Computer Engineering and Applications (计算机工程与应用) ›› 2016, Vol. 52 ›› Issue (21): 121-125.

• Network, Communication and Security •

Application of the pixel normalization method in malware visual analysis

REN Zhuojun, HAN Xiuling, KONG Defeng, CHEN Guang

  1. College of Information Science and Technology, Donghua University, Shanghai 201620
  • Online: 2016-11-01 Published: 2016-11-17

Pixel normalization method applied in malware visualization analysis

REN Zhuojun, HAN Xiuling, KONG Defeng, CHEN Guang

  1. College of Information Science and Technology, Donghua University, Shanghai 201620, China
  • Online: 2016-11-01 Published: 2016-11-17

Abstract: Malware authors usually develop malware variants by automated means, so the number of malware samples grows rapidly. Because automated generation reuses the core modules of malicious code, it also gives virus researchers a useful basis for identifying and distinguishing malware families. Borrowing the idea of grayscale images and using the K-Nearest Neighbor (KNN) classification algorithm, this paper presents a new visualization method for studying the pedigree classification of malicious code. The basic idea is to convert binary files into two-color-channel bitmaps and normalized pixel images, so that the characteristics of malicious samples are marked from a visual perspective, and on that basis to compare the similarity of malware families and classify them. Experimental results show that the dimensionality-reducing mapping mechanism of pixel normalization significantly reduces the time overhead of rendering a file's visual features, and that the method, which applies the Jaccard distance algorithm in an automated manner for rapid similarity comparison, classifies malware samples effectively and improves the recognition efficiency of analysts.

Keywords: malware, visualization, pedigree analysis, Jaccard distance, K-Nearest Neighbor (KNN) algorithm

Abstract: Malware programmers often create malware variants with automatic methods, which makes the number of malware samples increase exponentially. Automatic methods reuse similar modules, which provides valuable evidence for malware analysts to recognize and distinguish families. This paper proposes a new visualization method for malware pedigree analysis, which converts binary files into double-color-channel bitmaps and normalized pixel images and takes advantage of the K-Nearest Neighbor algorithm in a visualization mode. The experimental results show that the dimensionality reduction scheme of pixel normalization greatly decreases the time overhead of display. And by applying Jaccard distance to rapid, automatic similarity comparison, the proposed method can classify malware families effectively and improve recognition efficiency.

Key words: malware, visualization, pedigree analysis, Jaccard distance, K-Nearest Neighbor (KNN) algorithm
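The pipeline the abstract describes (bytes laid out as a grayscale bitmap, reduced to a small two-color normalized pixel map, compared with Jaccard distance and labelled by KNN vote), as an added illustration that is not the paper's code. The image width, the 16x16 normalized size, the brightness threshold and the constructed "families" are assumptions chosen for the demonstration.

```python
# Added example, not the paper's implementation. Width, SIDE, THRESH and the
# sample "families" below are assumptions used only to make the pipeline run.
import random

WIDTH, SIDE, THRESH = 64, 16, 128


def to_bitmap(data: bytes, width: int = WIDTH):
    """Lay file bytes out row by row as a grayscale image (one byte per pixel)."""
    return [list(data[i:i + width]) for i in range(0, len(data), width)]


def normalize(img, side: int = SIDE, thresh: int = THRESH) -> frozenset:
    """Pixel normalization: block-average the image down to side x side cells
    and binarize each cell. The two-color result is kept as the set of lit cells."""
    rows, cols = len(img), max(len(r) for r in img)
    lit = set()
    for cy in range(side):
        for cx in range(side):
            block = [img[y][x]
                     for y in range(cy * rows // side, (cy + 1) * rows // side)
                     for x in range(cx * cols // side, (cx + 1) * cols // side)
                     if x < len(img[y])]
            if block and sum(block) / len(block) >= thresh:
                lit.add(cy * side + cx)
    return frozenset(lit)


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """1 - |A ∩ B| / |A ∪ B|; two empty maps are treated as identical."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0


def knn_classify(sig: frozenset, labeled, k: int = 3) -> str:
    """labeled: list of (signature, family). Majority vote among the k nearest."""
    nearest = sorted(labeled, key=lambda t: jaccard_distance(sig, t[0]))[:k]
    votes = {}
    for _, fam in nearest:
        votes[fam] = votes.get(fam, 0) + 1
    return max(votes, key=votes.get)


def make_variant(family: str, seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for a malware variant: each family keeps a reused
    'core' region of bright bytes in a fixed place; the filler is re-rolled per seed."""
    rng = random.Random(seed)
    bright = bytes(rng.randrange(200, 256) for _ in range(size // 2))
    dark = bytes(rng.randrange(0, 40) for _ in range(size // 2))
    return bright + dark if family == "A" else dark + bright


def demo() -> str:
    """Label an unseen family-A variant against three known samples per family."""
    labeled = [(normalize(to_bitmap(make_variant(f, s))), f) for f in "AB" for s in range(3)]
    return knn_classify(normalize(to_bitmap(make_variant("A", 99))), labeled)
```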