Botnet software detection method based on API calling and network behaviors

A technique for software detection based on API calls and network behavior, applied in the field of computer science. It addresses the shortage of malicious-code identification methods that combine host behavior with network behavior, and is described as improving detection accuracy and efficiency and reducing the size of the function call graph.

Pending Publication Date: 2022-07-05
GUILIN UNIV OF ELECTRONIC TECH

AI Technical Summary

Problems solved by technology

[0004] Most current research therefore focuses on only one aspect, either host behavior or network behavior; few studies combine the two to identify malicious code.




Embodiment

[0028] As shown in figure 1, a method for detecting botnet software based on API calls and network behaviors includes the following steps:

[0029] The method for detecting botnet software based on API calls and network behaviors comprises a host behavior pattern extraction layer module, a network behavior pattern extraction layer module and an aggregation training module; wherein:

[0030] 1) The host behavior pattern extraction layer module includes the file parsing and identification sub-module, the static FCG (function call graph) extraction sub-module, the sample distribution sub-module and the calling context extraction sub-module, as follows:

[0031] 1-1) Parsing and identification of sample files: the file parsing and identification sub-module uses a signature database of file types to identify the type of the executable program, parses the sample to be analyzed with the parser for that specific file format to obtain its file meta-information, import table and symbol table, and determines whether the sample file is e...
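The file parsing and identification step of [0031], as an added example that is not part of the patent: a constructed two-entry magic-byte signature table identifies the container (ELF or PE), and format-specific header parsing then extracts the meta-information the text refers to (machine, file type, entry point, header counts, and for PE the location of the import directory from which an import-table walk would start). The signature table, the constant tables, the `identify_format`/`parse_elf_meta`/`parse_pe_meta`/`inspect` names and the two embedded sample headers are all constructed for this example; the full import and symbol table walk is not shown.

```python
"""Signature-based executable identification and header meta-information (added example)."""
import struct

# Constructed signature database: leading bytes -> container format.
SIGNATURES = (
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE"),  # also matches plain DOS .exe; parse_pe_meta confirms "PE\0\0"
)
ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def identify_format(data):
    """Match the leading bytes against the signature table; the extension is never consulted."""
    for magic, name in SIGNATURES:
        if data[: len(magic)] == magic:
            return name
    return None


def parse_elf_meta(data):
    """Read the ELF header (32- or 64-bit, either byte order) into a meta dict."""
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {"format": "ELF", "bits": 64 if ei_class == 2 else 32,
            "endian": "little" if ei_data == 1 else "big",
            "type": ELF_TYPES.get(e_type, hex(e_type)),
            "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
            "entry": e_entry, "program_headers": e_phnum, "sections": e_shnum}


def parse_pe_meta(data):
    """Follow e_lfanew to the PE signature, read the COFF header, the optional-header
    magic and the import directory entry (RVA, size)."""
    if len(data) < 0x40:
        raise ValueError("truncated DOS header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe: pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew (plain DOS executable or corrupt file)")
    if len(data) < pe + 24:
        raise ValueError("truncated COFF header")
    (machine, nsections, _timestamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, pe + 4)
    meta = {"format": "PE", "machine": PE_MACHINES.get(machine, hex(machine)),
            "sections": nsections,
            "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "pe_format": None, "import_table_rva": None, "import_table_size": None}
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if opt_size >= 2 and len(data) >= opt + 2:
        magic = struct.unpack_from("<H", data, opt)[0]
        meta["pe_format"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic))
        # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+);
        # entry 1 (8 bytes in) is the import directory.
        dd = 112 if magic == 0x20B else 96
        if opt_size >= dd + 16 and len(data) >= opt + dd + 16:
            rva, size = struct.unpack_from("<II", data, opt + dd + 8)
            meta["import_table_rva"], meta["import_table_size"] = rva, size
    return meta


def inspect(data):
    """Dispatch on the identified container; unknown formats yield format=None."""
    fmt = identify_format(data)
    if fmt == "ELF":
        return parse_elf_meta(data)
    if fmt == "PE":
        return parse_pe_meta(data)
    return {"format": None}


# Constructed sample headers: ET_DYN x86-64 ELF and a PE32+ x86-64 EXE (headers only).
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
              + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0x401000, 64, 0x2000,
                            0, 64, 56, 5, 64, 30, 29))


def _build_sample_pe():
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)  # PE32+ optional header, zero except magic and import directory
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 120, 0x3000, 0x50)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    for name, blob in (("elf", SAMPLE_ELF), ("pe", SAMPLE_PE), ("script", b"#!/bin/sh\n")):
        print(name, inspect(blob))
```

The signature only identifies the container: a packed or encrypted sample still parses as a clean PE or ELF, which is why the method pairs this static step with dynamic analysis of the sample. The `"PE\0\0"` check matters because `MZ` alone also matches plain DOS executables and corrupt files; a real signature database would carry many more entries (Mach-O, .NET, scripts, archives).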



Abstract

The invention discloses a botnet (zombie) software detection method based on API (Application Programming Interface) calls and network behaviors. The method comprises a host behavior pattern extraction layer module, a network behavior pattern extraction layer module and an aggregation training module. The host behavior pattern extraction layer module comprises a file parsing and identification sub-module, a static FCG (function call graph) extraction sub-module, a sample distribution sub-module and a calling context extraction sub-module, and sequentially performs parsing and identification of sample files, sample distribution, static and dynamic analysis of the samples, FCG compression and node re-tagging. The network behavior pattern extraction layer module comprises a network behavior monitoring and data preprocessing sub-module and an LSTM representation learning sub-module, and performs network behavior collection and data preprocessing and trains the LSTM representation learning sub-module. The aggregation training module performs aggregation training on the outputs of the host behavior pattern extraction layer module and the network behavior pattern extraction layer module, feeds the result into a fully connected classification network, and finally obtains the classification result.
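The FCG compression and node re-tagging step named in the abstract, as an added example that is not taken from the patent (the page does not state which compression rule the method uses). The call graph is a constructed edge list; compression is assumed here to mean (a) dropping internal functions from which no imported API is reachable and (b) inlining single-caller, single-callee wrapper functions into their caller; re-tagging is assumed to replace each API name by a coarse category label so that graphs from different samples share one small vocabulary. `API_CATEGORY`, `SAMPLE_EDGES` and the function names are this example's own.

```python
"""Static FCG pruning, wrapper contraction and node re-tagging (added example)."""
from collections import Counter, defaultdict

# Constructed table: imported API name -> coarse behaviour category (assumed re-tag vocabulary).
API_CATEGORY = {
    "WSAStartup": "NET", "connect": "NET", "send": "NET", "recv": "NET",
    "Sleep": "TIME",
    "CreateProcessA": "PROC",
}

# Constructed static call graph edges (caller, callee) for a small bot:
# internal helpers plus imported APIs, as a disassembler would emit them.
SAMPLE_EDGES = [
    ("main", "init"), ("main", "loop"),
    ("init", "WSAStartup"),
    ("loop", "beacon"), ("loop", "sleep_wrapper"), ("loop", "spread"),
    ("beacon", "connect"), ("beacon", "send"), ("beacon", "recv"),
    ("sleep_wrapper", "Sleep"),
    ("spread", "CreateProcessA"), ("spread", "helper"),
    ("helper", "strlen_impl"),   # pure internal code with no API below it
    ("orphan", "crc32_impl"),    # dead code, never called
]


def build_graph(edges):
    """Adjacency sets for every node, including leaf callees."""
    g = {}
    for caller, callee in edges:
        g.setdefault(caller, set()).add(callee)
        g.setdefault(callee, set())
    return g


def prune_to_api_reaching(g, apis):
    """Keep only nodes from which at least one imported API is reachable
    (reverse walk from the API nodes over caller edges)."""
    callers = defaultdict(set)
    for caller, callees in g.items():
        for callee in callees:
            callers[callee].add(caller)
    keep = {n for n in g if n in apis}
    work = list(keep)
    while work:
        n = work.pop()
        for p in callers[n]:
            if p not in keep:
                keep.add(p)
                work.append(p)
    return {n: {c for c in g[n] if c in keep} for n in g if n in keep}


def contract_wrappers(g, apis):
    """Inline internal functions with exactly one caller and exactly one callee
    (thin wrappers); the caller inherits the wrapper's outgoing edge."""
    g = {n: set(cs) for n, cs in g.items()}
    while True:
        callers = defaultdict(set)
        for caller, callees in g.items():
            for callee in callees:
                callers[callee].add(caller)
        wrapper = next((n for n in g if n not in apis and n not in g[n]
                        and len(callers[n]) == 1 and len(g[n]) == 1), None)
        if wrapper is None:
            return g
        (caller,) = callers[wrapper]
        g[caller].discard(wrapper)
        g[caller] |= g[wrapper]
        del g[wrapper]


def retag(g, api_category):
    """Replace names by labels: APIs get their category, internal code gets 'FUNC'.
    Returns (node -> tag, Counter of (caller_tag, callee_tag) edges)."""
    tags = {n: api_category.get(n, "FUNC") for n in g}
    edges = Counter((tags[a], tags[b]) for a, bs in g.items() for b in bs)
    return tags, edges


def compress_and_retag(edges, api_category):
    """Full pipeline: build, prune, contract, re-tag."""
    apis = set(api_category)
    g = contract_wrappers(prune_to_api_reaching(build_graph(edges), apis), apis)
    tags, tagged_edges = retag(g, api_category)
    return g, tags, tagged_edges


if __name__ == "__main__":
    full = build_graph(SAMPLE_EDGES)
    g, tags, tagged = compress_and_retag(SAMPLE_EDGES, API_CATEGORY)
    print(f"{len(full)} nodes -> {len(g)} nodes")
    for caller in sorted(g):
        for callee in sorted(g[caller]):
            print(f"  {caller}:{tags[caller]} -> {callee}:{tags[callee]}")
    print(dict(tagged))
```

On the constructed graph the 16-node FCG shrinks to 9 nodes: `helper`, `strlen_impl`, `orphan` and `crc32_impl` are pruned, and `init`, `sleep_wrapper` and `spread` are folded into their callers. The tagged edge counts (four FUNC to NET edges, one to TIME, one to PROC) are the kind of sample-independent summary a downstream classifier can consume; a practitioner should keep the original names alongside the tags, since the category table itself is an analyst's choice and an unknown import silently lands in the generic bucket.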

Description

Technical field [0001] The invention relates to the technical field of computer science, in particular to a method for detecting botnet (zombie) software based on API calls and network behavior. Background [0002] With the application of deep learning, end-to-end text classification techniques and learning models from natural language processing have also been applied to malicious code detection. X. Xiao and others treat the binary code as the lowest-level feature: the binary plays the role that image pixels or the first few bytes of traffic play in other applications of deep learning, and CNN, RNN or LSTM networks, auto-encoders and similar models are then used to mine code structure or time-series features, with multiple hidden layers learning progressively higher-level features. M. Yeo first extracts features and feeds them into a neural network for training and classification, because the traffic sent by malicious code such as bot software often has different characteristic...


Application Information

Patent Type & Authority Applications(China)
IPC(8): G06F21/56, G06N3/04, G06N3/08
CPC: G06F21/562, G06F21/566, G06N3/08, G06N3/044
Inventors: 黄永忠, 罗勇成, 秦韬
Owner GUILIN UNIV OF ELECTRONIC TECH