CN115292701A - Malicious code detection method and system based on combination of initiative and passivity - Google Patents

Malicious code detection method and system based on combination of initiative and passivity Download PDF

Info

Publication number
CN115292701A
CN115292701A CN202210920111.9A CN202210920111A CN115292701A CN 115292701 A CN115292701 A CN 115292701A CN 202210920111 A CN202210920111 A CN 202210920111A CN 115292701 A CN115292701 A CN 115292701A
Authority
CN
China
Prior art keywords
code
dynamic
initial
suspected
feature vector
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210920111.9A
Other languages
Chinese (zh)
Inventor
门嘉平
张小平
李铭晖
包涵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University filed Critical Tsinghua University
Priority to CN202210920111.9A priority Critical patent/CN115292701A/en
Publication of CN115292701A publication Critical patent/CN115292701A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Biomedical Technology (AREA)
  • Computing Systems (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a malicious code detection method and a system based on active and passive combination, belonging to the technical field of information security, wherein the malicious code detection method comprises the following steps: acquiring original characteristics of a system to be protected; establishing a trapping system according to the original characteristics; performing deep interaction with a program code in a system to be protected through a trapping system to determine a suspected code in the system to be protected; classifying each suspected code based on a static classifier, and determining a malicious code and an initial benign code in a system to be protected; for any initial benign code, executing the initial benign code in a dynamic sandbox, and determining a log file during execution; determining a dynamic characteristic image of the initial benign code according to the log file; and determining the final category of the initial benign code according to the dynamic characteristic image based on a dynamic classifier. The efficiency and the accuracy of malicious code detection are improved.

