基于高斯混合模型的增量聚类方法识别恶意软件家族

doi:10.11959/j.issn.1000-436x.2019135

通信学报 ›› 2019, Vol. 40 ›› Issue (6): 148-159.doi: 10.11959/j.issn.1000-436x.2019135

基于高斯混合模型的增量聚类方法识别恶意软件家族

胡建伟¹,车欣¹,周漫²(),崔艳鹏¹

¹ 西安电子科技大学网络与信息安全学院，陕西西安 710071
² 华中科技大学网络空间安全学院，湖北武汉 430074

修回日期:2019-05-21 出版日期:2019-06-25 发布日期:2019-07-04
作者简介:胡建伟（1973- ），男，浙江金华人，博士，西安电子科技大学副教授，主要研究方向为计算机网络、工业控制系统、网络软硬件设备的安全与攻防对抗等。|车欣（1993- ），男，安徽芜湖人，西安电子科技大学硕士生，主要研究方向为信息安全、工控安全等。|周漫（1994- ），女，湖北孝感人，华中科技大学博士生，主要研究方向为恶意代码检测、入侵检测、物联网安全等。|崔艳鹏（1978- ），女，吉林长春人，博士，西安电子科技大学副教授，主要研究方向为电子战信号处理、电子战系统模拟、雷达目标识别等。
基金资助:
国家自然科学基金资助项目(61272033)

Incremental clustering method based on Gaussian mixture model to identify malware family

HU Jianwei¹,CHE Xin¹,ZHOU Man²(),CUI Yanpeng¹

¹ School of Network and Information Security,Xidian University,Xi’an 710071,China
² Institute of Cyberspace Security,Huazhong University of Science and Technology,Wuhan 430074,China

Revised:2019-05-21 Online:2019-06-25 Published:2019-07-04
Supported by:
The National Natural Science Foundation of China(61272033)

摘要/Abstract

摘要：

针对属于同一个家族的恶意软件的行为特征具有逻辑相似性这一特点，从行为检测的角度通过追踪API函数调用的逻辑规则来提取恶意软件的特征，并利用静态分析与动态分析相结合的方法来分析恶意行为特征。此外，依据恶意软件家族的目的性、继承性与多样性，构建了恶意软件家族的传递闭包关系，并改进了基于高斯混合模型的增量聚类方法来识别恶意软件家族。实验证明，所提方法不仅能节省恶意软件检测的存储空间，还能显著提高检测的准确率与识别率。

关键词: 恶意软件家族, 高斯混合模型, 增量聚类, API函数调用, 逻辑规则

Abstract:

Aiming at the logical similarity of the behavioral characteristics of malware belonging to the same family,the characteristics of malware were extracted by tracking the logic rules of API function call from the perspective of behavior detection,and the static analysis and dynamic analysis methods were combined to analyze malicious behavior characteristics.In addition,according to the purpose,inheritance and diversity of the malware family,the transitive closure relationship of the malware family was constructed,and then the incremental clustering method based on Gaussian mixture model was improved to identify the malware family.Experiments show that the proposed method can not only save the storage space of malware detection,but also significantly improve the detection accuracy and recognition efficiency.

Key words: malware family, Gaussian mixture model, incremental clustering, API function call, logic rule

中图分类号:

TP393

胡建伟,车欣,周漫,崔艳鹏. 基于高斯混合模型的增量聚类方法识别恶意软件家族[J]. 通信学报, 2019, 40(6): 148-159.

HU Jianwei,CHE Xin,ZHOU Man,CUI Yanpeng. Incremental clustering method based on Gaussian mixture model to identify malware family[J]. Journal on Communications, 2019, 40(6): 148-159.

