Journal: 《数据采集与处理》 (Journal of Data Acquisition and Processing)

Malicious Behavior Learning and Classification of Software Code

Abstract

Traditional signature-based methods fail to identify obfuscated malicious code, while dynamic methods consume a large amount of resources. Currently, most machine-learning-based detection methods cannot effectively distinguish Trojan horses, worms, and other malware. Hence, we propose a new classification method based on malicious behavior features. The new method first learns the specific malicious behavior sequential patterns of each malware category on the basis of extracted malicious-oriented instructions. Each sample is then projected into a new space composed of these sequential patterns. Based on the new feature representation, a nearest neighbor classifier is constructed to classify the malicious code. Experimental results show that the proposed method can effectively capture malicious behavior and distinguish the differences among the behaviors of different malware categories, thereby improving classification precision sharply.
