基于TensorFlow的恶意代码片段自动取证检测算法

doi:10.11959/j.issn.2096-109x.2021048

Abstract

Abstract:

In order to auto detect the underlying malicious code fragments in complex，heterogeneous and massive evidence data about digital forensic investigation, a framework for malicious code fragment detecting algorithm based on TensorFlow was proposed by analyzing TensorFlow model and its characteristics.Back-propagation training algorithm was designed through the training progress of deep learning.The underlying binary feature pre-processing algorithm of malicious code fragment was discussed and proposed to address the problem about different devices and heterogeneous evidence sources from storage media and such as AFF forensic containers.An algorithm which used to generate data set about code fragments was designed and implemented.The experimental results show that the comprehensive evaluation index F₁of the method can reach 0.922, and compared with CloudStrike, Comodo, FireEye antivirus engines, the algorithm has obvious advantage in dealing with the underlying code fragment data from heterogeneous storage media.

Key words: auto forensics, deep learning, full connected network, malicious code fragment

CLC Number:

TP309

Binglong LI, Jinlong TONG, Yu ZHANG, Yifeng SUN, Qingxian WANG, Chaowen CHANG. Auto forensic detecting algorithms of malicious code fragment based on TensorFlow[J]. Chinese Journal of Network and Information Security, 2021, 7(4): 154-163.

Figures/Tables 9

References 27

[1]	TEPE A N , BOYLAN A A , DAVIS D W . Analysis of digital forensic capabilities in texas law enforcement agencies[R]. The Bush School of Government ＆ Public Service, 2019.
[2]	CAVIGLIONE L , WENDZE S , MAZURCZKY W . The future of digital forensics:challenges and the road ahead[J]. IEEE Security＆ Privacy, 2017,15(6): 12-17.
[3]	LIN X D , CHEN T , ZHU T ,et al. Automated forensic analysis of mobile applications on Android devices[J]. Digital Investigation, 2018,26: S59-S66.
[4]	高元照, 李炳龙, 陈性元 . 基于MapReduce的HDFS数据窃取随机检测算法[J]. 通信学报, 2018,39(10): 11-21.
	GAO Y Z , LI B L , CHEN X Y . Stochastic algorithm for HDFS data detection based on MapReduce[J]. Journal on Communications, 2018,39(10): 11-21.
[5]	ZAWOAD S , HASAN R . Digital forensics in the age of big data:challenges,approaches,and opportunities[C]// IEEE Big Data Security 2015. 2015: 1-7.
[6]	SERVIDA F , CASEY E . IoT forensic challenges and opportunities for digital traces[J]. Digital Investigation, 2019,28: S22-S29.
[7]	韩宗达, 李炳龙 . 基于证据库的数据证据转换模型[J]. 计算机应用研究, 2015,32(7): 2140-2143.
	HAN Z D , LI B L . Evidence conversion model based on evidence database[J]. Application Research of Computers, 2015,32(7): 2140-2143.
[8]	JAMES J I , PAVEL G . Challenges with automation in digital forensic investigations[J]. arXiv:1303.4498, 2013.
[9]	Guidanc[EB].
[10]	AccessData[EB].
[11]	ZHU Y , JAMES J , GLADYSHEV P . A consistency study of the windows registry[C]// 6th IFIP WG 11.9 International Conference on Digital Forensics(DF). 2010: 77-90.
[12]	ROGERS M , GOLDMAN J ,et al. Computer forensics field triage process model[J]. Journal of Digital Forensics,Security and Law, 2006,1(2): 27-40.
[13]	MISLAN R P , CASEY E ,et al. The growing need for on-scene triage of mobile devices[J]. Digital Investigation, 2010,6(3-4): 112-124.
[14]	MARZIALE L , RICHARD G G , ROUSSEV V . Massive threading:using GPUs to increase the performance of digital forensics tools[J]. Digital Investigation, 2007,4S: S73-S81.
[15]	GARFINKEL S , NELSON A , WHITE D ,et al. Using purpose-built functions and block hashes to enable small block and sub-file forensics[J]. Digital Investigation, 2010,7: S13-S23.
[16]	QUICK D , CHOO K K R . Impacts of increasing volume of digital forensic data:a survey and future research challenges[J]. Digital Investigation, 2014,11(4): 273-294.
[17]	Federal Bureau of Investigation(FBI) . 2019 Internet Crime Report[R]. 2020.
[18]	McAfee Labs. 2019 Threats Report[EB]. 2019.
[19]	PIRSCOVEANU R , HANSEN S , CZECH A . Analysis of malware behavior:type classification using machine learning[C]// Proceedings of the 2015 International Conference on Cyber Situational Awareness,Data Analytics and Assessment (CyberSA). 2015.
[20]	MOHAISEN A , ALRAWI O , MOHAISEN M . Amal:High-fidelity,behavior-based automated malware analysis and classification[J]. Computers ＆ Security, 2015,52: 251-266.
[21]	LIN Y D , LAI Y C , LU C N ,et al. Three-phase behavior-based detection and classification of known and unknown malware[J]. Security and Communication Networks, 2015,8(11): 2004-2015.
[22]	KRIS C , MAREK R . A Joint model for word embedding and word morphology[C]// Proc of the 1st Workshop on Representation Learning for NLP,August 11th. 2016: 18-26.
[23]	陈翠平 . 基于深度信念网络的文本分类算法[J]. 计算机系统应用, 2015,24(2): 121-126.
	CHEN C P . Text Categorization based on deep belief network[J]. Computer System ＆ Application, 2015,24(2): 121-126.
[24]	黎亚雄, 张坚强, 潘登 ,等. 基于RNN-RBM语言模型的语音识别研究[J]. 计算机研究与发展, 2014,51(9): 1936-1944.
	LI Y X , ZHANG J Q , PAN D ,et al. A study of speech recognition based on RNN-RBM language model[J]. Journal of Computer Research and Development, 2014,51(9): 1936-1944.
[25]	LUKASZ K , AIDAN N.G , NOAM S ,et al. One model to learn them all[J]. arXiv:1706.05137v1, 2017.06:1-10.
[26]	Ponemon Institite . 2017 Cost of Data Breach Study[R].
[27]	RAFF E , ZAK R , MUNOZ G ,et al. Automatic yara rele generation using biclustering[C]// Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security. 2020: 71-82.

