基于梯度提升决策树的变形宏病毒检测

宏病毒在高级持续性威胁中被广泛运用.其变形成本低廉且方式灵活,导致传统的基于病毒规则库的反病毒系统难于有效对抗.提出一种基于梯度提升决策树的变形宏病毒检测方法.该方法以病毒专家经验为指导,实施大规模特征工程,基于词法分析对变形宏病毒做细粒度建模,并使用海量样本训练模型.实验表明,该方法能够准确检测企业级用户网络中传播的...

Obfuscated Macro Malware Detection Based on Gradient Boosting Decision Tree

Macro malware is widely used in advanced persistent threats. Macro obfuscation is low-cost and flexible, rendering traditional rule-based anti-malware systems insufficient. A gradient-boosting-decision-tree-based approach to detecting obfuscated macro malware is proposed. The approach performs large-scale feature engineering guided by the expertise of malware specialists, with fine-grained modeling for obfuscated macro malware carried out on top of lexical analysis, and massive samples are used to train the model. Experimental results show that the approach is able to precisely detect real-world obfuscated macro malware found in the network of enterprise customers, as well as those variants generated by mainstream obfuscation tools; 10-fold cross validation is carried out for a total of 4000 000 macro programs, giving a precision of 99.41% and a recall of 97.34%, which outperforms existing works.