MACSPMD:基于恶意API调用序列模式挖掘的恶意代码检测

基于动态分析的恶意代码检测方法由于能有效对抗恶意代码的多态和代码混淆技术,而且可以检测新的未知恶意代码等,因此得到了研究者的青睐。在这种情况下,恶意代码的编写者通过在恶意代码中嵌入大量反检测功能来逃避现有恶意代码动态检测方法的检测。针对该问题,提出了基于恶意API调用序列模式挖掘的恶意代码检测方法MACSPMD。首先,使用真机模拟恶意代码的实际运行环境来获取文件的动态API调用序列；其次,引入面向目标关联挖掘的概念,以挖掘出能够代表潜在恶意行为模式的恶意API调用序列模式；最后,将挖掘到的恶意API调用序列模式作为异常行为特征进行恶意代码的检测。基于真实数据集的实验结果表明,MACSPMD对未知和逃避型恶意代码进行检测的准确率分别达到了94.55%和97.73%,比其他基于API调用数据的恶意代码检测方法 的准确率分别提高了2.47%和2.66%,且挖掘过程消耗的时间更少。因此,MACSPMD能有效检测包括逃避型在内的已知和未知恶意代码。

MACSPMD:Malicious API Call Sequential Pattern Mining Based Malware Detection

Researchers give preference to dynamic analysis based malware detection methods with capability of nullifying the effects of polymorphism and obfuscation on malware and detecting new and unseen malwares.In this case,malware authors embed numerous anti-detection functions in to malware to evade the detection of existing dynamic malware detection methods.To solve this problem,a malware detection method MACSPMD based on malicious API call sequential pattern mining was proposed.Firstly,dynamic API call sequences of the files are gotten by real machine which simu-lates the actual running environment of the malware.Secondly,the malicious API call sequence patterns that can represent the potential malicious behavior patterns are mined by introducing the concept of objective-oriented association mining.Finally,the malicious API call sequences are used as abnormal behavior feature to detect malware.The experimental results based on real data set show that MACSPMD achieves 94.55% and 97.73% of detection accuracy on unknown and evasive malware respectively.Compared with other malware detection methods based on API call data,the detection accuracy of unknown and evasive malware is improved by 2.47% and 2.66% respectively,and the time consumed in the mining process is less.MACSPMD can effectively detect known and unknown malware,including escape type.