一种基于混合学习的恶意代码检测方法

近年来,自动化沙箱被广泛部署并应用于恶意代码分析与检测,然而随着恶意代码数量的激增和抗分析能力的增强,如何有效应对海量恶意代码分析任务,提高沙箱系统分析效率,是增强网络安全防御能力的一个重要研究方向.本文利用不同学习方式以及恶意代码动、静态特征的特点,提出了一种基于混合学习模型的恶意代码检测方法,分别提取恶意代码的静态...     

基于逆向工程的Android恶意行为检测方法

由于Android系统应用市场的特性导致恶意软件传播迅速,对用户的手机乃至个人隐私造成了十分巨大的危害。本文首先介绍了Android应用的逆向技术,然后分析了恶意代码采用的多种Android代码隐藏技术及隐私获取的代码特征。针对这些情况,本文基于Android的逆向工程提出了一种静态检测和动态检测相结合的恶意行为检测方法,可以更加有效的检测代码中的恶意行为。最后通过对Android样本应用的分析表明此方法的可行性与有效性。     

基于行为分析的木马检测系统设计与实现

随着近年来网络技术的飞速发展,安全问题日益突出,病毒、木马、后门程序等恶意代码层出不穷,重大经济损失事件及重要泄密事件频频发生。传统的代码检查技术主要依靠特征码,静态分析等手段,对分析者的技术要求高,效率较低,难以实现批量检查。针对这些缺点,本文提出一种基于行为分析的木马检测技术,通过记录应用程序的动态行为,综合恶意代码的API调用序列,功能性行为特征、隐藏性行为特征、Rootkit行为特征等作为判别依据,分析其恶意危害性;同时给出详细的分析报告及关键行为记录,方便对恶意代码的手动查杀及深入分析。实验表明本文提出的检测方案能够有效地检测已知或未知的恶意代码,提高木马的检测准确率和检测效率,达到预期的研究目的。     

基于遗传算法的恶意代码对抗样本生成方法

机器学习已经广泛应用于恶意代码检测中,并在恶意代码检测产品中发挥重要作用。构建针对恶意代码检测机器学习模型的对抗样本,是发掘恶意代码检测模型缺陷,评估和完善恶意代码检测系统的关键。该文提出一种基于遗传算法的恶意代码对抗样本生成方法,生成的样本在有效对抗基于机器学习的恶意代码检测模型的同时,确保了恶意代码样本的可执行和恶意行为的一致性,有效提升了生成对抗样本的真实性和模型对抗评估的准确性。实验表明,该文提出的对抗样本生成方法使MalConv恶意代码检测模型的检测准确率下降了14.65%;并可直接对VirusTotal中4款基于机器学习的恶意代码检测商用引擎形成有效的干扰,其中,Cylance的检测准确率只有53.55%。     

基于恶意样本分析检测的沙箱技术研究

以不同恶意代码静态分析、行为特征、网络通联为底层模型和实现机制，研究一种基于样本行为特征分析的本地杀沙箱技术平台，解决传统互联网检测平台存在的保密性、时效性、准确性问题。通过分析关键函数、网络流量等特征，实现样本静态检测、行为分析、网络通联等功能，支撑安全研究人员对样本安全性进行研判。     

一种基于综合行为特征的恶意代码识别方法

基于行为的分析方法是恶意代码检测技术的发展方向,但现有的以孤立行为特征为依据的恶意代码识别方法误报率较高,本文提出了一种基于代码综合行为特征的恶意代码检测方法-IBC-DA.该算法通过改造的攻击树模型描述恶意代码执行过程中各相关主体间的关系,在此基础上计算得到的恶意性权值能够更加准确地反映代码执行过程对系统的影响.实验表明,利用本文算法进行病毒检测具有较低漏报率和误报率,并对未知恶意代码的防范具有积极意义.     