图/表 12

表1

表2

图1

图2

表3

图3

图4

表4

图5

表5

表6

表7

参考文献 26

[1]	POTTER B , DAY G . The effectiveness of anti-malware tools[J]. Computer Fraud ＆ Security, 2009(3): 12-13.
[2]	KIM J Y , BU S J , CHO S B . Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders[J]. Information Sciences, 2018(460): 83-102.
[3]	PENG W , LI F , ZOU X ,et al. Behavioral malware detection in delay tolerant networks[J]. IEEE Transactions on Parallel and Distributed systems, 2014,25(1): 53-63.
[4]	PEKTA? A , ACARMAN T . Malware classification based on API calls and behaviour analysis[J]. IET Information Security, 2017,12(2): 107-117.
[5]	HAN L , ZHOU M , HAN S ,et al. Targeting malware discrimination based on reversed association task[J]. Concurrency and Computation:Practice and Experience, 2018:e4922.
[6]	KOLOSNJAJI B , ZARRAS A , WEBSTER G ,et al. Deep learning for classification of malware system call sequences[C]// Australasian Joint Conference on Artificial Intelligence. Springer, 2016: 137-149.
[7]	CHO I K , KIM T G , SHIM Y J ,et al. Malware similarity analysis using API sequence alignments[J]. Journal of Internet Services and Information Security., 2014,4(4): 103-114.
[8]	SANTOS I , BREZO F , UGARTE-PEDRERO X ,et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013(231): 64-82.
[9]	ARP D , SPREITZENBARTH M , HUBNER M ,et al. DREBIN:effective and explainable detection of Android malware in your pocket[C]// NDSS. 2014: 23-26.
[10]	XU K S , KLIGER M , HERO III A O . Adaptive evolutionary clustering[J]. Data Mining and Knowledge Discovery, 2014,28(2): 304-336.
[11]	WAN Y , LIU X , WU Y ,et al. ICGT:a novel incremental clustering approach based on GMM tree[J]. Data ＆ Knowledge Engineering, 2018(117): 71-86.
[12]	PFEFFER A , CALL C , CHAMBERLAIN J . Malware analysis and attribution using genetic information[C]// 2012 7th International Conference on Malicious and Unwanted Software (MALWARE). IEEE, 2012: 39-45.
[13]	WU S , WANG P , LI X ,et al. Effective detection of android malware based on the usage of data flow APIs and machine learning[J]. Information and Software Technology, 2016,75: 17-25.
[14]	DAS S , LIU Y , ZHANG W . Semantics-based online malware detection:towards efficient real-time protection against malware[J]. IEEE transactions on information forensics and security, 2016,11(2): 289-302.
[15]	ZHAO H , XU M , ZHENG N ,et al. Malicious executables classification based on behavioral factor analysis[C]// International Conference on e-Education,e-Business,e-Management,and e-Learning. IEEE, 2010: 502-506.
[16]	DENG Z , LLOYD H , XIA C ,et al. Components of variation in female common cuckoo calls[J]. Behavioural Processes, 2018(158): 106-112.
[17]	SARACINO A , SGANDURRA D , DINI G . Madam:effective and efficient behavior-based Android malware detection and prevention[J]. IEEE Transactions on Dependable and Secure Computing, 2018,15(1): 83-97.
[18]	BOULEMNADJEL A , HACHOUF F , KHARFOUCHI S . GMM estimation of 2D-RCA models with applications to texture image classification[J]. IEEE Transactions on Image Processing, 2016,25(2): 528-539.
[19]	ENGEL P M , HEINEN M R . Incremental learning of multivariate gaussian mixture models[C]// Brazilian Symposium on Artificial Intelligence. Springer, 2010: 82-91.
[20]	SONG M Z , WANG H B . Highly efficient incremental estimation of Gaussian mixture models for online data stream clustering[J]. Proceedings of SPIE-International Society for Optics and Photonics, 2005(5803): 174-184.
[21]	TANG Z , SHEN F , ZHAO J . Speaker recognition based on SOINN and incremental learning Gaussian mixture model[C]// The 2013 International Joint Conference on Neural Networks. IEEE, 2013: 1-6.
[22]	LIU Y , PERRONNIN F . A similarity measure between unordered vector sets with application to image categorization[C]// 2008 IEEE Conference on Computer Vision and Pattern Recognition. 2008: 24-26.
[23]	RONEN R , RADU M , FEUERSTEIN C ,et al. Microsoft malware classification challenge[J]. arXiv Preprint,arXiv:1802.10135, 2018.
[24]	LIPTON Z C , BERKOWITZ J , ELKAN C . A critical review of recurrent neural networks for sequence learning[J]. arXiv Preprint,arXiv:1506.00019, 2015.
[25]	LU X F , XIAO Z , JIANG F S ,et al. ASSCA:API based sequence and statistics features combined malware detection architecture[J]. Procedia Computer Science, 2018,129: 248-256.
[26]	AHMED F , HAMEED H , SHAFIQ M Z ,et al. Using spatio-temporal information in API calls with machine learning algorithms for malware detection[C]// The 2nd ACM Workshop on Security and Artificial Intelligence. ACM, 2009: 55-62.

