面向行为多样期的挖矿恶意软件早期检测方法

Cryptomining Malware Early Detection Method in Behavioral Diversity Period

挖矿恶意软件是一种隐匿在受害主机中,在未经用户许可的情况下使用系统资源挖掘加密货币的恶意软件,其不仅影响计算机系统的正常运行也会危害系统安全.目前基于动态分析的挖矿恶意软件检测方法主要以挖矿恶意软件的工作量证明行为为检测对象,难以实现对此类软件的及时检测.针对上述问题,通过分析挖矿恶意软件的运行过程,发现挖矿恶意软件在建立网络连接前行为多样,由此提出“挖矿软件行为多样期(Behavioral Diversity Period of Cryptominer,BDP)”的概念并进一步提出面向行为多样期的挖矿恶意软件早期检测方法(Cryptomining Malware Early Detection Method in Behavioral Diversity Period,CEDMB). CEDMB使用n-gram模型和TF-IDF(Term Frequency-Inverse Document Frequency)算法从BDP内的API(Application Programming Interface)序列中提取特征以训练检测模型.实验结果显示,CEDMB使用随机森林算法时可以在软件开始运行后10 s内以96.55%的F1-score值判别其是良性软件还是挖矿恶意软件.

Hiding in victim hosts,cryptomining malware utilizes system resources to mine cryptocurrencies without permission.It not only affects the normal operations of computer systems but also endangers system security.The exist⁃ing dynamic analysis based cryptomining malware detection methods mainly focus on proof-of-work behaviors as the de⁃tection object,which can hardly prevent mining and other malicious behaviors from damaging the system in time.To tackle this issue,by analyzing the running process of cryptomining malware,we find that the cryptomining malware per⁃forms diverse behaviors before establishing a network connection.Based on this,we give a concept of behavioral diversi⁃ty period of cryptominer(BDP)and then propose a cryptomining malware early detection method in behavioral diversity period(CEDMB).CEDMB trains the detection model with features extracted from application programming interface se⁃quences following n-gram and TF-IDF.Experimental results show that when a random forest algorithm is adopted,the proposed CEDMB can determine whether a sample is a cryptomining malware sample in 10 seconds with an F1-score of 96.55%.