Authors
HAN Xiao-guang (韩晓光, born 1981), male, from Handan, Hebei; Ph.D. candidate at University of Science and Technology Beijing; research interests: network and information security, cloud computing.
QU Wu (曲武, born 1981), male, from Daqing, Heilongjiang; postdoctoral researcher at Tsinghua University; research interests: natural language understanding, data mining, big data, network security, cloud computing.
YAO Xuan-xia (姚宣霞, born 1971), female, from Luoyang, Henan; Ph.D., associate professor at University of Science and Technology Beijing; research interests: network and information security, computer networks, wireless sensor networks, P2P networks.
GUO Chang-you (郭长友, born 1976), male, from Linyi, Shandong; Ph.D. candidate at University of Science and Technology Beijing; research interest: network security.
ZHOU Fang (周芳, born 1972), female, from Dazhou, Sichuan; Ph.D., associate professor at University of Science and Technology Beijing; research interests: network security, intrusion detection.
Online publication date: 2014-08
Print publication date: 2014-08-25
Citation: HAN Xiao-guang, QU Wu, YAO Xuan-xia, et al. Research on malicious code variants detection based on texture fingerprint (基于纹理指纹的恶意代码变种检测方法研究) [J]. Journal on Communications (通信学报), 2014, 35(8): 125-136. DOI: 10.3969/j.issn.1000-436x.2014.08.016.
Abstract: A texture-fingerprint-based method for extracting malware features and detecting malware variants is proposed. It combines image analysis with malware variant detection: the malicious code is mapped to an uncompressed gray-scale image, the image is partitioned into blocks by a texture segmentation algorithm, the texture features of each block are extracted with the gray-level co-occurrence matrix algorithm, and the set of per-block texture features forms the texture fingerprint of the malware. An index structure over texture fingerprints is then built from the statistical analysis of the fingerprints of the malware samples. In the detection phase, candidate fingerprint blocks are produced by a texture-fingerprint block generation policy, and variants and unknown malware are detected by weighted multi-segment texture-fingerprint similarity matching. A prototype system for texture fingerprint extraction and detection was implemented on this basis and validated experimentally on six malware sample datasets. The results show that detection on the extracted features is fast and accurate and that the method recognises malware variants well.
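The pipeline the abstract describes, written out as an added example for this page (it is not the authors' prototype system and reproduces neither their texture-segmentation algorithm nor their index structure): bytes become an uncompressed gray-scale image, the image is cut into blocks, a gray-level co-occurrence matrix (GLCM) gives each block a small texture-feature vector, the vectors form the fingerprint, and two fingerprints are compared by a weighted mean over blocks. Everything below that is not in the abstract is an assumption: fixed 8x8 tiles stand in for texture segmentation, 16 gray levels, the four Haralick features used (contrast, energy, homogeneity, entropy), per-block similarity defined as 1 minus the mean absolute feature difference, entropy-based block weights, and the sample bytes, which are constructed (a repeated x86-prologue-like motif plus LCG noise), not real malware.

```python
"""Texture-fingerprint similarity for malware bytes (added example, not the paper's
prototype). Pipeline per the abstract: bytes -> uncompressed gray-scale image ->
blocks -> GLCM texture features per block -> weighted multi-segment similarity.
Assumptions not taken from the paper: fixed 8x8 tiles instead of texture
segmentation, 16 gray levels, four Haralick features, per-block similarity
= 1 - mean absolute feature difference, constructed sample bytes."""
from __future__ import annotations

import math
from typing import Dict, List, Optional, Sequence, Tuple

LEVELS = 16                  # gray levels after quantisation (256 // 16)
BLOCK = 8                    # tile edge in pixels (assumption)
OFFSETS = ((0, 1), (1, 0))   # (dy, dx): horizontal and vertical neighbour pairs
GLCM = Dict[Tuple[int, int], float]


def bytes_to_image(data: bytes, width: int) -> List[List[int]]:
    """One byte -> one pixel (0..255), rows of `width`; the last row is zero-padded."""
    padded = data + b"\x00" * (-len(data) % width)
    return [list(padded[r:r + width]) for r in range(0, len(padded), width)]


def glcm(tile: List[List[int]]) -> GLCM:
    """Symmetric, normalised gray-level co-occurrence matrix of one tile."""
    counts: Dict[Tuple[int, int], int] = {}
    h, w = len(tile), len(tile[0])
    for dy, dx in OFFSETS:
        for y in range(h - dy):
            for x in range(w - dx):
                a = tile[y][x] // (256 // LEVELS)
                b = tile[y + dy][x + dx] // (256 // LEVELS)
                counts[(a, b)] = counts.get((a, b), 0) + 1
                counts[(b, a)] = counts.get((b, a), 0) + 1
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def haralick_features(p: GLCM) -> List[float]:
    """Contrast, energy, homogeneity and entropy, each scaled into [0, 1]."""
    contrast = sum(v * (i - j) ** 2 for (i, j), v in p.items()) / (LEVELS - 1) ** 2
    energy = sum(v * v for v in p.values())
    homogeneity = sum(v / (1 + (i - j) ** 2) for (i, j), v in p.items())
    entropy = -sum(v * math.log2(v) for v in p.values()) / math.log2(LEVELS * LEVELS)
    return [contrast, energy, homogeneity, entropy]


def texture_fingerprint(data: bytes, width: int = 32) -> List[List[float]]:
    """Fingerprint = one feature vector per BLOCK x BLOCK tile, in raster order."""
    assert width % BLOCK == 0, "width must be a multiple of the tile size"
    img = bytes_to_image(data, width)
    while len(img) % BLOCK:              # pad the height so every tile is full
        img.append([0] * width)
    fp = []
    for by in range(0, len(img), BLOCK):
        for bx in range(0, width, BLOCK):
            tile = [row[bx:bx + BLOCK] for row in img[by:by + BLOCK]]
            fp.append(haralick_features(glcm(tile)))
    return fp


def entropy_weights(fp: Sequence[Sequence[float]]) -> List[float]:
    """Weight tiles by their texture entropy so flat padding counts for little (assumption)."""
    return [0.1 + f[3] for f in fp]


def fingerprint_similarity(fp_a, fp_b, weights: Optional[Sequence[float]] = None) -> float:
    """Weighted mean of per-tile similarities; a tile present in only one
    fingerprint (size mismatch) contributes similarity 0. Missing weights default to 1."""
    n = max(len(fp_a), len(fp_b))
    if n == 0:
        return 1.0
    w = list(weights) if weights is not None else []
    w += [1.0] * (n - len(w))
    num = den = 0.0
    for i in range(n):
        if i < len(fp_a) and i < len(fp_b):
            s = 1.0 - sum(abs(x - y) for x, y in zip(fp_a[i], fp_b[i])) / len(fp_a[i])
        else:
            s = 0.0
        num += w[i] * s
        den += w[i]
    return num / den


def lcg_bytes(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes: a constructed stand-in for a packed section."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2 ** 31
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples (not real malware). BASE: 512 bytes of a repeated
# x86-prologue-like motif ("code") followed by 512 noise-like bytes ("packed data").
CODE_MOTIF = bytes.fromhex("558bec83ec109090")
BASE = CODE_MOTIF * 64 + lcg_bytes(512, seed=1)
VARIANT = BASE[:40] + b"\x90" * 16 + BASE[56:]     # 16 code bytes overwritten with NOPs
UNRELATED = bytes(b if i % 16 == 0 else 0 for i, b in enumerate(lcg_bytes(1024, seed=7)))
NOISE_A, NOISE_B = lcg_bytes(1024, seed=3), lcg_bytes(1024, seed=4)   # two "encrypted" payloads


def demo() -> Dict[str, float]:
    base = texture_fingerprint(BASE)
    return {
        "identical": fingerprint_similarity(base, base),
        "variant": fingerprint_similarity(base, texture_fingerprint(VARIANT)),
        "unrelated": fingerprint_similarity(base, texture_fingerprint(UNRELATED), entropy_weights(base)),
        "noise_vs_noise": fingerprint_similarity(texture_fingerprint(NOISE_A), texture_fingerprint(NOISE_B)),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:15s} {score:.3f}")
```

Running it gives 1.000 for the identical pair, a score close to 1 for the patched variant (14 of 16 tiles are untouched and the two patched tiles still share most of their co-occurrence mass), and a much lower score for the sparse data-like sample. The fourth pair is the caveat a practitioner should keep in mind with any byte-texture method: the two noise-only samples are unrelated, yet they score high, because GLCM features describe the statistical texture of a region and all high-entropy (packed or encrypted) regions look alike. Such a score says "same kind of bytes", not "same family"; high-entropy blocks need separate handling (unpack first, or weight them down) before a match is trusted.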