Similar literature
 Found 20 similar documents; search time: 15 ms
1.
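Zhao Yi, Gong Jian, Yang Wang. Journal on Communications (《通信学报》), 2014, 35(Z1): 11-57
Network behavior analysis of malicious code is an important research perspective in network security. To address the incomplete and shallow network behavior analysis common in existing systems, the functional modules of malicious code are summarized and a more comprehensive set of network behavior analysis items is proposed. After comparing the network behavior analysis capabilities of existing systems, CUCKOO is selected as the base platform. Its network behavior analysis capabilities are examined in detail through examples, and optimization and extension schemes are proposed.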

2.
Aiming at the logical similarity of the behavioral characteristics of malware belonging to the same family, the characteristics of malware were extracted by tracking the logic rules of API function calls from the perspective of behavior detection, and static analysis and dynamic analysis methods were combined to analyze malicious behavior characteristics. In addition, according to the purpose, inheritance and diversity of the malware family, the transitive closure relationship of the malware family was constructed, and then the incremental clustering method based on the Gaussian mixture model was improved to identify the malware family. Experiments show that the proposed method can not only save the storage space of malware detection, but also significantly improve the detection accuracy and recognition efficiency.

3.
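To address the problem that traditional convolutional neural networks (CNNs), limited by receptive field size, cannot directly and effectively capture key information such as spatial structure and global semantics, which makes feature extraction difficult at wide vessel boundaries and in capillary regions and leads to poor retinal vessel segmentation, a graph-convolution-based refinement framework for retinal vessel segmentation is proposed. Using contour extraction and uncertainty analysis, the framework selects potentially mis-segmented regions in the CNN's coarse segmentation result, constructs suitable graph data from them together with the extracted feature information, and feeds the graph into a residual graph convolutional network (Res-GCN) for a second classification, yielding the refined retinal vessel segmentation. The framework can be attached as a plug-and-play module to the end of any retinal vessel segmentation network, and is highly portable and easy to use. In the experiments, the U-shaped network (U-Net) and its representative improved variants DenseU-Net and AttU-Net were used as baseline networks and tested on the DRIVE, STARE and CHASEDB1 datasets. The framework's Sp was 98.28%, 99.10% and 99.04%, and its Pr was 87.97%, 88.87% and 90.25%, respectively, demonstrating its ability to refine and improve the segmentation of the baseline networks.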

4.
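Yang Shuai, Wang Ruiqin, Ma Hui. Telecommunications Science (《电信科学》), 2022, 38(9): 95-104
The edges of a graph usually carry important information, yet most deep learning models currently used for graph learning, such as the graph convolutional network (GCN) and the graph attention network (GAT), do not make full use of multi-dimensional edge features. Another problem is that noise may be present in the graph and degrade graph learning performance. A multilayer perceptron is used to denoise and optimize the graph data, and a multi-channel method for learning edge features is introduced on top of GCN: the multi-dimensional edge attributes of the graph are encoded and modeled as multiple channels according to the attributes contained in the original graph, with each channel corresponding to one edge feature attribute that constrains the training of the graph nodes, so that the algorithm learns the multi-dimensional edge features of the graph more reasonably. Experiments on datasets such as Cora, Tox21 and Freesolv demonstrate the effectiveness of the denoising method and the multi-channel method.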

5.
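Medical X-ray imaging, a routine examination for chest diseases, can diagnose chest diseases that are not obvious at an early stage and reveal the location of lesions. However, a single radiograph may show features of several diseases, which is a challenge for the classification task. In addition, different correspondences exist among disease labels, which makes the classification task even harder. To address these problems, this paper combines a graph convolutional neural network (GCN) with a traditional convolutional neural network (CNN) and proposes a multi-label chest radiograph disease classification method that fuses label features with image features. The method uses the GCN to model the global correlation of labels: a directed relation graph is built over the disease labels, in which each node represents one label category; the graph is then fed into the GCN to extract label features, which are finally fused with image features for classification. Experiments on the ChestX-ray14 dataset show that the proposed method reaches an average AUC of 0.843 over 14 chest diseases; compared with three current classic methods and with state-of-the-art methods, it effectively improves classification performance.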

6.
Because the dramatic increase in the number and variety of mobile malware has created an enormous challenge for the information security of mobile network users, a value-derivative GRU-based mobile malware traffic detection approach was proposed to solve the problem that it is difficult for an RNN-based mobile malware traffic detection approach to capture the dynamic changes and critical information of abnormal network traffic. By introducing the concept of "accumulated state change", the value-derivative GRU approach can describe the low-order and high-order dynamic change information of malicious network traffic at the same time. In addition, a pooling layer ensures that the algorithm can capture key information of malicious traffic. Finally, simulations were performed to verify the effect of accumulated state changes, hidden layers, and pooling layers on the performance of the value-derivative GRU algorithm. Experiments show that the mobile malware traffic detection approach based on value-derivative GRU has high detection accuracy.

7.
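HoneyBow: an automated malware collector based on high-interaction honeypot technology   Total citations: 12; self-citations: 0; citations by others: 12
Malicious code has become one of the most serious security threats on the Internet, and automated capture of malware samples is a necessary prerequisite for responding to malware propagation in a timely and effective way. HoneyBow, an automated malware collector based on high-interaction honeypot technology, is proposed. Compared with the Nepenthes malware collector, which is based on low-interaction honeypot technology, HoneyBow captures a more comprehensive range of malware types and can capture unknown malware. These advantages are fully verified by a comparison of actual malware capture records on the Internet and by an emergency-response case handling the Mocbot worm.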

8.
A new similarity detection scheme based on a hierarchical SimHash algorithm was proposed. The scheme extracted contents from different aspects to represent the APK file, then used the improved SimHash to represent each of them. The scheme analyzed the APK file by extracting the AndroidManifest.xml file in it, the sum of the Smali code from the decompilation of the dex file, the instructions extracted from the Smali files, the Java code set, and the instructions extracted from the Java code files. Drawing on the Voted Perceptron voting algorithm, the scheme used a trust weight method: a trust weight was assigned to every layer, and the weighted results of all layers were combined into the result of the scheme, so that the result can be more reasonable and more convincing.

9.
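In a traditional convolutional neural network (CNN), neurons in the same layer cannot pass information to each other, so feature information at the same level cannot be fully used and long-distance context-dependent features cannot be extracted. To address this for Chinese text, this paper proposes a character-level model with joint-network feature fusion for sentiment analysis. At the character level, a joint network of BiGRU and CNN-BiGRU in parallel is used to extract features: the strong learning ability of the CNN extracts deep features, and a bidirectional gated recurrent unit network (BiGRU) then performs deep learning on them, strengthening the model's ability to learn features. On the other side, BiGRU is used to extract context-dependent features and enrich the feature information. Finally, an attention mechanism is introduced on one side to assign feature weights and reduce noise interference. In several groups of comparative experiments on the dataset, the method achieves an F1 score of 92.36%; the results show that the proposed model can effectively improve the accuracy of text classification.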

10.
Aiming at the defect of the voting principle in the random forest algorithm, which is incapable of distinguishing between strong classifiers and weak classifiers, an improved weighted voting method was proposed, and on the basis of this method an improved random forest classification model (IRFCM) was proposed to detect Android malware. The IRFCM chose Permission information and Intent information from AndroidManifest.xml files as attribute features and optimized them, then applied the model to classify the final feature vectors. The experimental results in the Weka environment show that IRFCM has better classification accuracy and classification efficiency.

11.
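An online automatic analysis model for massive malware based on feature clustering   Total citations: 1; self-citations: 0; citations by others: 1
To address the insufficient automatic feature extraction and the poor timeliness of family determination in traditional methods for analyzing massive volumes of malware, and based on a study, using dynamic and static methods, of the behavioral composition and code-fragment distribution of a large number of samples, an online automatic analysis model for massive malware based on feature clustering is proposed. It comprises a feature-space construction method based on API behavior and code fragments, an automatic feature extraction algorithm, and a nearest-neighbor clustering algorithm based on LSH. Experimental results show that the model offers automatic feature extraction for large-scale samples, support for online data clustering and high accuracy in family determination, and that the prototype system designed from the model is highly practical.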

12.
Aiming at the problem that current network risk assessment models ignore the impact of attack cost and intrusion intention on network security, and in order to accurately assess the target network risk, a method of network intrusion intention analysis based on a Bayesian attack graph was proposed. Based on the atomic attack probability calculated from vulnerability value, attack cost and attack benefit, the static risk assessment model was established in combination with the quantitative attack graph of the Bayesian belief network, and the dynamic update model of intrusion intention was used to realize the dynamic assessment of network risk, which provided the basis for dynamic defense measures for the attack surface. Experiments show that the model is not only effective in evaluating the overall security of the network, but also feasible in predicting attack paths.

13.
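Gao Xiang. Telecommunication Engineering (《电讯技术》), 2023, (4): 457-465
Event prediction requires many factors to be considered together, and most existing prediction models suffer from sparse data, insufficient consideration of the combined and temporal features of events, and a single prediction type. To address this, a multi-label event prediction method based on a relational graph convolutional neural network is proposed, in which node feature aggregation produces a dense representation of the data. The model uses the convolution and pooling operations of a convolutional neural network to extract combined time-period feature information from the prediction data, and combines this with the temporal feature extraction ability of a long short-term memory network to further extract the temporal regularities of the prediction data. Finally, the model outputs the probability of occurrence of multiple event types through a fully connected multi-label classifier. Experimental results show that the proposed model supports prediction of multiple event types over multiple dates, with a highest F1 score of 0.85 on a specific dataset.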

14.
With the prevalence of accessible depth sensors, dynamic skeletons have attracted much attention as a robust modality for action recognition. Convolutional neural networks (CNNs) excel at modeling local relations within local receptive fields and are typically inefficient at capturing global relations. In this article, we first view the dynamic skeletons as a spatio-temporal graph (STG) and then learn the localized correlated features that generate the embedded nodes of the STG by message passing. To better extract global relational information, a novel model called spatial–temporal graph interaction networks (STG-INs) is proposed, which perform long-range temporal modeling of human body parts. In this model, human body parts are mapped to an interaction space where graph-based reasoning can be efficiently implemented via a graph convolutional network (GCN). After reasoning, global relation-aware features are distributed back to the embedded nodes of the STG. To evaluate our model, we conduct extensive experiments on three large-scale datasets. The experimental results demonstrate the effectiveness of our proposed model, which achieves the state-of-the-art performance.

15.
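In military aerial target recognition, existing artificial intelligence algorithms cannot achieve accurate recognition because samples are lacking. This paper uses a sufficient quantity of existing auxiliary-domain images to assist the few-sample application domain in cross-domain target recognition, addressing the weak generalization and poor performance of recognition models caused by missing labels and sparse samples. A cross-domain target recognition algorithm based on a deep-shallow dual-stream learning graph model (D-SLGM) is proposed. First, a deep-shallow dual-stream feature extraction algorithm is proposed to solve the difficulty of feature representation under unsupervised, few-sample conditions. In addition, a feature fusion algorithm based on a graph model is proposed to achieve high-precision fusion of features. The recognition model is trained on the fused features, improving the generalization ability of the algorithm. Three application scenarios are designed using a self-built aerial target dataset. Experimental results show that the mean of D-SLGM's average recognition accuracy reaches 78.2%, better than the compared methods, and that it has considerable potential in practical aerial target recognition applications.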

16.
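To apply intrusion detection systems effectively to detect WSN (wireless sensor network) malware and thereby suppress its propagation, a WSN intrusion detection network structure that relies on a cloud computing platform is proposed, taking into account that WSN node resources are limited while cloud platform resources are almost unlimited. Based on an analysis of the game between sensor nodes and WSN intrusion detection agents, a dynamic Bayesian game is used to build a game model for suppressing WSN malware propagation that accounts for the energy consumed by the WSN intrusion detection agents in sending monitoring data and for the privacy protection needs of sensor nodes. According to the type of game established, and based on the perfect Bayesian equilibrium, an optimized strategy for suppressing WSN malware propagation is proposed and the specific algorithm is given. The experiments analyze the factors that influence the WSN intrusion detection agent's choice of optimized strategy, providing an experimental basis for practical application.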

17.
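Security vendors commonly use virtual environments to analyze malware, but much malware uses virtual machine detection techniques to resist such analysis. This paper introduces three main methods of detecting virtual environments and gives corresponding countermeasures to prevent detection of the virtual environment. A new method for detecting virtual machines and emulators based on performance comparison is designed; experimental results show that the method can effectively detect virtual machines and emulators, such as the VMware software and the Qemu emulator.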

18.
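To address the problem that limited memory resources prevent a graph neural network (GNN) from fully loading an attributed graph, this paper proposes the binary identify-aware graph convolutional network (BID-GCN). The network recursively takes node information into account during message passing: to obtain the embedding of a given node, BID-GCN extracts the ego network centered on that node and performs multiple rounds of heterogeneous message passing, applying parameters to the central node of the ego network that differ from those applied to the other nodes. During message passing, the network parameters and input node features are binarized, and the original matrix multiplication is replaced with a binarized one to accelerate computation. Theoretical analysis and experimental evaluation show that BID-GCN reduces the memory consumption of network parameters and input data by about 36 times on average and speeds up inference on citation networks by about 49 times on average, while providing performance comparable to the full-precision baseline, thus addressing the problem of limited memory resources well.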

19.
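Chen Hao, Qing Sihan. Telecommunications Science (《电信科学》), 2016, 32(10): 15-21
To address the narrow applicability and low practicality of current static malware detection methods, an optimal classifier is selected through a combined algorithm and a detection system is implemented on that basis. First, reverse engineering is used to extract the software's feature library, and multi-stage screening yields the preliminary classifier results. A classifier evaluation criterion based on minimum-risk Bayes is proposed and, with this as the core, the optimal classifier result is obtained by assigning weights to the preliminary results. Finally, a prototype Android malware detection system is implemented around the optimal result. Experimental results show that the analysis accuracy of the detection system is 86.4% and that it does not depend on malicious code signatures.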

20.
A novel method for fast and accurate tracing of reused code was proposed. Based on simhash and an inverted index, the method can quickly trace similar functions in massive code. First of all, a code database with three-level inverted index structures was constructed. For the function to be traced, similar code blocks could be found quickly according to the simhash value of each code block in the function code. Then the potential similar functions could be quickly traced using the inverted index. Finally, truly similar functions could be identified by comparing the jump relationships of similar code blocks. Further, malware samples containing similar functions could be traced. The experimental results show that the method can quickly identify the functions inserted by compilers and the reused functions based on the code database, while maintaining high accuracy and recall.
