基于深度学习的恶意软件早期特征识别方法研究

In the early stage of the emergence of new malware or malware variants, it is impossible to know exactly which features should be extracted for classification. Besides, there are some problems in the classification phase, such as the lack of labeled samples and the unbalance of positive and negative samples distribution. As a result, new malware and malware variants can not be detected quickly and effectively. Firstly, this project explores a new automatic feature extraction technology, which aims to automatically learn and extract hidden and representative features in malware by using the outstanding feature learning ability of the deep learning algorithms. Secondly, this project seeks a reliable semi-supervised malware prediction model with stable performance, and it aims at improving the generalization performance of classification model by using the distribution information of a large number of unlabeled samples. Finally, based on Spark technology, this project proposes a parallel distributed computing framework running in the cloud, to realize the automatic feature extraction method and reliable semi-supervised malware prediction model proposed by this project, which can effectively save the computational resource consumption of the terminal, and realize the analysis and detection of massive malware efficiently and quickly.

新型恶意软件以及恶意软件变种在出现初期，是无法确切地知道需要抽取哪些特征来进行分类，且在分类过程中也存在有标记样本不足和样本分类不均衡，因此，无法迅速有效地检测出新型恶意软件和恶意软件变种。本项目探索一种新型的自动特征提取技术，运用深度学习算法优异的特征学习能力自动学习和提取恶意软件隐藏的且具代表性的特征；其次，寻求一种性能稳定的可靠半监督恶意软件预测模型，旨在利用大量未标记样本的分布信息来辅助提高分类模型的泛化性能；最后，基于Spark技术，提出了一种运行于云端的并行分布式计算框架来实现本项目提出的自动特征提取方法和可靠半监督恶意软件预测模型，从而有效节省终端的资源消耗，并实现对大规模恶意软件高效、快速的分析与检测。

新型恶意软件以及恶意软件变种在出现初期，是无法确切地知道需要抽取哪些特征来进行分类，且在分类过程中也存在样本分类不均衡，因此，无法迅速有效地检测出新型恶意软件和恶意软件变种。本项目提出一种基于混合深度学习的自动特征提取方法，旨在运用深度学习算法优异的特征学习能力自动学习和提取恶意软件隐藏的且具代表性的特征；本项目提出一种基于堆叠式集成学习的恶意软件检测模型，可在正负样本不均衡的情况下获得强泛化性能；本项目提出一种基于聚类的软件家族自动化分类方法，在该工作的基础上进一步挖掘正常软件样本的工作模式，并提出一种多步异常点检测方法来检测新型恶意软件及变种，最终实现不依赖已知恶意软件高质量标注的情况下在恶意软件出现初期做到有效预警。