An Early Detection Method for Cryptomining Malware Based on SDR Sentence Embeddings

Cryptomining Malware Early Detection Method Based on SDR


Authors: ZHONG Kai (钟凯), GUO Chun (郭春)[1], LI Xianchao (李显超), SHEN Guowei (申国伟) (State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025, China; Guizhou Cloud Computing and Big Data Professional Master's Workstation, Guiyang 550014, China)

Affiliations: [1] State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025; [2] Guizhou Cloud Computing and Big Data Professional Master's Workstation, Guiyang 550014

Source: Computer Science (《计算机科学》), 2024, No. 12, pp. 303-309 (7 pages)

Funding: National Natural Science Foundation of China (62162009); Guizhou Provincial Universities Innovation Team for Big Data and Network Security (黔教技[2023]052); Guizhou Provincial Science and Technology Program (黔科合平台人才GHB[2023]001).

Abstract: Cryptomining malware aims to steal computing resources from devices to mine cryptocurrency, seriously compromising network security while consuming a large amount of computing resources. Current dynamic detection methods for cryptomining malware mainly rely on host behavior or network traffic collected during a long sample run, which fails to balance the timeliness and accuracy of detection. By analyzing the DLLs (dynamic link libraries) called and the return values of the APIs called by cryptomining malware at the early stage of execution, we propose an API sentence embedding method based on DLL and API return value (SDR), and further propose a cryptomining malware early detection method based on SDR (CEDS). CEDS uses SDR to convert the API name sequences, API return value sequences, and DLL sequences generated in the early stages of software execution into sentence vector sequences, and uses TextCNN to build a model for early detection of cryptomining malware. Experimental results show that CEDS can determine whether a software sample is cryptomining malware or benign software with an average time of 0.5106 s and an accuracy of 96.75%.

Keywords: cryptomining malware; dynamic analysis; early detection; sentence vector; deep learning

Classification number: TP309 [Automation and Computer Technology - Computer System Architecture]
