基于纹理指纹的恶意代码变种检测方法研究  被引量：58

作　　者：韩晓光[1] 曲武[2,3] 姚宣霞[1] 郭长友[1] 周芳[1] 

机构地区：[1]北京科技大学计算机与通信工程学院,北京100083 [2]北京启明星辰信息安全技术有限公司核心研究院,北京100193 [3]清华大学计算机科学与技术系,北京100084

出　　处：《通信学报》2014年第8期125-136,共12页Journal on Communications

基　　金：国家重点基础研究发展规划("973"计划)基金资助项目(2007CB310803);国家自然科学重点基金资助项目(61035004);国家自然科学基金资助项目(60875029)~~

摘　　要：提出一种基于纹理指纹的恶意代码特征提取及检测方法,通过结合图像分析技术与恶意代码变种检测技术,将恶意代码映射为无压缩灰阶图片,基于纹理分割算法对图片进行分块,使用灰阶共生矩阵算法提取各个分块的纹理特征,并将这些纹理特征作为恶意代码的纹理指纹;然后,根据样本的纹理指纹,建立纹理指纹索引结构;检测阶段通过恶意代码纹理指纹块生成策略,采用加权综合多分段纹理指纹相似性匹配方法检测恶意代码变种和未知恶意代码;在此基础上,实现恶意代码的纹理指纹提取及检测原型系统。通过对6种恶意代码样本数据集的分析和检测,完成了对该系统的实验验证。实验结果表明,基于上述方法提取的特征具有检测速度快、精度高等特点,并且对恶意代码变种具有较好的识别能力。A texture-fingerprint-based approach is proposed to extract or detect the feature from malware content. The texture fingerprint of a malware is the set of texture fingerprints for each uncompressed gray-scale image block. The ma- licious code is mapped to uncompressed gray-scale image by integrating image analysis techniques and variants of malicious code detection technology. The uncompressed gray-scale image is partitioned into blocks by the texture segmen- tation algorithm. The texture fingerprints for each uncompressed gray-scale image block is extracted by gray-scale co-occurrence matrix algorithm. Afterwards, the index structure for fingerprint texture is built on the statistical analysis of general texture fingerprints of malicious code samples. In the detection phase, according to the generation policy for malicious code texture fingerprint, the prototype system for texture fingerprint extraction and detection is construtted by employing the integrated weight method to multi-segmented texture fingerprint similarity matching to detect variants and unknown malicious codes. Experimental results show that the malware variants detection system based on the proposed approach has good performance not only in speed and accuracy but also in identifying malware variants.

关 键 词：网络安全 恶意代码变种检测 纹理指纹 空间相似性检索 

分 类 号：TP309.5[自动化与计算机技术—计算机系统结构]