基于分布式结构的网络恶意代码智能分析系统

对变形特征码进行归一化处理,改进WM算法,运用启发式扫描、仿真、虚拟化、主动防御等前沿的恶意代码分析技术,采用分布式的设计结构,设计了具有完备恶意代码特征码数据库、高效特征码匹配、自动捕获和控制恶意行为、平衡的资源消耗、较低误报率的网络恶意代码智能分析系统。     

软件代码的恶意行为学习与分类

传统的静态特征码检测方法无法识别迷惑型恶意代码,而动态检测方法则需要消 耗大量资源;当前,大多数基于机器学习的方法并不能有效区分木马、蠕虫等恶意软件的子类别。为此,提出一种基于代码恶意行为特征的分类方法。新方法在提取代码恶意导向指令特征的基础上,学习每种代码类别特有的恶意行为序列模式,进而将代码样本投影到由恶意行为序列模式构成的新空间中。同时基于新特征表示法构造了一种近邻分类器对恶意代码进行 分类。实验结果表明,新方法可以有效地捕捉代码的恶意行为并区分不同类别代码之间的行为差异,从而大幅提高了恶意代码的分类精度。     

基于API关联性的恶意行为层次化分析方法

为深入分析恶意代码的运行原理以及详细功能,减少恶意代码的分析周期,提出基于API关联的层次化行为分析方法。分析API的调用机制与参数的特征,给出基于API的行为定义;在此基础上,设计并实现API的行为关联算法,建立行为关联模型;通过行为关联模型,可以通过恶意代码的API数据信息提取出基本行为信息,并进一步提取对象行为以及进程行为,提供多维视角。设计恶意代码分析原型系统,使用实际测试样本集验证了该方法的可行性。     

基于Cuckoo平台的HDBSCAN恶意代码聚类算法

泛在网络日益受到各种各样的恶意代码攻击,已经严重威胁到各个领域的信息安全和网络安全。为了分析不同种类恶意代码之间的异同性,通过搭建Cuckoo沙箱平台模拟恶意代码运行环境研究其聚类情况,以此来获得恶意样本模拟运行的行为分析报告;在特征提取上为了全面覆盖恶意代码的主要行为,结合了动态行为特征和内存特征;之后利用t-SNE机器学习算法来对特征属性实现非线性降维;最后对传统的DBSCAN算法进行改进,将改进后的算法HDBSCAN结合恶意代码的行为特征来完成恶意代码的聚类。实验结果表明,相比于经典聚类算法,改进后的聚类算法提高了聚类质量,获得了更好的聚类效果,因此具有较高的可行性。     

基于动态行为和机器学习的恶意代码检测方法

目前恶意代码出现频繁且抗识别性加强,现有基于签名的恶意代码检测方法无法识别未知与隐藏的恶意代码。提出一种结合动态行为和机器学习的恶意代码检测方法。搭建自动化分析Cuckoo沙箱记录恶意代码的行为信息和网络流量,结合Cuckoo沙箱与改进DynamoRIO系统作为虚拟环境,提取并融合恶意代码样本API调用序列及网络行为特征。在此基础上,基于双向门循环单元（BGRU）建立恶意代码检测模型,并在含有12 170个恶意代码样本和5 983个良性应用程序样本的数据集上对模型效果进行验证。实验结果表明,该方法能全面获得恶意代码的行为信息,其所用BGRU模型的检测效果较LSTM、BLSTM等模型更好,精确率和F1值分别达到97.84%和98.07%,训练速度为BLSTM模型的1.26倍。     

基于语义的恶意代码行为特征提取及检测方法

提出一种基于语义的恶意代码行为特征提取及检测方法,通过结合指令层的污点传播分析与行为层的语义分析,提取恶意代码的关键行为及行为间的依赖关系;然后,利用抗混淆引擎识别语义无关及语义等价行为,获取具有一定抗干扰能力的恶意代码行为特征.在此基础上,实现特征提取及检测原型系统.通过对多个恶意代码样本的分析和检测,完成了对该系统的实验验证.实验结果表明,基于上述方法提取的特征具有抗干扰能力强等特点,基于此特征的检测对恶意代码具有较好的识别能力.     

