Research Of Malware Detection Technology Based On Attribute Order Reduction

Posted on: 2012-03-30 | Degree: Master | Type: Thesis
Country: China | Candidate: N Guo
GTID: 2178330335970698 | Subject: Computer software and theory
Abstract/Summary:
How to effectively prevent and detect complicated malware has become a hot topic in the security research field. This thesis selects operation behavior features, which include semantic information from dynamic behaviors, and API sequence features as source features. Rough set theory is applied to intelligent malware detection in this thesis to obtain a reduction set from the candidate features. The aim is to accelerate the training procedure and the detection response speed while maintaining good detection accuracy. The main work of this thesis is summarized as follows:

First, an overview of classical rough set theory is introduced, and a brief study of rough sets and data processing methods is given, focusing on the basic concepts of attribute reduction. The types of malware, the trends in malware, and the advantages and disadvantages of a variety of detection methods are also summarized.

Second, the research focused mainly on excellent attribute reduction algorithms based on the positive region. We found that the time complexity was higher when |U| was much smaller than |C|. This thesis therefore introduced the use of ordered attributes to reduce the time cost, and an algorithm based on the information gain value was proposed. The algorithm sorts all attributes according to the information gain value and scale of each attribute. The space and time complexity of the algorithm were analyzed. Based on the above study, a malware detection model based on attribute order reduction was given. With the detection model established, a malware detection prototype system was designed and implemented. The work focused on the design and implementation of the trace getting module, feature extraction module, feature selection module, feature reduction module, and classifier module.

Finally, two real data sets of malware were used to test the prototype system. Experimental results show that the proposed method can obtain fewer reduction features in a short period of time while maintaining good classification accuracy using the reduction set, which is important for improving the speed of training and the response speed of detection.
Keywords/Search Tags:Rough Set, Malware, Reduction, Attribute Order, Information Gain
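The sketch below is an added illustration of positive-region attribute reduction driven by an information-gain attribute order; it is not code from the thesis. The decision table, the API names used as attributes, the tie-break rule and the forward/backward passes are assumptions made for the example, and the "scale" criterion mentioned in the abstract is not modeled.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed decision table (not thesis data): 1 = behavior seen in the trace.
ATTRS = ["CreateRemoteThread", "WriteProcessMemory", "RegSetValueEx", "CreateFile", "Sleep"]
ROWS = [
    ((1, 1, 0, 1, 0), "malware"), ((1, 1, 1, 1, 1), "malware"),
    ((0, 0, 1, 1, 0), "malware"), ((0, 0, 1, 1, 1), "malware"),
    ((0, 0, 0, 1, 0), "benign"),  ((0, 0, 0, 1, 1), "benign"),
    ((0, 0, 0, 0, 0), "benign"),  ((1, 1, 1, 0, 1), "malware"),
]

def partition(rows, idx):
    """Equivalence classes of the samples under the attributes in idx."""
    blocks = defaultdict(list)
    for values, label in rows:
        blocks[tuple(values[i] for i in idx)].append(label)
    return list(blocks.values())

def entropy(labels):
    return -sum(c / len(labels) * log2(c / len(labels)) for c in Counter(labels).values())

def info_gain(rows, i):
    labels = [label for _, label in rows]
    return entropy(labels) - sum(len(b) / len(rows) * entropy(b) for b in partition(rows, [i]))

def pos_size(rows, idx):
    """|POS|: samples whose equivalence class carries a single label."""
    return sum(len(b) for b in partition(rows, idx) if len(set(b)) == 1)

def ordered_reduct(rows, n_attrs):
    # Assumed ordering: descending information gain, index as tie-break.
    order = sorted(range(n_attrs), key=lambda i: (-info_gain(rows, i), i))
    target = pos_size(rows, list(range(n_attrs)))
    chosen = []
    for i in order:                      # forward pass in attribute order
        if pos_size(rows, chosen) == target:
            break
        chosen.append(i)
    for i in reversed(list(chosen)):     # drop attributes that became redundant
        rest = [j for j in chosen if j != i]
        if pos_size(rows, rest) == target:
            chosen = rest
    return order, chosen

if __name__ == "__main__":
    order, reduct = ordered_reduct(ROWS, len(ATTRS))
    print("order :", [ATTRS[i] for i in order])
    print("reduct:", [ATTRS[i] for i in reduct])
```

On this constructed table two of the five attributes preserve the full positive region, so a classifier trained on the reduct sees the same consistent samples with fewer features.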