Abstract
To address the inability of traditional static and dynamic detection methods to cope with malicious PDF document attacks that rely on heavy obfuscation and unknown techniques, a new detection model based on system calls and data provenance, called NtProvenancer, is proposed. First, the system call records produced while a document executes are collected with a system call tracing tool. Second, data provenance technology is used to build a data provenance graph from those system calls. Then, a graph path screening algorithm extracts system call feature segments for detection. The experimental dataset consists of 528 benign PDF documents and 320 malicious ones. Tests were carried out on Adobe Reader, and comparative experiments were run by replacing the proposed graph key point algorithm with Term Frequency-Inverse Document Frequency (TF-IDF) and with the rarity algorithm of PROVDETECTOR. The results show that NtProvenancer outperforms the comparison models on precision, F1 score and several other metrics. Under the optimal parameter setting, the average time of the proposed model's document training and detection stages is 251.51 ms and 60.55 ms respectively, with a false alarm rate below 5.22% and an F1 score of 0.989, showing that NtProvenancer is an efficient and practical model for PDF document detection.
Authors
雷靖玮
伊鹏
陈祥
王亮
毛明
LEI Jingwei; YI Peng; CHEN Xiang; WANG Liang; MAO Ming (Information Engineering University, Zhengzhou, Henan 450001, China)
Source
Journal of Computer Applications (《计算机应用》)
CSCD
Peking University Core Journal (北大核心)
2022, No. 12, pp. 3831-3840 (10 pages)
Funding
National Defense Science and Technology Innovation Special Zone Project.