信息密度增强的恶意代码可视化与自动分类方法

刘亚姝; 王志海; 侯跃然; 严寒冰

doi:10.16511/j.cnki.qhdxxb.2018.22.054

PDF(1463 KB)

清华大学学报（自然科学版） ›› 2019, Vol. 59 ›› Issue (1) : 9-14. DOI: 10.16511/j.cnki.qhdxxb.2018.22.054

信息安全

信息密度增强的恶意代码可视化与自动分类方法

刘亚姝^1,2, 王志海¹, 侯跃然³, 严寒冰⁴

作者信息 +

Malware visualization and automatic classification with enhanced information density

LIU Yashu^1,2, WANG Zhihai¹, HOU Yueran³, YAN Hanbing⁴

Author information +

文章历史 +

摘要

计算机及网络技术的发展致使恶意代码数量每年以指数级数增长，对网络安全构成了严重的威胁。该文将恶意代码逆向分析与可视化相结合，提出了将可移植可执行（PE）文件的“.text”段函数块的操作码序列simHash值可视化的方法，不仅提高了恶意代码可视化的效率，而且解决了操作码序列simHash值相似性判断困难的问题。实验结果表明：该可视化方法能够获得有效信息密度增强的分类特征；与传统恶意代码可视化方法相比，该方法更高效，分类结果更准确。

Abstract

The development of computers and networking has been accompanied by exponential increases in the amount of malware which greatly threaten cyber space applications. This study combines the reverse analysis of malicious codes with a visualization method in a method that visualizes operating code sequences extracted from the ".text" section of portable and excutable (PE) files. This method not only improves the efficiency of malware, but also solves the difficulty of simHash similarity measurements. Tests show that this method identifies more effective features with higher information densities. This method is more efficient and has better classification accuracy than traditional malware visualization methods.

导出引用

刘亚姝, 王志海, 侯跃然, 严寒冰. 信息密度增强的恶意代码可视化与自动分类方法[J]. 清华大学学报（自然科学版）. 2019, 59(1): 9-14 https://doi.org/10.16511/j.cnki.qhdxxb.2018.22.054

LIU Yashu, WANG Zhihai, HOU Yueran, YAN Hanbing. Malware visualization and automatic classification with enhanced information density[J]. Journal of Tsinghua University(Science and Technology). 2019, 59(1): 9-14 https://doi.org/10.16511/j.cnki.qhdxxb.2018.22.054

参考文献

[1] 百度百科. 恶意代码[R/OL].[2018-07-12]. https://baike.baidu.com/item/%E6%81%B6%E6%84%8F%E4%BB%A3%-E7%A0%81. Baidu Encyclopedia. Malware entry[R/OL].[2018-07-12]. https://baike.baidu.com/item/%E6%81%B6%E6%84%-8F%E4%BB%A3%E7%A0%81. (in Chinese)
[2] 国家互联网应急中心. 网络安全信息与动态周报[R/OL].[2018-07-12]. http://www.cert.org.cn/publish/main/upload/File/2018CNCERT12.pdf. National Internet Emergency Center. Network security information and trends weekly report[R/OL].[2018-07-12]. http://www.cert.org.cn/publish/main/upload/File/2018CN-CERT12.pdf. (in Chinese)
[3] 陈娟英. 基于亲缘性分析的恶意代码检测技术研究与实现[D]. 成都:电子科技大学, 2014. CHEN J Y. Research and implementation of malicious code detection technology based on affinity analysis[D]. Chengdu:University of Electronic Science and Technology of China, 2014. (in Chinese)
[4] ZHANG Y N, HUANG Q J, MA X J, et al. Using multi-features and ensemble learning method for imbalanced malware classification[C]//2016 IEEE Trustcom/BigDataSE/ISPA. Tianjin, China, 2017:965-973.
[5] EISNER J. Understanding heuristics:Symantec's bloodhound technology[R]. Mountain View, USA:Symantec, 1997.
[6] FIRDAUSI I, LIM C, ERWIN A, et al. Analysis of machine learning techniques used in behavior-based malware detection[C]//2nd International Conference on Advances in Computing, Control, and Telecommunication Technologies. Jakarta, Indonesia, 2010:201-203.
[7] RIECK K, TRINIUS P, WILLEMS C, et al. Automatic analysis of malware behavior using machine learning[J]. Journal of Computer Security, 2011, 19(4):639-668.
[8] 王蕊, 冯登国, 杨轶, 等. 基于语义的恶意代码行为特征提取及检测方法[J]. 软件学报, 2012, 23(2):378-393. WANG R, FENG D G, YANG Y, et al. Semantics-based malware behavior signature extraction and detection method[J]. Journal of Software, 2012, 23(2):378-393. (in Chinese)
[9] SAXE J, BERLIN K. Deep neural network based malware detection using two dimensional binary program features[C]//10th International Conference on Malicious and Unwanted Software. Fajardo, Puerto Rico, 2015:11-20.
[10] CONTI G, BRATUS S, SANGSTER B, et al. Automated mapping of large binary objects using primitive fragment type classification[J]. Digital Investigation, 2010, 7:S3-S12.
[11] NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware images:Visualization and automatic classification[C]//8th International Symposium on Visualization for Cyber Security. Pittsburgh, USA, 2011:21-29.
[12] HAN K S, LIM J H, KANG B, et al. Malware analysis using visualized images and entropy graphs[J]. International Journal of Information Security, 2015, 14(1):1-14.
[13] CHARIK M S. Similarity estimation techniques from rounding algorithms[C]//34th Annual ACM Symposium on the Theory of Computing. Montreal, Canada, 2002:380-388.
[14] MANKU G S, JAIN A, SARMA A D. Detecting near-duplicates for web crawling[C]//16th International Conference on World Wide Web. Banff, Canada, 2007:141-150.
[15] UDDIN M S, ROY C K, SCHNEIDER K A, et al. On the effectiveness of simHash for detecting near-miss clones in large scale software systems[C]//18th Working Conference on Reverse Engineering. Limerick, Ireland, 2011:13-22.
[16] 乔延臣. 恶意代码同源判断技术研究[D]. 北京:中国科学院大学, 2016. QIAO Y C. Research on malware homologous judgment technology[D]. Beijing:University of Chinese Academy of Sciences, 2016. (in Chinese)
[17] OLIVA A, TORRALBA A. Modeling the shape of a scene:A holistic representation of the spatial envelope[J]. International Journal of Computer Vision, 2001, 42(3):145-175.
[18] OJALA T, PIETIKÄINEN M, HARWOOD D. A comparative study of texture measures with classification based on feature distribution[J]. Pattern Recognition, 1996, 29(1):51-59.