API based sequence and statistical features in a combined malware detection architecture
LU Xiaofeng1, JIANG Fangshuo1, ZHOU Xiao1, CUI Baojiang1, YI Shengwei2, SHA Jing3
1. School of Cyberspace Security, Beijing University of Post and Telecommunications, Beijing 100876, China; 2. China Information Technology Security Evaluation Center, Beijing 100085, China; 3. The Third Research Institute of Ministry of Public Security, Shanghai 201204, China
摘要针对恶意样本行为分析,该文提出了一种组合机器学习框架,首先对应用程序编程接口(application programming interface,API)序列中调用的依赖关系进行功能层面上的分析,提取特征,使用随机森林进行检测;其次利用深度学习中的循环神经网络处理时间序列数据的特性,在冗余信息预处理的基础上,直接对序列进行学习和检测;最后对2种方法进行了组合。在恶意软件样本上进行的实验结果表明: 2种方法均可有效检测恶意样本,但是组合学习的效果更优,AUC (area under the curve of ROC)达到99.3%,优于现有的类似研究结果。
Abstract:This paper presents a combined machine learning framework for malware behavior analyses. One part of the framework analyzes the dependency relation in the API call sequence at the functional level to extract features to train and classify a random forest. The other part uses a recurrent neural network (RNN) to study the API sequence to identify malware with redundant information preprocessing using the RNN time series forecasting ability. Tests on a malware dataset show that both methods can effectively detect malwares. However, the combined framework is better with an AUC of 99.3%.
芦效峰, 蒋方朔, 周箫, 崔宝江, 伊胜伟, 沙晶. 基于API序列特征和统计特征组合的恶意样本检测框架[J]. 清华大学学报(自然科学版), 2018, 58(5): 500-508.
LU Xiaofeng, JIANG Fangshuo, ZHOU Xiao, CUI Baojiang, YI Shengwei, SHA Jing. API based sequence and statistical features in a combined malware detection architecture. Journal of Tsinghua University(Science and Technology), 2018, 58(5): 500-508.
[1] WANG X Z, LIU J W, CHEN X E. Say no to overfitting. (2017-05-31). https://www.kaggle.com/c/malware-classification/discussion/13897. [2] LIPTON Z C, BERKOWITZ J, ELKAN C. A critical review of recurrent neural networks for sequence learning[J]. arXiv preprint arXiv:1506.00019, 2015. [3] 黄全伟. 基于N-Gram系统调用序列的恶意代码静态检测[D]. 哈尔滨:哈尔滨工业大学, 2009.HUANG Q W. Malicious executables detection based on N-Gram system call sequences[D]. Harbin:Harbin Institute of Technology, 2009.(in Chinese) [4] 刘阳. 应用随机森林与神经网络算法检测与分析Android应用恶意样本[D]. 北京:北京交通大学, 2015.LIU Y. Employing the algorithms of random forest and neural networks for the detection and analysis of malicious code of Android applications[D]. Beijing:Beijing Jiaotong University, 2015. (in Chinese) [5] 杨宏宇, 徐晋. 基于改进随机森林算法的Android恶意软件检测[J]. 通信学报, 2017(4):8-16.YANG H Y, XU J. Android malware detection based on improved random forest[J]. Journal on Communications, 2017(4):8-16. (in Chinese) [6] 张家旺, 李燕伟. 基于机器学习算法的Android恶意程序检测系统[J]. 计算机应用研究, 2017(6):1-6.ZHANG J W, LI Y W. Malware detection system implementation of Android application based on machine learning[J]. Application Research of Computers, 2017(6):1-6. (in Chinese) [7] SANTOS I, BREZO F, UGARTE-PEDRERO X, et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013, 231:64-82. [8] RAVI C, MANOHARAN R. Malware detection using windows API sequence and machine learning[J]. International Journal of Computer Applications, 2012, 43(17):12-16. [9] 廖国辉, 刘嘉勇. 基于数据挖掘和机器学习的恶意代码检测方法[J]. 信息安全研究, 2016(1):74-79.LIAO G H, LIU J Y. A malicious code detection method based on data mining and machine learning[J]. Journal of Information Security Research, 2016(1):74-79. (in Chinese) [10] DAHL G E, STOKES J W, DENG L, et al. Large-scale malware classification using random projections and neural networks[C]//2013 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). Vancouver, BC, Canada:IEEE, 2013:3422-3426. [11] SAXE J, BERLIN K. Deep neural network based malware detection using two dimensional binary program features[C]//201510th International Conference on Malicious and Unwanted Software (MALWARE). Fajardo, Puerto Rico:IEEE, 2015:11-20. [12] KOLOSNJAJI B, ZARRAS A, WEBSTER G, et al. Deep learning for classification of malware system call sequences[C]//Australasian Joint Conference on Artificial Intelligence. Hobart, TAS, Australia:Springer International Publishing, 2016:137-149. [13] TOBIYAMA S, YAMAGUCHI Y, SHIMADA H, et al. Malware detection with deep neural network using process behavior[C]//201640th Annual IEEE Conference on Computer Software and Applications (COMPSAC). Atlanta, GA, USA:IEEE, 2016, 2:577-582. [14] PASCANU R, STOKES J W, SANOSSIAN H, et al. Malware classification with recurrent networks[C]//2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). Brisbane, QLD, Australia:IEEE, 2015:1916-1920. [15] Tensorflow.. (2017-05-31). https://www.tensorflow.org/,2017. [16] VirusShare.. (2017-05-31). https://virusshare.com,2017. [17] VirusTotal.. (2017-05-31). http://www.virustotal.com,2017. [18] Scikit-Learn.. (2017-05-31). http://scikit-learn.org/,2017.
2018, Vol. 58 
