基于机器学习的内核恶意程序检测研究与实现

Research and Implementation of Kernel Malicious Code Detection Based on Machine Learning

随着计算机科学的发展,世界对计算机的依赖越来越强,计算机安全也越来越重要,恶意代码是计算机安全面临的最大敌人.针对传统的恶意代码检测和分析技术在现在已经无法满足需求的问题,提出使用机器学习并应用新的分类特征来识别恶意程序,并且对他们进行初级的家族分类,指出以往机器学习在恶意代码检测和分类上的不足,筛选出更好的区分特征.首先使用了n-gram算法来优化恶意代码反汇编代码中的操作码特征,然后使用词袋模型和TF-IDF算法优化API调用特征,最后编程实现模型并使用数据集进行了模型的训练和测试.实验中使用决策树算法的模型的分类准确率上达到了87.41%,使用随机森林算法的模型的分类准确率上达到了90.06%,实验结果表明提出的特征相比以往在恶意代码检测分类上应用的特征有着更好的效果.

With the development of computer science,the world is becoming more and more dependent on computers,and computer security is becoming more and more important.Malicious code is the biggest enemy of computer security.In this paper,a new method was proposed based on machine learning and new classification features to identify malicious programs,make a preliminary family classification of them,point out some shortcomings of previous machine learning in malicious code detection and classification,and screen out better distinguishing features.Firstly,n-gram algorithm was used to optimize the opcode characteristics in the disassembly code of malicious code.And then a Bag of Words model and TF-IDF algorithm were used to optimize the API call characteristics.Finally,a model was programmed and the data set was used to train and test the model.In the experiment,the classification accuracy of the model with decision tree algorithm can reach 87.41%,and the classification accuracy of the model with random forest algorithm can reach 90.06%.The experimental results show that,compared with others presented in the detection and classification of malicious code,the features of proposed method can achieve a better effect.