
Static Virus Detection Based On Binary Opcode Semantic Optimization

Posted on: 2019-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: G N Xu
GTID: 2358330542490222
Subject: Engineering

Abstract/Summary:
Malware often exploits vulnerabilities in computer systems and in their security defense mechanisms in order to destroy or steal information. The goal of a security defense mechanism is to detect malware, to remove it and repair the damage it has caused, and to develop preventive measures; the most basic of these tasks is detection. Traditional detection is usually based on a signature library built from manually extracted features. However, as the number of malware samples keeps growing, manual analysis and detection falls far short of what a security defense mechanism needs. At this stage, combining feature extraction with a classification algorithm gives good results in malware detection. Such features reflect the behavior and content of a sample and include file structure information, system call APIs, opcodes, raw hexadecimal bytes and so on.

This thesis carries out the following two tasks:

1. After the samples have been preprocessed with respect to software protection technology, binary opcode features are extracted with their semantic obfuscation and redundancy removed, N-Gram sequences are formed from them, information gain is computed to select the feature sequences with the best classification effect, and the final detection result is computed with a support vector machine algorithm.
2. On the basis of the preprocessing, feature form, filtering algorithm and classification algorithm of the first task, thread-based Native API N-gram sequences are extracted dynamically as features and compared against general Native API sequences in malware detection.

The experiments show that:

1. The semantically optimized binary opcode features give good results in classification; detection with the semantically optimized binary opcode features is better than with the raw binary opcode features, and generally slightly better than classification with the common assembly-form opcode features.
2. The thread-based Native API N-gram sequence outperforms the general Native API sequence in malware classification.
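As an added illustration (this is not code from the thesis), the following Python sketches the feature pipeline described in the first task: opcode sequences are normalized (the "semantic optimization" step), turned into N-gram presence sets, every N-gram is scored by information gain against the malware/benign labels, and the top-ranked N-grams become the 0/1 feature vector a classifier such as an SVM would consume. The opcode samples, the semantic-class table and the redundancy rule are constructed assumptions; the thesis does not publish its mapping, and the SVM step itself is left to a library.

```python
import math
from collections import Counter
from itertools import chain

# Constructed sample data: each sample is a list of opcode mnemonics (as a
# disassembler would emit them) plus a label, 1 = malware, 0 = benign.
# These sequences are invented for the example and are not real programs.
SAMPLES = [
    (["push", "mov", "call", "test", "jz", "xor", "nop", "call", "ret"], 1),
    (["push", "mov", "call", "test", "je", "xor", "call", "ret"], 1),
    (["mov", "call", "cmp", "jne", "xor", "xor", "call", "ret"], 1),
    (["push", "mov", "lea", "call", "add", "pop", "ret"], 0),
    (["push", "mov", "lea", "nop", "call", "add", "pop", "ret"], 0),
    (["mov", "lea", "sub", "call", "add", "ret"], 0),
]

# Assumed semantic classes: the thesis does not spell out its mapping, so this
# table merges mnemonics that differ in encoding but not in effect, and the
# redundancy set drops opcodes that do nothing, so that variant spellings of
# one behaviour collapse into one N-gram.
SEMANTIC_CLASS = {
    "jz": "jcc", "je": "jcc", "jne": "jcc", "jnz": "jcc", "ja": "jcc", "jb": "jcc",
    "movzx": "mov", "movsx": "mov",
    "add": "arith", "sub": "arith",
}
REDUNDANT = {"nop"}


def normalize(opcodes):
    """Collapse semantically equivalent opcodes and strip redundant ones."""
    return [SEMANTIC_CLASS.get(op, op) for op in opcodes if op not in REDUNDANT]


def ngrams(opcodes, n):
    """Set of opcode n-grams present in one sample (presence, not count)."""
    return {tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}


def entropy(labels):
    """Shannon entropy in bits of a label list."""
    total = len(labels)
    return -sum((c / total) * math.log2(c / total) for c in Counter(labels).values())


def information_gain(feature, feature_sets, labels):
    """IG(Y; X) = H(Y) - H(Y | X), where X is presence of `feature` in a sample."""
    with_f = [y for fs, y in zip(feature_sets, labels) if feature in fs]
    without_f = [y for fs, y in zip(feature_sets, labels) if feature not in fs]
    total = len(labels)
    conditional = sum(len(part) / total * entropy(part) for part in (with_f, without_f) if part)
    return entropy(labels) - conditional


def rank_features(samples, n=2, top_k=5):
    """Score every normalized n-gram by information gain and keep the top_k."""
    feature_sets = [ngrams(normalize(ops), n) for ops, _ in samples]
    labels = [y for _, y in samples]
    vocab = set(chain.from_iterable(feature_sets))
    # Sort by descending gain, then alphabetically so ties are deterministic.
    scored = sorted(((information_gain(f, feature_sets, labels), f) for f in vocab),
                    key=lambda t: (-t[0], t[1]))
    return [f for _, f in scored[:top_k]]


def vectorize(samples, selected, n=2):
    """Turn each sample into a 0/1 vector over the selected n-grams (classifier input)."""
    rows = []
    for ops, _ in samples:
        present = ngrams(normalize(ops), n)
        rows.append([1 if f in present else 0 for f in selected])
    return rows


if __name__ == "__main__":
    selected = rank_features(SAMPLES, n=2, top_k=4)
    for f in selected:
        print(" ".join(f))
    for row, (_, y) in zip(vectorize(SAMPLES, selected), SAMPLES):
        print(y, row)
```

The `vectorize` output is what would be handed to an SVM; with real samples the vocabulary grows into the millions of N-grams, which is exactly why the information-gain filter precedes the classifier rather than following it.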
Keywords/Search Tags:malware, binary operation code, software protection, Native Api, N-Gram, information gain, support vector machine