Title: Suspicious Behavior-based Malware Detection Using Artificial Neural Network
Authors: 蔡薰儀
王國禎
Institute of Network Engineering
Keywords: artificial neural network; behavior-based; malware detection; sandbox
Date of publication: 2011
Abstract: Malware has been highly prevalent in recent years and has seriously endangered the security of computers and the Internet. Although malware can be slightly modified to evade detection by traditional signature-matching methods, the modified malware still exhibits the same behaviors as the original version, and these behaviors are also ones that other malware frequently performs. In order to detect unknown malware and variants of known malware, in this thesis we propose a suspicious behavior-based malware detection mechanism using an artificial neural network, abbreviated ANN-MD. By observing many known malware samples under three sandbox systems, we collected and listed 13 suspicious behaviors that malware commonly performs. Using these 13 suspicious behaviors, we propose a malicious degree expression. With this expression, we can compute the malicious degree value of an unknown program and decide, based on this value, whether the program is malicious. Experimental results show that, when the testing phase uses the same sample space as the training phase, the proposed ANN-MD identifies malware and benign software with an accuracy of 98.1%, and the false positive rate (false negative rate) of ANN-MD, 0.8% (3.0%), is also much smaller than that of MBF, 5.6% (17.0%), and that of RADUX, 14.2% (3.4%). Furthermore, to further verify the effectiveness of ANN-MD, we used a sample space in the testing phase that differs from the one used in the training phase. The results show that even with a sample space different from that of the training phase, the accuracy (false positive rate) of ANN-MD still reaches 97.0% (5.0%), whereas the accuracy (false positive rate) of MBF and RADUX drops to 77.5% (44.0%) and 66.0% (68.0%), respectively. This demonstrates that the proposed ANN-MD is an effective malware detection mechanism.
In recent years, malware has spread widely and has posed severe threats to cyber security. Although malware may be slightly modified to evade traditional signature-based detection, the malware and its variants still share similar behaviors, which most other malware also tends to exhibit. In order to detect unknown malware and variants of known malware, we propose a behavioral artificial neural network-based malware detection (ANN-MD) system. By observing the runtime behaviors of known malware samples in three sandboxes, we listed 13 suspicious behaviors that malware frequently exhibits. Based on these 13 suspicious behaviors, we constructed a malicious degree (MD) expression. Using the MD expression, we can calculate an unknown sample's MD value and judge from it whether the sample is malware. Experimental results indicate that, with the same sample space in the testing phase as in the training phase, the proposed ANN-MD correctly discriminates malware from benign software with an accuracy rate of 98.1%. In addition, the false positive rate (false negative rate) of ANN-MD is 0.8% (3.0%), which is much smaller than the 5.6% (17.0%) of MBF and the 14.2% (3.4%) of RADUX. To further verify the feasibility of the proposed ANN-MD, we conducted another experiment in which the sample space used in the testing phase differed from the one used in the training phase. Experimental results show that ANN-MD still achieves a high accuracy rate of 97.0%, even though the testing sample space differs from the training sample space, whereas MBF and RADUX only reach accuracy rates of 77.5% and 66.0%, respectively. In addition, the false positive rate of ANN-MD is 5.0%, which is much smaller than the 44.0% of MBF and the 68.0% of RADUX. This is because MBF and RADUX use fixed weights in the training phase. The experimental results support that ANN-MD is a very promising algorithm for malware detection.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079956512
http://hdl.handle.net/11536/50549
Appears in Collections: Theses


Files in this item:

  1. 651201.pdf
