| Input: executedOriginalData // the set of collected traffic data packets |
| Output: identifyMaliciousData // the set of identified malware |
(1) | Construct executedOriginalFeatureSet = null;// store feature attributes extracted from network traffic packets |
(2) | Construct identifyMaliciousData = null;// the set of identified malware |
(3) | Construct executedNormalizationData = null;// store normalized data |
(4) | executedOriginalData = collectNetworkFlow();// use NetFlow to collect data packets for assignment |
(5) | for each data packet p in executedOriginalData_train do |
(6) | executedNormalizationData = dataNormalization();// to complete data sampling and normalization |
(7) | end for |
(8) | for each data packet p in executedNormalizationData do |
(9) | executedOriginalFeatureSet = useReliefFCompleteFeatureExtracted(executedNormalizationData_p); |
(10) | for each feature k in executedOriginalFeatureSet do |
(11) | temp = compare(executedOriginalFeatureSet_k, ∂);// compare each extracted feature attribute k with a threshold ∂ and return the value temp |
(12) | if (temp == 1) then |
(13) | deleteFeature(executedOriginalFeatureSet_k);// delete this feature attribute |
(14) | end if |
(15) | end for |
(16) | executedFirstFeatureSet = outputFeatureExtraction();// retain the feature attributes extracted from each packet |
(17) | end for |
(18) | for each feature j in executedFirstFeatureSet do |
(19) | use information gain technology to calculate and evaluate each feature; |
(20) | normalizedFeature = sencondExtraction(executedFirstFeatureSet_j); // sort feature attributes and use Wrapper for second feature extraction |
(21) | end for |
(22) | realizeUnit();// convert to unitless values and keep the data at the same order of magnitude |
(23) | classifyModel = useOFSVMAlgorim(normalizedFeature);// generate the classification model |
(24) | identifyMalware(classifyModel, executedOriginalData_test); |
(25) | return identifyMaliciousData; |
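
Steps (5) to (17) of the listing, carried out on a small two-class data set, as an added example that is not code from the original page or its authors. The flow records, feature names, k, the threshold value and the rule that a feature is deleted when its ReliefF weight falls below the threshold are all assumptions made for illustration.

```python
# Added example: normalization + ReliefF threshold filter, steps (5)-(17).
# Flow records, feature names, k and the threshold are all constructed.
FEATURES = ["syn_ratio", "bytes", "dst_port_entropy"]
FLOWS = [  # (raw feature vector, label): 1 = malicious, 0 = benign
    ([0.9, 1000, 3.0], 1), ([1.0, 5000, 2.8], 1), ([0.8, 3000, 3.2], 1),
    ([0.1, 1000, 0.4], 0), ([0.0, 5000, 0.2], 0), ([0.2, 3000, 0.0], 0),
]

def normalize(rows):
    """Min-max scale every column to [0, 1] so per-feature diffs compare."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]

def relieff_weights(rows, labels, k=2):
    """Two-class ReliefF: reward features that differ on the k nearest
    misses (other class), penalise those that differ on the k nearest hits."""
    n, d = len(rows), len(rows[0])
    w = [0.0] * d
    dist = lambda a, b: sum(abs(x - y) for x, y in zip(a, b))
    for i, (x, y) in enumerate(zip(rows, labels)):
        others = sorted((j for j in range(n) if j != i),
                        key=lambda j: dist(x, rows[j]))
        hits = [j for j in others if labels[j] == y][:k]
        misses = [j for j in others if labels[j] != y][:k]
        for f in range(d):
            w[f] -= sum(abs(x[f] - rows[j][f]) for j in hits) / (n * k)
            w[f] += sum(abs(x[f] - rows[j][f]) for j in misses) / (n * k)
    return w

def filter_features(flows, names, threshold, k=2):
    """Return (weight per feature, names kept). Assumption: a feature is
    deleted when its weight is below the threshold."""
    rows = normalize([v for v, _ in flows])
    w = relieff_weights(rows, [y for _, y in flows], k)
    weights = dict(zip(names, w))
    return weights, [n for n in names if weights[n] >= threshold]

if __name__ == "__main__":
    weights, kept = filter_features(FLOWS, FEATURES, threshold=0.1)
    for name, w in weights.items():
        print(f"{name:18s} {w:+.3f} {'keep' if name in kept else 'drop'}")
```

The `bytes` column has the same spread in both classes, so its weight comes out negative and it is dropped, while the two class-separating features are retained for the later information gain and Wrapper stages.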