
Research On Malware Detection Method Based On Behavior Analysis

Posted on: 2021-01-07
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Xiao
Full Text: PDF
GTID: 1368330605481259
Subject: Computer Science and Technology
Abstract/Summary:
Malware is one of the major threats to network security because of its rapid spread, wide variety, complexity and destructiveness. The growing number of malware variants and the escalation of evasion techniques make malware detection a difficult and challenging task. Malware detection faces three main challenges: first, traditional machine learning methods struggle to extract the essential characteristics of malware; second, it is difficult to extract simple and effective representations of complex malware behavior; third, malware variants can evade detection. Behavior-based malware detection methods capture the malicious activities of a program by tracking the behavior trajectory of its execution. This dissertation analyzes the challenges of malware detection based on behavior analysis and achieves the following innovative results.

1. To address the difficulty traditional machine learning methods have in extracting essential malware features, this dissertation designs and implements a Behavior-based Deep Learning Model (BDLM). In BDLM, an abstract feature representation based on a Stacked AutoEncoder (SAE) with 3 hidden layers is designed to extract features through layer-by-layer training. The SAE transforms the high-dimensional original features into 500 new low-dimensional abstract features. BDLM further combines the SAE with different classifiers for malware detection and explores the optimal detection model. Experimental results show that the average Recall of BDLM improves by 2.5% compared with the traditional method.

2. To address the difficulty of extracting simple, efficient representations of complex malware behavior, this dissertation presents a graph repartition algorithm that converts the API call graph into an N-order subgraph (NSG) representation. An NSG is a behavior fragment that preserves the dependencies in the API call graph and can be used to describe the behavior of malware families. This effective fragment representation avoids the graph matching problem during malware detection. The dissertation also improves the Term Frequency-Inverse Document Frequency (TF-IDF) index and uses the improved measure to extract Crucial N-order subgraphs (CNSG). Experiments show that the accuracy of malware family classification based on crucial N-order subgraphs improves by 0.52% and 1.43% compared with methods based on subgraphs and on API call sequence fragments, respectively; the crucial N-order subgraph method therefore provides better malware classification performance.

3. To address the challenge that malware variants can evade detection, this dissertation introduces homomorphic encryption into malware detection and designs an Encryption-based Malware Detection System (EMDS) built on encrypted detection rules. EMDS constructs a Privacy-Preserving Naive Bayes Classifier (PP-NBC) using homomorphic encryption. By protecting the detection rules, PP-NBC prevents malware from snooping on them and generating new variants that escape current detection. EMDS therefore not only performs malware detection but also ensures that the detection rules are not compromised; it is an important component in resisting malware evasion and can drive malware detection toward secure detection.

Based on the three challenges above, this dissertation designs and completes three studies: malware detection based on deep learning, malware classification based on crucial N-order subgraphs, and malware detection based on encrypted rules. The first two improve detection accuracy by extracting key malware behaviors; the third protects the detection rules while performing detection.
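The second contribution, extracting N-order subgraph fragments from API call graphs and ranking them with TF-IDF to find the crucial ones, can be illustrated with the following added example. It is not code from the dissertation: the graph repartition algorithm and the improved TF-IDF measure are not specified on this page, so the example assumes an N-order subgraph is a dependency-preserving walk of N distinct API nodes and uses plain TF-IDF with each family's fragment bag as one document; the API call graphs and family labels are constructed sample data.

```python
import math
from collections import Counter, defaultdict
from itertools import chain

# Constructed sample data: one API call graph per sample as {api: [apis it leads to]}
SAMPLES = {
    "famA_1": ("famA", {"CreateFile": ["WriteFile"], "WriteFile": ["CloseHandle"],
                        "RegOpenKey": ["RegSetValue"]}),
    "famA_2": ("famA", {"CreateFile": ["WriteFile"], "WriteFile": ["CloseHandle"],
                        "InternetOpen": ["InternetReadFile"]}),
    "famB_1": ("famB", {"VirtualAlloc": ["WriteProcessMemory"],
                        "WriteProcessMemory": ["CreateRemoteThread"],
                        "CreateFile": ["WriteFile"]}),
    "famB_2": ("famB", {"VirtualAlloc": ["WriteProcessMemory"],
                        "WriteProcessMemory": ["CreateRemoteThread"],
                        "RegOpenKey": ["RegSetValue"]}),
}

def n_order_subgraphs(graph, n):
    """Enumerate N-order subgraphs as dependency-preserving walks of N distinct
    API nodes (an assumed stand-in for the dissertation's repartition output)."""
    def walk(path):
        if len(path) == n:
            yield tuple(path)
            return
        for nxt in graph.get(path[-1], []):
            if nxt not in path:            # keep fragments acyclic
                yield from walk(path + [nxt])
    seen = set()
    for start in graph:
        for sub in walk([start]):
            if sub not in seen:
                seen.add(sub)
                yield sub

def crucial_subgraphs(samples, n, top_k):
    """Rank each family's N-order subgraphs by plain TF-IDF (family bag = document).
    Fragments present in every family get weight 0 and never become crucial."""
    bags = defaultdict(Counter)
    for family, graph in samples.values():
        bags[family].update(n_order_subgraphs(graph, n))
    df = Counter(chain.from_iterable(bag.keys() for bag in bags.values()))
    ranked = {}
    for family, bag in bags.items():
        total = sum(bag.values())
        scored = [(sub, cnt / total * math.log(len(bags) / df[sub]))
                  for sub, cnt in bag.items()]
        ranked[family] = sorted(scored, key=lambda kv: (-kv[1], kv[0]))[:top_k]
    return ranked
```

With n=2 the shared fragment CreateFile -> WriteFile scores 0 for both families, while WriteFile -> CloseHandle and VirtualAlloc -> WriteProcessMemory surface as the crucial fragments of famA and famB respectively.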
Keywords/Search Tags:behavior analysis, API call, stacked autoEncoder, graph repartition algorithm, homomorphic encryption