基于机器学习算法的主机恶意代码检测技术研究

doi:10.11959/j.issn.2096-109x.2017.00179

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (7): 25-32.doi: 10.11959/j.issn.2096-109x.2017.00179

基于机器学习算法的主机恶意代码检测技术研究

张东,张尧,刘刚,宋桂香

浪潮电子信息产业股份有限公司，北京100085

修回日期:2017-07-02 出版日期:2017-07-01 发布日期:2017-08-01
作者简介:张东（1974-），男，山东威海人，浪潮电子信息产业股份有限公司高级工程师，主要研究方向为系统软件安全。|张尧（1988-），男，湖北襄阳人，博士，浪潮电子信息产业股份有限公司研究员，主要研究方向为网络安全、主机系统安全与应用密码学。|刘刚（1979-），男，四川德阳人，硕士，浪潮电子信息产业股份有限公司工程师，主要研究方向为操作系统安全、可信计算与云安全。|宋桂香（1978-），女，山东郓城人，浪潮电子信息产业股份有限公司工程师，主要研究方向为安全测评。

Research on host malcode detection using machine learning

Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG

Inspur Electronic Information Industry Co.,Ltd,Beijing 100085,China

Revised:2017-07-02 Online:2017-07-01 Published:2017-08-01

摘要/Abstract

摘要：

对机器学习算法下主机恶意代码检测的主流技术途径进行了研究，分别针对静态、动态这2种分析模式下的检测方案进行了讨论，涵盖了恶意代码样本采集、特征提取与选择、机器学习算法分类模型的建立等要点。对机器学习算法下恶意代码检测的未来工作与挑战进行了梳理。为下一代恶意代码检测技术的设计和优化提供了重要的参考。

关键词: 恶意代码检测, 机器学习, 静态分析, 动态分析, 分类模型

Abstract:

Main trends of host malcode detection using machine learning were focused on,and two categories of detection models(namely static analysis and dynamic analysis) were well discussed.Moreover,the critical stages such as malcode samples collection,feature extraction and selection,the construction of machine learning classifiers were considered fully.At last,some future work and challenges in this field were listed.The work can serve as a practical reference for establishing next-generation malcode detection techniques.

Key words: malcode detection, machine learning, static analysis, dynamic analysis, classification model

中图分类号:

TP309

张东,张尧,刘刚,宋桂香. 基于机器学习算法的主机恶意代码检测技术研究[J]. 网络与信息安全学报, 2017, 3(7): 25-32.

Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG. Research on host malcode detection using machine learning[J]. Chinese Journal of Network and Information Security, 2017, 3(7): 25-32.

图/表 4

参考文献 29

[1]	国家互联网应急中心. 2015年中国互联网网络安全报告[EB/OL]. .
	CNCERT/CC. 2015 China cyber security report[EB/OL]. .
[2]	ZHANG Y , WANG X , PERRIG A ,et al. Tumbler:adaptable link access in the bots-infested Internet[J]. Computer Networks, 2016,105: 180-193.
[3]	360威胁情报中心. 2016中国高级持续性威胁(APT)研究报告[EB/OL]. .
	360 Threat Intelligence Center. 2016 China APT research report[EB/OL]. .
[4]	COHEN P . Models of practical defenses against computer viruses[J]. Computers ＆Security, 1989,8(2): 149-160.
[5]	VirusBulletin[EB/OL]. .
[6]	Open Malware[EB/OL]. .
[7]	VX Heavens[EB/OL]. .
[8]	BAECHER P , KOETTER M , HOLZ T ,et al. The nepenthes platform:an efficient approach to collect malware[C]// The International Symposium on Recent Advances in Intrusion Detection (RAID). 2006: 165-184.
[9]	卡饭论坛[EB/OL]. .
	Kaspersky Forum[EB/OL]. .
[10]	HEX-RAYS SA . IDA pro introduction[EB/OL]. .
[11]	ABOU-ASSALEH T , CERCONE N , KESELJ V ,et al. N-gram-based detection of new malicious code[C]// The 28th Annual International Computer Software and Applications Conference (COMPSAC). 2004: 41-42.
[12]	KOLTER J Z , MALOOF M A . Learning to detect and classify malicious executables in the wild[J]. The Journal of Machine Learning Research, 2006(7): 2721-2744.
[13]	MOSKOVITCH R , STOPEL D , FEHER C ,et al. Unknown malcode detection via text categorization and the imbalance problem[C]// IEEE International Conference on Intelligence and Security Informatics (ISI). 2008: 156-161.
[14]	KARIM M E , WALENSTEIN A , LAKHOTIA A ,et al. Malware phylogeny generation using permutations of code[J]. Journal in Computer Virology, 2005,1(1/2): 13-23.
[15]	SIDDIQUI M , WANG M C , LEE J . Data mining methods for malware detection using instruction sequences[C]// The Artificial Intelligence and Applications (AIA). 2008.
[16]	MOSKOVITCH R , FEHER C , TZACHAR N ,et al. Unknown malcode detection using opcode representation[C]// European Conference on Intelligence and Security Informatics(EuroISI). 2008: 204-215.
[17]	SCHULTZ M G , ESKIN E , ZADOK F ,et al. Data mining methods for detection of new malicious executables[C]// IEEE Symposium on Security and Privacy (S＆P). 2001: 38-49.
[18]	LAI Y , . A feature selection for malicious detection[C]// The 9th International Conference on Software Engineering,Artificial Intelligence,Networking,and Parallel/Distributed Computing. 2008: 365-370.
[19]	DING Y , YUAN X , TANG K ,et al. A fast malware detection algo-rithm based on objective-oriented association mining[J]. Computers ＆Security, 2013,39: 315-324.
[20]	MARICONTI E , ONWUZURIKE L , ANDRIOTIS P ,et al. MA-MADROID:detecting android malware by building Markov chains of behavioral models[C]// The Symposium on Network and Distributed System Security (NDSS). 2017.
[21]	SCHWARTZ E J , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[C]// IEEE Symposium on Security and Privacy (S＆P). 2010: 317-331.
[22]	CHRISTODORESCU M , JHA S , KRUEGEL C . Mining specifications of malicious behavior[C]// The 1st India Software Engineering Conference. 2008: 5-14.
[23]	RIECK K , HOLZ T , WILLEMS C ,et al. Learning and classification of malware behavior[C]// The International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment (DIMVA). 2008: 108-125.
[24]	杨轶, 苏璞睿, 应凌云 ,等. 基于行为依赖特征的恶意代码相似性比较方法[J]. 软件学报, 2011,22(10): 2438-2453.
	YANG Y , SU P , YING L ,et al. Dependency-based malware similarity comparison method[J]. Journal of Software, 2011,22(10): 2438-2453.
[25]	IMRAN M , AFZAL M T , QADIR M A . Malware classification using dynamic features and hidden markov model[J]. Journal of Intelligent ＆Fuzzy Systems, 2016,31(2): 837-847.
[26]	ANDERSON B , QUIST D , NEIL J ,et al. Graph-based malware detection using dynamic analysis[J]. Journal in Computer Virolo-gy, 2011,7(4): 247-258.
[27]	TRINIUS P , WILLEMS C , HOLZ T ,et al. A malware instruction set for behavior-based analysis[C]// The 5th GI Conference on Sicherheit,Schutz und Zuverl assigkeit. 2010: 205-216.
[28]	杨晔 . 基于行为的恶意代码检测方法研究[D]. 西安:西安电子科技大学, 2015.
	YANG Y . Research on detection method of malware based on behavior[D]. Xi’an:Xidian University, 2015.
[29]	HUANG W , STOKES J W . MtNet:a multi-task neural network for dynamic malware classification[C]// The International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment(DIMVA). 2016: 399-418.

