Malicious Code Family Labeling Method Based on Image Texture Clustering
Cite this article: 韩晓光, 姚宣霞, 曲武, 郭长友. Malicious Code Family Labeling Method Based on Image Texture Clustering [J]. Journal of PLA University of Science and Technology, 2014, 0(5): 440-449.
Authors: 韩晓光, 姚宣霞, 曲武, 郭长友
Affiliations: 1. School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083;
2. Beijing Venustech Cybervision Co. Ltd., Beijing 100193;
3. Department of Computer Science and Technology, Tsinghua University, Beijing 100084
Funding: National 973 Program (2007CB310803); National Natural Science Foundation of China (61035004, 60875029)
Abstract: Traditional methods for labeling and analyzing malicious code suffer from weak feature extraction and from family labels that are inconsistent, non-standard, imprecise and slow to keep up with new samples. To address these problems, this paper studies the texture composition and distribution of a large number of malicious PE files and proposes a deep labeling method for malicious code based on content texture clustering. The method statistically analyzes the texture fingerprints of malicious code and summarizes and analyzes malware families in two steps, baseline labeling and deep labeling. It combines the VirusTotal analysis method, a texture feature space construction method based on GLCM features, and an incremental nearest-neighbor clustering algorithm based on P-Stable LSH to label malware families in depth. Experimental results show that the prototype system built on this method achieves high family-labeling accuracy and supports incremental labeling; the baseline labels produced by deep labeling are highly practical and contribute positively to the detection of unknown malicious code.

Keywords: malicious code; incremental clustering; texture features; labeling
Received: 2014-04-11
Revised: 2014-07-07

Malicious Code Family Tagging Based on Image Texture Clustering Technology
HAN Xiao-guang, YAO Xuan-xi, QU Wu and GUO Chang-you. Malicious Code Family Tagging Based on Image Texture Clustering Technology [J]. Journal of PLA University of Science and Technology (Natural Science Edition), 2014, 0(5): 440-449.
Authors: HAN Xiao-guang, YAO Xuan-xi, QU Wu and GUO Chang-you
Institution: 1. School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083, China;
2. Beijing Venustech Cybervision Co. Ltd., Beijing 100193, China;
3. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Abstract: Through a study of the texture structure and distribution of the portable executable (PE) files of a large number of malicious samples, this paper proposes an in-depth annotation method for malicious code based on content texture clustering. After a statistical analysis of a large number of malware texture fingerprints, the algorithm summarizes and analyzes malware families in three steps: a VirusTotal vote analysis method, a texture feature space creation method based on gray-level co-occurrence matrix (GLCM) features, and an efficient incremental clustering algorithm based on P-stable locality-sensitive hashing (LSH), thereby obtaining in-depth annotations of malicious code families. Experimental results show that the prototype system developed on the above method labels malware families with high accuracy, supports incremental tagging, and has positive significance for the detection of unknown malicious code.
Keywords: malware; incremental clustering; texture features; labeling
This article is indexed in CNKI and other databases.
