
Novel file-static-structure-attribute-based malware detection method

A static-structure-based malware detection technology, classified under platform integrity maintenance, instrumentation, electrical digital data processing, etc.

Active Publication Date: 2011-04-27
SICHUAN UNIV
Cites 2; cited by 43

AI Technical Summary

Problems solved by technology

Its disadvantages are: it can hardly detect new types of malware; malware it can detect is no longer detected once it has simply been packed; and a specific malware sample, once detected and removed by anti-virus software, can easily be modified to evade detection.
[0009] First, whether a static or a dynamic analysis method is used, feature extraction is complicated and the extracted features are numerous, so detecting each file takes a relatively long time, which makes such methods hard to use in actual anti-virus deployments;
[0010] Second, the static detection methods above are easily defeated by packing and obfuscation. After packing, both the binary code and the disassembled code of the malware are completely changed, so detection accuracy drops. If unpacking is performed before detection, the detection time per file grows, and because of anti-unpacking techniques, general-purpose unpackers cannot automatically unpack all malware;
[0011] Third, dynamic analysis usually observes only a single execution path of the malware and cannot traverse all of its execution paths. At the same time, much malware already has anti-virtualization, anti-debugging, anti-tracing and anti-disassembly capabilities, all of which make dynamic detection less accurate and more time-consuming, and it requires actually executing the malicious code;
[0012] Fourth, the software may cause damage to the system




Embodiment Construction

[0068] Detection model and basic idea:

[0069] The idea on which the present invention is based is that the behaviour and nature of software are necessarily reflected in its static structural attributes. By analysing the static structural attributes of software, the attributes that discriminate well between malware and normal software are extracted, and a classification algorithm learns from them, so that malware and normal files can be correctly identified. The present invention analyses PE files on the Windows platform and ELF files on the Linux platform, and examines the static structural attributes of the files from the standpoint of software structural integrity. These attributes can measure the credibility of software; for the various types of software, statistical methods are used to obtain the value distribution characteristics of these structural attributes within similar software. These results pro...
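A worked example of the attribute-extraction step described above, added here as an editorial illustration; it is not code from the patent or from Sichuan University. It walks the PE headers and section table directly and derives a handful of structural-integrity attributes of the kind the passage alludes to (entry point placement, section entropy, sections that are empty on disk, write+execute sections, non-standard section names, overlay size). The attribute set, the constants, the `build_sample_pe` helper and the two constructed sample images (`benign_sample`, `packed_sample`) are assumptions chosen for illustration; the patent's own attribute list, selection filter and classifier are not reproduced. Only the PE side is shown; the ELF side follows the same pattern over the ELF section header table.

```python
import math
import struct
from collections import Counter

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed set of "normal" section names (illustrative); anything else counts as non-standard.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe_attributes(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table
    and derive structural attributes. Header fields are attacker-controlled, so each offset is bounds-checked."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    sec_table = opt + opt_size
    if opt + 20 > len(blob) or sec_table + 40 * n_sections > len(blob):
        raise ValueError("optional header or section table runs past end of file")
    # AddressOfEntryPoint is at optional-header offset 16 in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    sections = []
    for i in range(n_sections):
        (name, vsize, va, rawsize, rawptr, _relocs, _lines, _nrelocs, _nlines,
         flags) = struct.unpack_from("<8sIIIIIIHHI", blob, sec_table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr, "flags": flags,
            # Slicing truncates silently when rawptr/rawsize point past the end of the file.
            "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize]) if rawsize else 0.0,
        })
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    data_end = max((s["rawptr"] + s["rawsize"] for s in sections if s["rawsize"]),
                   default=sec_table + 40 * n_sections)
    return {
        "n_sections": n_sections,
        "entry_in_section": entry_sec is not None,
        "entry_section_writable": bool(entry_sec and entry_sec["flags"] & IMAGE_SCN_MEM_WRITE),
        "entry_section_entropy": entry_sec["entropy"] if entry_sec else 0.0,
        "max_section_entropy": max((s["entropy"] for s in sections), default=0.0),
        "zero_raw_sections": sum(1 for s in sections if s["vsize"] and not s["rawsize"]),
        "wx_sections": sum(1 for s in sections if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE),
        "nonstandard_names": sum(1 for s in sections if s["name"] not in STANDARD_SECTION_NAMES),
        "overlay_bytes": max(0, len(blob) - data_end),
    }

def _align(x: int, a: int) -> int:
    return (x + a - 1) // a * a

def build_sample_pe(sections, entry_rva: int, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 image in memory (constructed test input, not a real binary).
    sections: list of (name, raw_bytes, virtual_size, characteristics)."""
    file_align, sect_align, size_of_headers = 0x200, 0x1000, 0x200
    headers, bodies = bytearray(), bytearray()
    raw_ptr, va = size_of_headers, 0x1000
    for name, data, vsize, flags in sections:
        raw = _align(len(data), file_align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw,
                               raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        bodies += data.ljust(raw, b"\0")
        raw_ptr += raw
        va += _align(max(vsize, raw), sect_align)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5A000000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, va, size_of_headers)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image.ljust(size_of_headers, b"\0") + bytes(bodies) + overlay

def benign_sample() -> bytes:
    """Constructed: conventional layout, entry point inside a read/execute .text section."""
    return build_sample_pe([(".text", b"\x55\x8b\xec\x90" * 128, 0x200, 0x60000020),
                            (".data", b"\x00" * 0x200, 0x200, 0xC0000040)], entry_rva=0x1010)

def packed_sample() -> bytes:
    """Constructed: packer-like layout, first section empty on disk, entry in a writable high-entropy section, overlay."""
    return build_sample_pe([("UPX0", b"", 0x10000, 0xE0000080),
                            ("UPX1", bytes(range(256)) * 2, 0x200, 0xE0000040)],
                           entry_rva=0x11010, overlay=b"OVERLAY!")
```

Each attribute dict is one row of the training matrix the abstract describes; the selection filter and classifier would operate on these rows. Two caveats a practitioner should keep in mind: every field here is attacker-controlled, so the parser must never trust `e_lfanew`, section counts or raw pointers without bounds checks, and a structural detector is only "unaffected by packing" to the extent that packers leave structural traces such as the empty-on-disk, writable, high-entropy sections shown in `packed_sample`.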



Abstract

The invention discloses a novel file-static-structure-attribute-based malware detection method, in particular a detection method for portable executable (PE) files and executable and linkable format (ELF) files. The method comprises the following steps: in a training phase, extracting static structure attributes from file samples, preprocessing the data, performing selection filtering with a selection-filtering algorithm, and training a classifier on the filtered data; and in a detection phase, classifying the files under test with the trained classifier according to the filtered static structure attributes, to obtain a result indicating whether each file is malware or a normal file. The method detects known and unknown malware with an accuracy of over 99 percent, has a short detection time, occupies few system resources and can actually be deployed in antivirus software. The method is not affected by techniques such as packing, obfuscation, metamorphism and polymorphism; it can currently be applied to Windows and Linux platforms and can also be applied to embedded platforms such as mobile phones and palmtop computers.

Description

Technical field
[0001] The invention relates to a malware detection method in information security, especially a novel and practical malware detection method for PE files and ELF files which, after training on a limited training set, can detect known and unknown malware. Because it only needs to extract a small number of file static structure attributes, the detection time for a single file is about 0.25 seconds and the detection accuracy is above 99%, which meets the requirements for detection software that can actually be deployed and applied.
Background technique
[0002] According to statistics from major anti-virus companies at home and abroad, the number of new virus samples intercepted in 2008 exceeded 10 million, an average of tens of thousands of virus samples intercepted every day. The number of computer viruses has increased sharply, their transmission routes have diversified, and their ability to resist anti-virus software is strong. C...


Application Information

IPC(8): G06F21/00, G06F21/22, G06F21/56
Inventors: 王俊峰, 白金荣, 赵宗渠, 刘达富, 佘春东
Owner SICHUAN UNIV