CN112149116A - Sandbox-based behavior detection method and system - Google Patents

Sandbox-based behavior detection method and system

Info

Publication number
CN112149116A
CN112149116A
Authority
CN
China
Prior art keywords
classifier
data set
sample
sandbox
classification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011153561.7A
Other languages
Chinese (zh)
Inventor
邢亚君
彭海龙
孟铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing An Xin Tian Xing Technology Co ltd
Original Assignee
Beijing An Xin Tian Xing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing An Xin Tian Xing Technology Co ltd filed Critical Beijing An Xin Tian Xing Technology Co ltd
Priority to CN202011153561.7A priority Critical patent/CN112149116A/en
Publication of CN112149116A publication Critical patent/CN112149116A/en
Pending legal-status Critical Current

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00: Pattern recognition
    • G06F 18/20: Analysing
    • G06F 18/21: Design or setup of recognition systems or techniques; extraction of features in feature space; blind source separation
    • G06F 18/214: Generating training patterns; bootstrap methods, e.g. bagging or boosting
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00: Pattern recognition
    • G06F 18/20: Analysing
    • G06F 18/24: Classification techniques
    • G06F 18/241: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F 18/2411: Classification techniques based on the proximity to a decision surface, e.g. support vector machines
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00: Machine learning
    • G06N 20/20: Ensemble learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Computation (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a sandbox-based behavior detection method and system. The method comprises the following steps: inputting a training sample and a sample to be detected into a sandbox through a host and processing them to obtain the API sequence corresponding to each; extracting 3-grams from the API sequence corresponding to the training sample to obtain M triples; performing data conversion on the M triples to obtain M feature vectors; constructing a training sample data set based on the M feature vectors; training binary classifiers with the training sample data set as input and the corresponding classification hyperplanes as output, to obtain a multi-classification model; and inputting the API sequence corresponding to the sample to be detected into the multi-classification model for prediction, to obtain a behavior type. The disclosed scheme improves training speed as well as classification speed and accuracy.

Description

Sandbox-based behavior detection method and system
Technical Field
The invention relates to the technical field of behavior detection, in particular to a sandbox-based behavior detection method and system.
Background
Rapidly developing internet technology brings convenience to people's work and life, but also exposes them to security threats from malicious programs such as viruses, worms and Trojans. With the rapid development of computer technology, malicious programs are growing quickly under the drive of profit, the anti-analysis techniques used by malicious programs are continuously evolving, and traditional malicious program detection faces great challenges.
Existing behavior detection methods include neural-network-based detection and Bayesian-classifier-based detection. Neural-network-based behavior detection uses the recognition, classification and generalization capabilities of a neural network to extract pattern features of behaviors, then creates behavior feature profiles and builds detection models. This technique is simple to implement and handles noisy data well, but neural network training takes a long time and easily falls into local minima. A Bayesian classifier assumes that each attribute of a sample is independent given the class, computes the posterior probability of each class for a sample via the Bayes formula, and assigns the new sample to the class with the largest posterior probability. This independence assumption can reduce the accuracy of the algorithm to a certain extent.
Disclosure of Invention
Based on this, the invention aims to provide a sandbox-based behavior detection method and system to quickly and accurately predict the behavior type.
In order to achieve the above object, the present invention provides a sandbox-based behavior detection method, which includes:
step S1: inputting a training sample and a sample to be tested into a sandbox through a host;
step S2: processing the training sample and the sample to be detected by using the sandbox to obtain an API sequence corresponding to the training sample and an API sequence corresponding to the sample to be detected;
step S3: extracting 3-grams from the API sequence corresponding to the training sample to obtain M triples;
step S4: performing data conversion on the M triples to obtain M characteristic vectors;
step S5: constructing a training sample data set based on the M feature vectors;
step S6: training binary classifiers with the training sample data set as input and the corresponding classification hyperplanes as output, to obtain a multi-classification model;
step S7: inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: virus, worm, backdoor program, trojan, or normal.
Optionally, the inputting the API sequence corresponding to the sample to be tested into the multi-classification model to obtain the behavior type specifically includes:
step S71: inputting the API sequence corresponding to the sample to be tested into the multi-classification model to obtain five classification hyperplane values;
step S72: and selecting the type corresponding to the maximum value from the five classification hyperplane values as the behavior type.
Optionally, training binary classifiers with the training sample data set as input and the corresponding classification hyperplanes as output to obtain a multi-classification model specifically includes:
step S61: classifying the training sample data set to obtain a normal data set, a virus data set, a worm data set, a backdoor program data set and a Trojan data set;
step S62: taking the normal data set as the input of a binary classifier and the classification hyperplane corresponding to the normal data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the normal classifier;
step S63: taking the virus data set as the input of a binary classifier and the classification hyperplane corresponding to the virus data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the virus classifier;
step S64: taking the worm data set as the input of a binary classifier and the classification hyperplane corresponding to the worm data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the worm classifier;
step S65: taking the backdoor program data set as the input of a binary classifier and the classification hyperplane corresponding to the backdoor program data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the backdoor program classifier;
step S66: taking the Trojan data set as the input of a binary classifier and the classification hyperplane corresponding to the Trojan data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the Trojan classifier.
Optionally, the classification hyperplane formula is:

f(X) = sign(g(X));

where

g(X) = Σ_{i=1}^{n} α*_i · y_i · K(X_i, X) + b*;

sign is the sign function, f(X) is the optimal classification hyperplane, n is the number of samples, α*_i are the parameters of the optimal classification hyperplane, y_i is the class label of the i-th sample, X_i is the behavior vector of the i-th sample, X is the behavior vector to be classified, K(X_i, X) is the kernel inner-product function, and b* is the bias parameter.
Optionally, before step S1, the method further includes:
the sandbox environment is initialized.
The invention also provides a sandbox-based behavior detection system, which comprises:
the sample input module is used for inputting a training sample and a sample to be tested into the sandbox through the host;
the API sequence generating module is used for processing the training sample and the sample to be detected by using the sandbox to obtain an API sequence corresponding to the training sample and an API sequence corresponding to the sample to be detected;
the extraction module is used for extracting 3-grams from the API sequence corresponding to the training sample to obtain M triples;
the data conversion module is used for performing data conversion on the M triples to obtain M characteristic vectors;
the training sample data set construction module is used for constructing a training sample data set based on the M characteristic vectors;
the multi-classification model training module is used for training binary classifiers with the training sample data set as input and the corresponding classification hyperplanes as output, to obtain a multi-classification model;
the prediction module is used for inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: virus, worm, backdoor program, trojan, or normal.
Optionally, the prediction module specifically includes:
the prediction unit is used for inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain five classification hyperplane values;
and the selecting unit is used for selecting the type corresponding to the maximum value from the five classification hyperplane values as the behavior type.
Optionally, the multi-classification model training module specifically includes:
the classification unit, configured to classify the training sample data set to obtain a normal data set, a virus data set, a worm data set, a backdoor program data set and a Trojan data set;
the normal classifier parameter determining unit, configured to take the normal data set as the input of a binary classifier and the classification hyperplane corresponding to the normal data set as its output, and solve the binary classifier by an analytical or iterative method to obtain the parameters of the normal classifier;
the virus classifier parameter determining unit, configured to take the virus data set as the input of a binary classifier and the classification hyperplane corresponding to the virus data set as its output, and solve the binary classifier by an analytical or iterative method to obtain the parameters of the virus classifier;
the worm classifier parameter determining unit, configured to take the worm data set as the input of a binary classifier and the classification hyperplane corresponding to the worm data set as its output, and solve the binary classifier by an analytical or iterative method to obtain the parameters of the worm classifier;
the backdoor program classifier parameter determining unit, configured to take the backdoor program data set as the input of a binary classifier and the classification hyperplane corresponding to the backdoor program data set as its output, and solve the binary classifier by an analytical or iterative method to obtain the parameters of the backdoor program classifier;
and the Trojan classifier parameter determining unit, configured to take the Trojan data set as the input of a binary classifier and the classification hyperplane corresponding to the Trojan data set as its output, and solve the binary classifier by an analytical or iterative method to obtain the parameters of the Trojan classifier.
Optionally, the classification hyperplane formula is:

f(X) = sign(g(X));

where

g(X) = Σ_{i=1}^{n} α*_i · y_i · K(X_i, X) + b*;

sign is the sign function, f(X) is the optimal classification hyperplane, n is the number of samples, α*_i are the parameters of the optimal classification hyperplane, y_i is the class label of the i-th sample, X_i is the behavior vector of the i-th sample, X is the behavior vector to be classified, K(X_i, X) is the kernel inner-product function, and b* is the bias parameter.
Optionally, the system further comprises:
and the initialization module is used for initializing the sandbox environment.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the invention discloses a sandbox-based behavior detection method and a sandbox-based behavior detection system, wherein the method comprises the following steps: inputting a training sample and a sample to be detected into a sandbox through a host for processing to obtain an API sequence corresponding to the training sample and an API sequence corresponding to the sample to be detected; extracting an API sequence corresponding to the training sample by adopting a 3-garam method to obtain M triples; performing data conversion on the M triples to obtain M characteristic vectors; constructing a training sample data set based on the M feature vectors; respectively inputting the training sample data set as input and the classification hyperplane corresponding to the training sample data set as output into a two-classifier for training to obtain a multi-classification model; and inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type. By adopting the scheme disclosed by the invention, the training speed can be improved, and the classification speed and accuracy can also be improved.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a sandbox-based behavior detection method according to an embodiment of the present invention;
fig. 2 is a structural diagram of a sandbox-based behavior detection system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a sandbox-based behavior detection method and a sandbox-based behavior detection system to quickly and accurately predict behavior types.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
As shown in fig. 1, the present invention discloses a sandbox-based behavior detection method, which includes:
Step S1: inputting a training sample and a sample to be tested into the sandbox through the host.
Step S2: processing the training sample and the sample to be detected by using the sandbox to obtain an API sequence corresponding to the training sample and an API sequence corresponding to the sample to be detected.
Step S3: extracting 3-grams from the API sequence corresponding to the training sample to obtain M triples.
Step S4: performing data conversion on the M triples to obtain M feature vectors.
Step S5: constructing a training sample data set based on the M feature vectors.
Step S6: training binary classifiers with the training sample data set as input and the corresponding classification hyperplanes as output, to obtain a multi-classification model.
Step S7: inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: virus, worm, backdoor program, Trojan, or normal.
The individual steps are discussed in detail below:
Step S1: a training sample and a sample to be tested are input into the sandbox through the host. Samples running in the sandbox cannot damage the system. The sandbox uses a kernel-level API Hook technique and can perform detection in the following aspects:
1) tracking the system API call records of all malicious processes;
2) recording the files the malicious program creates, downloads and deletes while running;
3) monitoring the memory usage of the malicious program;
4) tracking the network traffic of the malicious program.
The API calls made by the training samples and the samples to be tested in the sandbox are the data source for all subsequent analysis, so they are vital to the whole system. API Hook is a general technique for intercepting system calls: a custom hook function is registered so that it is invoked before the real system API function executes. The hook function receives the parameters of the call before the original function does, then records and processes them according to a predefined processing flow.
Under Windows, system calls are mostly encapsulated in DLL files, concentrated in DLLs such as kernel32.dll, ws2_32.dll and advapi32.dll. Intercepting a system call has two requirements: the DLL file containing the function to hook must be located, and a breakpoint must be set at the function's entry address. Taking interception of the CreateFile function as an example: when a malicious program runs, it creates a process P; when P calls CreateFile, the Hook DLL file is loaded first, and if the DLL is found, its export functions are read. With a debug breakpoint set at the entry of CreateFile, the program enters the debug subroutine at that point. The system then passes the current function's parameters to the custom CreateFile function for processing, where the function name and parameter values are recorded. After the custom function finishes, the system returns to the original CreateFile function and continues execution.
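The record-then-delegate behavior of a hook function described above can be sketched in plain Python. This is a user-mode analogy only: the patent's sandbox hooks kernel-level Windows APIs, and `create_file` below is a hypothetical stand-in, not the real Win32 CreateFile.

```python
import functools

API_LOG = []  # recorded (function name, args) pairs: the sandbox's call trace

def hook(func):
    """Wrap a function so the hook runs first, records the call, then
    forwards to the original (the record-then-delegate pattern the
    kernel-level API Hook applies to functions such as CreateFile)."""
    @functools.wraps(func)
    def hooked(*args, **kwargs):
        API_LOG.append((func.__name__, args))  # record name and parameters
        return func(*args, **kwargs)           # continue with the original
    return hooked

@hook
def create_file(path):
    """Hypothetical stand-in for the real Win32 CreateFile."""
    return f"handle:{path}"

handle = create_file("C:/tmp/sample.bin")
```

After the call, `API_LOG` holds the intercepted function name and parameters while the original function's result is returned unchanged, which is exactly the property the sandbox relies on to trace API sequences without disturbing the sample.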
Step S4: performing data conversion on the M triples to obtain M feature vectors, with the specific formula:
X_i = {x_i1, x_i2, …, x_iM};

where X_i is the behavior vector of the i-th sample and x_ij is the frequency with which the call sequence numbered j occurs in the sample corresponding to X_i.
The method finds the distinct 3-tuples across the API call sequences of all training samples via the 3-gram method; if there are M of them, they are numbered 1, 2, …, M. An M-dimensional vector is then created for each training sample: the i-th element of this vector is the frequency with which the tuple numbered i occurs in that training sample's API call sequence, and if a 3-tuple never appears in the process's system call sequence, the corresponding element is 0. For example, suppose the training data obtained are the following two API call sequences:
sequence 1: CreateFile, CopyFile, OpenFile, CopyFile, OpenFile, DeleteFile.
Sequence 2: CreateFile, CopyFile, OpenFile, DeleteFile.
Applying the 3-gram method, the 3-tuples and their numbers are:

Ⅰ CreateFile, CopyFile, OpenFile
Ⅱ CopyFile, OpenFile, OpenFile
Ⅲ OpenFile, OpenFile, CopyFile
Ⅳ OpenFile, CopyFile, OpenFile
Ⅴ CopyFile, OpenFile, DeleteFile
Ⅵ CopyFile, OpenFile, CopyFile

From the above, M = 6, and the feature vectors corresponding to the two sequences are:

(1/5, 1/5, 1/5, 1/5, 1/5, 0), (1/4, 0, 0, 1/4, 1/4, 1/4).
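The extraction and vectorization just illustrated can be sketched as follows. Note this is a minimal sketch: a plain sliding-window extraction over these two sequences yields four distinct 3-tuples rather than the six enumerated above, so the resulting M and frequencies differ slightly from the patent's worked figures.

```python
def three_grams(seq):
    """Sliding-window 3-grams of an API call sequence (step S3)."""
    return [tuple(seq[i:i + 3]) for i in range(len(seq) - 2)]

def feature_vector(seq, vocab):
    """M-dimensional vector whose j-th entry is the frequency of the
    3-tuple numbered j among the sequence's 3-grams (0 if absent)."""
    grams = three_grams(seq)
    return [grams.count(t) / len(grams) for t in vocab]

seq1 = ["CreateFile", "CopyFile", "OpenFile", "CopyFile", "OpenFile", "DeleteFile"]
seq2 = ["CreateFile", "CopyFile", "OpenFile", "DeleteFile"]

# Vocabulary: the distinct 3-tuples over all training sequences, numbered 1..M.
vocab = sorted(set(three_grams(seq1) + three_grams(seq2)))
v1 = feature_vector(seq1, vocab)
v2 = feature_vector(seq2, vocab)
```

Here `v1` and `v2` are the training vectors that go into the training sample data set of step S5.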
step S5: and constructing a training sample data set based on the M feature vectors.
The present invention addresses a multi-classification problem and therefore employs a one-vs-rest ("one-to-many") approach. The basic idea is to construct several binary classifiers, each of which separates one class of sample data from all other sample data. For an m-class problem, m binary classifiers are trained; the i-th classifier treats samples of class i as positive samples and all other samples as negative samples, and training on these samples determines the binary classifier. Accordingly, step S6 specifically includes:
Step S61: classifying the training sample data set to obtain a normal data set, a virus data set, a worm data set, a backdoor program data set and a Trojan data set.
Step S62: taking the normal data set as the input of a binary classifier and the classification hyperplane corresponding to the normal data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the normal classifier.
Step S63: taking the virus data set as the input of a binary classifier and the classification hyperplane corresponding to the virus data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the virus classifier.
Step S64: taking the worm data set as the input of a binary classifier and the classification hyperplane corresponding to the worm data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the worm classifier.
Step S65: taking the backdoor program data set as the input of a binary classifier and the classification hyperplane corresponding to the backdoor program data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the backdoor program classifier.
Step S66: taking the Trojan data set as the input of a binary classifier and the classification hyperplane corresponding to the Trojan data set as its output, and solving the binary classifier by an analytical or iterative method to obtain the parameters of the Trojan classifier.
The specific formula of the classification hyperplane is:

f(X) = sign(g(X));

where

g(X) = Σ_{i=1}^{n} α*_i · y_i · K(X_i, X) + b*;

sign is the sign function, f(X) is the classification hyperplane, n is the number of samples, α*_i are the parameters of the optimal classification hyperplane, y_i is the class label of the i-th sample, X_i is the behavior vector of the i-th sample, X is the behavior vector to be classified, K(X_i, X) is the kernel inner-product function, and b* is the bias parameter. The kernel inner product is taken as the Gaussian radial basis function:

K(X_i, X) = exp(−‖X − X_i‖² / (2σ²));

where σ is the width parameter of the function.
In the following, the determination of the parameters corresponding to the Trojan classifier is discussed as an example, and the determination of the parameters corresponding to the normal classifier, the parameters corresponding to the virus classifier, the parameters corresponding to the worm classifier, and the parameters corresponding to the back-door program classifier are all similar to the determination of the parameters corresponding to the Trojan classifier, and are not described in detail herein.
Taking the Trojan data set as the input of a binary classifier and the classification hyperplane corresponding to the Trojan data set as its output, the binary classifier is solved by an analytical or iterative method to obtain the parameters of the Trojan classifier. The Trojan data set has the form:

(X_i, y_i), i = 1, 2, …, n;

where y_i is the class label: y_i = 1 indicates that the sample is normal behavior, y_i = −1 indicates that the sample is abnormal behavior, and n is the number of training samples.
If the classification hyperplane corresponding to the Trojan horse data set is '1', the process is a normal program; if it is "-1", this indicates that the program is an abnormal program.
Solving the binary classifier on this data set yields the Trojan classifier's parameters, namely the hyperplane coefficients α*_i and the bias b*.
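A pure-Python sketch of the decision function f(X) = sign(g(X)) with the Gaussian kernel described above. The support vectors, labels, α* coefficients and bias b* are assumed to have already been obtained by solving a binary classifier; the tiny values below are illustrative placeholders, not trained parameters.

```python
import math

def rbf_kernel(xi, x, sigma=1.0):
    """Gaussian kernel inner product K(Xi, X) with width parameter sigma."""
    sq_dist = sum((a - b) ** 2 for a, b in zip(xi, x))
    return math.exp(-sq_dist / (2 * sigma ** 2))

def g(x, support, labels, alphas, b):
    """g(X) = sum_i alpha*_i * y_i * K(Xi, X) + b*."""
    return sum(a * y * rbf_kernel(xi, x)
               for a, y, xi in zip(alphas, labels, support)) + b

def f(x, support, labels, alphas, b):
    """f(X) = sign(g(X)): +1 on one side of the hyperplane, -1 on the other."""
    return 1 if g(x, support, labels, alphas, b) >= 0 else -1

# Illustrative (untrained) parameters: one support vector labelled +1 near
# the origin, one labelled -1 near (4, 4), equal weights, zero bias.
S = [[0.0, 0.0], [4.0, 4.0]]
y = [1, -1]
a = [1.0, 1.0]
```

Points near the positive support vector then get f(X) = +1 and points near the negative one get f(X) = −1, matching the sign convention in the text.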
Step S7: inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: viruses, worms, backdoor programs, trojans, or normal; the method specifically comprises the following steps:
step S71: and inputting the API sequence corresponding to the sample to be tested into the multi-classification model to obtain five classification hyperplane values.
Step S72: and selecting the type corresponding to the maximum value from the five classification hyperplane values as the behavior type.
The sandbox-based abnormal behavior detection method is highly adaptable: it can detect existing malicious programs, and a newly appearing malicious program can also be detected as long as it uses the conventional techniques of existing malicious programs. At the same time, malicious programs are classified, making the results more complete.
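Steps S71 and S72 (evaluate all five classification hyperplane values, then select the type with the maximum) can be sketched as follows; the stub decision functions below are hypothetical placeholders for the five trained binary classifiers.

```python
def predict_type(x, classifiers):
    """Steps S71-S72: compute each class's hyperplane value g_k(X),
    then select the behavior type whose value is the maximum."""
    scores = {name: clf(x) for name, clf in classifiers.items()}
    return max(scores, key=scores.get)

# Stub decision functions standing in for the five trained binary
# classifiers (hypothetical values, for illustration only).
classifiers = {
    "normal":   lambda x: -0.2,
    "virus":    lambda x:  0.7,
    "worm":     lambda x:  0.1,
    "backdoor": lambda x: -0.5,
    "trojan":   lambda x:  0.4,
}

behavior = predict_type([0.0] * 6, classifiers)
```

With these stub values, "virus" has the largest hyperplane value and is returned as the behavior type.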
The main solutions to the multi-classification problem are a one-to-one method, a one-to-many method and a binary tree method. If the 'one-to-one' method is adopted, 10 classifiers are needed, the workload of the classifier training process is large, the training cost is high, and the detection process is complex. The binary tree method has an error accumulation effect, and the detection starting point is randomly selected during detection, so that the detection result has great uncertainty. The invention only needs to train 5 classifiers by adopting a one-to-many method, and the method has advantages in both training speed and classification speed.
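The classifier counts compared above follow from simple combinatorics: one-vs-one needs one binary classifier per pair of classes, m(m−1)/2 in total, while the one-vs-rest ("one-to-many") scheme adopted here needs one per class. A quick check for the five behavior types:

```python
def classifiers_needed(m, strategy):
    """Number of binary classifiers required for an m-class problem."""
    if strategy == "one-vs-one":
        return m * (m - 1) // 2  # one classifier per pair of classes
    return m                     # one-vs-rest: one classifier per class

counts = {s: classifiers_needed(5, s) for s in ("one-vs-one", "one-vs-rest")}
```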
The invention adopts an SVM classifier, which involves neither probability measures nor the law of large numbers and thus differs from prior statistical methods. It essentially avoids the traditional process from induction to deduction, realizing efficient transductive inference from the training samples to the prediction samples and greatly simplifying the usual problems of classification and regression.
As shown in fig. 2, the present invention also discloses a sandbox-based behavior detection system, which comprises:
The sample input module 1 is used for inputting a training sample and a sample to be tested into the sandbox through the host.
The API sequence generating module 2 is used for processing the training sample and the sample to be detected by using the sandbox to obtain the API sequence corresponding to the training sample and the API sequence corresponding to the sample to be detected.
The extraction module 3 is used for extracting the API sequence corresponding to the training sample by adopting a 3-gram method to obtain M triples.
The data conversion module 4 is used for performing data conversion on the M triples to obtain M feature vectors.
The training sample data set constructing module 5 is used for constructing a training sample data set based on the M feature vectors.
The multi-classification model training module 6 is used for taking the training sample data set as input and the classification hyperplane corresponding to the training sample data set as output, and respectively inputting them into binary classifiers for training to obtain a multi-classification model.
The prediction module 7 is used for inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: virus, worm, backdoor program, trojan, or normal.
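As an illustration of the extraction module 3 and the data conversion module 4, the sketch below slides a window of length 3 over an API call sequence and converts each triple to a vector. The hash-based conversion and the API names are assumptions for illustration; the patent does not specify the exact data-conversion scheme:

```python
def extract_3grams(api_sequence):
    """Module 3: slide a window of length 3 over the API call sequence,
    yielding M = len(api_sequence) - 2 triples."""
    return [tuple(api_sequence[i:i + 3]) for i in range(len(api_sequence) - 2)]

def to_feature_vector(triple, dim=16):
    """Module 4 (illustrative only): map a triple to a sparse one-hot
    vector by hashing; the conversion scheme is an assumption."""
    vec = [0.0] * dim
    vec[hash(triple) % dim] = 1.0
    return vec

seq = ["CreateFile", "WriteFile", "CloseHandle", "RegSetValue"]
triples = extract_3grams(seq)
# Two triples from a four-call sequence:
#   ('CreateFile', 'WriteFile', 'CloseHandle')
#   ('WriteFile', 'CloseHandle', 'RegSetValue')
vectors = [to_feature_vector(t) for t in triples]
```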
As an optional mode, the prediction module 7 of the present invention specifically includes:
The prediction unit is used for inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain five classification hyperplane values.
The selecting unit is used for selecting the type corresponding to the maximum value from the five classification hyperplane values as the behavior type.
As an optional mode, the multi-classification model training module 6 of the present invention specifically includes:
and the classification unit is used for classifying the training sample data set to respectively obtain a normal data set, a virus data set, a worm data set, a backdoor program data set and a Trojan data set.
And the normal classifier parameter determining unit is used for taking the normal data set as the input of the two classifiers and the classification hyperplane corresponding to the normal data set as the output of the two classifiers, and solving the two classifiers by adopting an analytic method or an iterative method to obtain the parameters corresponding to the normal classifier.
And the virus classifier parameter determining unit is used for taking the virus data set as the input of the two classifiers and the classification hyperplane corresponding to the virus data set as the output of the two classifiers, and solving the two classifiers by adopting an analytic method or an iterative method to obtain the parameters corresponding to the virus classifier.
And the worm classifier parameter determining unit is used for taking the worm data set as the input of the two classifiers and the classification hyperplane corresponding to the worm data set as the output of the two classifiers, and solving the two classifiers by adopting an analysis method or an iteration method to obtain the parameters corresponding to the worm classifier.
And the back door program classifier parameter determining unit is used for taking the back door program data set as the input of a two-classifier and the classification hyperplane corresponding to the back door program data set as the output of the two-classifier, and solving the two classifiers by adopting an analytic method or an iterative method to obtain the parameters corresponding to the back door program classifier.
And the Trojan classifier parameter determining unit is used for taking the Trojan data set as the input of a two-classifier and the classification hyperplane corresponding to the Trojan data set as the output of the two-classifier, and solving the two-classifier by adopting an analytic method or an iterative method to obtain the parameter corresponding to the Trojan classifier.
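The five parameter determining units above each train a classifier that separates one behavior type from the rest. A minimal sketch of preparing the per-class binary targets follows; the labels and data are hypothetical:

```python
def split_one_vs_rest(samples, labels,
                      classes=("normal", "virus", "worm", "backdoor", "trojan")):
    """For each behavior type, build the binary training target used by
    that type's classifier: +1 for the class, -1 for all the rest."""
    datasets = {}
    for c in classes:
        targets = [1 if lab == c else -1 for lab in labels]
        datasets[c] = (samples, targets)
    return datasets

# Toy example with three samples and two behavior types present.
data = [[0.1], [0.9], [0.5]]
labs = ["virus", "normal", "virus"]
sets = split_one_vs_rest(data, labs)
# sets["virus"][1] is [1, -1, 1]: the virus classifier's binary targets.
```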
As an optional mode, the classification hyperplane formula of the present invention is:
f(X)=sign(g(X));
where

g(X) = Σ_{i=1}^{n} α*_i · y_i · K(X_i, X) + b*;

sign(·) is the sign function, f(X) is the optimal classification hyperplane, n represents the number of samples, α*_i represents the parameters of the optimal classification hyperplane, y_i represents the class label, X_i represents the behavior vector of the i-th sample, X represents the total vector of all the X_i vectors, K(X_i, X) represents the kernel inner-product function, and b* represents the bias term.
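For illustration, the decision function above can be evaluated directly once the parameters α*_i, y_i, X_i and b* are known. The sketch below uses an RBF kernel for K, which is an assumption for the example only; the patent does not fix the kernel:

```python
import numpy as np

def rbf_kernel(Xi, X, gamma=0.5):
    # K(Xi, X): one common choice of kernel inner-product function.
    return np.exp(-gamma * np.sum((Xi - X) ** 2))

def g(X, support_vectors, alphas, labels, b):
    """g(X) = sum_i alpha*_i * y_i * K(X_i, X) + b*."""
    return sum(a * y * rbf_kernel(Xi, X)
               for a, y, Xi in zip(alphas, labels, support_vectors)) + b

def f(X, support_vectors, alphas, labels, b):
    """f(X) = sign(g(X)): the binary classification decision."""
    return np.sign(g(X, support_vectors, alphas, labels, b))
```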
As an optional mode, the system of the present invention further includes:
and the initialization module is used for initializing the sandbox environment.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and its core concept; meanwhile, a person skilled in the art may, following the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (10)

1. A sandbox-based behavior detection method, comprising:
step S1: inputting a training sample and a sample to be tested into a sandbox through a host;
step S2: processing the training sample and the sample to be detected by using the sandbox to obtain an API sequence corresponding to the training sample and an API sequence corresponding to the sample to be detected;
step S3: extracting an API sequence corresponding to the training sample by adopting a 3-gram method to obtain M triples;
step S4: performing data conversion on the M triples to obtain M characteristic vectors;
step S5: constructing a training sample data set based on the M feature vectors;
step S6: taking the training sample data set as input and the classification hyperplane corresponding to the training sample data set as output, and respectively inputting them into binary classifiers for training to obtain a multi-classification model;
step S7: inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: virus, worm, backdoor program, trojan, or normal.
2. The sandbox-based behavior detection method according to claim 1, wherein the step of inputting the API sequence corresponding to the sample to be detected into the multi-classification model to obtain the behavior type specifically includes:
step S71: inputting the API sequence corresponding to the sample to be tested into the multi-classification model to obtain five classification hyperplane values;
step S72: and selecting the type corresponding to the maximum value from the five classification hyperplane values as the behavior type.
3. The sandbox-based behavior detection method according to claim 1, wherein the step of taking the training sample data set as input and the classification hyperplane corresponding to the training sample data set as output, and respectively inputting them into binary classifiers for training to obtain a multi-classification model specifically includes:
step S61: classifying the training sample data set to respectively obtain a normal data set, a virus data set, a worm data set, a backdoor program data set and a Trojan data set;
step S62: taking the normal data set as the input of a binary classifier and the classification hyperplane corresponding to the normal data set as the output of the binary classifier, and solving the binary classifier by adopting an analytic method or an iterative method to obtain parameters corresponding to the normal classifier;
step S63: taking the virus data set as the input of a binary classifier and the classification hyperplane corresponding to the virus data set as the output of the binary classifier, and solving the binary classifier by adopting an analytic method or an iterative method to obtain parameters corresponding to the virus classifier;
step S64: taking the worm data set as the input of a binary classifier and the classification hyperplane corresponding to the worm data set as the output of the binary classifier, and solving the binary classifier by adopting an analytic method or an iterative method to obtain parameters corresponding to the worm classifier;
step S65: taking the backdoor program data set as the input of a binary classifier and the classification hyperplane corresponding to the backdoor program data set as the output of the binary classifier, and solving the binary classifier by adopting an analytic method or an iterative method to obtain parameters corresponding to the backdoor program classifier;
step S66: taking the Trojan data set as the input of a binary classifier and the classification hyperplane corresponding to the Trojan data set as the output of the binary classifier, and solving the binary classifier by adopting an analytic method or an iterative method to obtain parameters corresponding to the Trojan classifier.
4. The sandbox-based behavior detection method of claim 3, wherein the classification hyperplane formula is:
f(X)=sign(g(X));
where

g(X) = Σ_{i=1}^{n} α*_i · y_i · K(X_i, X) + b*;

sign(·) is the sign function, f(X) is the optimal classification hyperplane, n represents the number of samples, α*_i represents the parameters of the optimal classification hyperplane, y_i represents the class label, X_i represents the behavior vector of the i-th sample, X represents the total vector of all the X_i vectors, K(X_i, X) represents the kernel inner-product function, and b* represents the bias term.
5. The sandbox-based behavior detection method according to claim 1, further comprising, before step S1:
the sandbox environment is initialized.
6. A sandbox-based behavior detection system, comprising:
the sample input module is used for inputting a training sample and a sample to be tested into the sandbox through the host;
the API sequence generating module is used for processing the training sample and the sample to be detected by using the sandbox to obtain an API sequence corresponding to the training sample and an API sequence corresponding to the sample to be detected;
the extraction module is used for extracting the API sequence corresponding to the training sample by adopting a 3-garam method to obtain M triples;
the data conversion module is used for performing data conversion on the M triples to obtain M characteristic vectors;
the training sample data set construction module is used for constructing a training sample data set based on the M characteristic vectors;
the multi-classification model training module is used for inputting the training sample data set as input and the classification hyperplane corresponding to the training sample data set as output, and respectively inputting the input to the two classifiers for training to obtain a multi-classification model;
the prediction module is used for inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain a behavior type; the behavior types are: virus, worm, backdoor program, trojan, or normal.
7. The sandbox-based behavior detection system according to claim 6, wherein the prediction module specifically comprises:
the prediction unit is used for inputting the API sequence corresponding to the sample to be tested into the multi-classification model for prediction to obtain five classification hyperplane values;
and the selecting unit is used for selecting the type corresponding to the maximum value from the five classification hyperplane values as the behavior type.
8. The sandbox-based behavior detection system according to claim 6, wherein the multi-classification model training module specifically includes:
the classification unit is used for classifying the training sample data set to respectively obtain a normal data set, a virus data set, a worm data set, a backdoor program data set and a Trojan data set;
a normal classifier parameter determining unit, configured to take the normal data set as the input of a binary classifier and the classification hyperplane corresponding to the normal data set as the output of the binary classifier, and solve the binary classifier by an analytic method or an iterative method to obtain the parameters corresponding to the normal classifier;
a virus classifier parameter determining unit, configured to take the virus data set as the input of a binary classifier and the classification hyperplane corresponding to the virus data set as the output of the binary classifier, and solve the binary classifier by an analytic method or an iterative method to obtain the parameters corresponding to the virus classifier;
a worm classifier parameter determining unit, configured to take the worm data set as the input of a binary classifier and the classification hyperplane corresponding to the worm data set as the output of the binary classifier, and solve the binary classifier by an analytic method or an iterative method to obtain the parameters corresponding to the worm classifier;
a backdoor program classifier parameter determining unit, configured to take the backdoor program data set as the input of a binary classifier and the classification hyperplane corresponding to the backdoor program data set as the output of the binary classifier, and solve the binary classifier by an analytic method or an iterative method to obtain the parameters corresponding to the backdoor program classifier;
a Trojan classifier parameter determining unit, configured to take the Trojan data set as the input of a binary classifier and the classification hyperplane corresponding to the Trojan data set as the output of the binary classifier, and solve the binary classifier by an analytic method or an iterative method to obtain the parameters corresponding to the Trojan classifier.
9. The sandbox-based behavior detection system of claim 8, wherein the classification hyperplane formula is:
f(X)=sign(g(X));
where

g(X) = Σ_{i=1}^{n} α*_i · y_i · K(X_i, X) + b*;

sign(·) is the sign function, f(X) is the optimal classification hyperplane, n represents the number of samples, α*_i represents the parameters of the optimal classification hyperplane, y_i represents the class label, X_i represents the behavior vector of the i-th sample, X represents the total vector of all the X_i vectors, K(X_i, X) represents the kernel inner-product function, and b* represents the bias term.
10. The sandbox-based behavior detection system of claim 6, further comprising:
and the initialization module is used for initializing the sandbox environment.



