
Malicious code detection method and system based on information gain

A malicious code detection technology based on information gain, applied in the field of malicious code detection methods and systems. It addresses the problems of slowing down the normal operation of the system, high computer overhead, and damage caused by malicious code, with the effect of reducing overfitting and improving the detection rate and accuracy.

Inactive Publication Date: 2016-04-13
HARBIN ANTIY TECH

AI Technical Summary

Problems solved by technology

The disadvantage of signature-based pattern matching is that malicious code samples must be found and obtained manually, and their signatures extracted and added to the malicious code signature database. Detection based on malicious code behavior rules, in turn, detects malicious code according to common behavior rules predefined by experts.
This method lags behind: especially now that computers operate much faster, by the time malicious code behavior is detected, it has often already caused irreparable losses to the system.
Both are post-mortem detection technologies: they can only detect known malicious code, or can only detect malicious code after it has executed, by which time the malicious code has already caused damage.
Some malicious code detection methods also have high computer overhead and often slow down the normal operation of the system.



Examples


Embodiment Construction

[0039] The present invention provides embodiments of a malicious code detection method and system based on information gain. To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above purposes, features and advantages more apparent, the technical solution of the present invention is described in further detail below in conjunction with the accompanying drawings:

[0040] The present invention first provides an embodiment of a malicious code detection method based on information gain, as shown in Figure 1, including:

[0041] S101. Collect malicious samples and non-malicious samples to form a training sample set, marking whether each sample is malicious with N or Y: N represents a non-malicious sample and Y represents a malicious sample;

[0042] S102. Select various splitting criteria to form an attribute set;...


Abstract

The invention discloses a malicious code detection method based on information gain. The method comprises the following steps: collecting samples to form a training sample set; selecting splitting criteria to form an attribute set; extracting samples from the training sample set by random sampling with replacement to form a test sample set; randomly extracting features from the test sample set to form a feature sample set; selecting the splitting criterion of each splitting node from the attribute set according to the information gain maximization criterion; splitting the feature sample set layer by layer until the splitting cannot continue; combining the splitting criteria of all splitting nodes to form a decision tree; repeating this process to obtain the required number of decision trees; having each decision tree give a judgment for the data to be detected; and giving the final detection result by integrating all of the judgments. The invention also discloses a malicious code detection system based on information gain. With this technical scheme, unknown malicious code can be effectively recognized and detection efficiency can be improved.
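The steps in the abstract, worked through as an added example (not code from the patent or from the applicant). The page does not list the actual splitting criteria, so the three binary attributes and the ten training rows below are constructed for illustration.

```python
import math
import random
from collections import Counter

# Constructed training set (S101); hypothetical binary attributes, Y = malicious, N = non-malicious.
ATTRS = ["packed", "writes_autorun", "has_signature"]
RAW = [(1,1,0,"Y"), (0,1,0,"Y"), (1,1,1,"Y"), (0,1,1,"Y"), (1,0,0,"Y"),
       (0,0,0,"N"), (1,0,1,"N"), (0,0,1,"N"), (0,0,1,"N"), (0,0,0,"N")]
TRAIN = [dict(zip(ATTRS + ["label"], r)) for r in RAW]

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def info_gain(rows, attr):
    """Entropy of the labels minus the weighted entropy after splitting on attr."""
    gain = entropy([r["label"] for r in rows])
    for v in (0, 1):
        part = [r["label"] for r in rows if r[attr] == v]
        if part:
            gain -= len(part) / len(rows) * entropy(part)
    return gain

def build_tree(rows, attrs):
    labels = [r["label"] for r in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority
    best = max(attrs, key=lambda a: info_gain(rows, a))   # information gain maximization
    if info_gain(rows, best) <= 0:
        return majority                                    # splitting cannot continue
    rest = [a for a in attrs if a != best]
    return (best, {v: build_tree([r for r in rows if r[best] == v], rest) for v in (0, 1)})

def classify(tree, sample):
    while isinstance(tree, tuple):          # walk split nodes until a leaf label is reached
        tree = tree[1][sample[tree[0]]]
    return tree

def train_forest(train, attrs, n_trees, n_feats, seed=0):
    rng = random.Random(seed)
    # Per tree: random sampling with replacement, then a random feature subset.
    return [build_tree([rng.choice(train) for _ in train], rng.sample(attrs, n_feats))
            for _ in range(n_trees)]

def detect(forest, sample):
    # Each tree gives its judgment; the majority label is the final detection result.
    return Counter(classify(t, sample) for t in forest).most_common(1)[0][0]
```

On the full constructed set, `writes_autorun` has the highest information gain and becomes the root split; `train_forest(TRAIN, ATTRS, n_trees=15, n_feats=2)` then builds the ensemble that `detect` votes over.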

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a malicious code detection method and system based on information gain.

Background

[0002] At present, although malicious code detection technology is constantly developing, detection techniques and capabilities still lag behind the development of malicious code; detecting unknown malicious code in particular poses a huge challenge to malicious code detection technology. Commonly used detection technologies currently include signature-based pattern matching and detection based on malicious code behavior rules. Signature-based pattern matching matches the signature of the file under inspection against the malicious code signature strings in the signature database. When the match succeeds, the inspected file contains malicious code, otherwise...


Application Information

IPC(8): G06F21/56
CPC: G06F21/563, G06F2221/033
Inventors: 常安琪, 李柏松
Owner: HARBIN ANTIY TECH