Detection method for unknown variants of packed malware based on weighted clustering of dynamic behaviour features
(English title as published: A packed malware variants detection method based on weighted dynamic behaviour feature clustering)

Authors: 陈岑, 李暖暖, 蔡军飞, 郭志民, 吕卓

Funding: Science and technology project of State Grid Corporation of China (5700-202124182A-0-0-00).
Abstract (translated from the Chinese):

To evade detection, attackers often use packing techniques to encrypt or compress malware, which makes it hard for security analysts, and for traditional detection methods based on static analysis, to analyse the malware statically with reverse-engineering tools such as disassemblers before it runs. Dynamic analysis is therefore the main approach currently used to detect packed malware; however, limited by the variety of packing tools and the size of sample sets, and by the obfuscation noise introduced by the malware's unpacking behaviour, traditional machine-learning-based detection methods suffer from insufficient accuracy. This study extracts and analyses the system-call behaviour features of packed malware at run time and identifies and selects sensitive behaviours in order to filter out the noise produced by unpacking; it weights the system-call behaviour features and reduces their dimensionality to improve their effectiveness; and it clusters the weighted, reduced behaviour features, finally achieving detection of unknown variants of packed malware and incremental updating of the detection model. Experimental results show that the proposed method, based on weighted clustering of dynamic behaviour features, has a false alarm rate of 3.9%, a significant reduction compared with several typical machine-learning detection methods.

Abstract (English, as published):

In order to avoid malware detection, attackers often use packing techniques to encrypt or compress malware binaries, which makes it difficult for security analysts and for malware detectors based on traditional static analysis to use reverse-engineering tools, such as disassemblers, to statically analyse malware before it runs. Currently, dynamic analysis methods are mainly used to detect packed malware. However, due to the limited variety of packing tools and packed samples, as well as the obfuscation noise introduced by malware packers, traditional machine-learning-based detection methods have insufficient accuracy. In this paper, to filter out the packing behaviour, the system-call behaviour features of packed malware are extracted and analysed, and sensitive behaviours are then identified and selected. Next, the dimensionality of the system-call behaviour features is reduced by weighting, to improve the contribution of each feature. Finally, these behaviours are analysed using density-based clustering, realising the detection of unknown variants of packed malware and the incremental update of the detection model. The experimental results show that the proposed packed malware variant detection method based on weighted clustering of sensitive behaviour features achieves a 3.9% false alarm rate, a significant reduction compared with several other machine-learning-based detection methods.
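The pipeline the abstract describes, as an added Python illustration that is not the paper's code: drop unpacking-stub calls from a system-call trace, weight the remaining sensitive calls, decide by density in the weighted feature space whether a new trace belongs to a known malware cluster, and fold confirmed variants back into the model. The traces, the noise set `UNPACK_NOISE`, the IDF-style weighting and the single DBSCAN-style core-point test used in place of a full clustering run are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed traces (not from the paper); calls typical of an unpacking stub are noise.
UNPACK_NOISE = {"VirtualAlloc", "VirtualProtect", "LoadLibrary", "GetProcAddress"}
KNOWN_MALWARE = {  # two constructed families, each seen through two different packers
    "famA_1": ["VirtualAlloc", "VirtualProtect", "CreateRemoteThread", "WriteProcessMemory", "RegSetValue", "CreateFile"],
    "famA_2": ["LoadLibrary", "GetProcAddress", "CreateRemoteThread", "WriteProcessMemory", "RegSetValue", "CreateFile"],
    "famB_1": ["VirtualAlloc", "CryptEncrypt", "DeleteFile", "MoveFile", "CryptEncrypt", "CreateFile"],
    "famB_2": ["VirtualProtect", "CryptEncrypt", "DeleteFile", "MoveFile", "CreateFile"],
}

def sensitive_profile(trace):
    """Keep only sensitive calls: drop unpacking-stub noise, count the rest."""
    return Counter(c for c in trace if c not in UNPACK_NOISE)

def idf_weights(profiles):
    """IDF-style weight per call: a call present in every sample contributes less."""
    n, df = len(profiles), Counter(c for p in profiles for c in p)
    return {c: 1 + math.log((1 + n) / (1 + df[c])) for c in df}

def vector(profile, w):
    """Weighted count vector over the model vocabulary, L2-normalised."""
    v = [profile.get(c, 0) * w[c] for c in sorted(w)]
    norm = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class VariantDetector:
    """Density rule in the spirit of DBSCAN's core-point test: a trace is a
    variant when at least min_pts known malware vectors lie within eps of it."""
    def __init__(self, samples, eps=0.5, min_pts=2):
        self.profiles = {n: sensitive_profile(t) for n, t in samples.items()}
        self.eps, self.min_pts = eps, min_pts
        self._refit()
    def _refit(self):
        self.w = idf_weights(self.profiles.values())
        self.vecs = {n: vector(p, self.w) for n, p in self.profiles.items()}
    def neighbours(self, trace):
        v = vector(sensitive_profile(trace), self.w)
        return sorted(n for n, u in self.vecs.items() if dist(v, u) <= self.eps)
    def is_variant(self, trace):
        return len(self.neighbours(trace)) >= self.min_pts
    def update(self, name, trace):
        """Incremental update: fold a confirmed variant into the model and re-weight."""
        self.profiles[name] = sensitive_profile(trace)
        self._refit()
```

Calls outside the model vocabulary are ignored, so a trace that shares no sensitive call with known malware has no neighbours and is reported as not a variant; a re-packed member of family A lands within `eps` of both `famA_*` vectors even though its stub calls differ.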

Cite this article:

陈岑, 李暖暖, 蔡军飞, 郭志民, 吕卓. A packed malware variants detection method based on weighted dynamic behaviour feature clustering [J]. Journal of Chongqing University, 2023, 46(3): 129-136.

Article history:
  • Received: 2022-05-12
  • Published online: 2023-03-28