TWI658372B - Abnormal behavior detection model building apparatus and abnormal behavior detection model building method thereof - Google Patents

Abstract

An abnormal behavior detection model generating device and an abnormal behavior detection model generating method thereof. The abnormal behavior detection model generating device performs part-of-speech analysis on the plural program operation sequence in the plural program operation sequence data associated with the abnormal behavior to generate a plural word vector and group the word vectors. Based on the results after clustering, the abnormal behavior detection model generating device obtains feature vectors of the operating sequence data of each program, and uses these feature vectors to perform supervised learning on a classification algorithm to generate an abnormal behavior detection model.

Description

Device for generating abnormal behavior detection model and method for generating abnormal behavior detection model

The invention relates to a device for generating abnormal behavior detection models and a method for generating abnormal behavior detection models. Specifically, the abnormal behavior detection model generating device of the present invention generates an abnormal behavior detection model based on a complex program operation sequence in a complex program operation sequence data associated with the abnormal behavior.

With the rapid development of technology, people's dependence on computers and the Internet has also increased. For a variety of purposes, people with intentions can invade servers / computers on the network through system vulnerabilities or malicious programs to steal data or paralyze the system.

In response to these intrusions, current known technologies use expert signature-based or static feature detection mechanisms to protect them. However, these detection mechanisms are based on pre-determined expert rules or static characteristics to determine abnormal program operation behaviors. Therefore, the detection methods are limited to fixed forms and difficult to resist malicious programs with confusing features. In addition, Dynamic Analysis is often limited by the Sandbox environment settings. Therefore, when the behavior sequence of malicious programs is different in length and rich in impurities, it is difficult to have general-purpose characteristic expressions. As a basis for judging abnormal program operation behavior.

In view of this, how to establish an abnormal behavior detection model does not need to rely on pre-determined expert rules or static features, and is not affected by the different settings of the sandbox environment. This is a problem that the industry needs to solve urgently.

The object of the present invention is to provide an abnormal behavior detection model. The present invention performs part-of-speech analysis on plural program operation sequences in plural program operation sequence data associated with abnormal behavior to generate plural word vectors and group the word vectors into groups. Based on the results after clustering, the present invention can obtain the feature vectors of the operating sequence data of each program, and perform supervised learning of a classification algorithm based on the feature vectors to generate an abnormal behavior detection model. Unlike the conventional technology, the abnormal behavior detection model generated by the present invention can obtain the feature vector of the program operation sequence data based on the part-of-speech clustering result of the program operation sequence, so it can effectively detect a malicious program that resists feature confusion and There is no need to rely on pre-determined expert rules or static characteristics, and it is not affected by the different sandbox environment settings.

To achieve the above object, the present invention discloses an abnormal behavior detection model generating device, which includes: a memory and a processor. The memory is used to store plural program operation sequence data and plural behavior tags. Each of the program operation sequence data records a plurality of program operation sequences. Each program operation sequence data corresponds to one of the behavior tags. The processor is electrically connected to the memory and is used to perform the following operations: the program operation sequence of the program operation sequence data is calculated by a word embedding model to generate a complex word vector, each of the words The vector corresponds to one of the program operation sequences; based on a group algorithm, the word vectors are grouped into a plurality of word vector groups; the program operation sequences of each program operation sequence data are respectively associated with the word vectors At least one such program operation corresponding to at least one of the word vectors contained in the group Make a comparison of the sequences to generate a feature vector of each program operation sequence data; based on the feature vectors and the behavior labels, perform a supervised learning of a classification algorithm to generate a classifier, the classification The classifier is used for classifying the feature vectors to correspond to the behavior labels; and generating an abnormal behavior detection model based on the word vector group and the classifier.

