
Research On Malware Multi-feature Detection Technology Based On Ensemble Learning

Posted on: 2022-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: W P Ji
Full Text: PDF
GTID: 2518306563974779
Subject: Computer Science and Technology
Abstract/Summary:
With the advance of the information era, mobile applications are being developed in huge numbers, and software security has received growing attention. Although research on malware detection technology continues to deepen, the number of new malware samples has still grown rapidly in recent years. At the same time, in order to evade detection and make illegal profits, malware itself is constantly evolving and becoming more destructive and contagious. Therefore, mobile phone application security remains an issue worthy of attention.

At present, most research on mobile phone malware detection addresses either the binary classification of malicious versus non-malicious software or the classification of malware families; there is little research on classifying malware into categories. Category classification divides malware into several categories according to its behavioral characteristics, and each category contains many malware families. Although research on malware categories is relatively weak, it is of great significance, especially for unknown malware: it is difficult to assign unknown malware to a particular family, but it can be placed in a category according to its behavioral characteristics. Therefore, building on the binary classification of malware, this thesis analyzes and researches the classification of malicious software into different categories. It designs new malware detection techniques based on the running-memory characteristics of specific processes and on the network traffic characteristics observed while the malicious software runs. The main work of this thesis is as follows:

(1) Through analysis of the behavior and purpose of different types of malware, this thesis finds a connection between different types of malware and certain processes. Starting from these specific processes, it uses the memory data of these processes while the software runs as malware identification features and designs a new malware identification algorithm. The experimental results show that binary classification accuracy reaches 99.73% using the process memory feature. Compared with existing methods, this proves that process memory features can distinguish malware well.

(2) A method for identifying malware categories from process memory data is proposed. The method converts the memory data of multiple specific processes into image data, so that the malware detection problem is indirectly converted into an image recognition problem: the memory image data is fed into a convolutional neural network, which automatically learns features for classification. Furthermore, the idea of ensemble learning is introduced, and classification accuracy is further improved by integrating the results of multiple convolutional neural networks. The method achieves an accuracy of 93.67% on category classification, a certain improvement over the work of others.

(3) To prevent some malware from escaping detection by masquerading in a single feature and thereby interfering with the classification results, and building on the analysis of malware by traffic characteristics, this thesis also combines the memory characteristics and traffic characteristics of samples to detect the malware category, and compares the recognition rates of different categories of malware. The experimental results show that combining process memory characteristics with network traffic characteristics increases the detection rate of scareware by 6%, which proves that the categories of malware detected by different features differ, and provides a new idea for feature selection in future malware detection.
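The abstract describes two building blocks without giving code: mapping raw process memory bytes onto a grayscale image so an image classifier can consume them, and combining the outputs of several classifiers (an ensemble of CNNs, and later a memory-based and a traffic-based view of the same sample). The following is an added example written for this page, not code from the thesis; it assumes the common "one byte, one pixel" layout with a near-square width and a weighted soft-voting rule, neither of which the abstract specifies, and the byte buffer, category labels and probability vectors are constructed sample data.

```python
"""Added illustration (not the thesis's code): memory bytes to image, plus
weighted soft voting over several classifiers' probability outputs.
"""
import math
from typing import Optional

# Constructed category labels used only for the demonstration below.
LABELS = ["benign", "scareware", "other_malware"]


def memory_to_image(data: bytes, width: Optional[int] = None) -> list[list[int]]:
    """Map a raw byte buffer to a 2-D grayscale image (rows of 0-255 pixels).

    Assumption: each byte becomes one pixel. If no width is given, the image
    is made as square as possible and the last row is zero-padded so every
    row has the same length, which is what a CNN input expects.
    """
    if not data:
        raise ValueError("empty buffer")
    if width is None:
        width = max(1, math.isqrt(len(data)))
    height = math.ceil(len(data) / width)
    padded = data + b"\x00" * (width * height - len(data))
    return [list(padded[r * width:(r + 1) * width]) for r in range(height)]


def soft_vote(prob_vectors: list[list[float]],
              weights: Optional[list[float]] = None) -> tuple[str, list[float]]:
    """Combine several models' class-probability vectors by weighted averaging.

    With equal weights this is the plain ensemble average over CNN members;
    with two inputs and chosen weights it also serves as a late-fusion rule
    for a memory-based and a traffic-based classifier (assumed rule, not the
    thesis's). Returns the winning label and the fused probability vector.
    """
    if not prob_vectors:
        raise ValueError("no model outputs to combine")
    n_classes = len(LABELS)
    for p in prob_vectors:
        if len(p) != n_classes:
            raise ValueError("probability vector length does not match LABELS")
    if weights is None:
        weights = [1.0] * len(prob_vectors)
    if len(weights) != len(prob_vectors):
        raise ValueError("one weight per model required")
    total = sum(weights)
    fused = [sum(w * p[i] for w, p in zip(weights, prob_vectors)) / total
             for i in range(n_classes)]
    best = max(range(n_classes), key=fused.__getitem__)
    return LABELS[best], fused


if __name__ == "__main__":
    # Constructed stand-in for a process memory snapshot (17 bytes).
    snapshot = bytes(range(17))
    img = memory_to_image(snapshot)
    print(f"{len(img)} rows x {len(img[0])} cols; last row padded: {img[-1]}")

    # Constructed softmax outputs of three ensemble members on one sample.
    members = [[0.6, 0.2, 0.2], [0.3, 0.4, 0.3], [0.2, 0.1, 0.7]]
    print("ensemble:", soft_vote(members))

    # Constructed outputs of a memory-only and a traffic-only classifier:
    # the memory view alone misses the scareware, the fused view catches it.
    memory_view = [0.5, 0.4, 0.1]
    traffic_view = [0.2, 0.7, 0.1]
    print("fused:", soft_vote([memory_view, traffic_view], weights=[1.0, 1.0]))
```

The image helper only reshapes bytes; any real pipeline would also fix the image size (resize or crop) so every sample has identical dimensions before training. The last call shows the effect the abstract reports for scareware: a sample the memory-only view leaves as "benign" tips to "scareware" once the traffic-based probabilities are averaged in.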
Keywords/Search Tags: Malware Detection, Category Detection, Ensemble Convolutional Neural Network, Memory, Process, Traffic