
Online First: 2014-08; Published: 25 August 2014
Xiao-guang HAN, Wu QU, Xuan-xia YAO, et al. Research on malicious code variants detection based on texture fingerprint[J]. Journal on Communications, 2014, 35(8): 125-136. DOI: 10.3969/j.issn.1000-436x.2014.08.016.
A method for extracting malicious-code features and detecting malicious code based on texture fingerprints is proposed. Combining image-analysis techniques with malicious-code variant detection, it maps the malicious code to an uncompressed gray-scale image, partitions the image into blocks with a texture-segmentation algorithm, extracts the texture features of each block with the gray-level co-occurrence matrix (GLCM) algorithm, and uses these texture features as the code's texture fingerprint. A texture-fingerprint index structure is then built from the fingerprints of the samples. In the detection phase, fingerprint blocks are generated for the code under test according to a block-generation policy, and a weighted multi-segment texture-fingerprint similarity matching method detects variants and previously unknown malicious code. On this basis, a prototype system for texture-fingerprint extraction and detection is implemented. The system was validated experimentally by analysing and detecting six malicious-code sample datasets. The results show that the features extracted by this method give fast and accurate detection and good recognition of malicious-code variants.
A texture-fingerprint-based approach is proposed to extract and detect features from malware content. The texture fingerprint of a malware sample is the set of texture fingerprints of each block of its uncompressed gray-scale image. The malicious code is mapped to an uncompressed gray-scale image by integrating image-analysis techniques with malicious-code variant detection technology. The uncompressed gray-scale image is partitioned into blocks by the texture-segmentation algorithm, and the texture fingerprint of each block is extracted by the gray-level co-occurrence matrix algorithm. Afterwards, the index structure for texture fingerprints is built on a statistical analysis of the texture fingerprints of the malicious-code samples. In the detection phase, fingerprint blocks are generated according to the generation policy for malicious-code texture fingerprints, and the prototype system for texture-fingerprint extraction and detection applies an integrated-weight, multi-segment texture-fingerprint similarity matching to detect variants and unknown malicious code. Experimental results show that the malware variant detection system based on the proposed approach performs well not only in speed and accuracy but also in identifying malware variants.
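The pipeline the abstract describes (bytes to gray-scale image, blocking, GLCM texture features per block, weighted multi-block similarity, nearest-fingerprint lookup) in runnable form, as an added example that is not the paper's prototype or its code. It simplifies where the paper's details are not on this page: a fixed 16x16 grid stands in for the texture-segmentation step, the GLCM uses a single horizontal offset with 16 gray levels, the four Haralick statistics are scaled to [0, 1], and blocks are weighted by one minus the reference block's entropy so that near-random (packed or encrypted) regions, which look alike across unrelated files, count less; the block size, gray-level count, weighting rule and 0.8 threshold are all assumptions. The three "binaries" are constructed synthetic byte strings, not real malware.

```python
import math
import random
from typing import Dict, List, Tuple

LEVELS = 16  # gray levels after quantizing byte values 0..255 (assumption)
Feature = Tuple[float, float, float, float]  # contrast, energy, homogeneity, entropy, each in [0, 1]


def bytes_to_image(data: bytes, width: int = 64) -> List[List[int]]:
    """Map raw bytes to an uncompressed gray-scale image: one byte per pixel, row-major; last row zero-padded."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] += [0] * (width - len(rows[-1]))
    return rows


def split_blocks(img: List[List[int]], size: int = 16) -> List[List[List[int]]]:
    """Cut the image into size x size blocks in reading order (fixed grid: a stand-in for texture segmentation)."""
    if not img:
        return []
    return [[row[c:c + size] for row in img[r:r + size]]
            for r in range(0, len(img), size)
            for c in range(0, len(img[0]), size)]


def glcm(block: List[List[int]], dx: int = 1, dy: int = 0) -> List[List[float]]:
    """Normalized gray-level co-occurrence matrix for a single pixel offset (dx, dy)."""
    counts = [[0.0] * LEVELS for _ in range(LEVELS)]
    total = 0
    h, w = len(block), len(block[0])
    for y in range(h):
        for x in range(w):
            ny, nx = y + dy, x + dx
            if 0 <= ny < h and 0 <= nx < w:
                i = block[y][x] * LEVELS // 256   # quantize both pixels of the pair
                j = block[ny][nx] * LEVELS // 256
                counts[i][j] += 1
                total += 1
    if total == 0:  # degenerate block with no pixel pairs: all-zero matrix
        return counts
    return [[c / total for c in row] for row in counts]


def haralick_features(p: List[List[float]]) -> Feature:
    """Contrast, energy, homogeneity and entropy of a GLCM, each scaled to [0, 1] for direct comparison."""
    contrast = energy = homogeneity = entropy = 0.0
    for i in range(LEVELS):
        for j in range(LEVELS):
            v = p[i][j]
            if v == 0.0:
                continue
            contrast += (i - j) ** 2 * v
            energy += v * v
            homogeneity += v / (1 + abs(i - j))
            entropy -= v * math.log2(v)
    return (contrast / (LEVELS - 1) ** 2, energy, homogeneity, entropy / math.log2(LEVELS * LEVELS))


def texture_fingerprint(data: bytes, width: int = 64, size: int = 16) -> List[Feature]:
    """The texture fingerprint: one feature vector per image block."""
    return [haralick_features(glcm(b)) for b in split_blocks(bytes_to_image(data, width), size)]


def similarity(ref: List[Feature], probe: List[Feature]) -> float:
    """Weighted multi-block similarity in [0, 1]: each block scores 1 - mean |feature difference|,
    weighted by (1 - entropy) of the reference block (assumption); unequal block counts are penalized."""
    n = min(len(ref), len(probe))
    if n == 0:
        return 0.0
    num = den = 0.0
    for a, b in zip(ref[:n], probe[:n]):
        w = (1.0 - a[3]) + 0.05  # small floor so high-entropy blocks still count a little
        block_sim = 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)
        num += w * block_sim
        den += w
    return (num / den) * (n / max(len(ref), len(probe)))


def detect(index: Dict[str, List[List[Feature]]], sample: bytes, threshold: float = 0.8) -> Tuple[str, float]:
    """Nearest-fingerprint lookup over the index; returns the best family if it clears the threshold, else 'unknown'."""
    fp = texture_fingerprint(sample)
    best_family, best_score = "unknown", 0.0
    for family, fps in index.items():
        for ref in fps:
            s = similarity(ref, fp)
            if s > best_score:
                best_family, best_score = family, s
    return (best_family if best_score >= threshold else "unknown", best_score)


# Constructed sample "binaries" (synthetic byte strings, not real malware).
def _make_base() -> bytes:
    rnd = random.Random(1)
    header = bytes(i % 8 for i in range(1024))              # low, regular values: smooth texture
    code = bytes(rnd.randrange(256) for _ in range(2048))   # pseudo-random: high-entropy texture
    data = bytes((0x00, 0xFF)[i % 2] for i in range(1024))  # alternating bytes: high-contrast texture
    return header + code + data


def _make_variant(base: bytes, n_patches: int = 40) -> bytes:
    """Scattered byte-level patches, mimicking a minor variant of the base sample."""
    rnd = random.Random(7)
    buf = bytearray(base)
    for _ in range(n_patches):
        buf[rnd.randrange(len(buf))] = rnd.randrange(256)
    return bytes(buf)


def _make_unrelated() -> bytes:
    rnd = random.Random(99)
    return bytes(rnd.randrange(256) for _ in range(4096))


BASE, VARIANT, UNRELATED = _make_base(), _make_variant(_make_base()), _make_unrelated()
INDEX = {"FamilyA": [texture_fingerprint(BASE)]}  # one indexed family, a constructed label

if __name__ == "__main__":
    print("variant  :", detect(INDEX, VARIANT))
    print("unrelated:", detect(INDEX, UNRELATED))
```

The variant keeps almost all of the base sample's block textures, so its score stays close to 1 and it is attributed to the indexed family; the unrelated file is uniformly random, so its blocks disagree with the base's smooth header and high-contrast data regions and it falls below the threshold. A linear scan over the index is used here for clarity; the paper builds an index structure for the same lookup.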