Research on Web Page Malicious Code Detection Based on Classifier Ensembles
[Abstract]: In this era of rapid Internet development, the Internet not only enriches people's entertainment but also contributes to every aspect of their lives and improves them. However, the network brings hidden dangers along with convenience. As the network has grown rapidly, lawbreakers have seen the opportunity to use malicious code to undermine network security and seek economic gain. Governments and countries pay more and more attention to malicious code detection. Malicious code detection is generally divided into two methods: static detection and dynamic detection. Static detection [1] extracts page features mainly by matching rules and feature values. Dynamic detection [2] runs the malicious code in a virtual environment and extracts features from its behavior. This paper is mainly aimed at malicious JavaScript code [3] and detects it with machine learning. The main work and results of this paper are as follows:

1. The obfuscated JavaScript code is compiled into machine code by the V8 engine. According to the characteristics of malicious code, the operands in the machine code are reduced to simplified classes and mixed with the opcodes. Bi-Gram and Tri-Gram features are extracted from the processed machine code according to information gain. A method based on frequency, distance and mutual information is proposed to find breakpoints for sample processing and to calculate the variable-length N-Gram features of a single sample. The experimental results show that feature extraction over the mixture of operands and opcodes expresses the behavior of the machine code in finer detail, that variable-length N-Gram statistics avoid the problem of splitting effective sequences apart, and that the classification effect is improved.

2. On the basis of a study of common classification algorithms and classifier ensemble algorithms, and aiming at the problem of a single input, an input optimization for the ensemble classifier [5] is proposed, in which the input data sets are processed in different ways. Multiple internal classifiers can be trained to form the classification models that are integrated [6]. By adding a secondary classifier, the original single-layer classifier ensemble structure is transformed into a multi-level classifier ensemble, and weights are introduced so that each classifier is given a different weight. The best weight distribution is found through training. Experiments show that the multi-level weighted classifier ensemble has a better classification effect.

Based on the above algorithms, an online malicious code detection system is designed and developed. Users can submit malicious script code or a site address online, and the system detects it quickly. Users can submit test reports and view test reports submitted by others. Code that the system detects as malicious is automatically saved to the database.
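An added illustration, not code from the thesis, of the fixed-length step in item 1: Bi-Gram and Tri-Gram features over tokens that fuse an opcode with simplified operand classes, scored by information gain. The token names, operand classes (reg/imm/mem) and sample sequences are constructed assumptions, and the thesis's variable-length breakpoint method is not reproduced because the abstract does not specify it.

```python
import math
from collections import Counter

# Constructed sample data (assumption): each token fuses an opcode with
# simplified operand classes (reg / imm / mem). Label 1 = malicious, 0 = benign.
SAMPLES = [
    ("mov_reg_imm xor_reg_reg call_mem mov_reg_imm xor_reg_reg call_mem".split(), 1),
    ("push_reg mov_reg_imm xor_reg_reg call_mem pop_reg".split(), 1),
    ("mov_reg_imm xor_reg_reg call_mem jmp_imm".split(), 1),
    ("push_reg mov_reg_mem add_reg_imm pop_reg ret".split(), 0),
    ("mov_reg_mem add_reg_imm cmp_reg_imm jmp_imm ret".split(), 0),
    ("push_reg mov_reg_imm add_reg_imm pop_reg ret".split(), 0),
]

def ngrams(tokens, sizes=(2, 3)):
    """Return the set of Bi-Grams and Tri-Grams present in one token sequence."""
    return {tuple(tokens[i:i + n]) for n in sizes for i in range(len(tokens) - n + 1)}

def entropy(counts):
    """Shannon entropy (bits) of a collection of class counts."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c) if total else 0.0

def information_gain(samples, sizes=(2, 3)):
    """Score each n-gram by IG = H(label) - H(label | n-gram present or absent)."""
    feats = [(ngrams(tokens, sizes), label) for tokens, label in samples]
    base = entropy(Counter(label for _, label in feats).values())
    scores = {}
    for gram in set().union(*(f for f, _ in feats)):
        present = Counter(label for f, label in feats if gram in f)
        absent = Counter(label for f, label in feats if gram not in f)
        cond = sum(sum(part.values()) / len(feats) * entropy(part.values())
                   for part in (present, absent))
        scores[gram] = base - cond
    return scores

def top_features(samples, k=5):
    """Return the k highest-scoring n-grams, ties broken lexicographically."""
    scores = information_gain(samples)
    return sorted(scores, key=lambda g: (-scores[g], g))[:k]

if __name__ == "__main__":
    for gram in top_features(SAMPLES, 3):
        print(" ".join(gram))
```
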
[Degree-granting institution]: Zhejiang University of Technology
[Degree level]: Master's
[Year degree conferred]: 2017
[Classification number]: TP393.08
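[References]
Related journal papers (top 10)
1 Xiu Yang; Liu Jiayong. Malware detection based on opcode sequence frequency vectors and behavioral feature vectors [J]. Information Security and Communications Privacy, 2016, No. 09
2 He Ming; Sun Jianjun; Cheng Ying. A survey of research on text classification based on naive Bayes [J]. Information Science, 2016, No. 07
3 Zhang Kai; Wang Dong'an; Li Chao; Jia Bing. Malicious code detection based on co-sampling active learning [J]. Chinese High Technology Letters, 2016, No. 05
4 Lu Xiaoyong; Chen Musheng. Web spam detection based on random forests and an under-sampling ensemble [J]. Journal of Computer Applications, 2016, No. 03
5 Liao Guohui; Liu Jiayong. Malicious code detection methods based on data mining and machine learning [J]. Journal of Information Security Research, 2016, No. 01
6 Fu Leipeng; Zhang Han; Huo Luyang. Malicious JavaScript script detection algorithm based on multi-class features [J]. Pattern Recognition and Artificial Intelligence, 2015, No. 12
7 Xiang Tao; Li Tao; Zhao Xuezhuan; Li Xudong. Accurate object detection method based on random forests [J]. Application Research of Computers, 2016, No. 09
8 Li Meng; Jia Xiaoqi; Wang Rui; Lin Dongdai. A method for malicious code feature selection and modeling [J]. Computer Applications and Software, 2015, No. 08
9 Xu Qing; Zhu Yan; Tang Shouhong. Detecting malicious JavaScript code by analyzing multi-class features and fraud techniques [J]. Computer Applications and Software, 2015, No. 07
10 Xuan Yiguang; Zhou Hua. An automatic detection method for JavaScript code obfuscation based on character entropy [J]. Computer Applications and Software, 2015, No. 01
Related doctoral dissertations (top 3)
1 Xie Nannan. Research on the application of machine learning methods in intrusion detection [D]. Jilin University, 2015
2 Sun Xin. Research on feature selection problems in machine learning [D]. Jilin University, 2013
3 Luo Yu. Research on the application of support vector machines in machine learning [D]. Southwest Jiaotong University, 2007
Related master's theses (top 3)
1 Wang Yuheng. Optimization and application of the random forest algorithm in recommender systems [D]. Zhejiang University, 2016
2 Li Yun. Application of machine learning algorithms in data mining [D]. Beijing University of Posts and Telecommunications, 2015
3 Li Yang. Research on web page malicious code detection technology based on machine learning [D]. Xidian University, 2013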
Article ID: 2370581
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2370581.html