 2019.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Fugang Zhao. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

250

Downloads

388

Citations