A malware detection method based on access frequency of sensitive file names
By analyzing host machine file access logs, cleaning and preprocessing file paths, identifying sensitive filenames, and calculating information gain, this technology solves the detection challenges of rapid iteration and diversity of APT software in existing technologies, achieving fast and clear malware identification.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SUN YAT SEN UNIV
- Filing Date
- 2026-01-16
- Publication Date
- 2026-06-05
AI Technical Summary
Existing APT malware detection technologies based on static features are ill-equipped to handle the rapid iteration and diversity of APT software, making identification difficult.
By analyzing the file access logs of normal and malicious software on the host operating system, cleaning and preprocessing file paths, identifying sensitive filenames, calculating the information gain of filenames, and using a threshold matrix to make classification decisions, the nature of the software is determined.
It significantly reduces feature dimensionality and computational complexity, outputs results quickly, meets real-time requirements, provides clear and transparent decision-making criteria, and can cope with the rapid iteration of APT software and cross-platform use.
Smart Images

Figure CN122153885A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cyberspace security, and more specifically, to a method for detecting malware based on the access frequency of sensitive filenames. Background Technology
[0002] Diverse malware is a crucial weapon for APT groups to achieve their objectives, and effectively identifying APT malware is a key step in combating APT activities. However, APT groups often possess toolkits of malware with varying methods, coupled with mature and stable operational teams, enabling them to rapidly iterate and upgrade software and exploit zero-day vulnerabilities. This poses a significant challenge to widely used static feature-based APT malware identification technologies. Although APT groups differ in their tactics, software, and methods, one constant is that their software must access and utilize various resources of the host system to complete its functions. Malware's access patterns to sensitive files on the host machine will differ from those of normal software. If access logs of sensitive files on the host machine can be obtained during the runtime of normal and abnormal software, these differences can be modeled, providing new insights for malware detection and identification.
[0003] A sandbox is a security isolation mechanism that provides an isolated environment for running programs and is often used to analyze the dynamic behavior of malware. Common sandboxes such as Cuckoo, VirusTotal, and QiAnXin Network Sandbox all support returning the behavior logs of a given APT malware sample. An important component of these logs is the malware's access to files on the host operating system, including which files were loaded, run, modified, and deleted. If a malware sample is available, or even just its hash value, the corresponding behavioral data can be retrieved. If the infected host can be accessed, access records of malware to sensitive system paths on the operating system can also be extracted from the infected host's logs. These abundant and readily available data sources provide data support for modeling the patterns of APT malware accessing sensitive operating system files.
[0004] Chinese invention application No. 202410451466.7 discloses "A method and system for detecting malware based on convolutional neural networks," which includes: establishing a deep learning network to extract multiple features of the software; extracting static and dynamic features of the software separately, and converting the extracted features into grayscale images A and B respectively, and fusing A and B to generate grayscale image c; using a pre-trained network to obtain the depth, detail, and semantic features of c, fusing the obtained features to generate fused features D; inputting D into the classification layer and fully connected layer of the deep learning network for feature classification; training the deep learning network using the fused features D to obtain network parameters and train a classifier, which is used to classify and detect unknown software. Summary of the Invention
[0005] To address the challenge that existing APT malware detection technologies based on static features struggle to cope with the rapid iteration and diversity of APT software, this invention provides a malware detection method based on the access frequency of sensitive filenames. The technical solution adopted by this invention is as follows:
[0006] The first aspect of this invention provides a method for detecting malware based on the access frequency of sensitive filenames, the method comprising: S1: Input file access logs of normal and malicious software on the host operating system during operation; S2: Clean and preprocess the file paths in the file access log; S3: Identify sensitive paths from the preprocessed file paths and extract the accessed file names; S4: Based on the statistical information of the extracted filenames being accessed by normal software and malicious software, calculate the information gain of each filename, and select key filenames according to the information gain; S5: Based on the access history of the software to be detected to the key file names, and combined with a preset threshold matrix, a classification decision is made to determine whether the software to be detected is malicious software.
