一种基于深度学习的恶意代码克隆检测技术

doi:10.13700/j.bh.1001-5965.2020.0400

北京航空航天大学学报 ›› 2022, Vol. 48 ›› Issue (2): 282-290.doi: 10.13700/j.bh.1001-5965.2020.0400

一种基于深度学习的恶意代码克隆检测技术

沈元¹, 严寒冰², 夏春和¹, 韩志辉²

1. 北京航空航天大学计算机学院, 北京 100083;
2. 国家计算机网络应急技术处理协调中心, 北京 100029

收稿日期:2020-08-09 发布日期:2022-03-03
通讯作者: 严寒冰 E-mail:yhb@cert.org.cn
基金资助:
国家自然科学基金（U1736218）；国家科技重大专项（2018YFB0804704）；北航青年拔尖人才支持计划（YWF-20-BJ-J-1038）

Malicious code clone detection technology based on deep learning

SHEN Yuan¹, YAN Hanbing², XIA Chunhe¹, HAN Zhihui²

1. School of Computer Science and Engineering, Beihang University, Beijing 100083, China;
2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China

Received:2020-08-09 Published:2022-03-03
Supported by:
National Natural Science Foundation of China (U1736218); National Science and Technology Major Project (2018YFB0804704); Beihang Youth Top Talent Support Program (YWF-20-BJ-J-1038)

摘要/Abstract

摘要： 恶意代码克隆检测已经成为恶意代码同源分析及高级持续性威胁（APT）攻击溯源的有效方式。从公共威胁情报中收集了不同APT组织的样本，并提出了一种基于深度学习的恶意代码克隆检测框架，目的是检测新发现的恶意代码中的函数与已知APT组织资源库中的恶意代码的相似性，以此高效地对恶意软件进行分析，进而快速判别APT攻击来源。通过反汇编技术对恶意代码进行静态分析，并利用其关键系统函数调用图及反汇编代码作为该恶意代码的特征。根据神经网络模型对APT组织资源库中的恶意代码进行分类。通过广泛评估和与MCrab模型的对比可知，改进模型优于MCrab模型，可以有效地进行恶意代码克隆检测与分类，且获得了较高的检测率。

关键词: 深度学习, 高级持续性威胁(APT)组织, 克隆检测, 控制流图(CFG), 系统函数调用图

Abstract: Malicious code clone detection has become an effective way to analyze malicious code homology and advanced persistent threat (APT) attacks. In this paper, we collect samples of different APT organizations from public threat intelligence, and propose a deep learning based malicious code clone detection framework to detect the similarity between the functions in newly discovered malicious code and the malicious code in known APT organizational resources in order to efficiently analyze malware and quickly identify the source of APT attacks. We perform static analysis of malicious code through disassembly technology, use its key function call graph and disassembly code as the features of the malicious code, and then classify the malicious code in the APT organization library according to the neural network model. Through extensive evaluation and comparison with our previous models (MCrab), the improved model is better than the previous model, which can effectively detect and classify malicious code clones and obtain higher detection rate.

Key words: deep learning, advanced persistent threat (APT) groups, clone detection, control flow graph (CFG), system function call graph

中图分类号:

TP391

沈元, 严寒冰, 夏春和, 韩志辉. 一种基于深度学习的恶意代码克隆检测技术[J]. 北京航空航天大学学报, 2022, 48(2): 282-290.

SHEN Yuan, YAN Hanbing, XIA Chunhe, HAN Zhihui. Malicious code clone detection technology based on deep learning[J]. Journal of Beijing University of Aeronautics and Astronautics, 2022, 48(2): 282-290.

