基于动态行为和机器学习的恶意代码检测方法

目前恶意代码出现频繁且抗识别性加强，现有基于签名的恶意代码检测方法无法识别未知与隐藏的恶意代码。提出一种结合动态行为和机器学习的恶意代码检测方法。搭建自动化分析Cuckoo沙箱记录恶意代码的行为信息和网络流量，结合Cuckoo沙箱与改进DynamoRIO系统作为虚拟环境，提取并融合恶意代码样本API调用序列及网络行为特征。在此基础上，基于双向门循环单元（BGRU）建立恶意代码检测模型，并在含有12 170个恶意代码样本和5 983个良性应用程序样本的数据集上对模型效果进行验证。实验结果表明，该方法能全面获得恶意代码的行为信息，其所用BGRU模型的检测效果较LSTM、BLSTM等模型更好，精确率和F1值分别达到97.84%和98.07%，训练速度为BLSTM模型的1.26倍。

Malicious Code Detection Method Based on Dynamic Behavior and Machine Learning

As the malicious codes with increasing anti-recognition ability emerge in an endless stream,the existing signature-based malicious code detection methods fail to identify unknown and hidden malicious codes.To address the problem,this paper proposes a malicious code detection method combining dynamic behavior and machine learning.In this method,a Cuckoo sandbox for automatic analysis is built to record the behavior information and network traffic of malicious code.Then the Cuckoo sandbox is integrated with the improved DynamoRIO system as a virtual environment,which enables the extraction and fusion of the Application Programming Interface(API)call sequence and network behavior characteristics of malicious code samples.On this basis,a malicious code detection model based on Bidirectional Gated Recurrent Unit(BGRU)is established,whose performance is tested on the dataset containing 12170 malicious code samples and 5983 benign application samples.Experimental results show that the proposed method can obtain the behavior information of malicious code comprehensively,the detection effect of BGRU model is better than Long Short-Term Memory(LSTM),Bidirectional Long Short-Term Memory(BLSTM)and other models,the accuracy and F1 value are 97.84%and 98.07%respectively,and the training speed is 1.26 times of BLSTM model.