P2P文件共享系统中的恶意代码防治策略

目前,P2P技术已经被广泛地应用在文件共享系统中,存在多个基于P2P的文件共享软件,拥有众多用户。与此同时,也出现了针对这些P2P文件共享系统的蠕虫和病毒等恶意代码。P2P系统的分布式控制、拓扑结构动态变化等特性使得恶意代码传播更快、更难防治。文章通过分析这些P2P恶意代码的传播方式,提出了一种基于恶意代码行为特征的恶意代码识别方法,并利用这种识别方法制定了一个适合P2P文件共享系统的恶意代码防治策略来减缓、遏制恶意代码的传播。     

基于静态结构的恶意代码同源性分析

由于变种和多态技术的出现,恶意代码的数量呈爆发式增长。然而涌现的恶意代码只有小部分是新型的,大部分仍是已知病毒的变种。针对这种情况,为了从海量样本中筛选出已知病毒的变种,从而聚焦新型未知病毒,提出一种改进的判定恶意代码所属家族的方法。从恶意代码的行为特征入手,使用反汇编工具提取样本静态特征,通过单类支持向量机筛选出恶意代码的代表性函数,引入聚类算法的思想,生成病毒家族特征库。通过计算恶意代码与特征库之间的相似度,完成恶意代码的家族判定。设计并实现了系统,实验结果表明改进后的方法能够有效地对各类家族的变种进行分析及判定。     

基于客户端的恶意网页收集系统

设计一个基于客户端的恶意网页收集系统。系统通过设置主题爬虫,有针对性地获取可能包含恶意脚本的网页文件,通过分析恶意代码常见的挂木马方式与恶意代码样本,设计正则表达式来提取网页恶意代码的特征码,利用相应算法扫描并匹配利用爬虫获取的网页文件,如发现网页文件中包含可疑的恶意脚本,则将它的域名URL、恶意网页路径与恶意代码脚本类型存入恶意网页库中,以实现恶意网页的搜集。     

恶意代码行为获取的研究与实现

分析对比了恶意代码的静态分析方法和动态分析方法,设计并实现了一种结合虚拟机技术和Windows操作系统自身所具有的调试功能来获取恶意代码行为的模块,该模块能够自动控制虚拟机运行监控程序来获取恶意代码的行为,并通过引入基于信息增益的特征权重算法来获得行为特征.     

基于机器学习算法的Android恶意程序检测系统

对于传统的恶意程序检测方法存在的缺点,针对将数据挖掘和机器学习算法被应用在未知恶意程序的检测方法进行研究。当前使用单一特征的机器学习算法无法充分发挥其数据处理能力,检测效果不佳。文中将语音识别模型与随机森林算法相结合,首次提出了综和APK文件多类特征统一建立N-gram模型,并应用随机森林算法用于未知恶意程序检测。首先,采用多种方式提取可以反映Android恶意程序行为的3类特征,包括敏感权限、DVM函数调用序列以及OpCodes特征;然后,针对每类特征建立N-gram模型,每个模型可以独立评判恶意程序行为;最后,3类特征模型统一加入随机森林算法进行学习,从而对Android程序进行检测。基于该方法实现了Android恶意程序检测系统,并对811个非恶意程序及826个恶意程序进行检测,准确率较高。综合各个评价指标,与其他相关工作对比,实验结果表明该系统在恶意程序检测准确率和有效性上表现更优。     

Fragmented malware through RFID and its defenses

Malware, in essence, is an infiltration to one’s computer system. Malware is created to wreak havoc once it gets in through weakness in a computer’s barricade. Anti-virus companies and operating system companies are working to patch weakness in systems and to detect infiltrators. However, with the advance of fragmentation, detection might even prove to be more difficult. Malware detection relies on signatures to identify malware of certain shapes. With fragmentation, functionality and size can change depending on how many fragments are used and how the fragments are created. In this paper we present a robust malware detection technique, with emphasis on detecting fragmentation malware attacks in RFID systems that can be extended to detect complex obfuscated and mutated malware. After a particular fragmented malware has been first identified, it can be analyzed to extract the signature, which provides a basis for detecting variants and mutants of similar types of malware in the future. Encouraging experimental results on a limited set of recent malware are presented.     

Malware analysis performance enhancement using cloud computing

Nowadays, computer based technology has taken a central role in every person life. Hence, damage caused by malicious software (malware) can reach and effect many people globally as what could be in the early days of computer. A close look at the current approaches of malware analysis shows that the respond time of reported malware to public users is slow. Hence, the users are unable to get prompt feedback when reporting suspicious files. Therefore, this paper aims at introducing a new approach to enhance malware analyzer performance. This approach utilizes cloud computing features and integrates it with malware analyzer. To evaluate the proposed approach, two systems had been prepared carefully with the same malware analyzer, one of them utilizes cloud computing and the other left without change. The evaluation results showed that the proposed approach is faster by 23 % after processing 3,000 samples. Furthermore, utilizing cloud computing can open door to crowd-source this service hence encouraging malware reporting and accelerate malware detection by engaging the public users at large. Ultimately this proposed system hopefully can reduce the time taken to detect new malware in the wild.     

