CN102142068A - Method for detecting unknown malicious code - Google Patents

Abstract

The invention discloses a method for detecting an unknown malicious code in the technical field of information safety, which can detect the malicious code in a file in advance under the situation that a malicious code library is not updated. The method comprises the following steps: extracting the feature vector of a file in a training set by utilizing a Byte n-grams method; carrying out the dimension reduction to the extracted feature vector of the file in the training set by adopting a local linear embedding algorithm; taking the feature vector after being subjected to dimension reduction as input, training a kernel cover classifier by utilizing a kernel cover learning algorithm; extracting the feature vector of the file in a test set by utilizing the Byte n-grams method again; carrying out the dimension reduction to the extracted feature vector of the file in the test set by adopting the local linear embedding algorithm; inputting a result after being subjected to dimension reduction into the kernel cover classifier for classification; and calculating the classification result and determining whether the file in the test set contains the malicious code. With the adoption of the method, the detection speed of the file is improved, and the advanced accuracy detection of the malicious code is realized.

Description

A kind of detection method of unknown malicious code

Technical field

The invention belongs to field of information security technology, relate in particular to a kind of detection method of unknown malicious code.

Background technology

At present, malicious code is ubiquitous on the internet, and it is propagated, harmfulness, hide property etc. and also improving constantly, thereby makes the computer malevolence code testing be faced with great challenge.Existing computer malevolence code detection technique mainly contains two kinds, a kind of mode-matching technique that is based on condition code, and another kind is based on the detection technique of malicious code rule of conduct.

Mode-matching technique based on condition code is by the analyst it to be carried out manual analysis after the malicious code file occurs, extract the condition code of this malicious code file of energy unique identification, and condition code upgraded to malicious code condition code storehouse, then the condition code storehouse is offered the user, be used for malicious code in the killing computer program.Based on the detection technique of malicious code rule of conduct, be to come the detection of malicious code according to the more predefined malicious code rule of conduct of expert.The shortcoming of above-mentioned two kinds of detection methods is to bring in constant renewal in the malicious code data storehouse, otherwise the malicious code of newtype just can be walked around detection.In addition, these two kinds of technology are a kind of detection techniques afterwards, can not detect it before emerging malicious code is carried out, and have only after malicious code occurs, it is carried out feature extraction and its condition code is upgraded to property data base by the analyst, just can detect.Yet during this period, malicious code can obtain operation and damage.

Summary of the invention

The objective of the invention is to, deficiency at present malicious code detection technique existence, a kind of detection method of unknown malicious code is proposed, with the sample set that comprises malice file and non-malice file simultaneously as training set, utilize the classification algorithm training sorter, utilize the sorter that trains that unknown file is classified then, to determine whether it is the malicious code file.

In order to realize purpose of the present invention, the technical scheme that provides of the present invention is that a kind of detection method of unknown malicious code is characterized in that described method comprises the following steps:

Step 1: utilize Byte n-grams method to extract the proper vector of the file in the training set;

Step 2: adopt the local linear algorithm that embeds that the proper vector of the file in the training set that extracts is carried out dimensionality reduction;

Step 3: as input, utilize nuclear to cover learning algorithm training nuclear cover classification device the proper vector behind the dimensionality reduction;

Step 4: utilize Byte n-grams method to extract the proper vector of the file in the test set;

Step 5: adopt the local linear algorithm that embeds that the proper vector of the file in the test set that extracts is carried out dimensionality reduction;

Step 6: the cover classification of the input nucleus as a result device behind the dimensionality reduction is classified, after classification results is added up, determine whether the file in the test set contains malicious code.

The local linear embedding algorithm of described employing carries out dimensionality reduction to proper vector and specifically comprises:

Step 21: as sample point, utilize the k nearest neighbor method to seek K neighbour's point of each sample point proper vector, wherein K is a setting value;

Step 22: utilize formula

Construct the partial reconstruction weight matrix of each sample point xi, wherein N is the number of sample point;

Step 23: by each sample point x _iPartial reconstruction weight matrix and neighbour thereof put and calculate its low-dimensional output valve.

In the described step 23, sample point x _iLow-dimensional output y _iSatisfy following mapping condition:

And

Wherein I is the unit matrix of m * m, and m is the dimension behind the dimensionality reduction.

Described step 3 specifically comprises:

Step 31: in the sample space that sample point constitutes, structure covering field system;

Step 32: the covering field is merged, will belong to the sphere that similar covering field is fused into feature space;

Step 33: construct blend surface f (x), to each sample point x _iCalculate f (x _i) value, if f (x _i) value greater than zero, this sample point x then _iRepresentative does not contain the file of malicious code; If f is (x _i) value less than zero, this sample point x then _iRepresentative contains the file of malicious code.

