A Lightweight Program Anomaly Detection Method for Heterogeneous Platform

MA Hailong; YIN Zinuo; HU Tao

doi:10.11999/JEIT210152

Volume 44 Issue 2

Feb. 2022

Turn off MathJax

Article Contents

Article Navigation > Journal of Electronics & Information Technology > 2022 > 44(2): 602-610

MA Hailong, YIN Zinuo, HU Tao. A Lightweight Program Anomaly Detection Method for Heterogeneous Platform[J]. Journal of Electronics & Information Technology, 2022, 44(2): 602-610. doi: 10.11999/JEIT210152

Citation:

MA Hailong, YIN Zinuo, HU Tao. A Lightweight Program Anomaly Detection Method for Heterogeneous Platform[J]. Journal of Electronics & Information Technology, 2022, 44(2): 602-610. doi: 10.11999/JEIT210152

Citation:

PDF( 2109 KB)

A Lightweight Program Anomaly Detection Method for Heterogeneous Platform

doi: 10.11999/JEIT210152

Information Engineering University, PLA Strategic Support Force, Zhengzhou 450001, China

Funds: The National Key R&D Program of China(2018YFB0804002, 2017YFB0803204)

Received Date: 2021-02-18
Rev Recd Date: 2021-05-22

Available Online: 2021-06-04

Publish Date: 2022-02-25

Abstract

Abstract

The existing anomaly detection methods which require pre-learning and are sensitive to noise result in long detection time and high false positive rate. Based on the analysis of the existing anomaly detection cases, a new perspective is proposed from platform heterogeneity: programs are run on multiple heterogeneous platforms, normal programs are run on all platforms with the same result, while anomaly programs show heterogeneity on different platforms. So a lightweight program anomaly detection method for heterogeneous platforms is designed. System state data is collected. Feature engineering is used to construct a multidimensional vector with obvious representation of anomaly. The label code and max-min normalization are used to preprocess the data. The difference degree between the data is calculated and the threshold rule is used to compare, analyze and detect anomaly. Compared with the unsupervised feature clustering method, detection accuracy of the proposed method is improved by 13.12% with low false positive rate and short detection time.
- Program anomaly detection,
- Heterogeneous platforms,
- System status features,
- Diversity

FullText(HTML)

References(19)

