Abstract
Hiding techniques are now widely used in malware to evade detection by anti-virus engines and reverse analysis by researchers, so effective identification of hidden functions in malware is of great significance for malware code detection and in-depth analysis. Existing methods in this field, however, have problems to varying degrees, such as an inability to achieve high accuracy and poor robustness on datasets with small sample sizes or an unbalanced distribution of sample categories. To implement a practical detection method for hidden functions in malware, this paper proposes a novel identification method based on a Siamese architecture to detect the type of hidden function. The method effectively improves the accuracy of hidden function identification, and the introduction of the Siamese architecture mitigates the poor robustness on small-sample datasets. Experiments on a dataset of 15 common types of hidden functions extracted from malware show that the embedding vectors generated by this method are of better quality than those of the embedding neural network SAFE, and that the method achieves higher detection accuracy than several commonly used hidden function detection tools.
Authors
CHEN Zitong (陈梓彤), JIA Peng (贾鹏), LIU Jiayong (刘嘉勇)
School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China
Source
《信息网络安全》 (Netinfo Security)
Indexed in CSCD; Peking University Core Journal (北大核心)
2023, No. 5, pp. 62-75 (14 pages)
Funding
National Natural Science Foundation of China [61902265].
Keywords
binary analysis
hidden function detection
neural network
instruction embedding