基于纹理指纹的恶意代码变种检测方法研究

doi:10.3969/j.issn.1000-436x.2014.08.016

Abstract

Abstract:

A texture-fingerprint-based approach is proposed to extract or detect the feature from malware content. The texture fingerprint of a malware is the set of texture fingerprints for each uncompressed gray-scale image block. The ma-licious code is mapped to uncompressed gray-scale image by integrating image analysis techniques and variants of mali-cious code detection technology. The uncompressed gray-scale image is partitioned into blocks by the texture segmen-tation algorithm. The texture fingerprints for each uncompressed gray-scale image block is extracted by gray-scale co-occurrence matrix algorithm. Afterwards, the index structure for fingerprint texture is built on the statistical analy-sis of general texture fingerprints of malicious code samples. In the detection phase, according to the generation policy for malicious code texture fingerprint, the prototype system for texture fingerprint extraction and detection is con-structed by employing the integrated weight method to multi-segmented texture fingerprint similarity matching to de-tect variants and unknown malicious codes. Experimental results show that the malware variants detection system based on the proposed approach has good performance not only in speed and accuracy but also in identifying malware variants.

Key words: network security, malware variants detection, texture fingerprint, spatial similarity retrieval

Xiao-guang HAN,UWu Q,AOXuan-xia Y,UOChang-you G,Fang ZHOU. Research on malicious code variants detection based on texture fingerprint[J]. Journal on Communications, 2014, 35(8): 125-136.

Figures/Tables 11

References 30

[1]	SYMANTEC. Highlights from 2010 internet security threat report[EB/OL]. , 2011.
[2]	SYMANTEC. Highlights from 2012 internet security threat report[EB/OL]. , 2013.
[3]	LI Y , ZUO Z H . An overview of object-code obfuscation technolo-gies[J]. Journal of Computer Technology and Development, 2007,17(4): 125-127.
[4]	NATARAJ L , KARTHIKEYAN S , JACOB G , et al. Malware images:visualization and automatic classification[A]. Proceedings of VizSec[C]. Pittsburgh, USA 2011.
[5]	NATARAJ L , YEGNESWARAN V , PORRAS P , et al. A comparative assessment of malware classification using binary texture analysis and dynamic analysis[A]. Proceedings of the 4th ACM Workshop on Secu-rity and Artificial Intelligence[C]. Chicago, USA, 2011. 21-30.
[6]	王蕊，冯登国，杨轶等. 基于语义的恶意代码行为特征提取及检测方法[J]. 软件学报， 2012,23(2):378-393. WANG R , FENG D G , YANG Y , et al. Semantics-based malware be-havior signature extraction and detection method[J]. Journal of Soft-ware, 2012,23(2):378-393.
[7]	COGSWELL B , RUSSINOVICH M . Rootkit revealer[EB/OL]. , 2006.
[8]	KIRDA E , KRUEGEL C , BANKS G , et al. Behavior-based spyware detection[A]. Proceedings of the 15th USENIX Security Sympo-sium[C]. Canada, 2006. 273-288.
[9]	CHRISTODORESCU M , JHA S , SESHIA S A , et al. Semantics-aware malware detection[A]. Proc of the 2005 IEEE Symposium on Security and Privacy[C]. California, USA, 2005. 32-46.
[10]	KINDER J , KATZENBEISSER S , SCHALLHART C , et al. Detecting malicious code by model checking[A]. Detection of Intrusions and Malware, and Vulnerability Assessment, 2005,3548: 174-187.
	SATHYANARAYAN V S , KOHLI P , BRUHADESHWAR B . Signa-ture generation and detection of malware families[A]. Proc of the 13th Austalasian Conf on Information Security and Privacy[C]. Wollon-gong, Australia, 2008. 336-349.
[12]	CHRISTODORESCU M , KINDER J , JHA S . Malware Nor-malization[R]. Technical Report 1539, Madison: University of Wis-consin, 2005.
[13]	WILLEMS C , HOLZ T , FREILING F . Toward automated dynamic malware analysis using CWSandbox[J]. IEEE Security and Privacy, 2007,5(2): 32-39.
[14]	BAYER U , KRUEGEL C , KIRDA E . TTANALYZE. A tool for ana-lyzing malware[A]. 15th European Institute for Computer Antivirus Research (EICAR 2006)[C]. Hamburg, Germany, 2006. 180-192.
[15]	BELLARD F . QEMU, A fast and portable dynamic translator[A][A]. USENIX Annual Technical Conference, FREENIX Track[C]. Califor-nia, USA, 2005. 41-46.
[16]	LI P , LIU L , GAO D , et al. On challenges in evaluating malware clustering[A]. Recent Advances in Intrusion Detection[C], Ottawa, Canada 2010. 238-255.
[17]	YOO I . Visualizing windows executable viruses using self-organizing maps[A]. International Workshop on Visualization for Cyber Security (VizSec)[C]. Washington DC, USA, 2004. 82-89.
[18]	QUIST D A , LIEBROCK L M . Visualizing compiled executables for malware analysis[A]. International Workshop on Visualization for Cyber Security (VizSec)[C]. Atlantic City, USA, 2009. 27-32.
[19]	TRINIUS P , HOLZ T , GOBEL J , et al. Visual analysis of malware behavior using treemaps and thread graphs[A]. International Workshop on Visualization for Cyber Security (VizSec)[C]. Atlantic City, USA, 2009. 33-38.
[20]	GOODALL J H , RANDWAN H , HALSETH L , et al. Visual analysis of code security[A]. International Workshop on Visualization for Cyber Security (VizSec)[C]. Ottawa, Canada, 2010. 46-51.
[21]	CONTI G , BRATUS S , SANGSTER B , et al. Automated mapping of large binary objects using primitive fragment type classification[J]. Digital Forensics Research Conference (DFRWS) Ottawa, Canada, 2010,7 3-12.
[22]	CONTI G , BRATUS S . Voyage of the reverser: a visual study of binary species[A]. Black Hat[C]. USA. 2010.
[23]	KANCHERLA K , MUKKAMALA S . Image visualization based malware detection[A]. Computational Intelligence in Cyber Security (CICS)[C]. Singapore, 2013.40-44.
[24]	HARALICK R M , SHANMUGAM K , DINSTEIN I H . Textural fea-tures for image classification[A]. IEEE Transactions on Systems, Man and Cybernetics, 1973, (6): 610-621.
[25]	JOLLIFFE I . Principal Component Analysis[A]. USA: John Wiley＆Sons, Ltd, 2005.
[26]	PAOLO C , MARCO P , PAVEL Z . IM-tree: an efficient access method for similarity search in metric spaces[A]. Proceedings of the 23rd In-ternational Conference on Very Large Data Bases[C]. San Francisco, USA, 1997.426-435.
[27]	INDYK P , MOTWANI R . Approximate nearest neighbors: towards removing the curse of dimensionality[A]. Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing[C] New York, USA, 1998. 604-613.
[28]	GIONIS A , INDYK P , MOTWANI R . Similarity search in high di-mensions via hashing[A]. VLDB'99: Proceedings of the 25th Interna-tional Conference on Very Large Data Bases[C]. San Francisco, CA, USA, 1999.518-529.
[29]	DATAR M , IMMORLICA N , INDYK P , et al. Locality-sensitive hashing scheme based on p-stable distributions[A]. SCG'04: Proceed-ings of the Twentieth Annual Symposium on Computational Geome-try[C]. New York, USA, 2004.253-262.
[30]	HOJJATOLESLAMI S A , KITTLER J . Region growing: a new ap-proach[J]. IEEE Transactions on Image Processing, 1998, 7(7): 1079-1084.

