Malware Family Classification Using Dynamic Analysis Data on a Convolutional Neural Network (使用動態分析資料於卷積神經網路上進行惡意程式家族分類)

Shun-Wen Hsiao

Abstract

Conventionally, extracting a malware sample's byte signature and analyzing its malicious behavior takes a great deal of time and human effort, and the analysis usually relies on the years of experience of cybersecurity domain experts. Such experts typically classify an unseen sample into a known malware family by comparing it against known behavior characteristics. However, the number of new malware variants now far exceeds what human experts can analyze manually. To meet this challenge, this paper proposes a method that automatically classifies malware into families with a convolutional neural network (CNN) and uses the CNN to derive behavior characteristics, replacing the former manual procedure. Unlike previous work, we first perform dynamic analysis (profiling) on each malware sample to produce its high-level Windows API call sequence as a behavior profile. The API call sequence is then fed into the CNN as input, and the network outputs the malware family classification. We also use what the CNN has learned to explain the characteristic behaviors of each malware family. In our experiments we use malware samples collected from the real world by the National Center for High-Performance Computing (NCHC) and the Institute for Information Industry (III), Taiwan, generate their profiles through dynamic analysis, and perform supervised training and validation; the family classification accuracy exceeds 99%. Our experiments also show that a limited Windows API call sequence already suffices for correct family classification, so the result can be incorporated into an intrusion prevention system for early malware detection.
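The pipeline the abstract describes (API call trace, integer encoding with truncation to a limited prefix, a 1-D convolution scanning the sequence, global max pooling, and mapping the strongest activation back to API names for explanation) can be sketched in pure Python. The block below is an added illustration, not the paper's code, model or data: the profiles are constructed by hand, and the convolution filters are hand-set API n-gram detectors standing in for weights a trained CNN would learn. The family names and API sequences are hypothetical.

```python
from collections import Counter

PAD, UNK = "<pad>", "<unk>"

# Constructed example profiles: hypothetical Windows API call sequences of the kind a
# sandbox run would record, each with a hand-assigned family label (not real samples).
PROFILES = [
    (["CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW",
      "InternetOpenA", "InternetConnectA", "HttpSendRequestA", "CloseHandle"], "downloader"),
    (["RegOpenKeyExW", "RegSetValueExW", "CreateProcessW",
      "InternetOpenA", "InternetConnectA", "HttpSendRequestA", "ReadFile"], "downloader"),
    (["FindFirstFileW", "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile",
      "FindNextFileW", "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile"], "ransomware"),
    (["CryptAcquireContextW", "FindFirstFileW", "ReadFile", "CryptEncrypt", "WriteFile",
      "DeleteFileW", "FindNextFileW"], "ransomware"),
]

def build_vocab(sequences, min_count=1):
    """Map every API name seen at least min_count times to an integer id; 0 = pad, 1 = unknown."""
    counts = Counter(api for seq in sequences for api in seq)
    vocab = {PAD: 0, UNK: 1}
    for api, n in sorted(counts.items()):
        if n >= min_count:
            vocab[api] = len(vocab)
    return vocab

def encode(seq, vocab, max_len):
    """Keep only the first max_len calls (the 'limited API sequence' setting) and pad with 0."""
    ids = [vocab.get(api, vocab[UNK]) for api in seq[:max_len]]
    return ids + [vocab[PAD]] * (max_len - len(ids))

def one_hot(ids, vocab_size):
    rows = []
    for i in ids:
        row = [0.0] * vocab_size
        row[i] = 1.0
        rows.append(row)
    return rows

def ngram_filter(apis, vocab):
    """Filter of width len(apis): weight 1 on the expected API at each offset, 0 elsewhere.
    A trained CNN learns such weights; here they are fixed by hand (constructed stand-in)."""
    filt = []
    for api in apis:
        row = [0.0] * len(vocab)
        row[vocab[api]] = 1.0
        filt.append(row)
    return filt

def conv1d(onehot, filt):
    """Valid 1-D convolution along the sequence axis followed by ReLU: one value per window."""
    k = len(filt)
    out = []
    for start in range(len(onehot) - k + 1):
        s = 0.0
        for off in range(k):
            s += sum(w * x for w, x in zip(filt[off], onehot[start + off]))
        out.append(max(s, 0.0))
    return out

def max_pool(activations):
    """Global max pooling; also returns the window position so the firing can be explained."""
    best = max(range(len(activations)), key=lambda i: activations[i])
    return activations[best], best

def classify(seq, vocab, family_filters, max_len=16):
    """Score each family by the sum of its filters' pooled activations; return (family, scores)."""
    oh = one_hot(encode(seq, vocab, max_len), len(vocab))
    scores = {fam: sum(max_pool(conv1d(oh, f))[0] for f in filts)
              for fam, filts in family_filters.items()}
    return max(scores, key=scores.get), scores

def explain(seq, vocab, filt, max_len=16):
    """Name the API window that fires a filter most strongly, i.e. the behaviour it detects."""
    ids = encode(seq, vocab, max_len)
    value, pos = max_pool(conv1d(one_hot(ids, len(vocab)), filt))
    inv = {i: api for api, i in vocab.items()}
    return value, [inv[i] for i in ids[pos:pos + len(filt)]]

def build_family_filters(vocab):
    # Hand-chosen API n-grams standing in for learned convolution filters (constructed).
    return {
        "downloader": [ngram_filter(["InternetOpenA", "InternetConnectA", "HttpSendRequestA"], vocab),
                       ngram_filter(["RegSetValueExW", "CreateProcessW"], vocab)],
        "ransomware": [ngram_filter(["ReadFile", "CryptEncrypt", "WriteFile"], vocab),
                       ngram_filter(["FindFirstFileW"], vocab)],
    }

if __name__ == "__main__":
    vocab = build_vocab([s for s, _ in PROFILES])
    filters = build_family_filters(vocab)
    for seq, label in PROFILES:
        pred, scores = classify(seq, vocab, filters)
        print(label, "->", pred, scores, explain(seq, vocab, filters[pred][0])[1])
```

The truncation in `encode` is what makes the early-detection use case possible: an intrusion prevention system only ever has the prefix of a running process's API trace, so a classifier trained on truncated sequences is the one that can act before the behavior completes. `explain` is the simplest form of the interpretability the abstract mentions: the window under a filter's maximal activation, read back through the vocabulary, is the API n-gram that filter has come to represent.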

Keywords

Malware; dynamic analysis; convolutional neural network; behavior classification

Citation Format:
Shun-Wen Hsiao, "使用動態分析資料於卷積神經網路上進行惡意程式家族分類," Communications of the CCISA, vol. 24, no. 1, pp. 41-60, Jan. 2018.

Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C.
CCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com