fa آشکارسازی بدافزارها با استفاده از دسته‌بندی دنباله‌های با طول متغیر مقالات گروه امنیت اطلاعات Paper پژوهشي Research <p dir="RTL" style="text-align: justify;"><strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;">در این مقاله روشی مبتنی بر گراف به&shy;عنوان</span></span></strong> <strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;">استخراج</span></span></strong> <strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;">ویژگی&shy; برای دنباله&shy;های با طول متغیر</span></span></strong> <strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;">پیشنهاد</span></span></strong> <strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;">می&shy;شود. روش پیشنهادی بدون ثابت‌کردن طول دنباله&shy;ها، با تعیین پر تکرارترین دستورها و گذاشتن باقی دستورها در مجموعه </span></span></strong><strong><span dir="LTR"><span style="font-size:8.0pt;">&lsquo;other&rsquo;</span></span></strong><strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;"> از لحاظ سرعت و حافظه صرفه&shy;جویی می&shy;کند. با توجه به میزان شباهت ویژگی&shy;ها، هر نمونه امتیازی می&shy;گیرد و از امتیازات جهت دسته&shy;بندی استفاده می&shy;شود. برای بهبود نتایج، دو رویکرد پیشنهاد می‌شود. در رویکرد نخست، ویژگی‌های استخراج‌شده از روش&shy;های امتیازدهی بر روی آپکد، هگزادسیمال و فراخوانی سیستمی در ورودی دسته&shy;بندها ترکیب می&shy;شوند. در رویکرد دوم، خروجی دسته&shy;بندهای مختلف ترکیب شده و از رأی اکثریت استفاده می&shy;شود. رویکرد پیشنهادی با دقت 97 % بدافزارهای دگرگون‌شده رایانه‌ای از مجموعه </span></span></strong><strong><span dir="LTR"><span style="font-size:8.0pt;">vxheaven</span></span></strong> <strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;">را نه‌تنها شناسایی، بلکه دسته بدافزارها را نیز تعیین می&shy;کند؛ در‌‌حالی&shy;که روش&shy;های</span></span></strong><strong><span dir="LTR"><span style="font-size:8.0pt;">SSD</span></span></strong><strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;"> و</span></span></strong><strong><span dir="LTR"><span style="font-size:8.0pt;"> HMM</span></span></strong><strong><span style="font-family:b nazanin;"><span style="font-size:10.0pt;"> تحت شرایط یکسان با دقت 84 % و 80 % توانستند بدافزارها را شناسایی کنند.</span></span></strong><br> &nbsp;</p> <div style="text-align: justify;"><strong>In this paper, a novel method based on the graph is proposed to classify the sequence of variable length</strong> <strong>as feature extraction</strong><strong>.&nbsp;The proposed method overcomes the problems of the traditional graph with variable length of data, without fixing length of sequences, by determining the most frequent instructions and insertion the rest of instructions on the set of &ldquo;other&rdquo;, save speed and memory. According to features and the similarities of them, a score is given to each sample and that is used for classification.</strong> <strong>To improve the results, the method is not used alone, but in the two approaches, this method is combined with other existing Technique to get better results. In the first approach, which can be considered as a feature extraction,</strong><strong> extracted features from </strong><strong>scoring </strong><strong>techniques (Hidden Markov Model, simple substitution distance and similarity graph) on op-code sequences, hexadecimal sequences and system call</strong><strong>s</strong><strong> are combined at classifier input. The second approach consists of two steps, in the first step; the scores which obtained from each of the scoring Technique are given to the three support vector machine. The outcomes are combined according to the weight of each Technique and the final decision is taken based on the majority vote. Among the components of the support vector machine, when given a higher weight in the similarity graph method (the proposed method), the result is better, Because the similarity graph method is more accurate than the other two methods. Then, in the second section, considering the strengths and benefits of each classifier, classifier output</strong><strong>s</strong><strong> are combined and the majority voting is used.&nbsp;Three methods have been tested for group combinations, including </strong><strong>Ensemble Averaging, Bagging, and Boosting. Ensemble Averaging</strong><strong> consisting of the combination of four classifiers of random forests, a support vector machine (as obtained in the previous section), </strong><strong>K nearest neighbors</strong><strong> and </strong><em><strong>naive Bayes</strong></em><strong>, and the final decision is taken based on the majority vote; therefore, it is used as the proposed method. The proposed approach could detect metamorphic malware from Vxheaven set and also determines categories of malware with accuracy</strong> <strong>of</strong> <strong>97</strong><strong><span dir="RTL">%</span></strong><strong>, while the SSD and HMM methods under the same conditions could detect malware with an accuracy of 84% and 80% respectively.</strong><strong><span dir="RTL"></span></strong><br> &nbsp;</div> <p></p> آشکارسازی بدافزارها, روش‌های مبتنی بر گراف, ترکیب دسته‌بندها, دسته‌بندی با طول متغیر, ماشین بردار پشتیبان Malware Detection, Graph Techniques, Combining Classifiers, Variable Length Classification, Support vector machine 137 146 http://jsdp.rcisp.ac.ir/browse.php?a_code=A-10-1320-1&slc_lang=fa&sid=1 Fatemeh Hosseini فاطمه حسینی fatima.hosseini@srbiau.ac.ir 10031947532846007909 10031947532846007909 No Islamic Azad University, Science and Research Branch of Tehran دانشگاه آزاد اسلامی، واحد علوم و تحقیقات ، گروه مهندسی کامپیوتر Mitra Mirzarezaee میترا میرزارضایی mirzarezaee@srbiau.ac.ir 10031947532846007910 10031947532846007910 Yes Islamic Azad University, Science and Research Branch of Tehran دانشگاه آزاد اسلامی، واحد علوم و تحقیقات ، گروه مهندسی کامپیوتر Arash Sharifi آرش شریفی a.sharifi@srbiau.ac.ir 10031947532846007911 10031947532846007911 No Islamic Azad University, Science and Research Branch of Tehran دانشگاه آزاد اسلامی، واحد علوم و تحقیقات ، گروه مهندسی کامپیوتر