基于机器学习算法的主机恶意代码检测技术研究

doi:10.11959/j.issn.2096-109x.2017.00179

摘要/Abstract

摘要：

对机器学习算法下主机恶意代码检测的主流技术途径进行了研究，分别针对静态、动态这2种分析模式下的检测方案进行了讨论，涵盖了恶意代码样本采集、特征提取与选择、机器学习算法分类模型的建立等要点。对机器学习算法下恶意代码检测的未来工作与挑战进行了梳理。为下一代恶意代码检测技术的设计和优化提供了重要的参考。

关键词: 恶意代码检测, 机器学习, 静态分析, 动态分析, 分类模型

Abstract:

Main trends of host malcode detection using machine learning were focused on,and two categories of detection models(namely static analysis and dynamic analysis) were well discussed.Moreover,the critical stages such as malcode samples collection,feature extraction and selection,the construction of machine learning classifiers were considered fully.At last,some future work and challenges in this field were listed.The work can serve as a practical reference for establishing next-generation malcode detection techniques.

Key words: malcode detection, machine learning, static analysis, dynamic analysis, classification model

张东,张尧,刘刚,宋桂香. 基于机器学习算法的主机恶意代码检测技术研究[J]. 网络与信息安全学报, 2017, 3(7): 25-32.

Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG. Research on host malcode detection using machine learning[J]. Chinese Journal of Netword and Information Security, 2017, 3(7): 25-32.

图/表 4

参考文献 29

[1]	国家互联网应急中心. 2015年中国互联网网络安全报告[EB/OL]. .CNCERT/CC. 2015 China cyber security report[EB/OL]. .
[2]	ZHANG Y , WANG X , PERRIG A ,et al. Tumbler:adaptable link access in the bots-infested Internet[J]. Computer Networks, 2016,105: 180-193.
[3]	360威胁情报中心. 2016中国高级持续性威胁(APT)研究报告[EB/OL]. .360 Threat Intelligence Center. 2016 China APT research report[EB/OL]. .
[4]	COHEN P . Models of practical defenses against computer viruses[J]. Computers ＆Security, 1989,8(2): 149-160.
[5]	VirusBulletin[EB/OL]. .
[6]	Open Malware[EB/OL]. .
[7]	VX Heavens[EB/OL]. .
[8]	BAECHER P , KOETTER M , HOLZ T ,et al. The nepenthes platform:an efficient approach to collect malware[C]// The International Symposium on Recent Advances in Intrusion Detection (RAID). 2006: 165-184.
[9]	卡饭论坛[EB/OL]. .Kaspersky Forum[EB/OL]. .
[10]	HEX-RAYS SA . IDA pro introduction[EB/OL]. .
[11]	ABOU-ASSALEH T , CERCONE N , KESELJ V ,et al. N-gram-based detection of new malicious code[C]// The 28th Annual International Computer Software and Applications Conference (COMPSAC). 2004: 41-42.
[12]	KOLTER J Z , MALOOF M A . Learning to detect and classify malicious executables in the wild[J]. The Journal of Machine Learning Research, 2006(7): 2721-2744.
[13]	MOSKOVITCH R , STOPEL D , FEHER C ,et al. Unknown malcode detection via text categorization and the imbalance problem[C]// IEEE International Conference on Intelligence and Security Informatics (ISI). 2008: 156-161.
[14]	KARIM M E , WALENSTEIN A , LAKHOTIA A ,et al. Malware phylogeny generation using permutations of code[J]. Journal in Computer Virology, 2005,1(1/2): 13-23.
[15]	SIDDIQUI M , WANG M C , LEE J . Data mining methods for malware detection using instruction sequences[C]// The Artificial Intelligence and Applications (AIA). 2008.
[16]	MOSKOVITCH R , FEHER C , TZACHAR N ,et al. Unknown malcode detection using opcode representation[C]// European Conference on Intelligence and Security Informatics(EuroISI). 2008: 204-215.
[17]	SCHULTZ M G , ESKIN E , ZADOK F ,et al. Data mining methods for detection of new malicious executables[C]// IEEE Symposium on Security and Privacy (S＆P). 2001: 38-49.
[18]	LAI Y , . A feature selection for malicious detection[C]// The 9th International Conference on Software Engineering,Artificial Intelligence,Networking,and Parallel/Distributed Computing. 2008: 365-370.
[19]	DING Y , YUAN X , TANG K ,et al. A fast malware detection algo-rithm based on objective-oriented association mining[J]. Computers ＆Security, 2013,39: 315-324.
[20]	MARICONTI E , ONWUZURIKE L , ANDRIOTIS P ,et al. MA-MADROID:detecting android malware by building Markov chains of behavioral models[C]// The Symposium on Network and Distributed System Security (NDSS). 2017.
[21]	SCHWARTZ E J , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[C]// IEEE Symposium on Security and Privacy (S＆P). 2010: 317-331.
[22]	CHRISTODORESCU M , JHA S , KRUEGEL C . Mining specifications of malicious behavior[C]// The 1st India Software Engineering Conference. 2008: 5-14.
[23]	RIECK K , HOLZ T , WILLEMS C ,et al. Learning and classification of malware behavior[C]// The International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment (DIMVA). 2008: 108-125.
[24]	杨轶, 苏璞睿, 应凌云 ,等. 基于行为依赖特征的恶意代码相似性比较方法[J]. 软件学报, 2011,22(10): 2438-2453. YANG Y , SU P , YING L ,et al. Dependency-based malware similarity comparison method[J]. Journal of Software, 2011,22(10): 2438-2453.
[25]	IMRAN M , AFZAL M T , QADIR M A . Malware classification using dynamic features and hidden markov model[J]. Journal of Intelligent ＆Fuzzy Systems, 2016,31(2): 837-847.
[26]	ANDERSON B , QUIST D , NEIL J ,et al. Graph-based malware detection using dynamic analysis[J]. Journal in Computer Virolo-gy, 2011,7(4): 247-258.
[27]	TRINIUS P , WILLEMS C , HOLZ T ,et al. A malware instruction set for behavior-based analysis[C]// The 5th GI Conference on Sicherheit,Schutz und Zuverl assigkeit. 2010: 205-216.
[28]	杨晔 . 基于行为的恶意代码检测方法研究[D]. 西安:西安电子科技大学, 2015. YANG Y . Research on detection method of malware based on behavior[D]. Xi’an:Xidian University, 2015.
[29]	HUANG W , STOKES J W . MtNet:a multi-task neural network for dynamic malware classification[C]// The International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment(DIMVA). 2016: 399-418.