[0007] As a preferred embodiment, in step S1, the file access log includes at least records of file loading, modification, and deletion operations.
[0008] As a preferred embodiment, the method for cleaning and preprocessing the file paths in the file access log in step S2 includes: S21: Filter access records for non-system disks and non-remote paths; S22: By using a file path normalization mapping table based on regular expressions, the environment variables, short filenames, and de-identification tags in the path string are normalized and replaced, converting them into standard absolute paths.
[0009] As a preferred embodiment, in step S21, a preset regular expression is used to match and retain the system disk path and remote path.
[0010] As a preferred embodiment, in step S3, the method for identifying sensitive paths from the preprocessed file paths and extracting the accessed filenames includes: S31: Based on the predefined sensitive path library, filter out access records belonging to sensitive paths; S32: Perform string splitting on the filtered paths and extract the specific filenames accessed.
[0011] As a preferred embodiment, in step S4, the method for calculating the information gain of each filename based on the extracted statistical information of filenames accessed by normal software and malicious software, and selecting key filenames according to the information gain, includes: S41: Count the number of times each filename is accessed by normal software and malicious software under loading, modification, and deletion operations, and obtain statistical data; S42: Obtain a statistical matrix based on the statistical data, and calculate the information gain for each filename in the statistical matrix; S43: Sort the filenames according to their information gain values and select the ones with the highest information gain. T One filename is used as the key filename.
[0012] As a preferred embodiment, in step S42, a statistical matrix is obtained based on the statistical data. For the statistical matrix, the method for calculating the information gain of each filename includes: A statistical matrix is obtained based on the statistical data. M n ,in , , , These represent the number of times each filename was accessed under the three operations of loading, modifying, and deleting; the statistical matrix... M i The dimension is Behavior tag values This indicates whether the software is normal or malicious; the filenames listed are all those included in the statistics. ,total Item, value Indicates that the name is The file was accessed by legitimate software. Second-rate, ,value Indicates that the name is The file was accessed by malware. Second-rate, ; For statistical matrices M i First, calculate the normal software's... The total number of accesses to each file, which is the sum of the first line, is as follows: ; Then calculate malware pairs The total number of accesses to each file, which is the sum in the second line, is as follows: ; Total visits: ; Ignoring the specific filename, normal software... The access probability of each file in the middle is Malware against The access probability of each file in the middle is ; The original entropy can be obtained as shown in (I): (I) This can be simplified to equation (II): (II) Define the following notation for statistical matrices. The Column, that is, for a file : (1) Event Occurrence is equivalent to an event This indicates that both legitimate and malicious software accessed the file. ; (2) Event Occurrence is equivalent to an event This indicates that neither legitimate nor malicious software accesses the file. ; (3) Consider Files were accessed by normal software. The count, The file was accessed by malware. From the count, it can be deduced that... The file was not accessed by the normal software. The count, Malware did not access the file The count; (4) Then the file The total number of times the software has been accessed by both malicious and legitimate software, i.e., the number of times the software has been accessed by malicious and legitimate software. The sum of the columns is , and the file The number of times it was not visited was ; (5) In this case, both normal software and malicious software accessed the file. probability ; (6) Then neither normal software nor malicious software will access the file. The probability is: ; (7) The file was accessed by both known normal software and malicious software. Under the premise that the event Occurrence, that is The probability that the software is normal software is The probability that the software is malicious is ; (8) The file is not accessed by either known normal software or malicious software. Under the premise that the event Occurrence, that is The probability that the software is normal software is The probability that the software is malicious is ; (9) From (7), we get The entropy below is: Substituting this into the equation, we get (III); (III) (10) From (8), we get The entropy below is: Substituting this into the equation, we get (IV); (IV) The conditional entropy (V) is then synthesized. (V) Substituting equations (5), (6), (9), and (10) and simplifying, we get (VI): (VI) For each file Information gain is defined as in equation (VII): (VII) in, The original entropy is defined as in equation (II); Let be the conditional entropy, as defined in equation (VI).