In addition, the present invention further discloses an abnormal behavior detection model generation method for an abnormal behavior detection model generation device. The abnormal behavior detection model generating device includes a memory and a processor. The memory stores plural program operation sequence data and plural behavior tags. Each of the program operation sequence data records a plurality of program operation sequences. Each program operation sequence data corresponds to one of the behavior tags. The abnormal behavior detection model generation method is executed by the processor and includes the following steps: through a word embedding model, computing the program operation sequences of the program operation sequence data to generate plural word vectors, each of which The word vector corresponds to one of the program operation sequences; based on a group algorithm, the word vectors are grouped into plural word vector groups; the program operation sequences of each program operation sequence data are respectively associated with each of the words. Perform a comparison of at least one of the program operation sequences corresponding to at least one of the word vectors contained in the vector group to generate a feature vector of each of the program operation sequence data; based on the feature vectors and the behavior labels To perform a supervised learning of one of the classification algorithms to generate a classifier, which is used to classify the feature vectors to correspond to the behavior labels; and based on the word vector group and the classifier To generate an abnormal behavior detection model.

After referring to the drawings and the embodiments described later, those with ordinary knowledge in the technical field can understand other objectives of the present invention, as well as technical means and implementation modes of the present invention.

1‧‧‧ abnormal behavior detection model generating device

11‧‧‧Memory

13‧‧‧ processor

AL‧‧‧ Behavior Label

POSD‧‧‧Program operation sequence data

WVD‧‧‧Word Vector Distribution Space

G1-G4‧‧‧Word Vector Group

V1-V11‧‧‧ word vectors

S501-S509‧‧‧step

Figure 1 is a schematic diagram of the abnormal behavior detection model generating device 1 of the present invention; Figure 2A is a schematic diagram of a program operation sequence data; Figure 2B is a schematic diagram of another program operation sequence data; and Figure 3 is a drawing depicting each word The distribution of vectors in a two-dimensional space; FIG. 4 is a flowchart depicting groups of word vectors after grouping; and FIG. 5 is a flowchart of the method for generating an abnormal behavior detection model of the present invention.

The content of the present invention will be explained below through embodiments. The embodiments of the present invention are not intended to limit the present invention to be implemented in any specific environment, application or special manner as described in the embodiments. Therefore, the description of the embodiments is only for the purpose of explaining the present invention, rather than limiting the present invention. It should be noted that in the following embodiments and drawings, components not directly related to the present invention have been omitted and not shown, and the dimensional relationship between the components in the drawings is only for easy understanding, and is not intended to limit the actual proportion.

A first embodiment of the present invention is shown in Figs. 1-4. FIG. 1 is a schematic diagram of the abnormal behavior detection model generating device 1 of the present invention. The abnormal behavior detection model generating device 1 includes a memory 11 and a processor 13. The processor 13 is electrically connected to the storage 11. The memory 11 is used to store plural program operation sequence data POSD and plural behavior labels AL. Each program operation sequence data POSD records a plurality of program operation sequences. For example, the program operation sequence may be a dynamic program operation sequence, such as: an Application Programming Interface (API) sequence, a System Call sequence, but is not limited thereto. In one embodiment, the dynamic program operation sequence can be retrieved by a tracking program. For another example, the program operation sequences can also be a static program operation sequence, such as an Operation Code (Opcode) sequence. But it is not limited to this. In one embodiment, the static program operation sequence can be obtained by a decompiler.

The program operation sequence data POSD corresponds to the behavior labels AL (for example, a normal behavior label, an abnormal behavior label, etc., but is not limited thereto). In one embodiment, the program operation sequence data POSD includes a plurality of abnormal program operation sequence data, and each abnormal program operation sequence data is associated with a malicious program. In this case, the behavior labels AL may further include an Adware program, a Worm program, a Trojan program, and the like, but are not limited thereto.

