JP2017004123A - Determination apparatus, determination method, and determination program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine whether an execution file is malware or not, in consideration of a file type of the execution file.SOLUTION: A malware determination apparatus 10 determines a file type of each of execution files including a file known as malware and a file known as goodware. The malware determination apparatus 10 extracts features from the execution files, to generate feature vectors of the execution files, on the basis of the features of the execution files and the determined file types. The malware determination apparatus 10 inputs the generated feature vectors of the execution files as teacher data, generates a classifier to determine whether the file is malware, and calculates a score indicating malware likelihood of a file to be determined, by use of the generated classifier, to determine whether the file to be determined is malware or not, on the basis of the calculated score.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a determination device, a determination method, and a determination program.

  In recent years, two methods are used to determine whether an executable file is malware: dynamic determination by executing an executable file and static determination that determines without executing the executable file. Static determination is used when required.

  Representative examples of static determination methods include hash value match determination and pattern match determination (signature scan). The hash value match determination has a hash value of MD5, SHA1, SHA256, etc. of known malware in advance as a database, and if the hash value of the file to be inspected matches the database, the hash value match determination is made. The pattern match judgment has a specific character string or byte code included in known malware in advance as a database, and if any of the character strings and byte codes registered in the database is included in the inspection target file, To do.

  These methods were difficult to detect variants and new types of malware that were modified from existing malware. For this reason, heuristic determination has been proposed as a method for determining sub-species / new-type malware. This is based on the experience so far, defining the malware likeness and judging according to the definition.

  For example, a method using machine learning technology for heuristic determination has been proposed (see, for example, Patent Document 1). In such a method using machine learning technology, for example, a human-readable character string included in an execution file is learned in advance, and the malware-likeness is determined based on how many words frequently used in malware are included in the inspection file. judge.

  In machine learning, data to be learned (learning data) is first converted into a set of several parameters, and then learning is performed using a machine learning algorithm. Each individual parameter is referred to as a feature, and a set of parameters represented by a number vector is referred to as a feature vector.

JP 2012-27710 A

  However, with the above-mentioned conventional technology, the executable file is a malware without considering the file types such as 32-bit application, Visual Basic application, 32-bit device driver, 32-bit dynamic link library file, and 64-bit application. Since it has been determined whether or not there is a problem, there is a problem that the accuracy of the determination may be lowered. In other words, since the characteristics of the executable files having different file types often conflict with each other, the determination accuracy may be lowered when the file type is not considered.

  For example, in a 32-bit application, a feature that frequently appears only in malware may appear in goodware in the case of a 64-bit application. In such a case, if the determination is made without considering the file type, it is difficult to accurately classify the 32-bit application malware and the 64-bit application goodware having this characteristic.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and in consideration of the file type of the executable file, it is possible to determine with high accuracy whether or not the executable file is malware. Objective.

  In order to solve the above-described problems and achieve the object, the determination device determines a file type of each executable file including a file known to be malware and a file known to be goodware. And an extractor that extracts features from each executable file and creates a feature vector of each executable file based on the features of each executable file and the file type determined by the determiner; and A feature unit of each created executable file is input as teacher data, a creation unit that creates a classifier that determines whether or not it is malware, and a classifier created by the creation unit, Based on the score calculated by the calculation unit that calculates a score indicating the likelihood of malware, the determination target file Le characterized in that the and a judging section that judges whether malware.

  Further, the determination device extracts a feature from each execution file, a determination unit for determining the file type of each execution file including a file known to be malware and a file known to be goodware, respectively. An extraction unit that creates a feature vector of each executable file based on the features of each executable file; and the feature vector is input as teacher data for each file type determined by the determination unit, and for each file type A creation unit that creates each classifier, a calculation unit that selects a classifier corresponding to the file type of the determination target file, and calculates a score indicating the malware likeness of the determination target file using the classifier; And determining whether the determination target file is malware based on the score calculated by the calculation unit Characterized in that it comprises a tough, the.

  The determination method is a determination method executed by the determination device, and a determination step of determining the file type of each executable file including a file known to be malware and a file known to be goodware. And extracting a feature from each executable file, and creating a feature vector of each executable file based on the feature of each executable file and the file type determined by the determining step, and by the extracting step A feature step of each created executable file is input as teacher data, and a creation step for creating a classifier for judging whether it is malware or not, and using the classifier created by the creation step, Based on the calculation step of calculating a score indicating the likelihood of malware and the score calculated by the calculation step, Determining the target file is characterized in that it includes a determination step of determining whether a malware, the.

