
Research And Implementation Of Unknown Threat Detection Technology Based On Behavior

Posted on: 2019-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: Q F Shi
Full Text: PDF
GTID: 2348330569495574
Subject: Engineering
Abstract/Summary:
Nowadays, mobile devices have become the mainstream electronic devices used by people. The threats against mobile devices are also increasing, including unknown threats that traditional signature-based analysis cannot detect. An unknown threat is an attack that has not previously been reported. On mobile devices it usually arrives as malicious software delivered over the Internet, which then exploits zero-day vulnerabilities to attack the device, causing serious losses to the user. How to effectively detect mobile malware and prevent unknown threats has therefore become an urgent need. In view of this, the main research contents of this thesis are as follows:

(1) An unknown threat detection model based on a feature selection algorithm is designed. This thesis uses a support vector machine as the classification model to classify unknown Android software and determine whether it is malicious. To address the poor model performance caused by too many software behavior features, we analyze the recursive feature elimination algorithm and the genetic algorithm and improve them. First, a lasso support vector machine is used to eliminate useless features, which reduces the number of iterations of recursive feature elimination; the recursive feature elimination algorithm is then fused with the genetic algorithm so that each compensates for the shortcomings of the other. Experiments show that the fused feature selection algorithm is effective at eliminating redundant and valueless features and improves the detection accuracy of the detection model.

(2) An improved incremental algorithm for the support vector machine. Because detecting new samples causes the detection rate to decrease over time, an incrementally updated detection model is used to maintain detection accuracy. First, the shortcomings of the incremental algorithm based on misclassified samples are analyzed, and the algorithm is then improved. The original algorithm selects only the samples near the misclassified points as incremental samples and ignores other samples that may matter. Instead, the KKT conditions are used in place of the misclassification test, kernel density estimation is used to estimate the data distribution after the new samples arrive, and the incremental samples are chosen as the samples that violate the KKT conditions together with samples of similar distribution, plus the historical support vectors and the samples near them. Training on these samples instead of all samples greatly reduces training time and saves storage space. Experiments show that the improved incremental algorithm is better suited to updating the Android unknown threat detection model than the misclassification-based algorithm.

(3) Finally, an unknown threat detection system is designed and implemented. Taking the Update Flash Player malware as an example, the system shows the behaviors extracted through static and dynamic analysis, together with a comprehensive analysis of the malware.
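The KKT-based incremental sample selection described in point (2), as an added illustration that is not code from the thesis: a minimal linear SVM trained by plain SGD on the regularised hinge loss, whose incremental step retrains only on the near-margin band of old samples plus the new samples that violate the KKT conditions, instead of on everything seen so far. Assumed simplifications: a linear kernel, constructed 2-D data, and a near-margin band standing in for the kernel density estimate.

```python
def train_linear_svm(samples, lam=0.01, eta=0.01, epochs=200):
    """Plain SGD on the L2-regularised hinge loss (assumption: linear kernel).
    samples: list of ((x1, x2), y) with y in {+1, -1}. Returns (w, b).
    Fixed sample order, so the result is deterministic."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in samples:
            w = [wi * (1 - eta * lam) for wi in w]   # weight shrinkage
            b *= 1 - eta * lam                       # bias regularised too
            if margin(w, b, x, y) < 1:               # hinge-loss subgradient
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
                b += eta * y
    return w, b

def margin(w, b, x, y):
    """Functional margin y*f(x). KKT: a support vector has y*f(x) <= 1."""
    return y * (w[0] * x[0] + w[1] * x[1] + b)

def predict(w, b, x):
    return 1 if w[0] * x[0] + w[1] * x[1] + b >= 0 else -1

def kkt_violators(new_samples, w, b):
    """New samples with y*f(x) < 1 (inside the margin or misclassified).
    Only these can move the optimum, so only they join the incremental set."""
    return [(x, y) for x, y in new_samples if margin(w, b, x, y) < 1]

def near_margin_band(samples, w, b, slack=0.2):
    """Historical support vectors and their neighbours: samples whose margin is
    within `slack` of the smallest one (stand-in for the kernel density step)."""
    lo = min(margin(w, b, x, y) for x, y in samples)
    return [(x, y) for x, y in samples if margin(w, b, x, y) <= (1 + slack) * lo]

def incremental_update(old_samples, new_samples, w, b):
    """Retrain on the reduced set (old band + new KKT violators) rather than
    on every sample seen so far. Returns (w, b, training_set_used)."""
    violators = kkt_violators(new_samples, w, b)
    if not violators:
        return w, b, []          # batch satisfies KKT: model stays as it is
    keep = near_margin_band(old_samples, w, b) + violators
    w2, b2 = train_linear_svm(keep)
    return w2, b2, keep

# Constructed toy data (not from the thesis): two separated classes ...
OLD = [((3, 3), 1), ((-3, -3), -1), ((4, 2), 1), ((-4, -2), -1),
       ((2, 4), 1), ((-2, -4), -1), ((3, 5), 1), ((-3, -5), -1),
       ((5, 3), 1), ((-5, -3), -1)]
# ... and a later batch: one easy sample plus three close to the boundary.
NEW = [((6, 6), 1), ((1, 1), 1), ((2, 0), 1), ((-1, -1), -1)]
```

Calling `incremental_update(OLD, NEW, *train_linear_svm(OLD))` retrains on 9 of the 14 samples: the six old samples nearest the margin and the three new points that violate the KKT conditions, while the easy sample (6, 6) is left out.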
Keywords/Search Tags: malware, unknown threat detection, feature selection, incremental learning, support vector machine