计算机工程 ›› 2008, Vol. 34 ›› Issue (24): 172-174.doi: 10.3969/j.issn.1000-3428.2008.24.060

• 安全技术 • 上一篇    下一篇

基于关联规则的未知恶意程序检测技术

章 文,郑 烇,帅建梅,陈 超   

  1. (中国科学技术大学自动化系,合肥 230027)
  • 收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2008-12-20 发布日期:2008-12-20

New Malicious Executables Detection Based on Association Rules

ZHANG Wen, ZHENG Quan, SHUAI Jian-mei, CHEN Chao   

  1. (Department of Automation, University of Science & Technology of China, Hefei 230027)
  • Received:1900-01-01 Revised:1900-01-01 Online:2008-12-20 Published:2008-12-20

摘要: 针对当前基于特征码病毒检测技术不能检测出未知病毒的缺点,通过研究某些病毒及其变种版本在执行过程中应用程序接口(API)调用序列的规律,提出一种基于数据挖掘的检测技术,采用Apriori算法从已知病毒的API调用序列中提取有价值的关联规则,用于指导病毒检测。实验结果表明该方法对未知病毒检测有良好的效果。

关键词: 关联规则, 未知恶意程序, 应用程序接口

Abstract: In order to improve the current malicious detection technology based on signature, this paper presents a method based on data mining. By researching the rules of API calling sequences during executing viruses, the method uses Apriori algorithms to extract some valuable related rules which hide out in a lot of API calling sequences of viruses. These rules can be used to detect Viruses. Experimental results validate its effection.

Key words: association rules, new malicious executables, API

中图分类号: