Sample homology analysis method based on data slice and image hash combination

Abstract

The invention provides a sample homology analysis method based on data slice and image hash combination, which comprises the following steps: 1, collecting a malicious sample of known APT organization; 2, filtering and restoring the sample of that training data set; 3, carrying out static analysis on that sample and extracting data slice; 4, dynamically analyzing samples and other training data sets, and extracting data slices; 5, filtering the white list data slices and manually reviewing and arranging the slice format for all the data slices; 6, formatting all data slices into grayscale image form and classify according to functions; 7, calculating all gray images and classify and storing that calculated results to a fingerprint database; 8, testing organization of the sample in the testdataset. Through the above steps, a sample homology analysis method based on data slice and image hash combination is realized, the labor and time cost are reduced, and the problem of lag and highlydependent on manual analysis in the existing APT homology sample analysis is solved.

Description

1. Technical field [0001] The invention provides a sample homology analysis method based on data slice and image hash combination, which relates to a malicious sample homology analysis method and belongs to the technical field of network security. 2. Background technology [0002] In recent years, the network security situation has become more and more serious. APT-Advanced Persistent Threat (APT-Advanced Persistent Threat) incidents targeting the government, military industry, education departments, scientific research institutions and enterprises have continued to increase. Malicious sample variants and new malicious Samples emerge in endlessly. By studying the correlation and homology analysis between malicious samples, revealing the relationship between developers or attacking organizations behind malicious code attacks can provide more comprehensive data support for network attack traceability. [0003] In the face of more and more APT incidents, attacker source tracing...

AI Technical Summary

Problems solved by technology

[0004] 1. Manual identification of homologous samples has high requirements for analysts, who need to be familiar with the characteristics of known APT samples. Faced with today's massive high-risk samples, the number of analysts is far from enough, and it is impossible to efficiently analyze recent samples, which is prone to lag problems, increasing the difficulty of tracing the source of attack events

[0005] 2. The method of using machine learning algorithms to train a model through a large number of similar samples for homologous sample identification has become the mainstream in recent years. However, in the real environment of APT sample identification, due to the limited known samples of each APT organization, training The quality of the set is often not guaranteed, and the final training result is prone to overfitting (Overfit), which has limitations

Images