Abstract
Malicious code variants exhibit many intrinsic relations and similarities, and malicious families of the same kind adopt identical or similar block label naming conventions, while the grayscale images used by existing malicious code visualization methods cannot fully capture the information of a malicious attack. This paper therefore proposes a malicious code visualization and classification method based on block reorganization and dual channels. The block label distribution of the samples of each family is computed to identify that family's target labels, and the block data of each malicious code sample is reorganized accordingly. The reorganized sample is visualized as a square BR color image, kernel principal component analysis with a Gaussian kernel is applied to reduce the feature dimensionality of the image, and the resulting features are fed into a variety of machine learning classifiers for training and classification. Experimental results on a standard dataset show that the classification accuracy reaches 97.00% and remains stable, and that the method is more effective than other malicious code detection algorithms.
Authors
Li Hao (李豪), Qian Liping (钱丽萍), Zhu Xiaohui (朱晓慧)
School of Electrical and Information Engineering, Beijing University of Civil Engineering and Architecture, Beijing 100044, China; Beijing Key Laboratory of Intelligent Processing for Building Big Data, Beijing 100044, China
Source
Computer Applications and Software (《计算机应用与软件》), Peking University Core Journal
2024, No. 10, pp. 342-348 (7 pages)
Funding
National Natural Science Foundation of China project (61571144).
Keywords
Malicious code classification
Block reorganization
BR color image
Feature dimensionality reduction