基于静态多特征融合的恶意软件分类方法

doi:10.11959/j.issn.2096-109x.2017.00217

Abstract

Abstract:

In recent years,the amount of the malwares has tended to rise explosively.New malicious samples emerge as variability and polymorphism.By means of polymorphism,shelling and confusion,traditional ways of detecting can be avoided.On the basis of massive malicious samples,a safe and efficient method was designed to classify the mal-wares.Extracting three static features including file byte features,assembly features and PE features,as well as im-proving generalization of the model through feature fusion and ensemble learning,which realized the complementarity between the features and the classifier.The experiments show that the sample achieve a stable F1-socre (93.56%).

Key words: malware, family classification, static analysis, machine learning, model fusion

CLC Number:

TP309.5

Bo-wen SUN,Yan-yi HUANG,Qiao-kun WEN,Bin TIAN,Peng WU,Qi LI. Malware classification method based on static multiple-feature fusion[J]. Chinese Journal of Network and Information Security, 2017, 3(11): 68-76.

Figures/Tables 12

References 21

[1]	卡巴斯基年报[EB/OL]. .
	Kabasiji annual report[EB/OL]. .
[2]	赛门铁克年报[EB/OL]. .
	Symantec annual report[EB/OL]. .
[3]	SCHULTZ M G , ESKIN E , ZADOK E , et al. Data mining methods for detection of new malicious executables[C]// 2001 IEEE Sympo-sium on Security and Privacy(S＆P 2001), 2001: 38-49.
[4]	MEHDI B , AHMED F , KHAYYAM S A , et al. Towards a Theory of Generalizing System Call Representation for In-Execution Mal-ware Detection[C]// IEEE International Conference on Communica-tions, 2010: 1-4.
[5]	PARK Y , REEVES D , MULUKUTLA V , et al. Fast malware classi-fication by automated behavioral graph matching[C]// AMIA Annu Symp Proc, 2010: 1-4.
[6]	SANTOS I , BREZO F , UGARTE-PEDRERO X , et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013,231(9): 64-82.
[7]	GRINI L S , SHALAGINOV A , FRANKE K . Study of soft compu-ting methods for large-scale multinomial malware types and fami-lies de-tection[C]// The World Conference on Soft Computing, 2016.
[8]	RIECK K , HOLZ T , WILLEMS C , et al. Learning and classifica-tion of malware behavior[C]// The International Conference on Detection of Intrusions ＆ Malware, 2008: 108-125.
[9]	SALEHI Z , SAMI A , GHIASI M . Using feature generation from API calls for malware detection[J]. Computer Fraud ＆ Security, 2014,2014(9): 9-18.
[10]	KOLOSNJAJI B , ZARRAS A , WEBSTER G ， et al. Deep learning for classi-fication of malware system call sequences[M]// AI 2016:Advances in Artificial Intelligence. Berlin： Springer， 2016.
[11]	韩晓光，曲武，姚宣霞，等. 基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报， 2014,35(8): 125-136.
	HAN X G , QU W , YAO X X , et al. Research on malicious code variants detection based on texture fingerprint[J]. Journal on Communications. 2014,35(8): 125-136.
[12]	Digital bread crumbs:seven clues to identifying who's behind advanced cyber attacks[EB/OL]. .
[13]	IDA pro website[EB/OL]. .
[14]	PE Exeinfo website[EB/OL]. .
[15]	Mastiff website[EB/OL]. .
[16]	Yara-rules website[EB/OL]. .
[17]	Top maliciously used APIs[EB/OL]. .
[18]	Scikit-learn website[EB/OL]. .
[19]	VirusShare website[EB/OL]. .
[20]	Naming scheme-caro-computer antivirus research organization[EB/OL]. .
[21]	Free online virus,malware and url scanner[EB/OL]. .

Metrics

Recommended 0

No Suggested Reading articles found!

