
J4 ›› 2007, Vol. 29 ›› Issue (9): 19-22.


A computer virus detection system based on SVM

张波云[1,2] 殷建平[1] 蒿敬波[1]   

  • Online: 2007-09-01  Published: 2010-06-02

Abstract (from the Chinese):

Since the first computer virus was discovered, signature scanning has been the basic method of virus detection. However, the growing complexity of viruses and the appearance of polymorphic viruses limit how effectively that method can be applied. This paper proposes a general, intelligent virus detection method based on the Support Vector Machine (SVM); by applying the SVM algorithm, the detection system keeps good generalization ability even when the training sample is small. Taking execution traces of system API function calls as the example, the detection performance of the method is tested and the experimental results are compared with those of other detection methods. The experiments show that API function call sequences discriminate well between normal and malicious PE-format program files, that the SVM-based virus detection system needs less prior knowledge than other methods, and that, at comparable detection performance, the system's training time is shorter.

Keywords: computer virus, support vector machine, virus detection

Abstract:

Since the first computer virus was found, scanning detection has been used as the primary method in virus detection systems. As viruses become more complex and sophisticated, the scanning detection method is no longer able to detect the various forms of malicious code effectively. We explore the idea of automatically detecting viruses based on the Support Vector Machine (SVM), without strict dependence on particular viruses. By utilizing SVM, the generalizing ability of the virus detection system remains good when the sample size is small. An experiment using system API function call traces is given to illustrate the performance of this method. Finally, the detection abilities of the above method and of other methods are compared. Evidence shows that the sequences of operating system API function calls executed by running programs are a good discriminator between benign and malicious PE files, that the SVM-based detection system needs less prior knowledge than other methods, and that it shortens the training time at the same level of detection performance.
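The following worked example, added here and not taken from the paper, shows the pipeline the abstract describes in miniature: each program is represented by the sequence of OS API calls it executed, the sequences are turned into feature vectors, and a Support Vector Machine is trained to separate benign from malicious traces, then applied to traces it has not seen. Everything beyond that outline is an assumption, because the page does not state it: the features are counts of adjacent-call bigrams, the SVM is linear and trained by full-batch subgradient descent on the L2-regularised hinge loss (a library solver such as LIBSVM would do the same job in practice), and all traces are constructed toy data (the call names are ordinary Win32 function names used as tokens, not traces of real programs).

```python
"""Toy SVM malware detector over API-call traces.

Added example, not the paper's code. Assumptions (not stated on the page):
bigram-count features, a linear SVM, and full-batch subgradient descent on
the L2-regularised hinge loss. All traces are constructed toy data.
"""
from collections import Counter

MALICIOUS, BENIGN = 1, -1

# Constructed training traces (toy data, not real malware samples).
TRAIN = [
    (["CreateFileW", "ReadFile", "ReadFile", "CloseHandle"], BENIGN),
    (["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"], BENIGN),
    (["GetModuleHandleW", "GetProcAddress", "LoadLibraryW", "FreeLibrary"], BENIGN),
    (["CreateFileW", "GetFileSize", "ReadFile", "CloseHandle", "ExitProcess"], BENIGN),
    (["socket", "connect", "send", "recv", "closesocket"], BENIGN),
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], MALICIOUS),
    (["FindFirstFileW", "CreateFileW", "WriteFile", "CloseHandle",
      "FindNextFileW", "CreateFileW", "WriteFile", "CloseHandle"], MALICIOUS),
    (["RegOpenKeyExW", "RegSetValueExW", "RegCloseKey", "CreateProcessW"], MALICIOUS),
    (["GetModuleHandleW", "GetProcAddress", "VirtualAllocEx", "WriteProcessMemory"], MALICIOUS),
    (["socket", "connect", "recv", "WriteFile", "CreateProcessW"], MALICIOUS),
]

# Constructed held-out traces: they share some bigrams with the training set
# and also contain call pairs the model has never seen.
HELDOUT_MALICIOUS = ["LoadLibraryW", "OpenProcess", "VirtualAllocEx",
                     "WriteProcessMemory", "CreateRemoteThread"]
HELDOUT_BENIGN = ["GetModuleHandleW", "RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"]


def bigrams(trace):
    """Adjacent API-call pairs; the order of calls is what carries the signal."""
    return list(zip(trace, trace[1:]))


def build_vocab(traces):
    """Map every bigram seen during training to a feature index."""
    vocab = {}
    for trace in traces:
        for bg in bigrams(trace):
            vocab.setdefault(bg, len(vocab))
    return vocab


def featurize(trace, vocab):
    """Count vector over the training vocabulary; unseen bigrams are ignored."""
    counts = Counter(bigrams(trace))
    return [float(counts.get(bg, 0)) for bg in vocab]


def train_svm(data, epochs=1000, eta=0.1, lam=0.001):
    """Linear SVM: minimise lam/2*||w||^2 + mean(max(0, 1 - y*(w.x + b)))
    by full-batch subgradient descent (a toy stand-in for a real SVM solver)."""
    traces = [t for t, _ in data]
    vocab = build_vocab(traces)
    xs = [featurize(t, vocab) for t in traces]
    ys = [y for _, y in data]
    n, d = len(xs), len(vocab)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w = [lam * wj for wj in w]          # regulariser gradient
        grad_b = 0.0
        for x, y in zip(xs, ys):
            margin = y * (sum(wj * xj for wj, xj in zip(w, x)) + b)
            if margin < 1.0:                       # hinge loss is active
                for j, xj in enumerate(x):
                    grad_w[j] -= y * xj / n
                grad_b -= y / n
        w = [wj - eta * gj for wj, gj in zip(w, grad_w)]
        b -= eta * grad_b
    return {"vocab": vocab, "w": w, "b": b}


def score(model, trace):
    """Signed distance-like score: positive means malicious."""
    x = featurize(trace, model["vocab"])
    return sum(wj * xj for wj, xj in zip(model["w"], x)) + model["b"]


def predict(model, trace):
    return MALICIOUS if score(model, trace) >= 0 else BENIGN


def training_accuracy(model, data):
    return sum(predict(model, t) == y for t, y in data) / len(data)


def top_features(model, k=3):
    """Bigrams with the largest positive weight: what the SVM treats as suspicious."""
    return sorted(model["vocab"], key=lambda bg: -model["w"][model["vocab"][bg]])[:k]


if __name__ == "__main__":
    model = train_svm(TRAIN)
    print("training accuracy:", training_accuracy(model, TRAIN))
    print("held-out malicious ->", predict(model, HELDOUT_MALICIOUS))
    print("held-out benign    ->", predict(model, HELDOUT_BENIGN))
    print("most suspicious bigrams:", top_features(model))
```

Ten training traces are enough for the linear SVM to classify both held-out traces correctly, which is the small-sample point the abstract makes; the held-out traces are recognised through the bigrams they share with the training set, while call pairs never seen in training simply contribute nothing. In a real system the traces would come from an API-hooking monitor or sandbox, the vocabulary would be far larger, and the weight vector (see `top_features`) is worth inspecting so that the model is not keying on artefacts of the collection environment rather than on program behaviour.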
