A Hybrid Malicious Code Detection Method based on Deep Learning



Similar documents
The Research on Demand Forecasting of Supply Chain Based on ICCELMAN

Forecasting Trade Direction and Size of Future Contracts Using Deep Belief Network

Network Traffic Prediction Based on the Wavelet Analysis and Hopfield Neural Network

Predict Influencers in the Social Network

An Imbalanced Spam Mail Filtering Method

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

KEITH LEHNERT AND ERIC FRIEDRICH

Supporting Online Material for

Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems

AUTOMATION OF ENERGY DEMAND FORECASTING. Sanzad Siddique, B.S.

Chapter 1 Hybrid Intelligent Intrusion Detection Scheme

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

EM Clustering Approach for Multi-Dimensional Analysis of Big Data Set

LCs for Binary Classification

Intrusion Detection via Machine Learning for SCADA System Protection

LARGE-SCALE MALWARE CLASSIFICATION USING RANDOM PROJECTIONS AND NEURAL NETWORKS

A Survey on Intrusion Detection System with Data Mining Techniques

FRAUD DETECTION IN ELECTRIC POWER DISTRIBUTION NETWORKS USING AN ANN-BASED KNOWLEDGE-DISCOVERY PROCESS

Artificial Neural Network, Decision Tree and Statistical Techniques Applied for Designing and Developing Classifier

A Content based Spam Filtering Using Optical Back Propagation Technique

A Neural Network Based System for Intrusion Detection and Classification of Attacks

Introduction to Machine Learning CMU-10701

Neural Networks for Machine Learning. Lecture 13a The ups and downs of backpropagation

A STUDY ON DATA MINING INVESTIGATING ITS METHODS, APPROACHES AND APPLICATIONS

Neural Networks for Sentiment Detection in Financial Text

Comparison of K-means and Backpropagation Data Mining Algorithms

Spam Filtering Using Genetic Algorithm: A Deeper Analysis

Towards better accuracy for Spam predictions

Spam Detection Using Customized SimHash Function

Data Mining Algorithms Part 1. Dejan Sarka

A Health Degree Evaluation Algorithm for Equipment Based on Fuzzy Sets and the Improved SVM

A survey on Data Mining based Intrusion Detection Systems

Modelling, Extraction and Description of Intrinsic Cues of High Resolution Satellite Images: Independent Component Analysis based approaches

Predicting the Risk of Heart Attacks using Neural Network and Decision Tree

An analysis of suitable parameters for efficiently applying K-means clustering to large TCPdump data set using Hadoop framework

The Combination Forecasting Model of Auto Sales Based on Seasonal Index and RBF Neural Network

Feature Subset Selection in Spam Detection

An Introduction to Data Mining. Big Data World. Related Fields and Disciplines. What is Data Mining? 2/12/2015

Proactive Drive Failure Prediction for Large Scale Storage Systems

Application of Neural Network in User Authentication for Smart Home System

Social Media Mining. Data Mining Essentials

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme

A new Approach for Intrusion Detection in Computer Networks Using Data Mining Technique

LEUKEMIA CLASSIFICATION USING DEEP BELIEF NETWORK

Credit Card Fraud Detection Using Self Organised Map

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

UPS battery remote monitoring system in cloud computing

Spam Classification With Artificial Neural Network and Negative Selection Algorithm

Prediction of Heart Disease Using Naïve Bayes Algorithm

Bayesian networks - Time-series models - Apache Spark & Scala

Applying Deep Learning to Enhance Momentum Trading Strategies in Stocks

NEURAL NETWORKS A Comprehensive Foundation

A Dynamic Flooding Attack Detection System Based on Different Classification Techniques and Using SNMP MIB Data

Neural network software tool development: exploring programming language options

Network Intrusion Detection using Semi Supervised Support Vector Machine

AnalysisofData MiningClassificationwithDecisiontreeTechnique

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

Analecta Vol. 8, No. 2 ISSN

Data Mining using Artificial Neural Network Rules

EFFICIENT DATA PRE-PROCESSING FOR DATA MINING

Application of Data Mining based Malicious Code Detection Techniques for Detecting new Spyware