参考文献

[1] TAMADA H, OKAMOTO K, NAKAMURA M, et al.Dynamic software birthmarks to detect the theft of Windows applications[C]//International Symposium on Future Software Technology, 2004.
[2] PFEFFER A, CALL C, CHAMBERLAIN J, et al.Malware analysis and attribution using genetic information[C]//7th International Conference on Malicious and Unwanted Software.Piscataway:IEEE Press, 2012:39-45.
[3] RUTTENBERG B, MILES C, KELLOGG L, et al.Identifying shared software components to support malware forensics[C]//International Conference on Detection of Intrusions, Malware and Vulnerability Assessment.Berlin:Springer, 2014:21-40.
[4] BENCSÁTH B, PÉK G, BUTTYÁN L, et al.The cousins of stuxnet:Duqu, Flame and Gauss[J].Future Internet, 2012, 4(4):971-1003.
[5] BENCSÁTH B, PÉK G, BUTTYÁN L, et al.Duqu:A Stuxnet-like malware found in the wild[R].Hungary:CrySyS Lab Technical Report, 2011, 14:1-60.
[6] GOSTEV A, KUZNETSOV I.Stuxnet/Duqu:The evolution of drivers[EB/OL].(2011-12-28)[2020-08-01].http://www.securelist.com/en/analysis/204792208/Stuxnet Duqu The Evolution of Drivers.
[7] CHIEN E, OMURCHU L, FALLIERE N.Duqu:The precursor to the next Stuxnet[C]//LEET 12:Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, 2012.
[8] AWAD Y, NASSAR M, SAFA H.Modeling malware as a language[C]//IEEE International Conference on Communications (ICC).Piscataway:IEEE Press, 2018:1-6.
[9] LIU J R, SHEN Y, YAN H B.Functions-based CFG embedding for malware homology analysis[C]//26th International Conference on Telecommunications (ICT).Piscataway:IEEE Press, 2019:220-226.
[10] BAKER B S.On finding duplication and near-duplication in large software systems[C]//Proceedings of 2nd Working Conference on Reverse Engineering.Piscataway:IEEE Press, 1995:86-95.
[11] BILENKO M, MOONEY R J.Adaptive duplicate detection using learnable string similarity measures[C]//Proceedings of the 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining-KDD'03.New York:ACM, 2003:39-48.
[12] BROMLEY J, BENTZ J W, BOTTOU L, et al.Signature verification using a "Siamese" time delay neural network[J].International Journal of Pattern Recognition and Artificial Intelligence, 1993, 7(4):669-688.
[13] DEERWESTER S, DUMAIS S T, FURNAS G W, et al.Indexing by latent semantic analysis[J].Journal of the American Society for Information Science, 1990, 41(6):391-407.
[14] KAMIYA T, KUSUMOTO S, INOUE K.CCFinder:A multilinguistic token-based code clone detection system for large scale source code[J].IEEE Transactions on Software Engineering, 2002, 28(7):654-670.
[15] SCHLEIMER S, WILKERSON D S, AIKEN A.Winnowing:Local algorithms for document fingerprinting[C]//Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data-SIGMOD'03.New York:ACM, 2003:76-85.
[16] PRECHELT L, MALPOHL G, PHILIPPSEN M.Finding plagiarisms among a set of programs with JPlag[J].Journal of Universal Computer Science, 2002, 8(11):1016-1038.
[17] JIANG L X, MISHERGHI G, SU Z D, et al.Deckard:Scalable and accurate tree-based detection of code clones[C]//29th International Conference on Software Engineering.Piscataway:IEEE Press, 2007:96-105.
[18] KOSCHKE R, FALKE R, FRENZEL P.Clone detection using abstract syntax suffix trees[C]//Proceedings of 13th Working Conference on Reverse Engineering.Piscataway:IEEE Press, 2006:253-262.
[19] PEWNY J, SCHUSTER F, BERNHARD L, et al.Leveraging semantic signatures for bug search in binary programs[C]//Proceedings of the 30th Annual Computer Security Applications Conference.New York:ACM, 2014.
[20] GABEL M, JIANG L, SU Z.Scalable detection of semantic clones[C]//30th International Conference on Software Engineering.Piscataway:IEEE Press, 2008:321-330.
[21] LIU C, CHEN C, HAN J W, et al.GPLAG:Detection of software plagiarism by program dependence graph analysis[C]//Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining-KDD'06.New York:ACM, 2006:872-881.
[22] CRUSSELL J, GIBLER C, CHEN H.Attack of the clones:Detecting cloned applications on Android markets[C]//Computer Security-ESORICS.Berlin:Springer, 2012:37-54.
[23] SCHULER D, DALLMEIER V, LINDIG C.A dynamic birthmark for Java[C]//22nd ACM International Conference on Automated Software Engineering.New York:ACM, 2007:274-283.
[24] WHITE M, TUFANO M, MARTINEZ M, et al.Sorting and transforming program repair ingredients via deep learning code similarities[C]//26th International Conference on Software Analysis, Evolution and Reengineering.Piscataway:IEEE Press, 2019:479-490.
[25] MOU L, LI G, ZHANG L, et al.Convolutional neural networks over tree structures for programming language processing[C]//Proceedings of the 30th AAAI Conference on Artificial Intelligence, 2016:1287-1293.
[26] LIU B C, HUO W, ZHANG C, et al.αDiff:Cross-version binary code similarity detection with DNN[C]//33th ACM/IEEE International Conference on Automated Software Engineering.New York:ACM, 2018:667-678.
[27] FENG Q, ZHOU R D, XU C C, et al.Scalable graph-based bug search for firmware images[C]//Proceedings of ACM SIGSAC Conference on Computer and Communications Security.New York:ACM, 2016:480-491.
[28] XU X J, LIU C, FENG Q, et al.Neural network-based graph embedding for cross-platform binary code similarity detection[C]//Proceedings of ACM SIGSAC Conference on Computer and Communications Security.New York:ACM, 2017:363-376.
[29] CHANDRAMOHAN M, XUE Y X, XU Z Z, et al.BinGo:Cross-architecture cross-OS binary search[C]//24th ACM SIGSOFT International Symposiumn.New York:ACM, 2016:678-689.
[30] ZHOU C T, SUN C L, LIU Z Y, et al.A C-LSTM neural network for text classification[J].Computer Science, 2015, 1(4):39-44.
[31] HOCHREITER S, SCHMIDHUBER J.Long short-term memory[J].Neural Computation, 1997, 9(8):1735-1780.
[32] GHOSH S, VINYALS O, STROPE B, et al.Contextual LSTM (CLSTM) models for large scale NLP tasks[EB/OL].(2016-05-31)[2020-08-01].https://arxiv.org/abs/1602.06291.
[33] KOLEN J F, KREMER S C.Gradient flow in recurrent nets:The difficulty of learning longterm dependencies[J].A Field Guide to Dynamical Recurrent Networks, 2001, 28(2):237243.
[34] DAI H J, DAI B, SONG L.Discriminative embeddings of latent variable models for structured data[C]//Proceedings of the 33rd International Conference on Machine Learning.New York:ACM, 2016:2702-2711.
[35] KALCHBRENNER N, GREFENSTETTE E, BLUNSOM P.A convolutional neural network for modelling sentences[C]//Proceedings of the 52nd Annual Meeting of the Asscociation for Computational Linguistics, 2014:655-665.
[36] TAI K S, SOCHER R, MANNING C D.Improved semantic representations from tree-structured long short-term memory networks[C]//Proceedings of the 53rd Annual Meeting of the Association for Computational Linguistics, 2015:1556-1566.