  Further, the determination method includes a determination step of determining each file type of each executable file including a file known to be malware and a file known to be goodware, and extracts features from each executable file. Based on the features of each executable file, the feature vector of each executable file is created, and the feature vector is input as teacher data for each file type determined by the determining step, and for each file type A creation step of creating each classifier, a calculation step of selecting a classifier corresponding to the file type of the determination target file, and calculating a score indicating the malware likeness of the determination target file using the classifier; Whether the file to be determined is malware based on the score calculated by the calculation step Characterized in that including a determination step of determining.

  The determination program also determines a file type of each executable file including files known to be malware and files known to be goodware, and extracts features from the executable files. An extraction step for creating a feature vector of each executable file based on the characteristics of each executable file and the file type determined by the determination step; and a feature vector of each executable file generated by the extraction step A creation step for creating a classifier that is input as data and determines whether or not it is malware, and a calculation step for calculating a score indicating the malware likeness of the file to be determined using the classifier created by the creation step; , Based on the score calculated by the calculating step, Serial determination target file is equal to or to execute a determining step of determining whether or not a malware, to the computer.

  The determination program also determines a file type of each executable file including files known to be malware and files known to be goodware, and extracts features from the executable files. Based on the features of each executable file, an extraction step of creating a feature vector of each executable file, and the feature vector is input as teacher data for each file type determined by the determining step, and for each file type A creation step for creating each classifier, a calculation step for selecting a classifier corresponding to the file type of the determination target file, and calculating a score indicating the malware likeness of the determination target file using the classifier; , Based on the score calculated by the calculation step, Airu is characterized in that to execute a determining step of determining whether or not a malware, to the computer.

  The determination apparatus, the determination method, and the determination program disclosed in the present application have an effect that it is possible to determine with high accuracy whether or not the execution file is malware in consideration of the file type of the execution file.

FIG. 1 is a configuration diagram illustrating an outline of the malware determination device according to the first embodiment. FIG. 2 is a diagram illustrating processing for determining the file type of the executable file by the file type determination unit. FIG. 3 is a diagram illustrating processing for extracting features of an executable file by the feature extraction unit. FIG. 4 is a diagram for explaining processing for adding a character string representing a file type to each feature by the feature extraction unit. FIG. 5 is a diagram illustrating a process for creating a feature vector by the feature extraction unit. FIG. 6 is a diagram for explaining the effect of creating a feature vector by adding a character string representing a file type to each feature by the feature extraction unit. FIG. 7 is a flowchart showing a flow of learning processing by the malware determination device according to the first embodiment. FIG. 8 is a flowchart showing a flow of determination processing by the malware determination device according to the first embodiment. FIG. 9 is a diagram illustrating processing for creating a feature vector using a character string representing a file type as one of features by a feature extraction unit. FIG. 10 is a diagram illustrating a process of creating a feature vector by adding a character string representing a file type and using a character string representing a file type as one of the features. FIG. 11 is a configuration diagram illustrating an outline of a malware determination device according to the third embodiment. FIG. 12 is a diagram illustrating a process of creating a classifier for each file type by the classifier creation unit. FIG. 13 is a flowchart illustrating the flow of the learning process performed by the malware determination device according to the third embodiment. FIG. 14 is a flowchart showing a flow of determination processing by the malware determination device according to the third embodiment. FIG. 15 is a diagram illustrating a computer that executes a determination program.

  Hereinafter, embodiments of a determination device, a determination method, and a determination program according to the present application will be described in detail with reference to the drawings. Note that the determination device, the determination method, and the determination program according to the present application are not limited by this embodiment.

[First embodiment]
In the following embodiments, the configuration and processing flow of the malware determination device according to the first embodiment will be described in order, and then the effects of the first embodiment will be described finally.

[Configuration of malware detection device]
First, the configuration of the malware determination device 10 will be described with reference to FIG. FIG. 1 is a configuration diagram illustrating an outline of the malware determination device according to the first embodiment. As shown in FIG. 1, the malware determination device 10 includes a learning unit 11, a classifier storage unit 12, and a determination control unit 13. The processing of each of these units will be described below.