[0013] As a preferred embodiment, in step S5, the method for determining whether the software to be detected is malware by performing a classification decision based on the access behavior of the key filenames by the software to be detected, combined with a preset threshold matrix, includes: Construct a size of 2× T threshold matrix B , of which elements bi , j Indicates in software category i Below are the key file names j The threshold for the number of visits; The number of times the software under test accesses each key file name is counted, forming an access count vector; Compare the access count vector with the threshold matrix B Comparisons are made using a preset index function. ci , j Determine whether the number of visits exceeds the corresponding threshold; The number of times the threshold is exceeded is accumulated for both normal software and malicious software categories. Based on the accumulated results and the preset comprehensive decision rules, the category of the software to be detected is determined.
[0014] A second aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the aforementioned malware detection method based on the access frequency of sensitive filenames.
[0015] A third aspect of the present invention provides a computer device, including a storage medium, a processor, and a computer program stored in the storage medium and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the aforementioned method for detecting malware based on the access frequency of sensitive filenames.
[0016] Compared with the prior art, the beneficial effects of this invention are: This invention utilizes information gain to filter out the most representative key filenames for distinguishing between benign and malicious software, focusing the monitoring target from massive file access behaviors to a limited number of core sensitive files. This significantly reduces feature dimensionality and computational complexity, enabling the detection method to output results quickly without complex calculations, meeting the high real-time requirements of APT defense scenarios. By constructing an access count matrix based on frequency statistics and directly using filenames with clear system semantics as features, the decision-making basis of the entire detection process is clear and transparent, avoiding the decision ambiguity problems caused by "black box" models such as deep learning, making it easier for security analysts to understand and verify the detection results. By designing a universal file path cleaning and standardization process, path variables, short filenames, environment variables, etc., under different systems and environments (such as sandboxes) are unified into a standard form, so that the core features (key filenames) of the detection model do not depend on specific system versions or static features, effectively addressing the challenges of rapid iteration and cross-platform use of APT software. Attached Figure Description
[0017] Figure 1 A flowchart of a malware detection method based on the access frequency of sensitive filenames provided for this implementation. Detailed Implementation
[0018] The accompanying drawings are for illustrative purposes only and should not be construed as limiting the invention. It should be understood that the described embodiments are merely some, not all, of the embodiments of this application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without creative effort are within the scope of protection of the embodiments of this application.
[0019] The terminology used in the embodiments of this application is for the purpose of describing particular embodiments only and is not intended to limit the embodiments of this application. The singular forms “a,” “the,” and “the” used in the embodiments of this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
[0020] In the following description, when referring to the accompanying drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims. In the description of this application, it should be understood that the terms "first," "second," "third," etc., are used only to distinguish similar objects and are not necessarily used to describe a specific order or sequence, nor should they be construed as indicating or implying relative importance. Those skilled in the art can understand the specific meaning of the above terms in this application according to the specific circumstances.
[0021] Furthermore, in the description of this application, unless otherwise stated, "multiple" means two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. The invention will be further described below with reference to the accompanying drawings and embodiments.
[0022] The present invention will be further described below with reference to the accompanying drawings and embodiments.
[0023] Example 1 Please refer to Figure 1 This embodiment provides a malware detection method based on the access frequency of sensitive filenames, the method comprising: S1: Input file access logs of normal and malicious software on the host operating system during operation; In one specific embodiment, in step S1, the file access log includes at least records of file loading, modification, and deletion operations.
[0024] Specifically, it receives logs of access to host machine files during normal and malware operation, comprising three sub-tables: Load (Read), Modify (Edit and Write), and Delete. Each table entry provides a path, indicating that a file under that path was operated on during software operation; the path format is like "C:\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll". For each sub-table, all path information is extracted, and subsequent operations are performed accordingly.