特征名称	特征描述
hex_filesize	样本大小
hex_filelines	样本字节视图行数
hex_str_len_*	样本字符串相应长度的次数
hex_1gram_*	样本字符出现次数
hex_entropy_*	样本熵值
asm_register_*	寄存器出现次数
asm_opcode_*	操作码出现次数
asm_dd_*	dd出现次数
asm_dw_*	dw出现次数
asm_symbol_*	特殊符号出现次数
pe_API	API出现次数
pe_dll	dll出现次数
pe_imports	引用数量
pe_exports	导出数量
pe_mastiff_*	mastiff报告信息
pe_alertAPI	恶意API统计次数
pe_compile	编译环境类别

检测引擎	家族名称
Bkav	HW32.Packed.F519
McAfee	Ransomware-FUO!638C98B55FEE
Baidu	Win32.Trojan.WisdomEyes.16070401.9500.9925
Symantec	Trojan.Gen.2
Kaspersky	not-a-virus:HEUR:Downloader.Win32.LMN.gen
Microsoft	Ransom:Win32/Cerber!rfn
Tencent	Win32.Trojan.Cerber.Wnwm
Panda	Trj/GdSda.A
Qihoo-360	HEUR/QVM20.1.7BA9.Malware.Gen

卡巴斯基检测家族名称	数量
Backdoor.Win32.Hlux	27
HEUR:Trojan-Downloader.Win32.Generic	41
HEUR:Trojan.Win32.Generic	578
HEUR:Trojan.Win32.Invader	53
Packed.Win32.Tpyn	20
Trojan-Clicker.Win32.Agent	39
Trojan-Downloader.Win32.Agent	41
Trojan-Dropper.Win32.Injector	18
Trojan.Win32.Agent	196
Trojan.Win32.AntiFW	1 480
Trojan.Win32.Buzus	46
Trojan.Win32.Inject	28

预测类别	实际类别	次数
Trojan.Win32.AntiFW.a	HEUR:Trojan.Win32.Generic	271
Trojan.Win32.AntiFW.a	Trojan.Win32.Agent	93
Trojan.Win33.AntiFW.a	HEUR:Trojan.Win32.Invader	25
Trojan.Win34.AntiFW.a	Trojan.Win32.Inject.vbet	19
Trojan.Win35.AntiFW.a	Trojan-Downloader.	19
	Win32.Agent.hfug
HEUR:Trojan.Win32.Generic	Trojan.Win32.AntiFW.a	8
HEUR:Trojan.Win32.Generic	Trojan.Win32.Agent	4

特征类别	特征分数
asm_dd_para5	0.045 3
asm_opcode_wait	0.039 2
pe_alertapi_StartupInfoW	0.025 4
pe_alertapi_GetModuleHandleW	0.022 4
Colnitialize	0.010 7
asm_dd_para4	0.009 5
pe_alertapi_LoadLibraryW	0.008
asm_opcodes_fdiv	0.007 5
pe_compile	0.004 9
pe_alertapi_GetProcAddress	0.004 5
asm_opcodes_cwd	0.004 3
asm_regs_ecx	0.002 6

Malware classification method based on static multiple-feature fusion

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 21

Related Articles 15

Metrics

Recommended 0

分类器/特征集合	字节视图特征	汇编视图特征	PE视图特征	全部特征
GNB	61.467 2%	86.301 8%	52.026 4%	73.730 0%
RF	85.904 5%	89.977 6%	85.421 6%	87.520 0%
GBDT	85.124 5%	89.456 4%	83.751 4%	88.339 0%
ET	81.900 2%	90.152 7%	79.174 8%	85.582 7%
DT	77.506 1%	44.114 8%	57.567 0%	81.882 9%
SVM	65.399 9%	52.872 7%	60.235 7%	64.114 8%
KNN	78.561 6%	82.634 1%	78.797 2%	81.791 6%
AB	57.312 8%	64.015 7%	48.605 8%	64.913 2%

融合方法	集成策略	字节视图特征融合后	汇编视图特征融合后	PE视图特征融合后	全部特征融合后
	Average of Probabilities	78.4720%	82.4035%	86.1256%	87.7300%
Voting
	Majority Voting	63.5502%	71.7669%	69.7124%	67.1198%
	J48	80.2417%	87.1749%	81.6689%	92.0740%
Stacking
	BayesNet	87.6839%	88.3260%	81.3020%	93.5660%
Bagging	Random Forest	85.1330%	87.3974%	78.1261%	86.4870%
	Adaboost	84.6372%	79.1950%	86.4609%	90.7526%
Boosting	GBDT	76.4684%	89.8672%	79.2185%	86.3200%
	XGBoost	84.1474%	90.8446%	76.2524%	90.6736%

