基于深度置信网络的恶意代码检测方法研究-《计算机技术与发展》

文章信息/Info

Author(s):: QIANG Han; GUO Ya-lan; TIAN Li-ming; Institute of Jiangnan Computing Technology,Wuxi 214000,China

Keywords:: malicious code detection; disassemble; n-gram; information gain; deep belief network

摘要:: 随着互联网的普及、信息技术的飞速发展,信息安全的问题也日益严重,恶意代码是其中主要威胁之一。当前恶意代码呈现出数量巨大,技术不断更新的现状,恶意代码检测技术面临严峻挑战。因此,文中提出了基于指令序列特征和深度置信网络的恶意代码检测方法,它包括三个部分:样本预处理模块、特征构造与约简模块以及深度置信网络分类模块。数据预处理模块使用 PEID、VMUNPACKER 对恶意代码样本进行查壳、脱壳处理并用 IDA pro 对样本进行反汇编获取操作码;特征提取模块使用 n-gram 窗口滑动获取特征并采用信息增益的方法对特征进行选择;深度置信网络模块使用深度置信网络(DBN)在训练集上进行训练生成深度学习网络,再使用训练好的网络对样本进行分类与检测。实验结果表明,该方法相较于传统的恶意代码检测方法,检测速度和效率有较大的提高。

Abstract:: With the popularity of the Internet and the rapid development of information technology,the information security is becoming more and more serious,and malicious code is one of the main threats. At present,due to a large amount of malicious code and its constantly updated technology,malicious code detection technology is facing severe challenges. Therefore,we propose a malicious code detection method based on deep belief network and instruction sequence features,which consists of three modules:sample preprocessing module,feature construction and reduction module and deep belief network classification module. The data preprocessing module uses PEID and VMUNPACKER to check shell and remove shell and disassemble the sample with IDA pro. The feature extraction module uses the n-gram window to get the feature and selects the feature by the method of information gain. The deep belief network module uses the deep belief network (DBN) to generate the deep learning network on the training set,and then the trained network is used to classify and detect the samples. Experiment shows that compared with traditional malicious code detection methods,the proposed method improves the detection speed and efficiency greatly.