Description

Malicious code detection method and system based on combination of initiative and passivity
Technical Field
The invention relates to the technical field of information security, in particular to a malicious code detection method and system based on active and passive combination.
Background
Malicious code refers to computer code that is purposely programmed or configured to pose a threat or potential threat to a network or computer system. Which itself contains malicious intent, is a malicious computer program and acts through program execution. Common malicious code includes computer viruses, trojan horses, computer worms, logical bombs, backdoors, and the like. Malicious code may be spread in a variety of forms, such as mail, web links, infected files, infected applications, and the like. With the continuous development of the technology, novel malicious codes are layered endlessly and spread rapidly, and a certain hysteresis exists in the traditional malicious code detection technology. Moreover, a certain detection 'blind spot' exists only by relying on a passive detection method or an active detection method, so that a computer system has long-term potential safety hazards.
In order to solve the problems, the Chinese patent application number 201910395810.4 provides a malicious code detection method based on a system behavior sequence, and the method is used for extracting the running information of an android sample; dynamically operating an android sample, extracting dynamic features to obtain a system behavior sequence, and constructing a feature vector; and constructing a classifier and detecting malicious codes. Chinese patent application number 201910638126.4 provides a method and a system for detecting malicious codes, which are used for extracting corresponding characteristics from binary data of a single PE file in a training data set and performing characteristic dimension reduction processing; extracting the characteristics of binary data as the first half part of a deep learning model through a gated convolution network; combining the dimensionality reduced features and the obtained feature vectors, and inputting the combined features and the obtained feature vectors into a fully-connected neural network serving as the rear half part of a deep learning model to generate final feature vectors to be classified; and after classifying all the feature vectors to be classified, comparing the classified feature vectors with the known classes in the test data set to verify the correctness of the deep learning model, and obtaining the optimal deep learning model by adjusting parameters. Chinese patent CN201710818737.8 presents a malicious code detection method and apparatus, which respectively collects static feature information and dynamic feature information of a program code in a behavior process, respectively establishes a static feature vector and a dynamic feature vector, detects the static feature vector and the dynamic feature vector by using a detection model obtained by training a rule base for storing a malicious program sample and a white sample by using a support vector machine, and determines whether the program code is a malicious code according to a detection result.
However, some malicious codes have a shell-adding hiding mechanism, so that the accuracy of static analysis is reduced, the accuracy of detection is influenced by the current malicious code detection method only adopting a static analysis method, the efficiency of malicious code detection is influenced by only adopting a dynamic analysis method, and the malicious code sample is generally subjected to sandbox operation simulation and feature vector extraction, lacks deep interaction with the malicious codes, and is difficult to fully expose the attack intention of the malicious codes.
Disclosure of Invention
The invention aims to provide a malicious code detection method and system based on active and passive combination, which can improve the detection efficiency and accuracy of malicious codes.
In order to achieve the purpose, the invention provides the following scheme:
a malicious code detection method based on combination of initiative and passivity comprises the following steps:
acquiring original characteristics of a system to be protected;
establishing a trapping system according to the original characteristics;
deeply interacting with a program code in the system to be protected through the trapping system to determine a suspected code in the system to be protected;
classifying each suspected code based on a static classifier, and determining a malicious code and an initial benign code in the system to be protected; the static classifier is obtained by adopting an AdaBoost algorithm to train in advance according to a first training sample set; the first training sample set comprises a plurality of sample codes and the category of each sample code; the category is malicious code or benign code;
for any initial benign code, executing the initial benign code in a dynamic sandbox, and determining a log file during execution;
determining a dynamic characteristic image of the initial benign code according to the log file;
determining a final category of the initial benign code according to the dynamic characteristic image based on a dynamic classifier; the final category is malicious code or benign code; the dynamic classifier is obtained by training a convolutional neural network in advance according to a second training sample set; the second training sample set comprises a plurality of sample dynamic characteristic images and the category of each sample dynamic image.
Optionally, the original features include network features, intranet asset features, system self features, and interaction features of the system to be protected.
Optionally, the determining the suspected code in the system to be protected through the deep interaction between the trapping system and the program code in the system to be protected specifically includes:
acquiring an attack path of a historical malicious code;
aiming at any program code in a system to be protected, performing deep interaction with the program code through the trapping system, and determining a running path of the program code;
and judging whether the program code is a suspected code or not according to the attack path and the running path of the program code.
Optionally, the classifying each suspected code based on the static classifier to determine a malicious code and an initial benign code in the system to be protected specifically includes:
for any suspected code, performing shell inspection on the suspected code, and judging whether the suspected code is shelled or not;
if the suspected code is shelled, carrying out shelling processing on the suspected code to obtain an original code; if the suspected code is not shelled, the suspected code is an original code;
and determining the category of the suspected code according to the original code based on a static classifier.
Optionally, the performing a shell-adding check on the suspected code to determine whether the suspected code is shell-added specifically includes:
and judging whether the quantity of the import functions in the suspected code is less than a set quantity threshold value or not, or whether the moisture content value of the suspected code is higher than a set moisture content value threshold value or not, if so, the suspected code is shelled, otherwise, the suspected code is not shelled.
Optionally, the shelling the suspected code to obtain an original code specifically includes:
acquiring a shell adding mode and a shell adding version of the suspected code;
determining a corresponding shelling script according to the shelling mode and the shelling version;
and shelling the suspected code according to the shelling script to obtain an original code.
Optionally, the dynamic sandbox is constructed based on a sandbox computer program and a BSA sandbox analysis tool.
