基于N-gram特征的恶意代码可视化方法

doi:10.3969/j.issn.0372-2112.2019.10.012

电子学报 ›› 2019, Vol. 47 ›› Issue (10): 2108-2115.DOI: 10.3969/j.issn.0372-2112.2019.10.012

基于N-gram特征的恶意代码可视化方法

任卓君, 陈光, 卢文科

东华大学信息科学与技术学院, 上海 201620

收稿日期:2018-05-04 修回日期:2019-03-10 出版日期:2019-10-25
- 作者简介:
- 任卓君 女,1984年2月出生,浙江湖州人.东华大学在读博士生,从事网络安全、恶意代码可视化方面的研究.E-mail:1129110@mail.dhu.edu.cn;陈光男,1958年5月出生,广东汕头人.华东理工大学博士,东华大学通信专业教授,中国通信协会高级会员,上海市电子电器协会理事.E-mail:gchen@dhu.edu.cn;卢文科 男,1962年5月出生,陕西西安人.西安交通大学博士,东华大学控制科学与工程学科教授、博导,主要从事小波变换相关技术的研究.E-mail:luwenke3@163.com
- 基金资助:
- 国家自然科学基金 (No.61671006）; 中央高校基本科研业务费专项资金 (No.14D310407）

Malware Visualization Methods Based on N-gram Features

REN Zhuo-jun, CHEN Guang, LU Wen-ke

College of Information Science and Technology, Donghua University, Shanghai 201620, China

Received:2018-05-04 Revised:2019-03-10 Online:2019-10-25 Published:2019-10-25

摘要/Abstract

摘要： 本文提出了两种基于N-gram特征的恶意代码可视化方法.方法一以空间填充曲线的形式表示，解决了灰度图方法不能定位字符信息进行交互分析的问题；方法二可视化恶意代码的2-gram特征，解决了重置代码段或增加冗余信息来改变全局图像特征的问题.经深度融合网络验证所提方法的识别与分类性能，取得了较优的结果.

关键词: 恶意代码, 可视化分析, 空间填充曲线, 卷积神经网络, 迁移学习

Abstract: We proposed two new methods for visualization analysis based on N-gram features of malware.Method 1 uses space filling curves to solve the problem that the existing grayscale method cannot locate character information for interactive analysis.Method 2 visualizes the bi-gram features of malware to solve the problem that the attackers may relocate code sections or add redundant data to change the global image features of the visualized results.We designed the deep fusion networks to validate the detection and classification performances of the proposed methods,and the experimental results are very promising.

Key words: malware, visualization analysis, space filling curves, convolution neural networks, transfer learning

中图分类号:

TP309.5

任卓君, 陈光, 卢文科. 基于N-gram特征的恶意代码可视化方法[J]. 电子学报, 2019, 47(10): 2108-2115.

REN Zhuo-jun, CHEN Guang, LU Wen-ke. Malware Visualization Methods Based on N-gram Features[J]. Acta Electronica Sinica, 2019, 47(10): 2108-2115.

