基于机器学习算法的主机恶意代码检测技术研究

doi:10.11959/j.issn.2096-109x.2017.00179

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (7): 25-32.doi: 10.11959/j.issn.2096-109x.2017.00179

基于机器学习算法的主机恶意代码检测技术研究

张东,张尧,刘刚,宋桂香

浪潮电子信息产业股份有限公司，北京100085

修回日期:2017-07-02 出版日期:2017-07-01 发布日期:2017-08-01
作者简介:张东（1974-），男，山东威海人，浪潮电子信息产业股份有限公司高级工程师，主要研究方向为系统软件安全。|张尧（1988-），男，湖北襄阳人，博士，浪潮电子信息产业股份有限公司研究员，主要研究方向为网络安全、主机系统安全与应用密码学。|刘刚（1979-），男，四川德阳人，硕士，浪潮电子信息产业股份有限公司工程师，主要研究方向为操作系统安全、可信计算与云安全。|宋桂香（1978-），女，山东郓城人，浪潮电子信息产业股份有限公司工程师，主要研究方向为安全测评。

Research on host malcode detection using machine learning

Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG

Inspur Electronic Information Industry Co.,Ltd,Beijing 100085,China

Revised:2017-07-02 Online:2017-07-01 Published:2017-08-01

摘要/Abstract

摘要：

对机器学习算法下主机恶意代码检测的主流技术途径进行了研究，分别针对静态、动态这2种分析模式下的检测方案进行了讨论，涵盖了恶意代码样本采集、特征提取与选择、机器学习算法分类模型的建立等要点。对机器学习算法下恶意代码检测的未来工作与挑战进行了梳理。为下一代恶意代码检测技术的设计和优化提供了重要的参考。

关键词: 恶意代码检测, 机器学习, 静态分析, 动态分析, 分类模型

Abstract:

Main trends of host malcode detection using machine learning were focused on,and two categories of detection models(namely static analysis and dynamic analysis) were well discussed.Moreover,the critical stages such as malcode samples collection,feature extraction and selection,the construction of machine learning classifiers were considered fully.At last,some future work and challenges in this field were listed.The work can serve as a practical reference for establishing next-generation malcode detection techniques.

Key words: malcode detection, machine learning, static analysis, dynamic analysis, classification model

中图分类号:

TP309

张东,张尧,刘刚,宋桂香. 基于机器学习算法的主机恶意代码检测技术研究[J]. 网络与信息安全学报, 2017, 3(7): 25-32.

Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG. Research on host malcode detection using machine learning[J]. Chinese Journal of Netword and Information Security, 2017, 3(7): 25-32.