  The learning unit 11 generates a feature vector from the learning data, creates a single classifier from the feature vector, and stores the classifier in the classifier storage unit 12. The learning unit 11 includes a file type determination unit 11a, a feature extraction unit 11b, and a classifier creation unit 11c.

  The file type determination unit 11a determines the file type of each executable file including a file known to be malware and a file known to be goodware. Specifically, the file type determination unit 11a receives an input of a learning data set including known malware and goodware 20 that is known malware and goodware, and determines the file type of each executable file included in the learning data set. Then, the learning data set to which the information of the discrimination result is added is output to the feature extraction unit 11b.

  Here, the process of determining the file type of the executable file by the file type determination unit 11a will be described using the example of FIG. FIG. 2 is a diagram illustrating processing for determining the file type of the executable file by the file type determination unit. As illustrated in FIG. 2, the learning data set is received as an input, the file type of each execution file is determined, and the learning data to which the information of the determination result (file type of the data) is added is the feature extraction unit 11b. Output to. In order to determine the file type, for example, a dedicated tool such as PeStudio or PEInfo may be used. However, the method is not limited to these as long as the file type can be determined.

  Here, the learning data set includes existing malware and goodware executable files, and information indicating the classification of whether the executable file is malware or goodware. Hereinafter, the constituent elements of the learning data set (the combination of the execution file and the classification information) are referred to as learning data. For example, in the example of FIG. 2, “learning data 1” includes “executable file 1” and “malware” indicating that the executable file 1 is malware.

  As illustrated in FIG. 2, for example, when the file type determination unit 11a determines that the file type is “32-bit application” for “learning data 1”, the information of the determination result is “learning data”. “Learning data 1 = (executable file 1, malware, 32-bit application)” added to “1” is output to the feature extraction unit 11b.

  The feature extraction unit 11b extracts features from each execution file, and creates a feature vector of each execution file based on the feature of each execution file and the file type determined by the file type determination unit 11a. Specifically, when the feature extraction unit 11b receives a learning data set to which file type information is added from the file type determination unit 11a, the feature extraction unit 11b extracts a feature from each execution file of the learning data set, Then, a character string indicating the file type is added, a feature vector to be applied to the classifier is created from the feature with the added character string indicating the file type, and the feature vector is output to the classifier creating unit 11c. In the following, feature extraction will be described in detail in two steps, a first step and a second step.

  The feature extraction process in the first step will be described using the example of FIG. FIG. 3 is a diagram illustrating processing for extracting features of an executable file by the feature extraction unit. First, in the first step, as an execution file characteristic, for example, an attribute value of PE (Portable Executable) header information can be considered. Some PE header information has a single value for one attribute, and some PE header information has a plurality of values for one attribute. For example, the attribute “base_of_code” has only one value, but the attribute “characteristics” has a plurality of values such as “Executable”, “32-bit word machine”, and “Debug information stripped”. These treat each as a feature. That is, in the example of characteristics, it is handled as three features extracted with one attribute.

  For example, in the example of FIG. 3, the “base_of_code” value “0x100” and the “characteristics” value “Executable” for “executable file 1” with file type information indicating that the file type is “32-bit application”. , “32-bit word machine” and “Debug information stripped” are extracted as the characteristics of the executable file.

  Next, the feature extraction process in the second step will be described using the example of FIG. FIG. 4 is a diagram for explaining processing for adding a character string representing a file type to each feature by the feature extraction unit. As illustrated in FIG. 4, the feature extraction unit 11 b adds a character string indicating the file type of the execution file to each extracted feature. To explain using the example in FIG. 4, the character string “32Bit_” is added to the top of each feature “0x100”, “Executable”, “32bit word machine”, and “Debug information stripped” of the executable file. The feature “{32Bit_0x100, 32Bit_Executable, 32Bit_32bit word machine, 32Bit_Debug information stripped}” is created. The character string may be anything as long as it can distinguish different file types.

  Next, creation of a feature vector will be described. For creating a feature vector, for example, a method generally used in supervised machine learning, such as a method of assigning a binary value of 1/0 depending on whether each feature has appeared or a method of assigning the number of appearances of each feature, is used. Use. In addition, what performed dimension reduction processing, such as feature selection and dimension compression, may be used as the feature vector of the execution file again. Here, the feature selection is a method of selecting each feature so that the target accuracy is improved. As a typical technique for dimensional compression, for example, there is principal component analysis, which automatically combines correlated features into one feature.

