Malicious Code Detection Model Based on Traffic Statistical Fingerprinting

Journal: 计算机工程 (Computer Engineering)

Abstract

Malicious code that uses encryption and tunnel encapsulation is difficult to detect. To address this, a malicious code detection model based on traffic statistical fingerprinting is presented. Packet-level features and flow-level features are extracted from each flow in a training set of malicious code traffic. The high-dimensional flow-level features are reduced with Principal Component Analysis. The traffic statistical fingerprint of the malicious code is built from the probability density functions of these two kinds of features, and the fingerprint is then used to detect malicious code communication traffic on the network. Experimental results indicate that the model can effectively detect encrypted or tunneled malicious code.
