CN103778372B - A kind of spectral method identifying computer software behavior - Google Patents

Abstract

The invention discloses a kind of spectral method identifying computer software behavior: (1) structure software action represents model；(2) software action feature is extracted；(3) metric software behavioral similarity.The invention has the beneficial effects as follows: from the low-level image feature representing software action, take out the software action feature of high level, describe the behavior of software from semantic level；Modeled and spectral factorization method by the DHMM (discrete HMM) of computer program, express the software action feature that program is had quantitatively, according to representing model and the similarity identification Malware of behavior characteristics.

Description

A kind of spectral method identifying computer software behavior

Technical field:

The present invention relates to a kind of spectral method identifying computer software behavior.

Background technology:

Whether computer software Activity recognition technology is Malware for one computer program of auxiliary judgment (Malware).Current method uses the low-level image feature representing software action (to include condition code, API sequence Deng), mate to come forecasting software behavior by characteristic matching or sequence pattern based on machine learning, the former can only For known malware, once Malware mutates, and needs the condition code storehouse that upgrades in time；The latter deposits The shortcoming high in rate of false alarm, rate of failing to report is high.

Summary of the invention:

It is an object of the invention to overcome the deficiencies in the prior art, it is provided that a kind of identify computer software behavior Spectral method.

In order to solve above-mentioned technical problem, the present invention provides a kind of spectral method identifying computer software behavior, Comprise the following steps:

(1) structure software action represents model: represent S by the model parameter two tuple (A*, B*) of DHMM Or the software action of G；

(2) extract software action feature: matrix A * is carried out spectral factorization, extract software action feature D；

(3) metric software behavioral similarity: calculate between two computer programs according to B* and D or two Software action similarity between individual computer program group or between a computer program and a program groups.

Further, described step (1) structure software action represents model, in two kinds of situation:

The first situation: the software action of single computer program represents model

S has M kind software action, and every kind of behavior is corresponding with a hidden state of DHMM (S)；With model (A*, B*) represent the software action of S, be embodied as step as follows:

Set the number M of hidden state, and given initial state probabilities distribution C；

Input computer program S；

Call a kind of DHMM training algorithm and ask for making P [S | A, B, C] maximized model parameter A and B, point It is not designated as A* and B*；

The second situation: the software action of computer program group represents model

For computer program group G={S₁, S₂..., S_N, G has a M kind software action, every kind of behavior with DHMM(S₁), DHMM (S₂) ..., DHMM(S_N) a total hidden state is corresponding；With model (A*, B*) Represent the software action of G, be embodied as step as follows:

Set the number M of hidden state, and given initial state probabilities distribution C；

All computer program S in input G₁, S₂..., S_N；

Call a kind of DHMM training algorithm to ask for making P [S₁| A, B, C] × P[S₂| A, B, C] × ... × P [S_N| A, B, C] maximized model parameter A and B, it is designated as A* and B* respectively.

Further, described step (2) is extracted in software action feature, the software action feature square of M × M Battle array D={d_ij}_M×MRepresent, D i-th (i=1,2 ..., M) row element constitute a row vector D_i=<d_i1, d_i2..., d_iM>, it is embodied as step as follows:

Input computer program S or the software action model (A*, B*) of computer program group G；

Matrix A * is carried out spectral factorization operation, it is decomposed into A*=X ∑ X¹, wherein ∑ be one to angular moment Battle array, the element on each of which diagonal is an eigenvalue of A*, and each row vector of matrix X is and spy The characteristic vector that value indicative is corresponding；

M eigenvalue in ∑ is sorted by numerical values recited；

The characteristic vector of the 1st X corresponding to eigenvalue after sequence is designated as D₁, the 2nd eigenvalue institute is right The characteristic vector of the X answered is designated as D₂, by that analogy, the spy of the X corresponding to ith feature value after sequence Levy vector and be designated as D_i, i=1,2 ..., M.