Optionally, the log file includes operation information of each step in the execution process of the initial benign code;
the determining the dynamic characteristic image of the initial benign code according to the log file specifically comprises:
respectively carrying out one-hot coding on the operation information of each step to obtain an initial dynamic feature vector set of the log file; the initial dynamic feature vector set comprises initial dynamic feature vectors of each step of operation information;
determining a final dynamic feature vector set according to the dynamic feature vector set based on a feature extraction model; the final dynamic feature vector set comprises a final dynamic feature vector of each step of operation information; the feature extraction model is obtained by training a recurrent neural network in advance according to a third training sample set; the third training sample set comprises a plurality of sample dynamic feature vector sets;
normalizing the initial dynamic feature vector of the operation information of each step according to the initial dynamic feature vector set to obtain a normalized dynamic feature vector set;
and determining the characteristic image of the initial benign code according to the normalized dynamic characteristic vector set and the final dynamic characteristic vector set.
Optionally, the initial feature vector of the i-th operation information is normalized by using the following formula:
Figure BDA0003776849520000041
wherein the content of the first and second substances,
Figure BDA0003776849520000042
normalized dynamic feature vector, x, for the i-th operation information i The initial feature vector of the operation information of the ith step is defined, X is an initial dynamic feature vector set, min (X) is the initial dynamic feature vector with the minimum length in the initial dynamic feature vector set, and max (X) is the initial dynamic feature vector with the maximum length in the initial dynamic feature vector set.
In order to achieve the above purpose, the invention also provides the following scheme:
a malicious code detection system based on combination of active and passive modes comprises:
the original characteristic obtaining unit is used for obtaining the original characteristics of the system to be protected;
the trapping system establishing unit is connected with the original characteristic acquiring unit and used for establishing a trapping system according to the original characteristic;
the deep interaction unit is connected with the trapping system establishing unit and used for performing deep interaction with the program codes in the system to be protected through the trapping system to determine the suspected codes in the system to be protected;
the static classification unit is connected with the deep interaction unit and is used for classifying all suspected codes based on a static classifier and determining malicious codes and initial benign codes in the system to be protected; the static classifier is obtained by adopting an AdaBoost algorithm to train in advance according to a first training sample set; the first training sample set comprises a plurality of sample codes and the category of each sample code; the category is malicious code or benign code;
the dynamic execution unit is connected with the static classification unit and used for executing the initial benign code in a dynamic sandbox aiming at any initial benign code and determining a log file during execution;
the dynamic image determining unit is connected with the dynamic execution unit and is used for determining a dynamic characteristic image of the initial benign code according to the log file;
the dynamic classification unit is connected with the dynamic image determination unit and used for determining the final category of the initial benign code according to the dynamic characteristic image based on a dynamic classifier; the final category is malicious code or benign code; the dynamic classifier is obtained by training a convolutional neural network in advance according to a second training sample set; the second training sample set comprises a plurality of sample dynamic characteristic images and the category of each sample dynamic image.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects: the method comprises the steps of firstly, carrying out deep interaction with program codes in a system to be protected through a trapping system, determining suspected codes in the system to be protected, actively detecting the suspected codes, classifying the suspected codes based on a static classifier, determining malicious codes and initial benign codes in the system to be protected, executing the initial benign codes in a dynamic sandbox, and determining log files during execution. A dynamic feature image of the initial benign code is determined from the log file. And finally, based on a dynamic classifier, determining the final category of the initial benign code according to the dynamic characteristic image, carrying out passive detection through static classification and dynamic classification, improving the detection efficiency through static detection, and improving the detection accuracy through dynamic detection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings required in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a malicious code detection method based on a combination of active and passive methods according to the present invention;
FIG. 2 is a logic decision diagram of the malicious code detection method based on a combination of active and passive methods according to the present invention;
FIG. 3 is a framework diagram of a malicious code trapping system;
fig. 4 is a schematic structural diagram of a malicious code detection system based on combination of active and passive methods according to the present invention.
Description of the symbols:
the system comprises an original characteristic acquisition unit-1, a trapping system establishment unit-2, a deep interaction unit-3, a static classification unit-4, a dynamic execution unit-5, a dynamic image determination unit-6 and a dynamic classification unit-7.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a malicious code detection method and system based on active and passive combination, which are characterized in that suspected codes are actively detected through deep interaction between a trapping system and program codes in a system to be protected, then the suspected codes are classified based on a static classifier, malicious codes and initial benign codes in the system to be protected are determined, and then the initial benign codes are classified based on a dynamic classifier, so that the detection efficiency and accuracy are improved.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
As shown in fig. 1 and fig. 2, the malicious code detection method based on active and passive combination of the present invention includes:
s1: and acquiring the original characteristics of the system to be protected. Specifically, the original features include network features, intranet asset features, system self features, and interaction features of the system to be protected. The network characteristics include an external network IP (Internet Protocol) address, an internal network IP address, a port number, a service type, a base station, an operator, and the like. Intranet asset characteristics include asset type, asset vulnerability, asset type, etc. The characteristics of the system include an operating system, a Media Access Control (MAC) address, an Agent status, a browser version, a video card, a time zone, and the like. The interactive features include communication protocols, processing of different interactive modes.
S2: establishing a trapping system according to said original characteristics.