[0025] S2: Clean and preprocess the file paths in the file access log; In a specific embodiment, the method for cleaning and preprocessing the file paths in the file access log in step S2 includes: S21: Filter access records for non-system disks and non-remote paths; In one specific embodiment, in step S21, a preset regular expression is used to match and retain the system disk path and the remote path; Specifically, considering that sensitive system files are mainly located on the system drive or remote network paths, to simplify processing and reduce the number of paths, files with root directories other than the system drive or remote paths are removed during input. The specific removal method uses regular expressions to match the root path "C:\\" and the remote path "...". \\remote hostname\\ For remote hostnames that are not specified, such as "" or "\\?\\", the regular expression used is: "^\s*C:\s*\\+|^\s*\\\\[a-zA-Z\?\d\-]*\\|", with a case-insensitive matching mode.
[0026] It should be noted that after removing non-system drive paths, the remaining paths may have the following problems: (1) The path is damaged or incomplete. Some software uses asynchronous calls, multi-threaded delays, etc. to make some operations outside the monitoring window, or the data in some buffers is not written back in time when the sandbox rolls back transactions. All of these reasons may lead to incomplete access path records.
[0027] (2) The path is a relative path. To ensure universality, some software uses relative paths to access system resources, resulting in multiple root directories and first-level directories, but all pointing to the same directory. For example, "%HOMEPATH%" is used instead of "C:\Users\admin", and "%SYSTEM32%" is used instead of "C:\Windows\System32", etc.
[0028] (3) Different hosts have different names for the same directory. For example, "Administrator" and "Admin" both point to the administrator directory.
[0029] (4) Different sandboxes have different path desensitization rules. Some paths may contain host machine username information, and different sandboxes use different desensitization methods for this part. Common methods include " <username>"Desensitization was performed, but some parts were not desensitized, or were desensitized using other symbols, such as "xxx".
[0030] (5) The path uses Windows 8.3 short file name system to be compatible with older systems, such as "C:\Users\ADMINI~1\AppData\Local\Temp".
[0031] This part of the path must be processed and cleaned before it can be used; otherwise, it will introduce noise and affect the selection of critical filenames.
[0032] S22: By using a file path normalization mapping table based on regular expressions, the environment variables, short filenames, and de-identification tags in the path string are normalized and replaced, converting them into standard absolute paths; Specifically, to further clean up the paths, this invention introduces a file path normalization mapping table based on regular expressions, which is used to replace the part of the path string that satisfies the "matching pattern" column with the string in the "replacement pattern" column. The matching rule is to ignore case matching, as shown in Table 1.
[0033] Table 1 File path normalization table based on regular expressions
[0034] S3: Identify sensitive paths from the preprocessed file paths and extract the accessed file names; In one specific embodiment, in step S3, the method for identifying sensitive paths from the preprocessed file paths and extracting the accessed filenames includes: S31: Based on the predefined sensitive path library, filter out access records belonging to sensitive paths; Specifically, after completing path cleaning, a sensitive path database can be built as needed to further filter sensitive paths. For example, Windows versions of APT software often reside in system folders, such as "C:\ProgramData\Microsoft\Windows", or reside as temporary files in "C:\Users\ <username>"\AppData\TEMP", or "C:\Users\" where downloaded files are temporarily stored. <username>Clues are left in the "Downloads" folder. APT software often involves modifying logs for persistence, so it will write to "C:\Windows\System32\winevt\Logs"; it will also create Python programs in the root directory to run for various specific purposes. Sensitive path libraries can be configured as needed to further preserve sensitive paths.
[0035] S32: Perform string splitting on the filtered paths and extract the specific filenames accessed; Specifically, the retained sensitive paths take the form of: The path "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls" can be split using the string splitting method, retaining only the accessed filename SortDefault.nls.
