基于改进SOINN算法的恶意软件增量检测方法

Malware detection approach based on improved SOINN

针对基于批量学习的恶意软件检测方法存在检测模型动态更新困难、运算存储开销大的问题,将改进的SOINN算法与有监督分类器有机结合,利用SOINN算法的增量学习特性赋予恶意软件检测模型动态更新能力,有效降低运算存储开销。首先对SOINN算法进行改进:在SOINN算法竞争学习周期内,根据全排列思想搜索所有样本输入次序下神经元的权重调节量,计算所有权重调节量的平均值作为神经元最终权重调节量,避免不同样本输入次序影响训练所得神经网络的稳定性,使所得神经网络更能反映原始数据本质特征,从而提高神经网络针对恶意软件检测的精度。然后采用非负矩阵分解和Z-score归一化对数据进行预处理,将恶意软件行为特征向量从高维高数量级转换至低维低数量级,在提高检测速度的同时有效降低高数量级维度对特征学习的不利影响,进一步提高检测准确性。实验结果表明,所提方法支持检测模型动态更新,对未知新样本的检测准确率显著高于传统检测方法,且运算存储开销更小。

To deal with the problems of dynamic update of detection model and high computation costs in malware detection model based on batch learning, a novel malware detection approach is proposed by combing SOINN and supervised classifiers, to reduce computation costs and enable the detection model to update dynamically with the assistance of SOINN′s incremental learning characteristic. Firstly, the improved SOINN was given. According to the whole alignment algorithm, search the adjusted weights of neurons under all input sequences in the learning cycle and then calculate the average value of all adjusted weights as the final result, to avoid SOINN′s stability under different input sequences and representativeness of original data, therefore improve malware detection accuracy. Then a data preprocessing algorithm was proposed based on nonnegative matrix factor and Z-score normalization to transfer the malware behavior feature vector from high dimension and high order to low dimension and low order, to speed up and avoid overfitting and further improve detection accuracy. The results of experiments show that proposed approach supports dynamic updating of detection model and has a significantly higher accuracy of detecting unknown new samples and lower computation costs than tradition methods.