摘要
针对恶意样本行为分析,该文提出了一种组合机器学习框架,首先对应用程序编程接口(application programming interface,API)序列中调用的依赖关系进行功能层面上的分析,提取特征,使用随机森林进行检测;其次利用深度学习中的循环神经网络处理时间序列数据的特性,在冗余信息预处理的基础上,直接对序列进行学习和检测;最后对2种方法进行了组合。在恶意软件样本上进行的实验结果表明:2种方法均可有效检测恶意样本,但是组合学习的效果更优,AUC(area under the curve of ROC)达到99.3%,优于现有的类似研究结果。
This paper presents a combined machine learning framework for malware behavior analyses. One part of the framework analyzes the dependency relation in the API call sequence at the functional level to extract features to train and classify a random forest.The other part uses a recurrent neural network(RNN)to study the API sequence to identify malware with redundant information preprocessing using the RNN time series forecasting ability.Tests on a malware dataset show that both methods can effectively detect malwares.However,the combined framework is better with an AUC of 99.3%.
作者
芦效峰
蒋方朔
周箫
崔宝江
伊胜伟
沙晶
LU Xiaofeng;JIANG Fangshuo;ZHOU Xiao;CUI Baojiang;YI Shengwei;SHA Jing(School of Cyberspace Security, Beijing University of Post and Telecommunications, Beijing 100876, China;China Information Technology Security Evaluation Center, Beijing 100085, China;The Third Research Institute of Ministry of Public Security, Shanghai 201204, China)
出处
《清华大学学报(自然科学版)》
EI
CAS
CSCD
北大核心
2018年第5期500-508,共9页
Journal of Tsinghua University(Science and Technology)
基金
国家自然科学基金资助项目(61472046,U1536122)
信息网络安全公安部重点实验室开放课题项目(C17607)
北京市科协“金桥工程种子资金”项目
中国计算机学会-绿盟科技鲲鹏基金项目(CCF-NSFOUS 2017006)
关键词
计算机病毒与防治
恶意样本检测
机器学习
深度学习
调用序列
computer virus and prevention
malware classification
machine learning
deep learning
call sequence