  Here, the process of creating a feature vector by the feature extraction unit 11b will be described using the example of FIG. FIG. 5 is a diagram illustrating a process for creating a feature vector by the feature extraction unit. In the example of FIG. 5, it is assumed that a feature vector is created by the feature extraction unit using a method of assigning a binary value of 1/0 depending on whether each feature appears or not, and dimension compression processing is not performed. Further, as illustrated in FIG. 5, for “executable file 1” with file type information indicating that the file type is “32-bit application”, the value “0x100” of “base_of_code” and the value “characteristics” “ “Executable”, “32-bit word machine”, and “Debug information stripped” are extracted as features, and as described in the example of FIG. 4, a feature “{32Bit_0x100, 32Bit_Executable” in which a character string “32Bit_” is added to each feature is described. , 32Bit_32bit word machine, 32Bit_Debug information stripped} ”.

  And in the characteristics of the executable file 1, "32Bit_0x100", "32Bit_Executable", "32Bit_32bit word machine", "32Bit_Debug information stripped", "32Bit_INIT", "32Bit_0x2000", "64Bit_0x100", "64Bit_Executable" ... A value is assigned according to whether or not a feature vector “(1, 1, 1, 1, 0, 0, 0, 0...)” Is created.

  Here, the effect of creating a feature vector by adding a character string representing a file type to each feature by the feature extraction unit 11b will be described with reference to FIG. FIG. 6 is a diagram for explaining the effect of creating a feature vector by adding a character string representing a file type to each feature by the feature extraction unit.

  In the malware determination apparatus 10 according to the first embodiment, the executable files having different file types can be always converted into different feature vectors by incorporating the information indicating the file types into the feature vectors. For example, when the file type is not considered as in the conventional method, malware and goodware having different file types have the same feature or feature vector. For example, as illustrated in FIG. 6, in the conventional method, the feature vector related to the execution file A of the 32-bit application and the feature vector related to the execution file A of the 64-bit application are both “feature vector = (0x100, Executable) = (1, 1) ", the same feature vector is obtained. That is, when the file type is not taken into account, the feature vector of the execution file A of the 32-bit application and the execution file A of the 64-bit application are both {0x100, Executable}, and therefore the feature vectors are the same.

  On the other hand, since the malware determination apparatus 10 according to the first embodiment converts each other into completely different feature vectors, it becomes easy to accurately determine malware / goodware. For example, as illustrated in FIG. 6, the feature vector related to the execution file A of a 32-bit application is “feature vector = (32Bit_0x100, 32Bit_Executable, 64Bit_0x100, 64Bit_Executable) = (1, 1, 0, 0)”. The feature vector relating to the execution file A is “feature vector = (32Bit_0x100, 32Bit_Executable, 64Bit_0x100, 64Bit_Executable) = (0, 0, 1, 1)”. For this reason, since the feature vectors of the executable files having different file types are completely different from each other, it is possible to accurately perform the malware determination process by the determination control unit 13 described later.

  The classifier creation unit 11c inputs the feature vector of each executable file created by the feature extraction unit 11b as teacher data, and creates a classifier that determines whether it is malware. Specifically, when the classifier creating unit 11c receives the feature vector from the feature extracting unit 11b, the classifier creating unit 11c inputs the feature vector as teacher data, creates a classifier that determines whether it is malware, and the created classifier Are stored in the classifier storage unit 12. Here, supervised learning is used to create the classifier. As supervised learning, for example, logistic regression, support vector machine (SVM), decision tree, naive Bayes, perceptron, Passive-Aggressive (PA), Adaptive Regularization of Weight Vectors (AROW), etc. can be used.

  The classifier storage unit 12 stores the classifier created by the classifier creation unit 11c. The classifier storage unit 12 may use a general database (for example, MySQL, PostgreSQL, etc.), and the type of the method such as storage in a table format or a text format is not limited.

  The determination control unit 13 determines malware using the created classifier. The determination control unit 13 includes a file type determination unit 13a, a feature extraction unit 13b, a score calculation unit 13c, and a determination unit 13d.

