###
Journal of Software:2017.28(2):384-397

一种基于主动学习的恶意代码检测方法
毛蔚轩,蔡忠闽,童力
(智能网络与网络安全教育部重点实验室(西安交通大学), 陕西 西安 710049)
Malware Detection Method Based on Active Learning
MAO Wei-Xuan,CAI Zhong-Min,TONG Li
(Key Laboratory for Intelligent and Network Security, Ministry of Education(Xi'an Jiaotong University), Xi'an 710049, China)
Abstract
Chart / table
Reference
Similar Articles
Article :Browse 2227   Download 1829
Received:December 28, 2015    Revised:March 03, 2016
> 中文摘要: 现有恶意代码的检测往往依赖于对足够数量样本的分析.然而新型恶意代码大量涌现,其出现之初,样本数量有限,现有方法无法迅速检测出新型恶意代码及其变种.在数据流依赖网络中分析进程访问行为异常度与相似度,引入了恶意代码检测估计风险,并提出一种通过最小化估计风险实现主动学习的恶意代码检测方法.该方法只需要很少比例的训练样本即可实现准确的恶意代码检测,比现有方法更适用于新型恶意代码检测.通过对真实的8 340个正常进程和7 257个恶意代码进程的实验分析,与传统基于统计分类器的检测方法相比,该方法明显地提升了恶意代码检测效果.即便在训练样本仅为总体样本数量1%的情况下,该方法也可以达到5.55%的错误率水平,比传统方法降低了36.5%.
Abstract:Existing techniques of malware detection depend on observations of sufficient malware samples. However, only a few samples can be obtained when a novel malware first appears in the World Wide Web, which brings challenges to detect novel malware and its variants. This paper studies the anomaly and similarity of processes with respect to their access behaviors under data flow dependency network, and defines estimated risk for malware detection. Furthermore, the study proposes a malware detection method based on active learning by minimizing the estimated risk. This method achieves encouraging performance even with small samples, and is applicable to defending against rapidly increasing novel malware. Experimental results on a real-world dataset, which consists of access behaviors of 8 340 benign and 7 257 malicious processes, demonstrate better performance of the presented method than traditional malware detection method based on statistical classifier. Even with only 1% known samples, the new method achieves 5.55% error rate, which is 36.5% lower than the error rate of traditional statistical classifier based method.
文章编号:     中图分类号:    文献标志码:
基金项目:国家自然科学基金(61175039,61221063,61375040);陕西省国际合作重点项目(2013KW11);中央高校基本科研业务费专项资金(2012jdhz08) 国家自然科学基金(61175039,61221063,61375040);陕西省国际合作重点项目(2013KW11);中央高校基本科研业务费专项资金(2012jdhz08)
Foundation items:National Natural Science Foundation of China (61175039, 61221063, 61375040); International Research Collaboration Project of Shaanxi Province (2013KW11); Fundamental Research Funds for Central Universities (2012jdhz08)
Reference text:

毛蔚轩,蔡忠闽,童力.一种基于主动学习的恶意代码检测方法.软件学报,2017,28(2):384-397

MAO Wei-Xuan,CAI Zhong-Min,TONG Li.Malware Detection Method Based on Active Learning.Journal of Software,2017,28(2):384-397