
A Study of Static Malicious Code Detection Method Based on Opcode Sequences

Posted on: 2014-08-01
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Lu
Full Text: PDF
GTID: 2268330392969049
Subject: Computer Science and Technology

Abstract/Summary:
With the wide spread of networks and the progress of computer technology, computer information security faces a serious threat, and malicious code is the main culprit. The growth of malicious code and of the technology behind it not only brings inconvenience to daily life but also causes enterprises and users huge economic losses; some of it can even harm national information security.

As malicious code detection and anti-detection techniques develop in confrontation with each other, the large number of new malicious codes produced every day puts tremendous pressure on analysts, and today's detection capability falls far short of demand. Malicious code detection technology is divided into two approaches, static and dynamic. Static detection derives its result from the content and structure of the code, whereas dynamic detection executes the code in a virtual environment. However, with the development of code obfuscation techniques, some static detection methods face a challenge, and some malicious codes can hide their malicious behaviour to evade detection in a virtual environment. Therefore, how to cope with the explosion of malicious code, and especially with its variants, has become the focus of research on malicious code detection technology.

In this paper we propose a new static malicious code detection method based on opcode sequences. Unlike other methods, it extracts the opcode sequences through the program's control flow graph and uses them as the characteristic. First, the malicious code is unpacked (its packer shell removed). Second, the malicious code is disassembled, the program's control flow graph is built by a plugin we wrote, and the opcode sequences are extracted from it. Third, features are extracted with the n-gram algorithm and selected using the information gain and document frequency methods. Finally, the malicious code is detected with machine learning classification algorithms such as K-Nearest Neighbor, Decision Tree and Support Vector Machine. In the experiments we vary the number of features and compare against other methods on the basis of accuracy, false positive rate and false negative rate. From the comparison and analysis of the experimental results we conclude that our method is effective.
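The feature pipeline the abstract describes (opcode n-grams over control-flow-graph paths, document frequency and information gain for feature selection, then a nearest-neighbour classifier) is shown below as an added example; it is not code from the thesis. The unpacking and disassembly steps are assumed to have already happened, so each program is represented directly by a constructed list of opcode sequences (one per CFG path) with a constructed benign/malicious label; the K-Nearest Neighbor classifier uses Hamming distance over binary feature vectors as a simple stand-in for the classifiers the thesis evaluates.

```python
"""Opcode n-gram features, DF/IG feature selection and k-NN classification.

Added example, not the thesis's own code. Programs are assumed to be already
unpacked and disassembled; only the opcode sequences per CFG path are used.
"""
from collections import Counter
from itertools import chain
import math

# Constructed sample corpus: (list of CFG-path opcode sequences, label),
# label 1 = malicious, 0 = benign. Values are illustrative, not real samples.
SAMPLES = [
    ([["push", "mov", "call", "xor", "jmp"], ["mov", "call", "xor", "jmp"]], 1),
    ([["push", "mov", "call", "xor", "ret"], ["xor", "call", "xor", "jmp"]], 1),
    ([["push", "mov", "sub", "lea", "call"], ["mov", "lea", "call", "ret"]], 0),
    ([["push", "mov", "lea", "call", "ret"], ["mov", "add", "lea", "call"]], 0),
    ([["mov", "call", "xor", "jmp", "ret"], ["push", "xor", "jmp", "xor"]], 1),
    ([["push", "sub", "lea", "call", "ret"], ["mov", "add", "call", "ret"]], 0),
]


def ngrams(sequence, n):
    """Sliding-window n-grams of one opcode sequence, joined with spaces."""
    return [" ".join(sequence[i:i + n]) for i in range(len(sequence) - n + 1)]


def program_features(paths, n):
    """Distinct opcode n-grams over all CFG paths of one program."""
    return set(chain.from_iterable(ngrams(p, n) for p in paths))


def document_frequency(feature_sets):
    """Number of programs in which each n-gram occurs at least once."""
    return Counter(chain.from_iterable(feature_sets))


def entropy(labels):
    """Shannon entropy (bits) of a label list; 0.0 for an empty list."""
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in Counter(labels).values())


def information_gain(feature, feature_sets, labels):
    """IG(t) = H(C) - [P(t) H(C|t) + P(not t) H(C|not t)] for binary feature t."""
    present = [lab for fs, lab in zip(feature_sets, labels) if feature in fs]
    absent = [lab for fs, lab in zip(feature_sets, labels) if feature not in fs]
    total = len(labels)
    conditional = (len(present) / total) * entropy(present) \
        + (len(absent) / total) * entropy(absent)
    return entropy(labels) - conditional


def select_features(feature_sets, labels, min_df=2, top_k=4):
    """Drop rare n-grams (DF < min_df), then keep the top_k by information gain.

    Ties on IG are broken alphabetically so the selection is deterministic."""
    df = document_frequency(feature_sets)
    candidates = [f for f, c in df.items() if c >= min_df]
    ranked = sorted(candidates,
                    key=lambda f: (-information_gain(f, feature_sets, labels), f))
    return ranked[:top_k]


def vectorize(feature_set, selected):
    """Binary presence vector of a program over the selected n-grams."""
    return [1 if f in feature_set else 0 for f in selected]


def knn_predict(vector, train_vectors, train_labels, k=3):
    """Majority vote among the k training vectors nearest in Hamming distance."""
    ranked = sorted((sum(a != b for a, b in zip(vector, tv)), lab)
                    for tv, lab in zip(train_vectors, train_labels))
    votes = Counter(lab for _, lab in ranked[:k])
    return votes.most_common(1)[0][0]


def build_and_classify(unknown_paths, n=2, k=3):
    """Train on SAMPLES and classify one unknown program's CFG paths.

    Returns (selected n-grams, predicted label)."""
    feature_sets = [program_features(paths, n) for paths, _ in SAMPLES]
    labels = [lab for _, lab in SAMPLES]
    selected = select_features(feature_sets, labels)
    train_vectors = [vectorize(fs, selected) for fs in feature_sets]
    unknown = vectorize(program_features(unknown_paths, n), selected)
    return selected, knn_predict(unknown, train_vectors, labels, k)


if __name__ == "__main__":
    feats, verdict = build_and_classify([["mov", "call", "xor", "jmp"]])
    print("selected features:", feats)
    print("verdict:", "malicious" if verdict else "benign")
```

The document-frequency cut is applied before information gain on purpose: an n-gram seen in a single program always looks highly informative to IG on a small corpus, so filtering by DF first removes features that would only memorise individual samples. Varying `top_k` reproduces the abstract's experiment of changing the number of features and watching the error rates move.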
Keywords/Search Tags: opcode sequences, malicious code detection, control flow graph