Computer Engineering and Applications ›› 2020, Vol. 56 ›› Issue (23): 103-108.DOI: 10.3778/j.issn.1002-8331.2002-0353
Previous Articles Next Articles
ZHOU Yang, LU Tianliang, DU Yanhui, GUO Rui, BAO Yuxuan, LI Mo
Online:
Published:
周杨,芦天亮,杜彦辉,郭蕊,暴雨轩,李默
Abstract:
Aiming at the problems of single feature extraction, low detection rate and high false alarm rate in the current dynamic analysis of malicious code, a thread fusion feature analysis and detection method is proposed. Based on the traditional sandbox analysis report, this method uses the thread number to establish the sample API call sequence, takes the call sequence and return value in the API thread as the characteristics of API parameter construction, uses the statistical and computational methods to construct the two types of characteristics in the feature processing stage, and uses the Vec-LR algorithm improved by LR algorithm for binary judgment, and compares it with other algorithms and software. Experimental results show that the accuracy of this method is better than the current mainstream detection method, up to 94.37%.
Key words: malicious code, dynamic analysis, thread fusion feature
摘要:
针对当前恶意代码动态分析中存在的提取特征方式单一、检测率低、误报率高等问题,提出一种线程融合特征分析检测方法。基于传统沙箱分析报告,该方法利用线程号分别建立样本API调用序列,将API线程内的调用顺序及返回值作为API参数构建特征,在特征处理阶段分别用统计、计算两种方法构建两类特征,并将LR(Logistic Regression)算法改进的Vec-LR算法用于二分类判断,并与其他算法及软件进行比较。经实验证明,该方法准确率优于当前主流检测方法,可达94.37%。
关键词: 恶意代码, 动态分析, 线程融合特征
ZHOU Yang, LU Tianliang, DU Yanhui, GUO Rui, BAO Yuxuan, LI Mo. Detection and Analysis of Windows Malicious Code Based on Thread Fusion Feature[J]. Computer Engineering and Applications, 2020, 56(23): 103-108.
周杨,芦天亮,杜彦辉,郭蕊,暴雨轩,李默. 基于线程融合特征的Windows恶意代码检测与分析[J]. 计算机工程与应用, 2020, 56(23): 103-108.
0 / Recommend
Add to citation manager EndNote|Ris|BibTeX
URL: http://cea.ceaj.org/EN/10.3778/j.issn.1002-8331.2002-0353
http://cea.ceaj.org/EN/Y2020/V56/I23/103