基于改进哈里斯鹰算法同步优化特征选择的恶意软件检测方法

doi:10.3969/j.issn.1671-1122.2021.12.002

摘要/Abstract

摘要：

针对恶意软件检测领域存在特征选择与模型参数调优难度大的问题,文章提出一种基于改进哈里斯鹰（Improved Harris Hawks Optimization,IHHO）算法同步优化特征选择的恶意软件检测方法。首先,将自适应精英反向学习策略、正余弦位置更新方式、circle混沌能量因子以及随机维度量子旋转门变异策略引入HHO算法,增强其全局探索和局部开发能力,提升算法收敛精度和稳定性。然后,采用IHHO同步优化极端梯度提升树分类算法参数及特征选择,构建基于网络流量特征的恶意软件检测模型。最后,使用改进算法对CICInvesAndMal2019数据集进行特征子集提取与模型参数寻优仿真实验。实验结果表明,IHHO算法能选取更高质量特征子集并提升恶意软件检测模型分类能力。

关键词: 哈里斯鹰优化算法, 恶意软件检测, 流量特征, 精英反向学习, 正余弦策略

Abstract:

Aiming at the difficulty of feature selection and model parameter tuning in malware detection field, a malware detection method based on improved Harris Hawks Optimization (HHO) synchronous optimization feature selection is proposed. The adaptive elite reverse learning strategy, circle chaos energy factor and random dimensional quantum revolving door mutation strategy are introduced into HHO algorithm to enhance its global exploration and local development ability and improve the convergence accuracy and stability of the algorithm. Extreme Gradient Boosting (XGBoost) is an improved Harris Hawks optimization (IHHO) algorithm for simultaneous optimization of classification parameters and feature selection, in order to build a malware detection model based on network traffic characteristics. Finally, the improved algorithm is used to extract feature subset and optimize model parameters of CICInvesAndMal2019 dataset. The results show that IHHO can select higher quality feature subset and improve the classification ability of malware detection model.

Key words: Harris Hawks optimization algorithm, malware detection, flow characteristics, elite opposition based learning, sines and cosines strategy

中图分类号:

TP309

徐国天, 刘猛猛. 基于改进哈里斯鹰算法同步优化特征选择的恶意软件检测方法[J]. 信息网络安全, 2021, 21(12): 9-18.

XU Guotian, LIU Mengmeng. Malware Detection Method Based on Improved Harris Hawks Optimization Synchronization Optimization Feature Selection[J]. Netinfo Security, 2021, 21(12): 9-18.