[0036] S4: Based on the statistical information of the extracted filenames being accessed by normal software and malicious software, calculate the information gain of each filename, and select key filenames according to the information gain; In one specific embodiment, in step S4, the method for calculating the information gain of each filename based on the extracted statistical information of filenames accessed by normal software and malicious software, and selecting key filenames according to the information gain, includes: S41: Count the number of times each filename is accessed by normal software and malicious software under loading, modification, and deletion operations, and obtain statistical data; S42: Obtain a statistical matrix based on the statistical data, and calculate the information gain for each filename in the statistical matrix; S43: Sort the filenames according to their information gain values and select the ones with the highest information gain. T Each filename is used as a key filename; Specifically, the files are sorted in descending order based on their information gain values.
[0037] In a specific embodiment, in step S42, a statistical matrix is obtained based on the statistical data. The method for calculating the information gain of each filename for the statistical matrix includes: A statistical matrix is obtained based on the statistical data. M n ,in , , , These represent the number of times each filename was accessed under the three operations of loading, modifying, and deleting; the statistical matrix... M i The dimension is Behavior tag values This indicates whether the software is normal or malicious; the filenames listed are all those included in the statistics. ,total Item, value Indicates name The file was accessed by legitimate software. Second-rate, ,value Indicates that the name is The file was accessed by malware. Second-rate, ; For statistical matrices M i First, calculate the normal software's... The total number of accesses to each file, which is the sum of the first line, is as follows: ; Then calculate malware pairs The total number of accesses to each file, which is the sum in the second line, is as follows: ; Total visits: ; Ignoring the specific filename, normal software... The access probability of each file in the middle is Malware against The access probability of each file in the middle is ; The original entropy can be obtained as shown in (I): (I) This can be simplified to equation (II): (II) Define the following notation for statistical matrices. The Column, that is, for a file : (1) Event Occurrence is equivalent to an event This indicates that both legitimate and malicious software accessed the file. ; (2) Event Occurrence is equivalent to an event This indicates that neither legitimate nor malicious software accesses the file. ; (3) Consider Files were accessed by normal software. The count, The file was accessed by malware. From the count, it can be deduced that... The file was not accessed by the normal software. The count, Malware did not access the file The count; (4) Then the file The total number of times the software has been accessed by both malicious and legitimate software, i.e., the number of times the software has been accessed by malicious and legitimate software. The sum of the columns is , and the file The number of times it was not visited was ; (5) In this case, both normal software and malicious software accessed the file. probability ; (6) Then neither normal software nor malicious software will access the file. The probability is: ; (7) The file was accessed by both known normal software and malicious software. Under the premise that... that is, the event... Occurrence, that is The probability that the software is normal software is The probability that the software is malicious is ; (8) The file is not accessed by either known normal software or malicious software. Under the premise that the event Occurrence, that is The probability that the software is normal software is The probability that the software is malicious is ; (9) From (7), we get The entropy below is: Substituting this into the equation, we get (III); (III) (10) From (8), we get The entropy below is: Substituting this into the equation, we get (IV); (IV) The conditional entropy (V) is then synthesized. (V) Substituting equations (5), (6), (9), and (10) into equation (VI) simplifies to (VI).
[0038] (VI) For each file Information gain is defined as in equation (VII): (VII) in, The original entropy is defined as in equation (II); Let be the conditional entropy, as defined in equation (VI).
[0039] S5: Based on the access history of the software to be detected to the key file names, and combined with a preset threshold matrix, a classification decision is made to determine whether the software to be detected is malicious software. In a specific embodiment, in step S5, the method for determining whether the software to be detected is malware by performing a classification decision based on the access behavior of the key file names by the software to be detected and in conjunction with a preset threshold matrix includes: Construct a size of 2× T threshold matrix B , of which elements bi , j Indicates in software category i Below are the key file names j The threshold for the number of visits; The number of times the software under test accesses each key file name is counted, forming an access count vector; Compare the access count vector with the threshold matrix B Comparisons are made using a preset index function. ci , j Determine whether the number of visits exceeds the corresponding threshold; Specifically, the index function is: ,in, Then, the software that accesses each critical file more than the threshold number of times is considered normal: Malware that accessed critical files more than the threshold number of times was: .
