BEHAVIOR-BASED MALICIOUS EXECUTABLES DETECTION BY MULTI-CLASS SVM

As more polymorphic malicious codes coming into being, traditional anti-virus methods can not satisfy the current need. In order to achieve some specific functions, malicious codes must have some behaviors which are different from that of the normal programs. Focus on the difference between normal programs and the malicious codes the paper applies Support Vector Machine (SVM) and creates a space of virus API feature vector and a hyper-plane to divide the API space into two parts: malicious codes and normal program. Moreover, behaviors of different kinds of malicious codes are collected and 1-v-1 Multi-class SVM is introduced to detect those behaviors. Furthermore the paper constructs the application structure and selects large amount of test executable samples. Through statistics, analysis and calculation on those samples, the results verify our method.