Static Detection Model of Malware Based on Image Recognition

doi:10.3969/j.issn.1671-1122.2021.10.004

Abstract

Abstract:

Malware is one of the main threats to Internet security at present. This paper took the rapid and effective detection of malware as the research purpose, proposed SIC model,which used SimHash method to transform malware into feature vector by using the location and quantity characteristics of the opcode of malware,and finally converted it into gray-scale image. Then, the convolutional neural network CNN was used to identify the family of the malware. During this period, this paper used MutiHash and block selection algorithm to optimize the SIC model. The malware classification challenge data set released by Microsoft in 2015 was selected for model training. The experimental results show that the detection and recognition accuracy of the SIC model can reach 96.774%, which is improved to a certain extent compared with other traditional machine learning malware classification methods and achieves good results.

Key words: malware, static analysis, SimHash, CNN

CLC Number:

TP309

YANG Ming, ZHANG Jian. Static Detection Model of Malware Based on Image Recognition[J]. Netinfo Security, 2021, 21(10): 25-32.

Figures/Tables 10

References 15

[1]	Symatec Corporation. Internet Security Threat Report[EB/OL]. https://xueshu.baidu.com/usercenter/paper/show?paperid=e4f762cca6e121c932226ec3b49ec9b6&site=xueshu_se, 2021-02-26.
[2]	National Computer Network Emergency Technical Processing Coordination Center. China’s Internet Network Security Monitoring Data Analysis Report in the First Half of 2020[EB/OL]. http://www.cac.gov.cn/2020-09/26/c_1602682854845452.htm, 2020-09-30.
	国家计算机网络应急技术处理协调中心. 2020 年上半年我国互联网网络安全监测数据分析报告[EB/OL]. http://www.cac.gov.cn/2020-09/26/c_1602682854845452.htm, 2020-09-30.
[3]	DANIEL B. Opcodes as Predictor for Malware[J]. International Journal of Electronic Security and Digital Forensics, 2007, 1(2):156-168. doi: 10.1504/IJESDF.2007.016865 URL
[4]	YE Yanfang, LI Tao, CHEN Yong, et al. Automatic Malware Categorization Using Cluster Ensemble [C]//ACM. 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, July 25-28, 2010, Washington DC, USA. New York: ACM, 2010: 95-104.
[5]	YUAN Zhenlong, LU Yongqiang, WANG Zhaoguo, et al. Droid-Sec: Deep Learning in Android Malware Detection[J]. ACM Sigcomm Computer Communication Review, 2014, 44(4):371-372. doi: 10.1145/2740070.2631434 URL
[6]	SUN Guosong, QIAN Quan. Deep Learning and Visualization for Identifying Malware Families[J]. IEEE Transactions on Dependable and Secure Computing, 2018, 18(1):283-295. doi: 10.1109/TDSC.8858 URL
[7]	AGHAKHANI H, GRITTI F, MECCA F, et al. When Malware is Packin’Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features [C]//ISOC. 27th Network and Distributed System Security Symposium, February 23-26, 2020, San Diego, CA, USA. Reston: ISOC, 2020: 1-20.
[8]	QIAO Yong, YANG Yuexiao, HE Jie, et al. CBM: Free, Automatic Malware Analysis Framework Using API Call Sequences[EB/OL]. https://xueshu.baidu.com/usercenter/paper/show?paperid=2f9a98813da9302381169505621a5a1d, 2021-02-28.
[9]	ANDERSON B, QUIST D, NEIL J, et al. Graph-based Malware Detection Using Dynamic Analysis[J]. Journal in Computer Virology, 2011, 7(4):247-258. doi: 10.1007/s11416-011-0152-x URL
[10]	FUJINO A, MURAKMI J, MORI T. Discovering Similar Malware Samples Using API Call Topics [C]//IEEE. 12th Annual IEEE Consumer Communications and Networking Conference, January 9-12, 2015, Las Vegas, NV, USA. Piscataway: IEEE, 2015: 140-147.
[11]	AMER E, ZELINKA I. A Dynamic Windows Malware Detection and Prediction Method Based on Contextual Understanding of API Call Sequence[EB/OL]. https://xueshu.baidu.com/usercenter/paper/show?paperid=184b0mv0v2710c503t410e10nv535705&site=xueshu_se, 2020-12-28.
[12]	ZHANG Jixin, ZHENG Qin, HUI Yin, et al. IRMD: Malware Variant Detection Using Opcode Image Recognition [C]// IEEE. International Conference on Parallel & Distributed Systems, December 13-16, 2016, Wuhan, China.Piscataway: IEEE, 2017: 1175-1180.
[13]	KIM T, KANG B, KWON H. Malware Classification Method via Binary Content Comparison [C]// ACM. 2012 ACM Research in Applied Computation Symposium, October 23-26, 2012, San Antonio, USA. New York: ACM, 2012: 316-321.
[14]	SANTONS I, DEVESA J, BREZO F, et al. OPEM: A Static-dynamic Approach for Machine- learning-based Malware Detection[EB/OL]. https://xueshu.baidu.com/usercenter/paper/show?paperid=73e0e66daef64a6f5d40ec7348d14e34&site=xueshu_se&sc_from=nju, 2021-02-26.
[15]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification [C]// ACM. 8th International Symposium on Visualization for Cyber Security, Pittsburgh Pennsylvania, USA, July 20, 2011. New York: ACM, 2011: 1-7.

输入特征图大小	第一层	第二层	第三层
16×24	in =300,out=256	in =256,out=64	in =64,out=9
24×32	in=600,out=256	in =256,out=64	in =64,out=9
32×32	in=980,out=512	in =512,out=128	in =128,out=9

样本家族名称	样本数量
Ramnit	1541
Lollipop	2478
Kelihos_ver3	2942
Vundo	475
Simda	42
Tracur	751
Kelihos_ver1	398
Obfuscator.ACY	1228
Gatak	1013