基于支持向量机的恶意软件行为评估系统

doi:10.11772/j.issn.1001-9081.2015.04.0972

计算机应用 ›› 2015, Vol. 35 ›› Issue (4): 972-976.DOI: 10.11772/j.issn.1001-9081.2015.04.0972

基于支持向量机的恶意软件行为评估系统

欧阳博宇, 刘新, 徐婵, 吴建, 安晓

湘潭大学信息工程学院, 湖南湘潭 411105

收稿日期:2014-11-04 修回日期:2014-12-30 出版日期:2015-04-10 发布日期:2015-04-08
通讯作者: 刘新
作者简介:欧阳博宇(1989-),男,湖南湘潭人,硕士研究生,CCF会员,主要研究方向:信息安全; 刘新(1975-),男,湖南湘潭人,副教授,博士,CCF会员,主要研究方向:信息安全、社会计算; 徐婵(1988-),女,湖南衡阳人,硕士研究生,CCF会员,主要研究方向:信息安全;吴建(1990-),男,湖南常德人,硕士研究生,CCF会员,主要研究方向:信息安全; 安晓(1990-),女,河南南阳人,硕士研究生,CCF会员,主要研究方向:信息检索。
基金资助:
湖南省自然科学基金资助项目(12JJ3066);教育部重点实验室开放课题基金资助项目(2013IM02);湖南省"十二五"重点学科建设基金资助项目。

Malware behavior assessment system based on support vector machine

OUYANG Boyu, LIU Xin, XU Chan, WU Jian, AN Xiao

College of Information Engineering, Xiangtan University, Xiangtan Hunan 411105, China

Received:2014-11-04 Revised:2014-12-30 Online:2015-04-10 Published:2015-04-08

摘要/Abstract

摘要：

为解决恶意软件行为分析系统中分类准确率较低的问题,提出了一种基于支持向量机(SVM)的恶意软件分类方法。首先人工建立了一个以软件行为结果作为特征的危险行为库;然后捕获软件所有行为,并与危险行为库进行匹配,通过样本转换算法将匹配结果变成适合SVM处理的数据,再利用SVM进行分类。在SVM模型、核函数以及参数对(C,g)的选择方面先进行理论分析确定大致范围,再使用网格搜索和遗传算法(GA)相结合的方式进行寻优。为验证所提恶意软件分类方法的有效性,设计了一个基于SVM模型的恶意软件行为评估系统。实验结果表明,该系统的误报率和漏报率分别为5.52%和3.04%,比K近邻(KNN)、朴素贝叶斯(NB)算法更好,与反向传播(BP)神经网络相当,但比BP神经网络的训练和分类效率更高。

关键词: 恶意软件, 支持向量机, 遗传算法, 行为评估

Abstract:

Aiming at the problem that the classification accuracy in malware behavior analysis system was low,a malware classification method based on Support Vector Machine (SVM) was proposed. First, the risk behavior library which used software behavior results as characteristics was established manually. Then all of the software behaviors were captured and matched with the risk behavior library, and the matching results were converted to data suitable for SVM training through the conversion algorithm. In the selection of the SVM model, kernel function and parameters (C,g), a method combining the grid search and Genetic Algorithm (GA) was used to search optimization after theoretical analysis. A malware behavior assessment system based on SVM classification model was designed to verify the effectiveness of the proposed malware classification method. The experiments show that the false positive rate and false negative rate of the system were 5.52% and 3.04% respectively. It means that the proposed method outperforms K-Nearest Neighbor (KNN) and Naive Bayes (NB); its performance is at the same level with the BP neural network, however, it has a higer efficiency in training and classification.

Key words: malware, Support Vector Machine (SVM), Genetic Algorithm(GA), behavior evaluation

中图分类号:

TP309.5

欧阳博宇, 刘新, 徐婵, 吴建, 安晓. 基于支持向量机的恶意软件行为评估系统[J]. 计算机应用, 2015, 35(4): 972-976.