S3: and deeply interacting with the program code in the system to be protected through the trapping system to determine the suspected code in the system to be protected.
S4: and classifying each suspected code based on a static classifier, and determining a malicious code and an initial benign code in the system to be protected. The static classifier is obtained by training in advance according to a first training sample set by adopting an AdaBoost algorithm. The first training sample set comprises a plurality of sample codes and the category of each sample code. The categories are malicious code or benign code.
S5: for any initial benign code, the initial benign code is executed in a dynamic sandbox, and a log file during execution is determined. In this example, the dynamic sandbox is constructed based on the sandbox computer program and the BSA sandbox analysis tool. The log file includes operational information for each step in the execution of the initial benign code.
Specifically, by executing the initial benign code in a dynamic sandbox formed by sandbox and BSA, dynamic features such as API (Application Programming Interface), network access, system file modification, registry modification and the like during the execution of the initial benign code are generated, formatting is performed, and a log file for recording malicious code execution operations is generated.
S6: and determining a dynamic characteristic image of the initial benign code according to the log file.
S7: determining a final category of the initial benign code according to the dynamic characteristic image based on a dynamic classifier; the final class is malicious code or benign code. And the dynamic classifier is obtained by training the convolutional neural network in advance according to a second training sample set. The second training sample set comprises a plurality of sample dynamic characteristic images and the category of each sample dynamic image.
Further, step S2 includes: and removing redundancy from the original features, and constructing an original feature vector. And training GAN (generating countermeasure network) according to the original feature vector to obtain a feature generation model. And obtaining an extended feature vector based on the feature generation model according to the original feature vector. And expanding the feature vectors according to the original feature vector set to generate the trapping system with high simulation and high interaction.
Further, step S3 includes:
s31: and acquiring an attack path of the historical malicious code. Specifically, attack characteristics are collected through historical attacks and open source threat intelligence, an FP (Frequent Pattern tree) is generated, and each attack path is an item set. The item sets are stored in an FP tree in a path mode, frequent item sets of historical malicious code attack paths are obtained by using an FP-growth (Frequent Pattern-growth) algorithm, the Frequent item sets are sorted according to a set threshold value, and possibility sorting of the attack paths is obtained. And acquiring the current attack step of the program code in the system to be protected, and predicting the next possible attack position.
S32: aiming at any program code in a system to be protected, the trap system and the program code are subjected to deep interaction, and the running path of the program code is determined. Specifically, based on the predicted possible attack position, a Network topology structure of the trapping system is dynamically adjusted by using an SDN (Software Defined Network) algorithm, deep interaction between the program codes and the trapping system is induced, and the whole process of malicious code attack is recorded in real time. The generation and deep interaction process of the trapping system is shown in fig. 3.
S33: and judging whether the program code is a suspected code or not according to the attack path and the running path of the program code.
According to the invention, a high-simulation high-interaction active malicious code trapping system is constructed, deep interaction between the malicious codes and the trapping system is induced, the attack process of the malicious codes is recorded in real time, and the malicious codes are trapped.
Further, step S4 includes:
s41: and for any suspected code, performing shell inspection on the suspected code, and judging whether the suspected code is shelled or not. Specifically, whether the number of the import functions in the suspected code is smaller than a set number threshold or whether the moisture value of the suspected code is higher than a set moisture value threshold is judged, if yes, the suspected code is shelled, and otherwise, the suspected code is not shelled.
The invention realizes the discrimination of the shell adding type through the shell adding feature code. And calling corresponding shelling scripts according to the version of a shelling algorithm for common shell adding modes such as compressed shells, encrypted shells, pseudo shell filling and the like. The shelling program generally has the following features: 1) There are only a few import functions in the shell. 2) The entropy value of the shelled program is higher than that of the uncapped program, which shows that the data in the shelled program is closer to random data. 3) A shell typically has an exceptional section size, such as a text section with an original data size of 0, but a virtual size other than 0.
S42: and if the suspected code is shelled, shelling the suspected code to obtain an original code. And if the suspected code is not shelled, the suspected code is an original code.
Specifically, the shell adding mode and the shell adding version of the suspected code are obtained. And determining a corresponding shelling script according to the shelling mode and the shelling version. And shelling the suspected code according to the shelling script to obtain an original code. Specifically, a shelling script with the same name is searched for according to the shell adding mode and the shell adding version to conduct shelling processing on the suspected code.
S43: and determining the category of the suspected code according to the original code based on a static classifier.
In addition, the invention sends the successful shelling codes to the static classifier, and archives the failed shelling codes for further analysis. And when the shelling is successful, generating a successful shelling log, wherein the log contains the MD5-Hash value of the suspected code as the information of a unique identifier, a shelling version, shelling time and the like. And when the shelling is failed, generating a shelling failure log, wherein the log contains information such as the MD5-Hash value, the shelling version, the first shelling detection time and the like of the suspected code.
Furthermore, a strong learner is formed by constructing and combining a plurality of learners through an AdaBoost integrated learning algorithm to complete the tasks of detecting and classifying the malicious codes. The input of the training process of the AdaBoost ensemble learning algorithm is the existing sample codes, and the sample codes are marked with the categories manually. After the AdaBoost ensemble learning algorithm is trained to reach the expected classification accuracy, the trained static classifier can be obtained. Firstly, obtaining a PE structure of a sample code, and determining a static feature set according to the PE structure; the static feature set includes a plurality of static features. The static features include: a DLL (Dynamic Link Library) with a high frequency of occurrence, an API with a high frequency of occurrence, a total number of referencing DLLs, a total number of calling APIs,. Test section header,. Data section header,. Rsrc section header,. Rdata section header, and the like.
The AdaBoost ensemble learning algorithm is a combination of weak classifiers. The weak classifiers employed in the present invention are decision trees. The AdaBoost ensemble learning algorithm is specifically classified as follows:
