基于特征聚类的海量恶意代码在线自动分析模型

doi:10.3969/j.issn.1000-436x.2013.08.019

Abstract

Abstract:

In order to improve the effectiveness and efficiency of mass malicious code analysis,an online analytical model was proposed including feature space construction,automatic feature extraction and fast clustering.Our research focused on the law of malware behavior and code string distribution by dynamic and static techniques.In this model,a sample was described with its API and key code fragment.This model proposed a fast clustering approach to identify group samples that exhibit similar feature when applied this model to real-world malware collections.The result demonstrates that the proposed model is able to extract feature automatically,support streaming data clustering on large-scale,and achieve better precision.

Key words: malware, on-line analytical, fast clustering, feature extraction

Xiao-lin XU,Xiao-chun YUN,Yong-lin ZHOU,Xue-bin KANG. Online analytical model of massive malware based on feature clusting[J]. Journal on Communications, 2013, 34(8): 146-153.

Figures/Tables 7

References 22

[1]	EGELE M , SCHOLTE T , KIRDA E ,et al. A survey on automated dynamic malware-analysis techniques and tools[J]. ACM Computing Surveys (CSUR), 2012,44(2): 1-42.
[2]	KEPHART J O , ARNOLD W C . Automatic extraction of computer virus signatures[A]. Proceedings of the 4th Virus Bulletin International Conference[C]. 1994. 178-184.
[3]	SATHYANARAYAN V S , KOHLI P , BRUHADESHWAR B . Signature generation and detection of malware families[A]. Information Security and Privacy[C]. Springer Berlin Heidelberg, 2008. 336-349.
[4]	SATISH S , PEREIRA S . Behavioral Signature Generation Using Clustering:WIPO Patent 2011137083[P]. 2011.
[5]	KOLBITSCH C , COMPARETTI P M , KRUEGEL C ,et al. Effective and efficient malware detection at the end host[A]. Proceedings of the 18th Conference on USENIX Security Symposium USENIX Association[C]. 2009. 351-366.
[6]	RAMACHANDRAN A , FEAMSTER N . Understanding the network-level behavior of spammers[J]. ACM Sigcomm Computer Communication Review, 2006,36(4): 291-302.
[7]	INOUE D , YOSHIOKA K , ETO M ,et al. Malware behavior analysis in isolated miniature network for revealing malware's network activity[A]. IEEE International Conference on Communications[C]. 2008. 1715-1721.
[8]	MORALES J A,AL-BATAINEH A , AL-BATAINEH A , XU S ,et al. Analyzing and exploiting network behaviors of malware[A]. Security and Privacy in Communication Networks[C]. Springer Berlin Heidelberg, 2010. 20-34.
[9]	PERDISCI R , LEE W , FEAMSTER N . Behavioral clustering of HTTP-based malware and signature generation using malicious network traces[A]. Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation USENIX Association[C]. 2010. 26-26.
[10]	RIECK K , HOLZ T , WILLEMS C ,et al. Learning and classification of malware behavior[A]. Detection of Intrusions and Malware,and Vulnerability Assessment[C]. Springer Berlin Heidelberg, 2008. 108-125.
[11]	BAILEY M , OBERHEIDE J , ANDERSEN J ,et al. Automated classification and analysis of internet malware[A]. Recent Advances in Intrusion Detection[C]. Springer Berlin Heidelberg, 2007. 178-197.
[12]	RIECK K , HOLZ T , WILLEMS C ,et al. Learning and classification of malware behavior[A]. Detection of Intrusions and Malware,and Vulnerability Assessment[C]. Springer Berlin Heidelberg, 2008. 108-125.
[13]	SATHYANARAYAN V S , KOHLI P , BRUHADESHWAR B . Signature generation and detection of malware families[A]. Information Security and Privacy[C]. Springer Berlin Heidelberg, 2008. 336-349.
[14]	BRANCO R R , SHAMIR U . Architecture for automation of malware analysis[A]. The 5th International Conference on Malicious and Unwanted Software (MALWARE)[C]. 2010. 106-112.
[15]	YE Y , LI T , CHEN Y ,et al. Automatic malware categorization using cluster ensemble[A]. Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining[C]. ACM, 2010. 95-104.
[16]	CESARE S , XIANG Y , ZHOU W . Malwise——an effective and efficient classification system for packed and polymorphic malware[J]. IEEE Trans on Computer, 2013,62(6): 1193-1206.
[17]	MASUD M M , AL-KHATEEB T M , HAMLEN K W ,et al. Cloud-based malware detection for evolving data streams[J]. ACM Transactions on Management Information Systems (TMIS), 2011,2(3): 1-27.
[18]	PAULEVE L , JEGOU H , AMSALEG L . Locality sensitive hashing:a comparison of hash function types and querying mechanisms[J]. Pattern Recognition Letters, 2010,31(11): 1348-1358.
[19]	KOGA H , ISHIBASHI T , WATANABE T . Fast agglomerative hierarchical clustering algorithm using locality-sensitive hashing[J]. Knowledge and Information Systems, 2007,12(1): 25-53.
[20]	BAYER U , COMPARETTI P M , HLAUSCHEK C ,et al. Scalable,behavior-based malware clustering[A]. Network and Distributed System Security Symposium (NDSS)[C]. 2009. 8-11.
[21]	INDYK P , MOTWANI R . Approximate nearest neighbors:towards removing the curse of dimensionality[A]. Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing[C]. 1998. 604-613.
[22]	MIN K , YANG L , WRIGHT J ,et al. Compact projection:simple and efficient near neighbor search with practical memory requirements[A]. IEEE Conference on Computer Vision and Pattern Recognition (CVPR)[C]. 2010. 3477-3484.

