Polymorphic malware is a secure menace for application of computer network systems because hacker can evade detection and launch stealthy attacks. In this paper, a novel enhanced automated signature generation (EASG...Polymorphic malware is a secure menace for application of computer network systems because hacker can evade detection and launch stealthy attacks. In this paper, a novel enhanced automated signature generation (EASG) algorithm to detect polymorphic malware is proposed. The EASG algorithm is composed of enhanced-expectation maximum algorithm and enhanced K-means clustering algorithm. In EASG algorithm, the fixed threshold value is replaced by the decision threshold of interval area. The false positive ratio can be controlled at low level, and the iterative operations and the execution time are effectively reduced. Moreover, the centroid updating is realized by application of similarity metric of Mahalanobis distance and incremental learning. Different malware group families are partitioned by the centroid updating.展开更多
基金supported by the National 11th Five-Year-Support-Plan of China under Grant No.2006BAH02A0407the National Research Foundation for the Doctoral Program of Higher Education of China under Grant No.20060614016the National Natural Science Foundation of China under Grant No. 60671033
文摘Polymorphic malware is a secure menace for application of computer network systems because hacker can evade detection and launch stealthy attacks. In this paper, a novel enhanced automated signature generation (EASG) algorithm to detect polymorphic malware is proposed. The EASG algorithm is composed of enhanced-expectation maximum algorithm and enhanced K-means clustering algorithm. In EASG algorithm, the fixed threshold value is replaced by the decision threshold of interval area. The false positive ratio can be controlled at low level, and the iterative operations and the execution time are effectively reduced. Moreover, the centroid updating is realized by application of similarity metric of Mahalanobis distance and incremental learning. Different malware group families are partitioned by the centroid updating.
