Research on Unknown Malicious Code Automatic Detection Based on Space Relevance Features

Cited by: 5


Authors: Li Peng (李鹏)[1,2], Wang Ruchuan (王汝传)[1,2], Wu Ning (武宁)[1]

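Affiliations: [1] College of Computer, Nanjing University of Posts and Telecommunications, Nanjing 210003; [2] Computer Research Institute, Nanjing University of Posts and Telecommunications, Nanjing 210003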

Source: Journal of Computer Research and Development (《计算机研究与发展》), 2012, Issue 5, pp. 949-957 (9 pages)

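Funding: National Natural Science Foundation of China (60973139; 60773041); Natural Science Foundation of Jiangsu Province (BK2008451); China Postdoctoral Science Foundation (20090451240; 20090451241; 20100471353; 20100471355; 20100471356); Jiangsu Provincial University Science and Technology Innovation Program (CX09B-153Z; CX10B-260Z; CX10B-261Z; CX10B-262Z; CX10B-263Z); Jiangsu Province Six Talent Peaks Project (2008118); Jiangsu Provincial Key Laboratory of Computer Information Processing Technology Fund (2010)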

Abstract: An automatic detection scheme for unknown malicious code samples is proposed, based on space relevance features. Starting from the quantized vector features of each sample's character space, an intelligent segmentation algorithm based on region growing divides the sample into space relevance blocks. For each block, the spatial relation features of character moment, information entropy, and correlation coefficient are calculated, and the feature vectors are extracted and normalized. An index of spatial relation feature vectors is then built by analyzing the properties common to malicious code samples. To detect unknown malicious code, a similarity-priority matching algorithm that combines multiple features is adopted, with several spatial relation distances weighted together as the decision criterion to improve detection accuracy. An experimental flow graph is designed, the spatial relation feature vectors of multiple malicious code sample blocks are plotted, and the detection accuracy of single-feature matching is compared with that of combined multi-feature matching. The experimental results show that the proposed scheme matches unknown malicious code samples automatically and quickly, with high accuracy, and can also determine the type of the unknown malicious code.

Keywords: network security; malicious code; intelligent segmentation; space relevance features; similarity matching

Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]

 
