Sensitive system calls based packed malware variants detection using principal component initialized MultiLayers neural networks
Cybersecurity ( IF 3.9 ) Pub Date : 2018-09-10 , DOI: 10.1186/s42400-018-0010-y
Jixin Zhang , Kehuan Zhang , Zheng Qin , Hui Yin , Qixin Wu

Malware detection has become mission sensitive as its threats spread from computer systems to Internet of Things systems. Modern malware variants are generally equipped with sophisticated packers, which allow them to bypass modern machine-learning-based detection systems. To detect packed malware variants, unpacking techniques and dynamic malware analysis are the two choices. However, unpacking techniques are not always useful, since some packers, such as private packers, are hard to unpack. Although dynamic malware analysis can obtain the running behaviours of executables, the unpacking behaviours of packers add noisy information to the real behaviours of executables, which has a bad effect on accuracy. To overcome these challenges, in this paper we propose a new method which first extracts a series of system calls that are sensitive to malicious behaviours, then uses principal component analysis to extract features of these sensitive system calls, and finally adopts multi-layer neural networks to classify the features of malware variants and legitimate executables. Theoretical analysis and real-life experimental results show that our packed malware variants detection technique is comparable with the state-of-the-art methods in terms of accuracy. Our approach can achieve more than 95.6% detection accuracy and 0.048 s of classification time cost.
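As an added illustration (not code from the paper), the pipeline sketched above in pure Python: relative-frequency features over an assumed list of sensitive system calls, the top-k principal components by power iteration, and a hidden layer whose initial weights are those components, which is our reading of "principal component initialized"; the call list and the traces are constructed, not the authors' data.

```python
import math

# Assumed list of "sensitive" system calls; the paper's actual list is not on this page.
SENSITIVE = ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
             "RegSetValue", "connect", "CreateFile"]

# Constructed sample traces (label 1 = malware, 0 = legitimate), not real data.
TRACES = [
    (1, ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "connect", "VirtualAlloc", "NtClose"]),
    (1, ["VirtualAlloc", "RegSetValue", "connect", "connect", "WriteProcessMemory", "NtClose"]),
    (0, ["CreateFile", "NtClose", "CreateFile", "ReadFile"]),
    (0, ["CreateFile", "connect", "NtClose"]),
]

def feature_vector(trace):
    """Relative frequency of each sensitive call; other calls (e.g. NtClose) are dropped as noise."""
    counts = [trace.count(call) for call in SENSITIVE]
    total = sum(counts) or 1
    return [c / total for c in counts]

def principal_components(rows, k, iters=1000):
    """Top-k principal components of the row matrix via power iteration with deflation.
    Returns (mean, components, eigenvalues); components are unit vectors, eigenvalues descending."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    cov = [[sum((r[a] - mean[a]) * (r[b] - mean[b]) for r in rows) / n
            for b in range(d)] for a in range(d)]
    comps, eigs = [], []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[a] * cov[a][b] * v[b] for a in range(d) for b in range(d))  # Rayleigh quotient
        comps.append(v)
        eigs.append(lam)
        cov = [[cov[a][b] - lam * v[a] * v[b] for b in range(d)] for a in range(d)]  # deflate
    return mean, comps, eigs

def pca_initialised_layer(rows, k):
    """Hidden layer whose k weight rows start as the top-k PCs (assumed reading of
    'principal component initialised'); training would refine them from here."""
    mean, weights, _ = principal_components(rows, k)
    def forward(x):
        centred = [x[j] - mean[j] for j in range(len(x))]
        return [math.tanh(sum(w[j] * centred[j] for j in range(len(x)))) for w in weights]
    return forward

X = [feature_vector(t) for _, t in TRACES]
HIDDEN = pca_initialised_layer(X, 2)
PROJECTIONS = [HIDDEN(x) for x in X]  # 2-d activations per sample, input to the next layers
```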

Updated: 2018-09-10