Learning to Process Natural Language in Big Data Environment

Customer Classification And Prediction Based On Data Mining Technique

Adaptive Framework for Network Traffic Classification using Dimensionality Reduction and Clustering

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

The Applications of Deep Learning on Traffic Identification

RESEARCH ON THE FRAMEWORK OF SPATIO-TEMPORAL DATA WAREHOUSE

Performance Evaluation On Human Resource Management Of China S Commercial Banks Based On Improved Bp Neural Networks

Intrusion Detection using Artificial Neural Networks with Best Set of Features

An Introduction to Data Mining

THREE DIMENSIONAL REPRESENTATION OF AMINO ACID CHARAC- TERISTICS

Research on the Performance Optimization of Hadoop in Big Data Environment

International Journal of Innovative Research in Advanced Engineering (IJIRAE) ISSN: Volume 1 Issue 11 (November 2014)

A Stock Pattern Recognition Algorithm Based on Neural Networks

CRITERIUM FOR FUNCTION DEFININING OF FINAL TIME SHARING OF THE BASIC CLARK S FLOW PRECEDENCE DIAGRAMMING (PDM) STRUCTURE

The multilayer sentiment analysis model based on Random forest Wei Liu1, Jie Zhang2

Adaptive Anomaly Detection for Network Security

A Survey on Outlier Detection Techniques for Credit Card Fraud Detection

Lecture 8 February 4

Research Article Distributed Data Mining Based on Deep Neural Network for Wireless Sensor Network

Choosing the Optimal Object-Oriented Implementation using Analytic Hierarchy Process

International Journal of Computer Science Trends and Technology (IJCST) Volume 2 Issue 3, May-Jun 2014

How To Prevent Network Attacks

Novelty Detection in image recognition using IRF Neural Networks properties

Programming Exercise 3: Multi-class Classification and Neural Networks

Face Recognition For Remote Database Backup System

Design call center management system of e-commerce based on BP neural network and multifractal

A simple application of Artificial Neural Network to cloud classification

1. Classification problems

Mobile Phone APP Software Browsing Behavior using Clustering Analysis

Application of Data Mining Techniques in Intrusion Detection

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation

An Evaluation of Machine Learning Method for Intrusion Detection System Using LOF on Jubatus

Fault Analysis in Software with the Data Interaction of Classes

Transcription:

, pp. 205-26 http://dx.doi.org/0.4257/isia.205.9.5.2 A Hybrid Malicious Code Detection Method based on Deep Learning Yuancheng Li, Rong Ma and Runhai Jiao School of Control and Computer Engineering, North China Electric Poer University, Beiing, China ycli@ncepu.edu.cn, acelin007@63.com, runhaiiao@ncepu.edu.cn Abstract In this paper, e propose a hybrid malicious code detection scheme based on AutoEncoder and DBN (Deep Belief Netorks). Firstly, e use the AutoEncoder deep learning method to reduce the dimensionality of data. his could convert complicated high-dimensional data into lo dimensional codes ith the nonlinear mapping, thereby reducing the dimensionality of data, extracting the main features of the data; then using DBN learning method to detect malicious code. DBN is composed of multilayer Restricted Boltzmann Machines (, Restricted Boltzmann Machine) and a layer of BP neural netork. Based on unsupervised training of every layer of, e make the output vector of the last layer of as the input vectors of BP neural netork, then conduct supervised training to the BP neural netork, finally achieve the optimal hybrid model by fine-tuning the entire netork. After inputting testing samples into the hybrid model, the experimental results sho that the detection accuracy getting by the hybrid detection method proposed in this paper is higher than that of single DBN. he proposed method reduces the time complexity and has better detection performance. Keyords: Malicious code Detection, AutoEncoder, DBN,, deep learning. Introduction Malicious code is the softare hich intentionally damage or destroy the function of system through adding, changing, deleting some code by unauthorized users in normal circumstances. In recent years, malicious code causing far-reaching influence mainly includes: viruses, Worm, roan horse, etc. According to the statistical results in [], in 200, Symantec recorded more than 3,000,000,000 malicious code attacks, and monitoring more than 280,000,000 independent variant malicious code samples. Compared to 2009, there is groth of 93% for the attack based on the Web. With the increase in the number of malicious code, this shos that the harm and loss is groing. As an important technology of netork security, intrusion detection discovers and recognizes intrusion behaviors or attempts in the system through the collection and analysis of key data in the netork and computer system. Efficient, accurate identification of malicious code can improve the efficiency of intrusion detection, therefore, malicious code analysis and detection is a key problem in intrusion detection technology. For detection of malicious code, according to the detected position it is currently divided into to approaches host-based and netork-based [2]: Netork-based detection methods, including Honeypot-based approach [3-4], and based on Deep packet Inspection [5]; Host-based detection methods, including check sum-based approach [6], signature-based approach [7-9], heuristic data mining approach [0]. he data mining method adopted many machine learning methods, hich had an effective detection of unknon malicious code through learning the characteristics of malicious code and the normal code [] revieed a variety of feature-extraction methods and machine learning ISSN: 738-9984 IJSIA Copyright c 205 SERSC

