
Global characteristic visualization and local characteristic combined malicious code classification method

A technology combining malicious code visualization and local features, applied in the field of malicious code classification. It addresses the lack of intermediate-layer abstraction, overall texture change and image instability, and achieves improved model fault tolerance, small texture gray-level differences and a higher classification accuracy rate.

Active Publication Date: 2018-05-22
BEIJING INSTITUTE OF TECHNOLOGY +1

AI Technical Summary

Problems solved by technology

This method only uses byte values in the visualization process, so the generated image carries little information and is not suitable for classifying complex malicious sample families.
At the same time, directly mapping bytes into a grayscale image lacks an intermediate layer of abstraction, so the image is unstable and easily affected by individual bytes: even a small number of byte changes can alter the overall texture.
Moreover, this method is not comprehensive in extracting features: it only extracts the global features of the image and ignores the role of local features.
When the malicious code changes greatly (for example, when the resource section is modified to generate new variants), the modified part accounts for a large proportion of the overall file, so samples of the same family can look different overall and be misclassified.

Examples


Embodiment Construction

[0048] The present invention will be described in detail below with reference to the accompanying drawings and examples.

[0049] The present invention provides a malicious code classification method combining global feature visualization and local features. The basic idea is: divide the malicious code binary file into blocks, calculate three feature values for each block, and fill one color channel with each feature value, thereby visualizing the malicious code binary file as an RGB color image; the three feature values include values that reflect the overall characteristics and the internal characteristics of the block. Then extract the global features of the RGB color image and, at the same time, extract local features from the core region of the malicious code binary file. Finally, combine the extracted global features and local features to classify malicious code families.
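An added sketch of the block-to-pixel mapping described in [0049]; it is not code from the patent. The page names neither the three feature values nor the block size, so the mean byte value, byte entropy, share of distinct byte values and 256-byte blocks used here are assumptions, and the sample bytes are constructed. The demo also measures how far a one-byte change moves the resulting pixels.

```python
import math
from collections import Counter

BLOCK_SIZE = 256  # assumed block length; the page does not state one


def block_features(block: bytes) -> tuple:
    """Map one non-empty block to an (R, G, B) pixel, each channel 0..255."""
    n = len(block)
    counts = Counter(block)
    # R (assumed feature): mean byte value, a summary of the whole block.
    mean = sum(block) / n
    # G (assumed feature): Shannon entropy of the byte histogram, 0..8 bits
    # scaled to 0..255, describing the block's internal structure.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # B (assumed feature): share of the possible distinct byte values present.
    distinct = len(counts) / min(n, 256)
    return (round(mean), round(entropy / 8 * 255), round(distinct * 255))


def binary_to_pixels(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Split data into fixed-size blocks and compute one RGB pixel per block."""
    return [block_features(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def to_rows(pixels: list, width: int) -> list:
    """Lay pixels out row-major, padding the last row with black pixels."""
    padded = pixels + [(0, 0, 0)] * (-len(pixels) % width)
    return [padded[i:i + width] for i in range(0, len(padded), width)]


def max_channel_shift(a: list, b: list) -> int:
    """Largest per-channel difference between two equal-length pixel lists."""
    return max(abs(x - y) for p, q in zip(a, b) for x, y in zip(p, q))


def demo():
    # Constructed sample: zero padding, a text-like region, a high-entropy region.
    sample = bytes(512) + b"push ebp; mov ebp, esp; " * 32 + bytes(range(256)) * 2
    variant = bytearray(sample)
    variant[600] ^= 0xFF  # constructed variant differing in a single byte
    base, changed = binary_to_pixels(sample), binary_to_pixels(bytes(variant))
    return to_rows(base, 4), max_channel_shift(base, changed)


if __name__ == "__main__":
    image, shift = demo()
    print(image, "largest channel change after a one-byte edit:", shift)
```

With a direct byte-to-grayscale mapping the same edit would change one pixel by 31 gray levels; with per-block features the largest channel change is a single level.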

[0050] It can be seen that the present invention realizes the classification of malicious code families b...


Abstract

The invention discloses a malicious code classification method that combines global characteristic visualization with local characteristics. The method comprises the steps of: dividing a malicious code binary file into blocks and calculating three characteristic values for each block, wherein each characteristic value fills one color channel, so that the malicious code binary file is visualized as an RGB (Red, Green and Blue) color image; then extracting global characteristics of the RGB color image and extracting local characteristics from a core region of the malicious code binary file; and performing family classification on malicious code in combination with the global and local characteristics. The method increases the amount of information represented for the malicious code and improves the image stability and the error-tolerance rate of the classification model. Extracting the local characteristics from the core region of the malicious code binary file makes up for the inadequate grouping capability of the global characteristics when a malicious code variant changes greatly. Furthermore, the combination of the global and local characteristics is more robust against highly changeable malicious code variants, and the classification accuracy for malicious code is improved to a great extent.

Description

Technical field

[0001] The invention relates to the technical field of malicious code classification, in particular to a malicious code classification method combining global feature visualization and local features.

Background technique

[0002] The widespread use of automatic malicious code generation tools has resulted in a sharp increase in the number of malicious code variants on the Internet, which poses a huge threat to Internet security. At the same time, the large volume of malicious code also poses a huge challenge to malicious code analysts. Traditional malicious code analysis methods are mostly based on static analysis and dynamic analysis. Static analysis uses disassembly to analyze the relationship between assembly instructions and function calls. This method does not need to execute malicious samples, but it needs to disassemble the samples, and is extremely vulnerable to code obfuscation and packing. Dynamic analysis runs a malicious sample in a virtual env...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06K9/46, G06K9/62
CPC: G06F21/563, G06V10/44, G06F18/24317
Inventor: 薛静锋, 傅建文, 王勇, 单纯, 梁杰
Owner: BEIJING INSTITUTE OF TECHNOLOGY