基于虚拟机的恶意代码检测系统研究

在深入分析恶意代码及其检测技术特征的基础上,提出一种基于硬件虚拟机的恶意代码检测系统,轻量级虚拟机是基于硬件虚拟化技术实现的小型虚拟机,为文件检测提供环境。行为监控模块负责监控被检测文件的所有行为,并把这些行为记录下来为后面的分析提供依据。行为分析模块是系统的数据处理模块,需要对数据进行收集、分类、分析处理然后归纳得出测试结果。     

恶意代码异常检测系统的需求分析与架构设计

目前互联网恶意代码已经泛滥,各类检测工具和安全产品相继问世,但层出不穷的恶意代码依然不能完全被检测出来,并且恶意代码特征的检测会导致系统的处理速度越来越慢,影响了检测工作的效率。针对这一问题,文章提出了以异常检测规则精炼特征检测的方式,打破了传统的一条或者多条规则对应一条恶意代码的检测模式,而Apriori的关联规则分析算法的优势就在于可以在恶意代码发现之前就进行异常检测,更为高效和精准。     

基于网络的恶意代码检测技术

通过对传统分布式IDS的分析，指出基于详细协议分析的多引擎小规则集的系统结构用于网络级恶意代码检测的缺陷，设计了单引擎大特征集的网络级恶意代码检测模型及恶意代码特征描述语言；分析了网络数据流的特征，通过对特征串进行优化的方法，避免特征串后缀与数据流的频繁碰撞及链表分支不平衡的问题，大幅度提高了WM算法检测网络恶意代码的效率。     

基于Win32 API调用监控的恶意代码检测技术研究

论文首先分析了现有动态检测恶意代码技术的不足,指出其受恶意代码的旁路攻击和拟态攻击的可能。然后,提出了防范此类攻击的API陷阱技术和调用地址混淆技术。最后由此实现了一个基于Win32API调用监控的恶意代码检测系统,经实验证明,该系统能检测出已知和未知的恶意代码的攻击。     

移动恶意代码分析及检测技术研究

目前移动互联网产业重心逐渐向移动应用服务转移。产业界各方竞相角逐移动应用市场:移动应用数量飞速增加,移动应用功能不断加强,应用用户体验持续提升。但是移动应用在飞速发展的同时也滋生了众多的安全隐患,移动恶意代码分析及检测技术已经成为当前移动应用软件健康发展的重要保证之一。针对这些问题,文章首先对移动恶意代码现状进行研究,重点分析应用软件开放环境和检测躲避技术,然后具体介绍目前主要移动恶意代码检测技术并进行对比,最后展望未来移动恶意代码检测技术的应用和发展。     

针对恶意代码的行为阻断方法研究

Internet上的移动代码主要用于实现一些活动目标，它极大地丰富了网络的内容，但同时也带来了恶意代码对安全的威胁问题。传统的基于代码特征检测的方法已经不能阻止越来越多的未知恶意代码的攻击。文章主要讨论基于恶意行为阻断的反攻击方法，提出了行为阻断算法的体系结构和通用的阻断策略，以及下一步需要解决的问题。     

恶意代码自动分析系统的研究

恶意代码的网络行为分析是网络安全领域的一个重要研究视角。针对现有系统普遍存在的网络行为分析不全面、不深入的问题,归纳了恶意代码的功能模块,提出了较为全面的网络行为分析内容。通过对比已有系统的网络行为分析功能,选取合适的系统CUCKOO作为基础平台。通过实例对其网络行为分析功能进行详细分析,并提出了优化、扩展方案。     

基于分层语义认知的恶意代码检测方法研究

这里提出一种基于分层语义认知的恶意代码智能检测方法,该方法将待检测程序在虚拟捕获环境中获取的行为数据进行分层认知,逐层抽象为行为特征,最后使用贝叶斯分类器对其恶意性进行判定。在语义认知过程中采用分层和归一化的方式降低加密与混淆的干扰,采用动静结合方式提高检测效率,采用正负差集运算的方式降低误报率。经测试,该方法具有高检测率,抗混淆能力强,可以快速、有效地识别代码中的恶意行为。     

基于纹理指纹的恶意代码变种检测方法研究

提出一种基于纹理指纹的恶意代码特征提取及检测方法,通过结合图像分析技术与恶意代码变种检测技术,将恶意代码映射为无压缩灰阶图片,基于纹理分割算法对图片进行分块,使用灰阶共生矩阵算法提取各个分块的纹理特征,并将这些纹理特征作为恶意代码的纹理指纹;然后,根据样本的纹理指纹,建立纹理指纹索引结构;检测阶段通过恶意代码纹理指纹块生成策略,采用加权综合多分段纹理指纹相似性匹配方法检测恶意代码变种和未知恶意代码;在此基础上,实现恶意代码的纹理指纹提取及检测原型系统。通过对6种恶意代码样本数据集的分析和检测,完成了对该系统的实验验证。实验结果表明,基于上述方法提取的特征具有检测速度快、精度高等特点,并且对恶意代码变种具有较好的识别能力。     

