Operation code frequency-based malicious code visual analysis method

A malicious-code analysis technology, applied to instruments, platform integrity maintenance, and character and pattern recognition. It addresses problems of prior work such as a lack of universality and the visual dissimilarity of image matrices generated from related samples, with the effect of reducing time overhead, computing overhead and analysis difficulty.

Active Publication Date: 2018-08-14
DONGHUA UNIV

AI Technical Summary

Problems solved by technology

[0004] However, the method of Han K S, Lim J H, Im E G. Malware analysis method using visualization of binary files [C]. Research in Adaptive and Convergent Systems. ACM, 2013: 317-321. only selects part of the image matrix to calculate the similarity, and only 9 samples from three malicious code families were analyzed, so the method lacks universality in application. At the same time, because hash values are unique, only identical basic blocks appear with the same color at the same position in the image matrix; but basic blocks that implement the same malicious function are not necessarily composed of exactly the same opcode sequence, so image matrices generated from same-family malicious code that implements similar functions may be visually dissimilar.



Examples


Embodiment 1

[0032] A method for visual analysis of malicious code based on opcode frequency, specifically:

[0033] Step 1: Extract the opcode character sequence (PUSH-MOV-JMP-PUSH-INC-XOR-POP-INC-XOR-MOVZX) of the malicious code (type 5 sample Fnda3PuqJT6Ep5vjOWCk), and convert each opcode character according to the mapping D into a constant sequence (198-178-153-198-138-253-193-138-253-183...);

[0034] Let the conversion relationship between each opcode character and constant be D:

[0035] ('AAA',0),('AAD',1),('AAM',2),('AAS',3),('ADC',4),('ADD',5),('AND',6),('ARPL',7),('BOUND',8),('BSF',9),('BSR',10),('BSWAP',11),('BT',12),('BTC',13),('BTR',14),('BTS',15),('CALL',16),('CBW',17),('CDQ',18),('CLC',19),('CLD',20),('CLI',21),('CLTS',22),('CMC',23),('CMOVcc',24),('CMP',25),('CMPSB',26),('CMPSD',27),('CMPSW',28),('CMPXCHG',29),('CMPXCHG8B',30),('CPUID',31),('CS',32),('CWD',33),('CWDE',34),('DAA',35),('DAS',36),('DEC',37),('DIV',38),('DS',39),('ENTER',40),('ES'...

Embodiment 2

[0041] Using the opcode-frequency-based malicious code visual analysis method described in Embodiment 1, images of the type 2 samples 7VE6hScuodxAvTp0Nrnk, 8026Dh4VpfjPekaCgAYQ and DIrEPtygG8SeLJ5mvq2a are generated, as shown in Figures 3-5. When analyzing malicious samples of the same family, the present invention clearly reveals subtle differences among them, which provides a basis for understanding the evolution of the family's variants and grasping their development trend.


Abstract

The invention relates to an operation code frequency-based malicious code visual analysis method. The method comprises the following steps: extracting operation code character sequences of malicious codes, and converting the operation code character sequences into constant sequences; performing a normalization operation on the obtained constant sequences; converting the normalized constant sequences into RGB values to obtain RGB color sequences; rearranging the RGB color sequences according to a specified sequence and then filling pictures; and performing visual analysis on the obtained pictures. The method can improve analysis efficiency and is suitable for similarity comparison of malicious samples.
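The pipeline in the abstract (opcode sequence to constants via table D, normalization, RGB conversion, rearrangement, picture filling, then comparison) can be followed end to end in code. The block below is an added example, not the patent's own implementation. It uses only the table D entries visible on this page (the A..E entries of [0035] plus the seven mnemonics whose constants can be read off the worked sequence in Embodiment 1); the normalization scale, the colour ramp, the frequency-based ordering, the square layout with black padding and the mean-difference similarity measure are this example's assumptions, because the page does not specify them.

```python
"""Added example: opcode-frequency malware image pipeline (not the patent's code).

Pipeline from the abstract: opcode names -> constants (table D) -> normalize ->
RGB -> rearrange -> fill a square picture -> compare. The normalization scale,
colour map, rearrangement order, padding and distance metric are assumptions.
"""
from collections import Counter
import math

# Partial table D. The A..E entries are those listed on the page; the last seven
# are read off the worked sequence in Embodiment 1 (PUSH -> 198, MOV -> 178, ...).
OPCODE_TABLE = {
    'AAA': 0, 'AAD': 1, 'AAM': 2, 'AAS': 3, 'ADC': 4, 'ADD': 5, 'AND': 6,
    'ARPL': 7, 'BOUND': 8, 'BSF': 9, 'BSR': 10, 'BSWAP': 11, 'BT': 12,
    'BTC': 13, 'BTR': 14, 'BTS': 15, 'CALL': 16, 'CBW': 17, 'CDQ': 18,
    'CLC': 19, 'CLD': 20, 'CLI': 21, 'CLTS': 22, 'CMC': 23, 'CMOVcc': 24,
    'CMP': 25, 'CMPSB': 26, 'CMPSD': 27, 'CMPSW': 28, 'CMPXCHG': 29,
    'CMPXCHG8B': 30, 'CPUID': 31, 'CS': 32, 'CWD': 33, 'CWDE': 34, 'DAA': 35,
    'DAS': 36, 'DEC': 37, 'DIV': 38, 'DS': 39, 'ENTER': 40,
    'INC': 138, 'JMP': 153, 'MOV': 178, 'MOVZX': 183, 'POP': 193,
    'PUSH': 198, 'XOR': 253,
}
SCALE = max(OPCODE_TABLE.values())  # assumption: normalize by the largest constant
BLACK = (0, 0, 0)                    # assumption: padding colour for unused pixels


def opcodes_to_constants(opcodes, table=OPCODE_TABLE):
    """Step 1: map each mnemonic to its constant; an unknown mnemonic is an error."""
    try:
        return [table[op.upper()] for op in opcodes]
    except KeyError as exc:
        raise ValueError(f"opcode not in table D: {exc.args[0]}") from None


def normalize(constants, scale=SCALE):
    """Step 2: scale the constants into [0, 1]."""
    return [c / scale for c in constants]


def to_rgb(value):
    """Step 3: blue -> green -> red ramp (assumed colour map) for a value in [0, 1]."""
    red = int(255 * value)
    green = int(255 * (1 - abs(2 * value - 1)))
    blue = int(255 * (1 - value))
    return (red, green, blue)


def rearrange_by_frequency(opcodes, colors):
    """Step 4: order pixels by how often their opcode occurs (most frequent first,
    ties broken by mnemonic, then position) so equally frequent instructions cluster."""
    freq = Counter(op.upper() for op in opcodes)
    order = sorted(range(len(opcodes)),
                   key=lambda i: (-freq[opcodes[i].upper()], opcodes[i].upper(), i))
    return [colors[i] for i in order]


def fill_image(colors):
    """Step 5: lay the colour sequence into the smallest square, padding with black."""
    width = max(1, math.ceil(math.sqrt(len(colors))))
    padded = colors + [BLACK] * (width * width - len(colors))
    return [padded[r * width:(r + 1) * width] for r in range(width)]


def opcode_image(opcodes):
    """Whole pipeline: opcode mnemonics -> rows of RGB pixels."""
    colors = [to_rgb(v) for v in normalize(opcodes_to_constants(opcodes))]
    return fill_image(rearrange_by_frequency(opcodes, colors))


def encode_ppm(rows):
    """Serialize the pixel rows as binary PPM (P6) so the picture can be viewed offline."""
    height, width = len(rows), len(rows[0])
    header = f"P6 {width} {height} 255\n".encode()
    return header + bytes(ch for row in rows for px in row for ch in px)


def image_distance(rows_a, rows_b):
    """Mean absolute per-channel difference between two equally sized images
    (0.0 for identical pictures); the similarity measure used for comparison."""
    total = count = 0
    for row_a, row_b in zip(rows_a, rows_b):
        for px_a, px_b in zip(row_a, row_b):
            total += sum(abs(x - y) for x, y in zip(px_a, px_b))
            count += 3
    return total / count


# Constructed input: the opcode sequence quoted in Embodiment 1, plus a variant
# with one instruction swapped (constructed here) to show the comparison step.
SAMPLE = "PUSH-MOV-JMP-PUSH-INC-XOR-POP-INC-XOR-MOVZX".split("-")
VARIANT = "PUSH-MOV-JMP-PUSH-INC-XOR-POP-DEC-XOR-MOVZX".split("-")

if __name__ == "__main__":
    img = opcode_image(SAMPLE)
    with open("sample.ppm", "wb") as fh:
        fh.write(encode_ppm(img))
    print("distance to variant:", image_distance(img, opcode_image(VARIANT)))
```

With the ten-opcode sequence the picture is 4x4 with six black padding pixels; because INC, PUSH and XOR each occur twice, they are laid out first, so the one-instruction variant shifts the whole ordering and the distance is non-zero, which is the kind of within-family difference Embodiment 2 refers to.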

Description

Technical field

[0001] The invention relates to the technical field of malicious code analysis, in particular to a visual analysis method of malicious code based on operation code frequency.

Background technique

[0002] Malicious codes can steal, modify or destroy data on the system by exploiting computer system vulnerabilities, and even destroy the entire system, which is the biggest threat to the security of current information systems. Therefore, in order to allow security analysts to quickly identify the nature of newly added suspicious files, introducing visualization technology into the field of malicious code analysis and taking advantage of image classification in the field of artificial intelligence to solve the problem of malicious code classification is a frontier hotspot in current network security research.

[0003] In 2013, KyongSoo Han et al. of Hanyang University in South Korea proposed the method of image matrix, which converts the binary ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56; G06K9/62
CPC: G06F21/563; G06F18/24147
Inventor: 任卓君, 任佳杰, 王鹏辉, 鲍萍萍, 陈光, 卢文科
Owner: DONGHUA UNIV