firstly, the weight of the misclassified samples in the previous round of weak classifiers is increased, and the weight of the correctly classified sample codes is reduced. Therefore, a correctly classified sample code is not obtained, and the weight of the sample code is increased, so that the specific gravity of the weak classifier in the next round is increased.
Secondly, adaBoost adopts a method of weighting majority voting by a plurality of weak classifiers, and particularly, the weight of the classifier with small classification error rate is increased, so that the AdaBoost plays a great role in voting. The weight of the weak classifier of the classification error rate response is reduced, so that the weak classifier plays a smaller role in voting.
The method comprises the steps of forming a strong learner by constructing and combining a plurality of learners by utilizing an AdaBoost integrated learning algorithm, carrying out detection and classification tasks of malicious codes based on a static characteristic set, outputting the category of a program to be detected if the category is judged to be the malicious program, adding the category into a black-and-white list database, and otherwise, carrying out dynamic detection.
Further, step S6 includes:
s61: and respectively carrying out one-hot coding on the operation information of each step to obtain an initial dynamic feature vector set of the log file. The initial dynamic feature vector set comprises initial dynamic feature vectors of each step of operation information.
S62: determining a final dynamic feature vector set according to the dynamic feature vector set based on a feature extraction model; the final dynamic feature vector set comprises a final dynamic feature vector of each step of operation information; the feature extraction model is obtained by training a recurrent neural network in advance according to a third training sample set; the third training sample set comprises a plurality of sample dynamic feature vector sets.
Specifically, the feature extraction model of the invention comprises an input layer x, 7 hidden layers and an output layer y. Wherein the first hidden layer h 1 Is a common neural unit, the second to sixth hidden layers (h) 2 ~h 6 ) Is the LSTM neural unit.
Sequentially inputting the initial dynamic feature vectors into a feature extraction model to obtain each initial dynamic feature vector x i Sixth hidden layer of
Figure BDA0003776849520000101
Vector to obtain final dynamic feature vector set
Figure BDA0003776849520000102
The process of training the recurrent neural network comprises the following steps:
(1) And formatting sample dynamic characteristic vectors such as API call, network access, system file modification and registry modification during execution of the known malicious codes, and generating a log file for recording execution operation of the malicious codes. Each operation in the log file (including API calls, network accesses, system file modifications, and registry modifications) is denoted S i
(2) For each step of operation S in all collected log files i Obtaining corresponding initial dynamic characteristic vector x after one-hot coding i All initial dynamic feature vectors x i An initial set of dynamic feature vectors X is composed as input to an RNN (Recurrent Neural Network). Wherein the vector set of the log file operation steps is { S } 1 ,S 2 ,S 3 ,……,S t And encoding the initial dynamic feature vector set into one-hot as { x } 1 ,x 2 ,x 3 ,……,x t }。
(3) X in each input layer initial dynamic feature vector set i Final dynamic eigenvector y corresponding to the output layer prediction i Then by calculating y i And x i+1 The gap of (a) is obtained as a loss function.
(4) When all the t-step operations are run through RNN, all the final dynamic feature vectors { y }are obtained 1 ,y 2 ,y 3 ,……,y t The loss function case of.
(5) And updating all weights in the RNN by utilizing back propagation calculation to finish parameter tuning of the RNN.
(6) After a plurality of iterations, the final dynamic feature vector y is output i And the actual operation initial dynamic feature vector x i+1 Is within a set threshold. At this time, a feature extraction model is obtained.
S63: and normalizing the initial dynamic feature vector of the operation information of each step according to the initial dynamic feature vector set to obtain a normalized dynamic feature vector set.
Due to the fact that the lengths of different operation information in the log files are different, the lengths of corresponding initial dynamic feature vectors obtained after one-hot encoding are different. Therefore, the initial dynamic feature vectors need to be scaled first, and the value ranges of all the initial dynamic feature vectors are guaranteed to be [0,1].
Normalizing the initial characteristic vector of the operation information of the ith step by adopting the following formula:
Figure BDA0003776849520000111
wherein the content of the first and second substances,
Figure BDA0003776849520000112
normalized dynamic feature vector, x, for the i-th operation information i The initial feature vector of the operation information of the ith step is defined, X is an initial dynamic feature vector set, min (X) is the initial dynamic feature vector with the minimum length in the initial dynamic feature vector set, and max (X) is the initial dynamic feature vector with the maximum length in the initial dynamic feature vector set.
S64: and determining the characteristic image of the initial benign code according to the normalized dynamic characteristic vector set and the final dynamic characteristic vector set.
Specifically, the normalized dynamic feature vector is converted into a dynamic feature image matrix M with the same size, and the calculation formula is as follows:
Figure BDA0003776849520000121
to obtain f i Is a row vector, and f i =(f 11 f 12 … f 1W );
The characteristic image matrix M is
Figure BDA0003776849520000122
Wherein, N is the number of rows of the dynamic characteristic image matrix M, and W is the dimension of the 6 th hidden layer.
All elements f in the dynamic characteristic image matrix M ij Multiplied by 255 to form a 256-level gray scale image, resulting in a feature image of the original benign code.
Further, in step S7, the dynamic classifier includes an input layer, a first convolution layer, a first pooling layer, a second convolution layer, a second pooling layer, a full connection layer, and two output layers, which are connected in sequence. The first convolutional layer contains 5 cores, W for input of the process 0 ×W 0 Image x 1. The first pooling layer is used to reduce the size of the first convolution layer output image to half the original size, the first pooling layer reduces the image to (W) 0 /2)×(W 0 /2). Times.1, output W 1 ×W 1 Image x 1. The second convolutional layer contains 10 cores for W output from the first pooling layer 1 ×W 1 Image x 1. The second pooling layer is used to reduce the size of the second convolutional layer output image to half of the original size, and the second pooling layer reduces the image to (W) 1 /2)×(W 1 /2). Times.10. The step size for maximum pooling is 2 and the dynamic classifier is two classes, containing two output layers.
The training process of the convolutional neural network is as follows: the CNN network is trained using sample dynamic feature images with malicious, benign labels as input. Output y 0 、y 1 Respectively, benign code and malicious code. Using sigmoid function Sig (y) 1 ) The probability of being malicious code is calculated.