Further, described step (3) uses step (1) the software action model (A*, B*) that exports and step Suddenly software action feature D that (2) export, calculates and (uses T respectively between two programs₁And T₂Represent), single Program (uses T₁Represent) (use T with a program groups₂Represent) between or two program groups (use T respectively₁ And T₂Represent) between software action similarity or distinctiveness ratio, the highest then similarity of distinctiveness ratio is the lowest, otherwise As the same；Similarity the highest expression T₁And T₂There is the most similar software action；Software action similarity measurement makes With two kinds of matrixes: software action represents the B* in model and software action feature D, for the sake of difference, T₁'s The two matrix is used₁B* and₁D represents, T₂Matrix use₂B* and₂D represents；It is embodied as step as follows:

Setting distinctiveness ratio dist (Y, Z) between matrix, wherein Y and Z represents arbitrary two same order matrixes；

Input₁B*、₁D、₂B* and₂D；

Use formula [dist (₁B*,₂B*)]^α×[dist(₁D,₂D)]^βWeigh T₁And T₂Between software action Distinctiveness ratio, wherein α and β is two real numbers more than or equal to 0.

Compared with prior art, the invention has the beneficial effects as follows: take out from the low-level image feature representing software action As going out the software action feature of high level, the behavior of software is described from semantic level；By computer program DHMM (discrete HMM) modeling and spectral factorization method, it is soft that program of expressing quantitatively is had Part behavior characteristics, according to representing model and the similarity identification Malware of behavior characteristics.

Accompanying drawing illustrates:

Fig. 1 is the flow chart of the present invention.

Fig. 2 is the principle schematic of the present invention

Detailed description of the invention:

The invention will be further described with detailed description of the invention below in conjunction with the accompanying drawings:

The present invention relates to a kind of method for computer software Activity recognition, it uses discrete Hidden Markov State transition probability (the State of model (Discrete Hidden Markov Model is called for short DHMM) Transition probabilities) matrix and emission probability (Emission probabilities) thereof The behavior of matrix description software, spectral factorization (Spectral based on state transition probability matrix Decomposition) result represents the behavior characteristics of software, finally according to behavior characteristics and emission probability matrix Identifying the similarity of software action, method flow is as it is shown in figure 1, comprise the following steps:

(1) structure software action represents model: represent S by the model parameter two tuple (A*, B*) of DHMM Or the software action of G；

(2) extract software action feature: matrix A * is carried out spectral factorization, extract software action feature D；

(3) metric software behavioral similarity: calculate between two computer programs according to B* and D or two Software action similarity between individual computer program group or between a computer program and a program groups.

The present invention processes the computer program represented with sequence of events (Event sequence).Sequence of events Being a kind of time or the event string that spatially there is ordering relation, when being used for representing computer program, event can To be that program comprises or the actual computer instruction performed or job sequence on CPU, it can be program bag What contain or program was called in the process of implementation is supplied to apply journey by computer operating system or computer equipment The api function that sequence is called, it is also possible to be other discrete symbols describing software features.The symbolism used

1. event set: V={V₁..., V_k..., V_K, each element in set (uses V_kRepresent, K=1,2 ..., K) represent an event (discrete symbols), K represents the number of event；

The most single computer program: S=(s₁..., s_t..., s_n), represent that this computer program is by n thing Part is constituted in order, and each event therein (uses s_tRepresent, t=1,2 ..., n) it is all the element of V, both s_t∈V；

3. computer program group: G={S₁, S₂..., S_N, represent that this group computer program is made up of N number of program, Each program is the sequence of events that 2. a use define；

4. one group of software action: U={ θ₁, θ₂..., θ_M, each element in set represents a kind of abstract Software action, M represents the number of behavior；

5. the discrete HMM DHMM(S of computer program S): DHMM(S)=(S, Q, A, B, C), Wherein:

The observed value sequence of-model is S=(s₁..., s_t..., s_n), s_t∈V={V₁..., V_k..., V_K}；

