恶意文档检测研究综述

A Survey of Research on Malicious Document Detection

近年来,以窃取敏感数据、破坏国家重要基础设施为主要目标的高级持续威胁(Advanced Persistent Threat,APT)已经给国家安全带来了严重的威胁。与可执行文件相比,恶意文档具有涉及领域广、影响范围大、用户防范意识不足、攻击手段灵活多样、难以检测等诸多特点,已经成为实施APT攻击的重要载体。因此有必要关注恶意文档检测已有的研究成果与发展趋势。本文首先对文档类型及其结构进行了解析,然后阐述了文档的安全隐患、攻击技术以及传播途径等。将当前恶意文档检测方法归纳为静态检测法、动态检测法、动静态结合检测法以及其他相关研究等四类,分别对各类检测方法的研究状况、进展进行了分析和总结。最后,提出了当前恶意文档检测研究的性能评价方法,综述了代表性的数据、检测工具和平台,并展望了未来的研究方向。

In recent years,Advanced Persistent Threat(APT),which has the primary purpose of stealing sensitive data and undermining critical national infrastructure,has already brought serious threats to national security.Compared with executive files,malicious documents have several unique characteristics,such as wide range of coverage,large scope of influence,insufficient user awareness,flexible and diverse attack methods,and it is a challenge to detect.This has made it an important carrier for implementing APT attacks.Therefore,it is necessary to pay attention to the existing research results and development trends of malicious documents.This paper first analyzes the document type and its structure,and proposes the security risks,attack techniques and propagation paths of the document.The current malicious document detection methods are categorized into four groups:static detection methods,dynamic detection methods,hybrid detection methods and others.The research status and research progress of each field are analyzed and summarized.Finally,the performance evaluation methods,data sets,representative detection tools and platforms of current malicious document detection research are reviewed and proposed,and the future research directions are envisaged.