Malware Visualization Methods Based on N-gram Features

REN Zhuo-jun, CHEN Guang, LU Wen-ke

ACTA ELECTRONICA SINICA ›› 2019, Vol. 47 ›› Issue (10) : 2108-2115. DOI: 10.3969/j.issn.0372-2112.2019.10.012

Abstract

We propose two new methods for visual analysis based on the N-gram features of malware. Method 1 lays the bytes of a sample out along a space-filling curve, which addresses a limitation of the existing grayscale-image method: a region of the image cannot be traced back to the underlying byte (character) information, so the image cannot be used for interactive analysis. Method 2 visualizes the bi-gram features of a sample instead of its raw byte layout, which addresses the problem that an attacker can relocate code sections or add redundant data to change the global image features of the visualized result. We designed deep fusion networks to validate the detection and classification performance of the proposed methods, and the experimental results are very promising.
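The two ideas in the abstract can be seen in a few dozen lines of code. The block below is an added example, not code from the paper: it assumes a Hilbert curve as the space-filling curve (the abstract does not say which curve the authors used), uses plain Python lists rather than the authors' image pipeline or networks, and runs on two constructed byte sections standing in for a "text" and a "data" section. It shows (a) that a pixel in the curve image maps back to a unique byte offset, so an analyst can click a region and locate the bytes, and (b) that swapping the order of sections rewrites most pixels of either byte-layout image but leaves the 256x256 bi-gram histogram essentially unchanged.

```python
# Added example (not the paper's code). Assumptions: Hilbert curve as the
# space-filling curve, constructed sample sections, pure-Python images.
from collections import Counter


def hilbert_d2xy(n, d):
    """Offset d along an n x n Hilbert curve (n a power of two) -> pixel (x, y)."""
    x = y = 0
    s, t = 1, d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/flip the current sub-square
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def hilbert_xy2d(n, x, y):
    """Inverse of hilbert_d2xy: pixel (x, y) -> byte offset d (the 'locate' step)."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d


def hilbert_image(data, n):
    """Method 1 layout: img[y][x] = data[d] for (x, y) = d2xy(d); unused cells are None."""
    img = [[None] * n for _ in range(n)]
    for d, b in enumerate(data[: n * n]):
        x, y = hilbert_d2xy(n, d)
        img[y][x] = b
    return img


def rowmajor_image(data, width):
    """The existing grayscale layout: bytes fill fixed-width rows left to right."""
    return [list(data[i:i + width]) for i in range(0, len(data), width)]


def bigram_counts(data):
    """Method 2 feature: 256x256 bi-gram histogram keyed by (b_i, b_{i+1})."""
    return Counter(zip(data, data[1:]))


def l1_distance(c1, c2):
    """L1 distance between two bi-gram histograms."""
    return sum(abs(c1[k] - c2[k]) for k in set(c1) | set(c2))


def pixel_mismatch(img1, img2):
    """Fraction of positions whose value differs between two equal-size images."""
    total = diff = 0
    for r1, r2 in zip(img1, img2):
        for a, b in zip(r1, r2):
            total += 1
            diff += a != b
    return diff / total


# Constructed sample: a 'text' section and a 'data' section, then the same
# file with the sections relocated (swapped) by an attacker.
SECTION_TEXT = bytes(range(0x41, 0x5B)) * 4          # 104 bytes, 'A'..'Z' x4
SECTION_DATA = bytes([0x00, 0xFF, 0x90] * 40)        # 120 bytes
ORIGINAL = SECTION_TEXT + SECTION_DATA
RELOCATED = SECTION_DATA + SECTION_TEXT


def compare_layouts(n=16, width=16):
    """Return (row-major mismatch, Hilbert mismatch, bi-gram L1 distance)."""
    return (
        pixel_mismatch(rowmajor_image(ORIGINAL, width), rowmajor_image(RELOCATED, width)),
        pixel_mismatch(hilbert_image(ORIGINAL, n), hilbert_image(RELOCATED, n)),
        l1_distance(bigram_counts(ORIGINAL), bigram_counts(RELOCATED)),
    )


if __name__ == "__main__":
    x, y = hilbert_d2xy(16, 100)
    print("offset 100 -> pixel", (x, y), "-> offset", hilbert_xy2d(16, x, y))
    print("row-major mismatch, Hilbert mismatch, bi-gram L1:", compare_layouts())
```

Only the single byte pair spanning the section boundary changes when the sections are swapped, so the bi-gram histogram moves by an L1 distance of 2 while almost every pixel of either byte-layout image changes; that is the invariance Method 2 relies on. Because consecutive offsets land on neighbouring pixels along the curve, a contiguous function or string stays a compact blob in the Method 1 image instead of being cut into rows, and `hilbert_xy2d` gives the offset to jump to in a hex view.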

Key words

malware / visualization analysis / space filling curves / convolution neural networks / transfer learning

Cite this article

REN Zhuo-jun, CHEN Guang, LU Wen-ke. Malware Visualization Methods Based on N-gram Features[J]. Acta Electronica Sinica, 2019, 47(10): 2108-2115. https://doi.org/10.3969/j.issn.0372-2112.2019.10.012

Funding

National Natural Science Foundation of China (No.61671006); Fundamental Research Funds for the Central Universities (No.14D310407)