Introduction and summary of the corresponding
The first paragraph: significance of the study
The second paragraph: Existing Problems: word - "passage -" related work
Third paragraph: how their solutions to problems raised by the previous paragraph, what innovation is that?
Digital Investigation
Tsinghua Science and Technology
Journal:
the Data & Knowledge Engineering
Abstract: What is the problem, we propose any way, experimental results show the effect.
1 Introduction: questions about the problem, what with the way Document 1, Document 2, with what way, what problems, this paper proposes ** way, effective and feasible.
3 model problem: The application now is what kind of process, make clear, a flow chart can be made for certain process, what problem, what solution can be used. The proposed approach can be a good solution. How to solve, how to design, write about.
Own method 3: how to design, the data structure of the innovation, to write specific data structure in the design, and must be combined with their applications, the design of a data structure of information data is as follows, for doing ** represents dry Well. If the algorithm, the model can draw their own processes, how to how to use. It is important to be able to set their own word application, try to write on, so can reflect your stuff indeed applied to practice, rather than a random series.
4 specific algorithms or operations: specific instructions, your application must be set up, in certain applications, in which the process of what, how specific applications. Of course, on a clear explanation, this section can not, as the case may be their stuff into a two.
(Three or more depending on the particular circumstances, combined and separated)
5 Theoretical analysis: why their approach feasible, and other comparative analysis.
6 Results: can be simulated experiment, comparison, the comparison chart, the proposed approach is indeed feasible and effective.
17年12月 Android Malware Detection using Deep Learning on API Method Sequences
DEX files acquired by the API function sequence encoded using a convolutional neural network classification, and classification can be two multi-classification, F1-score 96% -99%, FPR = 0.06% -2%.
ps my article and feature extraction approach is very similar, but it can only do binary and multi-classification, has no explanatory.
API API is the sequence of its acquisition sequence in each function; I was wandering API sequence multiple functions in the function call graph, to better reflect the static structure of the software.
On 18 October the 26th European Signal Processing Conference (EUSIPCO '18) Explaining Black-box Android Malware Detection
Other work: around the point x is calculated linear approximation of the input transmission information is useful, for explaining the learning algorithm [3], [14] provided by the local prediction. The basic idea is to determine the local gradient and rf (x) of the maximum (absolute) value characterized in that the most influential related, i.e., associated with the class prediction confidence f. However, in the case of sparse data, for Android malware, these methods often identified a number of influential characteristics in a given application program does not exist, so that the corresponding predicted difficult to interpret.
Reference data for use in vitro evaluation fragile, using gradient-based methods to identify the most influential local features (assuming more important features of the larger gradient).
Innovation: previous interpretation gradient-based methods difficult to interpret sparse data, as used herein 
, 
where x is the input feature, inverted triangle f (x) wherein x represents the corresponding gradient, r represents the influence of the corresponding feature x. This calculation facilitate interpretation sparse data, we can ensure that when x is empty, the corresponding impact is zero ..
Meanwhile, the paper proposes a method based on the overall interpretation of the method, the r value by a simple average of the different samples, global feature recognition of the most influential of these described features and benign malware samples.
For non-differential model, the paper also presents an approximate method.
2018 International Conference on Computing and Artificial Intelligence Proceedings Effective and Explainable Detection of Android Malware based on Machine Learning Algorithms
Abstract: In this paper, we introduce two methods of machine learning support for static analysis android malware. The first method is based on static analysis, probability and statistics to find content by reducing the uncertainty of information. Based on the present data set, the feature extraction method is proposed. Both methods are high-dimensional data into low-dimensional data to reduce the dimension of feature extraction and uncertainty. During the training phase, the complexity is reduced by 16.7%, the ability to detect unknown malware family has been improved.
Nature of the problem 19 April IEEE constructed to detect malicious Android applications, classification and direction
https://www.cnblogs.com/yvlian/p/11865264.html
On May 19 Computer Research and Development Summary of machine learning model interpretability methods, applications and security research
19年6月 Don’t Paint It Black: White-Box Explanations for Deep Learning in Computer Security
White box is explained in more concise, sparse, complete and more efficient than the black box to explain.
Network architecture in the field of security generally: NLP, CNN, RNN.
Explain the method:
1) and integrated gradient gradient: Calcd or changing the size of the input gradient to see change in the output
2) are hierarchically associated propagation (LRP) and the depth of excavation: using the back-propagation of high relevance scores propagated recursively propagated up to the lower level the input layer (also support before, convolution, rnn). The former has such constraints, ril represents neuron i l correlation layer 
; this latter refinement constraint:
[epsilon] -rule ->
, given to the correlation characteristics should equal the output y, y 'difference;
z-rule-> LRP and closely related constraints.
3) PatternNet and PatternAttribution (not applicable RNN)
PatternNet: determining a gradient and using the "direction information" instead of the network weights;
PatternAttribution: LRP-based framework for explaining calculation of the output "root point" 0's.
4) DeConvNet and GuidedBackProp (only applies to CNN)
Given output y, reconstruction of the input x, i.e., back to the input to output mapping.
. 5) the CAM, GradCAM, GradCAM ++ (only applies to the last layer is a layer CNN convolution)
by estimating the convolution output CNN last layer and global pool of calculating the average correlation score. Re-classification is modeled as the last layer of the activation value and a linear combination of weights.
6) RTIS, MASK (only applied to the image data)
Score is calculated by optimizing the correlation mask m.
, Using a sparse mask m, determine the relevant characteristics of the input x.
7)LIME和KernalSHAP
Assumed model is a nonlinear function f. Added to the input value x by a number of disturbance on the x1, x2, ... xL, by f (xi) = yi to give a series of points (xi, yi), can be modeled a linear regression model G ( x) as f x at the local approximation. 
8)LEMNA
Mixed regression model as target function f local approximation.
https://www.cnblogs.com/yvlian/p/11816658.html
This article also includes a sample intuitive performance limitations of the black box, that could learn some illusion:
1709.06182A Survey of Machine Learning for Big Code and Naturalness
代码的许多方面,e.g.名称、格式、方法名的词法顺序,对程序语义没有影响,这正是在大多数程序分析中抽象它们的原因,但是为什么代码的统计属性如此重要呢?本文提出一种假说——自然假说:软件是人类交流的一种形式;软件语料库与自然语言语料库具有相似的统计特性;这些特性可以用来构建更好的软件工程工具。(p.s. 利用人类交流的统计数据是一种成熟有效的技术,应用广泛——Dan Jurafsky. 2000. Speech & Language Processing (3 ed.). Pearson Education. )
代码和自然语言的相似之处和不同点