针对恶意代码的行为阻断方法研究

Internet上的移动代码主要用于实现一些活动目标，它极大地丰富了网络的内容，但同时也带来了恶意代码对安全的威胁问题。传统的基于代码特征检测的方法已经不能阻止越来越多的未知恶意代码的攻击。文章主要讨论基于恶意行为阻断的反攻击方法，提出了行为阻断算法的体系结构和通用的阻断策略，以及下一步需要解决的问题。     

基于逆向工程的Android特征库提取研究

随着智能手机的快速普及,智能手机恶意APP的数量与日俱增。恶意行为代码的二次复用开发、恶意APP的自动生成技术使得具有恶意行为的APP开发效率大大提高,恶意程序的数量急剧上升,现有的恶意行为特征库分类繁杂、良莠不齐,不利于对恶意APP进行恶意行为分析。一个全面、稳定、可扩展的恶意行为特征库,能有效地提高对恶意行为软件的检测精度,有利于分析恶意行为的不断演化的特征。文中基于APP逆向工程研究提出了一个基于文本挖掘以及信息检索的恶意特征库构建方法,并通过构建恶意行为演化关系树对恶意行为簇之间的演化关系进行了分析,经过实验验证本文提出的构建恶意行为特征库方法对静态分析恶意应用提供了可靠的基础,提高了恶意行为检测精度。     

基于分层语义认知的恶意代码检测方法研究

这里提出一种基于分层语义认知的恶意代码智能检测方法,该方法将待检测程序在虚拟捕获环境中获取的行为数据进行分层认知,逐层抽象为行为特征,最后使用贝叶斯分类器对其恶意性进行判定。在语义认知过程中采用分层和归一化的方式降低加密与混淆的干扰,采用动静结合方式提高检测效率,采用正负差集运算的方式降低误报率。经测试,该方法具有高检测率,抗混淆能力强,可以快速、有效地识别代码中的恶意行为。     

一种基于深度学习的强对抗性Android恶意代码检测方法

针对现有Android恶意代码检测方法容易被绕过的问题,提出了一种强对抗性的Android恶意代码检测方法.首先设计实现了动静态分析相结合的移动应用行为分析方法,该方法能够破除多种反分析技术的干扰,稳定可靠地提取移动应用的权限信息、防护信息和行为信息.然后,从上述信息中提取出能够抵御模拟攻击的能力特征和行为特征,并利用一个基于长短时记忆网络（Long Short-Term Memory,LSTM）的神经网络模型实现恶意代码检测.最后通过实验证明了本文所提出方法的可靠性和先进性.     

Malware variants detection based on ensemble learning

Application programming interface (API) is a procedure call interface to operation system resource. API-based behavior features can capture the malicious behaviors of malware variants. However, existing malware detection approaches have a deal of complex operations on constructing and matching. Furthermore, graph matching is adopted in many approaches, which is a nondeterministic polynominal (NP)-complete problem because of computational complexity. To address these problems, a novel approach is proposed to detect malware variants. Firstly, the API of the malware are divided by their functions and parameters. Then, the classified behavior graph (CBG) is constructed from the API call sequences. Finally, the signature based on CBGs for each malware family is generated. Besides, the malware variants are classified by ensemble learning algorithm. Experiments on 1 220 malware samples show that the true positive rate (TPR) is up to 89.0% with the low false positive rate (FPR) 3.7% by ensemble learning.     

Homology analysis of malware based on graph

Malware detection and homology analysis has been the hotspot of malware analysis.API call graph of malware can represent the behavior of it.Because of the subgraph isomorphism algorithm has high complexity,the analysis of malware based on the graph structure with low efficiency.Therefore,this studies a homology analysis method of API graph of malware that use convolutional neural network.By selecting the key nodes,and construct neighborhood receptive field,the convolution neural network can handle graph structure data.Experimental results on 8 real-world malware family,shows that the accuracy rate of homology malware analysis achieves 93%,and the accuracy rate of the detection of malicious code to 96%.     

基于改进贝叶斯分类的Android恶意软件检测

针对Android手机安全受恶意软件威胁越来越严重这一问题,提出一种改进的Android恶意软件检测算法。监控从Android移动设备应用程序获取的多种行为特征值,应用机器学习技术,通过与卡方检验滤波测试结合的方式改进传统的朴素贝叶斯算法,检测Android系统中的恶意软件。通过实验仿真,结果表明在采取朴素贝叶斯分类模型之前,使用卡方检验过滤应用程序的行为特征,可以使基于Android的恶意软件检测技术拥有较低的误报率和较高的精度。     

