Research On Technology Of Cloud Unknown Threat Detection Based On Reinforcement Learning

Posted on: 2020-07-24
Degree: Master
Type: Thesis
Country: China
Candidate: C S Wu
GTID: 2518306548993849
Subject: Cyberspace security
Abstract/Summary:
In recent years, the concept of cloud computing has been widely popularized, and cloud-based application technology has become a hot topic. Cloud data centers play an indispensable role in information and Internet technologies. At the same time, however, their rapid development has also highlighted potential security threats. The problems of network performance overhead in cloud data centers and of frequently updated cloud malware are becoming more and more serious. Improving the ability to proactively detect cloud malware therefore plays a crucial role in today's cloud platform security protection. This thesis focuses on cloud unknown-threat detection technology based on reinforcement learning, realizing active defense against Windows malware on the cloud platform. The innovations are as follows:

1) Design of a cloud-platform-based static feature generation model for Windows malware (Gym-plus). Targeting complex PE file datasets, Gym-plus uses the LIEF library for Python to extract static features such as the file's signature, constant strings, static API calls and so on. The extracted features are checked by an existing detection model with a high detection rate to determine whether the file is malicious. Reinforcement learning is used to generate new adversarial samples that can bypass detection. These samples are labeled as malicious and added to the original dataset for model re-training.

2) Design of a cloud-platform-based dynamic feature generation model for Windows malware (Mal-RL). This model focuses on extracting and detecting the dynamic features of API calls on the cloud platform, which are directly related to how malicious the software is. Mal-RL uses a virtual machine to build an effective detection model and to extract the dynamic API call features of Windows malware. Reinforcement learning methods are applied to modify the retrieved API call feature set. Furthermore, the modification efficiency is improved and the generation of adversarial examples is sped up by introducing the concepts of minimum modification cost, virtual benign sample and best confrontation sample. The experiments show that the adversarial examples generated by Mal-RL have a higher attack success rate than their traditional, randomly generated counterparts.

3) Design of a two-level training active defense system for cloud-based unknown threats. The two models above are employed serially for reinforcement learning training, which compensates for the shortcomings in the accuracy of Gym-plus and in the speed at which Mal-RL processes samples. The two models are integrated efficiently, giving a fast processing speed and a high accuracy. To address the problem that the existing detection model cannot effectively detect "disguised benign software" (namely, adversarial examples), a two-level training method based on the malware detection model is proposed. The method has two steps: a pre-training process based on large-scale data, and a re-training process based on small-scale adversarial samples. The experiment shows that the detection accuracy of the detection model increases from 15.75% to 93.5% with the two-level training method. The active defense capability is markedly improved.
Keywords/Search Tags: Windows, Malware Detection, Reinforcement Learning, Adversarial Examples, Active Defense