Abstract
According to statistics, a large share of the malicious code in circulation is deceptive: it disguises itself with icons resembling those of commonly used software and relies on tricking the user into clicking in order to spread and carry out its attack. Because traditional detection methods based on code and behaviour signatures are inefficient and costly against this class of malicious code, a new detection method is proposed. First, the icon resource of the Portable Executable (PE) file is extracted and icon similarity is analysed with an image hashing algorithm. Then, the PE import table is extracted and behavioural similarity is analysed with a fuzzy hashing algorithm. Finally, clustering and locality-sensitive hashing are used for icon matching, and a lightweight tool for fast malicious code detection is designed and implemented. Experimental results show that the tool detects malicious code effectively.
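As an added illustration of the pipeline the abstract describes (example code, not from the paper): a difference hash (dHash) over an 8x9 greyscale icon grid compared by Hamming distance, with import-table overlap scored by Jaccard similarity as a stand-in for the paper's fuzzy hash. The icons, API names and thresholds are constructed sample data, and decoding the icon from the PE resource section is assumed to have happened already.

```python
from typing import List, Set, Tuple

def make_icon(step: int, flip: bool = False) -> List[List[int]]:
    """Construct an 8x9 greyscale gradient icon (sample data, not a real icon)."""
    row = [min(255, x * step) for x in range(9)]
    if flip:
        row = row[::-1]
    return [list(row) for _ in range(8)]

def dhash(pixels: List[List[int]]) -> int:
    """Difference hash: compare each pixel with its right neighbour, 8 rows x 8 bits.
    The icon is assumed to be already downscaled to 8 rows of 9 greyscale values."""
    assert len(pixels) == 8 and all(len(r) == 9 for r in pixels)
    bits = 0
    for row in pixels:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")

def import_similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard overlap of imported API names (assumption: stands in for a fuzzy hash)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def verdict(sample_icon, sample_imports, reference, icon_thresh=10, import_thresh=0.5):
    """Match the sample icon against reference icons of legitimate software.
    A close icon match whose imports differ from that software's is reported as a
    suspected icon-spoofing sample; a close match with similar imports is benign-looking."""
    h = dhash(sample_icon)
    for name, ref_hash, ref_imports in reference:
        d = hamming(h, ref_hash)
        if d > icon_thresh:
            continue
        s = import_similarity(sample_imports, ref_imports)
        label = "suspicious_lookalike" if s < import_thresh else "icon_and_imports_match"
        return (label, name, d, s)
    return ("no_icon_match", None, None, None)

# Constructed reference entry and a constructed lookalike sample.
LEGIT_IMPORTS = {"CreateFileW", "ReadFile", "WriteFile", "MessageBoxW"}
REFERENCE = [("editor.exe", dhash(make_icon(10)), LEGIT_IMPORTS)]
LOOKALIKE_ICON = make_icon(10)
LOOKALIKE_ICON[0][4] = 200  # one perturbed pixel: visually the same icon, 1 bit off
LOOKALIKE_IMPORTS = {"CreateFileW", "WinExec", "URLDownloadToFileA", "RegSetValueExA"}

if __name__ == "__main__":
    print(verdict(LOOKALIKE_ICON, LOOKALIKE_IMPORTS, REFERENCE))
```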
Authors
杨萍 (YANG Ping), 赵冰 (ZHAO Bing), 舒辉 (SHU Hui)
State Key Laboratory of Mathematical Engineering and Advanced Computing (Information Engineering University), Zhengzhou, Henan 450001, China; Institute of Information and Engineering, Zhengzhou Institute of Technology, Zhengzhou, Henan 450001, China
Source
《计算机应用》 (Journal of Computer Applications)
Indexed in CSCD; Peking University Core Journal (北大核心)
2019, No. 6, pp. 1728-1734 (7 pages)
Funding
National Key Research and Development Program of China (2016YFB08011601)
Keywords
icon similarity
hash algorithm
import table comparison
locality-sensitive hashing
malicious code detection