基于图结构的恶意代码同源性分析

doi:10.11959/j.issn.1000-436x.2017259

Abstract

Abstract:

Malware detection and homology analysis has been the hotspot of malware analysis.API call graph of malware can represent the behavior of it.Because of the subgraph isomorphism algorithm has high complexity,the analysis of malware based on the graph structure with low efficiency.Therefore,this studies a homology analysis method of API graph of malware that use convolutional neural network.By selecting the key nodes,and construct neighborhood receptive field,the convolution neural network can handle graph structure data.Experimental results on 8 real-world malware family,shows that the accuracy rate of homology malware analysis achieves 93%,and the accuracy rate of the detection of malicious code to 96%.

Key words: malware, homology analysis, API call graph, convolutional neural network

CLC Number:

TP302

Bing-lin ZHAO,Xi MENG,Jin HAN,Jing WANG,Fu-dong LIU. Homology analysis of malware based on graph[J]. Journal on Communications, 2017, 38(Z2): 86-93.

Figures/Tables 9

References 24

[1]	SAXE J , BERLIN K . Deep neural network based malware detection using two dimensional binary program features[C]// International Conference on Malicious and Unwanted Software. 2015: 11-20.
[2]	SANTOS I , BREZO F,UGARTE-PEDRERO X ,et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013,231(9): 64-82.
[3]	GUPTA S , SHARMA H , KAUR S . Malware characterization using windows API call sequences[C]// International Conference on Security,Privacy,and Applied Cryptography Engineering. Springer International Publishing, 2016: 271-280.
[4]	NARAYANAN A , MENG G , YANG L ,et al. Contextual Weisfeiler-Lehman graph kernel for malware detection[C]// International Joint Conference on Neural Networks. 2016: 4701-4708.
[5]	EPPSTEIN D . Subgraph isomorphism in planar graphs and related problems[J]. SODA'95 Proceedings of the sixth annual ACM-SIAM symposium on Discrete algorithms, 1999,3(3): 332-346.
[6]	NIEPERT M , AHMED M , KUTZKOV K . Learning convolutional neural networks for graphs[C]// International Conference on Machine Learning, 2016: 2014-2023.
[7]	DUVENAUD D K , MACLAURIN D , IPARRAGUIRRE J ,et al. Convolutional networks on graphs for learning molecular fingerprints[C]// Advances in Neural Information Processing Systems. 2015: 2224-2232.
[8]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv preprint arXiv:1609.02907, 2016.
[9]	DEFFERRARD M , BRESSON X , VANDERGHEYNST P . Convolutional neural networks on graphs with fast localized spectral filtering[C]// Advances in Neural Information Processing Systems, 2016: 3844-3852.
[10]	KI Y , KIM E , KIM H K . A novel approach to detect malware based on API call sequence analysis[J]. International Journal of Distributed Sensor Networks, 2015,11(6):659101.
[11]	THOMPSON J D , GIBSON T J , HIGGINS D G . Multiple sequence alignment using CrustalW and clustalX[J]. Current protocols in bioinformatics, 2002.
[12]	LEE T , CHOI B , SHIN Y ,et al. Automatic malware mutant detection and group classification based on the n-gram and clustering coefficient[J]. The Journal of Supercomputing, 2015: 1-15.
[13]	OKTAVIANTO D , MUHARDIANTO I . Cuckoo malware analysis[M]. Packt Publishing, 2013.
[14]	CESARE S , XIANG Y , ZHOU W . Malwise-an effective and efficient classification system for packed and polymorphic malware[J]. IEEE Transactions on Computers, 2013,62(6): 1193-1206.
[15]	PARK Y , REEVES D , MULUKUTLA V ,et al. Fast malware classification by automated behavioral graph matching[C]// AMIA Annu Symp Proc, 2010: 1-4.
[16]	KINABLE J , KOSTAKIS O . Malware classification based on call graph clustering[J]. Journal of Computer Virology and Hacking Techniques, 2011,7(4): 233-245.
[17]	HASSEN M , CHAN P K . scalable function call graph-based malware classification[C]// The Seventh ACM on Conference on Data and Application Security and Privacy. 2017: 239-248.
[18]	杨帆, 张焕国, 傅建明 ,等. 基于图编辑距离的恶意代码检测[J]. 武汉:武汉大学学报(理学版), 2013,59(5): 453-457.
	YANG F , ZHANG F G , FU J M ,et al. Malware Detection Based on Graph Edit Distance[J]. Wuhan:Wuhan Univ (Nat Sci Ed.) , 2013,59(5): 453-457.
[19]	刘星, 唐勇 . 恶意代码的函数调用图相似性分析[J]. 计算机工程与科学, 2014,36(3): 481-486.
	LIU X , TANG Y . Similarity analysis of malware’s function-call graphs[J]. Computer Engineering ＆ Science, 2014,36(3): 481-486.
[20]	ARASU A . Hector garcia-molina,andreas paepcke,and sriram raghavan.searching the Web[J]. ACM Transactions on Internet Technology, 2001,1: 2-43.
[21]	TOTAL V . VirusTotal-Free online virus,malware and URL scanner[J]. 2012.
[22]	WU H C , LUK R W P , WONG K F ,et al. Interpreting TF-IDF term weights as making relevance decisions[J]. ACM Transactions on Information Systems, 2008,26(3): 55-59.
[23]	SANTOS I , BREZO F UGARTE-PEDRERO X ,et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection[J]. Information Sciences, 2013,231(9): 64-82.
[24]	SANTOS I , DEVESA J , BREZO F ,et al. OPEM:a static-dynamic approach for machine-learning-based malware detection[M]// International Joint Conference CISIS’12-ICEUTE’12-SOCO’12 Special Sessions. Springer Berlin Heidelberg, 2013: 271-280.