The method and the system can trap the suspected code and carry out deep interaction, fully expose the attack intention of the suspected code, record the attack path of the suspected code and capture the suspected code. And carrying out automatic shell checking and detection on the captured suspected code, and carrying out automatic shell removal on common compressed shells, encrypted shells, pseudo-packed shells and the like. The detection efficiency of the malicious codes is improved by adopting static detection, and the detection accuracy is improved by adopting dynamic detection, so that powerful data support is provided for effective detection and classification of the malicious codes. Meanwhile, sample support can be provided for timely updating of the malicious code library through a large amount of captured malicious codes.
As shown in fig. 4, the malicious code detection system based on active and passive combination of the present invention includes: the system comprises an original characteristic acquisition unit 1, a trapping system establishing unit 2, a depth interaction unit 3, a static classification unit 4, a dynamic execution unit 5, a dynamic image determination unit 6 and a dynamic classification unit 7.
The original feature acquiring unit 1 is configured to acquire an original feature of a system to be protected.
The trapping system establishing unit 2 is connected to the original characteristic obtaining unit 1, and the trapping system establishing unit 2 is configured to establish a trapping system according to the original characteristic.
The deep interaction unit 3 is connected with the trapping system establishing unit 2, and the deep interaction unit 3 is configured to perform deep interaction with the program code in the system to be protected through the trapping system to determine the suspected code in the system to be protected.
The static classification unit 4 is connected with the deep interaction unit 3, and the static classification unit 4 is configured to classify each suspected code based on a static classifier, and determine a malicious code and an initial benign code in the system to be protected. The static classifier is obtained by training in advance according to a first training sample set by adopting an AdaBoost algorithm. The first training sample set comprises a plurality of sample codes and the category of each sample code. The categories are malicious code or benign code.
The dynamic execution unit 5 is connected to the static classification unit 4, and the dynamic execution unit 5 is configured to execute, for any initial benign code, the initial benign code in a dynamic sandbox and determine a log file during execution. The log file includes operation information for each step in the execution process of the initial benign code.
The dynamic image determining unit 6 is connected to the dynamic executing unit 5, and the dynamic image determining unit 6 is configured to determine a dynamic feature image of the initial benign code according to the log file.
The dynamic classification unit 7 is connected to the dynamic image determination unit 6, and the dynamic classification unit 7 is configured to determine a final class of the initial benign code according to the dynamic feature image based on a dynamic classifier; the final category is malicious code or benign code. The dynamic classifier is obtained by training the convolutional neural network in advance according to a second training sample set. The second training sample set comprises a plurality of sample dynamic characteristic images and the category of each sample dynamic image.
Further, the depth interaction unit 3 includes: the device comprises a historical attack path acquisition module, an interaction module and a judgment module.
The historical attack path acquisition module is used for acquiring an attack path of a historical malicious code.
The interaction module is connected with the trapping system establishing unit 2, and the interaction module is used for carrying out deep interaction on any program code in the system to be protected through the trapping system and the program code and determining the running path of the program code.
The judging module is connected with the historical attack path acquiring module and the interaction module and is used for judging whether the program code is a suspected code according to the attack path and the running path of the program code.
Further, the static classification unit 4 includes: the device comprises a shell adding inspection module, a shell removing module and a static classification module.
The shell adding detection module is connected with the deep interaction unit 3, and is used for carrying out shell adding detection on any suspected code and judging whether the suspected code is added with a shell or not.
The shelling module is connected with the shell adding inspection module and is used for shelling the suspected code to obtain an original code if the suspected code is added with the shell; and if the suspected code is not shelled, the suspected code is an original code.
Specifically, the shelling module includes: the device comprises a mode version acquisition sub-module, a shelling script determination sub-module and a shelling sub-module. And the mode version acquisition sub-module is connected with the shell adding inspection module and is used for acquiring the shell adding mode and the shell adding version of the suspected code. And the shelling script determining submodule is connected with the mode version acquiring submodule and is used for determining a corresponding shelling script according to the shell adding mode and the shell adding version. And the shelling submodule is connected with the shelling script determining submodule and is used for shelling the suspected code according to the shelling script to obtain an original code.
And the static classification module is connected with the shelling module and is used for determining the category of the suspected code according to the original code based on a static classifier.
Further, the moving image determination unit 6 includes: the device comprises an encoding module, a characteristic vector determining module, a normalizing module and a characteristic image determining module.
And the encoding module is connected with the dynamic execution unit 5 and is used for respectively performing one-hot encoding on the operation information of each step to obtain an initial dynamic feature vector set of the log file. The initial dynamic feature vector set comprises initial dynamic feature vectors of each step of operation information.
The feature vector determining module is connected with the encoding module and is used for determining a final dynamic feature vector set according to the dynamic feature vector set based on the feature extraction model. And the final dynamic feature vector set comprises a final dynamic feature vector of each step of operation information. The feature extraction model is obtained by training the recurrent neural network in advance according to a third training sample set. The third training sample set comprises a plurality of sample dynamic feature vector sets.
And the normalization module is connected with the coding module and is used for normalizing the initial dynamic feature vector of the operation information of each step according to the initial dynamic feature vector set to obtain a normalized dynamic feature vector set.
The characteristic image determining module is connected with the normalizing module and the characteristic vector determining module, and the characteristic image determining module is used for determining the characteristic image of the initial benign code according to the normalized dynamic characteristic vector set and the final dynamic characteristic vector set.
Compared with the prior art, the malicious code detection system based on the combination of the initiative and the passivity has the same beneficial effects as the malicious code detection method based on the combination of the initiative and the passivity, and the details are not repeated herein.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (10)

