Markov Logic Networks를 이용한 악성코드 행위 분류

Abstract

Malware producers employ various ways to make variants avoiding anti-virus programs. Existing anti-virus programs, however, detect or classify malware based on previously fixed signatures, so it is limited to detect variants with no signature information or detour codes inserted, which makes malware increase tremendously these days. In fact, malware detection technology used in previous signature-based methods is not sufficient, so to solve problems in malware variant detection, research is being done to detect and analyze malware variants themselves instead of detecting already discovered or new malware. One of the primary fields of it is heuristic-based detection. It is a way to detect malware variants by using the rules or patterns of its detection system. When signature-based methods fail to detect, it can consider similarities with known malware or detect malicious behavior of codes. At this time, by using the call-out frequency of API function operating and calling malware in virtual environment or particular information about API calls, it performs detection through comparison on similarities with existing malware. Even in similar malware, however, the order of calls in API function often differs, and besides, detection takes long and error may arise often, too. In order to solve such possibility of detection error, this author employs FP-Growth Algorithm and MLNs and suggests a method to overcome those limitations of existing methods. FP-Growth is one of the correlation analysis algorithms and can figure out correlation among data hidden in a big data set. Using it, this researcher creates malware’s behavior pattern and applies it to MLNs. MLNs is one of the typical models for learning statistical correlation. It classifies malware variants based on the fact that inferences can be made if correlation among complex probability variables expressed in network forms is used to establish an accurate prediction model for parameters and correlation patterns.