Authors: 孙超远 (SUN Chao-yuan); 蒋秋华 (JIANG Qiu-hua); 徐东平 (XU Dong-ping); 李琪 (LI Qi)
Affiliations: [1] Postgraduate Department, China Academy of Railway Sciences, Beijing 100081, China; [2] Institute of Computing Technology, China Academy of Railway Sciences Corporation Limited, Beijing 100081, China
Source: Computer Technology and Development (《计算机技术与发展》), 2023, No. 6, pp. 153-159 (7 pages)
Funding: Science and Technology Research and Development Program of China State Railway Group Co., Ltd. (N2021S004-A).
Abstract: With ransomware increasingly rampant, detecting and classifying it is receiving growing attention. Detecting and classifying ransomware enables timely emergency response, protects user data and reduces losses for enterprise users. Algorithms such as transfer learning are gradually being applied to ransomware detection, but classification still mostly relies on static and dynamic analysis, which requires complex manual feature engineering, involves cumbersome steps, and does not lend itself to large-scale classification. To achieve simple, convenient and accurate large-scale classification, this paper extends the ransomware samples to both the Windows and Linux platforms, visualizes ransomware files with the Hilbert curve, which retains more data features, and then trains three improved transfer models based on residual neural networks to obtain their respective classification results. Finally, an ensemble learning module votes to produce the final classification result, and the approach is compared with the conventional Zigzag-rule visualization. Experiments show that the method detects and classifies ransomware with an accuracy of 96.92%, and that Hilbert visualization outperforms the conventional Zigzag-rule visualization.
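Keywords: ransomware; ransomware family classification; Hilbert curve; residual neural network; ensemble learning
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]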