1. A malicious code detection method based on active and passive combination is characterized by comprising the following steps:
acquiring original characteristics of a system to be protected;
establishing a trapping system according to the original characteristics;
deeply interacting with a program code in the system to be protected through the trapping system to determine a suspected code in the system to be protected;
classifying each suspected code based on a static classifier, and determining a malicious code and an initial benign code in the system to be protected; the static classifier is obtained by adopting an AdaBoost algorithm to train in advance according to a first training sample set; the first training sample set comprises a plurality of sample codes and the category of each sample code; the category is malicious code or benign code;
for any initial benign code, executing the initial benign code in a dynamic sandbox, determining a log file during execution;
determining a dynamic characteristic image of the initial benign code according to the log file;
determining a final category of the initial benign code according to the dynamic characteristic image based on a dynamic classifier; the final category is malicious code or benign code; the dynamic classifier is obtained by training a convolutional neural network in advance according to a second training sample set; the second training sample set comprises a plurality of sample dynamic characteristic images and the category of each sample dynamic image.
2. The active and passive combination-based malicious code detection method according to claim 1, wherein the original features include network features, intranet asset features, system self features, and interaction features of the system to be protected.
3. The active and passive combination-based malicious code detection method according to claim 1, wherein the determining the suspected code in the system to be protected through deep interaction between the trapping system and the program code in the system to be protected specifically comprises:
acquiring an attack path of historical malicious codes;
aiming at any program code in a system to be protected, performing deep interaction with the program code through the trapping system, and determining a running path of the program code;
and judging whether the program code is a suspected code or not according to the attack path and the running path of the program code.
4. The active-passive combination-based malicious code detection method according to claim 1, wherein the static classifier is used to classify suspected codes and determine malicious codes and initial benign codes in the system to be protected, and the method specifically comprises:
for any suspected code, performing shell inspection on the suspected code, and judging whether the suspected code is shelled;
if the suspected code is shelled, carrying out shelling processing on the suspected code to obtain an original code; if the suspected code is not shelled, the suspected code is an original code;
and determining the category of the suspected code according to the original code based on a static classifier.
5. The active-passive combination-based malicious code detection method according to claim 4, wherein the shell-adding inspection of the suspected code to determine whether the suspected code is shell-added specifically comprises:
and judging whether the number of the imported functions in the suspected code is smaller than a set number threshold or not, or whether the moisture value of the suspected code is higher than a set moisture value threshold or not, if so, covering the suspected code, and otherwise, uncovering the suspected code.
6. The active and passive combination-based malicious code detection method according to claim 4, wherein the removing shell processing is performed on the suspected code to obtain an original code, and specifically comprises:
acquiring a shell adding mode and a shell adding version of the suspected code;
determining a corresponding shelling script according to the shelling mode and the shelling version;
and shelling the suspected code according to the shelling script to obtain an original code.
7. The active and passive combination-based malicious code detection method according to claim 1, wherein the dynamic sandbox is constructed based on a sandbox computer program and a BSA sandbox analysis tool.
8. The active and passive combination-based malicious code detection method according to claim 1, wherein the log file includes operation information of each step in the execution process of the initial benign code;
the determining the dynamic characteristic image of the initial benign code according to the log file specifically comprises:
respectively carrying out one-hot coding on the operation information of each step to obtain an initial dynamic feature vector set of the log file; the initial dynamic feature vector set comprises initial dynamic feature vectors of each step of operation information;
determining a final dynamic feature vector set according to the dynamic feature vector set based on a feature extraction model; the final dynamic feature vector set comprises a final dynamic feature vector of each step of operation information; the feature extraction model is obtained by training a recurrent neural network in advance according to a third training sample set; the third training sample set comprises a plurality of sample dynamic feature vector sets;
normalizing the initial dynamic feature vector of the operation information of each step according to the initial dynamic feature vector set to obtain a normalized dynamic feature vector set;
and determining the characteristic image of the initial benign code according to the normalized dynamic characteristic vector set and the final dynamic characteristic vector set.
9. The active and passive combination-based malicious code detection method according to claim 8, wherein the initial feature vector of the i-th operation information is normalized by the following formula:
Figure FDA0003776849510000031
wherein, the first and the second end of the pipe are connected with each other,
Figure FDA0003776849510000032
normalized dynamic feature vector, x, for the i-th operation information i The initial feature vector of the operation information of the ith step is defined, X is an initial dynamic feature vector set, min (X) is the initial dynamic feature vector with the minimum length in the initial dynamic feature vector set, and max (X) is the initial dynamic feature vector with the maximum length in the initial dynamic feature vector set.
10. A malicious code detection system based on active and passive combination is characterized in that the malicious code detection system based on active and passive combination comprises:
the original characteristic obtaining unit is used for obtaining the original characteristics of the system to be protected;
the trapping system establishing unit is connected with the original characteristic acquiring unit and used for establishing a trapping system according to the original characteristic;
the deep interaction unit is connected with the trapping system establishing unit and used for performing deep interaction with the program codes in the system to be protected through the trapping system to determine the suspected codes in the system to be protected;
the static classification unit is connected with the deep interaction unit and is used for classifying all suspected codes based on a static classifier and determining malicious codes and initial benign codes in the system to be protected; the static classifier is obtained by adopting an AdaBoost algorithm to train in advance according to a first training sample set; the first training sample set comprises a plurality of sample codes and the category of each sample code; the category is malicious code or benign code;
the dynamic execution unit is connected with the static classification unit and used for executing the initial benign code in a dynamic sandbox aiming at any initial benign code and determining a log file during execution;
the dynamic image determining unit is connected with the dynamic execution unit and is used for determining a dynamic characteristic image of the initial benign code according to the log file;
the dynamic classification unit is connected with the dynamic image determination unit and is used for determining the final category of the initial benign code according to the dynamic characteristic image based on a dynamic classifier; the final category is malicious code or benign code; the dynamic classifier is obtained by training a convolutional neural network in advance according to a second training sample set; the second training sample set comprises a plurality of sample dynamic characteristic images and the category of each sample dynamic image.
CN202210920111.9A 2022-08-02 2022-08-02 Malicious code detection method and system based on combination of initiative and passivity Pending CN115292701A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210920111.9A CN115292701A (en) 2022-08-02 2022-08-02 Malicious code detection method and system based on combination of initiative and passivity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210920111.9A CN115292701A (en) 2022-08-02 2022-08-02 Malicious code detection method and system based on combination of initiative and passivity

