基于图结构的恶意代码同源性分析

doi:10.11959/j.issn.1000-436x.2017259

摘要/Abstract

摘要：

恶意代码检测和同源性分析一直是恶意代码分析领域的研究热点。从恶意代码提取的API调用图，能够有效表示恶意代码的行为信息，但由于求解子图同构问题的算法复杂度较高，使基于图结构特征的恶意代码分析效率较低。为此，提出了利用卷积神经网络对恶意代码API调用图进行处理的方法。通过选择关键节点，以关键节点邻域构建感知野，使图结构数据转换为卷积神经网络能够处理的结构。通过对8个家族的恶意样本进行学习和测试，实验结果表明，恶意代码同源性分析的准确率达到93%，并且针对恶意代码检测的准确率达到96%。

关键词: 恶意代码, 同源性分析, API调用图, 卷积神经网络

Abstract:

Malware detection and homology analysis has been the hotspot of malware analysis.API call graph of malware can represent the behavior of it.Because of the subgraph isomorphism algorithm has high complexity,the analysis of malware based on the graph structure with low efficiency.Therefore,this studies a homology analysis method of API graph of malware that use convolutional neural network.By selecting the key nodes,and construct neighborhood receptive field,the convolution neural network can handle graph structure data.Experimental results on 8 real-world malware family,shows that the accuracy rate of homology malware analysis achieves 93%,and the accuracy rate of the detection of malicious code to 96%.

Key words: malware, homology analysis, API call graph, convolutional neural network

中图分类号:

TP302

赵炳麟,孟曦,韩金,王婧,刘福东. 基于图结构的恶意代码同源性分析[J]. 通信学报, 2017, 38(Z2): 86-93.

Bing-lin ZHAO,Xi MENG,Jin HAN,Jing WANG,Fu-dong LIU. Homology analysis of malware based on graph[J]. Journal on Communications, 2017, 38(Z2): 86-93.

图/表 9

图2

图1

表1

图3

图4

图5

图6

表2

表3

参考文献 24

[1]	SAXE J , BERLIN K . Deep neural network based malware detection using two dimensional binary program features[C]// International Conference on Malicious and Unwanted Software. 2015: 11-20.
[2]	SANTOS I , BREZO F,UGARTE-PEDRERO X ,et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013,231(9): 64-82.
[3]	GUPTA S , SHARMA H , KAUR S . Malware characterization using windows API call sequences[C]// International Conference on Security,Privacy,and Applied Cryptography Engineering. Springer International Publishing, 2016: 271-280.
[4]	NARAYANAN A , MENG G , YANG L ,et al. Contextual Weisfeiler-Lehman graph kernel for malware detection[C]// International Joint Conference on Neural Networks. 2016: 4701-4708.
[5]	EPPSTEIN D . Subgraph isomorphism in planar graphs and related problems[J]. SODA'95 Proceedings of the sixth annual ACM-SIAM symposium on Discrete algorithms, 1999,3(3): 332-346.
[6]	NIEPERT M , AHMED M , KUTZKOV K . Learning convolutional neural networks for graphs[C]// International Conference on Machine Learning, 2016: 2014-2023.
[7]	DUVENAUD D K , MACLAURIN D , IPARRAGUIRRE J ,et al. Convolutional networks on graphs for learning molecular fingerprints[C]// Advances in Neural Information Processing Systems. 2015: 2224-2232.
[8]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv preprint arXiv:1609.02907, 2016.
[9]	DEFFERRARD M , BRESSON X , VANDERGHEYNST P . Convolutional neural networks on graphs with fast localized spectral filtering[C]// Advances in Neural Information Processing Systems, 2016: 3844-3852.
[10]	KI Y , KIM E , KIM H K . A novel approach to detect malware based on API call sequence analysis[J]. International Journal of Distributed Sensor Networks, 2015,11(6):659101.
[11]	THOMPSON J D , GIBSON T J , HIGGINS D G . Multiple sequence alignment using CrustalW and clustalX[J]. Current protocols in bioinformatics, 2002.
[12]	LEE T , CHOI B , SHIN Y ,et al. Automatic malware mutant detection and group classification based on the n-gram and clustering coefficient[J]. The Journal of Supercomputing, 2015: 1-15.
[13]	OKTAVIANTO D , MUHARDIANTO I . Cuckoo malware analysis[M]. Packt Publishing, 2013.
[14]	CESARE S , XIANG Y , ZHOU W . Malwise-an effective and efficient classification system for packed and polymorphic malware[J]. IEEE Transactions on Computers, 2013,62(6): 1193-1206.
[15]	PARK Y , REEVES D , MULUKUTLA V ,et al. Fast malware classification by automated behavioral graph matching[C]// AMIA Annu Symp Proc, 2010: 1-4.
[16]	KINABLE J , KOSTAKIS O . Malware classification based on call graph clustering[J]. Journal of Computer Virology and Hacking Techniques, 2011,7(4): 233-245.
[17]	HASSEN M , CHAN P K . scalable function call graph-based malware classification[C]// The Seventh ACM on Conference on Data and Application Security and Privacy. 2017: 239-248.
[18]	杨帆, 张焕国, 傅建明 ,等. 基于图编辑距离的恶意代码检测[J]. 武汉:武汉大学学报(理学版), 2013,59(5): 453-457.
	YANG F , ZHANG F G , FU J M ,et al. Malware Detection Based on Graph Edit Distance[J]. Wuhan:Wuhan Univ (Nat Sci Ed.) , 2013,59(5): 453-457.
[19]	刘星, 唐勇 . 恶意代码的函数调用图相似性分析[J]. 计算机工程与科学, 2014,36(3): 481-486.
	LIU X , TANG Y . Similarity analysis of malware’s function-call graphs[J]. Computer Engineering ＆ Science, 2014,36(3): 481-486.
[20]	ARASU A . Hector garcia-molina,andreas paepcke,and sriram raghavan.searching the Web[J]. ACM Transactions on Internet Technology, 2001,1: 2-43.
[21]	TOTAL V . VirusTotal-Free online virus,malware and URL scanner[J]. 2012.
[22]	WU H C , LUK R W P , WONG K F ,et al. Interpreting TF-IDF term weights as making relevance decisions[J]. ACM Transactions on Information Systems, 2008,26(3): 55-59.
[23]	SANTOS I , BREZO F UGARTE-PEDRERO X ,et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013,231(9): 64-82.
[24]	SANTOS I , DEVESA J , BREZO F ,et al. OPEM:a static-dynamic approach for machine-learning-based malware detection[M]// International Joint Conference CISIS’12-ICEUTE’12-SOCO’12 Special Sessions. Springer Berlin Heidelberg, 2013: 271-280.

编号	家族名称
1	Backdoor.Win32.Hupigon
2	Backdoor.Win32.Agent
3	Backdoor.Win32.PcClient
4	Trojan.Win32.Agent
5	Backdoor.Win32.Bifrose
6	Backdoor.Win32.Poison
7	Rootkit.Win32.Agent
8	Hoax.Win32.Renos

训练集规模/个	准确率	误报率
200	0.91	0.07
400	0.923	0.062
600	0.942	0.05
800	0.967	0.041

使用方法	准确率
Byte Code n-gram + Opcode n-gram	0.96
Opcode n-gram + API	0.962
API graph + CNN	0.967