The status switch of-model is Q=(q₁..., q_t..., q_n), each element therein (uses q_tTable Show, t=1,2 ..., n) it is the model hidden state corresponding with a software action, hidden state Number is M, both q_t∈U；

-state transition probability matrix A=(a_ij)_M×M, a_ij=P[q_t+1=θ_j|q_t=θ_i], 1≤i≤M, 1≤j≤M；

-state emission probability matrix B=(b_ik)_M×K, b_ik=P[v_k at t|q_t=θ_i], 1≤i≤M, 1≤k≤K；

-initial state probabilities distribution C={c₁..., c_j..., c_M, c_j=P[q₁=θ_j], 1≤j≤M.

Fig. 2 is the principle schematic of the present invention, is explained in detail in the detailed process of each step,

Further, described step (1) structure software action represents model, in two kinds of situation:

The first situation: the software action of single computer program represents model

S has a M kind software action, every kind of behavior withA hidden state corresponding；With model (A*, B*) represent the software action of S, be embodied as step as follows:

Set the number M of hidden state, and given initial state probabilities distribution C；

Input computer program S；

Call a kind of DHMM training algorithm and ask for making P [S | A, B, C] maximized model parameter A and B, point It is not designated as A* and B*；

The second situation: the software action of computer program group represents model

For computer program group G={S₁, S₂..., S_N, G has a M kind software action, every kind of behavior with DHMM(S₁), DHMM (S₂) ..., DHMM (S_N) a total hidden state is corresponding；With model (A*, B*) Represent the software action of G, be embodied as step as follows:

Set the number M of hidden state, and given initial state probabilities distribution C；

All computer program S in input G₁, S₂..., S_N；

Call a kind of DHMM training algorithm to ask for making P [S₁| A, B, C] × P[S₂| A, B, C] × ... × P [S_N| A, B, C] maximized model parameter A and B, it is designated as A* and B* respectively.

Further, described step (2) is extracted in software action feature, the software action feature square of M × M Battle array D={d_ij}_M×MRepresent, D i-th (i=1,2 ..., M) row element constitute a row vector D_i=<d_i1, d_i2..., d_iM>, it is embodied as step as follows:

Input computer program S or the software action model (A*, B*) of computer program group G；

Matrix A * is carried out spectral factorization operation, it is decomposed into A*=X ∑ X¹, wherein ∑ be one to angular moment Battle array, the element on each of which diagonal is an eigenvalue of A*, and each row vector of matrix X is and spy The characteristic vector that value indicative is corresponding；

M eigenvalue in ∑ is sorted by numerical values recited；

The characteristic vector of the 1st X corresponding to eigenvalue after sequence is designated as D₁, the 2nd eigenvalue institute is right The characteristic vector of the X answered is designated as D₂, by that analogy, the spy of the X corresponding to ith feature value after sequence Levy vector and be designated as D_i, i=1,2 ..., M.

Further, described step (3) uses step (1) the software action model (A*, B*) that exports and step Suddenly software action feature D that (2) export, calculates and (uses T respectively between two programs₁And T₂Represent), single Program (uses T₁Represent) (use T with a program groups₂Represent) between or two program groups (use T respectively₁ And T₂Represent) between software action similarity or distinctiveness ratio, the highest then similarity of distinctiveness ratio is the lowest, otherwise As the same；Similarity the highest expression T₁And T₂There is the most similar software action；Software action similarity measurement makes With two kinds of matrixes: software action represents the B* in model and software action feature D, for the sake of difference, T₁'s The two matrix is used₁B* and₁D represents, T₂Matrix use₂B* and₂D represents；It is embodied as step as follows:

Set distinctiveness ratio dist (Y, Z) between matrix, wherein Y and Z represent arbitrary two with valency matrix；

Input₁B*、₁D、₂B* and₂D；

Use formula [dist (₁B*,₂B*)]^α×[dist(₁D,₂D)]^βWeigh T₁And T₂Between software action Distinctiveness ratio, wherein α and β is two real numbers more than or equal to 0.