基于权限频繁模式挖掘算法的Android恶意应用检测方法

Android应用所申请的各个权限可以有效反映出应用程序的行为模式,而一个恶意行为的产生需要多个权限的配合,所以通过挖掘权限之间的关联性可以有效检测未知的恶意应用。以往研究者大多关注单一权限的统计特性,很少研究权限之间关联性的统计特性。因此,为有效检测Android平台未知的恶意应用,提出了一种基于权限频繁模式挖掘算法的Android恶意应用检测方法,设计了能够挖掘权限之间关联性的权限频繁模式挖掘算法—PApriori。基于该算法对49个恶意应用家族进行权限频繁模式发现,得到极大频繁权限项集,从而构造出权限关系特征库来检测未知的恶意应用。最后,通过实验验证了该方法的有效性和正确性,实验结果表明所提出的方法与其他相关工作对比效果更优。     

Incremental clustering method based on Gaussian mixture model to identify malware family

Aiming at the logical similarity of the behavioral characteristics of malware belonging to the same family,the characteristics of malware were extracted by tracking the logic rules of API function call from the perspective of behavior detection,and the static analysis and dynamic analysis methods were combined to analyze malicious behavior characteristics.In addition,according to the purpose,inheritance and diversity of the malware family,the transitive closure relationship of the malware family was constructed,and then the incremental clustering method based on Gaussian mixture model was improved to identify the malware family.Experiments show that the proposed method can not only save the storage space of malware detection,but also significantly improve the detection accuracy and recognition efficiency.     

DroidEnemy: Battling adversarial example attacks for Android malware detection

In recent years, we have witnessed a surge in mobile devices such as smartphones, tablets, smart watches, etc., most of which are based on the Android operating system. However, because these Android-based mobile devices are becoming increasingly popular, they are now the primary target of mobile malware, which could lead to both privacy leakage and property loss. To address the rapidly deteriorating security issues caused by mobile malware, various research efforts have been made to develop novel and effective detection mechanisms to identify and combat them. Nevertheless, in order to avoid being caught by these malware detection mechanisms, malware authors are inclined to initiate adversarial example attacks by tampering with mobile applications. In this paper, several types of adversarial example attacks are investigated and a feasible approach is proposed to fight against them. First, we look at adversarial example attacks on the Android system and prior solutions that have been proposed to address these attacks. Then, we specifically focus on the data poisoning attack and evasion attack models, which may mutate various application features, such as API calls, permissions and the class label, to produce adversarial examples. Then, we propose and design a malware detection approach that is resistant to adversarial examples. To observe and investigate how the malware detection system is influenced by the adversarial example attacks, we conduct experiments on some real Android application datasets which are composed of both malware and benign applications. Experimental results clearly indicate that the performance of Android malware detection is severely degraded when facing adversarial example attacks.     

Static and Dynamic Integrated Analysis Scheme for Android Malware

The Android platform is the most popular mobile operating system. With the increase of the number of Android users, a lot of security issues have occurred. In order to detect the malicious behaviors for the installed Android Apps, in this paper, we propose an Android malware detecting scheme by integrating static and dynamic analysis methods. We use Androguard and DroidBox to extract the features, and then remove the irrelevant features. Then we employ the support vector machine (SVM) to classify the Android malware and benignware. From the result of our proposed scheme, the proposed integrated static and dynamic analysis scheme with SVM can effectively detect the Android malware.     

N-gram MalGAN: Evading machine learning detection via feature n-gram

In recent years, many adversarial malware examples with different feature strategies, especially GAN and its variants, have been introduced to handle the security threats, e.g., evading the detection of machine learning detectors. However, these solutions still suffer from problems of complicated deployment or long running time. In this paper, we propose an n-gram MalGAN method to solve these problems. We borrow the idea of n-gram from the Natural Language Processing (NLP) area to expand feature sources for adversarial malware examples in MalGAN. Generally, the n-gram MalGAN obtains the feature vector directly from the hexadecimal bytecodes of the executable file. It can be implemented easily and conveniently with a simple program language (e.g., C++), with no need for any prior knowledge of the executable file or any professional feature extraction tools. These features are functionally independent and thus can be added to the non-functional area of the malicious program to maintain its original executability. In this way, the n-gram could make the adversarial attack easier and more convenient. Experimental results show that the evasion rate of the n-gram MalGAN is at least 88.58% to attack different machine learning algorithms under an appropriate group rate, growing to even 100% for the Random Forest algorithm.