Malicious Code Detection Based on Image Feature Fusion

doi:10.3969/j.issn.1671-1122.2021.10.013

Abstract

Abstract:

With the continuous upgrading of malicious code obfuscation technology, the traditional detection methods are not enough to meet the security requirements. A malicious code detection method based on image feature fusion was proposed in this paper. The weighted-HOG features were used to extract the local texture features of the malicious code converted by B2M algorithm, and different weights were given according to the influence of different paragraph positions of malicious code on classification. At the same time, the Dense SIFT was used to extract the global texture structure features, which could not only reflect the detail of malicious code, but also not ignore the overall structure characteristics. SVM was used to classify the extracted features. The experimental results show that the performance of combined features is better than that of single features.

Key words: weighted-HOG, Dense SIFT features, feature fusion, SVM

CLC Number:

TP309

TAN Ruhan, ZUO Liming, LIU Ergen, GUO Li. Malicious Code Detection Based on Image Feature Fusion[J]. Netinfo Security, 2021, 21(10): 90-95.

Figures/Tables 9

References 15

[1]	SZOMSZOR M N, CANTADOR I, ALANI H. Correlating User Profiles from Multiple Folksonomies [C]//ACM. 19th ACM Conference on Hypertext and Hypermedia, June 19-21, 2008, Pittsburgh, USA. New York: ACM, 2008: 33-42.
[2]	BAN M. Ransomware Detection Using Random Forest Technique[J]. ICT Express, 2020, 6(4):325-331. doi: 10.1016/j.icte.2020.11.001 URL
[3]	TAKEUCHI Y, SAKAI K, FUKUMOTO S. Detecting Ransomware Using Support Vector Machines[C]//ICPP. 47th International Conference on Parallel Processing Companion (ICPP'18), August 13-16, 2018, Eugene, USA. New York: ACM, 2018(1): 1-6.
[4]	FIRDAUSI I, LIM C, ERWIN A, et al. Analysis of Machine Learning Techniques Used in Behavior-based Malware Detection[M]. Piscataway: IEEE Computer Society, 2010.
[5]	SHAUKAT S K, RIBEIRO V J. RansomWall: A Layered Defense System Against Cryptographic Ransomware Attacks Using Machine Learning [C]//IEEE. 2018 10th International Conference on Communication Systems & Networks (COMSNETS), January 3-7, 2018, Bengaluru, India. Piscataway: IEEE, 2018: 356-363.
[6]	SUBEDI K, BUDHATHOKI D, DASGUPTA D. Forensic Analysis of Ransomware Families Using Static and Dynamic Analysis [C]//IEEE. 2018 IEEE Security and Privacy Workshops (SPW), May 24-26, 2018, San Francisco, USA. Piscataway: IEEE, 2018: 180-185.
[7]	KANG Minggu, POOSANKAM P, YIN Heng. Renovo: A Hidden Code Extractor for Packed Executables [C]//ACM. 5th ACM Workshop on Recurring Malcode, November 2-3, 2007, Alexandria, USA. New York: ACM, 2007: 46-53.
[8]	ROYAL P, HALPIN M, DAGON D, et al. PolyUnpack: Automating the Hidden-code Extraction of Unpack-executing Malware [C]//IEEE. 22nd Computer Security Applications Conference, December 11-15, 2006, Miami, USA. Piscataway: IEEE, 2006: 289-300.
[9]	CUI Hong, YU Bo, FANG Ying. Analytical Method of High-dimensional Feature Fusion for Malware Classification[J]. Application Research of Computers, 2017, 34(4):1120-1123, 1150.
	崔弘, 喻波, 方莹. 恶意代码分类的一种高维特征融合分析方法[J]. 计算机应用研究, 2017, 34(4):1120-1123, 1150.
[10]	JIANG Qianyu, WANG Fengying, JIA Lipeng. Malware Detection Method Based on Perceptual Hash Algorithm and Feature Fusion[J]. Journal of Computer Applications, 2021, 41(3):780-785.
	姜倩玉, 王凤英, 贾立鹏. 基于感知哈希算法和特征融合的恶意代码检测方法[J]. 计算机应用, 2021, 41(3):780-785.
[11]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[C]//VizSec. 8th International Symposium on Visualization for Cyber Security (VizSec'11), July 20-21, 2011, New York, USA. New York: ACM, 2011(4): 1-7.
[12]	HAN Xiaoguang, QU Wu, YAO Xuanxia, et al. Research on Malicious Code Variants Detection Based on Texture Fingerprint[J]. Journal on Communications, 2014, 35(8):125-136.
	韩晓光, 曲武, 姚宣霞, 等. 基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014, 35(8):125-136.
[13]	LOWE D G. Distinctive Image Features from Scale-invariant Keypoints[J]. International Journal of Computer Vision, 2004, 60(2):91-110. doi: 10.1023/B:VISI.0000029664.99615.94 URL
[14]	DALAL N, TRIGGS B. Histograms of Oriented Gradients for Human Detection[C]//IEEE. IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR'5), June 20-25, 2005, San Diego, USA. Piscataway: IEEE, 2005(1): 886-893.
[15]	LIU Zhigang, LI Deren, QIN Qianqing, et al. An Analytical Overview of Methods for Multi-category Support Vector Machines[J]. Computer Engineering and Applications, 2004, 40(7):10-13, 65.
	刘志刚, 李德仁, 秦前清, 等. 支持向量机在多类分类问题中的推广[J]. 计算机工程与应用, 2004, 40(7):10-13, 65.

恶意代码家族	训练集数量/个	测试集数量/个
Ramnit	626	97
Lolipop	825	99
Kelihos_ver3	852	100
Vundo	424	88
Simda	42	37
Tracur	563	93
Kelihos_ver1	353	89
ObfuscatorACY	668	87
Gatak	635	95
总数量	4988	785

特征组合	SVM/%	RF/%	KNN/%	DT/%	LR/%
1_HOG（原始HOG）特征	78.99	80.25	41.38	22.26	16.60
3_HOG特征	88.68	85.41	53.33	29.94	28.81
5_HOG特征	90.44	86.79	52.70	34.59	30.82
7_HOG特征	90.06	88.30	60.88	43.27	32.20
Dense SIFT	91.57	92.58	79.62	49.06	48.55
1_HOG+Dense SIFT	90.18	91.45	71.95	49.05	50.69
3_HOG+Dense SIFT	92.57	92.33	78.36	49.18	49.94
5_HOG+Dense SIFT	93.08	92.96	81.76	49.81	50.94
7_HOG+Dense SIFT	94.46	93.84	80.00	51.19	51.95

方法	特征	准确率/%
文献[9]的方法	GLCM	85.8
文献[10]的方法	Gist+LBP	93.4
本文方法	HOG+Dense SIFT	94.5