Metrics

Recommended 0

No Suggested Reading articles found!

方法	P	R	F₁
CrowdStrike	0.667	0.096	0.168
Comodo	0.474	0.086	0.146
FireEye	1.000	0.096	0.175
ClamAV	1.000	0.102	0.185
McAfee	1.000	0.092	0.168
Kaspersky	1.000	0.094	0.172
本文方法	0.896	0.950	0.922

Auto forensic detecting algorithms of malicious code fragment based on TensorFlow

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 27

Related Articles 15

Metrics

Recommended 0

[1]	Xiaomeng LI, Daidou GUO, Xunfang ZHUO, Heng YAO, Chuan QIN. Carrier-independent screen-shooting resistant watermarking based on information overlay superimposition [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 135-149.
[2]	Rongna XIE, Zhuhong MA, Zongyu LI, Ye TIAN. Encrypted traffic classification method based on convolutional neural network [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 84-91.
[3]	Dengyong ZHANG, Huang WEN, Feng LI, Peng CAO, Lingyun XIANG, Gaobo YANG, Xiangling DING. Image inpainting forensics method based on dual branch network [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 110-122.
[4]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.
[5]	Jinyin CHEN, Changan WU, Haibin ZHENG. Novel defense based on softmax activation transformation [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 48-63.
[6]	Baolin QIU, Ping YI. Adversarial examples defense method based on multi-dimensional feature maps knowledge distillation [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 88-99.
[7]	Lijuan LI, Man LI, Hongjun BI, Huachun ZHOU. Multi-type low-rate DDoS attack detection method based on hybrid deep learning [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 73-85.
[8]	Zhongyuan QIN, Zhaoxiang HE, Tao LI, Liquan CHEN. Adversarial example defense algorithm for MNIST based on image reconstruction [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 86-94.
[9]	Deqing ZOU, Xiang LI, Minhuan HUANG, Xiang SONG, Hao LI, Weiming LI. Intelligent vulnerability detection system based on graph structured source code slice [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 113-122.
[10]	Zhenglong WANG, Baowen ZHANG. Survey of generative adversarial network [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 68-85.
[11]	Qingyin TAN, Yingming ZENG, Ye HAN, Yijing LIU, Zheli LIU. Survey on backdoor attacks targeted on neural network [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 46-58.
[12]	Luhui YANG,Huiwen BAI,Guangjie LIU,Yuewei DAI. Lightweight malicious domain name detection model based on separable convolution [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 112-120.
[13]	Ximeng LIU,Lehui XIE,Yaopeng WANG,Xuru LI. Adversarial attacks and defenses in deep learning [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 36-53.
[14]	Sijia DU,Haining YU,Hongli ZHANG. Survey of text classification methods based on deep learning [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 1-13.
[15]	Mingfang ZHAI,Xingming ZHANG,Bo ZHAO. Survey of encrypted malicious traffic detection based on deep learning [J]. Chinese Journal of Network and Information Security, 2020, 6(3): 66-77.