基于混合特征的恶意PDF文档检测

doi:10.11959/j.issn.1000-436x.2019028

摘要/Abstract

摘要：

针对现有恶意PDF文档在检测方案存在特征顽健性差、易被逃避检测等问题，提出了一种基于混合特征的恶意PDF文档检测方法，采用动静态混合分析技术从文档中提取出其常规信息、结构信息以及API调用信息，并基于K-means算法设计了特征提取方法，聚合出表征文档安全性的核心混合特征，从而提高了特征的顽健性。在此基础上，利用随机森林算法构建分类器并设计实验，对所提方案的检测性能以及抵抗模拟攻击的能力进行了探讨。

关键词: 恶意PDF文档, 混合特征, 机器学习, 检测

Abstract:

Aiming at the problem of poor robustness and easy to evade detection in the detection of malicious PDF document,a malicious PDF document detection method based on mixed features was proposed.It adopted dynamic and static analysis technology to extract the regular information,structure information and API calling information from the document,and then a feature extraction method based on K-means clustering algorithm was designed to filter and select the key mixed features that characterize the document security.Ultimately,it improved the robustness of features.On this basis,it used random forest algorithm to construct classifier and perform experiment to discuss the detection performance of the scheme and its ability to resist mimicry attacks.

Key words: malicious PDF document, mixed feature, machine learning, detection

中图分类号:

TP393

杜学绘,林杨东,孙奕. 基于混合特征的恶意PDF文档检测[J]. 通信学报, 2019, 40(2): 118-128.

Xuehui DU,Yangdong LIN,Yi SUN. Malicious PDF document detection based on mixed feature[J]. Journal on Communications, 2019, 40(2): 118-128.

图/表 10

图1

表1

表2

表3

表4

表5

表6

表7

表8

图2

参考文献 24

[1]	SYSTEMS A . PDF reference:adobe portable document format,version 1.3[M]. Addison-Wesley, 2000.
[2]	BLONCE A , FILIOL E . Portable document format (PDF) security analysis and malware threats[J]. Images Paediatr Cardiol, 2008(2): 1-3.
[3]	陈亮, 陈性元, 孙奕 ,等. 基于结构路径的恶意 PDF 文档检测[J]. 计算机科学, 2015,42(2): 90-94.
[4]	武雪峰 . 恶意PDF文档的分析[D]. 济南:山东大学, 2012.
[5]	Adobe Systems Incorporated. PDF reference:version 1.4[J]. Textile Research Journal, 2003,30: 1-10.
[6]	LI W J , STOLFO S , STAVROU A ,et al. A study of malcode-bearing documents[C]// International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment Springer-Verlag, 2007: 231-250.
[7]	WILLEMS C , HOLZ T , FREILING F . Toward automated dynamic malware analysis using CWSandbox[J]. IEEE Security ＆ Privacy, 2007,5(2): 32-39.
[8]	COVA M , KRUEGEL C , VIGNA G . Detection and analysis of drive-by-download attacks and malicious JavaScript code[C]// International Conference on World Wide Web. 2010: 281-290.
[9]	RIECK K , KRUEGER T , DEWALD A . Cujo:efficient detection and prevention of drive-by-download attacks[C]// Twenty-Sixth Computer Security Applications Conference. 2010: 31-39.
[10]	CURTSINGER C , LIVSHITS B , ZORN B ,et al. ZOZZLE:fast and precise in-browser JavaScript malware detection[C]// Usenix Conference on Security. 2011:3.
[11]	CANALI D , COVA M , VIGNA G ,et al. Prophiler:a fast filter for the large-scale detection of malicious Web pages categories and subject descriptors[C]// International Conference Companion on World Wide Web. 2012: 197-206.
[12]	ENGELBERTH M , WILLEMS C , HOLZ T . MalOffice-detecting malicious documents with combined static and dynamic analysis[C]// Virus Bulletin International Conference. 2009: 1-37.
[13]	SNOW K Z , KRISHNAN S , PROVOS N ,et al. SHELLOS:enabling fast detection and forensic analysis of code injection attacks[C]// Usenix Conference on Security. 2011:9.
[14]	TZERMIAS Z , SYKIOTAKIS G , POLYCHRONAKIS M ,et al. Combining static and dynamic analysis for the detection of malicious documents[C]// The Fourth European Workshop on System Security. 2011: 1-6.
[15]	LASKOV P , . Static detection of malicious JavaScript-bearing PDF documents[C]// Twenty-Seventh Computer Security Applications Conference. 2011: 373-382.
[16]	MAIORCA D , GIACINTO G , CORONA I . A pattern recognition system for malicious PDF files detection[C]// International Conference on Machine Learning and Data Mining in Pattern Recognition. 2012: 510-524.
[17]	SMUTZ C , STAVROU A . Malicious PDF detection using metadata and structural features[C]// Computer Security Applications Conference. 2012: 239-248.
[18]	?RNDIC N , LASKOV P . Detection of malicious pdf files based on hierarchical document structure[C]// The 20th Annual Network ＆ Distributed System Security Symposium. 2013: 1-17.
[19]	MAIORCA D , CORONA I , GIACINTO G . Looking at the bag is not enough to find the bomb:an evasion of structural methods for malicious pdf files detection[C]// The 8th ACM SIGSAC Symposium on Information,Computer and Communications Security. 2013: 119-130.
[20]	LIU D , WANG H , STAVROU A . Detecting malicious Javascript in PDF through document instrumentation[C]// IEEE/IFIP International Conference on Dependable Systems and Networks. 2014: 100-111.
[21]	CORONA I , MAIORCA D , ARIU D ,et al. Lux0R:detection of malicious PDF-embedded JavaScript code through discriminant analysis of API references[C]// The Workshop on Artificial Intelligent and Security Workshop. 2014: 47-57.
[22]	MAASS M , SCHERLIS W L , ALDRICH J . In-nimbo sandboxing[C]// Symposium and Bootcamp on the Science of Security. 2014: 1-13.
[23]	MAIORCA D , ARIU D , CORONA I ,et al. A structural and content-based approach for a precise and robust detection of malicious PDF files[C]// International Conference on Information Systems Security and Privacy. 2015: 27-36
[24]	VATAMANU C , GAVRILU? D , BENCHEA R . A practical approach on clustering malicious PDF documents[J]. Journal in Computer Virology, 2012,8(4): 151-163.

常规特征	安全相关性
文件大小	恶意PDF文档一般不包含有意义的文本图片等内容，文件大小一般较小
文件版本号	不同版本的漏洞数量及安全性存在差异
包含JavaScript代码的对象数量	一般情况下，恶意PDF文档中包含JavaScript的可能性远大于正常PDF文档
嵌入的文件数量	正常文档一般没有额外嵌入的文件，而部分类型的恶意文档通过嵌入恶意文件来实施攻击
不完整对象的数量	恶意文档中存在缺失结构字段的对象数量比例往往远大于正常文档
交叉引用表的数量	恶意文档中缺少交叉引用表或交叉引用表不可识别的比例往往远大于正常文档
特殊操作函数	恶意文档中出现OpenAction、Launch等操作函数的可能性较正常文档更大

真实情况	预测结果
真实情况	恶意文档	良性文档
恶意文档	D_MM'	D_MB'
良性文档	D_BM'	D_BB'

漏洞编号	样本数量/个
CVE-2016-4255	12
CVE-2015-5090	31
CVE-2014-0512	17
CVE-2014-0496	39
CVE-2013-0640	21
CVE-2012-0754	3
CVE-2011-2462	25
CVE-2010-2883	49
CVE-2010-0188	25
其他未归类样本	5 708

类别	样本数量/个
包含3D图像的文档	28
包含JavaScript代码的文档	219
包含flash的文档	61
PDF格式的jar文件	3
包含视频的文档	35
内嵌文件的文档	16
其他未归类样本	5 519

硬件配置	软件配置
2个英特尔至强处理器（E5 2600V4）	Ubuntu
RAM（90 GB）	PyCharm