图/表 4

参考文献 29

[1]	国家互联网应急中心. 2015年中国互联网网络安全报告[EB/OL]. .
	CNCERT/CC. 2015 China cyber security report[EB/OL]. .
[2]	ZHANG Y , WANG X , PERRIG A ,et al. Tumbler:adaptable link access in the bots-infested Internet[J]. Computer Networks, 2016,105: 180-193.
[3]	360威胁情报中心. 2016中国高级持续性威胁(APT)研究报告[EB/OL]. .
	360 Threat Intelligence Center. 2016 China APT research report[EB/OL]. .
[4]	COHEN P . Models of practical defenses against computer viruses[J]. Computers ＆Security, 1989,8(2): 149-160.
[5]	VirusBulletin[EB/OL]. .
[6]	Open Malware[EB/OL]. .
[7]	VX Heavens[EB/OL]. .
[8]	BAECHER P , KOETTER M , HOLZ T ,et al. The nepenthes platform:an efficient approach to collect malware[C]// The International Symposium on Recent Advances in Intrusion Detection (RAID). 2006: 165-184.
[9]	卡饭论坛[EB/OL]. .
	Kaspersky Forum[EB/OL]. .
[10]	HEX-RAYS SA . IDA pro introduction[EB/OL]. .
[11]	ABOU-ASSALEH T , CERCONE N , KESELJ V ,et al. N-gram-based detection of new malicious code[C]// The 28th Annual International Computer Software and Applications Conference (COMPSAC). 2004: 41-42.
[12]	KOLTER J Z , MALOOF M A . Learning to detect and classify malicious executables in the wild[J]. The Journal of Machine Learning Research, 2006(7): 2721-2744.
[13]	MOSKOVITCH R , STOPEL D , FEHER C ,et al. Unknown malcode detection via text categorization and the imbalance problem[C]// IEEE International Conference on Intelligence and Security Informatics (ISI). 2008: 156-161.
[14]	KARIM M E , WALENSTEIN A , LAKHOTIA A ,et al. Malware phylogeny generation using permutations of code[J]. Journal in Computer Virology, 2005,1(1/2): 13-23.
[15]	SIDDIQUI M , WANG M C , LEE J . Data mining methods for malware detection using instruction sequences[C]// The Artificial Intelligence and Applications (AIA). 2008.
[16]	MOSKOVITCH R , FEHER C , TZACHAR N ,et al. Unknown malcode detection using opcode representation[C]// European Conference on Intelligence and Security Informatics(EuroISI). 2008: 204-215.
[17]	SCHULTZ M G , ESKIN E , ZADOK F ,et al. Data mining methods for detection of new malicious executables[C]// IEEE Symposium on Security and Privacy (S＆P). 2001: 38-49.
[18]	LAI Y , . A feature selection for malicious detection[C]// The 9th International Conference on Software Engineering,Artificial Intelligence,Networking,and Parallel/Distributed Computing. 2008: 365-370.
[19]	DING Y , YUAN X , TANG K ,et al. A fast malware detection algo-rithm based on objective-oriented association mining[J]. Computers ＆Security, 2013,39: 315-324.
[20]	MARICONTI E , ONWUZURIKE L , ANDRIOTIS P ,et al. MA-MADROID:detecting android malware by building Markov chains of behavioral models[C]// The Symposium on Network and Distributed System Security (NDSS). 2017.
[21]	SCHWARTZ E J , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[C]// IEEE Symposium on Security and Privacy (S＆P). 2010: 317-331.
[22]	CHRISTODORESCU M , JHA S , KRUEGEL C . Mining specifications of malicious behavior[C]// The 1st India Software Engineering Conference. 2008: 5-14.
[23]	RIECK K , HOLZ T , WILLEMS C ,et al. Learning and classification of malware behavior[C]// The International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment (DIMVA). 2008: 108-125.
[24]	杨轶, 苏璞睿, 应凌云 ,等. 基于行为依赖特征的恶意代码相似性比较方法[J]. 软件学报, 2011,22(10): 2438-2453.
	YANG Y , SU P , YING L ,et al. Dependency-based malware similarity comparison method[J]. Journal of Software, 2011,22(10): 2438-2453.
[25]	IMRAN M , AFZAL M T , QADIR M A . Malware classification using dynamic features and hidden markov model[J]. Journal of Intelligent ＆Fuzzy Systems, 2016,31(2): 837-847.
[26]	ANDERSON B , QUIST D , NEIL J ,et al. Graph-based malware detection using dynamic analysis[J]. Journal in Computer Virolo-gy, 2011,7(4): 247-258.
[27]	TRINIUS P , WILLEMS C , HOLZ T ,et al. A malware instruction set for behavior-based analysis[C]// The 5th GI Conference on Sicherheit,Schutz und Zuverl assigkeit. 2010: 205-216.
[28]	杨晔 . 基于行为的恶意代码检测方法研究[D]. 西安:西安电子科技大学, 2015.
	YANG Y . Research on detection method of malware based on behavior[D]. Xi’an:Xidian University, 2015.
[29]	HUANG W , STOKES J W . MtNet:a multi-task neural network for dynamic malware classification[C]// The International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment(DIMVA). 2016: 399-418.

基于机器学习算法的主机恶意代码检测技术研究

Research on host malcode detection using machine learning

RichHTML

PDF (PC)

赞

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 29

相关文章 9

Metrics

本文评价

推荐阅读 10

[1]	宋蕾,马春光,段广晗. 机器学习安全及隐私保护研究进展[J]. 网络与信息安全学报, 2018, 4(8): 1-11.
[2]	肖达,刘博寒,崔宝江,王晓晨,张索星. 基于程序基因的恶意程序预测技术[J]. 网络与信息安全学报, 2018, 4(8): 21-30.
[3]	明拓思宇,陈鸿昶. 文本摘要研究进展与趋势[J]. 网络与信息安全学报, 2018, 4(6): 1-10.
[4]	王正琦,冯晓兵,张驰. 基于两层分类器的恶意网页快速检测系统研究[J]. 网络与信息安全学报, 2017, 3(8): 44-60.
[5]	张茜,延志伟,李洪涛,耿光刚. 网络钓鱼欺诈检测技术研究[J]. 网络与信息安全学报, 2017, 3(7): 7-24.
[6]	叶益林,周振吉,洪征,颜慧颖,吴礼发. 基于静态分析的Android应用事件输入生成方法[J]. 网络与信息安全学报, 2017, 3(6): 21-32.
[7]	孙博文,黄炎裔,温俏琨,田斌,吴鹏,李祺. 基于静态多特征融合的恶意软件分类方法[J]. 网络与信息安全学报, 2017, 3(11): 68-76.
[8]	邢月秀,胡爱群,王永剑,赵然. 多维度iOS隐私泄露评估模型研究[J]. 网络与信息安全学报, 2016, 2(4): 73-79.
[9]	陈佳,郭山清. 面向服务端私有Web API的自动发现技术研究[J]. 网络与信息安全学报, 2016, 2(12): 27-38.