Design and Implementation of Algorithm for Clustering and Clustering Fusion Based on File Instructions in Malicious Software Detection


Authors: ZHENG Tao; DENG Yongqiang [1] (Guangdong Vocational College of Science and Technology, Guangdong 510640, China)

Affiliation: [1] Guangdong Vocational College of Science and Technology, Guangdong 519090

Source: 《电子技术(上海)》 (Electronic Technology), 2024, No. 6, pp. 56-61 (6 pages)

Funding: Guangdong Vocational College of Science and Technology institutional demonstration course project on ideological and political education in the curriculum (Photoshop Image Processing); Guangdong Vocational College of Science and Technology institutional "Golden Course" project (Demonstration of Image Processing Teaching Methods); 2023 Guangdong Provincial Committee Youth Research Joint Project (2023GJ051); 2023 Guangdong Province New Media Industry-Education Integration Innovation Platform Project (2023CJPT002).

Abstract: Traditional antivirus methods that take the client as the battlefield can no longer keep up with security requirements amid today's explosive growth of malicious software; how to automatically, quickly and accurately identify, analyze and process large numbers of unknown files poses new requirements and challenges for data mining. This paper describes a method of expressing malware features based on file instructions. For irrelevant instruction-sequence features, a weighted subspace clustering method, WKM, is proposed, which addresses the difficulty traditional clustering has in finding submerged families when searching the full feature space. For instruction-frequency features, a hybrid clustering method, PFHK, is proposed, which handles the shape distortion and uneven density of malware that hierarchical or partitioning methods alone cannot handle. A clustering fusion method, CCE, is introduced to fuse the results of different clustering algorithms, and user-defined constraints can also be added. Compared with other commonly used anti-malware software, the number of viruses detected per day is 1.2 to 1.3 times theirs, and its performance is significantly better than that of commonly used anti-malware software when the run time exceeds 30 s.

Keywords: clustering; clustering fusion; malware clustering; file instructions; instruction frequency

Classification: TP18 [Automation and Computer Technology: Control Theory and Control Engineering]; TP311.13 [Automation and Computer Technology: Control Science and Engineering]

 
