Malicious Code Visual Classification Algorithm Based on Behavior Knowledge Graph Sieve

doi:10.3969/j.issn.1671-1122.2021.10.008

Abstract

Abstract:

In recent years, the virus industry has gradually formed a well-organized market and involves a huge amount of money. The main challenge facing today’s anti malware is to evaluate a large number of data and file samples to determine the potential malicious intent. Based on this, this paper proposes a visual classification algorithm of malicious code based on behavior graph sieve. The algorithm analyzes the assembly instruction flow of malicious code samples, extracts the program behavior fingerprint, and uses the knowledge map to escape the fingerprint content, so as to generate the fingerprint screen of the specified samples. By locating the spots in the fingerprint screen, the algorithm cleans up the noise in the malware samples and generates the corresponding fingerprint after screening. On the premise of retaining the original fingerprint features, the compression rate of the sifted fingerprint is 76.3%. Finally, the algorithm carries out visual analysis and opcode sequence analysis on the sifted fingerprint, and uses random forest algorithm for classification, which achieves 98.8% accuracy. Experiments show that the visual classification algorithm of malicious code based on behavior graph sieve can achieve better results in the classification of malicious code.

Key words: knowledge graph, malicious code classification, visual classification algorithm

CLC Number:

TP309

ZHU Chaoyang, ZHOU Liang, ZHU Yayun, LIN Qingwen. Malicious Code Visual Classification Algorithm Based on Behavior Knowledge Graph Sieve[J]. Netinfo Security, 2021, 21(10): 54-62.

Figures/Tables 15

References 18

[1]	JI Tiantian, FANG Binxing, CUI Xiang, et al. Research Progress of Deep Learning Enabled Attack and Defense of Malicious Code[J]. Chinese Journal of Computers, 2021, 44(4):669-695.
	冀甜甜, 方滨兴, 崔翔, 等. 深度学习赋能的恶意代码攻防研究进展[J]. 计算机学报, 2021, 44(4):669-695.
[2]	REN Zhuojun, CHEN Guang, LU Wenke. Research on Visualization Method of Malware Opcode[EB/OL]. http://kns.cnki.net/kcms/detail/11.2127.TP.20201126.0907.002.html, 2021-06-20.
	任卓君, 陈光, 卢文科. 恶意软件的操作码可视化方法研究[EB/OL]. http://kns.cnki.net/kcms/detail/11.2127.TP.20201126.0907.002.html, 2021-06-20.
[3]	HE Tong, ZHANG Zhi, ZHANG Hang, et al. Bag of Tricks for Image Classification with Convolutional Neural Networks [C]//IEEE. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), June 15-20, 2019, Long Beach, CA, USA. New York: IEEE, 2019: 558-567.
[4]	TAN Yang, LIU Jiayong, ZHANG Lei. Malware Family Classification of Deep Self Encoder Based on Mixed Features[J]. Information Network Security, 2020, 20(12):72-82.
	谭杨, 刘嘉勇, 张磊. 基于混合特征的深度自编码器的恶意软件家族分类[J]. 信息网络安全, 2020, 20(12):72-82.
[5]	LIU Yashu, WANG Zhihai, HOU Yueran, et al. Visualization and Automatic Classification of Malicious Code with Enhanced Information Density[J]. Journal of Tsinghua University (Natural Science Edition), 2019, 59(1):9-14.
	刘亚姝, 王志海, 侯跃然, 等. 信息密度增强的恶意代码可视化与自动分类方法[J]. 清华大学学报(自然科学版), 2019, 59(1):9-14.
[6]	ZENG Yaqin, ZHANG Linlin, ZHANG Ruonan, et al. Classification Model of Malware Family Based on Mobile Net[J]. Computer Engineering, 2020, 46(4):162-168.
	曾娅琴, 张琳琳, 张若楠, 等. 基于MobileNet的恶意软件家族分类模型[J]. 计算机工程, 2020, 46(4):162-168.
[7]	RAMAN K. Selecting Features to Classify Malware[EB/OL]. https://2012.infosecsouthwest.com/files/speaker_materials/ISSW2012_Selecting_Features_to_Classify_Malware.pdf, 2021-06-01.
[8]	KIM C H, KABANGA E K, KANG S J. Classifying Malware Using Convolutional Gated Neural Network [C]//ICACT. 2018 20th International Conference on Advanced Communication Technology (ICACT), February 11-14, 2018, Chuncheon, Korea (South). New York: IEEE, 2018: 40-44.
[9]	MA Xin, GUO Shize, LI Haiying, et al. How to Make Attention Mechanisms More Practical in Malware Classification[J]. IEEE Access, 2019, 7(10):155270-155280. doi: 10.1109/Access.6287639 URL
[10]	SHABTAI A, MOSKOVITCH R, FEHER C, et al. Detecting Unknown Malicious Code by Applying Classification Techniques on Opcode Patterns[J]. Security Informatics, 2012, 1(1):1-22. doi: 10.1186/2190-8532-1-1 URL
[11]	SUN Guosong, QIAN Quan. Deep Learning and Visualization for Identifying Malware Families[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(1):283-295. doi: 10.1109/TDSC.8858 URL
[12]	ANDERSON B, QUIST D, NEIL J, et al. Graph-based Malware Detection Using Dynamic Analysis[J]. Journal in Computer Virology, 2011, 7(4):247-258. doi: 10.1007/s11416-011-0152-x URL
[13]	KOLOSNJAJI B, DEMONTIS A, BIGGIO B, et al. Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables [C]//IEEE. 2018 26th European Signal Processing Conference (EUSIPCO), September 3-7, 2018, Rome, Italy. Italy: IEEE, 2018: 533-537.
[14]	LIU Weijie, ZHOU Peng, ZHAO Zhe, et al. K-bert: Enabling Language Representation with Knowledge Graph[EB/OL]. https://ojs.aaai.org/index.php/AAAI/article/view/5681, 2021-06-01.
[15]	KANG B J, YERIMA S Y, SEZER S, et al. N-gram Opcode Analysis for Android Malware Detection[EB/OL].https://arxiv.org/abs/1612.01445, 2021-06-01.
[16]	LUO J S, LO D C T. Binary Malware Image Classification Using Machine Learning with Local Binary Pattern [C]//IEEE. 2017 IEEE International Conference on Big Data (Big Data). December 11-14, 2017, Boston, MA, USA. New York: IEEE, 2017: 4664-4667.
[17]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification [C]//ACM. Proceedings of the 8th International Symposium on Visualization for Cyber Security (VizSec ’11), July 20, 2011, New York, USA. USA: Association for Computing Machinery, 2011: 1-7.
[18]	LU Xidong, DUAN Zhemin, QIAN yekui, et al. A Malicious Code Classification Method Based on Deep Forest[J]. Journal of Software, 2020, 31(5):1454-1464.
	卢喜东, 段哲民, 钱叶魁, 等. 一种基于深度森林的恶意代码分类方法[J]. 软件学报, 2020, 31(5):1454-1464.

类别编号	类别名	样本数量
0	Ramnit	1541
1	Lollipop	2478
2	Kelihos_ver3	2942
3	Vundo	475
4	Simda	42
5	Tracur	751
6	Kelihos_ver1	398
7	Obfuscator.ACY	1228
8	Gatak	1013

项目	训练及分类环境
CPU	32v CPUs
内存	64 GB
硬盘	2 TB
操作系统	CentOS 7
软件环境	Python3.9 tensorflow2.5.0 Network 2.5.1