Abstract:

Aiming at the problems of single feature extraction, low detection rate and high false alarm rate in the current dynamic analysis of malicious code, a thread fusion feature analysis and detection method is proposed. Based on the traditional sandbox analysis report, this method uses the thread number to establish the sample API call sequence, takes the call sequence and return value in the API thread as the characteristics of API parameter construction, uses the statistical and computational methods to construct the two types of characteristics in the feature processing stage, and uses the Vec-LR algorithm improved by LR algorithm for binary judgment, and compares it with other algorithms and software. Experimental results show that the accuracy of this method is better than the current mainstream detection method, up to 94.37%.

Key words: malicious code, dynamic analysis, thread fusion feature

摘要：

针对当前恶意代码动态分析中存在的提取特征方式单一、检测率低、误报率高等问题，提出一种线程融合特征分析检测方法。基于传统沙箱分析报告，该方法利用线程号分别建立样本API调用序列，将API线程内的调用顺序及返回值作为API参数构建特征，在特征处理阶段分别用统计、计算两种方法构建两类特征，并将LR（Logistic Regression）算法改进的Vec-LR算法用于二分类判断，并与其他算法及软件进行比较。经实验证明，该方法准确率优于当前主流检测方法，可达94.37%。

关键词: 恶意代码, 动态分析, 线程融合特征