[0040] The number of times the threshold is exceeded is accumulated for both normal software and malicious software categories. Based on the accumulated results and the preset comprehensive decision rules, the category of the software to be detected is determined. Specifically, two preset hyperparameters are determined. ,Will The hyperparameters serve as comprehensive decision-making parameters. It can be specified based on experience or determined based on the actual situation of training data (known file path access records of good and bad software during runtime); By comparison The relationship between the four parameters is used to complete the classification decision, specifically: when At any time, regardless and Regardless of the relationship, the software is judged to be malicious; when When the software is deemed benign, it is considered healthy. At that time, it was impossible to determine whether the software was good or bad. Specifically, it was necessary to determine the comprehensive decision parameters. By comparison The relationship between the four parameters is used to complete the classification decision.
[0041] Example 2 This embodiment provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements the steps of the malware detection method based on the access frequency of sensitive filenames described in Embodiment 1.
[0042] Example 3 This embodiment provides a computer device, including a storage medium, a processor, and a computer program stored in the storage medium and executable by the processor. When the computer program is executed by the processor, it implements the steps of the malware detection method based on the access frequency of sensitive filenames described in Embodiment 1.
[0043] Obviously, the above embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the implementation of the present invention. Those skilled in the art can make other variations or modifications based on the above description. It is neither necessary nor possible to exhaustively describe all embodiments here. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the claims of the present invention.< / username> < / username> < / username>
Claims
1. A method for detecting malware based on the access frequency of sensitive filenames, characterized in that, The method includes: S1: Input file access logs of normal and malicious software on the host operating system during operation; S2: Clean and preprocess the file paths in the file access log; S3: Identify sensitive paths from the preprocessed file paths and extract the accessed file names; S4: Based on the statistical information of the extracted filenames being accessed by normal software and malicious software, calculate the information gain of each filename, and select key filenames according to the information gain; S5: Based on the access history of the software to be detected to the key file names, and combined with a preset threshold matrix, a classification decision is made to determine whether the software to be detected is malicious software.
2. The malware detection method based on the access frequency of sensitive filenames according to claim 1, characterized in that, In step S1, the file access log includes at least records of file loading, modification, and deletion operations.
3. The malware detection method based on the access frequency of sensitive filenames according to claim 1, characterized in that, In step S2, the method for cleaning and preprocessing the file paths in the file access log includes: S21: Filter access records for non-system disks and non-remote paths; S22: By using a file path normalization mapping table based on regular expressions, the environment variables, short filenames, and de-identification tags in the path string are normalized and replaced, converting them into standard absolute paths.
4. The malware detection method based on the access frequency of sensitive filenames according to claim 3, characterized in that, In step S21, a preset regular expression is used to match and preserve the system disk path and remote path.
5. The malware detection method based on the access frequency of sensitive filenames according to claim 1, characterized in that, In step S3, the method for identifying sensitive paths from the preprocessed file paths and extracting the accessed filenames includes: S31: Based on the predefined sensitive path library, filter out access records belonging to sensitive paths; S32: Perform string splitting on the filtered paths and extract the specific filenames accessed.
6. The malware detection method based on the access frequency of sensitive filenames according to claim 1, characterized in that, In step S4, the method for calculating the information gain of each filename based on the extracted statistical information of filename access by normal software and malicious software, and selecting key filenames according to the information gain, includes: S41: Count the number of times each filename is accessed by normal software and malicious software under loading, modification, and deletion operations, and obtain statistical data; S42: Obtain a statistical matrix based on the statistical data, and calculate the information gain for each filename in the statistical matrix; S43: Sort the filenames according to their information gain values and select the ones with the highest information gain. T One filename is used as the key filename.
