
Research On Detection Method Of Malicious Software Based On Combined Kernel And GA-SVM

Posted on: 2020-04-24
Degree: Master
Type: Thesis
Country: China
Candidate: X J Wu
Full Text: PDF
GTID: 2428330623467010
Subject: Computer Science and Technology

Abstract/Summary:
The problem of software security is critical to both individuals and enterprises, and it is especially serious on the Windows operating system. Traditional malware detection methods based on static and dynamic analysis generally find it difficult to adapt to the continuous variation of malware. As a result, machine learning methods have gradually been applied to malware detection. Up to now, the common detection method contains two steps. First, the opcode features of the malware are extracted. Second, random forest, SVM or other methods are used to classify the data. The existing detection methods reach no conclusion on how to select the malware feature set, and their detection accuracy also needs improvement. Therefore, this thesis mainly presents a study on improving the GA-SVM method based on a composite kernel for malware detection. The main study procedures are as follows:

(1) The opcode text features of the malware were extracted based on N-Gram. Gist features were obtained after the binary files were converted into gray-scale images. After combining the features, the GA-SVM method was adopted to reduce the feature dimension and optimize the parameters.

(2) To solve the problem of premature convergence or failed convergence of the fitness value in the traditional GA-SVM method, a new probability model was proposed to calculate the crossover probability and mutation probability. The genetic generation and the fitness value were fed into the new probability model to compute the crossover probability and mutation probability dynamically, which solved the problems of slow individual evolution in the early stage and too many mutant individuals in the later stage of population evolution.

(3) A combined kernel function was constructed to solve the problem of poor detection results with the RBF kernel. The RBF kernel, Poly kernel and Sigmoid kernel were combined to construct a new kernel function, and the accuracy of malware detection was improved with the new combined kernel function.

According to the experimental results, the GA-SVM method based on the combined kernel improves the accuracy rate, recall rate and F1 value by 1.78%, 1.62% and 1.81% respectively, compared with the traditional single RBF kernel function on the MMCC (Microsoft Malware Classification Challenge) data set. In other words, the GA-SVM method based on the composite kernel has a good effect in detecting malware.
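As an added illustration (not code from the thesis), the following Python sketch shows how the opcode N-gram features of step (1) and the RBF + Poly + Sigmoid combined kernel of step (3) fit together into a precomputed kernel matrix for an SVM. The opcode traces are constructed toy data, and the kernel weights and parameters are assumptions, since the abstract does not state them.

```python
import math
from collections import Counter
from itertools import chain

# Constructed toy opcode traces standing in for disassembled binaries (not real samples).
SAMPLES = {
    "a": ["push", "mov", "call", "pop", "ret"],
    "b": ["push", "mov", "mov", "call", "ret"],
    "c": ["xor", "jmp", "xor", "jmp", "ret"],
}

def opcode_ngrams(opcodes, n=2):
    """Count opcode N-grams, the text feature of study step (1)."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))

def build_vocab(samples, n=2):
    """Sorted list of every N-gram seen; fixes the feature vector layout."""
    return sorted(set(chain.from_iterable(opcode_ngrams(s, n) for s in samples.values())))

def vectorize(opcodes, vocab, n=2):
    """Relative-frequency vector over vocab so trace length does not dominate."""
    counts = opcode_ngrams(opcodes, n)
    total = sum(counts.values()) or 1
    return [counts[g] / total for g in vocab]

def dot(x, y):
    return sum(a * b for a, b in zip(x, y))
def rbf_kernel(x, y, gamma=1.0):
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))
def poly_kernel(x, y, degree=2, coef0=1.0):
    return (dot(x, y) + coef0) ** degree
def sigmoid_kernel(x, y, alpha=0.1, coef0=0.0):
    return math.tanh(alpha * dot(x, y) + coef0)

def combined_kernel(x, y, weights=(0.5, 0.3, 0.2)):
    """Weighted sum of RBF, Poly and Sigmoid kernels (study step 3). The weights
    and kernel parameters are assumptions; the abstract does not state them."""
    w_rbf, w_poly, w_sig = weights
    return w_rbf * rbf_kernel(x, y) + w_poly * poly_kernel(x, y) + w_sig * sigmoid_kernel(x, y)

def gram_matrix(vectors, kernel=combined_kernel):
    """Precomputed kernel matrix, the form an SVM solver takes for a custom kernel.
    Note: the Sigmoid term is not positive semi-definite for every alpha/coef0,
    so check the matrix before training."""
    return [[kernel(x, y) for y in vectors] for x in vectors]

VOCAB = build_vocab(SAMPLES)
VECTORS = {name: vectorize(ops, VOCAB) for name, ops in SAMPLES.items()}
GRAM = gram_matrix(list(VECTORS.values()))
```

With these toy traces the two samples sharing opcode bigrams ("a" and "b") score a higher combined kernel value than the unrelated pair ("a" and "c"), which is the similarity the SVM then separates on.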
Keywords/Search Tags: Probability model, SVM, Combined kernel, Binary file, Feature extraction