Malicious PDF document detection based on mixed feature

Xuehui DU; Yangdong LIN; Yi SUN

doi:10.11959/j.issn.1000-436x.2019028

您当前的位置：

首页 >

文章列表页 >

Malicious PDF document detection based on mixed feature

Papers | 更新时间：2024-06-05

- Malicious PDF document detection based on mixed feature
- Journal on Communications Vol. 40, Issue 2, Pages: 118-128(2019)
- 作者机构：
  
  解放军战略支援部队信息工程大学河南省信息安全重点实验室，河南郑州 450001
- 作者简介：
- 基金信息：
  
  The National High Technology Research and Development Program of China (863 Program)(2015AA016006);The National Natural Science Foundation of China(61702550)
- DOI：10.11959/j.issn.1000-436x.2019028
  CLC： TP393
- Online First：2019-02，
  
  Published：25 February 2019
- 稿件说明：
移动端阅览
Xuehui DU, Yangdong LIN, Yi SUN. Malicious PDF document detection based on mixed feature[J]. Journal on Communications, 2019, 40(2): 118-128.
DOI：

Xuehui DU, Yangdong LIN, Yi SUN. Malicious PDF document detection based on mixed feature[J]. Journal on Communications, 2019, 40(2): 118-128. DOI： 10.11959/j.issn.1000-436x.2019028.

摘要

针对现有恶意PDF文档在检测方案存在特征顽健性差、易被逃避检测等问题，提出了一种基于混合特征的恶意PDF文档检测方法，采用动静态混合分析技术从文档中提取出其常规信息、结构信息以及API调用信息，并基于K-means算法设计了特征提取方法，聚合出表征文档安全性的核心混合特征，从而提高了特征的顽健性。在此基础上，利用随机森林算法构建分类器并设计实验，对所提方案的检测性能以及抵抗模拟攻击的能力进行了探讨。

Abstract

Aiming at the problem of poor robustness and easy to evade detection in the detection of malicious PDF document

a malicious PDF document detection method based on mixed features was proposed.It adopted dynamic and static analysis technology to extract the regular information

structure information and API calling information from the document

and then a feature extraction method based on K-means clustering algorithm was designed to filter and select the key mixed features that characterize the document security.Ultimately

it improved the robustness of features.On this basis

it used random forest algorithm to construct classifier and perform experiment to discuss the detection performance of the scheme and its ability to resist mimicry attacks.

关键词

Keywords

references

SYSTEMS A . PDF reference:adobe portable document format,version 1.3 [M ] . Addison-Wesley , 2000 .

BLONCE A , FILIOL E . Portable document format (PDF) security analysis and malware threats [J ] . Images Paediatr Cardiol , 2008 ( 2 ): 1 - 3 .

陈亮 , 陈性元 , 孙奕 , 等 . 基于结构路径的恶意 PDF 文档检测 [J ] . 计算机科学 , 2015 , 42 ( 2 ): 90 - 94 .

武雪峰 . 恶意PDF文档的分析 [D ] . 济南:山东大学 , 2012 .

Adobe Systems Incorporated . PDF reference:version 1.4 [J ] . Textile Research Journal , 2003 , 30 : 1 - 10 .

LI W J , STOLFO S , STAVROU A , et al . A study of malcode-bearing documents [C ] // International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment Springer-Verlag , 2007 : 231 - 250 .

WILLEMS C , HOLZ T , FREILING F . Toward automated dynamic malware analysis using CWSandbox [J ] . IEEE Security ＆ Privacy , 2007 , 5 ( 2 ): 32 - 39 .

COVA M , KRUEGEL C , VIGNA G . Detection and analysis of drive-by-download attacks and malicious JavaScript code [C ] // International Conference on World Wide Web . 2010 : 281 - 290 .

RIECK K , KRUEGER T , DEWALD A . Cujo:efficient detection and prevention of drive-by-download attacks [C ] // Twenty-Sixth Computer Security Applications Conference . 2010 : 31 - 39 .

