Malicious Program Ontology Rule Set Based on Association Decision and Linear Discriminant

International Journal of Electronic Security and Digital Forensics (2024)

Abstract
Aiming at the problems of poor scalability and the long time needed to build inference rule sets manually for a malware domain ontology, an automatic generation method for malware ontology rule sets is proposed. We extract the behaviour characteristics of malicious programs by defining a formal extended description method based on the frequency of API calls made by malicious programs, combined with the frequency of the API functions themselves. Based on association rules and decision trees, the behaviour characteristics of malicious programs are mined to form a fine-grained, redefined rule set of malicious program categories, and the SWRL rule language is used to semantically transform the rule set. In addition, coarse-grained classification of program behaviour rules is implemented with the Fisher linear discriminant algorithm. The generation efficiency of the malware ontology rules produced by our method is 10.08 pieces/second, and the inference detection rate on unknown samples reaches 89.92%.
Keywords

malicious programs, behaviour ontology, SWRL rule set, API functions, behaviour characteristics