Abstract
Antivirus software usually relies on static detection and therefore has a low detection rate against ransomware. Analysis of ransomware behaviour shows that ransomware frequently reads, encrypts and deletes files. Based on these characteristics, this paper proposes a detection method founded on behaviour frequency. The method relies on dynamic analysis: it computes how frequently the ransomware acts on specific file suffixes and paths and how frequently it issues particular API calls, combines these frequencies with memory behaviour to construct features, and then builds a ransomware detection model with a random forest algorithm whose parameters have been optimised. The test data set consists of 1 412 samples from 16 ransomware families and 379 benign programs. The method is compared with other algorithms and with several antivirus products. Experimental results show that the method detects ransomware well, including samples from previously unseen families.
Antivirus software based on static detection has a low detection rate for ransomware. When analysing ransomware, this paper identified several characteristic behaviours, such as frequent hard-disk reads and the encryption and deletion of documents. Based on those characteristics, this paper proposes a method that combines frequency-based feature construction with memory features. The method is based on dynamic analysis and combines memory behaviour with the frequency of behaviours such as access to specific suffixes and paths and particular API calls. In addition, it uses a random forest algorithm with optimised parameters to construct the ransomware detection model. The experimental data set includes 1 412 ransomware samples from 16 families and 397 normal software samples. Compared with other algorithms as well as a variety of antivirus software, the experimental results show that the proposed method performs well in detecting ransomware and extortion samples from unknown families.
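The abstract describes building features from how frequently a sample touches watched suffixes and paths and issues particular API calls. The following is an added illustration of that feature-construction step and is not the paper's code; the watched API names, suffix list, directory prefixes and the two sandbox traces are constructed assumptions, and the random forest classifier that would consume these vectors is out of scope here.

```python
"""Frequency-based behaviour features from a dynamic-analysis trace.

Added illustration, not the paper's implementation. A trace is assumed to be a
time-ordered list of (api_name, path_or_None) events as a sandbox might record.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Assumed monitored API names (hypothetical set, not the paper's list)
WATCHED_APIS = ("NtReadFile", "NtWriteFile", "NtDeleteFile", "CryptEncrypt", "MoveFileW")
# Assumed user-document suffixes that ransomware tends to target
WATCHED_SUFFIXES = (".docx", ".xlsx", ".jpg", ".pdf")
# Assumed sensitive directory prefixes
WATCHED_PATHS = (r"C:\Users\victim\Documents", r"C:\Users\victim\Pictures")


def frequency_features(trace, window=100):
    """Return events-per-`window` frequencies for APIs, suffixes and paths.

    Normalising by trace length makes short and long sandbox runs comparable,
    which is the point of using frequency rather than raw counts.
    """
    n = max(len(trace), 1)
    scale = window / n
    api_count = Counter(api for api, _ in trace)
    suffix_count = Counter()
    path_count = Counter()
    for _, path in trace:
        if not path:
            continue
        p = PureWindowsPath(path)
        suffix = p.suffix.lower()
        if suffix in WATCHED_SUFFIXES:
            suffix_count[suffix] += 1
        for prefix in WATCHED_PATHS:
            if str(p).lower().startswith(prefix.lower()):
                path_count[prefix] += 1
    feats = {}
    for api in WATCHED_APIS:
        feats[f"api:{api}"] = api_count[api] * scale
    for suffix in WATCHED_SUFFIXES:
        feats[f"suffix:{suffix}"] = suffix_count[suffix] * scale
    for prefix in WATCHED_PATHS:
        feats[f"path:{prefix}"] = path_count[prefix] * scale
    # Ratio feature: the read -> encrypt -> delete pattern leaves deletes close
    # to reads, while ordinary software rarely deletes what it just read.
    feats["ratio:delete_per_read"] = api_count["NtDeleteFile"] / max(api_count["NtReadFile"], 1)
    return feats


def constructed_ransomware_trace(n_files=50):
    """Constructed sample: each document is read, encrypted, rewritten and deleted."""
    events = []
    for i in range(n_files):
        doc = rf"C:\Users\victim\Documents\report{i}.docx"
        events += [("NtReadFile", doc), ("CryptEncrypt", None),
                   ("NtWriteFile", doc + ".locked"), ("NtDeleteFile", doc)]
    return events


def constructed_benign_trace():
    """Constructed sample: an editor opens one document and loads system DLLs."""
    doc = r"C:\Users\victim\Documents\notes.docx"
    events = [("NtReadFile", doc)] * 3 + [("NtWriteFile", doc)] * 2
    events += [("NtReadFile", r"C:\Windows\System32\kernel32.dll")] * 20
    return events


if __name__ == "__main__":
    for label, trace in (("ransomware", constructed_ransomware_trace()),
                         ("benign", constructed_benign_trace())):
        print(label)
        for name, value in frequency_features(trace).items():
            print(f"  {name:45s} {value:8.2f}")
```

Feeding the two dictionaries into any tabular classifier (the paper uses a parameter-tuned random forest) gives it the per-window delete and suffix frequencies plus the delete-per-read ratio, rather than raw API counts that depend on how long the sandbox ran.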
Authors
龚琪
曹金璇
芦天亮
李丁蓬
Gong Qi;Cao Jinxuan;Lu Tianliang;Li Dingpeng(College of Information Technology & Network Security,People's Public Security University of China,Beijing 100038,China)
Source
《计算机应用研究》
CSCD
Peking University Core Journals (北大核心)
2018, No. 8, pp. 2435-2438 (4 pages)
Application Research of Computers
Funding
National Natural Science Foundation of China (61602489)
National Key Project on Cyberspace Security of the Ministry of Science and Technology (SQ2017YFGX110081-04)
CERNET Next-Generation Internet Technology Innovation Project (NGII20160405)