关键词: 恶意软件, 静态特征, 灰度图, 结构特征, Lst文件, LightGBM

Abstract:

Aiming at the problems that the staticfusion feature of existing malware classification methods is high in dimension, time-consuming feature extraction, and the long training time of the Boosting algorithm for a large number of high-dimensional feature samples, a classification method based on static fusion feature is proposed. The grayscale pixel features of the original file and its decompiled Lst file, the structural features of the original file and the content features of the Lst file are extracted, and then the features are merged and classified. When the training set is sampled, the GOSS algorithm is enabled to reduce the sampling of the training samples, and LightGBM is used as the classifier. The classifier reduces the dimensionality of the exclusive features through EFB. The experiment proves that the classification accuracy rate reaches 97.04% under the fusing of three types feature, and the training time is reduced by 29% by enabling GOSS sampling. The fusion feature is better than the feature fusing Opcode n-gram in classification, and LightGBM has better classification effect than traditional deep learning and machine learning algorithms.

Key words: malware, static features, grayscale image, structural features, Lst file, LightGBM