Metrics

Recommended 0

No Suggested Reading articles found!

编号	家族名称
1	Backdoor.Win32.Hupigon
2	Backdoor.Win32.Agent
3	Backdoor.Win32.PcClient
4	Trojan.Win32.Agent
5	Backdoor.Win32.Bifrose
6	Backdoor.Win32.Poison
7	Rootkit.Win32.Agent
8	Hoax.Win32.Renos

训练集规模/个	准确率	误报率
200	0.91	0.07
400	0.923	0.062
600	0.942	0.05
800	0.967	0.041

使用方法	准确率
Byte Code n-gram + Opcode n-gram	0.96
Opcode n-gram + API	0.962
API graph + CNN	0.967

Homology analysis of malware based on graph

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 24

Related Articles 15

Metrics

Recommended 0

[1]	Yurong LIAO, Haining WANG, Cunbao LIN, Yang LI, Yuqiang FANG, Shuyan NI. Research progress of deep learning-based object detection of optical remote sensing image [J]. Journal on Communications, 2022, 43(5): 190-203.
[2]	Fan ZHANG, Yun HUANG, Zizhuo FANG, Wei GUO. Lost-minimum post-training parameter quantization method for convolutional neural network [J]. Journal on Communications, 2022, 43(4): 114-122.
[3]	Zhengyu ZHU, Gengwang HOU, Chongwen HUANG, Gangcan SUN, Wanming HAO, Jing LIANG. Systems resource allocation algorithm for RIS-assisted D2D secure communication based on parallel CNN [J]. Journal on Communications, 2022, 43(3): 172-179.
[4]	Hongyan WANG, Libin ZHANG, Guoqiang CHEN, Zumin WANG, Zhiyuan GUAN. Approach of target tracking combining particle filter and metric learning [J]. Journal on Communications, 2021, 42(5): 98-110.
[5]	Nianwen SI, Wenlin ZHANG, Dan QU, Heyu CHANG, Shengxiang LI, Tong NIU. Generalized Grad-CAM attacking method based on adversarial patch [J]. Journal on Communications, 2021, 42(3): 23-35.
[6]	Hongmin GAO, Xueying CAO, Zhonghao CHEN, Zaijun HUA, Chenming LI, Yue CHEN. Hyperspectral image classification method based on multi-scale proximal feature concatenate network [J]. Journal on Communications, 2021, 42(2): 92-102.
[7]	Jun YANG,Jisheng DANG. Semantic segmentation of 3D point cloud based on contextual attention CNN [J]. Journal on Communications, 2020, 41(7): 195-203.
[8]	Hongmin GAO,Xueying CAO,Yao YANG,Zaijun HUA,Chenming LI. Application of bilateral fusion model based on CNN in hyperspectral image classification [J]. Journal on Communications, 2020, 41(11): 132-140.
[9]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[10]	Meng ZHANG,Haoliang SUN,Peng YANG. Identification of DNS covert channel based on improved convolutional neural network [J]. Journal on Communications, 2020, 41(1): 169-179.
[11]	Xin ZHOU,Xiaoxin HE,Changwen ZHENG. Radio signal recognition based on image deep learning [J]. Journal on Communications, 2019, 40(7): 114-125.
[12]	HU Jianwei,CHE Xin,ZHOU Man,CUI Yanpeng. Incremental clustering method based on Gaussian mixture model to identify malware family [J]. Journal on Communications, 2019, 40(6): 148-159.
[13]	Yuan XU,Chao YANG,Li YANG. Single password authentication method for remote user based on mobile terminal assistance [J]. Journal on Communications, 2019, 40(2): 174-187.
[14]	Jia LI,Xiaochun YUN,Shuhao LI,Yongzheng ZHANG,Jiang XIE,Fang FANG. HTTP malicious traffic detection method based on hybrid structure deep neural network [J]. Journal on Communications, 2019, 40(1): 24-33.
[15]	Linhui LI,Bo QIAN,Jing LIAN,Weina ZHENG,Yafu ZHOU. Study on traffic scene semantic segmentation method based on convolutional neural network [J]. Journal on Communications, 2018, 39(4): 123-130.