图/表 10

图1

图2

图3

表1

表2

图4

表3

表4

图5

表5

参考文献 19

[1]	China Internet Network Information Center. The 48th Statistical Report on China’s Internet Development[EB/OL]. http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/202109/t20210915_71543.htm, 2021-09-15.
	中国互联网络信息中心. 第48次中国互联网络发展状况统计报告[EB/OL]. http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/202109/t20210915_71543.htm, 2021-09-15.
[2]	LI Wenjia, GE Jigang, DAI Guqian. Detecting Malware for Android Platform: an SVM-based Approach[C]// IEEE. 2015 2nd International Conference on Cyber Security and Cloud Computing, November 3-6, 2015, New Jersey, USA. New York: IEEE, 2016: 464-469.
[3]	ARP D, SPREITZENBARTH M, HUBNER M, et al. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket[C]// NDSS. 21st Network and Distributed System Security Symposium, February 23-26, 2014, California, USA. California: NDSS, 2014: 23-26.
[4]	CHAN P P K, SONG Wenkai. Static Detection of Android Malware by Using Permissions and API calls[C]// IEEE. 2014 International Conference on Machine Learning and Cybernetics, July 13-16, 2014, Lanzhou, China. New York: IEEE, 2014: 82-87.
[5]	YU Yuaner, ZHANG Linlin, ZHAO Kai, et al. Android Malware Family Classification Method Based on Sensitive Permissions and API[J]. Journal of Zhengzhou University(Natural Science Edition), 2020, 52(3):75-79, 91.
	于媛尔, 张琳琳, 赵楷, 等. 基于敏感权限和API的Android恶意软件家族分类方法[J]. 郑州大学学报(理学版), 2020, 52(3):75-79,91.
[6]	XIAO Yunchang, SU Haifeng, QIAN Yucun, et al. A Behavior-based Family Clustering Method for Android Malware[J]. Journal of Wuhan University(Natural Science Edition), 2016, 62(5):429-436.
	肖云倡, 苏海峰, 钱雨村, 等. 一种基于行为的Android恶意软件家族聚类方法[J]. 武汉大学学报(理学版), 2016, 62(5):429-436.
[7]	SARACINO A, SCANDURRA D, DINI G, et al. MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention[J]. IEEE Transactions on Dependable and Secure Computing, 2018, 15(1):83-97. doi: 10.1109/TDSC.2016.2536605 URL
[8]	HAO Jingwei, PAN Limin, LI Rui. Low Redundancy Feature Selection Method for Android Malware Detection[N]. Journal of Beijing University of Aeronautics and Astronautics, 2021-03-02(3)
	郝靖伟, 潘丽敏, 李蕊. Android恶意软件检测低冗余特征选择方法[N]. 北京航空航天大学学报, 2021-03-02（3）.
[9]	FATIMA A, MAURYA R, DUTTA M K, et al. Android Malware Detection Using Genetic Algorithm Based Optimized Feature Selection and Machine Learning[C]// IEEE. 2019 42nd International Conference on Telecommunications and Signal Processing (TSP), July 1-3, 2019, Budapest, Hungary. New York: IEEE, 2019: 220-223.
[10]	MOODI M, GHAZVINI M, MOODI H. A Hybrid Intelligent Approach to Detect Android Botnet Using Smart Self-adaptive Learning-based PSO-SVM[J]. Knowledge-Based Systems, 2021, 22(2):831-860.
[11]	JIA Heming, LI Yao, SUN Kangjian. Simultaneous Feature Selection Optimization Based on Hybrid Sooty Tern Optimization Algorithm and Genetic Algorithm[N]. Acta Automatica Sinica, 2021-09-08(9).
	贾鹤鸣, 李瑶, 孙康健. 基于遗传乌燕鸥算法的同步优化特征选择[N]. 自动化学报, 2021-09-08(9).
[12]	ALJARAH I, ALA’M A Z, FARIS H, et al. Simultaneous Feature Selection and Support Vector Machine Optimization Using the Grasshopper Optimization Algorithm[J]. Cognitive Computation, 2018, 10(2):478-495. doi: 10.1007/s12559-017-9542-9 URL
[13]	ALABERT A, BERTI A, CABALLERO R, et al. No-free-lunch Theorems in the Continuum[J]. Theoretical Computer Science, 2015, 60(2):98-106.
[14]	JIAO Shan, CHONG Guoshuang, HUANG Changcheng, et al. Orthogonally Adapted Harris Hawks Optimization for Parameter Estimation of Photovoltaic Models[J]. Energy, 2020, 20(3):732-763.
[15]	QAIS M H, HASANIEN H M, ALGHUWAINEM S. Parameters Extraction of Three-diode Photovoltaic Model Using Computation and Harris Hawks Optimization[J]. Energy, 2020, 19(5):649-670.
[16]	HEIDARI A A, MIRJALILI S, FARIS H, et al. Harris Hawks Optimization: Algorithm and Applications[J]. Future Generation Computer Systems, 2019, 32(3):849-872.
[17]	TIZHOOSH H R. Opposition-based Learning: A New Scheme for Machine Intelligence[C]// IEEE. Proceedings of Computational Intelligence for Modelling, November 28-30, 2005, Vienna, Austria. New York: IEEE, 2005: 695-701.
[18]	TANG Andi, HAN Tong, XU Dengwu, et al. Chaotic elite Harris Hawks Optimization Algorithm[J]. Journal of Computer Applications, 2021, 41(8):2265-2272.
	汤安迪, 韩统, 徐登武, 等. 混沌精英哈里斯鹰优化算法[J]. 计算机应用, 2021, 41(8):2265-2272.
[19]	TAHERI L, FITRIAH A, LASHKARI A. H. et al. Extensible Android Malware Detection and Family Classification Using Network-flows and API-Calls[C]// IEEE. 53rd International Carnahan Conference on Security Technology, October 1-3, 2019, Chennai, India. New York: IEEE, 2019: 1-8.