The Opcode sequence is used as an illustration. As shown in FIG. 2A, it is an example of the program operation sequence data POSD, and the program operation sequences contained therein are Opcode sequences. It should be noted that, due to layout restrictions, the Opcode sequence shown in Figure 2A is only a part of the program operation sequence data POSD. The processor 13 uses the word embedding model, for example, a Word2Vec model or a One-Hot Encoding model, to calculate the program operation sequences of the program operation sequence data POSD. To generate a plural word vector. Each word vector corresponds to one of the program operation sequences.

For example, these program operation sequences include "xor", "sub", "add", "and", "push", "pop", "xchg", "inc", "cmp", "jmp", "Jz", the processor 13 operates on these program operation sequences through the word embedding model, and generates word vectors V1-V11 corresponding to the program operation sequences. It is assumed here that the word vector V1 corresponds to "xor", the word vector V2 corresponds to "sub", the word vector V3 corresponds to "add", the word vector V4 corresponds to "and", the word vector V5 corresponds to "push", and the word vector V6 corresponds to "pop", word vector V7 corresponds to "xchg", word vector V8 corresponds to "inc", word vector V9 corresponds to "cmp", word vector V10 corresponds to "jmp", and word vector V11 corresponds to "jz" ".

In addition, the API sequence is used as an illustration. As shown in Figure 2B, it is a program operation. An example of sequence data POSD, the sequence of program operations contained in it is an API sequence. It should be noted that the API sequence shown in Figure 2B is only a part of the program operation sequence data POSD due to layout restrictions. Similarly, the processor 13 may calculate the program operation sequence of the program operation sequence data POSD through the word embedding model to generate a complex word vector. Each word vector corresponds to one of the program operation sequences.

For example, these program operation sequences include "GetSystemInfo", "GetFileSize", "GetSystemDirectoryW", "GetSystemMetrics", "RegQueryValueExA", "RegOpenKeyExA", "LdrLoadDll", "NtCreatFile", "NtReadfile", "NtClose", "NtOpenDirectoryObject", the processor 13 operates on these program operation sequences through the word embedding model, and generates word vectors V1-V11 corresponding to each program operation sequence. Here it is assumed that the word vector V1 corresponds to "GetSystemInfo", the word vector V2 corresponds to "GetFileSize", the word vector V3 corresponds to "GetSystemDirectoryW", the word vector V4 corresponds to "GetSystemMetrics", the word vector V5 corresponds to "RegQueryValueExA", and the word vector V6 corresponds to "RegOpenKeyExA", word vector V7 corresponds to "LdrLoadDll", word vector V8 corresponds to "NtCreatFile", word vector V9 corresponds to "NtReadfile", word vector V10 corresponds to "NtClose", and word vector V11 corresponds to "NtOpenDirectoryObject ".

Figure 3 shows the word vector distribution space WVD. It should be noted that, in order to simplify the description, the word vector distribution space WVD in this embodiment represents the distribution of word vectors in a two-dimensional space. However, in actual operation, based on the type of program operation sequence data, the developer can determine the dimension of the word vector distribution space WVD. Since a person having ordinary knowledge in the technical field can understand how to set the spatial dimension of the output, it will not be repeated here.

In word vector distribution space WVD, word vectors that are closer to each other have similar Part of speech or semantics. Therefore, the present invention is based on a group algorithm based on unsupervised learning to group these word vectors as a basis for subsequently extracting the characteristics of each program operation sequence data POSD. In the present invention, the grouping algorithm can be an attractor propagation (AP) grouping algorithm, a spectral grouping algorithm, a fuzzy C-means (FCM) grouping algorithm, and iterative Iterative Self-Organizing Data Analysis Technique Algorithm (ISODATA) grouping algorithm, a K-means grouping algorithm, a Complete-linkage (CL) grouping algorithm, a single link (Single-Linkage (SL)) One of the grouping algorithm and a Ward's method grouping algorithm, but it is not limited to this.

