
Malware Detection Based On Ontology

Posted on: 2024-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y P Gao
Full Text: PDF
GTID: 2568307157482534
Subject: Cyberspace security

Abstract/Summary:
Malware is typically stealthy and built to evade antivirus products, which makes manual analysis, behavioural profiling and the tracing of malicious attacks difficult for security personnel. To alleviate these problems, this thesis uses the Cuckoo sandbox to run executable malware under dynamic analysis, extracts the characteristic behaviour information recorded during execution, and constructs a malware ontology and malware characteristic behaviour graphs. A malware family classification method based on graph structure is then proposed. Finally, a malware knowledge graph is built on top of the ontology, its applicability is studied, and malware within the same family is divided into finer-grained categories.

For the problem of malware knowledge extraction, a layer-based extraction method is proposed. First, characteristic behaviour is extracted from the dynamic analysis performed by the Cuckoo sandbox system. Then, by defining sensitive information and key parameters, the semi-structured information in the sandbox analysis report is cleaned and extracted to obtain structured characteristic behaviour information. Finally, this information is combined with Malware Attribute Enumeration and Characterization (MAEC) to construct the malware ontology, which guides the subsequent knowledge extraction and knowledge graph construction.

For the problem of malware family classification, the characteristic behaviour information is a semi-structured data type and the individual records exhibit clear graph-structured relationships to one another, so this thesis proposes a classification method based on graph structure. First, the characteristic behaviour information obtained by the knowledge extraction method is converted into graph data, and optimisations such as merging redundant nodes and edges are applied to the converted graph to produce malware characteristic behaviour graphs. Then a family feature graph is constructed by graph clustering. Finally, malware is classified by graph matching. The method is evaluated on three indicators, recall, precision and misclassification rate, with averages of 96.27%, 96.66% and 3.33% respectively; on these indicators it outperforms the existing methods it is compared against.

For the problem of classifying sub-families within the same malware family, a knowledge mining method based on a malware knowledge graph is proposed. Technical points in the malware field are collected and organised, and methods of malware classification and knowledge graph construction are studied for knowledge extraction. The knowledge model and node design are determined, including the storage of entities, relationships and attributes; a malware knowledge graph is built and its graphical interface is implemented with PyQt. Finally, an improved Louvain algorithm is used for knowledge mining, normalized mutual information (NMI) is used to measure the similarity of the clustering results, and a finer-grained sub-family division of malware within the same family is achieved.
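The extraction, graph construction, family feature graph and graph matching steps described in the abstract, as an added Python example that is not the thesis's code or Cuckoo's. The report dictionary mirrors the `behavior.processes[].calls[]` layout of a Cuckoo JSON report, but the sensitive API list, argument names, family names, paths and sample values are all constructed; a consensus edge set stands in for the thesis's graph clustering step and Jaccard overlap for its graph matching, and the evaluation reports the same three indicators the abstract cites.

```python
"""Added example: sandbox report -> behaviour graph -> family feature graph -> classification.
Not the thesis's code; report layout, API list, family names and values are constructed."""
import re
from collections import Counter

# Constructed "sensitive information": API name -> behaviour category.
SENSITIVE_APIS = {
    "CreateFileW": "file", "WriteFile": "file", "DeleteFileW": "file",
    "RegSetValueExW": "registry", "RegCreateKeyExW": "registry",
    "InternetOpenUrlA": "network", "connect": "network",
    "CreateProcessInternalW": "process",
}
# Constructed "key parameters": argument names that identify a call's target.
ARG_KEYS = ("filepath", "regkey", "url", "ip", "command_line")
USER_DIR = re.compile(r"c:\\users\\[^\\]+\\")


def normalise_target(target):
    """Node merging: lower-case and strip the per-victim user directory so the
    same action seen on different machines maps to one graph node."""
    if not target:
        return "<none>"
    return USER_DIR.sub(lambda _: "c:\\users\\*\\", str(target).lower())


def extract_behaviour(report):
    """Clean the semi-structured report into structured (category, api, target) triples."""
    triples = []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            api = call.get("api")
            if api not in SENSITIVE_APIS:
                continue  # drop noise such as timing or sleep calls
            args = call.get("arguments", {})
            target = next((args[k] for k in ARG_KEYS if k in args), None)
            triples.append((SENSITIVE_APIS[api], api, normalise_target(target)))
    return triples


def build_graph(triples):
    """Behaviour graph as a frozenset of directed edges; repeated calls collapse
    into a single edge (the edge-merging optimisation)."""
    edges = set()
    for category, api, target in triples:
        edges.add((category, api))
        edges.add((api, target))
    return frozenset(edges)


def family_feature_graph(graphs, min_support=0.5):
    """Consensus graph: edges present in at least min_support of the family's samples."""
    counts = Counter(edge for g in graphs for edge in g)
    return frozenset(e for e, c in counts.items() if c / len(graphs) >= min_support)


def jaccard(a, b):
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def classify(graph, family_graphs, threshold=0.3):
    """Graph matching: the family feature graph with the highest edge overlap wins."""
    family, score = "unknown", 0.0
    for name, fg in family_graphs.items():
        if (s := jaccard(graph, fg)) > score:
            family, score = name, s
    return (family, score) if score >= threshold else ("unknown", score)


def evaluate(pairs, families):
    """Macro-averaged recall and precision over families, plus misclassification rate."""
    tp, fp, fn, wrong = Counter(), Counter(), Counter(), 0
    for predicted, truth in pairs:
        if predicted == truth:
            tp[truth] += 1
        else:
            wrong += 1
            fn[truth] += 1
            fp[predicted] += 1
    rate = lambda num, den: num / den if den else 0.0
    return {"recall": sum(rate(tp[f], tp[f] + fn[f]) for f in families) / len(families),
            "precision": sum(rate(tp[f], tp[f] + fp[f]) for f in families) / len(families),
            "misclassification": wrong / len(pairs)}


def make_report(calls):
    """Constructed stand-in for the 'behavior' section of a Cuckoo JSON report."""
    return {"behavior": {"processes": [{"process_name": "sample.exe", "calls": [
        {"api": api, "arguments": args} for api, args in calls]}]}}


def user(name, tail):  # constructed per-victim path
    return "C:\\Users\\" + name + "\\" + tail

DOC, DROP = r"Documents\q1.docx", r"AppData\Local\Temp\p.exe"
RUN_KEY, URL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "http://example.test/payload.bin"
TRAINING = {  # constructed labelled reports, two per family
    "ransom": [
        make_report([("CreateFileW", {"filepath": user("alice", DOC)}), ("WriteFile", {"filepath": user("alice", DOC)}),
                     ("DeleteFileW", {"filepath": user("alice", DOC)}), ("RegSetValueExW", {"regkey": RUN_KEY}),
                     ("GetTickCount", {})]),
        make_report([("CreateFileW", {"filepath": user("bob", DOC)}), ("WriteFile", {"filepath": user("bob", DOC)}),
                     ("WriteFile", {"filepath": user("bob", DOC)}),  # duplicate call, merged into one edge
                     ("DeleteFileW", {"filepath": user("bob", DOC)})]),
    ],
    "downloader": [
        make_report([("InternetOpenUrlA", {"url": URL}), ("CreateFileW", {"filepath": user("alice", DROP)}),
                     ("CreateProcessInternalW", {"command_line": user("alice", DROP)})]),
        make_report([("InternetOpenUrlA", {"url": URL}), ("CreateFileW", {"filepath": user("carol", DROP)}),
                     ("CreateProcessInternalW", {"command_line": user("carol", DROP)}), ("Sleep", {})]),
    ],
}
TEST_SAMPLES = [  # (true family, constructed report)
    ("ransom", make_report([("CreateFileW", {"filepath": user("dave", DOC)}), ("WriteFile", {"filepath": user("dave", DOC)}),
                            ("DeleteFileW", {"filepath": user("dave", DOC)}), ("RegSetValueExW", {"regkey": RUN_KEY})])),
    ("downloader", make_report([("InternetOpenUrlA", {"url": URL}), ("CreateFileW", {"filepath": user("erin", DROP)}),
                                ("CreateProcessInternalW", {"command_line": user("erin", DROP)}),
                                ("connect", {"ip": "203.0.113.5", "port": 443})])),
    ("downloader", make_report([("Sleep", {}), ("GetTickCount", {})])),  # evasive run: no sensitive calls
]


def run_demo():
    """Build family graphs from TRAINING, classify TEST_SAMPLES, return predictions and metrics."""
    family_graphs = {fam: family_feature_graph([build_graph(extract_behaviour(r)) for r in reports])
                     for fam, reports in TRAINING.items()}
    predictions = [(classify(build_graph(extract_behaviour(r)), family_graphs)[0], truth)
                   for truth, r in TEST_SAMPLES]
    return predictions, evaluate(predictions, list(TRAINING))


if __name__ == "__main__":
    preds, metrics = run_demo()
    for predicted, truth in preds:
        print(f"predicted={predicted:<11} truth={truth}")
    print(metrics)
```

The third test sample shows the failure mode the abstract's opening sentence alludes to: a run that exposes no sensitive calls yields an empty behaviour graph, which matches no family and is counted against recall and the misclassification rate rather than being forced into a family.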
Keywords/Search Tags: ontology, sandbox, malware detection, knowledge graph, Neo4j