Journal on Communications ›› 2019, Vol. 40 ›› Issue (2): 118-128.doi: 10.11959/j.issn.1000-436x.2019028
Xuehui DU, Yangdong LIN, Yi SUN
Revised: 2018-05-11
Online: 2019-02-01
Published: 2019-03-04
Xuehui DU,Yangdong LIN,Yi SUN. Malicious PDF document detection based on mixed feature[J]. Journal on Communications, 2019, 40(2): 118-128.
"
常规特征 | 安全相关性 |
文件大小 | 恶意PDF文档一般不包含有意义的文本图片等内容,文件大小一般较小 |
文件版本号 | 不同版本的漏洞数量及安全性存在差异 |
包含JavaScript代码的对象数量 | 一般情况下,恶意PDF文档中包含JavaScript的可能性远大于正常PDF文档 |
嵌入的文件数量 | 正常文档一般没有额外嵌入的文件,而部分类型的恶意文档通过嵌入恶意文件来实施攻击 |
不完整对象的数量 | 恶意文档中存在缺失结构字段的对象数量比例往往远大于正常文档 |
交叉引用表的数量 | 恶意文档中缺少交叉引用表或交叉引用表不可识别的比例往往远大于正常文档 |
特殊操作函数 | 恶意文档中出现OpenAction、Launch等操作函数的可能性较正常文档更大 |
"
Table 2. Keyword features, their occurrence in the benign and malicious sample sets, and benign characterization degree

| Feature keyword | Benign set: occurrence probability | Benign set: mean count | Malicious set: occurrence probability | Malicious set: mean count | Benign characterization degree |
| --- | --- | --- | --- | --- | --- |
| /Prev | 81.63% | 3.66 | 1.52% | 3.98 | 0.98 |
| /ColorSpace | 63.09% | 6.21 | 2.00% | 4.63 | 0.98 |
| /CropBox | 81.86% | 6.70 | 3.70% | 3.53 | 0.98 |
| /Linearized | 77.50% | 1.00 | 1.42% | 2.45 | 0.96 |
| /ProcSet | 97.50% | 15.50 | 28.00% | 2.48 | 0.95 |
| | 97.47% | 15.09 | 27.70% | 2.48 | 0.95 |
| /Metadata | 73.46% | 2.79 | 1.75% | 5.87 | 0.95 |
| /Font | 89.37% | 15.76 | 21.11% | 3.39 | 0.95 |
| /elements | 71.29% | 1.47 | 1.34% | 4.34 | 0.94 |
| /Resources | 99.59% | 15.42 | 31.52% | 3.00 | 0.94 |
| /Rotate | 82.02% | 6.72 | 19.22% | 2.18 | 0.92 |
| /Subtype | 99.74% | 26.60 | 75.75% | 2.88 | 0.92 |
| /Encoding | 63.37% | 6.06 | 16.18% | 2.39 | 0.90 |
| /BaseFont | 65.24% | 6.22 | 17.34% | 2.37 | 0.90 |
| /Length | 100.00% | 31.59 | 98.99% | 4.40 | 0.86 |
| /Contents | 99.41% | 5.49 | 33.59% | 2.36 | 0.85 |
| /FlateDecode | 97.52% | 22.83 | 82.22% | 4.37 | 0.84 |
| /Filter | 99.90% | 24.27 | 95.14% | 4.30 | 0.83 |
| /Type | 100.00% | 40.69 | 99.92% | 7.75 | 0.81 |
| /Parent | 99.16% | 11.74 | 96.56% | 2.47 | 0.80 |
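The features in both tables can be read straight off a document's bytes. The Python below is an added illustration, not the paper's code: it computes the Table 1 conventional features (version, JavaScript objects, embedded files, incomplete objects, cross-reference tables, OpenAction/Launch) and the Table 2 keyword counts over two constructed, abbreviated samples; the benign characterization degree is not reproduced because the page does not give its formula.

```python
import re

# Keywords from Table 2, matched with a trailing word boundary so /Font does not also count /FontFile.
KEYWORDS = [b"/Prev", b"/ColorSpace", b"/CropBox", b"/Linearized", b"/ProcSet", b"/Metadata",
            b"/Font", b"/Resources", b"/Rotate", b"/Subtype", b"/Encoding", b"/BaseFont",
            b"/Length", b"/Contents", b"/FlateDecode", b"/Filter", b"/Type", b"/Parent"]
_HDR_RE = re.compile(rb"\b\d+\s+\d+\s+obj\b")   # "N G obj" object headers


def extract_features(data: bytes) -> dict:
    """Table 1 conventional features and Table 2 keyword counts from raw PDF bytes."""
    bodies = _HDR_RE.split(data)[1:]             # text after each header, up to the next header
    version = re.match(rb"%PDF-(\d\.\d)", data)
    return {
        "file_size": len(data),
        "version": version.group(1).decode() if version else None,
        # objects carrying script: a /JavaScript or /JS key
        "js_objects": sum(1 for b in bodies if re.search(rb"/(JavaScript|JS)\b", b)),
        "embedded_files": sum(1 for b in bodies if b"/EmbeddedFile" in b),
        # an object header that is never closed by endobj is structurally incomplete
        "incomplete_objects": sum(1 for b in bodies if b"endobj" not in b),
        # classic xref tables at line start, plus cross-reference stream objects
        "xref_tables": len(re.findall(rb"(?m)^xref\b", data)) + sum(1 for b in bodies if b"/XRef" in b),
        "action_functions": len(re.findall(rb"/(OpenAction|Launch)\b", data)),
        "keywords": {k.decode(): len(re.findall(re.escape(k) + rb"\b", data)) for k in KEYWORDS},
    }


# Constructed, abbreviated samples (not renderable PDFs; xref entries are omitted).
BENIGN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Rotate 0 /CropBox [0 0 612 792]\n"
    b"   /Resources << /Font << /F1 4 0 R >> /ProcSet [/PDF /Text] >> /Contents 5 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica /Encoding /WinAnsiEncoding >>\nendobj\n"
    b"5 0 obj\n<< /Length 36 >>\nstream\nBT /F1 12 Tf 72 720 Td (Hi) Tj ET\nendstream\nendobj\n"
    b"xref\n0 6\ntrailer\n<< /Size 6 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)
SUSPICIOUS_SAMPLE = (
    b"%PDF-1.1\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"4 0 obj\n<< /Type /EmbeddedFile /Length 5 >>\nstream\nAAAAA\n"   # never closed: incomplete
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, extract_features(doc))
```

Real documents need a proper parser (object streams, encrypted dictionaries and cross-reference streams defeat plain byte matching), which is exactly the evasion space the structural-feature literature discusses.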