For example, the processor 13 groups the word vectors into four word vector groups G1-G4 based on the AP clustering algorithm, as shown in FIG. 4. The word vector group G1 contains word vectors V1-V4, the word vector group G2 contains word vectors V5-V6, the word vector group G3 contains word vectors V7, and the word vector group G4 contains word vectors V8-V11. It should be noted that the number of word vector groups can be determined by the developer by setting parameters of the grouping algorithm (for example, directly setting the number of required groups or setting the number of iterations of the grouping algorithm). Since a person with ordinary knowledge in the technical field can understand how to perform a detailed operation of clustering based on a clustering algorithm, it will not be repeated here.

After obtaining the word vector groups, the processor 13 compares the program operation sequences of each program operation sequence data POSD with at least one of the programs corresponding to at least one of the word vectors included in each word vector group. The operation sequences are compared to generate a feature vector of each program operation sequence data POSD. For example, if there is a program operation sequence corresponding to word vector V2, word vector V6, word vector V8, and word vector V11 in a program operation sequence data POSD, it means that this program operation sequence data POSD corresponds to the word vector group G1. Characteristic value is 1, corresponding word The eigenvalue of the vector group G2 is 1, the eigenvalue of the corresponding word vector group G3 is 0, and the eigenvalue of the corresponding word vector group G4 is 2, so the feature vector of the sequence operation data POSD is (1,1, 0,2). For another example, suppose that there is a program operation sequence corresponding to word vector V1, word vector V2, word vector V4, word vector V5, word vector V7, word vector V9, and word vector V10 in another program operation sequence data POSD, then Represents this other program operation sequence data. The POSD corresponding word vector group G1 has a feature value of 3, the corresponding word vector group G2 has a feature value of 1, the corresponding word vector group G3 has a feature value of 1, and the corresponding word vector group. The feature value of group G4 is 2, so the feature vector of another program operation sequence data POSD is (3,1,1,2).

It should be noted that the aforementioned comparison of generating feature vectors is based on whether or not there is at least one such program operation sequence corresponding to at least one of the word vectors included in each word vector group in the program operation sequence data POSD; However, in other embodiments, the comparison performed by generating the feature vectors may also be based on the program operation sequence data POSD. At least one of the word vector sequences corresponding to at least one of the word vectors contained in each word vector group exists. To achieve. For example, suppose that there are 5 program operation sequences corresponding to the word vector V2, 3 program operation sequences corresponding to the word vector V6, 1 program operation sequence corresponding to the word vector V8, and 3 in the program operation sequence data POSD. A program operation sequence corresponding to the word vector V11 indicates that the program operation sequence data POSD corresponds to a feature value of the word vector group G1 of 5, a feature value of the corresponding word vector group G2 of 3, and a corresponding word vector group G3. The eigenvalue is 0 and the eigenvalue of the corresponding word vector group G4 is 4, so the feature vector of the sequence operation data POSD is (5,3,0,4).

After generating the feature vectors of the program operation sequence data POSD, based on the feature vectors and the behavior labels AL, the processor 13 performs a supervised learning of a classification algorithm to generate a classifier. For example, the classification algorithm can be a support vector machine (support vector machine) machine (SVM) algorithm, a decision tree (DT) algorithm, a Bayes algorithm, and a Nearest Neighbors (NN) algorithm, but not limited thereto. The aforementioned supervised learning is to ensure that the feature vectors can be reliably classified into the appropriate categories after classification algorithm operations, so as to correspond to the behavior labels AL, such as the program operations corresponding to the malicious advertising program labels. The sequence data POSD can be definitely classified into the same category, and the program operation sequence data POSD corresponding to the worm program label can be surely classified into the same category, the program operation sequence data POSD corresponding to the Trojan program label. The program operation sequence data POSD which can be surely classified into the same category, and the program operation sequence data POSD corresponding to the normal behavior label can be definitely classified into the same category. Finally, the processor 13 generates an abnormal behavior detection model based on the word vector groups and the classifier.

