Malicious code forensics based on data mining

According to the characteristics of the electronic evidence that malicious code leaves behind, a weighted FP-Growth frequent-pattern mining algorithm was proposed for malicious code forensics. Different API call sequences were assigned different weights according to their threat level, so that the frequent patterns of the most dangerous malicious code are obtained and the analysis results are more accurate. On top of the weighted FP-Growth algorithm, an analysis and forensics method for malicious code was proposed: the processes, registry, file records and port numbers used by the malicious code are monitored to record its behaviour, the resulting electronic evidence is mined and analysed, and a forensics report is generated. Compared with the original FP-Growth algorithm, the weighted algorithm achieves higher accuracy when used for evidence analysis. Concrete examples also verified the feasibility of the method and its effect on the host.
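The following is an added worked example, not code from the paper. It implements FP-Growth over weighted transactions and runs it on a constructed set of API-call traces so that the weighted and unweighted results can be compared. The abstract does not define how threat weights are combined, so the scheme used here is an assumption: each trace is weighted by the highest threat weight of any API it contains, and a pattern's weighted support is the sum of the weights of the traces containing it. With fixed per-trace weights this support is anti-monotone, so the standard FP-tree and conditional-pattern-base recursion apply unchanged. The API names are real Win32 calls, but the traces, the weights and the thresholds are invented for illustration.

```python
"""Weighted FP-Growth over API-call evidence (added example, not the paper's code).

Assumed weighting scheme: a transaction's weight is the highest threat
weight of any API it contains, and the weighted support of a pattern is
the sum of the weights of the transactions containing it.
"""
from collections import defaultdict

# Constructed sample evidence: the set of APIs called by six monitored
# processes. The traces are invented, only the API names are real.
API_CALLS = [
    {"CreateFileW", "WriteFile", "RegSetValueExW", "CreateRemoteThread"},
    {"CreateFileW", "WriteFile", "RegSetValueExW", "WSAConnect"},
    {"CreateFileW", "ReadFile"},
    {"RegSetValueExW", "CreateRemoteThread", "WriteProcessMemory"},
    {"CreateFileW", "WriteFile", "CreateRemoteThread", "WriteProcessMemory"},
    {"ReadFile", "WSAConnect"},
]

# Assumed threat weights in (0, 1]: injection primitives weigh most,
# ordinary file I/O least. APIs not listed get DEFAULT_WEIGHT.
THREAT_WEIGHTS = {
    "CreateRemoteThread": 1.0, "WriteProcessMemory": 1.0,
    "RegSetValueExW": 0.6, "WSAConnect": 0.5,
    "CreateFileW": 0.2, "WriteFile": 0.2, "ReadFile": 0.1,
}
DEFAULT_WEIGHT = 0.1


class FPNode:
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.parent = item, parent
        self.count, self.children = 0.0, {}


def build_tree(transactions, min_wsup):
    """Build an FP-tree from (item_set, weight) pairs, keeping only items whose
    weighted support reaches min_wsup. Returns (header_table, frequent_items)."""
    support = defaultdict(float)
    for items, w in transactions:
        for it in items:
            support[it] += w
    frequent = {it: s for it, s in support.items() if s >= min_wsup}
    root, header = FPNode(None, None), defaultdict(list)
    for items, w in transactions:
        # Insert in descending support order so common prefixes share nodes.
        node = root
        for it in sorted((i for i in items if i in frequent),
                         key=lambda i: (-frequent[i], i)):
            child = node.children.get(it)
            if child is None:
                child = FPNode(it, node)
                node.children[it] = child
                header[it].append(child)
            child.count += w          # weighted, not integer, count
            node = child
    return header, frequent


def mine(transactions, min_wsup, suffix=(), out=None):
    """FP-Growth recursion: returns {frozenset(pattern): weighted_support}."""
    out = {} if out is None else out
    header, frequent = build_tree(transactions, min_wsup)
    for item in sorted(frequent, key=lambda i: (frequent[i], i)):
        pattern = (item,) + suffix
        out[frozenset(pattern)] = frequent[item]
        # Conditional pattern base: every prefix path leading to a node of
        # `item`, carrying that node's accumulated weighted count.
        cond = []
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            if path:
                cond.append((set(path), node.count))
        if cond:
            mine(cond, min_wsup, pattern, out)
    return out


def transaction_weight(items, weights=THREAT_WEIGHTS):
    return max(weights.get(it, DEFAULT_WEIGHT) for it in items)


def mine_weighted(api_calls, min_wsup, weights=THREAT_WEIGHTS):
    return mine([(set(c), transaction_weight(c, weights)) for c in api_calls], min_wsup)


def mine_unweighted(api_calls, min_sup):
    """Original FP-Growth: every transaction weighs 1, so support is a plain count."""
    return mine([(set(c), 1.0) for c in api_calls], min_sup)


def report(patterns, top=5):
    """Report lines, strongest and longest patterns first."""
    ranked = sorted(patterns.items(),
                    key=lambda kv: (-kv[1], -len(kv[0]), sorted(kv[0])))
    return ["%.2f  %s" % (s, " + ".join(sorted(p))) for p, s in ranked[:top]]


if __name__ == "__main__":
    print("original FP-Growth, min_sup=3:")
    print("\n".join(report(mine_unweighted(API_CALLS, 3))))
    print("weighted FP-Growth, min_wsup=2.0:")
    print("\n".join(report(mine_weighted(API_CALLS, 2.0))))
```

On this sample the unweighted run with a support threshold of 3 reports only file-handling patterns such as CreateFileW + WriteFile, because the injection APIs occur in too few traces. The weighted run with a threshold of 2.0 keeps those and additionally surfaces CreateRemoteThread + WriteProcessMemory and CreateFileW + WriteFile + CreateRemoteThread, since high-threat traces contribute more to support than benign-looking ones. The threshold must be chosen per weighting scheme; a weighted threshold is not comparable to a raw count.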
