Behavior-Based Malicious Program Detection
First published: 2009-02-23
Abstract: This paper proposes a malicious program detection method based on a 35-dimensional feature vector. Each dimension of the vector represents one malicious behavior event, and each event is expressed by the corresponding Win32 API call and its parameters. An automated behavior tracing system (Argus) was implemented to extract the behavior features. The experimental data set was obtained from 8223 malicious executables and 2821 benign executables; event thresholds were set according to the number of events a program generates, producing different training sets that were each used to train a Bayesian classifier. Experiments show that the classifier achieves its best detection performance when the event threshold is 3.
Keywords: malicious programs; malicious behavior; Win32 API calls
Malicious Executables Detection Based on Run-time Behavior
Abstract: This paper proposes a malicious executable detection method using a 35-dimensional feature vector. Each dimension stands for a malicious behavior event represented by corresponding Win32 API calls and certain of their parameters. An automatic executable behavior tracing system (Argus) is also implemented to dynamically capture the events. Experiments are performed on a data set extracted from 8223 malicious and 2821 benign executables. An event threshold is used to build different training sets. These sets are then used to train different Naïve Bayes classifiers. The experimental results suggest that the classifier with a threshold of 3 is the most effective at detecting malicious executables.
Keywords: malicious executables; malicious behavior; Win32 API calls
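The following is an added illustration, not code from the paper or from Argus, of the classification scheme the abstract describes: each sample becomes a binary vector over a catalogue of behavior events, samples with fewer events than the threshold are dropped from the training set, and a Bernoulli Naïve Bayes model is trained on what remains. The seven event names and the eight traces are constructed placeholders; the paper's actual 35-event catalogue is not on this page.

```python
from collections import Counter
from math import log

# Constructed stand-in for the paper's 35 behaviour events. Each name denotes a
# Win32 API call with a particular parameter pattern; the real catalogue is not
# on this page, so these seven are assumptions for illustration only.
EVENTS = ["CreateRemoteThread", "WriteProcessMemory", "RegSetValue_RunKey",
          "CreateFile_System32", "URLDownloadToFile", "CreateFile_Temp", "RegOpenKey"]

# Constructed traces: the set of catalogue events a tracer observed per sample.
TRACES = [
    ({"CreateRemoteThread", "WriteProcessMemory", "RegSetValue_RunKey"}, "malicious"),
    ({"URLDownloadToFile", "CreateFile_System32", "RegSetValue_RunKey"}, "malicious"),
    ({"CreateRemoteThread", "URLDownloadToFile", "CreateFile_Temp", "RegOpenKey"}, "malicious"),
    ({"RegSetValue_RunKey"}, "malicious"),                    # dropped at threshold 3
    ({"CreateFile_Temp", "RegOpenKey"}, "benign"),            # dropped at threshold 3
    ({"RegOpenKey", "CreateFile_Temp", "CreateFile_System32"}, "benign"),
    ({"RegOpenKey"}, "benign"),                               # dropped at threshold 3
    ({"CreateFile_Temp", "RegOpenKey", "URLDownloadToFile"}, "benign"),
]

def vectorize(events_seen):
    """One binary feature per catalogue event: 1 if the trace contained it."""
    return tuple(1 if e in events_seen else 0 for e in EVENTS)

def train(traces, threshold, alpha=1.0):
    """Bernoulli naive Bayes over event vectors. Samples with fewer than
    `threshold` catalogue events are excluded from training, mirroring the
    paper's event threshold. `alpha` is Laplace smoothing."""
    kept = [(v, y) for v, y in ((vectorize(ev), y) for ev, y in traces) if sum(v) >= threshold]
    if not kept:
        raise ValueError("threshold leaves no training samples")
    per_class = Counter(y for _, y in kept)
    cond = {}                                  # P(event_i present | class), smoothed
    for c, n_c in per_class.items():
        hits = [sum(v[i] for v, y in kept if y == c) for i in range(len(EVENTS))]
        cond[c] = [(h + alpha) / (n_c + 2 * alpha) for h in hits]
    log_prior = {c: log(n_c / len(kept)) for c, n_c in per_class.items()}
    return {"log_prior": log_prior, "cond": cond, "n_train": len(kept)}

def classify(model, events_seen):
    """Return the class with the highest log posterior for one trace."""
    v = vectorize(events_seen)
    scores = {c: lp + sum(log(p) if bit else log(1.0 - p)
                          for p, bit in zip(model["cond"][c], v))
              for c, lp in model["log_prior"].items()}
    return max(scores, key=scores.get)

if __name__ == "__main__":
    for t in (1, 3):
        print(f"threshold={t}: {train(TRACES, t)['n_train']} training samples")
```

Raising the threshold shrinks the training set, which is the trade-off the paper's experiments tune: at threshold 3 the constructed set keeps 5 of 8 samples.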