
Research On Software Behavior Detection Method Based On System Call

Posted on: 2022-07-18
Degree: Master
Type: Thesis
Country: China
Candidate: M D Hou
Full Text: PDF
GTID: 2518306554471074
Subject: Computing technology

Abstract/Summary:
With the rapid development of the Internet, software of every kind has become an indispensable part of social life and provides many conveniences, but rampant malware constantly threatens network and information security, and incidents in which malware causes losses to enterprises and individuals are not uncommon. Detecting malware, and using that detection to effectively control its spread, is therefore an important means of ensuring network and information security. This paper starts from malware behavior, combines dynamic analysis with ontology and machine learning methods, and realizes the detection of malware behavior from the system call information produced while software runs. The main research work is as follows:

(1) To address the difficulty of describing and detecting malware with semantic methods, a malware semantic description model based on multiple ontologies is proposed. A knowledge representation method based on OWL ontologies is proposed to describe malware semantics through the system call information and software structure information observed during execution. The model combines an object-oriented knowledge representation method with ontology definitions, defining the ontology classes, objects and attributes related to malware concepts together with a semantic ontology representation of malware behavior. Ontologies generated automatically from multiple software samples yield a semantic description ontology that can both represent the semantic information of malware and mark malicious software behavior through a hybrid reasoning method.

(2) A software behavior detection model based on system calls and machine learning algorithms is proposed, using a Hidden Markov Model (HMM) and a Recurrent Neural Network (RNN) for software behavior detection. Drawing on the application of HMMs to Chinese and English word segmentation, the model mines the latent semantic and contextual information between software behaviors and splits the system call sequence accordingly, which effectively solves the loss of contextual information suffered by system-call-based detection methods that intercept fixed-length sequences. Then, following the application of RNNs in sentiment analysis, the short system call sequences produced by the HMM are processed by an RNN; an attention mechanism is added to the RNN to improve its ability to extract local feature information and to improve the accuracy with which the model predicts a tendency toward malicious behavior from the complete information. To improve the detection effect of the model, its threshold is established dynamically through multi-batch training: the best threshold of the current batch is found from the ROC curve of each training set, and the variance of the relevant parameters across those thresholds is then computed to select the best overall threshold. This effectively improves the model's scope of application and detection accuracy.

The experimental results show the feasibility of using multi-ontology semantic description to detect malware behavior: it guarantees the quality and efficiency of generating the semantic description ontology of the software under examination and effectively completes the marking of malware behavior through ontology reasoning. In the HMM-RNN malware behavior detection method, the HMM and the RNN effectively play their respective strengths in sequential information mining and tendency prediction, and the method can effectively detect malware behavior from system call sequences.
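As an added illustration of the HMM segmentation step described in (2), and not code from the thesis, the following Python example tags a system call trace with BMES states (Begin, Middle, End, Single) in the way HMM word segmenters tag characters, then cuts the trace into behaviour units at every unit boundary. The transition and emission probabilities and the sample trace are constructed toy values assumed here, not parameters learned in the thesis.

```python
import math

# BMES tagging borrowed from HMM word segmenters: each call is the Begin,
# Middle, End or Single element of one behaviour unit (assumed scheme).
STATES = ["B", "M", "E", "S"]
START = {"B": 0.6, "M": 0.0, "E": 0.0, "S": 0.4}
TRANS = {  # only well-formed units are reachable: S, or B M* E
    "B": {"B": 0.0, "M": 0.5, "E": 0.5, "S": 0.0},
    "M": {"B": 0.0, "M": 0.5, "E": 0.5, "S": 0.0},
    "E": {"B": 0.6, "M": 0.0, "E": 0.0, "S": 0.4},
    "S": {"B": 0.6, "M": 0.0, "E": 0.0, "S": 0.4},
}
EMIT = {  # constructed toy emissions; a real model learns them from traces
    "B": {"open": 0.4, "socket": 0.4, "getpid": 0.1},
    "M": {"read": 0.3, "write": 0.3, "connect": 0.2, "send": 0.2},
    "E": {"close": 0.8, "send": 0.1, "write": 0.1},
    "S": {"getpid": 0.6, "getuid": 0.4},
}
UNSEEN = 1e-3  # smoothing for (state, call) pairs missing from EMIT

def log(p):
    return math.log(p) if p > 0 else float("-inf")

def viterbi(trace):
    """Most probable BMES tag for every call in `trace` (log-space Viterbi)."""
    score = [{s: log(START[s]) + log(EMIT[s].get(trace[0], UNSEEN)) for s in STATES}]
    back = []
    for call in trace[1:]:
        cur, ptr = {}, {}
        for s in STATES:
            prev = max(STATES, key=lambda p: score[-1][p] + log(TRANS[p][s]))
            cur[s] = score[-1][prev] + log(TRANS[prev][s]) + log(EMIT[s].get(call, UNSEEN))
            ptr[s] = prev
        score.append(cur)
        back.append(ptr)
    tags = [max(STATES, key=lambda s: score[-1][s])]
    for ptr in reversed(back):  # follow back-pointers to recover the path
        tags.append(ptr[tags[-1]])
    return tags[::-1]

def segment(trace):
    # Cut the trace into behaviour units at every E or S tag.
    units, cur = [], []
    for call, tag in zip(trace, viterbi(trace)):
        cur.append(call)
        if tag in ("E", "S"):
            units, cur = units + [cur], []
    return units + ([cur] if cur else [])  # keep a truncated trailing unit

# Constructed sample trace: a file read followed by a network send.
TRACE = ["open", "read", "write", "close", "getpid",
         "socket", "connect", "send", "close"]
```

A fixed-length window of four calls over TRACE would split the socket unit across two windows, which is the loss of context the HMM segmentation avoids; the units returned by `segment` are what the RNN stage would then consume.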
Keywords/Search Tags: Multi-class ontology, Malware, Software behavior, Hidden Markov model, Recurrent neural network