Software detection method, device, equipment and storage medium

A software detection technique, applied in the detection field, that addresses problems such as the difficulty of coping with the mass obfuscation produced by virus generators, the difficulty of word segmentation of character strings, and inconsistent feature counts, thereby improving discrimination accuracy, reducing training difficulty, and increasing training speed.

Active Publication Date: 2019-12-13
BEIJING TOPSEC NETWORK SECURITY TECH +2

AI Technical Summary

Problems solved by technology

[0006] 1. One-hot encoding is more effective when the number of strings in the string collection and the names of the strings are determined. However, the string features extracted from malware are unbounded, because the total amount of malware is unlimited and new malware keeps emerging, so relying on the string set of the training samples to estimate the string set of the overall sample introduces a large bias;
[0007] 2. Converting strings to ASCII codes does convert string-type features into numeric-type features, but because the lengths of the string features extracted from different samples may be inconsistent, the number of converted features is also inconsistent. Word segmentation of strings in ASCII-code form is more difficult, and an algorithm must still be designed to make the dimension of the feature matrix fed into the machine learning model consistent, so the complexity remains high;
[0008] 3. It is difficult to cope with the mass obfuscation produced by virus generators, string variants, artificial interference, sand mixing and other ways of resisting detection by the virus detection engine.
[0009] It can be seen that the existing feature extraction methods for machine-learning-based malware detection cannot meet the requirements. How to convert the complex character string features extracted from malware samples into features that are easy for machine learning algorithms to process, so as to reduce the difficulty of model training and improve training speed, is therefore the technical problem to be solved by the present invention.


Examples

Embodiment Construction

[0048] Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

[0049] In the first embodiment of the present invention, a software detection method is provided. To address the defects of existing malicious software detection methods, it proposes a software detection method based on hybrid non-encrypted hash features. Specifically, as shown in Figure 1, the method described in this embodiment includes the following steps:

[0050] Step S101, extracting numerical features and non-numerical ...


Abstract

The invention discloses a software detection method, device, apparatus and storage medium. The method comprises the following steps: extracting the numeric features and non-numeric features contained in each sample in a software sample library; processing the non-numeric features with N selected non-encrypted hashing algorithms and converting the processing results into numeric features, where N is an integer greater than 1; constructing a feature matrix from the numeric features contained in each sample and the converted numeric features; training a machine learning classifier using the feature matrix; and detecting the target software using the machine learning classifier. The invention can convert the complex character string features extracted from malicious software samples into hash features that are easy for machine learning algorithms to process, thereby reducing the difficulty of model training, remarkably improving training speed, reducing space overhead and improving the accuracy of malicious software discrimination.
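The feature-construction steps of the abstract, as an added example that is not code from the patent: each sample's strings are passed through N = 3 non-encrypted (non-cryptographic) hashes and counted into fixed-width segments, so every row of the feature matrix has the same length no matter how many strings a sample yields. The choice of CRC32, Adler-32 and FNV-1a, the bucket width, the count-vector conversion and the sample values are all assumptions; the page does not specify them, and classifier training is left out.

```python
import zlib

BUCKETS = 16  # assumed width of each hash's segment; the page gives no value


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a, a common non-cryptographic hash."""
    h = 0x811C9DC5
    for byte in data:
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


# N = 3 hash functions (the abstract requires N > 1); this selection is assumed.
HASHES = (zlib.crc32, zlib.adler32, fnv1a_32)


def hash_strings(strings, buckets=BUCKETS):
    """Turn any number of strings into a count vector of length N * buckets."""
    vec = [0] * (len(HASHES) * buckets)
    for s in strings:
        data = s.encode("utf-8")
        for i, h in enumerate(HASHES):
            # Each hash owns its own segment, so a collision under one hash
            # is usually separated again by the other two.
            vec[i * buckets + h(data) % buckets] += 1
    return vec


def feature_row(sample):
    """Numeric features first, then the hashed non-numeric features."""
    return list(sample["numeric"]) + hash_strings(sample["strings"])


def feature_matrix(samples):
    return [feature_row(s) for s in samples]


# Constructed samples: two numeric features plus a variable number of strings.
SAMPLES = [
    {"numeric": [3, 40960], "strings": ["kernel32.dll", "CreateFileW"]},
    {"numeric": [7, 122880], "strings": ["kernel32.dll", "user32.dll",
                                         "MessageBoxW", "RegOpenKeyExW"]},
    {"numeric": [5, 8192], "strings": []},  # sample with no strings extracted
]

if __name__ == "__main__":
    for row in feature_matrix(SAMPLES):
        print(len(row), row)
```

A string never seen in training still lands in an existing column, which is what removes the vocabulary dependence criticised in [0006] and the variable-length problem in [0007].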

Description

Technical field

[0001] The invention relates to the technical field of detection, in particular to a software detection method, device, equipment and storage medium.

Background technique

[0002] Malicious software mainly includes destructive computer viruses, worms, Trojan horse backdoors, exploit programs, advertising phishing codes, etc. Such malicious software can be combined with various evasion techniques and security holes to break through the monitoring of existing traditional defense systems and cause great damage to users' interests. The purpose of a malware detection system is to discover malware mixed with normal files in a timely manner, take measures autonomously as far as possible before it produces destructive effects, and notify users in a timely manner.

[0003] Currently, malware detection methods include static file analysis detection and dynamic behavior analysis detection. Existing malware static detection technologies mainly rely on artif...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/12
CPC: G06F21/12
Inventor 庞瑞张宏君
Owner BEIJING TOPSEC NETWORK SECURITY TECH