In other embodiments, after generating the abnormal behavior detection model, the processor 13 may test the abnormal behavior detection model by using a plurality of test program operation sequence data, and judge the abnormal behavior detection based on a detection rate. The test model identifies the accuracy of the operating sequence data of these test programs for developers to adjust the relevant parameter settings of the aforementioned word embedding model, group algorithm and classification algorithm based on the accuracy, and re-train the aforementioned training to generate an abnormal behavior detection model. Operation. Accordingly, the present invention can generate different abnormal behavior detection models for different types of program operation sequence data through the foregoing operations, so as to detect abnormal behaviors of various dynamic program operation sequences or static program operation sequences.

Furthermore, the abnormal behavior detection model generated by the present invention can be compiled into an executable program and run in an operating system to provide the operating system to detect abnormal behavior (e.g., detecting malicious programs, detecting illegal operations, etc.) ). In addition, the program operation sequence data POSD used to generate the abnormal behavior detection model of the present invention can also be all abnormal program operation sequence data (for example, For example, all program operation sequence data is associated with a malicious program), so that the abnormal behavior detection model is generated to perform class discrimination solely on the program operation sequence data that has been identified as abnormal. In other words, the abnormal behavior detection model generated by the present invention can be used in combination with other abnormal behavior detection programs, and when other abnormal behavior detection programs detect abnormal programs, further classify the program operation sequence data of the abnormal programs. Judge. For example, the other abnormal behavior detection program can be an anti-virus program. When the anti-virus program detects an abnormal program, the abnormal behavior detection model of the present invention can further help determine the type of the abnormal program.

Please refer to FIG. 5 for a second embodiment of the present invention, which is a flowchart of a method for generating an abnormal behavior detection model of the present invention. The abnormal behavior detection model generation method is applicable to an abnormal behavior detection model generation device (for example, the abnormal behavior detection model generation device 1 of the foregoing embodiment). The abnormal behavior detection model generating device includes a memory and a processor. The memory stores plural program operation sequence data and plural behavior labels. Each program operation sequence data records a plurality of program operation sequences. Each program operation sequence data corresponds to one of these behavior tags. The abnormal behavior detection model generation method is executed by the processor.

First, in step S501, the program operation sequences of the program operation sequence data are calculated through a word embedding model to generate a plural word vector (for example, the word vectors V1-V11 shown in FIG. 3). ). As mentioned earlier, each word vector corresponds to one of the program operation sequences. Next, in step S503, the word vectors are grouped into plural word vector groups (for example, the word vector groups G1-G4 shown in FIG. 4) based on a group algorithm.

In step S505, the program operation sequences of each program operation sequence data are respectively compared with at least one of the program operation sequences corresponding to at least one of the word vectors included in each word vector group to generate A feature vector of sequence operation data for each program. after that, In step S507, based on the feature vectors and the behavior labels, a supervised learning of a classification algorithm is performed to generate a classifier. A classifier is used to classify the feature vectors to correspond to the behavior labels. Finally, in step S509, an abnormal behavior detection model is generated based on the word vector groups and the classifier.

In other embodiments, the program operation sequences are one of a dynamic program operation sequence and a static program operation sequence. The dynamic program operation sequence is an application programming interface (API) sequence or a system call sequence. The static program operation sequence is an operation code (Opcode) sequence. In one embodiment, the dynamic program operation sequence is retrieved through a tracking program. In other embodiments, the word embedding model is one of a Word2Vec model and a One-Hot Encoding model.

In other embodiments, the clustering algorithm is an Affinity Propagation (AP) clustering algorithm, a Spectral clustering algorithm, a Fuzzy C-means (FCM) clustering algorithm, a Iterative Self-Organizing Data Analysis Technique Algorithm (ISODATA) grouping algorithm, a K-means grouping algorithm, a complete-linkage (CL) grouping algorithm, a single Link (Single-Linkage; SL) grouping algorithm and a Ward's method grouping algorithm.

