A Malicious Code Static Detection Framework Based on Multi-Feature Ensemble Learning

Yang Wang; Gao Mingzhe; Jiang Ting

doi:10.7544/issn1000-1239.2021.20200912

Journal of Computer Research and Development > 2021 > 58(5): 1021-1034. > DOI: 10.7544/issn1000-1239.2021.20200912 CSTR: 32373.14.issn1000-1239.2021.20200912

Yang Wang, Gao Mingzhe, Jiang Ting. A Malicious Code Static Detection Framework Based on Multi-Feature Ensemble Learning[J]. Journal of Computer Research and Development, 2021, 58(5): 1021-1034. DOI: 10.7544/issn1000-1239.2021.20200912

Citation:

PDF (2241 KB)

A Malicious Code Static Detection Framework Based on Multi-Feature Ensemble Learning

(School of Cyber Science and Engineering, Southeast University, Nanjing 211189) (Key Laboratory of Computer Network and Information Integration(Southeast University), Ministry of Education, Nanjing 211189) (Jiangsu Provincial Key Laboratory of Computer Network Technology (Southeast University), Nanjing 211189)

Funds: This work was supported by the National Natural Science Foundation of China (62072100).

More Information

Published Date: April 30, 2021

Graphical Abstract

Abstract

Abstract

With the popularity of the Internet and the rapid development of 5G communication technology, the threats to cyberspace are increasing, especially the exponential increase in the number of malware and the explosive increase in the number of variants of their families. The traditional signature-based malware detection is too slow to handle the millions of new malwares emerged every day, while the false positive and false negative rates of general machine learning classifiers are significantly too high. At the same time malware packing, obfuscation and other adversarial techniques have caused more trouble to the situation. Based on this, we propose a static malware detection framework based on multi-feature ensemble learning. By extracting the non-PE (Portable Executable) structure feature, visible string feature, sink assembly code sequences feature, PE structure feature and function call relationship feature from the malware, we construct models matching each feature, and use Bagging and Stacking ensemble algorithms to reduce the risk of overfitting. Finally we adopt the weighted voting algorithm to further aggregate the output results of the ensemble model. The experimental results show the detection accuracy of multi-feature multi-model aggregation algorithm can reach 96.99%, which prove the method has better malware identification ability than other static detection methods, and higher recognition rate for malwares using packing or obfuscation techniques.
- malicious code,
- multiple features,
- ensemble learning,
- policy voting,
- static detection

FullText(HTML)

References (0)

[1]	Pan Jianwen, Cui Zhanqi, Lin Gaoyi, Chen Xiang, Zheng Liwei. A Review of Static Detection Methods for Android Malicious Application[J]. Journal of Computer Research and Development, 2023, 60(8): 1875-1894. DOI: 10.7544/issn1000-1239.202220297
[2]	Yang Yi, Li Ying, Chen Kai. Vulnerability Detection Methods Based on Natural Language Processing[J]. Journal of Computer Research and Development, 2022, 59(12): 2649-2666. DOI: 10.7544/issn1000-1239.20210627
[3]	Guo Yingjie, Liu Xiaoyan, Wu Chenxi, Guo Maozu, Li Ao. U-Statistics and Ensemble Learning Based Method for Gene-Gene Interaction Detection[J]. Journal of Computer Research and Development, 2018, 55(8): 1683-1693. DOI: 10.7544/issn1000-1239.2018.20180365
[4]	Zhang Hu, Tan Hongye, Qian Yuhua, Li Ru, Chen Qian. Chinese Text Deception Detection Based on Ensemble Learning[J]. Journal of Computer Research and Development, 2015, 52(5): 1005-1013. DOI: 10.7544/issn1000-1239.2015.20131552
[5]	Zhou Quanqiang and Zhang Fuzhi. Ensemble Approach for Detecting User Profile Attacks Based on Bionic Pattern Recognition[J]. Journal of Computer Research and Development, 2014, 51(4): 789-801.
[6]	Zhao Yunshan, Gong Yunzhan, Zhou Ao, Wang Qian, and Zhou Hongbo. False Positive Elimination in Static Defect Detection[J]. Journal of Computer Research and Development, 2012, 49(9): 1822-1831.
[7]	Wang Yawen, Yao Xinhong, Gong Yunzhan, Yang Zhaohong. A Method of Buffer Overflow Detection Based on Static Code Analysis[J]. Journal of Computer Research and Development, 2012, 49(4): 839-845.
[8]	Huo Wei, Yu Hongtao, Feng Xiaobing, and Zhang Zhaoqing. Static Race Detection of Interrupt-Driven Programs[J]. Journal of Computer Research and Development, 2011, 48(12): 2290-2299.
[9]	Wang Zhaofei and Huang Chun. Static Detection of Deadlocks in OpenMP Fortran Programs[J]. Journal of Computer Research and Development, 2007, 44(3).
[10]	Wu Ping, Chen Yiyun, Zhang Jian. Static Data-Race Detection for Multithread Programs[J]. Journal of Computer Research and Development, 2006, 43(2): 329-335.