methods in a variety of malicious code detection applications, including naive Bayes, decision trees, artificial neural netorks, Support Vector Machine, etc., [2] proposed a static system call sequences based on N-gram and to automatic feature-selection methods, and adopted K-nearest neighbor algorithm, SVM, decision tree as the classifier. he literature [3] presented a malicious code behavior feature extraction and detection method based on semantics to obtain the behavior of malicious code hich has great anti-amming capabilities. Although the above methods have achieved certain results in the aspect of malicious code detection, there are still some problems. Such as, feature-extraction is not appropriate, the detection rate and the detection accuracy are not high, and the complexity of the algorithm is high. his paper selects KDDCUP 99 data set as experimental data, and proposes a hybrid malicious code detection model based on deep learning; Based on the AutoEncoder for data dimensionality reduction, this paper proposes to set DBN as a classifier. For the malicious code behavior, using multiple deep learning achieved better effects than surface learning model. Finally, this method improves the malicious code detection rate and detection accuracy, and reduces the time complexity of the hybrid model. 2. Hybrid Malicious Code Detection Model based on Deep Learning Netork data usually contains the normal data and the malicious data. Malicious code detection is to differentiate beteen the normal data and malicious code data separately, so essentially it belongs to binary classification problems. o get a good performance of the malicious code detection model, there are to aspects of ork need to be done: Firstly, finding the essential characteristics of malicious code data; secondly, constructing a good performance of classifier model to accurately differentiate the malicious data from the normal data. In this paper, e make use of the advantages of deep learning, the organic integration of to deep learning methods, AutoEncoder and DBN. his hybrid model extracts the essence of malicious code data, reduces the complexity of the model, and improves the detection accuracy of malicious code. 2. AutoEncoder Dimensionality Reduction AutoEncoder [4] is a kind of deep learning method for learning efficient code hich is proposed by G. E. Hinton in 2006. hrough the study of the compression coding of specified set of data, it can achieve the purpose of data dimensionality reduction. AutoEncoder structure is divided into part of encoder and decoder, including input layer, hidden layer, output layer. he cross section beteen encoder and decoder named code layer is the core of AutoEncoder that can reflect the essential characteristics of high dimensional data set ith nested structure, and to set the intrinsic dimensions of high-dimensional data sets. When the number of hidden layer neurons are less than the number of input layer and output layer neurons, e can get the compressed vector of input layer called the data dimensionality reduction. AutoEncoder consists of three steps, hich are pretraining, Unrolling and fine-tuning process [4], as shon in Figure. 206 Copyright c 205 SERSC

Figure. AutoEncoder Structure In the pretraining process, e set the output of each hidden layer neuron as the input of the next. consists of the visible units and hidden units. We use the vectorv and H represent the visible units and the hidden unit state respectively. he structure is shon in Figure 2. eights hi Hidden layer unit h v Hidden layer unit v Figure 2. he Netork Structure of Where vi denotes the state of the i visible unit, h denotes the state of the hidden unit, visible and hidden units meet the energy formula (): E v h b v b h v h (), i i i i iv H i, In the process of adustment of eight training, firstly e update the state of the hidden layer neuron, and then update the state of the visible layer, thus get the adusting eights. he eight updating rule as shon in formula (2): Where i t t t v h v h (2) i i i i i i denotes the eight adustment, i () t denotes the connection eights(hen in step t beteen the i, neuron), denotes the learning rate, vh i denotes the average forard correlation (Equal to the output of product of neurons in the hidden and visible neurons), vh i denotes the average reverse correlation. After the pre-training is completed, combining the current output unit ith the next input unit as the independent layer. Unrolling process is to connect these independent into a multi-layered AutoEncoder, the Unrolling process as shon in Figure 3. Copyright c 205 SERSC 207

