Decision model used for detecting malicious programs and detecting method of malicious programs

A malicious-program decision-model technology, applied in the fields of instrumentation, electrical digital data processing, platform integrity maintenance, etc. It addresses the shortcomings of prior methods: the difficulty of meeting strict requirements on the false detection rate, the use of only 7 program features, which are too simple, and a generalization ability that cannot be effectively guaranteed.

Active Publication Date: 2014-07-16
西安电子科技大学重庆集成电路创新研究院
1 Cites, 21 Cited by

AI Technical Summary

Problems solved by technology

Although this method uses fuzzy reasoning to obtain the ability to judge variants and obfuscated malicious programs, it is limited by the rule judgment method itself, the 7 program features it uses are too simple, and its generalization ability cannot be effectively guaranteed.
[0005] In the document "Peng Hong, Wang Jun. Virus program detection method based on support vector machine [J]. Electronic Journal, 33(2), 276-278(2005)." Although this method can improve the detection ab



Examples


Embodiment 1

[0105] In this embodiment, 14863 malicious program samples collected from the VX-Heaven public malicious program database and 2623 non-malicious program samples collected from the original Windows XP system are used as training data. In addition, 1100 malicious programs and 1100 non-malicious programs collected from security forums on the Internet are used as test data.

[0106] In this example:

[0107] r1, r2, r3, r4, r5, r6, r7, r8 and r9 are equal to 0.005;

[0108] d1, d4 and d7 are equal to 0.4;

[0109] d2, d5 and d8 are equal to 0.35;

[0110] d3, d6 and d9 are equal to 0.3;

[0111] In the OCSVM algorithm, the kernel bandwidth of the RBF kernel function is 0.01.

[0112] The relevant parameters (ω and ρ) of the OCSVM algorithm model are the results of algorithm optimization. Due to the inherent randomness of the optimization algorithm, the performance of the algorithm model can be guaranteed by the parameter selection process, so ensuring t...

Embodiment 2

[0120] This embodiment differs from Embodiment 1 in that, during the detection process, a program is judged to be malicious only when both the rules and the machine learning algorithm judge it to be malicious. With the data, comparison algorithms and experimental process kept consistent with Embodiment 1, the simulation experiment results are shown in Table 2:

[0121] Table 2 Simulation experiment results

[0122] (table contents not included in the page text)

[0123] As can be seen from the simulation experiment results in Table 2, the present invention, using the stricter false-detection-rate control in its detection process, achieves a false detection rate significantly lower than that of all the comparison algorithms, while its detection rate lies in the middle of the comparison algorithms. This further shows that the present invention is effective at controlling the false detection rate while keeping the detection rate balanced.



Abstract

The invention relates to a decision model used for detecting malicious programs and a detecting method for the malicious programs. The detecting method comprises rule generation and machine learning algorithm training. In rule generation, a decision rule set is generated from a training sample set, composed of a 'malicious program' sample set and a 'non-malicious program' sample set, at three levels: the API (application programming interface) calling layer, the basic abstraction layer and the business abstraction layer; the decision rule set accordingly includes an API calling layer decision rule, a basic abstraction layer decision rule and a business abstraction layer decision rule. In machine learning algorithm training, an OCSVM (one-class support vector machine) algorithm is trained to obtain an OCSVM algorithm model. The detecting method then judges the programs to be detected using this decision model. With this technical scheme, the features are multilevel and systematic, false detection can be effectively controlled at each step, and the feasibility of applying malicious program behavior detection to actual computer security is improved.
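The following is an added illustration, not code from the patent, of the decision structure the abstract describes and the stricter detection process of Embodiment 2: rules are evaluated at an API calling layer, a basic abstraction layer and a business abstraction layer, a one-class model trained on non-malicious samples gives a second verdict, and the two verdicts are fused either permissively (either flags) or strictly (both must flag). Everything in it is constructed: the API names, the abstraction mappings, the rules, the sample programs and the threshold are hypothetical, and the one-class model is an RBF-kernel Parzen-window novelty detector standing in for the patent's OCSVM so that the example runs without scikit-learn.

```python
"""Three-layer rule decisions fused with a one-class model, compared under an
OR and a stricter AND detection process. Every API name, rule, sample and
threshold below is CONSTRUCTED for illustration; none comes from the patent."""
from math import exp
from typing import Dict, List, Sequence, Set, Tuple

# Layer 1 feature: the set of API names a program was observed calling.
# Layer 2 (basic abstraction): hypothetical mapping of APIs to behaviour categories.
BASIC_ABSTRACTION: Dict[str, str] = {
    "ReadFile": "file_read", "WriteFile": "file_write", "CopyFile": "file_write",
    "RegSetValue": "registry_write", "CreateProcess": "process_create",
    "InternetOpen": "network", "HttpSendRequest": "network", "MessageBox": "ui",
}
# Layer 3 (business abstraction): hypothetical behaviours composed of categories.
BUSINESS_ABSTRACTION: Dict[str, Set[str]] = {
    "persistence": {"file_write", "registry_write"},
    "download_execute": {"network", "file_write", "process_create"},
}
CATEGORY_INDEX: List[str] = sorted(set(BASIC_ABSTRACTION.values()))

# Hypothetical decision rules, one per layer (not the patent's rule set).
API_LAYER_RULES: List[Set[str]] = [{"RegSetValue", "CreateProcess"}]
BASIC_LAYER_RULES: List[Set[str]] = [{"network", "process_create"}]
BUSINESS_LAYER_RULES: List[str] = ["download_execute"]  # "persistence" alone is not a rule

def categories(apis: Set[str]) -> Set[str]:
    """Basic abstraction layer: collapse raw API names into categories."""
    return {BASIC_ABSTRACTION[a] for a in apis if a in BASIC_ABSTRACTION}

def behaviours(cats: Set[str]) -> Set[str]:
    """Business abstraction layer: behaviours whose required categories are all present."""
    return {name for name, needed in BUSINESS_ABSTRACTION.items() if needed <= cats}

def rule_verdict(apis: Set[str]) -> bool:
    """True if any rule at any of the three layers fires."""
    cats = categories(apis)
    return (any(rule <= apis for rule in API_LAYER_RULES)
            or any(rule <= cats for rule in BASIC_LAYER_RULES)
            or any(b in behaviours(cats) for b in BUSINESS_LAYER_RULES))

def vectorize(apis: Set[str]) -> List[float]:
    """Binary category-presence vector fed to the one-class model."""
    cats = categories(apis)
    return [1.0 if c in cats else 0.0 for c in CATEGORY_INDEX]

class KernelDensityOneClass:
    """RBF-kernel Parzen-window novelty detector fitted on benign vectors only.
    A stand-in for the patent's OCSVM (same one-class, RBF-kernel idea, but no
    SVM optimisation); gamma and threshold are constructed values."""
    def __init__(self, benign: Sequence[List[float]], gamma: float = 1.0, threshold: float = 0.10):
        self.support, self.gamma, self.threshold = list(benign), gamma, threshold

    def score(self, v: List[float]) -> float:
        """Mean kernel similarity to the benign training set (1.0 = identical)."""
        sims = (exp(-self.gamma * sum((a - b) ** 2 for a, b in zip(v, s))) for s in self.support)
        return sum(sims) / len(self.support)

    def is_malicious(self, v: List[float]) -> bool:
        return self.score(v) < self.threshold

def decide(apis: Set[str], model: KernelDensityOneClass, mode: str) -> bool:
    """'or': either component flags it; 'and': both must (Embodiment 2's stricter process)."""
    by_rules, by_model = rule_verdict(apis), model.is_malicious(vectorize(apis))
    return (by_rules and by_model) if mode == "and" else (by_rules or by_model)

def evaluate(samples: Sequence[Tuple[Set[str], bool]], model: KernelDensityOneClass,
             mode: str) -> Tuple[float, float]:
    """Return (detection rate over malicious samples, false detection rate over benign ones)."""
    tp = fp = n_mal = n_ben = 0
    for apis, is_mal in samples:
        flagged = int(decide(apis, model, mode))
        if is_mal:
            n_mal, tp = n_mal + 1, tp + flagged
        else:
            n_ben, fp = n_ben + 1, fp + flagged
    return tp / n_mal, fp / n_ben

# Constructed benign training set (API sets of hypothetical clean programs).
BENIGN_TRAINING = [
    {"ReadFile", "MessageBox"}, {"WriteFile", "ReadFile"},
    {"InternetOpen", "HttpSendRequest", "ReadFile"}, {"MessageBox"},
    {"RegSetValue", "ReadFile"}, {"InternetOpen", "CreateProcess", "ReadFile", "MessageBox"},
]
# Constructed test set: (API set, is_malicious).
TEST_SAMPLES = [
    ({"InternetOpen", "HttpSendRequest", "WriteFile", "CreateProcess"}, True),
    ({"CopyFile", "RegSetValue", "CreateProcess"}, True),
    ({"CopyFile", "RegSetValue"}, True),            # no rule fires; only the model catches it
    ({"InternetOpen", "CreateProcess", "RegSetValue"}, True),
    ({"ReadFile", "MessageBox"}, False),
    ({"InternetOpen", "CreateProcess", "ReadFile", "MessageBox"}, False),  # rule false positive
    ({"WriteFile", "MessageBox"}, False),
    ({"RegSetValue", "ReadFile", "MessageBox", "WriteFile"}, False),      # model false positive
]

def run_demo() -> Dict[str, Tuple[float, float]]:
    """Detection and false detection rates for the permissive and the strict process."""
    model = KernelDensityOneClass([vectorize(a) for a in BENIGN_TRAINING])
    return {mode: evaluate(TEST_SAMPLES, model, mode) for mode in ("or", "and")}

if __name__ == "__main__":
    for mode, (dr, fdr) in run_demo().items():
        print(f"{mode:>3}: detection rate {dr:.2f}, false detection rate {fdr:.2f}")
```

On this constructed data the permissive fusion detects every malicious sample but also flags two of the four benign ones (one rule false positive, one model false positive), whereas the strict fusion flags neither benign sample and misses the one malicious sample that only the model catches. That is the trade-off [0123] describes for Embodiment 2: requiring both components to agree lowers the false detection rate at some cost in detection rate, and the rule set's layered features mean a sample can be caught at the API, category or behaviour level without a rule for each raw API combination.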

Description

Technical field

[0001] The invention belongs to the related fields of system security and network security, and further relates to a method for the automatic analysis and detection of malicious programs. The invention uses a small number of samples of known malicious programs to automatically establish a rule base and a machine learning algorithm judgment module, and detects unknown malicious programs with high accuracy through a multi-level judgment process with strictly controlled false detection.

Background technique

[0002] In the field of malicious program analysis and detection, rule judgment or pattern recognition algorithms can be used to complete malicious program detection, in order to solve the problems of slow updates of static feature codes and the inability to cope with variants and obfuscated malicious programs.

[0003] The method and device for malicious file detection in Tencent Technology (Shenzhen) Co., Ltd.'s patent application "Method and device for detecting malic...


Application Information

IPC(8): G06F21/56
CPC: G06F21/562
Inventor 宋建锋苗启广刘家辰曹莹王维炜张浩杨晔汪梁
Owner 西安电子科技大学重庆集成电路创新研究院