In addition, in other embodiments, the classification algorithm is a support vector machine (SVM) algorithm, a decision tree (DT) algorithm, a Bayes algorithm, and a proximity ( Nearest Neighbors (NN) algorithm.

In one embodiment, the program operation sequence data includes a plurality of abnormal programs. The operation sequence data and each abnormal program operation sequence data are associated with a malicious program. In addition to the above steps, the method for generating an abnormal behavior detection model in this embodiment can also perform all operations described in the foregoing embodiments and have all corresponding functions. Those with ordinary knowledge in the technical field can directly understand how this embodiment performs these operations and has these functions based on the foregoing embodiments, so it will not be repeated here.

In addition, the aforementioned abnormal behavior detection model generation method of the present invention can be implemented by a computer program product. The computer program product stores a computer program including one of a plurality of program instructions. After the computer program is loaded and installed in an electronic computing device (for example, an abnormal behavior detection model generating device 1), the processing of the electronic computing device is performed. The computer executes the program instructions included in the computer program to execute the abnormal behavior detection model generation method of the present invention. The computer program product may be, for example: a read only memory (ROM), a flash memory, a floppy disk, a hard disk, a compact disk (CD), a portable disk, a magnetic tape 1. A database accessible by a network or any other storage medium known to those skilled in the art to which the present invention pertains and having the same function.

In summary, the present invention is to perform a word embedding operation on a complex program operation sequence in the complex program operation sequence data to generate a plural word vector and group the word vectors. After clustering, the feature vectors of the operation sequence data of each program are obtained, and the classification algorithm is trained according to the feature vectors to generate an abnormal behavior detection model. According to this, the abnormal behavior detection model of the present invention can obtain the feature vector of the program operation sequence data based on the part-of-speech clustering result of the program operation sequence, so it can effectively detect malicious programs or abnormal program operation behaviors that are resistant to feature confusion Without relying on pre-determined expert rules or static features, and without being affected by different Sandbox environment settings.

The above embodiments are only used to exemplify the implementation aspects of the present invention, and to explain the technical features of the present invention, and are not intended to limit the protection scope of the present invention. Any change or equivalence arrangement that can be easily accomplished by those skilled in the art belongs to the scope claimed by the present invention, and the scope of protection of the rights of the present invention shall be subject to the scope of patent application.

Claims (20)

