基于IRP的未知恶意代码检测方法  被引量:3

Unknown Malware Detection Based on IRP

在线阅读下载全文

作  者:张福勇[1] 齐德昱[1] 胡镜林[1] 

机构地区:[1]华南理工大学计算机系统研究所,广东广州510006

出  处:《华南理工大学学报(自然科学版)》2011年第4期15-20,共6页Journal of South China University of Technology(Natural Science Edition)

基  金:国家技术创新基金资助项目(08C26214411198);粤港关键领域重点突破项目(2008A011400010)

摘  要:目前采用的基于API的恶意代码检测方法只能检测运行在用户态的恶意代码,不能检测运行在内核态、采用内核API调用的恶意代码.为此,文中提出基于I/O请求包(IRP)的未知恶意代码检测方法.应用朴素贝叶斯、贝叶斯网络、支持向量机、C4.5决策树、Boosting、否定选择算法及针对IRP序列特点改进的人工免疫算法对捕获的IRP序列进行检测,并比较了各种算法在不同特征选择方法下的检测效果.结果表明:所提出的基于IRP的未知恶意代码检测方法是可行的;在所有方法中,采用Fisher score进行特征选择的Boosting决策树算法可获得最高的检测率(98.3%);采用改进的人工免疫算法,通过精选的少量仅在恶意代码中存在的IRP序列,可获得95.0%的检测率,且误检率为0.As the malware detection method based on API can only detect the malware running in user mode and is noneffective for the malware running in kernel mode and calling kernel APIs,a novel detection method of unknown malware is proposed based on IRP(I/O Request Packet).Then,the Nave Bayes,the Bayesian networks,the support vector machine,the C4.5 decision tree,the Boosting,the negative selection algorithm and an improved artificial immune system are used to classify IRP sequences for malware detection,and the detection rates of all the above-mentioned methods with different feature selection algorithms are compared.The results demonstrate that(1) the proposed method is effective in malware detection;(2) the Boosting decision tree with Fisher score feature selection algorithm outperforms other detection methods,with the highest detection rate of 98.3%;(3) the improved artificial immune system,which detects malware by selected IRP subsequences only existing in malware's IRP sequences,performs well,with a detection rate of 95.0% and a false detection rate of 0.

关 键 词:I/O请求包 人工免疫系统 数据挖掘 恶意代码检测 特征选择 检测率 误检率 

分 类 号:TP309[自动化与计算机技术—计算机系统结构]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象