基于三级签名的安卓恶意软件分析方法

智能手机上的恶意软件数量呈现爆炸式增长,目前迫切需要一个安全分析与检测方法.一个有效的检测与分析方法需要解决的最大问题就是如何从应用程序和恶意软件的汪洋大海中识别重新包装的应用程序.论文提出了基于三级签名的恶意软件分析方法MSAnalytics,根据API调用序列,提取在操作码级的恶意软件特征,生成应用程序三级签名.实验证明,MSAnalytics对重新包装恶意软件具有良好的分析能力.     

基于栈的恶意程序隐式系统调用的检测方法

提出了一种检测恶意程序中隐式系统调用的方法.该方法使用地址栈和地址栈图来检测恶意程序中隐式的系统调用信息,其中,地址栈将每个栈的元素和栈操作的指令相结合,而地址栈图抽象地表示可执行体并且检测恶意的系统调用.通过实验表明,这是一种有效的方法.     

基于归一化的变形恶意代码检测

许多未知恶意代码是由已知恶意代码变形而来。该文针对恶意代码常用的变形技术,包括等价指令替换、插入垃圾代码和指令重排,提出完整的归一化方案,以典型的变形病毒Win32.Evol对原型系统进行测试,是采用归一化思想检测变形恶意代码方面的有益尝试。     

HEMD: a highly efficient random forest-based malware detection framework for Android

Mobile phones are rapidly becoming the most widespread and popular form of communication; thus, they are also the most important attack target of malware. The amount of malware in mobile phones is increasing exponentially and poses a serious security threat. Google’s Android is the most popular smart phone platforms in the world and the mechanisms of permission declaration access control cannot identify the malware. In this paper, we proposed an ensemble machine learning system for the detection of malware on Android devices. More specifically, four groups of features including permissions, monitoring system events, sensitive API and permission rate are extracted to characterize each Android application (app). Then an ensemble random forest classifier is learned to detect whether an app is potentially malicious or not. The performance of our proposed method is evaluated on the actual data set using tenfold cross-validation. The experimental results demonstrate that the proposed method can achieve a highly accuracy of 89.91%. For further assessing the performance of our method, we compared it with the state-of-the-art support vector machine classifier. Comparison results demonstrate that the proposed method is extremely promising and could provide a cost-effective alternative for Android malware detection.

     

Automatic malware classification and new malware detection using machine learning

The explosive growth of malware variants poses a major threat to information security. Traditional anti-virus systems based on signatures fail to classify unknown malware into their corresponding families and to detect new kinds of malware programs. Therefore, we propose a machine learning based malware analysis system, which is composed of three modules: data processing, decision making, and new malware detection. The data processing module deals with gray-scale images, Opcode n-gram, and import functions, which are employed to extract the features of the malware. The decision-making module uses the features to classify the malware and to identify suspicious malware. Finally, the detection module uses the shared nearest neighbor (SNN) clustering algorithm to discover new malware families. Our approach is evaluated on more than 20 000 malware instances, which were collected by Kingsoft, ESET NOD32, and Anubis. The results show that our system can effectively classify the unknown malware with a best accuracy of 98.9%, and successfully detects 86.7% of the new malware.     

Intelligent OS X malware threat detection with code inspection

With the increasing market share of Mac OS X operating system, there is a corresponding increase in the number of malicious programs (malware) designed to exploit vulnerabilities on Mac OS X platforms. However, existing manual and heuristic OS X malware detection techniques are not capable of coping with such a high rate of malware. While machine learning techniques offer promising results in automated detection of Windows and Android malware, there have been limited efforts in extending them to OS X malware detection. In this paper, we propose a supervised machine learning model. The model applies kernel base Support Vector Machine and a novel weighting measure based on application library calls to detect OS X malware. For training and evaluating the model, a dataset with a combination of 152 malware and 450 benign were created. Using common supervised Machine Learning algorithm on the dataset, we obtain over 91% detection accuracy with 3.9% false alarm rate. We also utilize Synthetic Minority Over-sampling Technique (SMOTE) to create three synthetic datasets with different distributions based on the refined version of collected dataset to investigate impact of different sample sizes on accuracy of malware detection. Using SMOTE datasets we could achieve over 96% detection accuracy and false alarm of less than 4%. All malware classification experiments are tested using cross validation technique. Our results reflect that increasing sample size in synthetic datasets has direct positive effect on detection accuracy while increases false alarm rate in compare to the original dataset.