Author: WANG Hui (王慧) [1] (School of Information Network Security, People's Public Security University of China, Beijing 100038, China)
Affiliation: [1] School of Information Network Security, People's Public Security University of China, Beijing 100038
Source: Journal of People's Public Security University of China (Science and Technology), 2021, No. 3, pp. 61-65 (5 pages)
Funding: Fundamental Research Funds for the Central Universities (2020JKF103).
Abstract: Analysis of the behavioral characteristics and programming structure of malicious code is usually based on its disassembly file. The basic instruction sequences contained in that file characterize the program's design purpose and the author's programming habits. To mine the family behavior characteristics of malicious files, a simplified sequence representation built from the opcode field of the assembly instructions is constructed, and it is pointed out that, for the simplified-code population formed from binary byte-code sequences of unequal length, the maximal frequent sequence set represents the malicious behavior pattern of the family. To accelerate the extraction of malicious behavior patterns and obtain the homologous features of a code family, a particle swarm frequent sequence discovery algorithm over simplified code sets, PSO-AMFIS, is designed by combining the technical advantages of swarm intelligence optimization with the idea of association mining. The designed association analysis process solves the feature fitting of the malicious model, and the random iterative optimization of the particles allows incremental prediction of abnormal patterns. PSO-AMFIS is applied to a sampled Kaggle data set, and the pattern matching results of the resulting frequent sequence set verify that the algorithm has high credibility for analyzing the behavioral characteristics of malicious code families.
Classification: TP393.08 (Automation and Computer Technology: Computer Application Technology)