30 4 Decoder Reconstructed data 00 00 3 500 200 2 3 200 00 4 30 Code layer 200 2 00 4 3 500 200 2 500 500 Initial data Initial data Encoder Pretraining Unrolling Figure 3. he Unrolling Process of AutoEncoder Fine-tuning process is the process that does the further adustments to the initial eights after pretraining process to get optimal eights. We mainly use the multiclass cross-entropy error function [5] for evaluation. he multiclass cross-entropy error function is the difference beteen the measurement of target probability distribution and the actual probability distribution, that the smaller, the to distributions are similar, and the better. AutoEncoder uses BP algorithm to adust the eights of the multiclass cross-entropy error function, as shon in formula (3): H [ y log y ˆ ( y )log( y ˆ )] (3) i i i i i i Where yi denotes the characteristics of the data sample values, yˆi denotes the Characteristics of the data sample after reconstruction. AutoEncoder adusts the eights in the fine-tuning process, out layer eight adustment rules shon as formula (4): H m i ti yi O (4) i Hidden layer eights adustment rules shon as formula (5): Where H m H m neti H m i O net net i i i i H m Oi H m O O ( O )O O net O i i i denotes the adustment step, 2. 2 DBN Deep Learning Structure O denotes the upper output neurons. DBN is a deep learning machine hich consists of an unsupervised multi-layer netork and a supervised BP netork. Each layer unit captures highly relevant implicit correlations from the hidden units of the front layer. he adacent layers of the DBN can be decomposed into a single limited, shon as Figure 4. In Figure 4, deep belief netorks shon as Figure (), and Figure (2) indicated that the use of each lo layer as input data for the training of the next, get a set of by the greedy learning. (5) 208 Copyright c 205 SERSC

Figure 4. he Structure and the Corresponding DBN Netork DBN training process is divided into to steps: he first step, train each layer of separately by the unsupervised ay; he second step, BP neural netork in the last layer of DBN, e set the output vector of the last as the input vector of BP neural netork, then do the supervised training to entity relation classifier. he paper [5] believes that, in the typical DBN hich has one hidden layer the relationship beteen visual layer v and hidden layer h can be expressed as formula (6): l2 l k k,,, 2 l 2 l P v h h P h h P h, h (6) k As Figure 2 shon, are mutually connected by the visible and the hidden layers. he connection matrix and the biases beteen the layers are get by unsupervised greedy algorithm. In specific training process, firstly, mapping the visual unit v i to the hidden layer unit h ; then, reversely reconstructing the v i using h ; Repeating this process, and updating the values of the connection matrix and the biases unless the reconstruction error is acceptable. Associated difference beteen hidden layer units and visual layer units ill form the basis for each eight update. Mapping probability of hidden layer units and visual layer units shon as formula (7) and (8): I ph v; i vi a (7) i Where i layer units, I pvi h; i hi b (8) denotes the connection eights beteen the visual layer units and hidden bi and a denotes biases respectively, sigmoid function denotes the incentive function. By using the gradient of the log likelihood probability log, ; e derive the eight update rule, as shon in formula (9): - mod i data i el i p v h, E v h E v h (9) Where denotes the expectation value, Edata vi h denotes the expectation value defined in the model. Because Emod el vih is difficult to calculate, e alays use the Gibbs sampling replace Emod el vih by using the contrast gradient divergence algorithm hich is similar to the gradient. hrough a combination of bottom-up s hich have carried out massive learnings layer by layer can construct an initial DBN. Copyright c 205 SERSC 209

