Windows malicious process detection method with path IRP (cited by: 5)


Authors: 张福勇 (Zhang Fuyong)[1], 赵铁柱 (Zhao Tiezhu)[1]

Affiliation: [1] School of Computer Science, Dongguan University of Technology (东莞理工学院), Dongguan, Guangdong 523808, China

Source: Journal of Shenyang University of Technology (《沈阳工业大学学报》), 2015, No. 4, pp. 434-439 (6 pages)

Funding: National Natural Science Foundation of China (61402106)

Abstract: The I/O request packet (IRP) sequences that a program generates are not fully identical across different environments of the same operating system, which affects detection results. To address this, a Windows malicious process detection method based on path IRP is proposed. The IRP request sequence of each individual operation path is extracted separately, and detection is performed with Naive Bayes, Bayesian networks, support vector machines, the C4.5 decision tree and an improved artificial immune algorithm (IAIS); the detection results of these algorithms under different feature selection methods are compared. Experimental results show that the proposed path-IRP detection method is effective and feasible. Among all methods, Naive Bayes with Fisher score feature selection achieves the highest detection rate, 99.2%, outperforming the malicious process detection method based on whole IRP sequences.

Keywords: network and information security; intrusion detection; artificial immune system; malicious process detection; machine learning; feature selection; I/O request packets; dynamic analysis

Classification: TP309 [Automation and Computer Technology - Computer System Architecture]