CURTSINGER C , LIVSHITS B , ZORN B , et al . ZOZZLE:fast and precise in-browser JavaScript malware detection [C ] // Usenix Conference on Security . 2011 :3.

CANALI D , COVA M , VIGNA G , et al . Prophiler:a fast filter for the large-scale detection of malicious Web pages categories and subject descriptors [C ] // International Conference Companion on World Wide Web . 2012 : 197 - 206 .

ENGELBERTH M , WILLEMS C , HOLZ T . MalOffice-detecting malicious documents with combined static and dynamic analysis [C ] // Virus Bulletin International Conference . 2009 : 1 - 37 .

SNOW K Z , KRISHNAN S , PROVOS N , et al . SHELLOS:enabling fast detection and forensic analysis of code injection attacks [C ] // Usenix Conference on Security . 2011 :9.

TZERMIAS Z , SYKIOTAKIS G , POLYCHRONAKIS M , et al . Combining static and dynamic analysis for the detection of malicious documents [C ] // The Fourth European Workshop on System Security . 2011 : 1 - 6 .

LASKOV P , . Static detection of malicious JavaScript-bearing PDF documents [C ] // Twenty-Seventh Computer Security Applications Conference . 2011 : 373 - 382 .

MAIORCA D , GIACINTO G , CORONA I . A pattern recognition system for malicious PDF files detection [C ] // International Conference on Machine Learning and Data Mining in Pattern Recognition . 2012 : 510 - 524 .

SMUTZ C , STAVROU A . Malicious PDF detection using metadata and structural features [C ] // Computer Security Applications Conference . 2012 : 239 - 248 .

ŠRNDIC N , LASKOV P . Detection of malicious pdf files based on hierarchical document structure [C ] // The 20th Annual Network ＆ Distributed System Security Symposium . 2013 : 1 - 17 .

MAIORCA D , CORONA I , GIACINTO G . Looking at the bag is not enough to find the bomb:an evasion of structural methods for malicious pdf files detection [C ] // The 8th ACM SIGSAC Symposium on Information,Computer and Communications Security . 2013 : 119 - 130 .

LIU D , WANG H , STAVROU A . Detecting malicious Javascript in PDF through document instrumentation [C ] // IEEE/IFIP International Conference on Dependable Systems and Networks . 2014 : 100 - 111 .

CORONA I , MAIORCA D , ARIU D , et al . Lux0R:detection of malicious PDF-embedded JavaScript code through discriminant analysis of API references [C ] // The Workshop on Artificial Intelligent and Security Workshop . 2014 : 47 - 57 .

MAASS M , SCHERLIS W L , ALDRICH J . In-nimbo sandboxing [C ] // Symposium and Bootcamp on the Science of Security . 2014 : 1 - 13 .

MAIORCA D , ARIU D , CORONA I , et al . A structural and content-based approach for a precise and robust detection of malicious PDF files [C ] // International Conference on Information Systems Security and Privacy . 2015 : 27 - 36

VATAMANU C , GAVRILUŢ D , BENCHEA R . A practical approach on clustering malicious PDF documents [J ] . Journal in Computer Virology , 2012 , 8 ( 4 ): 151 - 163 .

Views

1821

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Fine-grained recognition method for encrypted FTP commands based on temporal dual-mode feature fusion

Survey on key technologies for native-intelligence-driven spectrum management towards 6G

Enhanced membership inference attack method leveraging data characteristics

Survey of IP geolocation: theory, methods, and innovative applications

Survey of research on encrypted traffic classification based on machine learning

Related Author

Fu Chunhui

Yang Zhi

Guo Yuanbo

Li Yongfei

Jin Shuyuan

Wang Xianmei

Ren Yuzheng

Jiang Tianyu

Related Institution

School of Cryptography, Information Engineering University

School of Cyberspace Security, Hainan University

School of Computer Science and Engineering, Sun Yat-sen University

Hebei Key Laboratory of Space-Air-Ground Intelligent Communication, University of Science and Technology Beijing

School of Cyber Engineering, Xidian University

AI问答

⁰