연관규칙 탐사기법과 SVM을 이용한 악성코드 탐지방법

Metadata Downloads
Issued Date
As open application programming interfaces (APIs) become popular, new industries such as cloud computing and Internet of Things (IoT) combined with network technologies have advanced. However, malicious codes have also been constantly increasing to steal information and attack other systems. Existing anti-virus programs detect malicious codes based on signature detection technology. However, new types of malicious codes are increasing, but the number of signatures is insufficient, thus requiring a long time to detect variant malicious codes. Furthermore, existing studies on detection of malicious and normal files through machine learning classify files based on the frequency of APIs, but they have a high false positive rate.

Therefore, this study proposes a new method of detecting malicious codes through machine learning to distinguish between malicious and normal files by extracting the APIs that control functions in application programs and using association rule patterns. The API was extracted through static analysis from portable executable (PE) files and an association rule pattern of the API was extracted using the direct hashing and pruning (DHP) algorithm. Then, the API was trained using support vector machine (SVM), which is one of the machine learning techniques, to classify malicious and normal files. The proposed method improves the detection rate of malicious and normal files by applying the lift, which is the result of the association rule pattern, as a weight when the files are classified through the SVM.

When the proposed method was used, the sensitivity and precision results that determined malicious codes using the SVM model only were 71% and 77%, respectively. On the contrary, when the results of the association rule pattern were used together with the proposed method, the sensitivity and precision results were 77% and 81%, indicating improved classification performance. This study also proved that when not only the SVM classification model proposed in this paper but also other classification models were performed, they showed better performance than that of a single classification model. The reason for the low classification performance of normal files compared to that of malicious files was that malicious files employ many APIs that are used in normal files for program execution, and the number of APIs that are extracted from normal files is larger than the number of APIs executed and extracted from malicious files. As a result, the detection rate of normal files is somewhat lower. Thus, it is necessary to study an extended hybrid model that can overcome the drawback of the classification model to detect malicious codes.

This study proposed a classification method using association rule patterns to detect malicious codes, which exhibited improved performance compared to the classification of malicious files through a single classification model. If a large amount of pattern data is activated through the proposed method, it can provide criteria for detecting malicious codes to identify the behaviors of malicious files that rapidly mutate and to recognize the abnormal behaviors of malicious files.
Alternative Title
Detection Method of Malicious Code using Association Rule Mining and SVM
Alternative Author(s)
Yeongji Ju
산업기술융합대학원 소프트웨어융합공학과
Awarded Date
2018. 2
Table Of Contents
Ⅰ. 서론 1
A. 연구 배경 및 목적 1
B. 연구 내용 및 구성 3
Ⅱ. 관련 연구 4
A. 악성코드 탐지 기반 연구 4
B. 연관규칙 탐사기법 11
Ⅲ. 연관규칙 탐사기법을 이용한 악성코드 탐지 방법 16
A. 시스템 구성도 16
B. 트랜잭션 데이터베이스 구축 18
C. 연관규칙패턴과 SVM을 이용한 악성코드 탐지 23
Ⅳ. 실험 및 결과 31
A. 데이터 수집 31
B. 데이터 셋 32
C. 실험 평가 및 분석 33
Ⅴ. 결론 및 제언 37
참고문헌 38
조선대학교 산업기술융합대학원
주영지. (2017). 연관규칙 탐사기법과 SVM을 이용한 악성코드 탐지방법
Appears in Collections:
Engineering > Theses(Master)(산업기술창업대학원)
Authorize & License
  • AuthorizeOpen
Files in This Item:

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.