一种基于主动学习的恶意代码检测方法
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

国家自然科学基金(61175039,61221063,61375040);陕西省国际合作重点项目(2013KW11);中央高校基本科研业务费专项资金(2012jdhz08)


Malware Detection Method Based on Active Learning
Author:
Affiliation:

Fund Project:

National Natural Science Foundation of China (61175039, 61221063, 61375040); International Research Collaboration Project of Shaanxi Province (2013KW11); Fundamental Research Funds for Central Universities (2012jdhz08)

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    现有恶意代码的检测往往依赖于对足够数量样本的分析.然而新型恶意代码大量涌现,其出现之初,样本数量有限,现有方法无法迅速检测出新型恶意代码及其变种.在数据流依赖网络中分析进程访问行为异常度与相似度,引入了恶意代码检测估计风险,并提出一种通过最小化估计风险实现主动学习的恶意代码检测方法.该方法只需要很少比例的训练样本即可实现准确的恶意代码检测,比现有方法更适用于新型恶意代码检测.通过对真实的8 340个正常进程和7 257个恶意代码进程的实验分析,与传统基于统计分类器的检测方法相比,该方法明显地提升了恶意代码检测效果.即便在训练样本仅为总体样本数量1%的情况下,该方法也可以达到5.55%的错误率水平,比传统方法降低了36.5%.

    Abstract:

    Existing techniques of malware detection depend on observations of sufficient malware samples. However, only a few samples can be obtained when a novel malware first appears in the World Wide Web, which brings challenges to detect novel malware and its variants. This paper studies the anomaly and similarity of processes with respect to their access behaviors under data flow dependency network, and defines estimated risk for malware detection. Furthermore, the study proposes a malware detection method based on active learning by minimizing the estimated risk. This method achieves encouraging performance even with small samples, and is applicable to defending against rapidly increasing novel malware. Experimental results on a real-world dataset, which consists of access behaviors of 8 340 benign and 7 257 malicious processes, demonstrate better performance of the presented method than traditional malware detection method based on statistical classifier. Even with only 1% known samples, the new method achieves 5.55% error rate, which is 36.5% lower than the error rate of traditional statistical classifier based method.

    参考文献
    相似文献
    引证文献
引用本文

毛蔚轩,蔡忠闽,童力.一种基于主动学习的恶意代码检测方法.软件学报,2017,28(2):384-397

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2015-12-28
  • 最后修改日期:2016-03-03
  • 录用日期:
  • 在线发布日期: 2017-01-24
  • 出版日期:
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号