hen fine tune the hole DBN from the back to the front by the supervised learning method hich is similar to the traditional BP neural netork. Finally, e can establish the trained DBN model. 2. 3 Hybrid Malicious Code Detection based on DBN and AutoEncoder Deep learning has nonlinear mapping of the deep structure ith the multilayer hich has the benefits complex function can be expressed ith feer parameters. Compared ith surface learning, it can realize complex function approximation, and has strong ability for the massed learning of the essential characteristics of data set from a fe samples. Based on the above considerations, this paper proposes a hybrid malicious code detection model based on deep learning; Reducing dimensionality of the data by using the AutoEncoder s space mapping ability of different dimensionality, then abstracting the main characteristics. Based on this, setting DBN as the classifier for several times deep learnings. hen improving the detection accuracy, and reducing the time complexity of the hybrid model. Figure 5 depicts the process of mixing pre-trained detection algorithm. Begin Input raining sample dataset Set layer i= raining netork according Learning rules Data preprocessing AutoEncoder dimensionality reduction dimensionality reduction Output raining sample Dataset after dimensionality reduction Classification Reserve eights and biases If i<=max layer NO BP neural netork classification(supervised learning) YES Set layer i=i+ Netork parameters Normal code Malicious code stop Figure 5. A DBN Malicious Code Detection Method based on AutoEncoder Dimensionality Reduction he hybrid detection algorithm is described as follos: () Initialization, input training samples; then digitizing and normalizing the input data; (2) Reducing the dimension, AutoEncoder as used to realize the feature mapping; (3) Input eigenvector ith dimensionality reduction, netork parameter to initialize DBN classifier; (4) Set the layer i=; (5) rain the netork layer by layer according to learning rules, then save the result including the eights and biases; (6) If i<=max layer, set i=i+; hen i>max layer, do the supervised learning for BP netork; (7) Input the test samples into the trained classifier to detect malicious code and the normal code. 3. Experimental Results and Analysis 3. Analysis and Pretreatment of Experimental Data In this paper, KDDCUP'99 dataset [6] as used to detect malicious code data. hey include five categories: probe, UZR (User to Root), RZL (Remote to Local), DoS (Denial-of-Service) as ell as Normal data. his paper adopted 0% of the samples of KDDCUP'99 as a dataset, containing a total of 494,02 training data and 3,029 testing 20 Copyright c 205 SERSC

data. In the dataset of KDDCUP'99, each data contains 4 properties. here are to types of data: numerical and character type. For numerical data, e can treat it directly as number; for the character of character data, e can achieve numeric in the standard method of keyords. o eliminate the effects caused by differences of the magnitude, and to reduce the excessive reliance on individual characteristics in the process of classification, e need to normalize data. Firstly, each feature as standardized according to the formula (0) xi AVERAGE x ' i (0) SAND AVERAGE x x2 xn () n SAND x AVERAGE xn AVERAGE (2) n AVERAGE 0,' x 0; SAND 0,' x 0 i Secondly, the standardized features need to be normalized, as shon in the formula (3): x' i min x x ' i (3) max x x' i Where x denotes the value of the original training sample, max (or min) denotes the maximum value for the sample data in the condition of same indicator (or minimum). 3.2 Evaluation Index Experimental Results his paper uses the folloing indexes to evaluate experimental results, hich are PR (rue Positive Rate), FPR (False Positive Rate), Accuracy, CPU time consumption. hey are defined as follos: PR = the number of correct results of normal code samples/the actual number of normal code samples, FPR = the number of malicious code samples hich are predicted to be normal code/the actual number of malicious code samples. 3.3 Comparison of Experimental esults Experimental test environment: the platform of Intel Core Duo CPU 2.0GHz and 2.00G RAM's, Matlab v7.. his paper uses 2000 samples extracted from 0% samples in proportion hich contain the 4 attacks recorded test data and additional 4 types of experiments. he experiment designed the AutoEncoder hich consists of five layers. he numbers of neurons in the previous four-layer netork are 4, 300, 50, 75, respectively. Furthermore, the number of neurons in the last layer is variable, hich determine the dimension of data number after dimensionality reduction. After the pretraining process of the training and testing data, e use AutoEncoder for data dimensionality reduction. hrough changing the iterations of the pretraining and fine-tuning, e could get different models, including AutoEncoder + DBN 5-5 (pretraining iterations 5 times, fine-tuning5 times); AutoEncoder + DBN 0-0 (pre-training iterations 0 times, fine-tuning 0 times); AutoEncoder + DBN 0-5 (pre-training iterations 0 times, fine-tuning five times). he detection results of malicious code as shon in able. able. he Results of the Different Detection Methods Model PR FPR Accuracy CPU time(s) i DBN 95.34% 9.02% 9.4%.26 Copyright c 205 SERSC 2