An abnormal behavior detection model generating device includes: a memory for storing plural program operation sequence data and plural behavior labels, each of the program operation sequence data records a plural program operation sequence, and each of the program operation sequence data corresponds to these One of the behavior tags; and a processor, electrically connected to the memory, and configured to perform the following operations: the program operation sequence of the program operation sequence data is calculated by a word embedding model to generate Plural word vectors, each of which corresponds to one of the program operation sequences; based on a grouping algorithm, the word vectors are grouped into plural word vector groups; the program operations of each program operation sequence data The sequences are respectively compared with at least one of the program operation sequences corresponding to at least one of the word vectors included in each of the word vector groups to generate a feature vector of each of the program operation sequence data; based on the features Vector and these behavior labels, supervised learning of a classification algorithm is performed to generate a classifier. The classifier is used to classify the feature vectors to correspond to the behavior labels; and to generate an abnormal behavior detection model based on the word vector groups and the classifier. The abnormal behavior detection model generating device according to claim 1, wherein the program operation sequence is one of a dynamic program operation sequence and a static program operation sequence. The abnormal behavior detection model generating device according to claim 2, wherein the dynamic program operation sequence is an Application Programming Interface (API) sequence. The abnormal behavior detection model generating device according to claim 2, wherein the dynamic program operation sequence is a system call sequence. The abnormal behavior detection model generating device according to claim 2, wherein the static program operation sequence is an operation code (Opcode) sequence. The abnormal behavior detection model generating device according to claim 2, wherein the dynamic program operation sequence is acquired through a tracking program. The abnormal behavior detection model generating device according to claim 1, wherein the word embedding model is one of a word to vector (Word2Vec) model and a one-hot encoding model. The abnormal behavior detection model generating device according to claim 1, wherein the clustering algorithm is an Affinity Propagation (AP) clustering algorithm, a Spectral clustering algorithm, and a fuzzy average C-means (FCM) clustering algorithm, an Iterative Self-Organizing Data Analysis Technique Algorithm (ISODATA) clustering algorithm, a K-means clustering algorithm, a complete link (Complete-linkage (CL) grouping algorithm, a single-linkage (SL) grouping algorithm and a Ward's method) grouping algorithm. The abnormal behavior detection model generating device according to claim 1, wherein the classification algorithm is a support vector machine (SVM) algorithm, a decision tree (DT) algorithm, and a Bayesian algorithm (Bayes) algorithm and a Nearest Neighbors (NN) algorithm. The abnormal behavior detection model generating device according to claim 1, wherein the program operation sequence data includes a plurality of abnormal program operation sequence data, and each of the abnormal program operation sequence data is associated with a malicious program. An abnormal behavior detection model generation method for an abnormal behavior detection model generation device. The abnormal behavior detection model generation device includes a memory and a processor. The memory stores plural program operation sequence data and plural behavior labels. Each of the program operation sequence data records a plurality of program operation sequences, each of the program operation sequence data corresponds to one of the behavior labels, and the abnormal behavior detection model generation method is executed by the processor and includes the following steps: through the word The word embedding model calculates the program operation sequences of the program operation sequence data to generate plural word vectors, each of which corresponds to one of the program operation sequences; based on a group algorithm, the The equal word vectors are grouped into plural word vector groups; the program operation sequences of each of the program operation sequence data are respectively associated with at least one of the program operations corresponding to at least one of the word vectors included in each of the word vector groups. A sequence comparison is performed to generate a feature vector of each program operation sequence data; based on the characteristics The feature vectors and the behavior labels, supervised learning of a classification algorithm to generate a classifier, the classifier is used to classify the feature vectors to correspond to the behavior labels; and based on the words The vector group and the classifier generate an abnormal behavior detection model. The method for generating an abnormal behavior detection model according to claim 11, wherein the program operation sequence is one of a dynamic program operation sequence and a static program operation sequence. The abnormal behavior detection model generating method according to claim 12, wherein the dynamic program operation sequence is an Application Programming Interface (API) sequence. The method for generating an abnormal behavior detection model according to claim 12, wherein the dynamic program operation sequence is a system call sequence. The method for generating an abnormal behavior detection model according to claim 12, wherein the static program operation sequence is an Operation Code (Opcode) sequence. The method for generating an abnormal behavior detection model according to claim 12, wherein the dynamic program operation sequence is acquired through a tracking program. The abnormal behavior detection model generating method according to claim 11, wherein the word embedding model is one of a word-to-vector (Word2Vec) model and a one-hot encoding model. The method for generating an abnormal behavior detection model according to claim 11, wherein the clustering algorithm is an Affinity Propagation (AP) clustering algorithm, a Spectral clustering algorithm, and a fuzzy average C-means (FCM) clustering algorithm, an Iterative Self-Organizing Data Analysis Technique Algorithm (ISODATA) clustering algorithm, a K-means clustering algorithm, a complete link (Complete-linkage (CL) grouping algorithm, a single-linkage (SL) grouping algorithm and a Ward's method) grouping algorithm. The method for generating an abnormal behavior detection model according to claim 11, wherein the classification algorithm is a support vector machine (SVM) algorithm, a decision tree (DT) algorithm, and a Bayesian algorithm (Bayes) algorithm and a Nearest Neighbors (NN) algorithm. The method for generating an abnormal behavior detection model according to claim 11, wherein the program operation sequence data includes a plurality of abnormal program operation sequence data, and each of the abnormal program operation sequence data is associated with a malicious program.