A Malicious Code Classification Method Combining Global Feature Visualization and Local Features

A malicious code classification technology combining global feature visualization and local features, applied in the field of malicious code classification, addresses the lack of an intermediate abstraction layer when bytes are mapped directly to pixels, the resulting image instability and whole-texture changes caused by small byte edits, and the limited information carried by such images, and thereby improves classification accuracy.

Active Publication Date: 2021-04-02
BEIJING INSTITUTE OF TECHNOLOGY +1

AI Technical Summary

Problems solved by technology

The existing visualization method uses only byte values, so the generated image carries little information and is not suited to classifying complex malicious sample families.
At the same time, mapping bytes directly to grayscale pixels has no intermediate layer of abstraction, so the image is unstable and sensitive to the raw bytes: changing even a small number of bytes can alter the overall texture.
Moreover, the feature extraction of this method is not comprehensive: it extracts only the global features of the image and ignores the role of local features.
When a malicious code variant changes substantially (for example, a new variant produced by modifying the resource section), the modified part makes up a large proportion of the whole file, so samples of the same family look different overall and are misclassified.




Embodiment Construction

[0048] The present invention will be described in detail below with reference to the accompanying drawings and examples.

[0049] The present invention provides a malicious code classification method combining global feature visualization and local features. The basic idea is: divide the malicious code binary file into blocks and calculate three feature values for each block; each feature value fills one color channel of the pixel corresponding to that block, so that the binary file is visualized as an RGB color image. The three feature values include values that reflect the overall characteristics of the block and values that reflect its internal characteristics. Then extract the global features of the RGB color image and, at the same time, extract local features from the core area of the malicious code binary file. Finally, combine the extracted global and local features to classify the malicious code family.

[0050] It can be seen that the present invention realizes the classification of malicious code families b...
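The block-feature visualization described in [0049], as an added Python example that is not the patent's own code. The block size (64 bytes), the three per-block features (mean byte value, Shannon entropy, number of distinct byte values), the per-channel means used as stand-in global and local descriptors, and the "core area" (taken here as the first pixel row, i.e. the start of the file) are all assumptions chosen for illustration; the page does not specify any of them. The example also contrasts the RGB image with the direct byte-to-grayscale mapping criticized in the background: on a constructed 1024-byte sample, three single-byte edits move one grayscale pixel by the full 255, while no channel of the block-feature image moves by more than 4.

```python
import math
from collections import Counter

# Constructed parameter for this example; the patent text does not fix a block size.
BLOCK_SIZE = 64


def block_features(block: bytes) -> tuple[int, int, int]:
    """Three feature values for one block, each scaled to 0-255 for an RGB channel.

    Assumed feature choice (not specified on the page):
      R: mean byte value            - overall character of the block
      G: Shannon entropy / 8 bits   - internal structure: how random the bytes are
      B: number of distinct bytes   - internal structure: diversity of byte values
    """
    n = len(block)
    counts = Counter(block)
    mean = sum(block) // n
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())  # 0..8 bits
    g = round(entropy / 8 * 255)
    b = round(len(counts) / min(n, 256) * 255)
    return (mean, g, b)


def to_rgb_image(data: bytes, width: int, block_size: int = BLOCK_SIZE) -> list[list[tuple]]:
    """Visualize a binary as an RGB image: one pixel per block, rows wrapped at `width`."""
    pixels = [block_features(data[i:i + block_size]) for i in range(0, len(data), block_size)]
    while len(pixels) % width:            # pad the last row with black pixels
        pixels.append((0, 0, 0))
    return [pixels[r:r + width] for r in range(0, len(pixels), width)]


def to_gray_image(data: bytes, width: int) -> list[list[int]]:
    """Baseline the patent argues against: every byte becomes one grayscale pixel."""
    px = list(data)
    while len(px) % width:
        px.append(0)
    return [px[r:r + width] for r in range(0, len(px), width)]


def channel_means(img: list[list[tuple]]) -> tuple[float, float, float]:
    """Per-channel mean over an RGB image: a minimal stand-in for global texture features."""
    flat = [p for row in img for p in row]
    return tuple(sum(p[c] for p in flat) / len(flat) for c in range(3))


def combined_feature_vector(data: bytes, width: int = 4, core_rows: int = 1) -> tuple:
    """Global features over the whole image concatenated with local features over the
    assumed core area (here the first `core_rows` pixel rows, i.e. the start of the file)."""
    img = to_rgb_image(data, width)
    return channel_means(img) + channel_means(img[:core_rows])


def max_pixel_change(img_a, img_b) -> int:
    """Largest absolute change in any channel of any pixel between two same-shaped images
    (grayscale ints are treated as one-channel pixels)."""
    def chans(p):
        return p if isinstance(p, tuple) else (p,)
    return max(
        abs(x - y)
        for ra, rb in zip(img_a, img_b)
        for pa, pb in zip(ra, rb)
        for x, y in zip(chans(pa), chans(pb))
    )


def stability_demo() -> tuple[int, int]:
    """Constructed sample: 16 blocks of the byte ramp 0..63 (1024 bytes); the 'variant'
    overwrites three bytes with 0xFF. Returns (max change in the grayscale image,
    max change in the block-feature RGB image)."""
    original = bytes(range(64)) * 16
    variant = bytearray(original)
    for idx in (0, 500, 1000):             # three single-byte edits in three different blocks
        variant[idx] = 0xFF
    variant = bytes(variant)
    gray_delta = max_pixel_change(to_gray_image(original, 32), to_gray_image(variant, 32))
    rgb_delta = max_pixel_change(to_rgb_image(original, 4), to_rgb_image(variant, 4))
    return gray_delta, rgb_delta


if __name__ == "__main__":
    print("features of 64 zero bytes:", block_features(bytes(64)))
    print("features of the ramp 0..63:", block_features(bytes(range(64))))
    print("max pixel change, grayscale vs RGB:", stability_demo())
    print("global + local vector:", combined_feature_vector(bytes(range(64)) * 16))
```

The per-channel means stand in for whatever global and local descriptors a real implementation would feed to its classifier; the point of the example is the block layer between raw bytes and pixels, which is what damps single-byte edits.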



Abstract

The invention discloses a malicious code classification method combining global feature visualization and local features. Three feature values are calculated for each block of the malicious code binary file, and each feature value fills one color channel, so that the binary file is visualized as an RGB color image. The global features of the RGB image are then extracted, local features are extracted from the core area of the binary file, and the malicious code family is classified by combining the global and local features. The invention increases the amount of information carried by the malicious code image, improves image stability and the fault tolerance of the classification model, and extracts local features from the core area of the malicious code to compensate for the weak classification ability of global features when a variant changes substantially. The combination of global and local features is more robust to changing malicious code variants and greatly improves the accuracy of malicious code classification.

Description

Technical field

[0001] The invention relates to the technical field of malicious code classification, in particular to a malicious code classification method combining global feature visualization and local features.

Background technique

[0002] The widespread use of automatic malicious code generation tools has caused a sharp increase in the number of malicious code variants on the Internet, which poses a serious threat to Internet security. At the same time, the sheer volume of malicious code is a major challenge for malicious code analysts. Traditional malicious code analysis methods are mostly based on static analysis and dynamic analysis. Static analysis disassembles the sample and analyzes the relationships between assembly instructions and function calls; it does not need to execute the malicious sample, but it does require disassembly and is highly vulnerable to code obfuscation and packing. Dynamic analysis runs a malicious sample in a virtual env...


Application Information

Patent Type & Authority Patents(China)
IPC (8): G06F21/56, G06K9/46, G06K9/62
CPC: G06F21/563, G06V10/44, G06F18/24317
Inventors: 薛静锋, 傅建文, 王勇, 单纯, 梁杰
Owner: BEIJING INSTITUTE OF TECHNOLOGY