Journal on Communications (通信学报) ›› 2014, Vol. 35 ›› Issue (8): 125-136. doi: 10.3969/j.issn.1000-436x.2014.08.016

• Academic Paper •

Research on malicious code variant detection based on texture fingerprints (original Chinese title: 基于纹理指纹的恶意代码变种检测方法研究)

Xiao-guang HAN (韩晓光)1, Wu QU (曲武)2,3, Xuan-xia YAO (姚宣霞)1, Chang-you GUO (郭长友)1, Fang ZHOU (周芳)1

  1. 1 School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China
    2 Core Research Institute, Beijing Venustech Cybervision Co. Ltd., Beijing 100193, China
    3 Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
  • Online: 2014-08-25 Published: 2017-06-29
  • Supported by:
    The National Basic Research Program of China (973 Program); The National Natural Science Foundation of China, Key Program; The National Natural Science Foundation of China, General Program

Research on malicious code variants detection based on texture fingerprint

Xiao-guang HAN1, Wu QU2,3, Xuan-xia YAO1, Chang-you GUO1, Fang ZHOU1

  1. 1 School of Computer & Communication Engineering, University of Science & Technology Beijing, Beijing 100083, China
    2 Core Research Institute, Beijing Venustech Cybervision Co. Ltd., Beijing 100193, China
    3 Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
  • Online:2014-08-25 Published:2017-06-29
  • Supported by:
    The National Basic Research Program of China (973 Program);The National Natural Science Foundation of China, Key Program;The National Natural Science Foundation of China, General Program

Abstract (translated from the Chinese):

A texture-fingerprint-based method for extracting features from, and detecting, malicious code is proposed. Combining image-analysis techniques with malicious-code variant detection, the method maps the malicious code to an uncompressed gray-scale image, partitions the image into blocks with a texture segmentation algorithm, extracts the texture features of each block with the gray-level co-occurrence matrix (GLCM) algorithm, and takes these per-block texture features as the texture fingerprint of the malicious code. A texture-fingerprint index structure is then built from the fingerprints of the samples. In the detection phase, a block-generation policy for malicious-code texture fingerprints is applied, and variants and unknown malicious code are detected by weighted, multi-segment texture-fingerprint similarity matching. On this basis, a prototype system for texture-fingerprint extraction and detection is implemented. The system was validated experimentally by analysing and detecting six malicious-code sample datasets. The results show that the features extracted with this method are fast to match and accurate, and that the method recognises malicious-code variants well.

Keywords: network security, malicious code variant detection, texture fingerprint, spatial similarity retrieval

Abstract:

A texture-fingerprint-based approach is proposed for extracting features from, and detecting, malware content. The texture fingerprint of a malware sample is the set of texture fingerprints of the blocks of its uncompressed gray-scale image. Integrating image-analysis techniques with malicious-code variant detection, the malicious code is mapped to an uncompressed gray-scale image, the image is partitioned into blocks by a texture segmentation algorithm, and the texture fingerprint of each block is extracted with the gray-level co-occurrence matrix algorithm. An index structure for the texture fingerprints is then built on a statistical analysis of the texture fingerprints of the malicious-code samples. In the detection phase, following the generation policy for malicious-code texture fingerprints, a prototype system for texture-fingerprint extraction and detection is constructed that detects variants and unknown malicious code by weighted multi-segment texture-fingerprint similarity matching. Experimental results show that the malware variant detection system built on the proposed approach performs well in both speed and accuracy and identifies malware variants effectively.

Key words: network security, malware variants detection, texture fingerprint, spatial similarity retrieval
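The pipeline both abstracts describe (byte-to-image mapping, block-wise GLCM texture features, a multi-segment fingerprint, weighted similarity matching against a fingerprint corpus), as an added Python example; this is not code from the paper or its authors. It simplifies the published method in ways that are assumptions of this illustration: blocks are fixed-size strips rather than the output of a texture segmentation algorithm, four GLCM statistics (contrast, energy, homogeneity, entropy) stand in for the paper's feature set, segment weights default to uniform, and the "index" is a linear scan over a dictionary rather than a spatial similarity index. The sample bytes (SAMPLE_A, VARIANT_B, UNRELATED_C), the 64-pixel row width, the 16 gray levels and the 0.6 decision threshold are all constructed for the example.

```python
"""Toy texture-fingerprint pipeline (added illustration, not the paper's code).

Assumed simplifications: fixed-size blocks instead of texture segmentation,
four GLCM statistics instead of the paper's feature set, uniform segment
weights, and a linear scan over a dict instead of a spatial index.
"""
import math
from collections import Counter

LEVELS = 16  # gray levels after quantising a byte (assumed)


def bytes_to_image(data, width=64):
    """Map raw bytes to an uncompressed gray-scale image: one byte per pixel,
    rows of fixed width, last row zero-padded."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] += [0] * (width - len(rows[-1]))
    return rows


def glcm(block, dx=1, dy=0):
    """Symmetric, normalised gray-level co-occurrence matrix of one block for
    the pixel offset (dx, dy); keys are (level_a, level_b) pairs."""
    counts = Counter()
    h, w = len(block), len(block[0])
    for y in range(h):
        for x in range(w):
            y2, x2 = y + dy, x + dx
            if 0 <= y2 < h and 0 <= x2 < w:
                a = block[y][x] * LEVELS // 256
                b = block[y2][x2] * LEVELS // 256
                counts[(a, b)] += 1
                counts[(b, a)] += 1
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def texture_features(p):
    """Four classic GLCM statistics of a normalised co-occurrence matrix."""
    contrast = sum(q * (i - j) ** 2 for (i, j), q in p.items())
    energy = sum(q * q for q in p.values())
    homogeneity = sum(q / (1 + abs(i - j)) for (i, j), q in p.items())
    entropy = -sum(q * math.log2(q) for q in p.values())
    return (contrast, energy, homogeneity, entropy)


def texture_fingerprint(data, width=64, block_rows=4):
    """Texture fingerprint = list of per-block feature tuples, in file order."""
    image = bytes_to_image(data, width)
    return [texture_features(glcm(image[r:r + block_rows]))
            for r in range(0, len(image), block_rows)]


def segment_similarity(fa, fb):
    """1 minus the mean relative difference of two feature tuples (0..1)."""
    diffs = []
    for a, b in zip(fa, fb):
        scale = max(abs(a), abs(b))
        diffs.append(0.0 if scale < 1e-12 else abs(a - b) / scale)
    return 1.0 - sum(diffs) / len(diffs)


def fingerprint_similarity(fp_a, fp_b, weights=None):
    """Weighted multi-segment similarity; segments beyond the shorter
    fingerprint are ignored, weights default to uniform."""
    n = min(len(fp_a), len(fp_b))
    if n == 0:
        return 0.0
    weights = (weights or [1.0] * n)[:n]
    score = sum(w * segment_similarity(a, b)
                for w, a, b in zip(weights, fp_a, fp_b))
    return score / sum(weights)


def classify(sample, corpus, threshold=0.6):
    """Return (label, score) of the most similar reference fingerprint, or
    (None, score) when the best match is below the threshold."""
    fp = texture_fingerprint(sample)
    best_label, best_score = None, 0.0
    for label, ref in corpus.items():
        s = fingerprint_similarity(fp, ref)
        if s > best_score:
            best_label, best_score = label, s
    return (best_label if best_score >= threshold else None, best_score)


def _lcg_bytes(seed, n):
    """Deterministic pseudo-random bytes standing in for packed/encrypted data."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples: 1024 bytes = 16 rows of 64 = four 4-row blocks.
SAMPLE_A = (bytes(range(256))                  # block 0: smooth gradient
            + b"\x00" * 128 + b"\xff" * 128    # block 1: two flat halves
            + _lcg_bytes(1, 256)               # block 2: noise-like data
            + (b"PADDING" * 37)[:256])         # block 3: repetitive text
VARIANT_B = bytearray(SAMPLE_A)
VARIANT_B[300:316] = b"\x80" * 16              # patch 16 bytes inside block 1
VARIANT_B = bytes(VARIANT_B)
UNRELATED_C = _lcg_bytes(7, 1024)              # entirely noise-like file
CORPUS = {"family_x": texture_fingerprint(SAMPLE_A)}

if __name__ == "__main__":
    fp_a = CORPUS["family_x"]
    for name, data in (("A vs A", SAMPLE_A), ("A vs B", VARIANT_B),
                       ("A vs C", UNRELATED_C)):
        print(name, round(fingerprint_similarity(fp_a, texture_fingerprint(data)), 3))
    print("B ->", classify(VARIANT_B, CORPUS), " C ->", classify(UNRELATED_C, CORPUS))
```

Running the module prints the three similarities: a file against itself scores exactly 1.0; the variant, with 16 bytes patched in one block, stays high because three of its four segments are untouched and only the patched segment loses score; the unrelated noise-like file falls well below the threshold. Two caveats a practitioner should keep in mind with any byte-as-pixel scheme. First, because pixels are raw bytes, packing or encrypting a binary replaces its texture with near-uniform noise, so unrelated packed samples look alike (here the noise-vs-noise segment scores high on its own) while a packed variant no longer resembles its unpacked parent. Second, matching segments by position, as above, is fragile against inserted or removed sections that shift everything after them; the paper's block-generation policy and index are what absorb that, and this fixed-strip version does not.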