Cited By

Cited by

Periodical cited type(19)

1.	李梅，朱明宇. 基于PSO-KM聚类分析的通信网络恶意攻击代码检测方法. 计算机测量与控制. 2024(01): 8-15 .
2.	彭秋华. 移动式计算机中恶意软件感染预测分析. 软件. 2024(02): 120-122 .
3.	李思聪，王坚，宋亚飞，王硕. TriCh-LKRepNet:融合三通道映射与结构重参数化的大核卷积恶意代码分类网络. 电子学报. 2024(07): 2331-2340 .
4.	钱丽萍，王大伟. 基于图像可视化的恶意软件分类技术综述. 信息安全学报. 2024(05): 139-161 .
5.	官斌. 基于静态逆向的工控软件函数调用获取技术. 计算机与数字工程. 2024(09): 2745-2751+2777 .
6.	王春东，刘驰. 一种利用低秩多模态融合的恶意软件分类方法. 小型微型计算机系统. 2024(12): 3008-3015 .
7.	熊其冰. 一种基于多图像特征融合和GA-Stacking的恶意代码检测模型. 通信技术. 2024(12): 1305-1310 .
8.	王硕，王坚，王亚男，宋亚飞. 一种基于特征融合的恶意代码快速检测方法. 电子学报. 2023(01): 57-66 .
9.	乔梦晴，李琳，王颉，万振华. 基于遗传规划和集成学习的恶意软件检测. 计算机应用研究. 2023(03): 898-904 .
10.	熊其冰，王世豪，谢冰. 基于操作码序列和Stacking集成的恶意代码检测方法. 警察技术. 2023(03): 64-67 .
11.	邓希桢，蒋明，岑明灿，罗玉玲. 基于熵图像静态分析技术的勒索软件分类研究. 广西师范大学学报(自然科学版). 2023(03): 91-104 .
12.	轩勃娜，李进. 基于改进CNN的恶意软件分类方法. 电子学报. 2023(05): 1187-1197 .
13.	袁子龙，吴秋新，刘韧，秦宇. 一种基于改进差分进化算法的源码漏洞检测模型的冷启动方法. 计算机应用研究. 2023(07): 2170-2178 .
14.	轩勃娜，李进，宋亚飞，马泽煊. 基于改进MobileNetV2的恶意代码分类方法. 计算机应用. 2023(07): 2217-2225 .
15.	熊其冰，郭洋，王世豪. 基于多特征融合和增强模型的恶意代码检测方法. 通信技术. 2023(05): 640-646 .
16.	顾风军. 基于多核集成学习的静态软件安全漏洞识别. 电子设计工程. 2023(19): 73-76+81 .
17.	龚卫华，陈凯，王百城. 基于监督学习的分类器自适应融合方法. 传感技术学报. 2022(02): 195-201 .
18.	何平，刘晓毅，王进，崔阳，李茹欢. 容器云的API安全技术研究. 保密科学技术. 2022(07): 41-46 .
19.	肖添明，管剑波，蹇松雷，任怡，张建锋，李宝. 基于代码属性图和Bi-GRU的软件脆弱性检测方法. 计算机研究与发展. 2021(08): 1668-1685 . 本站查看