
Local entropy-based visualized analysis method for malicious codes

A malicious code analysis method, applied to computer components, instruments, platform integrity maintenance, etc., that solves the problems of the classification premise not being met, the comparison range not being accurately located, and incomplete features; it reduces the difficulty of analysis, achieves accurate classification and judgment, and yields comprehensive classification features.

Active Publication Date: 2018-08-14
DONGHUA UNIV

AI Technical Summary

Problems solved by technology

1. Because the length of the entropy graph depends on the size of the malicious code file and therefore differs between samples, only equal-length regions can be intercepted to compute the similarity, which leaves the features used for classification incomplete.
2. The histogram similarity algorithm, which uses the maximum entropy value as the basis for interception, cannot accurately locate the comparison range within the local entropy regions formed by similar functional modules, so it cannot satisfy the classification premise of this method, namely that similar modules can be used to detect malicious variants.

These factors limit the accuracy of that method when applied to malicious code classification.



Examples


Embodiment 1

[0028] A method for visual analysis of malicious code based on local entropy, specifically:

[0029] Step 1: As in the entropy map method proposed by KyongSoo Han et al., the present invention also computes the entropy value of every 256-byte block of the malicious code. The difference is that, in order to generate a local entropy square diagram in the subsequent steps, the present invention pads the generated entropy value sequence with 0 entropy values so that the length of the final sequence is a perfect square. Taking the Trojan-Downloader.Win32.QQHelper sample .gfk as an example, the malicious code file is 636471 bytes, the entropy sequence is 1.23619305365, 0.730780826873, 3.61392762918, ..., with length 2487; 13 zero entropy values are appended, giving a padded length of 2500;

[0030] Step 2: Compute the djb2 hash value of each entropy value, taken as a character string, from the entropy value sequence obtained in the previous step, and its decima...
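The following is an added worked example of steps 1 to 3 (block entropy, zero padding to a perfect square, djb2 of the entropy text, RGB mapping); it is not the patent's own code. It assumes each entropy value is hashed as Python's repr() string and that the low 24 bits of the hash are split into (R, G, B); the Gist/KNN classification step is not shown. The sample bytes are constructed.

```python
import math
from collections import Counter

BLOCK_SIZE = 256  # block size used by the patent (and by Han et al.'s entropy map)

def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte of one block (0.0 for a constant block)."""
    n = len(block)
    entropy = 0.0
    for count in Counter(block).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy

def local_entropy_sequence(data: bytes) -> list:
    """Entropy of every 256-byte block; the final block may be shorter than 256 bytes."""
    return [block_entropy(data[i:i + BLOCK_SIZE])
            for i in range(0, len(data), BLOCK_SIZE)]

def padded_length(n_blocks: int) -> int:
    """Smallest perfect square >= n_blocks (e.g. 2487 blocks -> 2500, a 50x50 square)."""
    side = math.ceil(math.sqrt(n_blocks))
    return side * side

def djb2(text: str) -> int:
    """Bernstein's djb2 over the characters of text, truncated to 32 bits."""
    h = 5381
    for ch in text:
        h = ((h << 5) + h + ord(ch)) & 0xFFFFFFFF
    return h

def entropy_to_rgb(value: float) -> tuple:
    """Hash the decimal text of an entropy value and map the hash to one RGB pixel.
    Assumptions: the value is hashed as Python's repr() string, and the low 24 bits
    of the hash are split into (R, G, B); the page does not give these details."""
    h = djb2(repr(value))
    return ((h >> 16) & 0xFF, (h >> 8) & 0xFF, h & 0xFF)

def local_entropy_square(data: bytes) -> list:
    """Local entropy square diagram as a list of rows of RGB triples."""
    seq = local_entropy_sequence(data)
    side = math.isqrt(padded_length(len(seq)))
    seq += [0.0] * (side * side - len(seq))       # step 1: pad with 0 entropy values
    pixels = [entropy_to_rgb(v) for v in seq]     # steps 2-3: djb2 -> RGB
    return [pixels[r * side:(r + 1) * side] for r in range(side)]

# Constructed sample "file": two zero blocks, two copies of all byte values, some ASCII.
SAMPLE = b"\x00" * 600 + bytes(range(256)) * 2 + b"A" * 100

if __name__ == "__main__":
    grid = local_entropy_square(SAMPLE)
    print(len(grid), "x", len(grid[0]), "pixels; first row:", grid[0])
```

Padding cells and genuinely constant blocks both map to the pixel for 0.0, so the image itself does not distinguish real zero-entropy regions from the padding tail.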

Embodiment 2

[0036] Using the local entropy-based visual analysis method of Embodiment 1, images of the Trojan-Spy.Win32.WinSpy class samples .fq, .ou and .tz are generated, as shown in Figures 3-5. When the present invention analyzes malicious samples of the same family, it can discover the subtle differences among them through the local entropy square diagram, which provides a basis for grasping the development and change trend of variants within the same family.



Abstract

The invention relates to a local entropy-based visualized analysis method for malicious codes. The method comprises the following steps: calculating the local entropy of a malicious code, recording the length of the generated entropy value sequence as L, and supplementing 0 entropy values; calculating the djb2 hash value of the local entropy; converting the djb2 hash value into an RGB value; generating a square graph of the local entropy on the basis of the RGB value sequence; and extracting Gist features of the square graph of the local entropy, then carrying out classification and verification using a KNN algorithm. The method can be used for malicious code detection and classification.

Description

Technical field

[0001] The invention relates to the technical field of visual analysis of malicious codes, in particular to a method for visual analysis of malicious codes based on local entropy.

Background technique

[0002] Malicious code writers usually use automated means to develop malicious code variants, causing their number to increase rapidly, which greatly endangers the security of information systems. Automated development often reuses the core functional modules of the same family of malicious codes, and the similarity of these modules is reflected in their local entropy, which provides a favorable basis for identifying malicious code families.

[0003] In 2015, KyongSoo Han et al. of Hanyang University in South Korea proposed an entropy map method, which calculates the entropy value of each 256-byte block in malicious code to generate a histogram of local entropy, and then uses the histogram comparison algorithm (Strelkov V V.A new similari...


Application Information

Patent Type & Authority Applications(China)
IPC(8): G06F21/56, G06K9/62
CPC: G06F21/563, G06F18/24147
Inventor 任卓君谢锐敏刘忠利陈光卢文科
Owner DONGHUA UNIV