一种基于深度学习的恶意代码克隆检测技术

Malicious code clone detection technology based on deep learning

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	兰凌强, 刘淇缘, 卢树华. 基于注意力机制与特征相关性的人脸表情识别[J]. 北京航空航天大学学报, 2022, 48(1): 147-155.
[2]	包壮壮, 赵学军. 基于EfficientDet的无预训练SAR图像船舶检测器[J]. 北京航空航天大学学报, 2021, 47(8): 1664-1672.
[3]	陆婷婷, 张尧, 阎岩, 杨利民, 杨卫东. 一种基于自动特征学习的陨石坑区域检测算法[J]. 北京航空航天大学学报, 2021, 47(5): 939-952.
[4]	徐晓华, 钱平, 王一达, 周昕悦, 徐汉麟, 徐李冰. 面向电力系统的多粒度隐患检测方法[J]. 北京航空航天大学学报, 2021, 47(3): 520-530.
[5]	李昊, 管荑, 王杉, 石玮, 刘子鑫, 刘晓川. 电力系统厂站接线图拓扑关系检测技术[J]. 北京航空航天大学学报, 2021, 47(3): 531-538.
[6]	李昊, 王杉, 耿玉杰, 王黎, 孙文昌, 苗纯源. 基于深度学习和图匹配的接线图检测与校核[J]. 北京航空航天大学学报, 2021, 47(3): 539-548.
[7]	谢彭宇, 徐新. 基于多尺度联合学习的行人重识别[J]. 北京航空航天大学学报, 2021, 47(3): 613-622.
[8]	马腾宇, 李孜, 刘日升, 樊鑫, 罗钟铉. 基于无监督学习的多模态可变形配准[J]. 北京航空航天大学学报, 2021, 47(3): 658-664.
[9]	茅剑, 刘泰康, 刘培国. 一种基于深度学习的电磁信息泄漏检测方法[J]. 北京航空航天大学学报, 2021, 47(11): 2200-2207.
[10]	张敏, 李赵红, 刘金豆, 张珍珍. 基于多尺度残差卷积网络的HEVC视频隐写分析[J]. 北京航空航天大学学报, 2021, 47(11): 2226-2233.
[11]	崔家礼, 曹衡, 张亚明, 罗嗣梧, 李锦涛, 王华峰. 一种复杂场景下的人眼检测算法[J]. 北京航空航天大学学报, 2021, 47(1): 38-44.
[12]	陈猛夫. 基于迁移学习的暴恐图像自动识别[J]. 北京航空航天大学学报, 2020, 46(9): 1677-1681.
[13]	杜雨佳, 李海生, 姚春莲, 蔡强. 基于三元组网络的单图三维模型检索[J]. 北京航空航天大学学报, 2020, 46(9): 1691-1700.
[14]	陶一宁, 苏峰, 袁培江, 王田苗, 钟涛, 郝静如. 联合足迹识别与监控视频分析的智能刑侦系统[J]. 北京航空航天大学学报, 2020, 46(9): 1730-1738.
[15]	张洁茹, 苏峰, 袁培江, 王田苗, 陶一宁, 丁东. 双光谱智能体温检测与健康大数据管理系统[J]. 北京航空航天大学学报, 2020, 46(9): 1739-1746.