Similar literature
20 similar documents found; search time 140 ms
1.
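A malware distribution detection platform is designed. Its detection method is as follows: extract summary information from HTTP request messages; match the summary information against the identification information in the malicious-site and safe-site identification libraries; if no match is found, classify the summary information with a decision classifier; if the site is determined to be a suspicious malicious site, generate download-link information for the suspicious malicious resource; and correlate the download-link information of multiple suspicious malicious resources to determine the network distribution information of the suspicious malicious resources. By means of a network node graph, the method better describes the activity of malware distribution networks, focuses on the mechanisms of malware distribution networks and the attributes of the network infrastructure, improves the malware detection rate, and strengthens network security.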

2.
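Network attacks occur frequently today, and users are seriously threatened by hacker attacks. To protect users, network security personnel have had to develop a variety of network security measures. The main network security devices at present are firewalls and intrusion detection systems. Intrusion detection systems use two kinds of detection methods: misuse detection algorithms and anomaly detection algorithms. After reviewing existing misuse detection algorithms, this paper proposes a new detection algorithm that incorporates certain intelligent algorithms. The paper first computes a weight for the unknown program and uses the properties of the weight to judge whether the program is malicious or legitimate. If the program is malicious, the MMTD algorithm is then used to match the size attribute of the malicious program. Finally, the attributes of known malicious programs are compared with those of the unknown program to determine which attack technique the network attack program belongs to. As a final note, the algorithm proposed in this paper is mainly aimed at detecting variant attack techniques.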

3.
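To address the shortcomings of traditional malware detection methods, this paper studies the application of data mining and machine learning algorithms to the detection of unknown malware. Current machine learning algorithms that use a single feature cannot fully exploit their data-processing capability, and their detection performance is poor. The paper combines a speech recognition model with the random forest algorithm and, for the first time, proposes building N-gram models uniformly over multiple classes of features of APK files and applying the random forest algorithm to the detection of unknown malware. First, three classes of features that reflect the behavior of Android malware are extracted in several ways: sensitive permissions, DVM function call sequences, and OpCodes features. Then an N-gram model is built for each class of features, and each model can judge malware behavior independently. Finally, the three feature models are fed together into the random forest algorithm for learning, so as to detect Android programs. An Android malware detection system was implemented based on this method and used to test 811 non-malicious programs and 826 malicious programs, with high accuracy. Taking all evaluation metrics together and comparing with other related work, the experimental results show that the system performs better in malware detection accuracy and effectiveness.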

4.
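汪洁  王长青, Journal of Software (《软件学报》), 2020, 31(11): 3436-3447
Dynamic behavior analysis is a common malware analysis method. Graphs are commonly used to represent malware system calls or resource dependencies; graph mining algorithms find the malicious feature subgraphs common to known malware samples, and these feature subgraphs are then used to detect malware. However, these methods often depend on graph matching algorithms, and graph matching is inevitably slow. The algorithms also ignore the relationships between subgraphs, although taking those relationships into account helps improve the model's detection performance. To solve these two problems, a malware detection method based on subgraph similarity, DMBSS, is proposed. The method uses data flow graphs to represent the system behavior or events of malware at run time, extracts malicious-behavior feature subgraphs from the data flow graphs, and uses an "inverse topological identification" algorithm to represent each feature subgraph as a string. The string carries the structural information of the subgraph, so string matching replaces graph matching. A neural network is then used to compute the similarity between subgraphs, that is, subgraph structures are represented as high-dimensional vectors so that similar subgraphs are also close to each other in the vector space. Finally, the subgraph vectors are used to build a similarity function for malware, which is combined with an SVM classifier to detect malware. Experimental results show that, compared with other methods, DMBSS detects malware faster and with higher accuracy.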

5.
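As one kind of malware, Trojans are often used by hackers as a means of intrusion, which causes great harm to network security and information security. An improved Trojan detection method based on an extended attack tree model is proposed. By analyzing PE files, a detection method that combines static analysis with dynamic behavior monitoring is used to extract a program's API call sequences. The information gain method is used to select a set of key short API sequences of Trojans, which serves as the feature library for building the extended attack tree model. The program under test is matched against and analyzed with the model nodes, using short API sequences as behavioral features, and the algorithms for the weights and danger index of matched nodes are improved. Finally, methods for adjusting and optimizing the extended attack tree model are given. Experimental results show that the improved method not only performs well in Trojan detection efficiency and accuracy, but can also detect Trojans that have been upgraded into variants.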

6.
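A real-valued negative selection algorithm based on receptor editing   Total citations: 1, self-citations: 1, citations by others: 0
李贵洋  郭涛, Computer Science (《计算机科学》), 2012, 39(8): 246-251
Inspired by the receptor editing theory of biological immunity, a real-valued negative selection algorithm based on receptor editing, RERNS (Receptor Editing-inspired Real Negative Selection Algorithm), is proposed. For detectors that match self, the algorithm uses directed receptor editing to give them new life; these reborn detectors are distributed in the boundary region between self and non-self, which increases detector diversity and improves the algorithm's coverage of the boundary region. For detectors that do not match self, the algorithm uses directed receptor editing that recognizes the same nearest self, so that the detector enlarges its coverage of non-self space while still containing its original detection range. Theoretical analysis and experimental verification show that, compared with the representative real-valued negative selection algorithms RNS and V-detector, RERNS generates fewer immature detectors and achieves better detection performance.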

7.
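To address the problem that hybrid segmentation algorithms based on distance and the Bayesian information criterion are too aggressive when confirming candidate segmentation points and easily lose segmentation points, a conservative segmentation-point confirmation method is proposed that gives rejected candidate segmentation points multiple chances to be tested. To address the problem that a fixed penalty factor cannot balance precision and recall, a detectability-based adaptive penalty factor algorithm is proposed; this adaptation is then extended on the basis of a heuristic rule, yielding a penalty factor adaptation method based on detectability and heuristic rules. Experimental results show that the proposed algorithm is clearly superior to existing algorithms and achieves a large improvement in performance.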

8.
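To address the shortcomings of existing artificial immune systems applied to network intrusion detection, an improved network intrusion detection model is proposed on the basis of the dynamic clonal selection algorithm of Kim's group. In this model, a small number of self-pattern classes are generated to process normal access data and speed up access. The self set is dynamically enlarged and reduced to adapt to changes in the network environment and to solve the problem of the very large self set in traditional AIS. Constraint-based detectors are used to represent antibodies, an arbitrary R-bit interval matching rule is used to decide matches between antibodies and antigens, and a splitting algorithm is used to handle matches between antibodies and self antigens. Finally, network intrusion detection simulation experiments were carried out on the model and compared with the results of the dynamic clonal selection algorithm under the same experimental conditions, verifying the effectiveness and feasibility of the proposed model.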

9.
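On the basis of an analysis of the principles of common immune algorithms, an improved immune detection mechanism is proposed using the negative selection algorithm and the r-contiguous-bits matching algorithm, and a new intrusion detection model is built. The new model takes three main measures: improving the rules for generating the candidate detector set, reducing detector redundancy, and introducing a cooperative detection mechanism. In the intrusion identification stage, a matching rule based on edit distance is used, which improves detection efficiency. Simulation experiments show that the model can effectively raise the detection rate of the intrusion detection system and lower the false alarm rate.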

10.
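To address problems of existing negative selection algorithms such as a low detection rate and an overly large detector set, a real-valued negative selection algorithm that combines non-self information with two-step movement (NTMV-detector) is proposed. The algorithm generates candidate detector centers from the non-self samples in the training set and by random generation. The main idea of the two-step movement is as follows: if a candidate detector center matches a mature detector, it is moved out of the mature detector set; the detector's position is then fine-tuned using the two self samples nearest to the candidate detector center, and the detector radius is determined. Experiments show that the method can effectively improve the diagnosis rate in disease diagnosis and reduce the misdiagnosis rate.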

11.
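To solve the problem of low classification accuracy in malware behavior analysis systems, a malware classification method based on the support vector machine (SVM) is proposed. First, a dangerous-behavior library that uses the results of software behavior as features is built manually. Then all behaviors of the software are captured and matched against the dangerous-behavior library; a sample conversion algorithm turns the matching results into data suitable for SVM processing, and the SVM is used for classification. For the choice of SVM model, kernel function and parameter pair (C, g), theoretical analysis is first used to determine an approximate range, and a combination of grid search and a genetic algorithm (GA) is then used for optimization. To verify the effectiveness of the proposed malware classification method, a malware behavior evaluation system based on the SVM model was designed. Experimental results show that the system's false positive rate and false negative rate are 5.52% and 3.04% respectively, which is better than the K-nearest-neighbor (KNN) and naive Bayes (NB) algorithms and comparable to the back-propagation (BP) neural network, while its training and classification efficiency is higher than that of the BP neural network.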

12.
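A malicious code visualization and analysis method based on opcode frequency is proposed. Building on static disassembly, the method obtains the opcode sequence of the machine instructions, uses a purpose-designed color spectrum to distinguish common from rare opcode instructions, and rearranges the positions of the opcodes according to the order of the corresponding color vectors in RGB space. This realizes a mapping of opcode frequency and solves the problems of weak visual distinguishability and low classification precision in existing visualization methods. The method was applied to the malware sample set provided by Microsoft (BIG 2015|Kaggle); after the visualization results were learned by a deep fusion network, a classification accuracy of 98.50% was achieved.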

13.
This research proposes a novel automatic method (termed Auto-Sign) for extracting unique signatures of malware executables to be used by high-speed malware filtering devices based on deep-packet inspection and operating in real-time. Contrary to extant string and token-based signature generation methods, we implemented Auto-Sign, an automatic signature generation method that can be used on large-size malware by disregarding signature candidates which appear in benign executables. Results from experimental evaluation of the proposed method suggest that picking a collection of executables which closely represents commonly used code plays a key role in achieving highly specific signatures which yield low false positives.

14.
Existing studies on the detection of mobile malware have focused mainly on static analyses performed to examine the code-structure signature of viruses, rather than the dynamic behavioral aspects. By contrast, the unidentified behavior of new mobile viruses using the self-modification, polymorphic, and mutation techniques for variants have largely been ignored. The problem of precision regarding malware variant detection has become one of the key concerns in mobile security. Accordingly, the present study proposed a threat risk analysis model for mobile viruses, using a heuristic approach incorporating both malware behavior analysis and code analysis to generate a virus behavior ontology associated with the Protégé platform. The proposed model can not only explicitly identify an attack profile in accordance with structural signature of mobile viruses, but also overcome the uncertainty regarding the probability of an attack being successful. This model is able to achieve this by extending frequent episode rules to investigate the attack profile of a given malware, using specific event sequences associated with the sandbox technique for mobile applications (apps) and hosts. For probabilistic analysis, defense evaluation metrics for each node were used to simulate the results of an attack. The simulations focused specifically on the attack profile of a botnet to assess the threat risk. The validity of the proposed approach was demonstrated numerically by using two malware cyber-attack examples. Overall, the results presented in this paper prove that the proposed scheme offers an effective countermeasure, evaluated using a set of security metrics, for mitigating network threats by considering the interaction between the attack profiles and defense needs.

15.
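To address the shortcomings of existing malicious code detection techniques, the network propagation behavior of malicious code is studied and the corresponding behavioral features are extracted. On this basis, a behavior-based distributed malicious code detection technique is proposed, and NS-2 simulation experiments are carried out. The experimental results show that the method has low false positive and false negative rates and can detect malicious code effectively.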

16.
One of the major problems concerning information assurance is malicious code. To evade detection, malware has also been encrypted or obfuscated to produce variants that continue to plague properly defended and patched networks with zero day exploits. With malware and malware authors using obfuscation techniques to generate automated polymorphic and metamorphic versions, anti-virus software must always keep up with their samples and create a signature that can recognize the new variants. Creating a signature for each variant in a timely fashion is a problem that anti-virus companies face all the time. In this paper we present detection algorithms that can help the anti-virus community to ensure a variant of a known malware can still be detected without the need of creating a signature; a similarity analysis (based on specific quantitative measures) is performed to produce a matrix of similarity scores that can be utilized to determine the likelihood that a piece of code under inspection contains a particular malware. Two general malware detection methods presented in this paper are: Static Analyzer for Vicious Executables (SAVE) and Malware Examiner using Disassembled Code (MEDiC). MEDiC uses assembly calls for analysis and SAVE uses API calls (Static API call sequence and Static API call set) for analysis. We show where Assembly can be superior to API calls in that it allows a more detailed comparison of executables. API calls, on the other hand, can be superior to Assembly for its speed and its smaller signature. Our two proposed techniques are implemented in SAVE and MEDiC. We present experimental results that indicate that both of our proposed techniques can provide a better detection performance against obfuscated malware. We also found a few false positives, such as those programs that use network functions (e.g. PuTTY) and encrypted programs (no API calls or assembly functions are found in the source code) when the thresholds are set at a 50% similarity measure. However, these false positives can be minimized, for example by changing the threshold value to 70% that determines whether a program falls in the malicious category or not.

17.
A metamorphic virus is a type of malware that modifies its code using a morphing engine. Morphing engines are used to generate a large number of metamorphic malware variants by performing different obfuscation techniques. Since each metamorphic malware has its own unique structure, signature-based anti-virus programs are ineffective at detecting these metamorphic variants. Therefore, detection of these kinds of viruses becomes an increasingly important task. Recently, many researchers have focused on extracting common patterns of metamorphic variants that can be used as micro-signatures to identify the metamorphic malware executables. With a similar motivation, in this work, we propose a novel metamorphic malware identification method, named HLES-MMI (Higher-level Engine Signature based Metamorphic Malware Identification). The proposed method first constructs a unique graph structure, called a co-opcode graph, for each metamorphic family, then extracts engine-specific opcode patterns from the graphs. Finally, it generates a higher-level signature belonging to each family by representing the extracted opcode patterns with a binary vector. Experimental results on four datasets produced by different morphing engines demonstrate the effectiveness and efficiency of the proposed method by comparing with several existing malware identification methods.

18.
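Executable file comparison is widely used in software copyright detection, malware family detection, pattern updating for anomaly detection, and patch analysis. Traditional methods cannot meet applications' requirements for speed and precision. At the function, basic-block and instruction levels, unary instruction signatures, unary structural signatures of functions based on the adjacency matrix of the function control flow graph, and strong/medium/weak unary signatures of instructions are designed, and function-matching and basic-block-matching algorithms that fuse signatures and attributes are proposed. This simplifies existing instruction comparison, resists instruction reordering, and outperforms SPP. False positives are further reduced and efficiency improved through matching-weight statistics, a strict maximum unique matching strategy, and hashing. Finally, a prototype tool, PEDiff, is implemented, and experiments confirm that the comparison method performs well in both speed and precision.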

19.
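杨燕  蒋国平, Computer Science (《计算机科学》), 2017, 44(Z11): 338-341, 361
With the development and spread of computer technology, the harm caused by computer viruses is becoming increasingly serious. The traditional N-Gram algorithm has difficulty extracting features of different lengths, which leads to the loss of effective features and produces a huge feature set, wasting space. To address these problems, an improved N-Gram-based method for automatic signature extraction is proposed. On top of the original N-Gram feature extraction algorithm, the method introduces variable-length N-Gram features, extracts effective features of different lengths, and generates variable-length virus signatures. Taking the correlation of feature frequencies into account, it uses feature concentration to perform directed screening of the N-Gram features and generates a data dictionary, saving storage space. Experimental results show that, compared with algorithms that use only fixed-length N-Grams, the method effectively reduces the false positive rate of automatic signature extraction.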

20.
Malware replicates itself and produces offspring with the same characteristics but different signatures by using code obfuscation techniques. Current generation Anti-Virus (AV) engines employ a signature-template type detection approach where malware can easily evade existing signatures in the database. This reduces the capability of current AV engines in detecting malware. In this paper we propose a hybrid framework for malware detection by using the hybrids of Support Vector Machines Wrapper, Maximum-Relevance–Minimum-Redundancy Filter heuristics where Application Program Interface (API) call statistics are used as malware features. The novelty of our hybrid framework is that it injects the filter's ranking score in the wrapper selection process and combines the properties of both wrapper and filters and API call statistics which can detect malware based on the nature of infectious actions instead of signature. To the best of our knowledge, this kind of hybrid approach has not been explored yet in the literature in the context of feature selection and malware detection. Knowledge about the intrinsic characteristics of malicious activities is determined by the API call statistics which is injected as a filter score into the wrapper's backward elimination process in order to find the most significant APIs. While using the most significant APIs in the wrapper classification on both obfuscated and benign types malware datasets, the results show that the proposed hybrid framework clearly surpasses the existing models including the independent filters and wrappers using only a very compact set of significant APIs. The performances of the proposed and existing models have further been compared using binary logistic regression. Various goodness of fit comparison criteria such as Chi Square, Akaike's Information Criterion (AIC) and Receiver Operating Characteristic Curve (ROC) are deployed to identify the best performing models. Experimental outcomes based on the above criteria also show that the proposed hybrid framework outperforms other existing models of signature types including independent wrapper and filter approaches to identify malware.