  The file type determination unit 13a receives, as an input, a determination target file 30 that is an execution file for which it is desired to determine whether it is malware or goodware, and determines the file type. After the determination, the file type determination unit 13a outputs the determination target file 30 to which information on the determination result (file type) is added to the feature extraction unit 13b.

  The feature extraction unit 13b converts the determination target file 30 into a feature vector by the same method as the feature extraction unit 11b described above. Then, the feature extraction unit 13b outputs the determination target file 30 converted into the feature vector to the score calculation unit 13c.

  The score calculation unit 13c calculates a score indicating the malware likeness of the determination target file 30 using the classifier created by the classifier creation unit 11c. Specifically, the score calculation unit 13 c calculates a score representing the malware likeness of the determination target file 30 using the classifier stored in the classifier storage unit 12. In addition, as a method of calculating a score of malware likeness, for example, a known method such as a method of performing determination based on how much of a feature often used in malware is included in a feature vector of an execution file to be determined Can be used.

  The determination unit 13d determines whether the determination target file is malware based on the score calculated by the score calculation unit 13c. Specifically, the determination unit 13d determines whether the score is equal to or greater than a predetermined threshold. If the score is equal to or greater than the threshold, the determination target file 30 is determined to be malware, and if the score is less than the threshold, the determination target is determined. The file 30 is determined as goodware, and the determination result 40 is output. Note that the determination result 40 may be only the classification of malware or goodware, or information of score and file type may be added thereto.

  In this way, the malware determination device 10 creates a feature vector in consideration of the file type of the executable file in the malware determination using machine learning, and creates a classifier using the feature vector. Compared to the case where no consideration is given, it is possible to achieve higher determination accuracy for the determination processing of malware.

[Processing by malware detection device]
Next, processing performed by the malware determination apparatus 10 according to the first embodiment will be described with reference to FIGS. 7 and 8. FIG. 7 is a flowchart showing a flow of learning processing by the malware determination device according to the first embodiment. FIG. 8 is a flowchart showing a flow of determination processing by the malware determination device according to the first embodiment.

  First, the flow of the learning process performed by the malware determination apparatus 10 according to the first embodiment will be described with reference to FIG. As shown in FIG. 7, the file type determination unit 11a of the malware determination device 10 determines the file type of each executable file of the learning data set (step S101). Then, the feature extraction unit 11b generates a feature vector from the learning data (step S102). For example, when the feature extraction unit 11b receives a learning data set to which file type information is added from the file type determination unit 11a, the feature extraction unit 11b extracts a feature from each executable file of the learning data set, Is added, and a feature vector to be applied to the classifier is created from the feature added with the character string indicating the file type.

  Subsequently, the classifier creating unit 11c creates a single classifier (step S103), and stores the classifier in the classifier storage unit 12 (step S104). For example, when the classifier creation unit 11c receives a learning vector from the feature extraction unit 11b, the classifier creation unit 11c inputs the feature vector as teacher data, creates a classifier that determines whether or not it is malware, and creates the classifier as a classifier. Store in the storage unit 12.

  Next, the flow of determination processing by the malware determination apparatus 10 according to the first embodiment will be described with reference to FIG. As shown in FIG. 8, the file type determination unit 13a of the malware determination apparatus 10 determines the file type of the determination target file 30 (step S201). Then, the feature extraction unit 13b generates a feature vector from the determination target file 30 by the same method as the feature extraction unit 11b (step S202).

  Subsequently, the score calculation unit 13c calculates a score representing the likelihood of malware using the classifier stored in the classifier storage unit 12 (step S203). And the determination part 13d performs malware determination from a score (step S204). Specifically, the determination unit 13d determines whether the score is equal to or greater than a predetermined threshold. If the score is equal to or greater than the threshold, the determination target file 30 is determined to be malware, and if the score is less than the threshold, the determination target is determined. The file 30 is determined as goodware.

[Effect of the first embodiment]
As described above, the malware determination device 10 determines the file type of each executable file including a file known to be malware and a file known to be goodware. Then, the malware determination device 10 extracts features from each executable file, and creates a feature vector of each executable file based on the feature of each executable file and the determined file type. Subsequently, the malware determination device 10 inputs the created feature vector of each executable file as teacher data, creates a classifier that determines whether or not it is malware, and uses the created classifier to determine the target of determination. A score indicating the malware likeness of the file is calculated, and it is determined whether or not the determination target file is malware based on the calculated score. For this reason, the malware determination apparatus 10 can determine whether or not the execution file is malware in consideration of the file type of the execution file.