Metrics

Recommended 0

No Suggested Reading articles found!

名称	样本组成	数量
黑样本集	活体病毒库	838 864
	Windows XP 系统文件、软件	8 244
白样本集	Windows 2003 系统文件、软件	8 298
	Windows Vista 系统文件、软件	15 832

聚类方法	聚类样本	未聚类样本	家族数	准确率
OMA	15 765	3 769	905	78%
卡巴斯基	13 385	6 149	483	69%

案例号	聚类ID	数量	卡巴识别	家族样本数量
			Packed.Win32.Krap	9
1	174	71	Trojan-Spy.Win32.Zbot	44
			NULL	17
			Trojan.Win32.BHO (num :10)	10
2	303	25	Trojan-Dropper.Win32.Agent (num :2)	2
			NULL (num :13)	13
			Trojan.Win32.Buzus (num :7)	7
3	73	12	NULL (num :5)	5
			HEUR:Trojan.Win32.Generic	1
			Trojan.Win32.StartPage.balfnot-a-virus	70
			AdWare.WinLNK.Clicker.c	4
			HEUR:Trojan.RAR.Clicker.a	3
			Backdoor.Win32.Ruskill.fix	1
4	49	92	UPX'}}	1
			Virus.Win32.Neshta.b	1
			Trojan-Downloader.Win32.Agent.usxo	1
			Trojan.Win32.Hosts2.gen	1
			Trojan-Downloader.Win32.Small.cmj	1

样本编号	样本MD5	卡巴对照命名
1.1	845DF5E5821477BDAE21B1F7BC90AD41	NULL
1.2	359971A23F67694CB20F6F107E245139	NULL
1.3	E94E167187F6BCC700CEE5A32295B967	Packed.Win32.Krap.iu
1.4	480C18B817BD344FE441BAFA7805508C	Packed.Win32.Krap.iu
1.5	C9D42C22F8F6B02C7C504E02443B9733	Trojan-Spy.Win32.Zbot.efaw
1.6	CE3FAEBDCFC702FCE49C943957D376F2	Trojan-Spy.Win32.Zbot.eibr
1.7	3AC709F98C7CBDAC073FA84BFE5C2D06	Trojan-Spy.Win32.Zbot.eeoj

Online analytical model of massive malware based on feature clusting

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 22

Related Articles 15

Metrics

Recommended 0

[1]	Feibo JIANG, Yubo PENG, Li DONG. Deep image semantic communication model for 6G [J]. Journal on Communications, 2023, 44(3): 198-208.
[2]	Julong LAN, Di ZHU, Dan LI. Intelligent prediction method of virtual network function resource capacity for polymorphic network service slicing [J]. Journal on Communications, 2022, 43(6): 143-155.
[3]	Xiaodan WANG, Jingtai LI, Yafei SONG. DDAC: a feature extraction method for model of image steganalysis based on convolutional neural network [J]. Journal on Communications, 2022, 43(5): 68-81.
[4]	Jie LAI, Xiaodan WANG, Qian XIANG, Yafei SONG, Wen QUAN. Review on autoencoder and its application [J]. Journal on Communications, 2021, 42(9): 218-230.
[5]	Limin XIAO,Xiangrong XU,Zhuangkun WEI,Shenghan LIU,Yiwen LIU. Channel impulse response insensitive feature for non-coherent signal detection in molecular communication [J]. Journal on Communications, 2020, 41(9): 49-58.
[6]	Chunxiang GU,Weisen WU,Ya’nan SHI,Guangsong LI. Method of unknown protocol classification based on autoencoder [J]. Journal on Communications, 2020, 41(6): 88-97.
[7]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[8]	HU Jianwei,CHE Xin,ZHOU Man,CUI Yanpeng. Incremental clustering method based on Gaussian mixture model to identify malware family [J]. Journal on Communications, 2019, 40(6): 148-159.
[9]	Jingyi QU,Meng YE,Xing QU. Airport delay prediction model based on regional residual and LSTM network [J]. Journal on Communications, 2019, 40(4): 149-159.
[10]	Yuan XU,Chao YANG,Li YANG. Single password authentication method for remote user based on mobile terminal assistance [J]. Journal on Communications, 2019, 40(2): 174-187.
[11]	Shan GAI. Feature extraction algorithm based on quaternion common spatial pattern for banknote recognition [J]. Journal on Communications, 2018, 39(12): 40-46.
[12]	Yashu LIU,Zhihai WANG,Hanbing YAN,Yueran HOU,Yukun LAI. Method of anti-confusion texture feature descriptor for malware images [J]. Journal on Communications, 2018, 39(11): 44-53.
[13]	Wei-guo SHEN,Wei WANG. Keystroke features recognition based on stable linear discriminant analysis [J]. Journal on Communications, 2017, 38(Z2): 26-29.
[14]	Bo CHEN,Yong-tao PAN,Tie-ming CHEN. Android malware detection method based on SimHash [J]. Journal on Communications, 2017, 38(Z2): 30-36.
[15]	Bing-lin ZHAO,Xi MENG,Jin HAN,Jing WANG,Fu-dong LIU. Homology analysis of malware based on graph [J]. Journal on Communications, 2017, 38(Z2): 86-93.