基于属性相似度的恶意代码检测方法

针对未知恶意代码数量急剧增长,现有的检测方法不能有效检测的问题,提出一种基于属性相似度的恶意代码检测方法.该方法将样本文件转换成十六进制格式,提取样本文件的所有n-gram,计算每个n-gram的信息增益,并选择具有最大信息增益的N个n-gram作为特征属性,分别计算恶意代码和正常文件每一维属性的平均值,通过比较待测样本属性与恶意代码和正常文件两类别属性均值的相似度来判断待测样本类别.结果表明,该方法对未知恶意代码的检测性能优于基于n-gram的恶意代码检测方法.

Malware detection method based on attribute similarity

Aiming at the problem that the number of unknown malware has dramatically increased and the existing detection methods can not effectively detect them, a malware detection method based on attribute similarity was proposed. In the proposed method, the sample files were converted into the hexadecimal format, and all n-grams of sample files were extracted. The information gain of each n-gram was calculated, and N n-grams with the maximum information gains were selected as the feature attributes. In addition, the average value of each dimension attribute in malware and normal files was calculated, respectively. The categories of samples to be detected were determined through comparing the attribute similarity of samples to be detected as well as the similarity of avarage attribute values of both malware and normal files. The results reveal that the proposed method is superior to the malware detection method based on n-grams for unknown malware detection.