دسته‌بندی بدافزارها بر اساس بصری‌سازی محتوای دودویی نمونه‌ها

خزایی, اسماعیل; حسن زاده, محمدرضا

دسته‌بندی بدافزارها بر اساس بصری‌سازی محتوای دودویی نمونه‌ها

نوع مقاله : مقاله پژوهشی

نویسندگان

¹ کارشناسی ارشد، دانشگاه صنعتی نوشیروانی بابل، بابل، ایران

² استادیار، دانشگاه صنعتی نوشیروانی بابل، بابل، ایران

چکیده

بدافزارها از چالش‌های همیشگی دنیای مدرن محسوب می‌شوند که به علت آزار کاربران و خساراتی که به وجود می‌آورند، از اهمیت ویژه‌ای برخوردارند. در دهه اخیر، رشد سریع و پیچیده‌تر شدن سازوکار مخرب بدافزارها سبب شده است، ابزارها و روش‌های امنیتی فعلی نتوانند با این اندازه از وسعت و تنوع تهدیدها مقابله کنند. بصری ساختن محتوای دودویی بدافزار و جستجوی عناصر مخرب از بین الگوهای تصویری مشکوک، از روش‌های نوین محسوب می‌شود که در دهه گذشته، به لطف الگوریتم‌های پردازش تصویر به پیشرفت و کارایی بالایی دست پیدا کرده است. در این پژوهش با ترکیب ایده‌های متنوعی که در زمینه تحلیل تصویری بدافزارها وجود دارد، یک روش مناسب برای دسته‌بندی بدافزارها به خانواده‌های متناظرشان ارائه‌شده است. بصری‌سازی محتوای دودویی فایل اجرایی بدافزار، اعمال توصیفگر GIST¹ و دسته‌بندی ویژگی‌های استخراج‌شده با استفاده از طبقه‌بند SVM، روش پیشنهادی این پژوهش را تشکیل می‌دهد که می‌تواند تنها با به‌کارگیری روش‌های سنتی یادگیری ماشین، به نتایجی برابر با پژوهش‌های پیشین دست پیدا کند و در مجموعه‌داده‌های Malimg و مایکروسافت، به میانگین دقت طبقه‌بندی 72/99 و 16/99 درصد برسد.

کلیدواژه‌ها

موضوعات

آسیب پذیری ها و تهدیدات فضای سایبری

عنوان مقاله [English]

Malware Classification Based On Visualizing Binary Content of Samples

نویسندگان [English]

Esmail Khazai ¹
Mohammadreza Hassanzadeh ²

¹ Master's degree, Babol Noshirvani University of Technology, Babol, Iran

² Assistant Professor, Babol Noshirvani University of Technology, Babol, Iran

چکیده [English]

Malware is one of the constant challenges of the modern world, which has particular importance due to the harm it causes to users. In the last decade, there has been a great increase in malware number and complexity that caused the current security tools and methods not able to defend against. Visualizing binary content of malware and searching for malicious elements among suspicious image patterns is one of the new methods that have achieved high progress and efficiency in the last decade thanks to deep learning algorithms. In this research, by combining various ideas that exist in the field of malware image analysis, a suitable algorithm has been presented for classifying malware into their corresponding families. Visualizing the binary content of the malware executable file, applying the GIST descriptor and classifying the extracted features using the SVM classifier forms the proposed algorithm of this research, which can achieve the same results as previous researches by using traditional machine learning methods and obtain average classification accuracy of 99.72 and 99.16% on Malimg and Microsoft datasets.

کلیدواژه‌ها [English]

Malware Family
Static Analysis
Visualization
Image Classification

مراجع

[1] R. Moir, “Defining Malware: FAQ,” 2009. [Online]. Available: https://technet.microsoft.com/en-us/library/dd632948.aspx

[2] C. C. