基于聚类分析的内核恶意软件特征选择

陈志锋; 李清宝; 张平; 冯培钧

doi:10.11999/JEIT150387

基于聚类分析的内核恶意软件特征选择

doi: 10.11999/JEIT150387

基金项目:

核高基国家科技重大专项(2013JH00103)和国家863计划目标导向项目(2009AA01Z434)

计量
- 文章访问数: 1478
- HTML全文浏览量: 116
- PDF下载量: 813
- 被引次数: 0
出版历程
- 收稿日期: 2015-04-02
- 修回日期: 2015-07-30
- 刊出日期: 2015-12-19

Signature Selection for Kernel Malware Based on Cluster Analysis

Funds:

The National Science and Technology Major Project of China (2013JH00103)

摘要

摘要: 针对现有基于数据特征的内核恶意软件检测方法存在随特征的增多效率较低的问题，该文提出一种基于层次聚类的特征选择方法。首先，分析相似度计算方法应用于数据特征相似度计算时存在的困难，提出最长公共子集并设计两轮Hash求解法计算最长公共子集；其次，设计基于最长公共子集的层次聚类算法，有效地将相似特征聚类成簇；在此基础上，设计基于不一致系数的内核恶意软件特征选择算法，大大减少特征数，提高检测效率。实验结果验证了方法的有效性，且时间开销在可接受的范围内。
- 数据特征 /
- 最长公共子集 /
- 层次聚类 /
- 特征选择 /
- 内核恶意软件
Abstract: As current kernel malware detection method based on data signature exists the problem that its efficiency decreases with the growth of the number of signatures, a signature selection method for kernel malware based on hierarchical cluster is presented. First, since current similarity calculation methods are difficult to be applied to data signature selection, a longest common subset based method and a 2-round Hash computation algorithm are introduced. Second, a longest common subset based hierarchical cluster algorithm is presented, thereby performing similar signature aggregation effectively. Finally, a signature selection algorithm based on inconsistent coefficient is designed to reduce the number of signatures. Experimental results show the effectiveness of the method, and performance evaluations indicate that algorithm runtime is acceptable.
- Data signature /
- Longest common subset /
- Hierarchical cluster /
- Signature selection /
- Kernel malware

HTML全文

参考文献(22)

Yin H, Song D, Egele M, et al.. Panorama: capturing system-wide information flow for malware detection and analysis[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, USA, 2007: 116-127.

王蕊, 冯登国, 杨轶, 等. 基于语义的恶意代码行为特征提取及检测方法[J]. 软件学报, 2012, 23(2): 378-393.

Wang Rui, Feng Deng-guo, Yang Yi, et al.. Semantics-based malware behavior signature extraction and detection method[J]. Journal of Software, 2012, 23(2): 378-393.

Nataraj L, Karthikeyan S, Jacob G, et al.. Malware images: visualization and automatic classification[C]. Proceedings of the 8th International Symposium on Visualization for Cyber Security, Pittsburg, PA, USA, 2011: 4-10.

Nataraj L, Yegneswaran V, Porras P, et al.. A comparative assessment of malware classification using binary texture analysis and dynamic analysis[C]. Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, Chicago, USA, 2011: 21-30.

韩晓光, 曲武, 姚宣霞, 等. 基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014, 35(8): 125-136.

Han Xiao-guang, Qu Wu, Yao Xuan-xia, et al.. Research on malicious code variants detection based on texture fingerprint [J]. Journal of Communications, 2014, 35(8): 125-136.

Ding Yun-xin, Dai Wei, Yan Sheng-li, et al.. Control flow- based opcode behavior analysis for malware detection[J]. Computer Security, 2014, 44: 65-74.

Wang X and Karri R. NumChecker: detecting kernel control- flow modifying rootkits by using hardware performance counters[C]. Proceedings of the 50th Annual Design Automation Conference, Austin, TX, USA, 2013: 79-86.

Debbabi M, Desharnais J, et al.. Static detection of malicious code in executable programs[J]. Intermational Journal of Requirement Engineering, 2001(184-189): 79-86.

Baliga A, Ganapathy V, and Iftode L. Detecting kernel-level rootkits using data structure invariants[J]. IEEE Transactions on Dependable and Secure Computing, 2011, 8(5): 670-684.

Zhu F. Integrity-based kernel malware detection[D]. [Ph.D. dissertation], Florida International University, 2014.

Rhee J, Riley R, Lin Z Q, et al.. Data-centric OS kernel malware characterization[J]. IEEE Transactions on Information Forensics and Security, 2014, 9(1): 72-87.

Tumer D, Entwisle S, Fossi M, et al.. Symantec Internet security thread report 2014[R]. Symantec Corporation, 2014.

陈季梦, 陈佳俊, 刘杰, 等. 基于结构相似度的大规模社交网络聚类算法[J]. 电子与信息学报, 2015, 37(2): 449-454.

Chen Ji-meng, Chen Jia-jun, Liu Jie, et al.. Clustering algorithms for large-scale social networks based on structural similarity[J]. Journal of Electronics Information Technology, 2015, 37(2): 449-454.

Ciprian O, George C, and Gheorghe S. Malware clustering using suffix trees[J]. Journal of Computer Virology Hacking Techniques, 2014, DOI: 10.1007/s11416-014-0227-6.

戚树慧. 基于指令分析的恶意代码分类与检测研究[D]. [硕士论文], 杭州电子科技大学, 2012.

Qi Shu-hui. Research into malware classification and detection based on instruction analysis[D]. [Master dissertation], Hangzhou Dianzi University, 2012.

罗养霞, 房鼎益. 基于聚类分析的软件胎记特征选择[J]. 电子学报, 2013, 41(12): 2334-2338.

Luo Yang-xia and Fang Ding-yi. Feature selection for software birthmark based on cluster analysis[J]. Acta Electronica Sinica, 2013, 41(12): 2334-2338.

Bailey M, Oberheide J, Andersen J, et al.. Automated classification and analysis of internet malware[C]. Proceedings of the 10th Symposium on Recent Advances in Intrusion Detection, Gold Coast, Australia, 2007: 178-197.

施引文献

资源附件(0)

访问统计