嵌入型恶意代码以其高隐蔽性和难检测性,成为计算机安全的新威胁.文中针对以往的统计分析法没有充分考虑嵌入型恶意代码所占字节数小、信息增益大的特点提出一种采用C4.5决策树的嵌入型恶意代码检测方法,即通过提取训练样本中信息增益最大的500个3-gram作为属性特征,建立决策树,实现对未知嵌入型恶意代码的检测.实验结果表明,文中方法在检测率和分类准确率上均具有明显优势,对感染了嵌入型恶意代码的Word文档的检测率达99.80%.

Embedded malware has become a novel computer security threat due to its high concealment and poor detectability.However,the existing statistical analysis methods are ineffective because they do not fully consider the small number of malicious bytes and the high information gain of embedded malware.In order to solve this problem,a new detection method of embedded malware is proposed based on C4.5 decision tree,which implements the detection by establishing a decision tree with 500 high-information-gain 3-grams extracted from training samples as the attribute.Experimental results show that the proposed method is superior to the existing methods in terms of detection rate and classification accuracy,and that it may achieve a detection rate of 99.80% for infected Word.