Author Organization Feature Engineering Method for Windows Platform Malware

A malware feature engineering technique, classified under platform integrity maintenance and computer components. It addresses the long run time of dynamic (sandbox-based) analysis and improves the accuracy of attributing malware to its author organization.

Active Publication Date: 2022-05-24
JINAN UNIVERSITY

AI Technical Summary

Problems solved by technology

However, there is currently little research on the organizational characteristics of malware. Existing research on malware organization traceability (attribution) and classification mostly uses features obtained from dynamic analysis of malware, or dynamic features plus a small number of static features, so the malware must be executed in a sandbox or similar tool, which takes a long time.


Embodiment 1

[0073] This embodiment discloses an author organization feature engineering method for Windows platform malware, as shown in Figure 1, comprising the following steps:

[0074] S1. Obtain a certain number of APT malware samples from various known organizations and construct a sample set.

[0075] S2. For each sample in the sample set, extract multi-granularity, multi-level static malware features, including features extracted from the malicious binary file and features extracted from the disassembly of that binary; specifically, PE file features, file byte features, disassembly file features, operand and instruction features, function features, program graph features, and function centroid features, as shown in Table 1:

[0076] Table 1

[0079] In this embodiment, the PE file features include PE file basic information features, header information features, import/export function information features...

Embodiment 2

[0125] This embodiment discloses an author organization feature engineering device for Windows platform malware, as shown in Figure 4. The device includes a sample acquisition module, a static feature extraction module, a feature processing module and a selection module, and the feature processing module includes a first conversion module, a second conversion module and a splicing module. The functions of each module are as follows:

[0126] The sample acquisition module is used to acquire a certain number of APT malware samples from known organizations and construct a sample set;

[0127] The static feature extraction module is used to extract multi-granularity, multi-level static malware features for each sample in the sample set, including features extracted from the malicious binary file and features extracted from the disassembly of that binary; specifically, it includes PE file features, file byte features, disassembly file features, operand and instruc...

Embodiment 3

[0138] This embodiment discloses a computing device comprising a processor and a memory for storing a program executable by the processor, characterized in that, when the processor executes the program stored in the memory, it implements the author organization feature engineering method for Windows platform malware described in Embodiment 1, namely:

[0139] Obtain a certain number of APT malware samples from various known organizations and construct a sample set;

[0140] For each sample in the sample set, extract multi-granularity, multi-level static malware features, including PE file features, file byte features, disassembly file features, operand and instruction features, function features, program graph features, and function centroid features;

[0141] Among the static features extracted above, for each feature whose value is a string, hash the string and map it to a vector of fixed dimension to obtain a numerical feature...
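The following is an added example, not code from the patent or from Jinan University. It is a stdlib-only Python sketch of the pipeline described in steps S1-S2 of Embodiment 1 and again in Embodiment 3: build a sample set, extract PE header and file byte features from each binary, hash string-valued features (here, imported API names) into a fixed-dimension vector, splice everything into one feature vector, and rank the features by mutual information with the organization label. Everything concrete in it is an assumption for illustration: the PE-shaped blobs, the two fictitious organizations, the import names, the build timestamps, the median-binarization used before computing mutual information, and the 8-bucket hash width. The disassembly, operand/instruction, function, program graph and function centroid feature groups, and the ablation half of the feature selection, are not shown.

```python
# Added example, not the patent's code: constructed PE-shaped samples, static
# feature extraction, hashed string features, splicing and MI-based ranking.
import hashlib
import math
import re
import struct
from collections import Counter

IMPORT_HASH_DIM = 8                             # hashed-string width (assumption)
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")     # printable ASCII runs, as `strings` reports them


def build_sample(pe32plus, num_sections, timestamp, imports, payload):
    """Constructed PE-shaped blob: DOS header, PE signature, COFF header, optional-header
    magic, import names as NUL-separated ASCII (stand-in for an import directory), body."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,     # Machine
                       num_sections, timestamp, 0, 0, 0xF0, 0x0002)   # ..., Characteristics
    magic = struct.pack("<H", 0x20B if pe32plus else 0x10B)           # PE32+ / PE32
    imp = b"\x00".join(s.encode("ascii") for s in imports) + b"\x00"
    return dos + b"PE\x00\x00" + coff + magic + imp + payload


def pe_header_features(blob):
    """PE file features read straight from the COFF and optional headers."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0] if blob[:2] == b"MZ" else -1
    if e_lfanew < 0 or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
    return {"is_x64": int(machine == 0x8664), "num_sections": nsec,
            "compile_hour": (ts // 3600) % 24,            # UTC hour of TimeDateStamp
            "is_pe32plus": int(magic == 0x20B),
            "is_dll": int(bool(chars & 0x2000))}          # IMAGE_FILE_DLL


def byte_features(blob):
    """File byte features: Shannon entropy (bits/byte) and printable-byte ratio."""
    n = len(blob)
    counts = Counter(blob)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    printable = sum(c for b, c in counts.items() if 0x20 <= b < 0x7F) / n
    return {"entropy": entropy, "printable_ratio": printable}


def extract_strings(blob):
    return [m.decode("ascii") for m in STRING_RE.findall(blob)]


def hash_strings(strings, dim):
    """Feature hashing: each string lands in one of `dim` buckets with a hash-derived sign."""
    vec = [0.0] * dim
    for s in strings:
        h = hashlib.blake2b(s.encode("utf-8"), digest_size=8).digest()
        vec[int.from_bytes(h[:4], "little") % dim] += 1.0 if h[4] & 1 else -1.0
    return vec


def feature_vector(blob):
    """Splice numeric header/byte features and hashed string features; returns (names, values)."""
    feats = {**pe_header_features(blob), **byte_features(blob)}
    for i, v in enumerate(hash_strings(extract_strings(blob), IMPORT_HASH_DIM)):
        feats[f"str_hash_{i}"] = v
    return list(feats), list(feats.values())


def mutual_information(xs, ys):
    """I(X;Y) in bits from empirical joint and marginal frequencies."""
    n = len(xs)
    joint, px, py = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    return sum(c / n * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in joint.items())


def rank_features(vectors, labels, names):
    """Binarize each feature at its median, score by MI with the label, best first (ties by name)."""
    ranked = []
    for j, name in enumerate(names):
        col = [v[j] for v in vectors]
        median = sorted(col)[len(col) // 2]
        ranked.append((mutual_information([int(x >= median) for x in col], labels), name))
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


def constructed_sample_set():
    """Eight constructed samples from two fictitious organizations (labels 0 and 1)."""
    base = 1_600_041_600                             # a midnight UTC timestamp
    samples, labels = [], []
    for i in range(4):   # org 0: x64, 4 sections, morning builds, injection APIs, dense body
        body = bytes((j * 73 + i) % 256 for j in range(400))
        samples.append(build_sample(True, 4, base + 3600 * (9 + i),
                       ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"], body))
        labels.append(0)
    for i in range(4):   # org 1: x86, 6 sections, evening builds, WinINet/registry APIs, sparse body
        samples.append(build_sample(False, 6, base + 3600 * (20 + i),
                       ["InternetOpenA", "HttpSendRequestA", "RegSetValueExA"], b"\x00" * (300 + 20 * i)))
        labels.append(1)
    return samples, labels


def run_pipeline(k=5):
    """End to end: extract, splice, rank; returns the k best (score, name) pairs."""
    samples, labels = constructed_sample_set()
    names = feature_vector(samples[0])[0]
    vectors = [feature_vector(s)[1] for s in samples]
    return rank_features(vectors, labels, names)[:k]
```

Running `run_pipeline()` on the constructed set ranks `compile_hour`, `entropy`, `is_pe32plus`, `is_x64` and `num_sections` at the top (each with 1 bit of mutual information, since the two fictitious organizations differ cleanly on them), while the constant `is_dll` flag scores 0 and drops out; that is the effect the selection step is after. The signed feature hashing keeps the string-derived part of the vector at a fixed width regardless of how many distinct API names the corpus contains, at the cost of bucket collisions, which is why a real deployment would pick a width much larger than 8.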


Abstract

The invention discloses an author organization feature engineering method for Windows platform malware. First, a sample set is obtained; for each sample in the sample set, multi-granularity, multi-level static malware features are extracted, including PE file features, file byte features, disassembly file features, operand and instruction features, function features, program graph features, and function centroid features. The extracted static features are converted to numerical form and spliced (concatenated) to obtain the sample's feature vector. Finally, feature selection is performed over the samples using ablation experiments and the mutual information method, selecting the feature set best suited to author organization traceability classification. When the static features determined by the method are used to trace and classify the author organization of malware, they perform well on accuracy, precision, recall and F1 score, and can greatly improve the classification accuracy of malware author organizations.

Description

Technical field

[0001] The invention relates to the technical field of identifying and classifying the organizations behind Windows platform malware, and in particular to an author organization feature engineering method for Windows platform malware.

Background

[0002] With the rapid development and application of the Internet, the number and variety of malware continue to grow. In recent years, malicious code with an organizational background has become a significant security threat to the Windows platform, and tracing malware back to its organization has received more and more attention from security analysts. Malware author organization traceability means extracting and analyzing the relevant features of malware to reveal the homologous relationships between samples, so as to locate the organization to which the malware's author belongs. The traceability classification of malware organizations not only helps to understand and...


Application Information

Patent Type & Authority: Patents (China)
IPC: G06F21/56, G06K9/62
CPC: G06F21/562, G06F18/24
Inventors: 孙玉霞, 赵晶晶, 翁健, 林松
Owner: JINAN UNIVERSITY