7. The malware detection method based on the access frequency of sensitive filenames according to claim 6, characterized in that, In step S42, a statistical matrix is obtained based on the statistical data. For the statistical matrix, the method for calculating the information gain of each filename includes: A statistical matrix is obtained based on the statistical data. M n ,in , , , These represent the number of times each filename was accessed under the three operations of loading, modifying, and deleting; the statistical matrix... M i The dimension is Behavior tag values This indicates whether the software is normal or malicious; the filenames listed are all those included in the statistics. ,total Item, value Indicates name The file was accessed by legitimate software. Second-rate, ,value Indicates name The file was accessed by malware. Second-rate, ; For statistical matrices M i First, calculate the normal software's... The total number of accesses to each file, which is the sum of the first line, is as follows: ; Then calculate malware pairs The total number of accesses to each file, which is the sum in the second line, is as follows: ; Total visits: ; Ignoring the specific filename, normal software... The access probability of each file in the middle is Malware against The access probability of each file in the middle is ; The original entropy can be obtained as shown in (I): (I) This can be simplified to equation (II): (II) Define the following notation for statistical matrices. The Column, that is, for a file : (1) Event Occurrence is equivalent to an event This indicates that both legitimate and malicious software accessed the file. ; (2) Event Occurrence is equivalent to an event This indicates that neither legitimate nor malicious software accesses the file. ; (3) Consider Files were accessed by normal software. The count, The file was accessed by malware. From the count, it can be deduced that... The file was not accessed by the normal software. The count, Malware did not access the file The count; (4) Then the file The total number of times the software has been accessed by both malicious and legitimate software, i.e., the number of times the software has been accessed by malicious and legitimate software. The sum of the columns is , and the file The number of times it was not visited was ; (5) In this case, both normal software and malicious software accessed the file. probability ; (6) Then neither normal software nor malicious software will access the file. The probability is: ; (7) The file was accessed by both known normal software and malicious software. Under the premise that the event Occurrence, that is The probability that the software is normal software is... The probability that the software is malicious is ; (8) The file is not accessed by either known normal software or malicious software. Under the premise that the event Occurrence, that is The probability that the software is normal software is... The probability that the software is malicious is ; (9) From (7), we get The entropy below is: Substituting this into the equation, we get (III); (III) (10) From (8), we get The entropy below is: Substituting this into the equation, we get (IV); (IV) The conditional entropy (V) is then synthesized. (V) Substituting equations (5), (6), (9), and (10) and simplifying, we get (VI): (WE) For each file Information gain is defined as in equation (VII): (VII) in, The original entropy is defined as in equation (II); Let be the conditional entropy, as defined in equation (VI).
8. The malware detection method based on the access frequency of sensitive filenames according to claim 7, characterized in that, In step S5, the method for determining whether the software to be detected is malware by performing a classification decision based on the access behavior of the key file names by the software to be detected and in conjunction with a preset threshold matrix includes: Construct a size of 2× T threshold matrix B , of which elements bi , j Indicates in software category i Below are the key file names j The threshold for the number of visits; The number of times the software under test accesses each key file name is counted, forming an access count vector; Compare the access count vector with the threshold matrix B Comparisons are made using a preset index function. ci , j Determine whether the number of visits exceeds the corresponding threshold; The number of times the threshold is exceeded is accumulated for both normal software and malicious software categories. Based on the accumulated results and the preset comprehensive decision rules, the category of the software to be detected is determined.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that: When the computer program is executed by a processor, it implements the steps of a malware detection method based on the access frequency of sensitive filenames as described in any one of claims 1 to 8.
10. A computer device, characterized in that: The device includes a storage medium, a processor, and a computer program stored in the storage medium and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of a malware detection method based on the access frequency of sensitive filenames as described in any one of claims 1 to 8.