AdaBoost恶意程序行为检测新算法

doi:10.3969/j.issn.1001-2400.2013.06.021

Abstract

Abstract:

We present a new algorithm for abstracting features of a program from its API calls, network packages and static analysis characteristics. API calls are aggregated by a low level data dependence analysis to form the abstract behaviors．Network packages and static analysis characteristics are directly utilized as discrete value features．All of these abstract features are then embedded in a high dimension vector space. Besides, we further design a new behavior-based malware classification algorithm, which advances the AdaBoost boosted decision tree algorithm. Firstly, the new algorithm optimizes an anti-noise loss function to lower the probability of the noise data to train the next classifier, and thus improves the anti-noise ability of the AdaBoost algorithm. Secondly, to improve the algorithm's performance in multi-class classif bication problem, a vote vector is adopted to combine base classifiers, which discriminates the accuracy with which a classifier classifies samples from different classes.

Key words: malware, behavior abstraction, classification, decision tree, AdaBoost, loss function

CLC Number:

TP339

CAO Ying;LIU Jiachen;MIAO Qiguang;GAO Lin. Improved behavior-based malware detection algorithm with AdaBoost[J].J4, 2013, 40(6): 116-124.

References

［1］ Bayer U, Kruegel C, Kirda E. TTAnalyze: a Tool for Analyzing Malware［DB/OL］. ［2013-09-28］. https://www.auto.tuwien.ac.at/～chris/research/doc/eicar06_ttanalyze.pdf.
［2］ Willems C, Holz T, Freiling F. Toward Automated Dynamic Malware Analysis Using Cwsandbox［J］. IEEE Security ＆ Privacy, 2007, 5(2): 32-39.
［3］ Portokalidis G, Slowinska A, Bos H. Argos: an Emulator for Fingerprinting Zero-day Attacks for Advertised Honeypots with Automatic Signature Generation［J］. ACM SIGOPS Operating Systems Review, 2006, 40(4): 15-27.
［4］ Baecher P, Koetter M, Holz T, et al. The Nepenthes Platform: An Efficient Approach to collect malware［C］//Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection. Heidelberg: Springer, 2006: 165-184.
［5］ Jiang X, Xu D. Collapsar: A VM-based Architecture for Network Attack Detention Center［C］//Proceedings of the 13th conference on USENIX Security Symposium. Berkeley: USENIX Association, 2004: 15-28.
［6］ Christodorescu M, Jha S, Kruegel C. Mining Specifications of Malicious Behavior［C］//Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering. New York: ACM, 2007: 5-14.
［7］ Eskandari M, Hashemi S. A Graph Mining Approach for Detecting Unknown Malwares［J］. Journal of Visual Languages ＆ Computing, 2012, 23(3): 154-162.
［8］杨轶, 苏璞睿, 应凌云, 等. 基于行为依赖特征的恶意代码相似性比较方法［J］. 软件学报, 2011, 22(10): 2438-2453.
Yang Yi, Su Purui, Ying Lingyun, et al. Dependency-Based Malware Similarity Comparison Method［J］. Journal of Software, 2011, 22(10): 2438-2453.
［9］王蕊, 苏璞睿, 杨轶, 等. 一种抗混淆的恶意代码变种识别系统［J］. 电子学报, 2011, 39(10): 2322-2330.
Wang Rui, Su Purui, Yang Yi, et al. An Anti-obfuscation Malwaer Variants Identification System［J］. Acta Electronica Sinica, 2011, 39(10): 2322-2330.
［10］ Han K S, Kim I K, Im E G. Detection Methods for Malware Variant Using API Call Related Graphs［C］//Proceedings of the 3rd International Conference on Information Technology Convergence and Security. Heidelberg: Springer, 2011: 607-611.
［11］ Jain S, Meena Y K. Byte Level n-Gram Analysis for Malware Detection［C］//Proceedings of the 5th International Conference on Information Processing Computer Networks and Intelligent Computing. Heidelberg: Springer, 2011: 51.
［12］ Ye Y, Wang D, Li T, et al. An intelligent PE-malware Detection System Based on Association Mining［J］. Journal in Computer Virology, 2008, 4(4): 323-334.
［13］ Fredrikson M, Jha S, Christodorescu M, et al. Synthesizing Near-optimal Malware Specifications from Suspicious Behaviors［C］//Proceedings of the 2010 IEEE Symposium on Security and Privacy. New York: IEEE, 2010: 45-60.
［14］ Freund Y, Schapire R E. Experiments with a New Boosting Algorithm［C］//Proceedings of the 13th International Conference on Machine Learning. San Francisco: Morgan Kaufmann, 1996: 148-156.
［15］王勇, 陶晓玲. 分级结构的AdaBoost入侵检测方法研究［J］. 西安电子科技大学学报, 2008, 35(2): 345-350.
Wang Yong, Tao Xiaoling. Study of the Intrusion Detection Method Based on AdaBoost with a Hierarchical Structure［J］. Journal of Xidian University, 2008, 35(2): 345-350.
［16］ Mason L, Baxter J, Bartlett P, et al. Boosting Algorithms As Gradient Descent in Function Space［C］//Proceedings of the Advances in Neural Information Processing Systems. Cambridge: MIT Press, 1999: 512-518.
［17］ Hall M, Frank E, Holmes G, et al. The WEKA Data Mining Software: an Update［J］. ACM SIGKDD Explorations Newsletter, 2009, 11(1): 10-18.

