Anomaly Detection Method of Malicious Function Based on Binary Reconstruction
田杨 1, 彭国军 1, 杨秀璋 1, 刘思德 1
Author information
- 1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
Abstract
In recent years, work on malware detection has continued to progress, but methods for detecting the malicious components inside malware in depth are lacking. Traditional detection methods based on manual signatures and on machine learning are ineffective here, so analysts must perform lengthy manual reverse analysis of malicious samples before they can locate the malicious components. To improve the efficiency of reverse analysts, MalMiner, a malicious function anomaly detection method based on binary reconstruction, is proposed; it targets the functions inside malware that exhibit potentially malicious behaviour. An interprocedural control flow graph is generated for each sample, and features that characterize each function are extracted according to the statistical, structural and malicious characteristics the function has in that graph. The compression and reconstruction properties of an unsupervised autoencoder model are then used to learn the data characteristics of functions from normal software, and the reconstruction error serves as an anomaly score for detecting malicious functions. Experimental results show that MalMiner reaches an accuracy of 0.8484 at a recall of 0.8010 on the ground-truth dataset. Compared with DeepReflect at the same recall, the false positive rate is reduced by 0.1578 and the accuracy is improved by 0.1457; compared with CAPA, the recall is improved by 0.1071 and the accuracy by 0.0942, which verifies the effectiveness of the MalMiner method.
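As an added illustration of the detection step described in the abstract (example code, not from the paper or its authors), the following trains on benign function feature vectors only and scores other functions by their reconstruction error; a linear autoencoder (PCA with a one-dimensional bottleneck, fitted by power iteration) stands in for the paper's neural autoencoder, and the five features, the threshold rule and all sample values are constructed for this example.

```python
import math

def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))
def _top_eigvec(c, iters=500):
    """Dominant eigenvector and eigenvalue of a symmetric matrix (power iteration)."""
    v = [1.0] * len(c)
    for _ in range(iters):
        w = [_dot(row, v) for row in c]
        norm = math.sqrt(_dot(w, w)) or 1.0
        v = [x / norm for x in w]
    return v, _dot(v, [_dot(row, v) for row in c])
def _scale(model, v):  # standardize with the benign-set mean and std
    return [(x - m) / s for x, m, s in zip(v, model["mean"], model["std"])]
def score(model, v):
    """Anomaly score: squared error between features and their reconstruction."""
    z = _scale(model, v)
    codes = [_dot(c, z) for c in model["components"]]           # encode
    recon = [sum(k * c[i] for k, c in zip(codes, model["components"])) for i in range(len(z))]  # decode
    return sum((a - b) ** 2 for a, b in zip(z, recon))

def fit(vectors, k=1):
    """Train on benign functions only; PCA with a k-wide bottleneck stands in for the paper's neural autoencoder."""
    n, d = len(vectors), len(vectors[0])
    mean = [sum(v[i] for v in vectors) / n for i in range(d)]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vectors) / n) or 1.0 for i in range(d)]
    model = {"mean": mean, "std": std, "components": []}
    z = [_scale(model, v) for v in vectors]
    cov = [[sum(a[i] * a[j] for a in z) / n for j in range(d)] for i in range(d)]
    for _ in range(k):  # take the leading component, then deflate it out of cov
        vec, lam = _top_eigvec(cov)
        model["components"].append(vec)
        cov = [[cov[i][j] - lam * vec[i] * vec[j] for j in range(d)] for i in range(d)]
    errs = [score(model, v) for v in vectors]
    mu = sum(errs) / n
    sd = math.sqrt(sum((e - mu) ** 2 for e in errs) / n)
    model["threshold"] = mu + 3 * sd  # benign reconstruction errors define "normal"
    return model

# Constructed per-function feature vectors in the paper's three groups: statistical
# (instructions, basic blocks), structural (callers, callees), malicious (sensitive API calls).
BENIGN = [(40, 4, 1, 2, 0), (85, 9, 3, 3, 0), (120, 12, 1, 4, 1), (22, 2, 2, 1, 0),
          (60, 6, 4, 2, 0), (200, 20, 1, 6, 1), (15, 2, 2, 0, 0), (95, 10, 3, 3, 0)]
HELD_OUT_BENIGN = (80, 8, 2, 3, 0)  # ordinary helper never seen in training
SUSPECT = (350, 7, 0, 12, 6)        # few blocks, many callees, many sensitive APIs

def rank_functions(model, candidates):
    """(error, is_anomalous, vector) triples, highest error first, for analyst triage."""
    scored = [(score(model, v), score(model, v) > model["threshold"], v) for v in candidates]
    return sorted(scored, reverse=True)
```

Functions whose error exceeds the threshold learned from benign code are the ones an analyst would open first; the ranking matters more than the exact threshold when triaging a large binary.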
Keywords
malware detection / malicious code / reverse analysis / deep learning / binary reconstruction
Funding
National Natural Science Foundation of China (62172308)
National Natural Science Foundation of China (61972297)
National Natural Science Foundation of China (62172144)
National Natural Science Foundation of China (U1636107)
Publication year
2024