Malicious code clone detection technology based on deep learning

Cited by: 0
Authors
Shen Y. [1 ]
Yan H. [2 ]
Xia C. [1 ]
Han Z. [2 ]
Affiliations
[1] School of Computer Science and Engineering, Beihang University, Beijing
[2] National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing
Funding
National Natural Science Foundation of China
Keywords
Advanced persistent threat (APT) groups; Clone detection; Control flow graph (CFG); Deep learning; System function call graph;
DOI
10.13700/j.bh.1001-5965.2020.0400
Abstract
Malicious code clone detection has become an effective way to analyze malicious code homology and advanced persistent threat (APT) attacks. In this paper, we collect samples of different APT organizations from public threat intelligence and propose a deep-learning-based malicious code clone detection framework that measures the similarity between the functions of newly discovered malicious code and the malicious code in known APT organization libraries, in order to analyze malware efficiently and quickly identify the source of APT attacks. We perform static analysis of malicious code by disassembly, use its key function call graph and disassembled code as the features of the malicious code, and then classify the malicious code into the APT organization library using a neural network model. Extensive evaluation and comparison with our previous model (MCrab) show that the improved model outperforms the previous one: it effectively detects and classifies malicious code clones and achieves a higher detection rate. © 2022, Editorial Board of JBUAA. All rights reserved.
Pages: 282-290
Page count: 8