Mean Squared Error Mean Squared Error International Journal of Security and Its Applications AutoEncoder+DBN 5-5 96.79% 5.79% 89.75% 2.625 AutoEncoder+DBN 0-5 93.35 % 9.7% 88.95%.47 AutoEncoder+DBN 0-0 92.20%.58% 92.0%.243 he experimental results sho that ith the increase in the number of iterations, in the respect of detection accuracy, the proposed method is superior to the method of single DBN, hich as used in the first experiment. Apparently, using AutoEncoder to achieve data dimension reduction is effective, it can improve the detection accuracy, for using AutoEncoder can capture the essential characteristics of date efficiently. Meanhile, the accuracy of detection (P) is reduced. Overall, in the respect of prediction accuracy, the mentioned method described in the paper is superior to the single DBN method. It can adapt to the complex environment, achieve effective detection of malicious code, moreover, it consumes less time. Figures 6 and 7 sho the error rate in the process of pretraining and fine-tuning. After to iterations, the error rate is maintained at a loer level stably. 8 x 04 7 6 Reconstruction Error for pre-training 4-300 300-50 50-75 75-9 5 4 3 2 0.5 2 2.5 3 3.5 4 4.5 5 Iteration Figure 6. Pretraining Reconstruction Error 7 6.5 Reconstruction Error for fine-tuning raining esting 6 5.5 5 4.5 4 3.5 3.5 2 2.5 3 3.5 4 4.5 5 Iteration Figure 7. Fine-tuning Reconstruction Error 22 Copyright c 205 SERSC

Detecting accuracy raining time (in seconds) Accuracy International Journal of Security and Its Applications 0.93 0.92 0.9 Detecting accuracy ith differet dimension [5 5] iterations [0 0] iterations [0 5] iterations 0.9 0.89 0.88 0.87 0.86 0.85 0.84 2 4 6 8 0 2 4 6 8 20 dimension Figure 8. Effect of Dimensions on the Correct Detecting Accuracy 5 4.5 4 raining time ith differet dimension [5 5] iterations [0 0] iterations [0 5] iterations 3.5 3 2.5 2.5 2 4 6 8 0 2 4 6 8 20 Dimension Figure 9. Effect of Dimensions on the ime Consumption here are many parameters in the AutoEncoder, such as netork structure, output dimension of data after dimensionality reduction, the number of iterations for pretraining and fine-tuning, etc. he output dimension of data after dimensionality reduction is one of the maor parameters among them. his paper explores the impact of these parameters on these mentioned methods. Figures 8 and 9 respectively sho the effect on the detection accuracy and the time consumption of the method. In figure 8, detection accuracy increases ith increasing number of iterations. In Figure 9, ith the increase of the number of iterations, CPU time consumption varies, but the dimension and training time consumption have no direct correlation, because AutoEncoder can restore data based on less information loss and error. 0.93 Detecting accuracy ith different iteration 0.92 0.9 0.9 0.89 0.88 0.87 0.86 Pretraining iterations Fine-tuning iterations 0.85 5 6 7 8 9 0 2 3 4 5 iteration Figure 0. he Relations beteen the Correct Detecting Accuracy and Iterations Copyright c 205 SERSC 23