Metrics

Recommended 0

No Suggested Reading articles found!

恶意代码测试样本集	规模	总大小/MB	大小范围
Hacktool	126	98.5	4.1 kB～22.0 MB
EvilJs	168	7.5	1.1 kB～2.0 MB
Packed	326	211.7	39 kB～9.8 MB
Trojan-Dropper	339	423.1	11 kB～9.9 MB
Worm	452	256.5	10.9 kB～9.9 MB
Backdoor	537	505.4	2.4 kB～22.2 MB

恶意代码测试样本集	规模	未分块/%	分块/%
Hacktool	126	71.72	79.20
EvilJs	168	77.10	81.18
Packed	326	51.22	60.10
Trojan-Dropper	339	74.00	80.18
Worm	452	76.49	85.47
Backdoor	537	79.81	85.77

[1]	Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism [J]. Journal on Communications, 2023, 44(6): 47-56.
[2]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[3]	Hongbin ZHANG, Yan YIN, Dongmei ZHAO, Bin LIU. Network security situational awareness model based on threat intelligence [J]. Journal on Communications, 2021, 42(6): 182-194.
[4]	Tengfei ZHANG, Shunzheng YU. Research prospects of user information detection from encrypted traffic of mobile devices [J]. Journal on Communications, 2021, 42(2): 154-167.
[5]	Xu CHENG, Yingying WANG, Nianjie ZHANG, Zhangjie FU, Beijing CHEN, Guoying ZHAO. Multi-level loss object tracking adversarial attack method based on spatial perception [J]. Journal on Communications, 2021, 42(11): 242-254.
[6]	Tao HUANG, Jiang LIU, Shuo WANG, Chen ZHANG, Yunjie LIU. Survey of the future network technology and trend [J]. Journal on Communications, 2021, 42(1): 130-150.
[7]	Zhiyong LUO,Xu YANG,Jiahui LIU,Rui XU. Network intrusion intention analysis model based on Bayesian attack graph [J]. Journal on Communications, 2020, 41(9): 160-169.
[8]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[9]	JIANG Lyu,ZHANG Hengwei,WANG Jindong. Optimal strategy selection method for moving target defense based on signaling game [J]. Journal on Communications, 2019, 40(6): 128-137.
[10]	Zhiyong LUO, Xu YANG, Guanglu SUN, Zhiqiang XIE, Jiahui LIU. Finite automaton intrusion tolerance system model based on Markov [J]. Journal on Communications, 2019, 40(10): 79-89.
[11]	Shirui HUANG,Hengwei ZHANG,Jindong WANG,Ruiyu DOU. Network security threat warning method based on qualitative differential game [J]. Journal on Communications, 2018, 39(8): 29-36.
[12]	Xiaodong ZANG,Jian GONG,Xiaoyan HU. Detecting malicious domain names based on AGD [J]. Journal on Communications, 2018, 39(7): 15-25.
[13]	Le-yi SHI,Hui SUN,Yu-wen CUI,Hong-bin GUO,Jian-lan LI. Web plug-in paradigm for anti-DoS attack based on end hopping [J]. Journal on Communications, 2017, 38(Z1): 19-24.
[14]	Tao WANG,Hong-chang CHEN,Guo-zhen CHENG. Research on software-defined network and the security defense technology [J]. Journal on Communications, 2017, 38(11): 133-160.
[15]	Tao YIN,Shi-cong LI,Yu-peng TUO,Yong-zheng ZHANG. Modeling and countermeasures of a social network-based botnet with strong destroy-resistance [J]. Journal on Communications, 2017, 38(1): 97-105.

Research on malicious code variants detection based on texture fingerprint

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 30

Related Articles 15

Metrics

Recommended 0