基于空间关系特征的未知恶意代码自动检测技术研究

Research on Unknown Malicious Code Automatic Detection Based on Space Relevance Features

提出基于未知恶意代码样本空间关系特征的自动检测技术.针对量化的恶意代码样本字符空间的向量特征,基于区域生长的智能分块算法,划分恶意代码样本空间关系区域;根据区域分别计算恶意代码样本的字符矩、信息熵和相关系数等空间关系特征,分别提取特征向量,并归一化处理;通过分析恶意代码样本特征的共性,建立空间关系特征向量索引;采用综合多特征的相似优先匹配方法检测未知恶意代码,多个空间关系距离加权作为判别依据,提高检测的准确率.实验表明,提出的自动检测方法能够自动快速地匹配出未知恶意代码的样本,准确程度高,而且能够确定未知恶意代码的类型.

Unknown malicious code sample automatic detection scheme is proposed based on space relevance features. According to the characteristics quantitative vectors of character space, malicious code samples are divided into space relevance blocks based on the intelligence region growing segmentation algorithm. In each block of malicious code sample, the spatial relations of character moment, information entropy, and correlation coefficient are calculated, the feature vectors are extracted, and the normalization processes are manipulated. Then, the reference of spatial relational feature vectors have been set up through the analysis of general spatial properties of malicious code samples. In order to match the previous unknown malicious codes, the similarity preferred matching algorithm which is based on comprehensive analysis of multiple features is adopted. In addition, the spatial relational distances are weighted and considered together, so as to improve the accuracy of the search work. Experimental flow graph is designed, spatial relational feature vectors properties of multiple malicious code sample blocks are portrayed, and the comparisons of malicious code detection accuracy rate between single feature match method and comprehensive multiple features match method are drawn. Experiments result analyses show that the proposed automatic detection scheme can match the previous unknown malicious code with high accurate degree and can determine the corresponding subordinate type of malicious code samples.