Malicious Code Forensics based on Data Mining

According to the characteristics of electronic evidence generated by malicious codes, a weighted FP-Growth frequent pattern mining algorithm was proposed for malicious code forensics. Different API call sequences were assigned different weights according to their threaten degree to obtain frequent patterns of serious malicious codes and more accurate analysis results. Based on the weighted FP-Growth algorithm, an analysis and forensics method for malicious codes was proposed. By monitoring the malicious code processes, registry, file recording and port number to record its behavior, electronic evidence of malicious codes was obtained and analyzed to generate the forensics report. Compared with the original FP-Growth algorithm, the weighted algorithm can obtain higher accuracy when used for evidence analysis. Specific examples also verified the feasibility of the method and the effect of the host.