A malware detection model based on a negative selection algorithm with penalty factor (基于带有惩罚因子的阴性选择算法的恶意程序检测模型)

Cited by: 7


Authors: 张鹏涛 [1,2], 王维 [1,2], 谭营 [1,2]

Affiliations: [1] Department of Intelligence Science, School of Electronics Engineering and Computer Science, Peking University, Beijing 100871, China; [2] Key Laboratory of Machine Perception (Ministry of Education), Peking University, Beijing 100871, China

Source: Scientia Sinica Informationis (《中国科学:信息科学》), 2011, No. 7, pp. 798-812 (15 pages)

Funding: National Natural Science Foundation of China (grant nos. 60673020, 60875080); National High Technology Research and Development Program of China (grant no. 2007AA01Z453)

Abstract: A malware detection model based on a negative selection algorithm with penalty factor (NSAPF) is proposed in this paper. The model first performs a tendency analysis of instructions from two angles, the frequency of each instruction and the number of files that contain it, and extracts a malware instruction library (MIL) of instructions that tend to appear in malware. Using the MIL, the model splits program bit strings in order into short substrings and obtains a malware candidate signature library (MCSL) and a benign-program malware-like signature library (BPMSL). On this basis, the NSAPF uses a penalty, rather than outright rejection, for candidate signatures according to how they match "self" and "nonself", and divides the MCSL into two malware detection signature libraries, MDSL1 and MDSL2, which serve as a two-dimensional reference for detecting suspicious programs. Combining the matching values of a suspicious program against MDSL1 and MDSL2, the model classifies it as benign or malware. Introducing a penalty factor C into the negative selection algorithm frees the model from the drawback of traditional negative selection algorithms, which define harmfulness purely in terms of "self" and "nonself", and lets it focus instead on the harmfulness of the code itself; this fully exploits and tunes the representativeness of the signatures, improving detection while allowing the model to meet users' differing requirements for true positive and false positive rates. Experimental results confirm that the model achieves a high true positive rate on completely unknown malware, with strong generalization ability, while keeping a low false positive rate. By adjusting the penalty factor C, the model can balance and tune the true positive and false positive rates to obtain better detection performance.
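The abstract describes the pipeline only at a high level (split programs into short bit strings, collect candidate signatures from malware and "self" signatures from benign programs, sort candidates into MDSL1/MDSL2 by whether they match self, score a suspicious program against both libraries, and tune the trade-off with a penalty factor C). The example below is added here to make that pipeline concrete; it is not the authors' code, and the page does not give their actual signature length, scoring formula or splitting rule. The choices made here are assumptions: a signature is a fixed-length byte n-gram (`N = 2` so the arithmetic is checkable by hand), MDSL1 holds candidate signatures never seen in benign programs, MDSL2 holds candidates that also occur in benign programs, and an MDSL2 match is down-weighted by `1 / (1 + C)` instead of being discarded as classic negative selection would do. The sample corpus is constructed for illustration.

```python
"""Illustrative negative selection with a penalty factor.

Added example for the abstract above; NOT the paper's implementation.
Assumptions (not on the page): byte 2-gram signatures, the MDSL1/MDSL2
split rule, and the penalty formula m1 + m2 / (1 + C).
"""
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

N = 2  # signature length in bytes (assumption; chosen small for hand-checking)


def split_signatures(program: bytes, n: int = N) -> Set[bytes]:
    """Split a program's byte string, in order, into all length-n substrings."""
    return {program[i:i + n] for i in range(len(program) - n + 1)}


def build_libraries(malware: Iterable[bytes], benign: Iterable[bytes],
                    n: int = N) -> Tuple[Counter, Counter]:
    """MCSL: candidate signatures from malware; BPMSL: signatures seen in benign code.

    Counters record in how many programs each signature occurred (file frequency).
    """
    mcsl: Counter = Counter()
    for p in malware:
        mcsl.update(split_signatures(p, n))
    bpmsl: Counter = Counter()
    for p in benign:
        bpmsl.update(split_signatures(p, n))
    return mcsl, bpmsl


def split_by_self(mcsl: Counter, bpmsl: Counter) -> Tuple[Set[bytes], Set[bytes]]:
    """Assumed NSAPF step: candidates that never match 'self' form MDSL1; candidates
    that also appear in benign programs are kept in MDSL2 instead of being dropped."""
    mdsl1 = {s for s in mcsl if s not in bpmsl}
    mdsl2 = {s for s in mcsl if s in bpmsl}
    return mdsl1, mdsl2


def match_values(program: bytes, mdsl1: Set[bytes], mdsl2: Set[bytes],
                 n: int = N) -> Tuple[int, int, int]:
    """Return (matches against MDSL1, matches against MDSL2, total signatures)."""
    sigs = split_signatures(program, n)
    return len(sigs & mdsl1), len(sigs & mdsl2), len(sigs)


def score(program: bytes, mdsl1: Set[bytes], mdsl2: Set[bytes], C: float,
          n: int = N) -> float:
    """Assumed combined match value: MDSL1 hits count fully, MDSL2 hits are
    penalised by 1/(1+C). C = 0 means no penalty; larger C trusts self-matching
    signatures less, trading true positives for fewer false positives."""
    m1, m2, total = match_values(program, mdsl1, mdsl2, n)
    if total == 0:
        return 0.0
    return (m1 + m2 / (1.0 + C)) / total


def classify(program: bytes, mdsl1: Set[bytes], mdsl2: Set[bytes], C: float,
             threshold: float = 0.3, n: int = N) -> str:
    return "malware" if score(program, mdsl1, mdsl2, C, n) >= threshold else "benign"


# Constructed sample corpus (not real programs): letters stand in for bytes.
MALWARE = [b"AABBCC", b"BBCCDD"]
BENIGN = [b"CCDDEE", b"EEFFGG"]
SUSPECTS = {
    "unknown_with_malware_only_code": b"AABBZZ",   # hits MDSL1 only
    "benign_sharing_code_with_malware": b"CCDDZZ", # hits MDSL2 only
    "known_malware": b"BBCCDD",                    # hits both libraries
}


def demo(C: float) -> Dict[str, str]:
    """Train on the constructed corpus and classify the suspects for one value of C."""
    mcsl, bpmsl = build_libraries(MALWARE, BENIGN)
    mdsl1, mdsl2 = split_by_self(mcsl, bpmsl)
    return {name: classify(p, mdsl1, mdsl2, C) for name, p in SUSPECTS.items()}


if __name__ == "__main__":
    for C in (0.0, 4.0):
        print(f"C={C}: {demo(C)}")
```

With C = 0 every MDSL2 hit counts in full, so the benign-looking suspect that merely shares code with malware is flagged; raising C to 4 drops its score from 0.6 to 0.12 and it is classified benign, while the suspect whose signatures are unique to malware scores 0.6 at either setting. That is the lever the abstract describes: C adjusts how much weight self-matching signatures carry, and thereby the balance between true and false positive rates.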

Keywords: penalty factor; negative selection algorithm; feature extraction; artificial immune system; malware detection

Classification: TP393.08 [Automation and Computer Technology: Computer Application Technology]