参考文献

[1] LI J,WANG Z,WANG T,et al.An android malware detection system based on feature fusion[J].Chinese Journal of Electronics,2018,27(6):1206-1213.
[2] 张焕,武建亮,唐俊杰,等.NeighborWatcher:基于程序家族关系的附加恶意手机应用检测方法研究[J].电子学报,2014,42(8):1642-1646. ZHANG Huan,WU Jian-liang,TANG Jun-jie,et al.Neighbor watcher:Detecting piggybacked smartphone applications with their family members[J].Acta Electronica Sinica,2014,42(8):1642-1646.(in Chinese)
[3] YAN H,ZHOU H,ZHANG H.Automatic malware classification via PRICoLBP[J].Chinese Journal of Electronics,2018,27(4):852-859.
[4] 乔延臣,云晓春,张永铮,等.基于调用习惯的恶意代码自动化同源判定方法[J].电子学报,2016,44(10):2410-2414. QIAO Yan-chen,YUN Xiao-chun,ZHANG Yong-zheng,et al.An automatic malware homology identification method based on calling habits[J].Acta Electronica Sinica,2016,44(10):2410-2414.(in Chinese)
[5] RANVEER S,HIRAY S.Comparative analysis of feature extraction methods of malware detection[J].International Journal of Computer Applications,2015,120(9):1-7.
[6] GANDOTRA E,BANSAL D,SOFAT S.Malware analysis and classification:A survey[J].Journal of Information Security,2016,5(2):56-64.
[7] WEI Z,NADJIN Y.Malwarevis:Entity-based visualization of malware network traces[A].Proceedings of the Ninth International Symposium on Visualization for Cyber Security[C].USA:ACM,2012.41-47.
[8] TRINIUS P,HOLZ T,GÖBEL J,et al.Visual analysis of malware behavior using treemaps and thread graphs[A].International Workshop on Visualization for Cyber Security[C].USA:IEEE,2010.33-38.
[9] GOVE R,SAXE J,GOLD S,et al.SEEM:A scalable visualization for comparing multiple large sets of attributes for malware analysis[A].Eleventh Workshop on Visualization for Cyber Security[C].USA:ACM,2014.72-79.
[10] HAN K S,LIM J H,KANG B,et al.Malware analysis using visualized images and entropy graphs[J].International Journal of Information Security,2015,14(1):1-14.
[11] STRELKOV V V.A new similarity measure for histogram comparison and its application in time series analysis[J].Pattern Recognition Letters,2008,29(13):1768-1774.
[12] REN Z,CHEN G.Entropy vis:Malware classification[A].The 10th International Congress on Image and Signal Processing,BioMedical Engineering and Informatics(CISP-BMEI)[C].USA:IEEE,2017.1-6.
[13] YOO I S.Visualizing windows executable viruses using self-organizing maps[A].Workshop on Visualization and Data Mining for Computer Security[C].USA:ACM,2004.82-89.
[14] HAN K S,LIM J H,IM E G.Malware analysis method using visualization of binary files[A].Research in Adaptive and Convergent Systems[C].USA:ACM,2013.317-321.
[15] HAN K,KANG B,IM E G.Malware analysis using visualized image matrices[J/OL].The Scientific World Journal,2014.http://dx.doi.org/10.1155/2014/132713.
[16] PATURI A,CHERUKURI M,DONAHUE J,et al.Mobile malware visual analytics and similarities of attack toolkits(malware gene analysis)[A].International Conference on Collaboration Technologies and Systems[C].USA:IEEE,2013.149-154.
[17] ANDERSON B,STORLIE C,LANE T.Improving malware classification:bridging the static/dynamic gap[A].Workshop on Security and Artificial Intelligence[C].USA:ACM,2012.3-14.
[18] HASHEMI H,HAMZEH A.Visual malware detection using local malicious pattern[J/OL].Journal of Computer Virology and Hacking Techniques,2018.https://doi.org/10.1007/s11416-018-0314-1.
[19] ZHANG Y,et al.Visual analysis of android malware behavior profile based on PMC gdroid:A pruned lightweight APP call graph[A].Security and Privacy in Communication Networks[C].Berlin:Springer,2017.449-468.
[20] ANGELINI M,ANIELLO L,LENTI S,et al.The goods,the bads and the uglies:Supporting decisions in malware detection through visual analytics[A].Symposium on Visualization for Cyber Security[C].USA:IEEE,2017.1-8.
[21] WAGNER M,RIND A,THVRN,et al.A knowledge-assisted visual malware analysis system:Design,validation,and reflection of KAMAS[J].Computers & Security,2017,67:1-15.
[22] SORNIL O,LIANGBOONPRAKONG C.Malware classification using n-grams sequential pattern features[J].International Journal of Information Processing & Management,2013,4(5):59-67.
[23] TESAURO G J,KEPHART J O,SORKIN G B.Neural networks for computer virus recognition[J].IEEE Expert,1996,11(4):5-6.
[24] ABOU-ASSALEH T,CERCONE N,KESELJ V,et al.Detection of new malicious code using n-grams signatures[A].Proceedings of the Conference on Privacy,Security and Trust(DBLP)[C].New Brunswick,Canada:DBLP,2004.193-196.
[25] CONTI G,DEAN E,SINDA M,et al.Visual reverse engineering of binary and data files[A].Proceedings of International Workshop on Visualization for Computer Security[C].USA:DBLP,2008.1-17.
[26] NATARAJ L,KARTHIKEYAN S,JACOB G,et al.Malware images:visualization and automatic classification[A].International Symposium on Visualization for Cyber Security[C].USA:ACM,2011.1-7.
[27] DOUZE M,SANDHAWALIA H,AMSALEG L,et al.Evaluation of GIST descriptors for web-scale image search[A].ACM International Conference on Image and Video Retrieval[C].USA:ACM,2009.1-8.
[28] OLIVA A,TORRALBA A.Modeling the shape of the scene:A holistic representation of the spatial envelope[J].International Journal of Computer Vision,2001,42(3):145-175.
[29] AERAsec.Decompression Bomb Vulnerabilities[OL].http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html.2018.
[30] LIAO S,LOPEZ M A,LEUTENEGGER S T.High dimensional similarity search with space filling curves[A].International Conference on Data Engineering[C].USA:IEEE Computer Society,2001.615-622.
[31] MOKBEL M F,AREF W G.Irregularity in high-dimensional space-filling curves[J].Distributed & Parallel Databases,2011,29(3):217-238.
[32] NIEDERMEIER R,REINHARDT K,SANDERS P.Towards optimal locality in mesh-indexings[A].International Symposium on Fundamentals of Computation Theory[C].Berlin:Springer-Verlag,1997.364-375.
[33] DAI H K,SU H C.Approximation and analytical studies of inter-clustering performances of space-filling curves[A].Discrete Random Walks(Drw'03)[C].Paris,France:DBLP,2003.53-68.
[34] SCHRACK G,STOCCO L.Generation of spatial orders and space-filling curves[J].IEEE Transactions on Image Processing,2015,24(6):1791-800.
[35] MOKBEL M F,AREF W G.Space-filling curves for query processing[A].Encyclopedia of Database Systems[M].US:Springer,2009.2675-2680.
[36] ANOTAIPAIBOON W,MAKHANOV S S.Curvilinear space-filling curves for five-axis machining[J].Computer-Aided Design,2008,40(3):350-367.
[37] LECUN Y,BOSER B,DENKER J S,et al.Backpropagation applied to handwritten zip code recognition[J].Neural Computation,2014,1(4):541-551.
[38] SIMONYAN K,ZISSERMAN A.Very deep convolutional networks for large-scale image recognition[J/OL].Computer Science,2014,arXiv:1409.1556.
[39] Microsoft.Microsoft Malware Classification Challenge(BIG 2015)[OL].https://www.kaggle.com/c/malware-classification/data.2018.
[40] HE K,ZHANG X,REN S,et al.Deep residual learning for image recognition[A].IEEE Conference on Computer Vision and Pattern Recognition[C].USA:IEEE Computer Society,2016.770-778.
[41] GUYON I,BOSER B E,VAPNIK V.Automatic capacity tuning of very large VC-dimension classifiers[J].Advances in Neural Information Processing Systems,2008,5:147-155.
[42] CHIANG W L,LEE M C,LIN C J.Parallel dual coordinate descent method for large-scale linear classification in multi-core environments[A].The ACM SIGKDD International Conference[C].USA:ACM,2016.1485-1494.

基于N-gram特征的恶意代码可视化方法

Malware Visualization Methods Based on N-gram Features

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	吴靖, 叶晓晶, 黄峰, 陈丽琼, 王志锋, 刘文犀. 基于深度学习的单帧图像超分辨率重建综述[J]. 电子学报, 2022, 50(9): 2265-2294.
[2]	毛国君, 王者浩, 黄山, 王翔. 基于剪边策略的图残差卷积深层网络模型[J]. 电子学报, 2022, 50(9): 2205-2214.
[3]	袁海英, 曾智勇, 成君鹏. 面向灵活并行度的稀疏卷积神经网络加速器[J]. 电子学报, 2022, 50(8): 1811-1818.
[4]	邵志文, 周勇, 谭鑫, 马利庄, 刘兵, 姚睿. 基于深度学习的表情动作单元识别综述[J]. 电子学报, 2022, 50(8): 2003-2017.
[5]	王相海, 赵晓阳, 王鑫莹, 赵克云, 宋传鸣. 非抽取小波边缘学习深度残差网络的单幅图像超分辨率重建[J]. 电子学报, 2022, 50(7): 1753-1765.
[6]	张志文, 刘天歌, 聂鹏举. 基于实景数据增强和双路径融合网络的实时街景语义分割算法[J]. 电子学报, 2022, 50(7): 1609-1620.
[7]	张波, 陆云杰, 秦东明, 邹国建. 一种卷积自编码深度学习的空气污染多站点联合预测模型[J]. 电子学报, 2022, 50(6): 1410-1427.
[8]	丁毅, 沈薇, 李海生, 钟琼慧, 田明宇, 李洁. 面向CNN的区块链可信隐私服务计算模型[J]. 电子学报, 2022, 50(6): 1399-1409.
[9]	廖勇, 李玉杰. 一种轻量化低复杂度的FDD大规模MIMO系统CSI反馈方法[J]. 电子学报, 2022, 50(5): 1211-1217.
[10]	张云, 化青龙, 姜义成, 徐丹. 基于混合型复数域卷积神经网络的三维转动舰船目标识别[J]. 电子学报, 2022, 50(5): 1042-1049.
[11]	崔亚奇, 何友, 唐田田, 熊伟. 一种深度学习航迹关联方法[J]. 电子学报, 2022, 50(3): 759-763.
[12]	李维刚, 甘平, 谢璐, 李松涛. 基于样本对元学习的小样本图像分类方法[J]. 电子学报, 2022, 50(2): 295-304.
[13]	伍邦谷, 张苏林, 石红, 朱鹏飞, 王旗龙, 胡清华. 基于多分支结构的不确定性局部通道注意力机制[J]. 电子学报, 2022, 50(2): 374-382.
[14]	陈文俊, 杨春玲. 图像压缩感知的特征域优化及自注意力增强神经网络重构算法[J]. 电子学报, 2022, 50(11): 2629-2637.
[15]	魏钰轩, 陈莹. 基于自适应层信息熵的卷积神经网络压缩[J]. 电子学报, 2022, 50(10): 2398-2408.