The present invention introduces manifold learning arithmetic file is carried out feature selecting, can find significant low dimensional structures from high dimensional data and carry out dimensionality reduction, has improved the detection speed of file; In addition, introducing nuclear covering learning algorithm can construct once and just can accurately divide the kernel function of sample set in the classification learning algorithm, thereby has realized the target of the emerging malicious code of accurate detection.

Description of drawings

Fig. 1 is the process synoptic diagram of the detection method of unknown malicious code;

Fig. 2 adopts local linear algorithm carries out dimensionality reduction to the proper vector of extracting the process flow diagram that embeds;

Fig. 3 utilizes nuclear to cover the process flow diagram of learning algorithm training nuclear cover classification device.

Embodiment

Below in conjunction with accompanying drawing, preferred embodiment is elaborated.Should be emphasized that following explanation only is exemplary, rather than in order to limit the scope of the invention and to use.

The thinking that the present invention deals with problems is: with file that contains malicious code simultaneously and the file set that does not contain malicious code is training sample, adopt manifold learning arithmetic that the training set file is carried out feature selecting, thereby the corresponding proper vector of each file, proper vector is trained nuclear cover classification device as the input of nuclear cover classification algorithm.At last unknown file being carried out feature selecting and produce the characteristic of correspondence vector, as the input of sorter it is classified, is malice file or non-malice file thereby tell it.

Below in conjunction with the description of drawings specific implementation of the present invention.Fig. 1 is the testing process synoptic diagram of the intelligent detecting method of unknown malicious code provided by the present invention.This method comprises following step:

Step 1: utilize Byte n-grams method to extract the proper vector of the file in the training set.

Training set can be constructed by the standard data set of online download., can download to the standard data set that is used for carrying out the malicious code detection specially on the net, data centralization can comprise malicious code file and normal file, can concentrate select File construct training set from normal data according to ad hoc rules.

Byte n-grams method is to adopt the moving window of a n byte-sized to get speech to binary word throttling or text, and each speech all is a n byte-sized.Content such as a text is " abcdef ", and its 2-grams sequence is so: ab bc cd de ef, the 3-grams sequence is: abc bcd cde def.

Content with a file is that " abcd " is example, this document is extracted the 2-grams sequence be: ab bccd, so just say that this file has three attributes, and the vector that can utilize these three attributes to form is represented this file, vector is: { ab, bc, cd}.

Each attribute is quantized, can obtain the proper vector of this document.Be changed to 1 such as a at the alphabet meta, b is 2 ..., so we can with the position and rule quantize, quantized result be 3,5,7}.{ 3,5,7} is the proper vector of this document to vector.

Step 2: adopt the local linear algorithm that embeds that the proper vector of the file in the training set that extracts is carried out dimensionality reduction.Fig. 2 adopts the local linear algorithm that embeds that the proper vector of extracting is carried out the process flow diagram of dimensionality reduction, among Fig. 2, adopts the local linear algorithm that embeds the proper vector of the file in the training set that extracts is carried out dimensionality reduction to comprise:

Step 21: as sample point, utilize the k nearest neighbor method to seek K neighbour's point of each sample point proper vector, wherein K is a setting value.

K the sample point nearest with respect to asking sample point is defined as K neighbour's point of the sample point of asking, and wherein K is a value given in advance, and the calculating of distance can be adopted the Euclidean distance computing method.The Euclidean distance algorithm is as follows: establish x, y ∈ R ^N, x then, the Euclidean distance of y can be tried to achieve by following formula:

${\left(\underset{i=1}{\overset{N}{\mathrm{\Σ}}}{(x^i-y^i)}^2\right)}^{\frac{1}{2}}$

Step 22: utilize formula

Construct each sample point x _iThe partial reconstruction weight matrix

Wherein

N is the number of sample point.

W=(w _Ij) ∈ M _{N, n}Be such weight matrix, if x _iWith x _jNon-conterminous, w then _Ij=0, establish x _iWith x _j(j=1,2 ..., be adjacent K), constraint is then arranged

Use XW approximate representation X, can have certain error, the Frobenius norm that defines matrix here is as follows: A=(a _{I, j}) ∈ M _{M, m}, be a m rank matrix, then

Seek W by the following formula constraint:

Promptly

This is equivalent to ask separating of a series of least square problems.As to x _i, can obtain by following system of equations

$w_{\mathrm{jk},i}:\left\{\begin{array}{c}\underset{k=1}{\overset{K}{\mathrm{\Σ}}}{w}_{\mathrm{jk},i}=1\\ X{w}_i=x_i\end{array}\right.$

Step 23: by each sample point x _iPartial reconstruction weight matrix and neighbour thereof put and calculate its low-dimensional output valve.