Publications (1)

Publication Number Publication Date
CN115292701A true CN115292701A (en) 2022-11-04

Family

ID=83826337

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210920111.9A Pending CN115292701A (en) 2022-08-02 2022-08-02 Malicious code detection method and system based on combination of initiative and passivity

Country Status (1)

Country Link
CN (1) CN115292701A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117093996A (en) * 2023-10-18 2023-11-21 湖南惟储信息技术有限公司 Safety protection method and system for embedded operating system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117093996A (en) * 2023-10-18 2023-11-21 湖南惟储信息技术有限公司 Safety protection method and system for embedded operating system
CN117093996B (en) * 2023-10-18 2024-02-06 湖南惟储信息技术有限公司 Safety protection method and system for embedded operating system

Similar Documents

Publication Publication Date Title
Mahdavifar et al. Application of deep learning to cybersecurity: A survey
David et al. Deepsign: Deep learning for automatic malware signature generation and classification
RU2654146C1 (en) System and method of detecting malicious files accompanied with using the static analysis elements
CN110266647B (en) Command and control communication detection method and system
Ficco Malware analysis by combining multiple detectors and observation windows
Almomani et al. An automated vision-based deep learning model for efficient detection of android malware attacks
CN111600919B (en) Method and device for constructing intelligent network application protection system model
RU2697955C2 (en) System and method for training harmful container detection model
CN110704840A (en) Convolutional neural network CNN-based malicious software detection method
CN111931179B (en) Cloud malicious program detection system and method based on deep learning
CN112989358B (en) Method and device for improving robustness of source code vulnerability detection based on deep learning
CN111062036A (en) Malicious software identification model construction method, malicious software identification medium and malicious software identification equipment
CN113360912A (en) Malicious software detection method, device, equipment and storage medium
CN113194064B (en) Webshell detection method and device based on graph convolution neural network
CN111753290A (en) Software type detection method and related equipment
CN111866004A (en) Security assessment method, apparatus, computer system, and medium
CN111177731A (en) Software source code vulnerability detection method based on artificial neural network
CN115292701A (en) Malicious code detection method and system based on combination of initiative and passivity
CN115982706A (en) Malicious software detection method based on API call sequence behavior multi-view fusion
CN111898129A (en) Malicious code sample screener and method based on Two-Head anomaly detection model
TW202240453A (en) Method and computer for learning corredpondence between malicious behaviors and execution trace of malware and method for implementing neural network
Zhao et al. Natural backdoor attacks on deep neural networks via raindrops
Bountakas et al. Defense strategies for adversarial machine learning: A survey
Simao et al. A technique to reduce the test case suites for regression testing based on a self-organizing neural network architecture
US20220092176A1 (en) Apparatuses and methods for detecting malware

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination