Malicious code detection method based on icon similarity analysis
  • Chinese title: 基于图标相似性分析的恶意代码检测方法
  • Authors: YANG Ping; ZHAO Bing; SHU Hui (杨萍; 赵冰; 舒辉)
  • Affiliations: State Key Laboratory of Mathematical Engineering and Advanced Computing (Information Engineering University); Institute of Information and Engineering, Zhengzhou Institute of Technology
  • Keywords: icon similarity; hash algorithm; import table comparison; locality-sensitive hashing; malicious code detection
  • Journal: Journal of Computer Applications (计算机应用), CNKI journal code JSJY
  • Publication date: 2019-01-31 09:52
  • Year: 2019
  • Volume/issue: v.39, No.346, issue 06
  • Pages: 178-184 (7 pages)
  • CN: 51-1307/TP
  • CNKI article ID: JSJY201906030
  • Funding: National Key R&D Program of China project (2016YFB08011601)
  • Language: Chinese
Abstract
According to statistics, a considerable fraction of the large volume of malicious code in circulation is deceptive: it disguises itself with icons resembling those of commonly used software and relies on tricking users into clicking in order to spread and attack. Because traditional detection methods based on code and behaviour features are inefficient and costly against this class of malicious code, a new detection method is proposed. First, icon resource information is extracted from Portable Executable (PE) files and icon similarity is analysed with an image hashing algorithm. Then, the import table of the PE file is extracted and behavioural similarity is analysed with a fuzzy hashing algorithm. Finally, clustering and locality-sensitive hashing are used for icon matching, and a lightweight tool for fast malicious code detection is designed and implemented. Experimental results show that the tool detects malicious code effectively.
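The following is an added illustration of the two similarity checks the abstract combines, written for this page and not taken from the paper or its tool. It assumes an 8x8 average hash (aHash) as a concrete stand-in for the unspecified "image hashing algorithm", and a Jaccard similarity over imported function names as a simplified stand-in for the fuzzy-hash comparison of import tables; the icons, import tables and thresholds are all constructed for the example, and the known-software list is scanned linearly rather than through the clustering and locality-sensitive hashing the paper uses for scale.

```python
"""Icon-spoofing triage: icon similarity plus import-table similarity.

Added example, not the paper's code. aHash replaces the paper's unspecified
image hash; Jaccard over import names replaces its fuzzy hash. All icons,
import tables and thresholds below are constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

GRID = 8  # aHash works on an 8x8 grayscale thumbnail -> 64-bit hash


def average_hash(pixels: List[List[int]]) -> int:
    """64-bit aHash: bit is 1 where the pixel is >= the mean intensity.
    pixels: 8x8 list of lists of 0..255 grayscale values (already downscaled).
    Using the mean makes the hash insensitive to a uniform palette change."""
    flat = [p for row in pixels for p in row]
    if len(flat) != GRID * GRID:
        raise ValueError("expected an 8x8 thumbnail")
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (1 if p >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes (the icon distance)."""
    return bin(a ^ b).count("1")


def make_icon(pattern: List[str], fg: int = 230, bg: int = 20) -> List[List[int]]:
    """Build an 8x8 grayscale icon from 8 strings of '#'/'.' (constructed data)."""
    return [[fg if ch == "#" else bg for ch in row] for row in pattern]


# Constructed icons: a trusted "document viewer" shape, a look-alike that
# differs in one row and uses a different palette, and an unrelated shape.
DOC_ICON = make_icon([
    "########", "#......#", "#.####.#", "#......#",
    "#.####.#", "#......#", "#.####.#", "########",
])
LOOKALIKE = make_icon([
    "########", "#......#", "#.####.#", "#......#",
    "#.####.#", "#......#", "#......#", "########",
], fg=200, bg=40)
UNRELATED = make_icon([
    "........", "...##...", "..####..", ".######.",
    ".######.", "..####..", "...##...", "........",
])


def import_similarity(imports_a: Iterable[str], imports_b: Iterable[str]) -> float:
    """Jaccard similarity of two import tables given as 'dll!function' names.
    Simplified stand-in for the fuzzy-hash comparison in the abstract."""
    a, b = set(imports_a), set(imports_b)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


# Constructed import tables: what a viewer needs vs. what the sample imports.
VIEWER_IMPORTS = {"kernel32!CreateFileW", "kernel32!ReadFile",
                  "user32!CreateWindowExW", "gdi32!BitBlt"}
SAMPLE_IMPORTS = {"kernel32!CreateFileW", "kernel32!WriteFile",
                  "wininet!InternetOpenW", "advapi32!RegSetValueExW"}

# Thresholds are assumptions for this example; tune them on labelled data.
ICON_DISTANCE_THRESHOLD = 10     # aHash bits
IMPORT_SIMILARITY_THRESHOLD = 0.5

KnownEntry = Tuple[str, int, set]  # (software name, icon hash, import table)


def classify(sample_icon: List[List[int]], sample_imports: Iterable[str],
             known: List[KnownEntry]) -> Tuple[str, Optional[str]]:
    """Triage a sample against trusted software.
    An icon close to a trusted application whose import table does not
    resemble that application's is the icon-spoofing pattern the paper targets."""
    h = average_hash(sample_icon)
    for name, known_hash, known_imports in known:
        if hamming(h, known_hash) <= ICON_DISTANCE_THRESHOLD:
            if import_similarity(sample_imports, known_imports) >= IMPORT_SIMILARITY_THRESHOLD:
                return "icon and imports consistent with " + name, name
            return "suspicious: icon mimics " + name, name
    return "no icon match", None


KNOWN: List[KnownEntry] = [("DocViewer", average_hash(DOC_ICON), VIEWER_IMPORTS)]

if __name__ == "__main__":
    print(classify(LOOKALIKE, SAMPLE_IMPORTS, KNOWN))   # suspicious: icon mimics DocViewer
    print(classify(UNRELATED, SAMPLE_IMPORTS, KNOWN))   # no icon match
    print(classify(DOC_ICON, VIEWER_IMPORTS, KNOWN))    # consistent with DocViewer
```

The look-alike icon differs from the trusted one by four hash bits despite its changed palette, while the unrelated icon differs by 44, which is why a small Hamming threshold separates imitation from coincidence; the import-table check then distinguishes a genuine copy of the software from something that only borrowed its icon.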