State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, Henan 450002, China

ZHAO Binglin (1990-), male, born in Luoyang, Henan; Ph.D. candidate at the State Key Laboratory of Mathematical Engineering and Advanced Computing; main research interests: information security and code security analysis.
MENG Xi (1992-), female, born in Jining, Shandong; master's student at the State Key Laboratory of Mathematical Engineering and Advanced Computing; main research interests: information security and malware analysis.
HAN Jin (1993-), male, born in Bengbu, Anhui; master's student at the State Key Laboratory of Mathematical Engineering and Advanced Computing; main research interests: information security and malware analysis.
WANG Jing (1985-), male, born in Yangling, Shaanxi; lecturer at the State Key Laboratory of Mathematical Engineering and Advanced Computing; main research interest: computer applications and technology.
LIU Fudong (1986-), male, born in Shenyang, Liaoning; Ph.D.; lecturer at the State Key Laboratory of Mathematical Engineering and Advanced Computing; main research interest: parallel and distributed systems.

Online publication date: 2017-11
Print publication date: 2017-11-25
Citation: ZHAO Binglin, MENG Xi, HAN Jin, et al. Homology analysis of malware based on graph [J]. Journal on Communications, 2017, 38(Z2): 86-93. DOI: 10.11959/j.issn.1000-436x.2017259.
Abstract: Malware detection and homology analysis have long been research hotspots in the field of malware analysis. The API call graph extracted from malware can effectively represent its behavior, but because algorithms for the subgraph isomorphism problem have high complexity, malware analysis based on graph-structured features is inefficient. To address this, a method was proposed that processes the malware API call graph with a convolutional neural network. By selecting key nodes and constructing receptive fields from the neighborhoods of those key nodes, the graph-structured data is converted into a form the convolutional neural network can process. Training and testing on malware samples from 8 families show that the accuracy of malware homology analysis reaches 93% and the accuracy of malware detection reaches 96%.
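As an added illustration (not the paper's code), the following Python builds the CNN-ready input the abstract describes: key nodes of an API call graph are selected, and each key node's neighborhood becomes a fixed-size, canonically ordered receptive field that is then encoded as vocabulary indices. The sample graph, the degree-based key-node ranking and the (hop distance, degree, name) ordering rule are constructed assumptions, since the abstract does not specify how the paper makes these choices.

```python
from collections import deque
from typing import Dict, List

# Constructed sample API call graph (not from the paper): an edge points from
# an API to an API observed to be called next in the behavior trace.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "CreateFileA": ["WriteFile", "CloseHandle"],
    "WriteFile": ["CloseHandle"],
    "CloseHandle": [],
    "RegOpenKeyExA": ["RegSetValueExA", "RegCloseKey"],
    "RegSetValueExA": ["RegCloseKey"],
    "RegCloseKey": [],
    "InternetOpenA": ["InternetConnectA"],
    "InternetConnectA": ["HttpSendRequestA", "CreateFileA"],
    "HttpSendRequestA": ["WriteFile"],
}
PAD = "<PAD>"  # placeholder used when a neighborhood has fewer than k nodes

def undirected(graph: Dict[str, List[str]]) -> Dict[str, set]:
    """Symmetrize the call graph so neighborhoods ignore call direction."""
    nbrs = {v: set() for v in graph}
    for u, outs in graph.items():
        for v in outs:
            nbrs[u].add(v)
            nbrs.setdefault(v, set()).add(u)
    return nbrs

def select_key_nodes(graph: Dict[str, List[str]], w: int) -> List[str]:
    """Assumption: the w highest-degree APIs are the key nodes (ties by name)."""
    nbrs = undirected(graph)
    return sorted(nbrs, key=lambda v: (-len(nbrs[v]), v))[:w]

def receptive_field(graph: Dict[str, List[str]], root: str, k: int) -> List[str]:
    """BFS from root, order nodes by (hop distance, -degree, name), pad/truncate to k."""
    nbrs = undirected(graph)
    dist = {root: 0}
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(nbrs[u]):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    ordered = sorted(dist, key=lambda v: (dist[v], -len(nbrs[v]), v))[:k]
    return ordered + [PAD] * (k - len(ordered))  # fixed width for the CNN

def graph_to_tensor(graph: Dict[str, List[str]], w: int, k: int) -> List[List[int]]:
    """Return a w x k matrix of API vocabulary indices: one row per key node."""
    vocab = {PAD: 0}
    for api in sorted(graph):
        vocab[api] = len(vocab)
    return [[vocab[a] for a in receptive_field(graph, r, k)]
            for r in select_key_nodes(graph, w)]
```

Each row of the matrix is a receptive field, so a one-dimensional convolution over the rows plays the role the abstract assigns to the CNN, and the padding row entries let graphs with small components still produce a fixed-shape input.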