[Second Embodiment]
In the first embodiment described above, a feature is extracted from each executable file, a character string indicating the file type is added to the feature, and a feature vector is calculated from the feature added with the character string indicating the file type. The case of creating is described, but the present invention is not limited to this. Features are extracted from each executable file, and a feature vector of each executable file is created using the feature and a character string indicating the file type as the feature. You may make it do.

  Therefore, in the following, as a second embodiment, a feature is extracted from each executable file, and a feature vector of each executable file is created using the feature and a character string indicating the file type as one of the features. explain. In addition, description is abbreviate | omitted about the structure and process similar to 1st embodiment.

  The feature extraction unit 11b extracts features from each execution file, and creates a feature vector of each execution file using the feature and a character string indicating the file type determined by the file type determination unit 11a. That is, in the second embodiment, the process of the second step in the feature extraction described above is different from the first embodiment.

  Specifically, in addition to the feature extracted from the executable file itself, that is, the feature extracted in the first step, the feature extraction unit 11b uses a character string representing the file type of the file as one of the features, Create a feature vector. Here, the process of creating a feature vector will be described using the example of FIG. FIG. 9 is a diagram illustrating processing for creating a feature vector using a character string representing a file type as one of features by a feature extraction unit. In the example of FIG. 9, a case will be described in which an executable file whose file type is a 32-bit application is converted into a feature vector. As shown in FIG. 9, for example, when the file type is not taken into consideration as in the prior art, “feature vector = (number of sections, executable,..., INIT)” is created as the feature vector. On the other hand, in the second embodiment, “characteristic vector = (number of sections, executable,..., INIT, 32 bits)” is created as a feature vector in which the character string representing the file type is also used as one of the features. To do.

  Note that, as illustrated in FIG. 10, a feature vector may be created by combining the feature vector creation methods of the first embodiment and the second embodiment. That is, a feature is extracted from each executable file, a character string indicating the file type is added to the feature, and a feature vector of each executable file is created using the character string indicating the file type as a feature. You may do it.

  As described above, in the malware determination device according to the second embodiment, by using the information indicating the file type as one of the features, executable files having different file types have different features. It is possible to improve the resolution of the malware and the determination accuracy.

[Third embodiment]
In the first embodiment and the second embodiment described above, a feature vector of each executable file is created based on the feature and file type of each executable file, and a classifier is created using the feature vector as teacher data. Although the case has been described, the present invention is not limited to this, and a classifier may be created for each file type by inputting a feature vector for each file type as teacher data.

  Therefore, in the following, as a third embodiment, a case will be described in which a classifier is created for each file type by inputting a feature vector for each file type as teacher data. In addition, description is abbreviate | omitted about the structure and process similar to 1st embodiment.

  First, the configuration of the malware determination device 10A according to the third embodiment will be described with reference to FIG. FIG. 11 is a configuration diagram illustrating an outline of a malware determination device according to the third embodiment. As shown in FIG. 11, the classifier storage unit 12 stores a plurality of classifiers 1 to N. In the following, a case where N classifiers are created and N classifiers are stored will be described as an example.

  The feature extraction unit 11b extracts features from each executable file, and creates a feature vector of each executable file based on the features of each executable file. Here, in the third embodiment, the process of the second step in the feature extraction of the first embodiment is not executed. That is, the file type information is not used to create the feature vector.

  The classifier creating unit 11c inputs feature vectors for each file type determined by the file type determining unit 11a as teacher data, and creates N classifiers for each file type. Specifically, the classifier creation unit 11c receives as input a learning data set with file type information that has been converted into feature vectors, and individually creates a classifier that determines malware / goodware for each file type. .

  For example, as illustrated in FIG. 12, the classifier creating unit 11c creates a classifier for a 32-bit application with a learning data set for a 32-bit application as an input. The classifier creating unit 11c creates a classifier for a 64-bit application with the learning data set for the 64-bit application as an input. Further, the classifier creating unit 11c creates a classifier for the VisualBasic application by using the learning data set of the VisualBasic application as an input.