raining time (in seconds) International Journal of Security and Its Applications 2.8 raining time ith different iteration 2.6 2.4 2.2 Pretraining iterations Fine-tuning iterations 2.8.6.4.2 5 6 7 8 9 0 2 3 4 5 iteration Figure. he Relations beteen the ime Consumption and Iterations Figure 0 and Figure sho the effect on the detection accuracy of the number of iterations and the time consuming. Figure 0 sho that hen pretraining iterations increased to 0 times, the detection accuracy reached the highest point. Figure shos that hen pretraining iterations increased to 0 times, most of the time consumption is maintained at a lo level. Fine-tuning process is to adust the eights using back-propagation, for lo-dimensional data, the netork is over-learning. he iterations of fine-tuning do not affect to assessed value directly. AutoEncoder reduces the data dimensions and extracts the main features of data through the nonlinear mapping for complex multidimensional data; this makes the effectiveness of the experiment increased hen applying DBN to classify. In short, for the detection of malicious code, the hybrid method mentioned in this paper is apparently superior to the single DBN method in the first experiment on the hole. 4. Conclusion Against the problem of detecting malicious code, e propose a hybrid method of detecting malicious code based on deep learning, hich combines the advantages of AutoEncoder and DBN respectively. Firstly, the method used AutoEncoder for data dimensionality reduction to extract the main feature of data. hen the method uses DBN to detect malicious code. Finally, the experiment as verified by KDDCUP'99 dataset. Experimental results sho that compared ith the detection method using single DBN, the proposed method improves detection accuracy, hile reducing the time complexity of the model. Hoever, in practical application, according to actual situation, the method proposed in this paper needs to have further improvements in order to improve its performance. Acknoledgements his ork as supported in part by he Fundamental Research Funds for the Central Universities (No. 204MS29). References [] Symantec Corporation, Symantec Internet security threat report trends for 200 [EB/OL] (20-04) [202-07-0], (20), http://msisac.cisecurity.org/resources/reports/documents/symantec, Internet Security hreat report 200.pdf. [2] N. Idika and A. P Mathur, Survey of malare detection technical, echnical Report, Department of Computer Science, Purdue University, (2007). [3] C. L. sai, C. C. seng and C. C. Han, Editors, Intrusive behavior analysis based on honey pot tracking and ant algorithm analysis, 43rd Annual 2009 International Carnahan Conference, (2009) October 5-8, Zurich, Sitzerland. [4] W. Wang and I. Murynets, J. Security and Communication Netorks, vol. 6, no., (203). [5] P. C. Lin, Y. D. Lin, Y. C. Laiand and. H. Lee, J. Computer Practices, vol. 4, no. 4, (2008). 24 Copyright c 205 SERSC

[6] Y. Saaya, A. Kubota and Y. Miyake, Editors, Detection of attackers in services using anomalous host behavior based on traffic flo statistics, IEEE/IPSJ th International Symposium, (20) July 8-2, Munich, Bavaria, Germany. [7] M. Milenkovic, A. Milenkovic and E. Jovanov, J. ACM SIGARCH Computer Architecture Nes, vol. 33, no., (2005). [8] M. Christodorescu, S. Jha, S. A. Seshia, D. Song and R. E. Bryant, Editors, Proceedings of the 2005 IEEE Symposium Security and Privacy, (2005) May 8-; Oakland, California. [9] M. Christodorescu and S. Jha, Static analysis of executables to detect malicious patterns, Wisconsin: University of Wisconsin, (2006). [0] D. G. Kong, X. B. an, H. S. Xi,. Gong and J. M. Shuai, J. Journal of Softare, vol. 22, no. 3, (20). [] A. Shabtai, R. Moskovitch, Y. Elovici and C. Glezer, J. Information Security echnical Report, vol. 4, no., (2009). [2] Y. X. Ding, X. B. Yuan, D. Zhou, L. Dong and Z. C. An, J. Computers &Security, vol. 30, no. 6, (20). [3] R. Wang, D. G. Feng, Y. Yang and P. R. Su, J. Journal of Softare, vol. 23, no. 2, (202). [4] G. E. Hinton and R. R. Salakhutdinov, J. Science, vol. 33, no. 5786, (2006). [5] G. E. Hinton, Distributed representations, ech. Report, University of oronto, (984). [6] KDDCUP99, Available on, (2007), http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. Authors Yuancheng Li, received the Ph.D. degree from University of Science and echnology of China, Hefei, China, in 2003. From 2004 to 2005, he as a postdoctoral research fello in the Digital Media Lab, Beihang University, Beiing, China. Since 2005, he has been ith the North China Electric Poer University, here he is a professor and the Dean of the Institute of Smart Grid and Information Security. From 2009 to 200, he as a postdoctoral research fello in the Cyber Security Lab, Pennsylvania State University, Pennsylvania, USA. His current research interests include Smart Grid operation and control, information security in Smart Grid. Copyright c 205 SERSC 25

26 Copyright c 205 SERSC

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information