References

[1]	张祖法. 网络流量中面向缓冲区溢出漏洞的恶意程序检测方法研究[D]. [硕士论文], 江苏大学, 2020. ZHANG Zufa. Research on malware detection method for buffer overflow vulnerability in network traffic[D]. [Master dissertation], Jiangsu University, 2020.
[2]	张雄冠, 邵培南. 基于textCNN模型的Android恶意程序检测[J]. 计算机系统应用, 2021, 30(1): 114–121. doi: 10.15888/j.cnki.csa.007722 ZHANG Xiongguan and SHAO Peinan. Android malware detection based on textCNN model[J]. Computer Systems &Applications, 2021, 30(1): 114–121. doi: 10.15888/j.cnki.csa.007722
[3]	吴震雄. Android恶意软件静态检测方案研究[D]. [硕士论文], 南京邮电大学, 2015. WU Zhenxiong. Research on android malware static detection system[D]. [Master dissertation], Nanjing University of Posts and Telecommunications, 2015.
[4]	MA Zhuo, GE Haoran, LIU Yang, et al. A combination method for android malware detection based on control flow graphs and machine learning algorithms[J]. IEEE Access, 2019, 7: 21235–21245. doi: 10.1109/ACCESS.2019.2896003
[5]	DINABURG A, ROYAL P, SHARIF M, et al. Ether: Malware analysis via hardware virtualization extensions[C]. The 15th ACM Conference on Computer and Communications Security, Alexandria, USA, 2008: 51–62. doi: 10.1145/1455770.1455779.
[6]	张若楠, 李红辉, 张骏温. 一种融合改进Kmeans和KNN的网络入侵检测方法[J]. 计算机科学, 2018, 10A(45): 172–176. ZHANG Ruonan, LI Honghui, and ZHANG Junwen. Hybrid improved Kmeans with improved KNN for network intrusion detection algorithm[J]. Compouter Science, 2018, 10A(45): 172–176.
[7]	汪洁, 王长青. 子图相似性的恶意程序检测方法[J]. 软件学报, 2020, 31(11): 3436–3447. doi: 10.13328/j.cnki.jos.005863 WANG Jie and WANG Changqing. Malware detection method based on subgraph similarity[J]. Journal of Software, 2020, 31(11): 3436–3447. doi: 10.13328/j.cnki.jos.005863
[8]	陈志峰, 李清宝, 张平, 等. 基于聚类分析的内核恶意软件特征选择[J]. 电子与信息学报, 2015, 37(12): 2821–2829. doi: 10.11999/JEIT150387 CHEN Zhifeng, LI Qingbao, ZHANG Ping, et al. Signature selection for kernel malware based on cluster analysis[J]. Journal of Electronics &Information Technology, 2015, 37(12): 2821–2829. doi: 10.11999/JEIT150387
[9]	YOO S, KIM S, KIM S, et al. AI-HydRa: Advanced hybrid approach using random forest and deep learning for malware classification[J]. Information Sciences, 2021, 546: 420–435. doi: 10.1016/j.ins.2020.08.082
[10]	邬江兴. 网络空间拟态防御原理[M]. 2版. 北京: 科学出版社, 2018: 148–149. WU Jiangxing. The Principle of Cyber Mimic Defence[M]. 2nd ed. Beijing: Science Press, 2018: 148–149. .
[11]	GARCIA M, BESSANI A, GASHI I, et al. Analysis of operating system diversity for intrusion tolerance[J]. Software: Practice and Experience, 2014, 44(6): 735–770. doi: 10.1002/spe.2180
[12]	ÖSTERLUND S, KONING K, OLIVIER P, et al. kMVX: Detecting kernel information leaks with multi-variant execution[C]. The Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, Providence, USA, 2019: 559–572. doi: 10.1145/3297858.3304054.
[13]	KIRAT D, VIGNA G, and KRUEGEL C. BareCloud: Bare-metal analysis-based evasive malware detection[C]. The 23rd USENIX conference on Security Symposium, Berkeley, USA, 2014: 287–301.
[14]	XU Meng and KIM T. PLATPAL: Detecting malicious documents with platform diversity[C]. The 26th USENIX Conference on Security Symposium, Vancouver, Canada, 2017: 271–287.
[15]	张剑, 童言, 徐明迪, 等. 轻量级主机数据采集与实时异常事件检测方法研究[J]. 西安交通大学学报, 2017, 51(4): 97–102. doi: 10.7652/xjtuxb201704015 ZHANG Jian, TONG Yan, XU Mingdi, et al. A method for data collection and real-time anomaly detection of lightweight hosts[J]. Journal of Xi’an Jiaotong University, 2017, 51(4): 97–102. doi: 10.7652/xjtuxb201704015
[16]	张浚, 张凤荔, 罗琴, 等. 基于多特征相似度的大规模网络异常检测算法[J]. 计算机工程, 2007, 33(24): 181–183. doi: 10.3969/j.issn.1000-3428.2007.24.063 ZHANG Jun, ZHANG Fengli, LUO Qin, et al. Large-scale network anomaly detecting method based on multi-feature similarity[J]. Computer Engineering, 2007, 33(24): 181–183. doi: 10.3969/j.issn.1000-3428.2007.24.063
[17]	HU Shuai, XIAO Zhihua, RAO Qiang, et al. An anomaly detection model of user behavior based on similarity clustering[C]. Proceedings of 2018 IEEE 4th Information Technology and Mechatronics Engineering Conference, Chongqing, China, 2018. doi: 10.1109/ITOEC.2018.8740748.
[18]	缪祥华, 单小撤. 基于密集连接卷积神经网络的入侵检测技术研究[J]. 电子与信息学报, 2020, 42(11): 2706–2712. doi: 10.11999/JEIT190655 MIAO Xianghua and SHAN Xiaoche. Research on intrusion detection technology based on densely connected convolutional neural networks[J]. Journal of Electronics &Information Technology, 2020, 42(11): 2706–2712. doi: 10.11999/JEIT190655
[19]	董书琴, 张斌. 基于深度特征学习的网络流量异常检测方法[J]. 电子与信息学报, 2020, 42(3): 695–703. doi: 10.11999/JEIT190266 DONG Shuqin and ZHANG Bin. Network traffic anomaly detection method based on deep features learning[J]. Journal of Electronics &Information Technology, 2020, 42(3): 695–703. doi: 10.11999/JEIT190266