  The classifier creating unit 11c may create a classifier using all the learning data without considering the file type when there is a file type having a learning data count equal to or less than a certain threshold. For example, the classifier creating unit 11c determines whether or not the number of learning data is greater than or equal to a predetermined threshold for the learning data for each file type determined by the file type determining unit 11a. Then, when it is determined that the number of learning data is equal to or greater than a predetermined threshold, the classifier creation unit 11c individually classifies the classifier using only the learning data of the file type as in the above processing. create. In addition, when it is determined that the number of learning data is less than a predetermined threshold, the classifier creating unit 11c creates a classifier using all the learning data without considering the file type. In other words, if the number of learning data is too small, it may not be possible to create a classifier with high accuracy. To create a classifier.

  The score calculation unit 13c selects a classifier corresponding to the file type of the determination target file 30, and calculates a score indicating the malware likeness of the determination target file 30 using the classifier. Specifically, the score calculation unit 13c selects and reads out a classifier that matches the file type of the determination target file 30 from the classifier storage unit 12, and uses the read classifier to determine the malware likeness of the determination target file 30. Calculate the score to represent.

  Next, processing performed by the malware determination apparatus 10A according to the third embodiment will be described with reference to FIGS. FIG. 13 is a flowchart illustrating the flow of the learning process performed by the malware determination device according to the third embodiment. FIG. 14 is a flowchart showing a flow of determination processing by the malware determination device according to the third embodiment.

  First, the flow of the learning process performed by the malware determination apparatus 10A according to the third embodiment will be described with reference to FIG. As illustrated in FIG. 13, the file type determination unit 11a of the malware determination apparatus 10A determines the file type of each execution file of the learning data set (step S301). Then, the feature extraction unit 11b generates a feature vector from the learning data (step S302).

  Subsequently, the classifier creating unit 11c creates a separate classifier for each file type (step S303), and stores each classifier in the classifier storage unit 12 (step S304). For example, the classifier creation unit 11c receives, as an input, a learning data set with file type information that has been converted into a feature vector, and creates and creates a classifier that determines malware / goodware for each file type. The classifier is stored in the classifier storage unit 12.

  Next, the flow of determination processing performed by the malware determination apparatus 10A according to the third embodiment will be described with reference to FIG. As illustrated in FIG. 14, the file type determination unit 13a of the malware determination apparatus 10A determines the file type of the determination target file 30 (step S401). Then, the feature extraction unit 13b generates a feature vector from the determination target file 30 by the same method as the feature extraction unit 11b (step S402).

  Subsequently, the score calculation unit 13c selects a classifier that matches the file type of the determination target file from the classifier storage unit 12, and uses the selected classifier to calculate a score representing the likelihood of malware (step S403). ). And the determination part 13d performs malware determination from a score (step S404).

  As described above, in the malware determination device according to the third embodiment, a different classifier is created for each file type of the execution file, and the classifier corresponding to the file type of the determination target file 30 is used. Therefore, it is possible to realize highly accurate malware determination.

[System configuration, etc.]
Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device is realized by a CPU (Central Processing Unit) and a program analyzed and executed by the CPU, or hardware by wired logic. Can be realized as

  In addition, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[program]
In addition, a program described in a language that can be executed by a computer can be created for the processing executed by the malware determination device described in the above embodiment. For example, a determination program described in a language that can be executed by a computer can be created for the process executed by the malware determination apparatus according to the first embodiment. In this case, when the computer executes the determination program, the same effect as in the above embodiment can be obtained. Further, the same processing as in the above embodiment may be realized by recording the determination program on a computer-readable recording medium, and reading and executing the determination program recorded on the recording medium. . Below, an example of the computer which performs the determination program which implement | achieves the function similar to a malware determination apparatus is demonstrated.

  FIG. 15 is a diagram illustrating a computer 1000 that executes a determination program. As illustrated in FIG. 15, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090 as illustrated in FIG. The disk drive interface 1040 is connected to the disk drive 1041 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120 as illustrated in FIG. The video adapter 1060 is connected to a display 1130, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 15, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the above determination program is stored in, for example, the hard disk drive 1090 as a program module in which a command to be executed by the computer 1000 is described.

  In addition, various data described in the above embodiment is stored as program data in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary, and executes the acquisition procedure, the comparison procedure, and the distribution control procedure.

