Conference: IEEE Conference on Industrial Electronics and Applications

Homology Feature Extraction Method of Malware Based on Genetic Algorithm and Association Mining

Abstract

The behavior characteristics and programming structures of malware are usually analyzed on the basis of its disassembly file. The basic instruction sequence of a malicious disassembly file describes the purpose of the program design and the programming habits of its writers. In order to mine the family behavior characteristics of malware, simplified sequences of the assembly instruction opcode field are constructed. It is pointed out that, for the simplified code population formed by unequal-length binary byte code sequences, the maximum frequent sequence set represents the family's malicious behavior pattern. To accelerate the process of malicious pattern extraction and obtain the homologous characteristics of a code family, a genetic frequent sequence discovery algorithm named AMFIS is designed for the simplified code population. This algorithm combines the technical advantages of swarm intelligence optimization and the idea of association mining. The process of association analysis can solve the feature fitting of malicious models, and the process of genetic evolution can solve the incremental prediction of abnormal patterns. AMFIS has been applied to the Kaggle sampling data set, and the pattern matching results of the frequent sequence set verify that this algorithm has high credibility for the analysis of malicious family behavior.