类别	数量/个	时间/s
卡巴斯基引擎检测时间	65 536	7 023
样本预处理时间	2 798	6 013
PE Exeinfo处理时间	11 651	1 141
字节视图特征提取时间	2 798	2 822
汇编视图特征提取时间	2 798	4 020
PE视图特征提取时间	2 798	2 035
特征融合时间	2 798	447
算法运行时间	2 798	＜5
算法融合时间	2 798	669

[1]	Ruiqi XIA, Manman LI, Shaozhen CHEN. Identification on the structures of block ciphers using machine learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 79-89.
[2]	Nan WEI, Lihua YIN, Hong NING, Binxing FANG. Preliminary study on the reform of machine learning teaching [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 182-189.
[3]	Cheng HUANG, Mingxu SUN, Renyu DUAN, Susheng WU, Bin CHEN. Vulnerability identification technology research based on project version difference [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 52-62.
[4]	Fan CHAO, Zhi YANG, Xuehui DU, Bing HAN. Classified risk assessment method of Android application based on multi-factor clustering selection [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 161-173.
[5]	Yingjun ZHANG,Ushangqi LI,Mu YANG,Haixia ZHANG,Kezhen HUANG. Survey on anomaly detection technology based on logs [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 1-12.
[6]	Tianyu ZHOU,Wenbo SHEN,Nanzi YANG,Jinku LI,Chenggang QIN,Wang YU. Analysis of DoS attacks on Docker inter-component stdio copy [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 45-56.
[7]	Xi FU,Hui LI,Xingwen ZHAO. Survey on phishing detection research [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 1-10.
[8]	Fan CHAO,Zhi YANG,Xuehui DU,Yan SUN. Android malware detection method based on deep neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 67-79.
[9]	Kang HE,Yuefei ZHU,Long LIU,Bin LU,Bin LIU. Improve the robustness of algorithm under adversarial environment by moving target defense [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 67-76.
[10]	Fuxiang YUAN,Fenlin LIU,Chong LIU,Yan LIU,Xiangyang LUO. MLAR:large-scale network alias resolution for IP geolocation [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 77-94.
[11]	Xiaokang YIN,Liu LIU,Long LIU,Shengli LIU. Function argument number identification in stripped binary under PPC and MIPS instruction set [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 95-103.
[12]	Ziming LUO,Shubin XU,Xiaodong LIU. Scheme for identifying malware traffic with TLS data based on machine learning [J]. Chinese Journal of Network and Information Security, 2020, 6(1): 77-83.
[13]	Bin ZHANG,Lixun LI,Shuqin DONG. Malware detection approach based on improved SOINN [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 21-30.
[14]	Wei HUANG,Cuncai LIU,Sibo QI. LSTM network traffic prediction and link congestion warning scheme for single port and single link [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 50-57.
[15]	Lei SONG, Chunguang MA, Guanghan DUAN. Machine learning security and privacy:a survey [J]. Chinese Journal of Network and Information Security, 2018, 4(8): 1-11.

恶意API名称
API_GetProcAddress
API_LoadLibraryA
API_GetModuleHandleA
API_ExitProcess
API_VirtualAlloc
API_WriteFile
API_GetModuleFileNameA
API_CloseHandle
API_RegCloseKey
API_VirtualFree

分类器/特征集合	字节视图特征	汇编视图特征	PE视图特征	全部特征
GNB	62.677 0%	83.354 4%	48.371 8%	75.485 4%
RF	85.879 2%	89.184 0%	83.674 4%	92.694 2%
GBDT	85.534 7%	91.668 6%	83.897 3%	90.374 6%
ET	81.739 9%	91.234 9%	76.766 5%	86.940 2%
DT	79.534 0%	49.371 6%	57.130 9%	83.379 5%
SVM	69.568 6%	56.180 3%	66.807 0%	71.711 8%
KNN	74.747 9%	80.255 2%	74.232 4%	84.218 6%
AB	64.125 9%	68.835 9%	49.153 2%	71.271 1%