Malicious code detection method and system

Abstract

The invention discloses a malicious code detection method and system, and the method comprises the steps: S1, enabling a Windows API action sequence in an operation process of each malicious code to serve as a text with a context relation, and respectively carrying out the feature extraction through TF-IDF and Doc2vec; s2, after a TF-IDF feature matrix and a Doc2vec feature matrix are obtained respectively, splicing the features extracted by the TF-IDF and the Doc2vec, and obtaining a feature matrix of the malicious code after dimensionality reduction; s3, constructing an integrated classification improved model based on clustering, classifying the data set by adopting a plurality of base learners; and S4, in a prediction stage, respectively inputting the samples into the nearest single class cluster/SVM classifier in each base learner, outputting a prediction class, and finally according to a voting principle, taking the class occupying the majority in the learner output classes as afinal prediction class. According to the method, the TF-IDF and the Doc2vec are combined, the API frequency in the malicious code action sequence is considered, the context association of the action sequence is also considered, and the malicious code detection accuracy is improved.

Description

technical field [0001] The invention belongs to the technical field of network security, and in particular relates to a malicious code detection method and system. Background technique [0002] Malicious code detection has always been one of the focuses of attention in the field of network security. Malicious programs such as Trojan horse virus, worm virus, mining virus, and ransomware virus invade the system, tamper with files, and steal information by stealthily injecting and running malicious code. , Enterprises, personal privacy security and property security are a huge threat. With the continuous confrontation and upgrading of malicious code attack and defense technologies, the development of malicious code gradually tends to be multi-variant, highly concealed, large in number, and updated quickly. At present, the analysis techniques for malicious code can be divided into static analysis and dynamic analysis. Among them, the dynamic analysis technology pays attention t...

AI Technical Summary

Problems solved by technology

[0004] However, the model proposed by Tian et al. only focused on the number and frequency of Windows APIs, without considering the context contained in the API call sequence, and lost some characteristics of the data.

The model proposed by Shifu Hou et al. merges the clusters containing multiple categories of data into a large mixed cluster after clustering. Some of these clusters are caused by the distribution of data as non-spherical clusters or fuzzy category boundaries. Part of the data points are doped with each other, but some clusters are reduced in purity due to the inclusion of a small number of outliers or noise points

For the latter, the data subsets corresponding to the mixed clusters are often highly unbalanced in data distribution, and there is no obvious improvement after the clusters are merged. The noise points generated in the process may also affect the accuracy of classification

Images