基于混合特征的恶意PDF文档检测
|
|
杜学绘,林杨东,孙奕
|
Malicious PDF document detection based on mixed feature
|
|
Xuehui DU,Yangdong LIN,Yi SUN
|
|
表8 嵌入的良性特征关键字
|
| |
|
| 特征关键字 | 正常样本集合 | | 恶意样本集合 | 良性表征度 | | 出现概率 | 平均次数 | 出现概率 | 平均次数 | | /Prev | 81.63% | 3.66 | | 1.52% | 3.98 | 0.98 | | /ColorSpace | 63.09% | 6.21 | | 2.00% | 4.63 | 0.98 | | /CropBox | 81.86% | 6.70 | | 3.70% | 3.53 | 0.98 | | /Linearized | 77.50% | 1.00 | | 1.42% | 2.45 | 0.96 | | /ProcSet | 97.50% | 15.50 | | 28.00% | 2.48 | 0.95 | | /PDF | 97.47% | 15.09 | | 27.70% | 2.48 | 0.95 | | /Metadata | 73.46% | 2.79 | | 1.75% | 5.87 | 0.95 | | /Font | 89.37% | 15.76 | | 21.11% | 3.39 | 0.95 | | /elements | 71.29% | 1.47 | | 1.34% | 4.34 | 0.94 | | /Resources | 99.59% | 15.42 | | 31.52% | 3.00 | 0.94 | | /Rotate | 82.02% | 6.72 | | 19.22% | 2.18 | 0.92 | | /Subtype | 99.74% | 26.60 | | 75.75% | 2.88 | 0.92 | | /Encoding | 63.37% | 6.06 | | 16.18% | 2.39 | 0.90 | | /BaseFont | 65.24% | 6.22 | | 17.34% | 2.37 | 0.90 | | /Length | 100.00% | 31.59 | | 98.99% | 4.40 | 0.86 | | /Contents | 99.41% | 5.49 | | 33.59% | 2.36 | 0.85 | | /FlateDecode | 97.52% | 22.83 | | 82.22% | 4.37 | 0.84 | | /Filter | 99.90% | 24.27 | | 95.14% | 4.30 | 0.83 | | /Type | 100.00% | 40.69 | | 99.92% | 7.75 | 0.81 | | /Parent | 99.16% | 11.74 | | 96.56% | 2.47 | 0.80 |
|
|
|