基于机器学习算法的主机恶意代码检测技术研究

Research on host malcode detection using machine learning

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 29

相关文章 15

编辑推荐

Metrics

本文评价

[1]	张颖君,刘尚奇,杨牧,张海霞,黄克振. 基于日志的异常检测技术综述[J]. 网络与信息安全学报, 2020, 6(6): 1-12.
[2]	周天昱,申文博,杨男子,李金库,秦承刚,喻望. Docker组件间标准输入输出复制的DoS攻击分析[J]. 网络与信息安全学报, 2020, 6(6): 45-56.
[3]	付溪,李晖,赵兴文. 网络钓鱼识别研究综述[J]. 网络与信息安全学报, 2020, 6(5): 1-10.
[4]	超凡,杨智,杜学绘,孙彦. 基于深度神经网络的Android恶意软件检测方法[J]. 网络与信息安全学报, 2020, 6(5): 67-79.
[5]	何康,祝跃飞,刘龙,芦斌,刘彬. 敌对攻击环境下基于移动目标防御的算法稳健性增强方法[J]. 网络与信息安全学报, 2020, 6(4): 67-76.
[6]	袁福祥,刘粉林,刘翀,刘琰,罗向阳. MLAR：面向IP定位的大规模网络别名解析[J]. 网络与信息安全学报, 2020, 6(4): 77-94.
[7]	尹小康,刘鎏,刘龙,刘胜利. PPC和MIPS指令集下二进制代码中函数参数个数的识别方法[J]. 网络与信息安全学报, 2020, 6(4): 95-103.
[8]	骆子铭,许书彬,刘晓东. 基于机器学习的TLS恶意加密流量检测方案[J]. 网络与信息安全学报, 2020, 6(1): 77-83.
[9]	黄伟,刘存才,祁思博. 针对设备端口链路的LSTM网络流量预测与链路拥塞方案[J]. 网络与信息安全学报, 2019, 5(6): 50-57.
[10]	宋蕾, 马春光, 段广晗. 机器学习安全及隐私保护研究进展[J]. 网络与信息安全学报, 2018, 4(8): 1-11.
[11]	肖达,刘博寒,崔宝江,王晓晨,张索星. 基于程序基因的恶意程序预测技术[J]. 网络与信息安全学报, 2018, 4(8): 21-30.
[12]	明拓思宇, 陈鸿昶. 文本摘要研究进展与趋势[J]. 网络与信息安全学报, 2018, 4(6): 1-10.
[13]	王正琦,冯晓兵,张驰. 基于两层分类器的恶意网页快速检测系统研究[J]. 网络与信息安全学报, 2017, 3(8): 44-60.
[14]	张茜,延志伟,李洪涛,耿光刚. 网络钓鱼欺诈检测技术研究[J]. 网络与信息安全学报, 2017, 3(7): 7-24.
[15]	叶益林,周振吉,洪征,颜慧颖,吴礼发. 基于静态分析的Android应用事件输入生成方法[J]. 网络与信息安全学报, 2017, 3(6): 21-32.