摘要
针对现有恶意程序行为特征检测存在的不足,采用多轨迹检测方法,用文件操作、网络访问、内存资源访问的行为特征构建出三维恶意行为特征库。在构造投影数据库的过程中,结合AC自动机优化频繁序列查询,舍去不满足最小长度的频繁序列,得到改进的数据挖掘算法——Prefixspan-x,并将其应用于动态提取恶意软件行为特征库和阈值匹配,以克服静态反汇编方式获取软件行为轨迹时软件加壳、混淆带来的检测困难。实验结果表明,基于数据挖掘的多轨迹特征检测技术具有较高的准确率和较低的漏报率。
In order to solve the shortcomings of the malware behavior characteristic detection,we proposed a multiple tracks detection method which uses the behavior characteristics of file operation,network access and memory resources to construct a three-dimensional signatures of malicious behavior database.In the course of constructing projection database,we combined AC automation which can optimize frequent sequence query,deleted these frequent sequences which are shorter than the minimum length,and then got the improved data mining algorithm,called Prefixspan-x.We used the algorithm to dynamicly extract malicious behavior characteristic database and threshold match,in order to overcome the detection difficulties caused by software packers and confusion during static disassembly way to get the software behavior trajectories.Experimental results show that the proposed feature detection technology has high accuracy and low false negative rate.
出处
《计算机科学》
CSCD
北大核心
2016年第5期91-95,共5页
Computer Science
基金
国家自然科学基金(61472447)资助