Last it should be noted that, above example is only with technical scheme is described, rather than to this The restriction of bright protection domain, although the present invention being described in detail with reference to specific embodiment, this area It is to be appreciated by one skilled in the art that technical solution of the present invention can be modified or equivalent, and not Depart from the spirit and scope of technical solution of the present invention.

Claims (1)

1. the spectral method identifying computer software behavior, it is characterised in that it is realized by following steps:

(1) structure software action represents model: represent the software row of S or G by the model parameter two tuple (A*, B*) of DHMM For；

(2) extract software action feature: matrix A * is carried out spectral factorization, extract software action feature D；

(3) software action similarity measurement: calculate between two computer programs according to B* and D or two computer program groups Between or a computer program and a program groups between software action similarity；

Described step (1) structure software action represents model, in two kinds of situation:

The first situation: the software action of single computer program represents model

S has M kind software action, and every kind of behavior is corresponding with a hidden state of DHMM (S)；Represent with model (A*, B*) The software action of S, is embodied as step as follows:

Set the number M of hidden state, and given initial state probabilities distribution C；

Input computer program S；

Call a kind of DHMM training algorithm and ask for making P [S | A, B, C] maximized model parameter A and B, be designated as A* respectively And B*；

The second situation: the software action of computer program group represents model

For computer program group G={S₁, S₂..., S_N), G has M kind software action, every kind of behavior and DHMM (S₁), DHMM(S₂) ..., DHMM (S_N) a total hidden state is corresponding；The software action of G is represented with model (A*, B*), It is embodied as step as follows:

Set the number M of hidden state, and given initial state probabilities distribution C；

All computer program S in input G₁, S₂..., S_N；

Call a kind of DHMM training algorithm to ask for making P [S₁| A, B, C] × P [S₂| A, B, C] × ... × P [S_N| A, B, C] maximize Model parameter A and B, be designated as A* and B* respectively；

Described step (2) is extracted in software action feature, the software action feature matrix D of M × M={ d_ij}_M×MRepresent, D I-th (i=1,2 ..., M) row element constitute row vector D_i=< d_i1, d_i2..., d_iM>, it is embodied as step as follows:

Input computer program S or the software action model (A*, B*) of computer program group G；

Matrix A * is carried out spectral factorization operation, it is decomposed into A*=X ∑ X¹, wherein ∑ is a diagonal matrix, and each of which is right Element on linea angulata is an eigenvalue of A*, and each row vector of matrix X is the characteristic vector corresponding with eigenvalue；

M eigenvalue in ∑ is sorted by numerical values recited；

The characteristic vector of the 1st X corresponding to eigenvalue after sequence is designated as D₁, the spy of the 2nd X corresponding to eigenvalue Levy vector and be designated as D₂, by that analogy, the characteristic vector of the X corresponding to ith feature value after sequence is designated as D_i, i=1,2 ..., M；

Described step (3) uses software action feature D that step (1) the software action model (A*, B*) that exports and step (2) export, Calculate and use T respectively between two programs₁And T₂Expression, single program T₁Represent and program groups T₂Between expression or Two program groups use T respectively₁And T₂Software action similarity between expression or distinctiveness ratio, the highest then similarity of distinctiveness ratio is the lowest, Vice versa；Similarity the highest expression T₁And T₂There is the most similar software action；Software action similarity measurement uses two kinds Matrix: software action represents the B* in model and software action feature D, for the sake of difference, T₁The two matrix use₁B* and₁D represents, T₂Matrix use₂B* and₂D represents；It is embodied as step as follows:

Setting distinctiveness ratio dist (Y, Z) between matrix, wherein Y and Z represents arbitrary two same order matrixes；

Input₁B*、₁D、₂B* and₂D；

Use formula [dist (₁B*,₂B*)]^α×[dist(₁D,₂D)]^βWeigh T₁And T₂Between software action distinctiveness ratio, wherein α and β It is two real numbers more than or equal to 0.