Abstract
Cryptomining malware hides in a victim host and uses its system resources to mine cryptocurrency without the user's permission; it not only disrupts the normal operation of the computer system but also endangers system security. Existing dynamic-analysis-based cryptomining malware detection methods mainly take the proof-of-work behavior of the malware as the detection object, which makes timely detection of such software difficult. To address this problem, by analyzing the running process of cryptomining malware, we find that it exhibits diverse behaviors before establishing a network connection. Based on this observation, we propose the concept of the "Behavioral Diversity Period of Cryptominer (BDP)" and further propose a Cryptomining Malware Early Detection Method in Behavioral Diversity Period (CEDMB). CEDMB uses an n-gram model and the TF-IDF (Term Frequency-Inverse Document Frequency) algorithm to extract features from the API (Application Programming Interface) sequences within the BDP and trains a detection model on them. Experimental results show that, when the random forest algorithm is used, CEDMB can determine whether a sample is benign software or cryptomining malware within 10 s of the software starting to run, with an F1-score of 96.55%.
Hiding in victim hosts, cryptomining malware utilizes system resources to mine cryptocurrencies without permission. It not only affects the normal operations of computer systems but also endangers system security. The existing dynamic analysis based cryptomining malware detection methods mainly focus on proof-of-work behaviors as the detection object, which can hardly prevent mining and other malicious behaviors from damaging the system in time. To tackle this issue, by analyzing the running process of cryptomining malware, we find that the cryptomining malware performs diverse behaviors before establishing a network connection. Based on this, we give a concept of behavioral diversity period of cryptominer (BDP) and then propose a cryptomining malware early detection method in behavioral diversity period (CEDMB). CEDMB trains the detection model with features extracted from application programming interface sequences following n-gram and TF-IDF. Experimental results show that when a random forest algorithm is adopted, the proposed CEDMB can determine whether a sample is a cryptomining malware sample in 10 seconds with an F1-score of 96.55%.
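The pipeline the abstract describes, shown as an added illustration that is not the paper's code: an API-call trace is cut at the first network-connection call to obtain the BDP prefix, the prefix is turned into n-gram term frequencies, those are weighted by a smoothed IDF fitted on the training traces, and the resulting vectors are classified. The API names, the set of APIs treated as "network connection", the choice of unigrams plus bigrams, and the nearest-centroid cosine classifier (standing in for the paper's random forest so the block runs without third-party libraries) are all assumptions; the training traces are constructed, not real samples.

```python
"""
Added illustration of the CEDMB feature pipeline (not the paper's code):
BDP prefix -> n-gram TF-IDF features -> classifier.  API names, the
network-API set, n in {1, 2} and the nearest-centroid classifier that
replaces the paper's random forest are assumptions.
"""
import math
from collections import Counter

# Assumption: the first call to one of these APIs ends the BDP.
NETWORK_APIS = {"connect", "WSAConnect", "InternetConnectA"}
NGRAM_SIZES = (1, 2)  # assumption: unigrams and bigrams of API names


def bdp_prefix(trace):
    """API calls observed before the first network-connection call."""
    prefix = []
    for api in trace:
        if api in NETWORK_APIS:
            break
        prefix.append(api)
    return prefix


def ngram_tf(seq):
    """Term frequency of every n-gram (n in NGRAM_SIZES) of an API sequence."""
    counts = Counter()
    for n in NGRAM_SIZES:
        counts.update(" ".join(seq[i:i + n]) for i in range(len(seq) - n + 1))
    total = sum(counts.values()) or 1
    return {term: c / total for term, c in counts.items()}


def fit_idf(tf_docs):
    """Document frequencies needed for smoothed IDF over the training set."""
    df = Counter()
    for tf in tf_docs:
        df.update(tf.keys())
    return {"n_docs": len(tf_docs), "df": df}


def idf_weight(idf, term):
    # Smoothed IDF; an n-gram never seen in training (df = 0) gets the maximum weight.
    return math.log((1 + idf["n_docs"]) / (1 + idf["df"].get(term, 0))) + 1


def tfidf_vector(tf, idf):
    return {term: v * idf_weight(idf, term) for term, v in tf.items()}


def cosine(a, b):
    dot = sum(v * b.get(t, 0.0) for t, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def train(traces, labels):
    """Fit IDF on the BDP prefixes and build one TF-IDF centroid per class."""
    tf_docs = [ngram_tf(bdp_prefix(t)) for t in traces]
    idf = fit_idf(tf_docs)
    centroids, per_class = {}, Counter(labels)
    for tf, label in zip(tf_docs, labels):
        centroid = centroids.setdefault(label, {})
        for term, w in tfidf_vector(tf, idf).items():
            centroid[term] = centroid.get(term, 0.0) + w / per_class[label]
    return {"idf": idf, "centroids": centroids}


def predict(model, trace):
    """Class whose centroid is most similar to the trace's BDP features."""
    vec = tfidf_vector(ngram_tf(bdp_prefix(trace)), model["idf"])
    return max(model["centroids"],
               key=lambda lbl: cosine(vec, model["centroids"][lbl]))


# Constructed training traces (not real samples).  The miner-like ones probe
# the CPU, reserve memory and start worker threads before connecting out;
# the benign-like ones mostly touch files and the registry.
TRAIN_TRACES = [
    ["GetSystemInfo", "NtQuerySystemInformation", "VirtualAlloc", "CreateThread",
     "CreateThread", "SetThreadPriority", "CreateMutexW", "connect", "send", "recv"],
    ["CreateMutexW", "GetSystemInfo", "VirtualAlloc", "VirtualAlloc", "CreateThread",
     "SetThreadPriority", "CreateThread", "WSAConnect", "send"],
    ["CreateFileW", "ReadFile", "ReadFile", "WriteFile", "CloseHandle",
     "RegOpenKeyExW", "RegQueryValueExW", "CloseHandle"],
    ["LoadLibraryW", "GetProcAddress", "CreateFileW", "ReadFile", "WriteFile",
     "CloseHandle", "InternetConnectA", "HttpSendRequestA"],
]
TRAIN_LABELS = ["miner", "miner", "benign", "benign"]

if __name__ == "__main__":
    model = train(TRAIN_TRACES, TRAIN_LABELS)
    unseen = ["GetSystemInfo", "VirtualAlloc", "CreateThread",
              "SetThreadPriority", "CreateThread", "connect"]
    print(predict(model, unseen))
```

Only the prefix before the network call contributes features, which is what lets the decision be made before the proof-of-work phase starts; with a real monitor the trace would be the API calls captured in the first seconds of execution.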
Authors
曹传博
郭春
申国伟
崔允贺
平源
CAO Chuan-bo;GUO Chun;SHEN Guo-wei;CUI Yun-he;PING Yuan(State Key Laboratory of Public Big Data,College of Computer Science and Technology,Guizhou University,Guiyang,Guizhou 550025,China;School of Information Engineering,Xuchang University,Xuchang,Henan 461000,China)
Source
《电子学报》
EI
CAS
CSCD
Peking University Core Journals (北大核心)
2023, No. 7, pp. 1850-1858 (9 pages)
Acta Electronica Sinica
Funding
National Natural Science Foundation of China (No. 62162009)
Science and Technology Support Program of Guizhou Province (No. 黔科合支撑[2022]一般071)
Science and Technology Research Project of Henan Province (No. 212102210084).