Anomaly Detection Method of Malicious Function Based on Binary Reconstruction
In recent years, work on malware detection has continued to progress, but methods for detecting the malicious components inside malware remain insufficient. Traditional detection methods based on manual signatures and machine learning are ineffective for this task, so analysts must perform tedious manual reverse engineering of malicious samples to locate the malicious components. To improve the efficiency of reverse analysts, this paper proposes MalMiner, a malicious function anomaly detection method based on binary reconstruction that targets functions with potentially malicious behavior inside malware. MalMiner generates an interprocedural call graph from each sample and extracts features that characterize each function according to its statistical, structural and malicious characteristics in the graph. At the same time, the compression-and-reconstruction property of an unsupervised autoencoder is leveraged to learn the data characteristics of normal software functions, and the reconstruction error serves as the anomaly score for detecting malicious functions. The experimental results show that MalMiner reaches a recall of 0.8010 and an accuracy of 0.8484 on the ground-truth dataset. Compared with DeepReflect, the recall is the same, the false positive rate is reduced by 0.1578 and the accuracy is increased by 0.1457. Compared with CAPA, the recall is improved by 0.1071 and the accuracy by 0.0942, which verifies the effectiveness of the MalMiner method.
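The pipeline the abstract describes (call graph, per-function features, autoencoder trained on benign functions, reconstruction error as anomaly score) is illustrated below with an added, self-contained example. It is not MalMiner's code and makes several assumptions: the two programs are constructed toy records (function name, callees, instruction count, imported API calls), the five-feature layout (out-degree, in-degree, instruction count, API call count, count of calls to a hypothetical list of process-injection APIs) is our own stand-in for the paper's statistical, structural and malicious features, and the autoencoder is a minimal linear two-unit-bottleneck model trained by full-batch gradient descent in pure Python, which is a simplification of whatever architecture the paper uses.

```python
"""Added example (not MalMiner's own code): rank the functions of a suspect binary by
autoencoder reconstruction error over per-function call-graph features, with the
autoencoder trained only on the functions of a benign program."""
import random

# Constructed toy data: one record per function of a disassembled program.
# Values are invented for illustration, not taken from a real sample.
BENIGN = {
    "main":       {"callees": ["init", "parse_args", "run", "cleanup"], "n_instr": 40, "apis": ["GetCommandLineW"]},
    "init":       {"callees": ["log"], "n_instr": 25, "apis": ["InitializeCriticalSection"]},
    "parse_args": {"callees": ["log"], "n_instr": 60, "apis": []},
    "run":        {"callees": ["read_cfg", "worker", "log"], "n_instr": 90, "apis": ["CreateThread", "WaitForSingleObject"]},
    "read_cfg":   {"callees": ["log"], "n_instr": 70, "apis": ["CreateFileW", "ReadFile", "CloseHandle"]},
    "worker":     {"callees": ["log"], "n_instr": 120, "apis": ["Sleep", "WriteFile"]},
    "log":        {"callees": [], "n_instr": 30, "apis": ["OutputDebugStringW"]},
    "cleanup":    {"callees": ["log"], "n_instr": 20, "apis": ["DeleteCriticalSection"]},
}
SUSPECT = {
    "entry":  {"callees": ["setup", "loop"], "n_instr": 45, "apis": ["GetCommandLineW"]},
    "setup":  {"callees": ["log"], "n_instr": 30, "apis": ["InitializeCriticalSection"]},
    "loop":   {"callees": ["inject", "log"], "n_instr": 100, "apis": ["Sleep", "CreateThread"]},
    "log":    {"callees": [], "n_instr": 30, "apis": ["OutputDebugStringW"]},
    # the function an analyst would want surfaced: ordinary size and position in the
    # graph, but its imports are entirely process-manipulation APIs
    "inject": {"callees": [], "n_instr": 55,
               "apis": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                        "CreateRemoteThread", "VirtualProtectEx", "NtUnmapViewOfSection"]},
}
# Hypothetical "malicious characteristic" list; a real system would use a curated rule set.
SENSITIVE_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                  "CreateRemoteThread", "VirtualProtectEx", "NtUnmapViewOfSection"}


def extract_features(program):
    """One vector per function: [out_degree, in_degree, n_instr, n_api, n_sensitive_api]."""
    in_degree = {name: 0 for name in program}
    for rec in program.values():           # walk the interprocedural call graph once
        for callee in rec["callees"]:
            in_degree[callee] += 1
    return {
        name: [len(rec["callees"]),                       # structural: out-degree
               in_degree[name],                           # structural: in-degree
               rec["n_instr"],                            # statistical: function size
               len(rec["apis"]),                          # statistical: API calls
               sum(a in SENSITIVE_APIS for a in rec["apis"])]  # malicious indicator
        for name, rec in program.items()
    }


def fit_scaler(vectors):
    """Per-feature mean/std from the benign set; a constant feature keeps scale 1."""
    n, d = len(vectors), len(vectors[0])
    mean = [sum(v[j] for v in vectors) / n for j in range(d)]
    std = [(sum((v[j] - mean[j]) ** 2 for v in vectors) / n) ** 0.5 or 1.0 for j in range(d)]
    return mean, std


def scale(v, mean, std):
    return [(x - m) / s for x, m, s in zip(v, mean, std)]


class LinearAutoencoder:
    """d -> k -> d autoencoder (linear layers) trained by full-batch gradient descent."""

    def __init__(self, d, k, seed=0):
        rng = random.Random(seed)             # fixed seed keeps the example reproducible
        self.W1 = [[rng.uniform(-0.5, 0.5) for _ in range(d)] for _ in range(k)]
        self.b1 = [0.0] * k
        self.W2 = [[rng.uniform(-0.5, 0.5) for _ in range(k)] for _ in range(d)]
        self.b2 = [0.0] * d

    def encode(self, x):
        return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(self.W1, self.b1)]

    def decode(self, h):
        return [sum(w * hi for w, hi in zip(row, h)) + b for row, b in zip(self.W2, self.b2)]

    def reconstruction_error(self, x):
        """Squared reconstruction error: the anomaly score."""
        return sum((r - xi) ** 2 for r, xi in zip(self.decode(self.encode(x)), x))

    def fit(self, X, epochs=4000, lr=0.05):
        n = len(X)
        for _ in range(epochs):
            gW1 = [[0.0] * len(r) for r in self.W1]; gb1 = [0.0] * len(self.b1)
            gW2 = [[0.0] * len(r) for r in self.W2]; gb2 = [0.0] * len(self.b2)
            for x in X:
                h = self.encode(x)
                err = [r - xi for r, xi in zip(self.decode(h), x)]  # d(0.5*loss)/d(recon)
                for i, e in enumerate(err):                         # decoder gradients
                    gb2[i] += e
                    for j, hj in enumerate(h):
                        gW2[i][j] += e * hj
                dh = [sum(self.W2[i][j] * err[i] for i in range(len(err))) for j in range(len(h))]
                for j, dhj in enumerate(dh):                        # encoder gradients
                    gb1[j] += dhj
                    for i, xi in enumerate(x):
                        gW1[j][i] += dhj * xi
            for i in range(len(self.W2)):
                self.b2[i] -= lr * gb2[i] / n
                for j in range(len(self.W2[i])):
                    self.W2[i][j] -= lr * gW2[i][j] / n
            for j in range(len(self.W1)):
                self.b1[j] -= lr * gb1[j] / n
                for i in range(len(self.W1[j])):
                    self.W1[j][i] -= lr * gW1[j][i] / n


def rank_functions(benign, suspect, seed=0):
    """Train on benign functions only; return (name, score) pairs, most anomalous first."""
    bf = extract_features(benign)
    mean, std = fit_scaler(list(bf.values()))
    ae = LinearAutoencoder(d=len(mean), k=2, seed=seed)
    ae.fit([scale(v, mean, std) for v in bf.values()])
    scores = {name: ae.reconstruction_error(scale(v, mean, std))
              for name, v in extract_features(suspect).items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_functions(BENIGN, SUSPECT):
        print(f"{name:10s} anomaly score {score:8.3f}")
```

Two points the toy run makes visible. First, the score is a ranking aid, not a verdict: the analyst still opens the top-ranked function, which is exactly the triage the abstract describes. Second, a feature that is constant across the benign training set (here the sensitive-API count, always zero) carries no learned structure, so for that feature the reconstruction error is simply the distance from the benign constant; that is why a function whose imports are dominated by such APIs floats to the top even when its size and call-graph position look ordinary.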