By weight matrix W, we can find suitable y in lower dimensional space _i, can finish by following constraint:

Y wherein _iBe x _iOutput vector, y _{Jk, i}(k=1,2 ..., K) be y _iNeighbour's point, and to satisfy two conditions:

With

Wherein I is the unit matrix of m * m.Thus, loss function can be rewritten as: Wherein M is the symmetric matrix of n * n: M=(I-W) ^T(I-W).

Make the loss function value reach minimum, then getting Y is minimum m the pairing proper vector of nonzero eigenvalue of M.In processing procedure, the eigenwert of M to be arranged from small to large, first eigenwert almost approaches zero, casts out first eigenwert so.Usually get the pairing proper vector of eigenwert from the 2nd to m+1 as the output result.

Step 3: as input, utilize nuclear to cover learning algorithm training nuclear cover classification device the proper vector behind the dimensionality reduction.

It is to introduce kernel function in covering algorithm that nuclear covers learning algorithm.At first, get a kernel function K (x, y)=＜T (x), T (y)＞do, x ∈ D with down conversion T:D → Z; Wherein D is the bounded set of n-dimensional space for the field of definition of input, total p sample, and this conversion is exactly that the point on the D is mapped on the P dimension nuclear space.The input set of note nuclear space is P _t, t=1,2 ..., p.In nuclear space, preceding k value might as well establishing output collection Y is all inequality.Make all be output as Y _j(set of the specimen number of j≤k) is I _j, the input set of its correspondence is designated as P _j(j=0,1 ..., k-1).Through after top a series of initialization, can begin to ask for the covering in a collection of nuclear space.Fig. 3 utilizes nuclear to cover the process flow diagram of learning algorithm training nuclear cover classification device, among Fig. 3, utilizes nuclear to cover learning algorithm training nuclear cover classification device and comprises the steps:

Step 31: in the sample space that sample point constitutes, structure covering field system.

(1) in sample set, appoints and get a some x who is not capped as yet _j∈ P _t, by formula

$d_j^{\left(1\right)}=\underset{m\∉I_j}{\min }\left\{K(x_j,x_m)\right\}$

$d_j^{\left(2\right)}=\underset{m\&Element;I_j}{\max }\left\{K(x_j,x_m)\right|K(x_j,x_m)<d_j^{\left(1\right)}\}$

$d_j=[d_j^{\left(1\right)}+d_j^{\left(2\right)}]/2$

${\mathrm{\&theta;}}_j=[d_j^{\left(1\right)}-d_j^{\left(2\right)}]/2$

Calculate, according to x _iAnd d _jConstruct a covering

The center of this covering is x _i, covering radius is d _j, the class interval is d _jWherein, I _jBe a following target set, x _mRepresent a sample point, in first formula, x _mThe value of expression m does not belong to I _j

(2)

After obtaining, with P _tIn all by

The point that covers is from P _tMiddle deletion is again from P _tX of middle selection _j(j ∈ I _j), repeat the operation of (1) step, up to all x _j∈ I _jTill all deleted.So just, construct all covering fields of a class.

Step 32: the covering field is merged, will belong to the sphere that similar covering field is fused into feature space.

To all covering fields of being obtained, order

D wherein _iExpression is with x _iBe the radius in the field at center, ask quadratic programming problem:

$\left\{\begin{array}{c}\max w\left(\mathrm{\&alpha;}\right)=\underset{i=1}{\overset{m}{\mathrm{\&Sigma;}}}{a}_i-\frac{1}{2}\underset{i,j=1}{\overset{m}{\mathrm{\&Sigma;}}}{\mathrm{\&alpha;}}_i{\mathrm{\&alpha;}}_j{y}_i{y}_j(K(d_i,d_j)+K(d_j,d_i)/2)\\ \underset{i=1}{\overset{m}{\mathrm{\&Sigma;}}}{\mathrm{\&alpha;}}_i{y}_i=0,{\mathrm{\&alpha;}}_i\&GreaterEqual;0,i=\mathrm{1,2},...m\end{array}\right.$

Obtain optimum solution α ^*={ α ₁α ₂α _m.

Step 33: construct blend surface f (x), to each sample point x _iCalculate f (x _i) value, if f (x _i) value greater than zero, this sample point x then _iDo not contain the malice file; If f is (x _i) value less than zero, this sample point x then _iContain the malice file.

