1. School of Network and Information Security, Xidian University, Xi'an 710071, Shaanxi, China
2. School of Cyberspace Security, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China
HU Jianwei (1973- ), male, born in Jinhua, Zhejiang; Ph.D., associate professor at Xidian University. His main research interests are computer networks, industrial control systems, and the security, attack and defense of network software and hardware devices.
CHE Xin (1993- ), male, born in Wuhu, Anhui; master's student at Xidian University. His main research interests are information security and industrial control security.
ZHOU Man (1994- ), female, born in Xiaogan, Hubei; Ph.D. student at Huazhong University of Science and Technology. Her main research interests are malicious code detection, intrusion detection, and IoT security.
CUI Yanpeng (1978- ), female, born in Changchun, Jilin; Ph.D., associate professor at Xidian University. Her main research interests are electronic warfare signal processing, electronic warfare system simulation, and radar target recognition.
Online publication date: 2019-06
Print publication date: 2019-06-25
胡建伟, 车欣, 周漫, 等. 基于高斯混合模型的增量聚类方法识别恶意软件家族[J]. 通信学报, 2019,40(6):148-159. DOI: 10.11959/j.issn.1000-436x.2019135.
Jianwei HU, Xin CHE, Man ZHOU, et al. Incremental clustering method based on Gaussian mixture model to identify malware family[J]. Journal on communications, 2019, 40(6): 148-159. DOI: 10.11959/j.issn.1000-436x.2019135.
Abstract: Since the behavioral characteristics of malware belonging to the same family are logically similar, malware features were extracted from the perspective of behavior detection by tracking the logic rules of API function calls, and static analysis and dynamic analysis were combined to analyze the malicious behavior characteristics. In addition, according to the purpose, inheritance and diversity of malware families, a transitive closure relationship over malware families was constructed, and the incremental clustering method based on the Gaussian mixture model was improved to identify malware families. Experiments show that the proposed method not only saves storage space for malware detection, but also significantly improves the detection accuracy and recognition rate.
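The abstract's "transitive closure relationship" over malware families is the idea that if sample A is behaviourally related to B and B to C, then A, B and C belong to one family even when A and C share little directly. The example below is an added illustration and not the paper's code: it does not reproduce the paper's feature definition, similarity measure or GMM clustering. It assumes API-call "logic rules" can be modelled as (caller API, callee API) pairs, that Jaccard similarity above a threshold (0.4, an arbitrary choice) makes a direct "same family" link, and that families are the groups produced by the transitive closure of that relation; all sample data is constructed. It also shows the incremental case the abstract alludes to: a newly arriving sample extends the closure without recomputing it from scratch.

```python
"""Added illustration (not the paper's code): malware families as the
transitive closure of a pairwise behavioural-similarity relation over
API-call feature sets, with incremental extension for new samples.
All sample data below is constructed."""
from itertools import combinations

# Constructed toy data: each sample maps to the set of API-call "logic rules"
# observed for it, modelled here as ordered (caller API, callee API) pairs.
SAMPLES = {
    "s1": {("CreateFileW", "WriteFile"), ("WriteFile", "CloseHandle"),
           ("RegOpenKeyExW", "RegSetValueExW")},
    "s2": {("CreateFileW", "WriteFile"), ("WriteFile", "CloseHandle"),
           ("InternetOpenW", "InternetReadFile")},
    "s3": {("InternetOpenW", "InternetReadFile"),
           ("InternetReadFile", "WriteFile"), ("WriteFile", "CloseHandle")},
    "s4": {("OpenProcess", "WriteProcessMemory"),
           ("WriteProcessMemory", "CreateRemoteThread")},
}
THRESHOLD = 0.4  # assumed similarity cut-off for a direct "same family" link


def jaccard(a, b):
    """Jaccard similarity of two rule sets (1.0 for two empty sets)."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def direct_relation(samples, threshold=THRESHOLD):
    """R = {(x, y) : jaccard(x, y) >= threshold}, stored as adjacency sets."""
    rel = {s: set() for s in samples}
    for x, y in combinations(samples, 2):
        if jaccard(samples[x], samples[y]) >= threshold:
            rel[x].add(y)
            rel[y].add(x)
    return rel


def transitive_closure(rel):
    """Warshall-style closure: x ~ z whenever x ~ y and y ~ z for some y."""
    closure = {x: set(ys) for x, ys in rel.items()}
    for k in closure:
        for i in closure:
            if k in closure[i]:
                closure[i] |= closure[k]
    for x in closure:
        closure[x].discard(x)   # drop the self-loops the union introduced
    return closure


def families(closure):
    """Each sample together with everything reachable from it is one family."""
    groups = {frozenset({x} | ys) for x, ys in closure.items()}
    return sorted(tuple(sorted(g)) for g in groups)


def add_sample(samples, closure, new_id, rules, threshold=THRESHOLD):
    """Incrementally extend the closure with one new sample: only its direct
    links are computed, then every family it touches is merged into one."""
    samples[new_id] = rules
    direct = {y for y in closure if jaccard(rules, samples[y]) >= threshold}
    reach = set(direct)
    for y in direct:
        reach |= closure[y]
    reach.discard(new_id)
    closure[new_id] = reach
    for y in reach:
        closure[y] |= (reach - {y}) | {new_id}
    return direct


def demo():
    """Run the pipeline on the constructed data; returns (before, after, links)."""
    samples = {k: set(v) for k, v in SAMPLES.items()}
    closure = transitive_closure(direct_relation(samples))
    before = families(closure)
    # s5 shares rules with s1, s2 and s4, so its arrival merges two families.
    links = add_sample(samples, closure, "s5", {
        ("OpenProcess", "WriteProcessMemory"),
        ("WriteProcessMemory", "CreateRemoteThread"),
        ("CreateFileW", "WriteFile"), ("WriteFile", "CloseHandle")})
    return before, families(closure), links


if __name__ == "__main__":
    before, after, links = demo()
    print("families before s5:", before)
    print("s5 links directly to:", sorted(links))
    print("families after s5:", after)
```

In the constructed data s1 and s3 share only one rule and are not directly linked, yet they end up in one family through s2; that is the transitivity the abstract relies on. The incremental step matters for the storage claim: a new sample needs comparison against existing samples and a merge of the families it touches, not a full re-clustering.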