
The Study Of Automatic Generation Of Malware Behavior Ontology

Posted on: 2019-06-12
Degree: Master
Type: Thesis
Country: China
Candidate: J Z Jiang
Full Text: PDF
GTID: 2428330566498859
Subject: Computer technology
Abstract/Summary:
With the rapid development of computer science and the Internet, more and more important information is stored on computers and transmitted over the Internet. While this brings great convenience, security threats follow, and malware is one of the main threats. By stealing confidential data, spreading spam, and devastating computer systems, it causes users great losses, which makes malware detection ever more urgent. Currently, malware detection methods based on static analysis are easily defeated by code obfuscation techniques, whereas methods based on dynamic analysis bypass this problem by analyzing the malware's runtime behavior to identify its real intent. Using an ontology to model malware's runtime behavior and detect it is promising, and also helps in understanding the evolving trends of malware. However, an effective and efficient method of constructing a malware behavior ontology is still missing.

In this thesis, the author proposes a method of mining malware family behaviors and constructing a malware behavior ontology using machine learning algorithms. By studying the characteristics of malware behaviors in depth, a method was designed that extracts features from the interaction between malware and the operating system and filters them by occurrence frequency. Various algorithms were tried for mining knowledge about malware family behaviors, and some were improved to cope with problems encountered in the actual mining process. By analyzing the output of each algorithm and taking the complementarity and diversity of the algorithms into consideration, a method combining a decision tree algorithm with an improved association rule mining algorithm was proposed. The method also comprises a subprocess that uses these two algorithms to build several individual learners and ensembles them. Meanwhile, the author designed a representation of the class hierarchy and malware behavior knowledge based on the structural characteristics of an ontology. An ontology-based malware analysis and detection process was then built, which can not only predict the class of unknown samples but also report their dangerous behaviors. All the processes described above constitute a complete procedure for the automatic generation of a malware behavior ontology and for ontology-based malware analysis and detection. Experiments were conducted, and the results show that the proposed methods are effective for constructing ontologies that model the characteristics of malware behaviors.
Keywords/Search Tags:malware, dynamic malware behavior analysis, ontology