[1]	CHEN Changchuan,WANG Haining,HUANG Lian,HUANG Tao,LI Lianjie,HUANG Xiangkang,DAI Shaosheng. Facial expression recognition based on local representation [J]. Journal of Xidian University, 2021, 48(5): 100-109.
[2]	ZHOU Jianyu,WEI Yinsheng,XU Rongqing. Improved ionospheric clutter classification method based on fuzzy C-means clustering [J]. Journal of Xidian University, 2021, 48(2): 35-41.
[3]	DUAN Chongdi,HAN Chaolei,YANG Zhiwei,ZHANG Qingjun. Inshore ambiguity clutter suppression method aided by clutter classification [J]. Journal of Xidian University, 2021, 48(2): 64-71.
[4]	LI Shan,ZHNAG Kun,SHUI Penglang. Ship length distribution modeling on China offshore and ability evaluation of radar ship classification [J]. Journal of Xidian University, 2021, 48(2): 84-91.
[5]	LI Hai,SHANG Jinlei,SUN Tingyi,FENG Qing,ZHUANG Zibo. Method for hydrometeor classification based on MC-DTSVMs [J]. Journal of Xidian University, 2020, 47(4): 132-140.
[6]	LIU Daohua,WANG Shasha,YANG Zhipeng,CUI Yushuang. Improved face image classification method based on the local embedding network [J]. Journal of Xidian University, 2020, 47(4): 18-23.
[7]	LI Jiang,FENG Cunqian,WANG Yizhe,XU Xuguang. Deep learning model for micro-motion classification of cone targets [J]. Journal of Xidian University, 2020, 47(3): 105-112.
[8]	ZHANG Zhichang,ZHANG Zhiman,ZHANG Zhenwen. Classifying health questions with local semantic and global structural information [J]. Journal of Xidian University, 2020, 47(2): 9-15.
[9]	YAN Lin,LIU Kai,DUAN Meiyu. Lightweight deep neural network for point cloud classification [J]. Journal of Xidian University, 2020, 47(2): 46-53.
[10]	SONG Jianfeng,WEI Yue,MIAO Qiguang,QUAN Yining,CHEN Yusheng. Urine cell image classification algorithm based on the squeeze and excitation mechanism [J]. Journal of Xidian University, 2020, 47(2): 39-45.
[11]	CAO Yi,HUANG Zilong,ZHANG Wei,LIU Chen,LI Wei. Urban sound event classification with the N-order dense convolutional network [J]. Journal of Xidian University, 2019, 46(6): 9-16.
[12]	XIAO Lijun,GUO Jichang,GU Xiangyuan. Algorithm for selection of features based on dynamic weights using redundancy [J]. Journal of Xidian University, 2019, 46(5): 155-161.
[13]	YANG Hongyu,NA Yuzhuo. Android malware detection model [J]. Journal of Xidian University, 2019, 46(3): 45-51.
[14]	SUN Chen, CHENG Liye. Spatial sensing matrix learning for PolSAR image classification [J]. Journal of Xidian University, 2018, 45(6): 92-98.
[15]	LI Xue, AI Lirong, ZHOU Xiaojing, ZHANG Kai. Automatic assessment of children's vision [J]. Journal of Xidian University, 2018, 45(6): 150-155.

Improved behavior-based malware detection algorithm with AdaBoost

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Metrics

Comments

Recommended 0