OUYANG Boyu, LIU Xin, XU Chan, WU Jian, AN Xiao. Malware behavior assessment system based on support vector machine[J]. Journal of Computer Applications, 2015, 35(4): 972-976.

参考文献

[1] National Internet Emergency Center. 2013 China Internet network security situation comprehensive[EB/OL]. [2014-06-03]. http://www.cert.org.cn/publish/main/46/2014/20140603151551324 380013/20140603151551324380013.html.(国家互联网应急中心. 2013年中国互联网网络安全态势综[EB/OL].[2014-06-03]. http://www.cert.org.cn/publish/main/46/2014/201406031 51551324380013/20140603151551324380013.html.)
[2] LI Y. Malicious code detection and behavior analysis[D]. Xi'an:Xidian University,2010.(李阳.恶意代码检测及其行为分析[D].西安:西安电子科技大学,2010.)
[3] SANTOS I, BREZO F, UGARTE-PEDRERO X, et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences,2013,231:64-82.
[4] WANG R, FENG D, YANG Y, et al. Semantics-based malware behavior signature extraction and detection method[J]. Journal of Software,2012,23(2):378-393.(王蕊,冯登国,杨轶,等.基于语义的恶意代码行为特征提取及检测方法[J].软件学报,2012,23(2):378-393.)
[5] NAKAZATO J, SONG J, ETO M. A novel malware clustering method using frequency of function call traces in parallel threads[J]. IEICE Transactions on Information and Systems,2011,E94-D(11):2150-2158.
[6] QI S. Research into malware classification and detection based on instruction analysis[D]. Hangzhou: Hangzhou Dianzi University,2012.(戚树慧. 基于指令分析的恶意代码分类与检测研究[D]. 杭州:杭州电子科技大学,2012.)
[7] ZHANG C. A research on engine of behavior-based detection of malicious code technology[D]. Beijing: Beijing University of Posts and Telecommunications,2012.(张程. 基于行为检测的恶意代码查杀引擎技术研究[D]. 北京:北京邮电大学,2012.)
[8] WANG S, ZHOU J, PENG B. Unknown virus detection based on API sequence and support vector machine[J]. Journal of Computer Applications,2007,27(8):1942-1943.(王硕,周激流,彭博. 基于API序列分析和支持向量机的未知病毒检测[J].计算机应用,2007,27(8):1942-1943.)
[9] ZHANG B, YIN J, HAO J. Using RS and SVM to detect new malicious executable codes[C]// Proceedings of the First International Conference on Rough Sets and Knowledge Technology, LNCS 4062. Berlin: Springer-Verlag, 2006:574-579.
[10] ZHANG X, GU C, LIN J. Windows-hosted intrusion detection system based on support vector machines[J]. Journal of East China University of Science and Technology: Natural Science,2006,32(3):341-345.(张雪芹,顾春华,林家骏. 基于支持向量机的Windows主机入侵检测系统[J]. 华东理工大学学报:自然科学版,2006,32(3):341-345)
[11] LI H. Statistical learning methods[M]. Beijing:Tsinghua University Press,2012.(李航. 统计学习方法[M]. 北京:清华大学出版社, 2012.)
[12] DAI H. Application of support vector machine in intrusion detection[J]. Computer Engineering,2012,38(4):143-145.(代红. 支持向量机在入侵检测中的应用[J].计算机工程, 2012,38(4):143-145.)
[13] XU C, LIU X, WU J, et al. Software behavior evaluation system based on BP neural network[J]. Computer Engineering,2014,40(9):149-154.(徐婵,刘新,吴建,等. 基于BP神经网络的软件行为评估系统[J]. 计算机工程,2014,40(9):149-154.)
[14] LIN C. LIBSVM[EB/CP].[2014-05-01]. http://www.csie.ntu.edu.tw/~cjlin/libsvm/Index.html.)
[15] XIE L, ZHANG T, ZHAO B. Dual kernel support vector machine optimized by particle swarm optimization algorithm and its application[J]. Journal of Vibration, Measurement and Diagnosis,2011,34(3):565-569.(聂立新,张天侠,赵波. 粒子群算法优化双核支持向量机及应用[J]. 振动测试与诊断,2011,34(3):565-569.)
[16] DONG C, RAO X, YANG S, et al. Method for selecting the parameters of support vector machines[J]. Systems Engineering and Electronics,2004,26(8):1117-1120.(董春曦,饶鲜,杨绍全,等. 支持向量机参数选择方法研究[J].系统工程与电子技术,2004,26(8):1117-1120.)
[17] YANG L, HE G. Support vector machine fault diagnosis method based on improved particle swarm optimization[J]. Computer Engineering,2013,39(3):187-190,196.(杨柳松,何光宇. 基于改进粒子群优化的SVM故障诊断方法[J]. 计算机工程,2013,39(3):187-190,196.)
[18] LIN C. A practical guide to support vector classification [EB/OL].[2014-05-01].http://www.csie.ntu.edu.tw/~cjlin/papers/guide/guide.pdf.
[19] CHEN G, WANG X, ZHUANG Z, et al. Genetic algorithm and its application[M]. Beijing: Posts and Telecom Press,2001.(陈国良,王煦法,庄镇泉,等. 遗传算法及其应用[M].北京:人民邮电出版社,2001.)

