一种基于主动学习的恶意代码检测方法

现有恶意代码的检测往往依赖于对足够数量样本的分析.然而新型恶意代码大量涌现,其出现之初,样本数量有限,现有方法无法迅速检测出新型恶意代码及其变种.本文在数据流依赖网络中分析进程访问行为异常度与相似度,引入了恶意代码检测估计风险,并提出一种通过最小化估计风险实现主动学习的恶意代码检测方法.该方法只需要很少比例的训练样本就可实现准确的恶意代码检测,较现有方法更适用于新型恶意代码检测.通过我们对真实的8,340个正常进程以及7,257个恶意代码进程的实验分析,相比于传统基于统计分类器的检测方法,本文方法明显地提升了恶意代码检测效果.即便在训练样本仅为总体样本数量1%的情况下,本文方法可以也可达到5.55%的错误率水平,比传统方法降低了36.5%.

Malware Detection Method Based on Active Learning

Existing techniques of malware detection depend on observations of sufficient malware samples. However, only a few samples can be found when novel malware first appears in the world wide web, which brings challenges to detect novel malware and its variants. In this paper, we study the anomaly and similarity of processes with respect to their access behaviors under data flow dependency network, and define estimated risk for malware detection. Furthermore, we propose an active learning based malware detection by minimizing the estimated risk, which achieves encouraging performance even with a few known samples, and is applicable to defending against current rapidly increasing novel malware. The experimental results on a real-world dataset, which consists of access behaviors of 8,340 benign and 7,257 malicious processes, demonstrate better performance of our method than traditional statistical classifier based malware detection. Even with only 1% known samples, our method achieves 5.55% error rate, which is 36.5% lower than the error rate of traditional statistical classifier based method.