Malicious sample homology detection method based on image feature descriptor

Abstract

The invention discloses a malicious sample homology detection method based on an image feature descriptor. When the malicious sample homology detection method is used, malicious samples can be protected from confusion jamming, the homology of a malicious file can be quickly analyzed, and the method is high in efficiency, accuracy, robustness and expansibility. By use of the method, through a filevisualization algorithm, data preprocessing is carried out, the interference factors of a semantic level due to file decompiling or sand box operation are avoided, then, an image feature extraction technology is used in a homology analysis field to extract the feature descriptor of the malicious sample image, and a family feature description library is constructed by the image feature descriptor and is used for analyzing and comparing the homology of an unknown malicious program. The image feature descriptor obtained through the image feature extraction algorithm is high in robustness, and analysis efficiency and expansibility are high after the sample library is established.

Description

technical field [0001] The invention relates to the technical field of network security, in particular to a method for homologous detection of malicious samples based on image feature descriptors. Background technique [0002] In recent years, the number of malicious software has been increasing, the number of malicious code variants has also increased sharply, and the cost of variants has been continuously reduced. Malicious code production organizations are doing more and more work on evading detection or making minor changes. How to quickly and effectively analyze the types of malicious samples And homology has always been the focus and difficulty of network security research. [0003] At present, static analysis or dynamic analysis methods are mostly used for homology analysis, but the efficiency is low. The existing homology analysis method of malicious samples based on dynamic behavior capture can comprehensively analyze the file operation and network behavior of mali...

AI Technical Summary

Problems solved by technology

The existing homology analysis method of malicious samples based on dynamic behavior capture can comprehensively analyze the file operation and network behavior of malicious code, but its main disadvantages are large system overhead, weak scalability, and relatively short analysis cycle. The API call sequence diagram of the malicious code can be obtained through static disassembly, and the instruction information similarity and function call similarity between different samples can be compared, which can avoid the large system overhead of the dynamic behavior analysis method to a certain extent. The problem of long analysis period has also achieved some results, but this method has the problem that the analysis results are not accurate enough: through static decompilation and analysis of malicious samples, the API call graph obtained has an average of thousands of nodes, and some studies have used pruning methods Some

Images