基于支持向量机的恶意软件行为评估系统

Malware behavior assessment system based on support vector machine

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	张闻强, 邢征, 杨卫东. 基于多区域采样策略的混合粒子群优化求解多目标柔性作业车间调度问题[J]. 计算机应用, 2021, 41(8): 2249-2257.
[2]	张盟, 郭健全. 需求和回收不确定的闭环供应链渠道结构选择[J]. 计算机应用, 2021, 41(7): 2100-2107.
[3]	杨震, 马健霄, 王宝杰. 设置待行区条件下双环相位信号配时优化模型[J]. 计算机应用, 2021, 41(7): 2108-2112.
[4]	李进, 王凤, 杨沈宇. 换电模式下电动车货运路径优化模型与算法[J]. 计算机应用, 2021, 41(6): 1792-1798.
[5]	李舒仪, 韩晓龙. 海铁联运港口混合作业模式下轨道吊与集卡协同调度[J]. 计算机应用, 2021, 41(5): 1506-1513.
[6]	贾鹤鸣, 姜子超, 李瑶, 孙康健. 基于改进斑点鬣狗优化算法的同步优化特征选择[J]. 计算机应用, 2021, 41(5): 1290-1298.
[7]	周美玲, 陈淮莉. 基于负荷平衡的电动汽车模糊多目标充电调度算法[J]. 计算机应用, 2021, 41(4): 1192-1198.
[8]	王彬溶, 谭代伦, 郑伯川. 基于旅行商问题转化和遗传算法求解汽配件喷涂顺序[J]. 计算机应用, 2021, 41(3): 881-886.
[9]	马晓梅, 何非. 基于改进遗传算法的标签印刷生产调度技术[J]. 计算机应用, 2021, 41(3): 860-866.
[10]	袁芊芊, 邓洪敏, 王晓航. 基于超像素快速模糊C均值聚类与支持向量机的柑橘病虫害区域分割[J]. 计算机应用, 2021, 41(2): 563-570.
[11]	黄书召, 田军委, 乔路, 王沁, 苏宇. 基于改进遗传算法的无人机路径规划[J]. 计算机应用, 2021, 41(2): 390-397.
[12]	李凯, 李洁. 基于pinball损失的结构模糊多分类支持向量机算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3104-3112.
[13]	张阳, 王小宁. 基于Word2Vec词嵌入和高维生物基因选择遗传算法的文本特征选择方法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3151-3155.
[14]	杨华龙, 王美玉, 辛禹辰. 横向整合战略下异质车辆库存路径优化模型[J]. 计算机应用, 2021, 41(10): 3040-3048.
[15]	黄晓祥, 胡咏梅, 吴丹, 任力杰. 基于变分自编码器的异常颈动脉早期识别和预测[J]. 计算机应用, 2021, 41(10): 3082-3088.