A Malware Detection Method Based on XGBoost and LightGBM Two-layer Model

doi:10.3969/j.issn.1671-1122.2020.12.008

Abstract

Abstract:

At present, most of the malware detection methods based on network traffic rely on expert experience to acquire features. This process is time-consuming and laborious, and less traffic features are extracted. At the same time, the complexity of traditional feature engineering will greatly increase when the feature dimension is high. According to the above problem, this paper presents a use of limit gradient tree (XGBoost) and lightweight gradient hoist (LightGBM) malware detection method of double model, in the access network traffic and extract the target software related characteristics, using the characteristics of filtering method and mutual information method, and the data set into the first floor training XGBoost model, combined with the grid search of ways to get the optimal parameter combination, for obtaining the best XGBoost model in each sample of each tree in the leaf node position, to create a new collection, The LightGBM model is used to train the new data set so as to obtain the final detection model. The experimental results show that compared with other detection methods, the accuracy and real-time performance of the malware detection proposed in this paper are significantly improved.

Key words: malware detection, flow characteristics, extreme gradient boosting, LightGBM, grid search

CLC Number:

TP309

XU Guotian, SHEN Yaotong. A Malware Detection Method Based on XGBoost and LightGBM Two-layer Model[J]. Netinfo Security, 2020, 20(12): 54-63.

Figures/Tables 15

References 13

[1]	CUI Yanpeng, YAN Bo, HU Jianwei. Android Malware Detection Method Based on Abstract API Call Sequence[J]. Computer Applications and Software, 2019,36(9):321-326.
	崔艳鹏, 颜波, 胡建伟. 基于抽象API调用序列的Android恶意软件检测方法[J]. 计算机应用与软件, 2019,36(9):321-326.
[2]	HOU Liuyang, LUO Senlin, PAN Limin, et al. Multi-feature Android Malware Detection Method[J]. Netinfo Security, 2020,20(1):67-74.
	侯留洋, 罗森林, 潘丽敏, 等. 融合多特征的Android恶意软件检测方法[J]. 信息网络安全, 2020,20(1):67-74.
[3]	ZHANG Zhen, CAO Tianjie. Detecting Android Malware Based on Matching Sequence of Behavioral Characteristic Value[J]. Computer Engineering and Applications, 2018,54(24):97-102.
	张震, 曹天杰. 行为特征值序列匹配检测Android恶意应用[J]. 计算机工程与应用, 2018,54(24):97-102.
[4]	ZHANG Chaoqin, HU Guangwu, WANG Zhenlong, et al. A Novel SVM-Based Detection Method For Android Malware[J]. Computer Applications and Software, 2018,35(10):292-298.
	张超钦, 胡光武, 王振龙, 等. 一种基于支持向量机的安卓恶意软件新型检测方法[J]. 计算机应用与软件, 2018,35(10):292-298.
[5]	LI Hao, MA Kun, CHEN Zhenxiang, et al. Unknown Malware Detection Based on Network Traffic Analysis[J]. Journal of Jinan University, 2019,33(6):500-505.
	李浩, 马坤, 陈贞翔, 等. 基于网络流量分析的未知恶意软件检测[J]. 济南大学学报(自然科学版), 2019,33(6):500-505.
[6]	WANG Shuwei, ZHANG Linjie, JIA Zhe, et al. Android Malware Recognition Based on Network Traffic[J]. Radio Engineering, 2020,50(7):612-618.
	王澍玮, 张林杰, 贾哲, 等. 基于网络流量的安卓恶意软件识别[J]. 无线电工程, 2020,50(7):612-618.
[7]	PENG Guojun, LI Jingwen, SUN Runkang, et al. Android Malware Detection Research and Development[J]. Journal of Wuhan University (Science Edition), 2015,61(1):21-33.
	彭国军, 李晶雯, 孙润康, 等. Android恶意软件检测研究与进展[J]. 武汉大学学报(理学版), 2015,61(1):21-33.
[8]	LI Zhanshan, LIU Zhaogeng. Feature Selection Algorithm Based on XGBoost[J]. Journal on Communications, 2019,40(10):101-108.
	李占山, 刘兆赓. 基于XGBoost的特征选择算法[J]. 通信学报, 2019,40(10):101-108.
[9]	WANG Shengwu, CHEN Hongmei. Feature Selection Method Based on Rough Sets and Improved Whale Optimization Algorithm[J]. Computer Science, 2020,47(2):44-50.
	王生武, 陈红梅. 基于粗糙集和改进鲸鱼优化算法的特征选择方法[J]. 计算机科学, 2020,47(2):44-50.
[10]	BIAN Lingyu, ZHANG Linlin, ZHAO Kai, et al. Ethereum Malicious Account Detection Method Based on LightGBM[J]. Netinfo Security, 2020,20(4):73-80.
	边玲玉, 张琳琳, 赵楷, 等. 基于LightGBM的以太坊恶意账户检测方法[J]. 信息网络安全, 2020,20(4):73-80.
[11]	HE X R, PAN J F, JIN O, et al. Practical Lessons from Predicting Clicks on Ads at Facebook[C]// ACM SIGKDD. The 8th International Workshop on Data Mining for Online Advertising, August 24, 2014, New York,USA. New York:ACM SIGKDD, 2014: 1-9.
[12]	WANG Yao, LI Wei, WU Kehe, et al. Application of Fusion Model of GBDT and LR in Encrypted Traffic Identification[J]. Computer and Modernization, 2020(3):93-98.
	王垚, 李为, 吴克河, 等. GBDT与LR融合模型在加密流量识别中的应用[J]. 计算机与现代化, 2020(3):93-98.
[13]	LAYA T H, ANDI F A, ARASH H L. Extensible Android Malware Detection and Family Classification Using Network-flows and API-calls[J]. The IEEE(53rd) International Carnahan Conference on Security Technology, 2019,4(1):26-30.

参数	最优值
n_estimators	88
eta	0.2
max_depth	6
min_child_weight	1
gamma	0
subsample	0.9
colsample_bytree	0.5

序号	特征名称	特征描述
1	fl_dur	数据流持续时间
2	tot_fw_pk	转发总包数
3	tot_bw_pk	反向转发总包数
4	tot_l_fw_pkt	报文总大小
5	fw_pkt_l_max	正向报文最大数据包大小
6	fw_pkt_l_min	正向报文最小数据包大小
7	fw_pkt_l_avg	正向报文平均大小
8	fw_pkt_l_std	数据包正向的标准偏差大小
9	Bw_pkt_l_max	反向最大包数
10	Bw_pkt_l_min	反向最小包数
…	…	…

真实类别	正例	反例
正例	TP（真正例）	FP（假正例）
反例	FN（假反例）	TN（真反例）

模型方法	Accuracy	Recall	F1	Precision
SVM	0.583	0.897	0.677	0.545
RF	0.814	0.859	0.821	0.802
AdaBoost	0.842	0.858	0.841	0.826
GBDT	0.880	0.896	0.879	0.864
XGBoost	0.886	0.900	0.885	0.871
LightGBM	0.875	0.904	0.876	0.851
MLP	0.816	0.837	0.816	0.800
本文模型	0.945	0.950	0.946	0.942

模型方法	Accuracy	Recall	F1	Precision
RF+LR	0.942	0.954	0.943	0.933
RF+XGBoost	0.904	0.925	0.906	0.893
RF+LightGBM	0.903	0.916	0.904	0.899
XGBoost+XGBoost	0.944	0.932	0.945	0.944
本文模型	0.945	0.950	0.946	0.942