With the α that obtains in the step 32 ^*The structure lineoid:

$f\left(x\right)=\underset{i=1}{\overset{m}{\mathrm{\&Sigma;}}}{\mathrm{\&alpha;}}_i{y}_{i}K(d_i,x)$

Its discriminant function is: F (x)=Sign (f (x)+b ₀), b wherein ₀Be decision-making value.

Sample is carried out the branch time-like, to each sample, calculate the value of f (x), if f (x)＞0, then x belongs to positive class (promptly not containing the malice file), if f (x)＜0, then x belongs to negative class (promptly containing the malice file), if f (x)=0 claims that then x is refused to know.Can set a threshold epsilon, when | f (x) | think during＜ε that x is refused to know, can reduce error like this.

Step 4: utilize Byte n-grams method to extract the proper vector of the file in the test set.

As step 1, utilize Byte n-grams method to extract the proper vector of the file in the test set.Test set can be chosen from the data centralization that network provides.

Step 5: adopt the local linear algorithm that embeds that the proper vector of the file in the test set that extracts is carried out dimensionality reduction.

As step 1, adopt the local linear algorithm that embeds that the proper vector of step 4 extraction is carried out dimensionality reduction.

Step 6: the cover classification of the input nucleus as a result device behind the dimensionality reduction is classified, after classification results is added up, determine whether the file in the test set contains the malice file.

With the dimensionality reduction result of step 5 as input, the nuclear cover classification device that use step 3 obtains is classified to the dimensionality reduction result of step 5, classification results is added up, and then, the result determines whether the file in the test set contains the malice file according to nuclear cover classification device statistic of classification.

The present invention as training set, utilizes the classification algorithm training sorter with the sample set that comprises malice file and non-malice file simultaneously, utilizes the sorter that trains that unknown file is classified then, to determine whether it is the malice file.In the process of file being carried out feature selecting, introduce manifold learning arithmetic, a large amount of file characteristic attributes is carried out analyzing and processing, be hidden in significant low dimensional structures in the high dimensional data with discovery, thereby reach the purpose that higher-dimension file characteristic attribute is carried out dimension-reduction treatment, improved processing speed.In the classification learning algorithm, introduce nuclear and cover learning algorithm, this algorithm is a notion of introducing the kernel function in the support vector machine in covering algorithm, compare with algorithm of support vector machine, this algorithm is to any given sample set, can construct the kernel function that once just can accurately divide sample set, thereby guaranteed that system still has classification accuracy rate and less operand preferably under priori deficiency and small sampling condition.

The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claim.

Claims (3)

1. the detection method of a unknown malicious code is characterized in that described method comprises the following steps:

Step 1: utilize Byte n-grams method to extract the proper vector of the file in the training set;

Step 2: adopt the local linear algorithm that embeds that the proper vector of the file in the training set that extracts is carried out dimensionality reduction;

Step 3: as input, utilize nuclear to cover learning algorithm training nuclear cover classification device the proper vector behind the dimensionality reduction;

Step 4: utilize Byte n-grams method to extract the proper vector of the file in the test set;

Step 5: adopt the local linear algorithm that embeds that the proper vector of the file in the test set that extracts is carried out dimensionality reduction;

Step 6: the cover classification of the input nucleus as a result device behind the dimensionality reduction is classified, after classification results is added up, determine whether the file in the test set contains malicious code.

2. the detection method of a kind of unknown malicious code according to claim 1 is characterized in that the local linear algorithm that embeds of described employing carries out dimensionality reduction to proper vector and specifically comprises:

Step 21: as sample point, utilize the k nearest neighbor method to seek K neighbour's point of each sample point proper vector, wherein K is a setting value;

Step 22: utilize formula

Construct each sample point x _iThe partial reconstruction weight matrix, wherein

N is the number of sample point;

Step 23: by each sample point x _iPartial reconstruction weight matrix and neighbour thereof put and calculate its low-dimensional output valve.

In the described step 23, sample point x _iLow-dimensional output y _iSatisfy following mapping condition:

And

Wherein I is the unit matrix of m * m, and m is the dimension behind the dimensionality reduction.

3. the detection method of a kind of unknown malicious code according to claim 1 is characterized in that described step 3 specifically comprises:

Step 31: in the sample space that sample point constitutes, structure covering field system;

Step 32: the covering field is merged, will belong to the sphere that similar covering field is fused into feature space;

Step 33: construct blend surface f (x), to each sample point x _iCalculate f (x _i) value, if f (x _i) value greater than zero, this sample point x then _iRepresentative does not contain the file of malicious code; If f is (x _i) value less than zero, this sample point x then _iRepresentative contains the file of malicious code.

Images