公式	维度	范围
$F1\left( x \right)=\underset{i=1}{\overset{n}{\mathop \sum }}\,{{x}_{i}}^{2}$	30	[-100,100]
$F2\left( x \right)=\underset{i=1}{\overset{n}{\mathop \sum }}\,\left\| {{x}_{i}} \right\|+\underset{i=1}{\overset{n}{\mathop \prod }}\,\left\| {{x}_{i}} \right\|$	30	[-10,10]
$F3\left( x \right)=\underset{i=1}{\overset{n}{\mathop \sum }}\,{{\left( \underset{j=i}{\overset{i}{\mathop \sum }}\,{{x}_{j}} \right)}^{2}}$	30	[-100,100]
$F4\left( x \right)=\text{ma}{{\text{x}}_{i}}\left\{ \left\| {{x}_{i}} \right\|,1\le i\le n \right\}$	30	[-100,100]
$F5\left( x \right)=\underset{i=1}{\overset{n-1}{\mathop \sum }}\,\left[ 100{{\left( {{x}_{i+1}}-{{x}_{i}}^{2} \right)}^{2}}+{{\left( {{x}_{i}}-1 \right)}^{2}} \right]$	30	[-1.28,1.28]
$F6\left( x \right)=\frac{1}{4000}\underset{i=1}{\overset{n}{\mathop \sum }}\,{{x}_{i}}^{2}-\underset{i=1}{\overset{n}{\mathop \prod }}\,\cos \left( \frac{{{x}_{i}}}{\sqrt{i}} \right)+1$	30	[-600,600]
$F7\left( x \right)=\underset{i=1}{\overset{d}{\mathop \sum }}\,\left\| {{x}_{i}}\text{sin}\left( {{x}_{i}} \right)+0.1{{x}_{i}} \right\|$	30	[-10,10]
$F8\left( x \right)=1-\text{cos}\left( 2\text{ }\!\!\pi\!\!\text{ }\sqrt{\underset{i=1}{\overset{d}{\mathop \sum }}\,{{x}_{i}}^{2}} \right)+0.1\sqrt{\underset{i=1}{\overset{d}{\mathop \sum }}\,{{x}_{i}}^{2}}$	30	[-100,100]

测试函数	算法	IHHO	HHO	SSA	WOA	CEHHO
F1	Average	0.00E+00	3.02E-98	5.11E-46	1.51E-71	9.64E-111
F1	St.d	0.00E+00	1.58E-98	2.67E-46	6.92E-71	4.58E-111
F2	Average	1.71E-258	7.56E-50	6.73E-28	8.94E-45	1.24E-57
F2	St.d	0.00E+00	2.10E-49	5.51E-28	2.34E-45	8.37E-57
F3	Average	0.00E+00	1.28E-77	4.35E-34	4.45E+04	3.54E-95
F3	St.d	0.00E+00	7.02E-77	1.54E-34	1.53E+04	5.81E-95
F4	Average	2.96E-258	1.86E-47	8.19E-31	4.91E+01	4.96E-61
F4	St.d	0.00E+00	9.19E-47	3.36E-31	3.08E+01	8.34E-61
F5	Average	5.56E-06	8.94E-05	1.70E-03	2.99E-03	8.64E-05
F5	St.d	8.92E-07	9.91E-05	1.01E-03	3.20E-03	2.29E-05
F6	Average	0.00E+00	9.02E-05	0.00E+00	0.00E+00	0.00E+00
F6	St.d	0.00E+00	1.85E-05	0.00E+00	0.00E+00	0.00E+00
F7	Average	2.78E-256	1.53E-56	7.35E-20	1.83E-46	3.28E-42
F7	St.d	0.00E+00	5.65E-56	2.52E-21	8.89E-46	7.15E-42
F8	Average	0.00E+00	3.36E-49	5.92E-35	1.34E-42	6.06E-77
F8	St.d	0.00E+00	1.38E-48	3.11E-35	6.87E-41	2.59E-77

数据集名	样本数	特征数	类别数
wine	178	13	3
segment	2310	19	7
spectfheart	267	44	2
sonar	208	60	2
CIAM	2000	65	2

算法	wine		segment		spectfheart		sonar		CICInvesAndMal
算法	特征数	Acc	特征数	Acc	特征数	Acc	特征数	Acc	特征数	Acc
卡方检验	4	0.907	5	0.910	14	0.814	15	0.777	15	0.725
互信息法	4	0.907	5	0.916	14	0.839	15	0.841	15	0.786
RFRFE	4	0.907	5	0.919	14	0.814	15	0.809	15	0.795
XGBoostF	4	0.907	5	0.975	14	0.862	15	0.841	15	0.801
WOA	5.6	0.963	4.8	0.972	17.2	0.887	18.9	0.929	14.3	0.828
SSA	3.7	0.957	5.5	0.935	17.3	0.895	25.8	0.938	14.9	0.816
HHO	4.5	0.968	4.6	0.973	15.7	0.889	21.1	0.942	13.5	0.820
CEHHO	3.8	0.968	5.1	0.981	16.5	0.912	18.9	0.936	13.8	0.825
IHHO	3.7	0.972	4.6	0.978	12.4	0.905	15.6	0.968	13.2	0.831

算法	特征数	Acc	适应度	运行时间/ms
NB	9.5	0.628	0.348	9.4
RF	30.5	0.808	0.215	317
SVM	25.8	0.633	0.387	164
LightGBM	21.2	0.827	0.185	86.3
XGBoost	13.6	0.832	0.171	88.3