
Research Of Multi-engine Cloud Security Mechanism Based On Conditional Random Fields

Posted on: 2013-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Du
Full Text: PDF
GTID: 2268330401450718
Subject: Computational Mathematics
Abstract/Summary:
Cloud security is currently an active research direction: it uses multiple engines for malware detection and keeps the virus database in the cloud. On the one hand, this overcomes the weakness of traditional anti-virus software, whose single detection strategy is helpless against a considerable number of viruses. On the other hand, virus data is shared through the cloud, so a new virus can be detected as soon as it appears. This mechanism shortens the time needed to find and remove a new virus and so reduces the damage it causes. However, the current cloud security architecture still has several shortcomings.

Firstly, the techniques commonly used by multi-engine systems are N-gram feature extraction and behavioural analysis. They normally start from the frequencies of N-grams and of system calls, use data-mining methods and classification algorithms to model the virus information, and apply the resulting model to detect viruses. Their main weakness is that they use only the frequencies of the N-gram sequences and system-call sequences and ignore the sequential relationship between those sequences. Secondly, because the sequence information of malware is large, the usual method is to keep only the part of the sequences with the highest frequencies. However, the virus code in a virus file does not normally appear that frequently, so this selection method discards some features of the virus. Thirdly, the decision based on the detection results of multiple engines mainly uses a voting method that takes the result of the majority of engines as the final result. Furthermore, this method only considers the differences between engines and ignores the detection accuracy of each engine, which leads to high false positives.

This paper studies a cloud security mechanism based on Conditional Random Fields. Firstly, it improves the current methods of N-gram feature extraction and behavioural analysis: in the modelling, besides the frequencies of the N-grams and system calls themselves, it also uses the frequencies of their orderings, which we call pairs of sequential N-grams and pairs of sequential system calls respectively. Secondly, the information sifted out in this way is placed into the feature vector of the virus using information gain theory. Thirdly, these features are modelled with Conditional Random Fields, giving different virus models. When used to recognise test files, the models produce different results, which are taken as the final results of the static and dynamic engines. Finally, several commonly used detection programs are added to these two engines to form the engine group used in our experiment. The paper applies D-S evidence theory, taking each engine's detection accuracy as its basic belief and using the D-S combination rule to obtain the final result, which reduces false positives.
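The following Python is an added example, not code from the thesis, showing the two stages of the pipeline above that can be demonstrated without a CRF library: (1) extracting N-gram counts together with "pair of sequential N-gram" counts from a system-call trace and ranking features by information gain, and (2) combining several engines' verdicts with Dempster's rule, with each engine's accuracy used as its basic belief. The traces, engine names and accuracies are constructed for illustration; the mapping "accuracy backs the verdict, the remainder goes to the whole frame" is one plausible basic belief assignment and is an assumption, not the thesis's stated one. The CRF modelling step is not shown.

```python
"""Added example (not from the thesis): sequential N-gram features,
information-gain ranking, and D-S combination of engine verdicts."""
import math
from collections import Counter


def sequential_features(trace, n=2):
    """Count the N-grams of a trace and the ordered pairs of adjacent
    N-grams ('pairs of sequential N-grams'), so the order in which
    N-grams follow one another is kept, not only their frequency."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    feats = Counter("ng:" + "|".join(g) for g in grams)
    feats.update("pair:" + "|".join(a) + ">" + "|".join(b)
                 for a, b in zip(grams, grams[1:]))
    return feats


def entropy(labels):
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total)
                for c in Counter(labels).values())


def information_gain(feature, samples):
    """IG of the binary test 'feature present' over (features, label) pairs."""
    labels = [y for _, y in samples]
    present = [y for f, y in samples if feature in f]
    absent = [y for f, y in samples if feature not in f]
    n = len(samples)
    return entropy(labels) - (len(present) / n * entropy(present)
                              + len(absent) / n * entropy(absent))


def rank_features(samples, k):
    """Top-k features by information gain (ties broken by name)."""
    vocab = set().union(*(set(f) for f, _ in samples))
    return sorted(vocab, key=lambda f: (-information_gain(f, samples), f))[:k]


# Constructed traces: label 1 = malware, 0 = benign.
SAMPLES = [
    (sequential_features(["open", "write", "write", "read", "close"]), 1),
    (sequential_features(["open", "read", "write", "write", "read", "close"]), 1),
    (sequential_features(["open", "read", "close"]), 0),
    (sequential_features(["open", "read", "read", "close"]), 0),
]

THETA = frozenset({"malware", "benign"})  # frame of discernment


def engine_mass(verdict, accuracy):
    """Basic belief assignment (assumed mapping): the engine's accuracy backs
    its verdict; the remainder is ignorance on the whole frame, not belief
    in the opposite verdict."""
    return {frozenset({verdict}): accuracy, THETA: 1.0 - accuracy}


def dempster_combine(m1, m2):
    """Dempster's rule: multiply masses of intersecting focal sets and
    renormalise by the non-conflicting total."""
    out, conflict = Counter(), 0.0
    for a, pa in m1.items():
        for b, pb in m2.items():
            inter = a & b
            if inter:
                out[inter] += pa * pb
            else:
                conflict += pa * pb
    if conflict >= 1.0:
        raise ValueError("total conflict between engines")
    return {s: p / (1.0 - conflict) for s, p in out.items()}


def ds_decision(reports):
    """reports: list of (engine_name, verdict, accuracy). Returns the verdict
    with the largest combined belief and the belief table."""
    mass = None
    for _, verdict, acc in reports:
        m = engine_mass(verdict, acc)
        mass = m if mass is None else dempster_combine(mass, m)
    belief = {v: mass.get(frozenset({v}), 0.0) for v in THETA}
    return max(belief, key=belief.get), belief


def majority_vote(reports):
    return Counter(v for _, v, _ in reports).most_common(1)[0][0]


# Constructed engine group: one accurate engine outvoted by two weak ones.
REPORTS = [("static_crf", "malware", 0.95),
           ("engine_b", "benign", 0.60),
           ("engine_c", "benign", 0.55)]

if __name__ == "__main__":
    print("top features:", rank_features(SAMPLES, 3))
    print("majority vote:", majority_vote(REPORTS))
    print("D-S decision:", ds_decision(REPORTS))
```

On the constructed reports, majority voting returns "benign" while the accuracy-weighted D-S combination returns "malware" with belief about 0.77, which is the effect the abstract attributes to replacing voting with D-S combination. Features that occur only in the malware traces (for example the N-gram `write|write` and the sequential pair `write|write>write|read`) receive information gain 1.0 on this tiny set, while an N-gram present in every trace receives 0.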
Keywords/Search Tags: Conditional Random Fields, D-S evidence theory, static detection, N-grams, dynamic detection, system calls, cloud security, multi-engine detection