Research On Automatic Signature Generation Algorithms For Polymorphic Worms Based On Transfer Learning

With the development of Internet technology and the emergent application of cloud computing,cloud storage and other service frameworks,the security of the Internet is facing severe challenges.With the help of flexible polymorphic mechanisms,polymorphic worms can change their appearances every time with infecting their targets,which can effectively avoid the detection of traditional intrusion detection systems(IDS).Therefore,how to generate polymorphic worms' signatures accurately and quickly is essential for defenders to prevent its rapid propagation.The thesis mainly includes the following three aspects:(1)A polymorphic worm signature generation algorithm based on the improved term frequency-inverse document frequency(TF-IDF)is proposed.Firstly,the signature hashing method is used to assign different position weights to substrings in different positions,and the high-dimensional substrings are compressed into low-dimensional vectors.Secondly,the traditional IDF algorithm is modified by introducing the checksum to reduce the weight influence of the rare substring.Finally,substring sequence is obtained by the computed weight,and the worm signature is generated.The results show that this improved algorithm can generate all worm signatures quickly and accurately under the noise,which is better than other algorithms.(2)A polymorphic worm signature generation model based on Gram-RBM is proposed.This model firstly gives two selection strategies of improved smoothing methods under three different elements in the improved smoothing N-gram algorithm.Secondly,according to the improved TF-IDF algorithm,the signature sequences generated by the improved smooth N-gram is transformed,and then the Gaussian-Bernoulli RBM is used to further reduce the dimension of the high-dimensional signature sequence.The results show that the model can generate the signatures of multi-species polymorphic worms more quickly and accurately with less computer resources.(3)A multi-task neural network signature generation model based on transfer learning is proposed.MoE(Mixture of Experts)neural network was used to transfer and train some training parameters retained by Gaussian-Bernoulli RBM.Firstly,the MoE multi-task neural network model was built to determine the task distribution process.Secondly,the transfer learning is reused the existing Gram-RBM model and connect with the MoE neural network,so as to automatically generate the signatures of multi-species polymorphic worms.The results show that the proposed model can not only generate the signatures of polymorphic worms,but also classify other malware family,and the classification results are better than the similar methods.It is also verified that transfer learning can not only transfer the existing model to the new model to ensure efficient generation of polymorphic worm signatures,but also provide a new idea for multi-model fusion.