
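Malicious code detection based on heterogeneous information network
Cite this article: LIU Yashu, HOU Yueran, YAN Hanbing. Malicious code detection based on heterogeneous information network[J]. Journal of Beijing University of Aeronautics and Astronautics, 2022, 48(2): 258-265.
Authors: LIU Yashu, HOU Yueran, YAN Hanbing
Affiliation: 1. School of Electrical and Information Engineering, Beijing University of Civil Engineering and Architecture, Beijing 100044
Funding: National Key R&D Program of China (2018YFB0803604, 2018YFB0804704); National Natural Science Foundation of China (U1736218)
Abstract: Malicious code poses a serious threat to network security and information security. How to detect malicious code quickly, and how to prevent and reduce the harm it causes, has long been a problem in urgent need of a solution. By obtaining dynamic information from malicious applications and constructing a heterogeneous information network (HIN), a method for describing the dynamic features of malicious code is proposed, and malicious code detection and classification are implemented. Four kinds of meta graphs over three types of objects, FILE, API and DLL, are constructed to characterize the network schema of the malicious code HIN. An improved random walk strategy captures as much context information as possible for the object nodes in the meta graphs; this context is used as the input of the continuous bag of words (CBOW) model to obtain a network embedding of word vectors. The principal angle analysis model is improved with a voting method to obtain classification results that fuse the features of multiple meta graphs. When only limited information is available, the method greatly improves on the classification accuracy of malicious samples achieved with single meta graph features.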

Keywords: malicious code; heterogeneous information network (HIN); random walk; continuous bag of words (CBOW); meta graph
Received: 2020-09-23

Malicious code detection based on heterogeneous information network
LIU Yashu,HOU Yueran,YAN Hanbing.Malicious code detection based on heterogeneous information network[J].Journal of Beijing University of Aeronautics and Astronautics,2022,48(2):258-265.
Authors: LIU Yashu, HOU Yueran, YAN Hanbing
Institution: 1. School of Electrical and Information Engineering, Beijing University of Civil Engineering and Architecture, Beijing 100044, China; 2. Institute of Network Technology, Beijing University of Posts and Telecommunication, Beijing 100876, China; 3. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
Abstract: Malicious code poses serious threats to network and information security. How to detect malware rapidly and how to eliminate and reduce the hazard caused by malware are important research topics. The paper presents a method to obtain dynamic features of malware using dynamic information and a heterogeneous information network (HIN), and implements malicious code detection and classification. Four meta graph schemes over FILE, API and DLL objects are proposed, and the network schema of the malicious code HIN is described. An improved random walk strategy is used to obtain the context information of the object nodes in the meta graph schemes, which serves as the input of the continuous bag of words (CBOW) model in order to get a network embedding of word vectors. The principal angle method is improved by voting to get the classification result of multiple meta graph schemes with feature fusion. The proposed method greatly improves the classification accuracy of malware based on the features of each meta graph when limited information is available.
This article is indexed in Wanfang Data and other databases.