Abstract:

A new visualization method for malware analysis based on opcode frequency is proposed. In order to extract the opcodes of instruction sequences, this method requires static analysis to disassemble malware files. This method differentiates the most common and rare opcodes with different colors, then rearranges the opcodes in ascending order of the corresponding color value in the RGB space to accomplish the opcode frequency mapping. The method solves the problem that the existing visualization method has poor visual effect and low classification performance. This method is verified with an open malware set （BIG 2015|Kaggle） provided by Microsoft, and obtains 98.50% classification accuracy.

Key words: malware, visualization analysis, deep fusion networks

摘要：

提出了一种基于操作码频率的恶意代码可视化分析方法。该方法在静态反汇编的基础上，获取机器指令中的操作码序列，使用设计的色谱来区分常见的和罕见的操作码指令，并依据对应颜色向量在RGB空间中的次序来重排操作码的位置，以此实现关于操作码频率的映射，解决了现有可视化方法视觉区分度不强、分类精准度不高的问题。将该方法应用于微软提供的恶意样本集（BIG 2015|Kaggle），可视化结果经深度融合网络学习后，取得了98.50%的分类正确率。

关键词: 恶意代码, 可视化分析, 深度融合网络