  Note that the program module 1093 and the program data 1094 related to the determination program are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive or the like. Good. Alternatively, the program module 1093 and the program data 1094 related to the determination program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and via the network interface 1070. May be read by the CPU 1020.

DESCRIPTION OF SYMBOLS 10, 10A Malware determination apparatus 11 Learning part 11a, 13a File type discrimination | determination part 11b, 13b Feature extraction part 11c Classifier creation part 12 Classifier memory | storage part 13 Judgment control part 13c Score calculation part 13d Determination part 20 Known malware / goodware 30 Judgment target file 40 Judgment result

Claims (8)

A discriminator for discriminating the file type of each executable file including a file known to be malware and a file known to be goodware;
An extraction unit that extracts features from each executable file and creates a feature vector of each executable file based on the features of each executable file and the file type determined by the determination unit;
A creation unit that inputs a feature vector of each executable file created by the extraction unit as teacher data and creates a classifier that determines whether it is malware;
Using the classifier created by the creation unit, a calculation unit that calculates a score indicating the malware likeness of the determination target file;
A determination unit that determines whether the determination target file is malware based on the score calculated by the calculation unit;
A determination apparatus comprising:   The extraction unit extracts a feature from each execution file, adds a character string indicating the file type determined by the determination unit to the feature, and adds a character string indicating the file type The determination apparatus according to claim 1, wherein the feature vector is created from the information.   The extraction unit extracts a feature from each execution file, and creates a feature vector of each execution file using the feature and a character string indicating the file type determined by the determination unit. The determination apparatus according to claim 1. A discriminator for discriminating the file type of each executable file including a file known to be malware and a file known to be goodware;
An extractor that extracts features from each of the executable files and creates a feature vector of each executable file based on the features of each executable file;
For each file type determined by the determination unit, the feature vector is input as teacher data, and a creation unit that creates a classifier for each file type,
Select a classifier corresponding to the file type of the determination target file, and using the classifier, a calculation unit that calculates a score indicating the malware likeness of the determination target file;
A determination unit that determines whether the determination target file is malware based on the score calculated by the calculation unit;
A determination apparatus comprising: A determination method executed by a determination device,
A discriminating step for discriminating the file type of each executable file including a file known to be malware and a file known to be goodware;
Extracting a feature from each executable file, and creating a feature vector of each executable file based on the feature of each executable file and the file type determined by the determining step;
A creation step of inputting a feature vector of each executable file created by the extraction step as teacher data and creating a classifier that determines whether or not it is malware;
Using the classifier created by the creation step, a calculation step for calculating a score indicating the malware likeness of the determination target file;
A determination step of determining whether or not the determination target file is malware based on the score calculated by the calculation step;
The determination method characterized by including. A discriminating step for discriminating the file type of each executable file including a file known to be malware and a file known to be goodware;
Extracting the features from each executable file, and creating a feature vector of each executable file based on the features of each executable file;
For each file type determined by the determination step, the feature vector is input as teacher data, and a creation step for creating a classifier for each file type,
Selecting a classifier corresponding to the file type of the determination target file, and using the classifier, calculating a score indicating the malware likeness of the determination target file; and
A determination step of determining whether or not the determination target file is malware based on the score calculated by the calculation step;
The determination method characterized by including. A discriminating step for discriminating the file type of each executable file including a file known to be malware and a file known to be goodware;
Extracting a feature from each executable file, and extracting a feature vector of each executable file based on the feature of each executable file and the file type determined by the determining step;
A creation step of creating a classifier that inputs the feature vector of each executable file created by the extraction step as teacher data and determines whether or not it is malware;
Using the classifier created in the creating step, a calculating step for calculating a score indicating the malware likeness of the determination target file;
A determination step of determining whether the determination target file is malware based on the score calculated by the calculation step;
Judgment program for causing a computer to execute A discriminating step for discriminating the file type of each executable file including a file known to be malware and a file known to be goodware;
Extracting the features from each executable file, and creating a feature vector of each executable file based on the features of each executable file;
A step of inputting the feature vector as teacher data for each file type determined by the determination step, and creating a classifier for each file type,
Selecting a classifier corresponding to the file type of the determination target file, and using the classifier, calculating a score indicating the malware likeness of the determination target file; and
A determination step of determining whether the determination target file is malware based on the score calculated by the calculation step;
Judgment program for causing a computer to execute

Images