中国移动恶意代码检测与治理方案

本文通过分析流行的恶意代码特征,结合中国移动恶意代码治理现状,提出中国移动进行恶意代码检测与治理新趋势。     

基于改进型循环神经网络的恶意代码分类检测

近年来,随着恶意代码检测技术的提升,网络攻击者开始倾向构建能自重写和重新排序的恶意代码,以避开安全软件的检测。传统的机器学习方法是基于安全人员自主设计的特征向量来判别恶意代码,对这种新型恶意代码缺乏检测能力。为此,文中提出了一种新的基于代码时序行为的检测模型,并采用回声状态网络、最大池化和半帧结构等方式对神经网络进行优化。与传统的检测模型相比,改进后的模型对恶意代码的检测率有大幅提升。     

基于iOS系统的恶意行为检测研究

首先列举了多个iOS平台的恶意应用的案例,通过剖析作案手法以及造成的恶劣影响,分析了iOS平台下移动应用的主要恶意行为特征,研究了恶意行为检测过程中的各项关键技术,提出了iOS应用恶意行为检测的模型.最后,给出了iOS应用恶意行为检测的解决方案.     

iOS恶意应用分析综述

介绍了iOS的安全架构和应用程序的分发模式,分析了iOS平台上恶意应用程序对用户数据安全和隐私构成的威胁,讨论了iOS上恶意应用少于Android系统恶意应用的原因,总结了已出现的iOS恶意应用的攻击方法,并对未来的缓解和对抗策略进行了展望.     

Distributed detection of mobile malicious node attacks in wireless sensor networks

In wireless sensor networks, sensor nodes are usually fixed to their locations after deployment. However, an attacker who compromises a subset of the nodes does not need to abide by the same limitation. If the attacker moves his compromised nodes to multiple locations in the network, such as by employing simple robotic platforms or moving the nodes by hand, he can evade schemes that attempt to use location to find the source of attacks. In performing DDoS and false data injection attacks, he takes advantage of diversifying the attack paths with mobile malicious nodes to prevent network-level defenses. For attacks that disrupt or undermine network protocols like routing and clustering, moving the misbehaving nodes prevents them from being easily identified and blocked. Thus, mobile malicious node attacks are very dangerous and need to be detected as soon as possible to minimize the damage they can cause. In this paper, we are the first to identify the problem of mobile malicious node attacks, and we describe the limitations of various naive measures that might be used to stop them. To overcome these limitations, we propose a scheme for distributed detection of mobile malicious node attacks in static sensor networks. The key idea of this scheme is to apply sequential hypothesis testing to discover nodes that are silent for unusually many time periods—such nodes are likely to be moving—and block them from communicating. By performing all detection and blocking locally, we keep energy consumption overhead to a minimum and keep the cost of false positives low. Through analysis and simulation, we show that our proposed scheme achieves fast, effective, and robust mobile malicious node detection capability with reasonable overhead.     

信息网络内生恶意行为检测框架

“内生安全”赋予信息网络自学习、自成长的能力,是构建可信智能通信网络不可或缺的重要组成部分。面向信息网络“内生安全”,提出了一种内生恶意行为检测框架,变被动防御为主动拦截。同时,对内生恶意行为检测框架中五大关键组件进行了建模分析,并对自学习、自成长的恶意行为检测机制进行了阐述。最后,搭建原型系统并进行了实验,实验结果表明了检测框架的可行性和有效性。     

Multitier ensemble classifiers for malicious network traffic detection

A malicious network traffic detection method based on multi-level distributed ensemble classifier was proposed for the problem that the attack model was not trained accurately due to the lack of some samples of attack steps for detecting attack in the current network big data environment,as well as the deficiency of the existing ensemble classifier in the construction of multilevel classifier.The dataset was first preprocessed and aggregated into different clusters,then noise processing on each cluster was performed,and then a multi-level distributed ensemble classifier,MLDE,was built to detect network malicious traffic.In the MLDE ensemble framework the base classifier was used at the bottom,while the non-bottom different ensemble classifiers were used.The framework was simple to be built.In the framework,big data sets were concurrently processed,and the size of ensemble classifier was adjusted according to the size of data sets.The experimental results show that the AUC value can reach 0.999 when MLDE base users random forest was used in the first layer,bagging was used in the second layer and AdaBoost classifier was used in the third layer.     

HTTP malicious traffic detection method based on hybrid structure deep neural network

In response to the HTTP malicious traffic detection problem,a preprocessing method based on cutting mechanism and statistical association was proposed to perform statistical information correlation as well as normalization processing of traffic.Then,a hybrid neural network was proposed based on the combination of raw data and empirical feature engineering.It combined convolutional neural network (CNN) and multilayer perceptron (MLP) to process text and statistical information.The effect of the model was significantly improved compared with traditional machine learning algorithms (e.g.,SVM).The F₁value reached 99.38% and had a lower time complexity.At the same time,a data set consisting of more than 450 000 malicious traffic and more than 20 million non-malicious traffic was created.In addition,prototype system based on model was designed with detection precision of 98.1%~99.99% and recall rate of 97.2%~99.5%.The application is excellent in real network environment.