阶段	恶意代码形式实现方式	反分析机制
	GetKeyState	无
初级	键盘记录器GetAsyncKeyState
中级	鼠标记录器和钓鱼木马DdeQueryString LocalAlloc	修改host文件
	DdeQueryString
高级	浏览器帮助对象SetSite	代码混淆、反调试技术、反虚拟机技术
	RetrieveBrowserWindow FindConnectionPoint

分类	目的
间谍程序	未经用户允许的情况下控制系统资源
蠕虫	可主动自我传播和自我执行
木马	盗取被感染主机的敏感信息
后门	对受害者的计算机进行远程秘密访问
Rootkit	自我复制并感染其他程序
病毒	在用户不知情的情况下控制系统资源
勒索	加密和劫持用户主机的关键文件以骗取赎金
恶意挖矿	未经授权使用别人的计算机挖掘“加密货币”

恶意代码家族	行为特征API调用逻辑规则
Wannacy	读取资源F=f₁+ f₂+ f₃+ f₄
	f₁:hRsrc=FindResource(…);
	f₂:hGlobal=LoadResource(…,hRsrc);
	f₃:hGlobal=LoadResource(hGlobal);
	f₄:SizeofResource(…,hRsrc);
NotPetya	进程提权F=f₁+ f₂+ f₃+ f₄
	f₁:OpenProcessToken(…,＆hToken);
	f₂:LookupPrivilegeValue(…);
	f₃:AdjustTokenPrivileges(hToken,…);
	f₄:CloseHandle(hToken);
Kuzzle	读取网页源码 F=f₁+ f₂+ f₃+ f₄
	f₁:hInt1=InttOpen(…);
	f₂:hInt2=OpenUrl(hInt1,…);
	f₃:IntReadFile(hInt2,…);
	f₄:CloseHandle(hInt1,hInt2);

家族	样本总数/个	训练集/个	测试集/个
Kelihos_verl	398	200	198
Kelihos_ver3	2 942	200	2 742
Obfuscator	1 228	200	1 028
Ramnit	1 541	200	1 341
Vundo	475	200	275
Lollopop	2 478	200	2 278
Tracur	751	200	551
Gatak	1 013	200	813

家族	ICGM		ASSCA		OSDM		NCLN
家族	TPR	FPR	TPR	FPR	TPR	FPR	TPR	FPR
Kelihos_verl	90%	0	90%	2.4%	75%	8.3%	84%	9.1%
Kelihos_ver3	64%	0.4%	63%	1.4%	56%	4.6%	50%	6.5%
Obfuscator	89%	0.2%	89%	2.6%	68%	7.4%	72%	7.3%
Ramnit	84%	0%	84%	1.6%	75%	5.73%	79%	3.41%
Vundo	85%	0.6%	84%	3.8%	61%	6.52%	66%	7.2%
Lollopop	78%	0	76%	2.6%	48%	7.24%	53%	5.63%
Tracur	75%	1.0%	75%	4.5%	70%	9.3%	72%	8.6%
Gatak	84%	0	84%	2.8%	79%	8.2%	64%	7.8%

基于高斯混合模型的增量聚类方法识别恶意软件家族

Incremental clustering method based on Gaussian mixture model to identify malware family

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 26

相关文章 6

Metrics

推荐阅读 0

家族	ICGM		STAM
家族	T/min	S/KB	T/min	S/KB
Kelihos_verl	0.9	46.3	1.2	52.5
Kelihos_ver3	2.9	91.5	3.4	93
Obfuscator	2.1	78	2.9	85
Ramnit	2.7	80	3.9	84
Vundo	1.2	50.6	1.5	72
Lollopop	3.1	90.3	4.5	86.2
Tracur	2.6	72	3.4	81
Gatak	2.9	78	3.7	85

[1]	赵泉华,石雪,王玉,李玉. 可变类空间约束高斯混合模型遥感图像分割[J]. 通信学报, 2017, 38(2): 34-43.
[2]	唐鑫,马兆丰,钮心忻,杨义先. 基于变分贝叶斯学习的音频水印盲检测方法[J]. 通信学报, 2015, 36(1): 121-128.
[3]	崔玮,吴成东,张云洲,贾子熙,程龙. 基于高斯混合模型的非视距定位算法[J]. 通信学报, 2014, 35(1): 99-106.
[4]	陈明生,梁光明,孙即祥,刘东华,赵键. 复杂背景下H.264压缩域运动目标检测算法[J]. 通信学报, 2011, 32(3): 91-97.
[5]	赵凌,冯镔,邱锦波. 基于自适应分块外观模型的视觉跟踪[J]. 通信学报, 2011, 32(10): 166-173.
[6]	钱叶魁,陈鸣,郝强,刘凤荣,商文忠. ODC——在线检测和分类全网络流量异常的方法[J]. 通信学报, 2011, 32(1): 111-120.

家族	ICGM		ASSCA
家族	F₁	ACC	F₁	ACC
Kelihos_verl	86%	92%	72.5%	81.8%
Kelihos_ver3	91.5%	94%	74%	82%
Obfuscator	89%	90.7%	78%	75%
Ramnit	90%	87.5%	69%	72%
Vundo	85%	84%	81%	71%
Lollopop	92%	86%	63%	69%
Tracur	84%	91%	76%	82%
Gatak	90%	93%	65%	74%