
Online Malware Detection Based On Network Behavior Analysis

Posted on: 2021-04-20
Degree: Master
Type: Thesis
Country: China
Candidate: A L Yan
GTID: 2428330605460608
Subject: Computer Science and Technology
Abstract/Summary:
As smartphones carry more and more private information, they have become the main target of malware attacks. At present, malware detection technology in academia is mainly divided into static analysis, dynamic analysis and network behavior analysis. Static analysis examines the static code of malware to identify the malicious nature of the application, but it cannot detect unknown malware. Dynamic analysis examines information such as the API calls made while the malware runs to determine whether the application exhibits malicious behavior, but it has a relatively high detection cost. Network behavior analysis judges the maliciousness of network interactions from the network traffic generated by application software. However, network traffic is characterized by rapid growth and constant change, so to guarantee the detection performance of the model, the model needs to be updated constantly. At present, most detection methods based on network behavior analysis adopt machine learning algorithms in a batch learning setting. However, this requires a lot of time, storage resources and execution memory, making such methods unsuitable for large-scale online malware detection scenarios.

In order to solve the problem of online malware detection based on network behavior analysis in the big data scenario, this paper carried out the following research work:

(1) To solve the problem of online malware detection model updating, this paper proposes a detection method based on ensemble learning, the core of which is a dual ensemble strategy. Specifically, at the first level of the ensemble strategy, multiple classifiers form a temporary ensemble, which can be updated by removing and adding classifiers. At the second level, multiple temporary ensembles constitute the detection model, which can be further updated by removing and adding temporary ensembles.

(2) To solve the problem of online malware detection model updating, this paper proposes a detection method based on a two-tier architecture. The first layer of this method identifies uncertain samples in the training set through a preliminary classification, whereas the second layer builds an improved classifier by filtering out such samples. This method realizes online updating of the model based on the incremental learning technique.

(3) Aiming at the problem of online malware detection, this paper proposes a deep neural network rule extraction method, which uses the extracted rules to detect malicious network behavior so as to improve the efficiency of online detection. Specifically, an input-hidden tree is constructed for each hidden layer to represent the rules between the input of the deep neural network and the output of that hidden layer. Then a hidden-output tree is constructed to represent the rules between the output of each hidden layer and the output of the deep neural network. Finally, the hidden layer is used as a bridge to merge these trees into an overall rule tree.

In conclusion, this paper proposes an effective solution for online malware model updating and online malware detection based on network behavior analysis, and demonstrates the effectiveness of the proposed methods through experiments. The research work of this paper has theoretical significance and application value for promoting the field of online malware detection.
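The dual ensemble strategy of item (1), as an added illustration that is not the thesis's own code: classifiers are added to and retired from temporary ensembles, and temporary ensembles are added to and retired from the detection model, so the model follows a change in malware traffic without retraining on all past data. The nearest-centroid base learner, the retirement policy (drop the member that scores worst on the newest batch), the schedule for opening a new temporary ensemble and the four flow features are all assumptions, and the traffic samples are constructed.

```python
import math, random

def make_flows(n, seed, mal_mean, benign_mean=(1500, 9000, 2, 300), sd=(20, 60, 1, 10)):
    # Constructed flows: ([bytes_out, bytes_in, distinct_dst_ports, mean_gap_ms], label)
    rng = random.Random(seed)
    return [([rng.gauss(m, s) for m, s in zip(mal_mean if i % 2 else benign_mean, sd)], i % 2)
            for i in range(n)]

class Centroid:
    """Nearest-class-mean classifier fitted on one batch (assumed base learner)."""
    def fit(self, batch):
        self.means = {y: [sum(c) / len(c) for c in zip(*[x for x, l in batch if l == y])]
                      for y in (0, 1)}
        return self
    def predict(self, x):
        return min((0, 1), key=lambda y: math.dist(x, self.means[y]))

def accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)

class Ensemble:
    """Majority vote over classifiers (level-1 temporary ensemble) or over temporary
    ensembles (level-2 detection model); add() retires the worst member when over capacity."""
    def __init__(self, cap):
        self.cap, self.members = cap, []
    def predict(self, x):
        return int(2 * sum(m.predict(x) for m in self.members) > len(self.members))
    def add(self, member, batch):
        self.members.append(member)
        if len(self.members) > self.cap:  # assumed policy: drop the member weakest on this batch
            self.members.remove(min(self.members, key=lambda m: accuracy(m, batch)))

def update(model, batch, tmp_cap, period, seen):
    """Every `period` batches open a fresh temporary ensemble, else grow the newest (assumed)."""
    clf = Centroid().fit(batch)
    if seen % period == 0:
        tmp = Ensemble(tmp_cap)
        tmp.add(clf, batch)
        model.add(tmp, batch)
    else:
        model.members[-1].add(clf, batch)

def drift_demo():
    """Stream four batches of one malware family, then four of a second family whose flows
    are benign-sized; returns accuracy on the new family before and after the update."""
    old, new = (300, 200, 8, 60), (1400, 8500, 9, 250)
    model, test, results = Ensemble(cap=2), make_flows(200, 99, new), []
    for seen, family in enumerate([old] * 4 + [new] * 4):
        update(model, make_flows(100, seen, family), 3, 2, seen)
        if seen in (3, 7):
            results.append(accuracy(model, test))
    return tuple(results)
```

Before the update every member was trained on the first family, so the new family is waved through as benign (accuracy 0.5 on a balanced test set); after four batches of the new family both retained temporary ensembles have been rebuilt and the new family is detected.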
Keywords: malware detection, incremental learning, machine learning, model update, online detection