摘要
针对当前恶意代码动态分析中存在的提取特征方式单一、检测率低、误报率高等问题,提出一种线程融合特征分析检测方法。基于传统沙箱分析报告,该方法利用线程号分别建立样本API调用序列,将API线程内的调用顺序及返回值作为API参数构建特征,在特征处理阶段分别用统计、计算两种方法构建两类特征,并将LR(Logistic Regression)算法改进的Vec-LR算法用于二分类判断,并与其他算法及软件进行比较。经实验证明,该方法准确率优于当前主流检测方法,可达94.37%。
Aiming at the problems of single feature extraction,low detection rate and high false alarm rate in the current dynamic analysis of malicious code,a thread fusion feature analysis and detection method is proposed.Based on the traditional sandbox analysis report,this method uses the thread number to establish the sample API call sequence,takes the call sequence and return value in the API thread as the characteristics of API parameter construction,uses the statistical and computational methods to construct the two types of characteristics in the feature processing stage,and uses the Vec-LR algorithm improved by LR algorithm for binary judgment,and compares it with other algorithms and software.Experimental results show that the accuracy of this method is better than the current mainstream detection method,up to 94.37%.
作者
周杨
芦天亮
杜彦辉
郭蕊
暴雨轩
李默
ZHOU Yang;LU Tianliang;DU Yanhui;GUO Rui;BAO Yuxuan;LI Mo(School of Police Information Engineering and Cyber Security,People’s Public Security University of China,Beijing 100038,China)
出处
《计算机工程与应用》
CSCD
北大核心
2020年第23期103-108,共6页
Computer Engineering and Applications
基金
“十三五”国家密码发展基金密码理论研究重点课题(No.MMJJ20180108)
中国人民公安大学2020年基本科研业务费重大项目(No.2020JKF101)。
关键词
恶意代码
动态分析
线程融合特征
malicious code
dynamic analysis
thread fusion feature
