【打印本页】      【下载PDF全文】   查看/发表评论  下载PDF阅读器  关闭
←前一篇|后一篇→ 过刊浏览    高级检索
本文已被:浏览 148次   下载 111 本文二维码信息
码上扫一扫!
基于特征组合的Powershell恶意代码检测方法
刘岳,刘宝旭,赵子豪,刘潮歌,王晓茜,吴贤达
分享到: 微信 更多
(中国科学院信息工程研究所 北京 中国 100093;中国科学院大学网络空间安全学院 北京 中国 100049)
摘要:
近年来,Powershell由于其易用性强、隐蔽性高的特点被广泛应用于APT攻击中,传统的基于人工特征提取和机器学习方法的恶意代码检测技术在Powershell恶意代码检测中越来越难以有效。本文提出了一种基于随机森林特征组合和深度学习的Powershell恶意代码检测方法。该方法使用随机森林生成更好表征原始数据的新特征组合,随后使用深度学习神经网络训练并进行分类识别。该方法可以弥补人工特征工程经验不足的问题,更好表征原始数据从而提高检测效果。本文实验结果显示,利用本文提出方法构建的Powershell恶意代码检测系统性能良好,在真实数据集中的召回率、准确率均在99%以上,可以对Powershell恶意代码进行有效的检测识别。
关键词:  Powershell  恶意代码  APT  深度学习  随机森林
DOI:10.19363/J.cnki.cn10-1380/tn.2021.01.04
投稿时间:2020-09-29修订日期:2020-11-16
基金项目:国家自然科学基金项目(No.61902396),中国科学院战略性先导科技专项项目(No.XDC02040100),中国科学院网络测评技术重点实验室和网络安全防护技术北京市重点实验室资助。
Powershell malware detection method based on features combination
LIU Yue,LIU Baoxu,ZHAO Zihao,LIU Chaoge,WANG Xiaoxi,WU Xianda
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Abstract:
In recent years, powershell is widely used in APT attack due to its ease of use and high concealment. Traditional malicious code detection technology based on artificial feature extraction and machine learning method is more and more difficult to be effective in the detection of malicious code in PowerShell. For this reason, this paper proposes a malicious Powershell code detection method based on random forest features combination and deep learning. This method uses random forest to generate new features which better characterize the original data, and uses deep neural network to build classifiers for classification and recognition. This method can make up for the lack of experience in artificial feature engineering, and characterize the original data better, so as to improve the detection effect. The experimental results in this article show that this method has a good performance, high recall rate and accuracy rate, which can effectively detect and identify malicious Powershell code.
Key words:  Powershell  malicious code  APT  deep learning  random forest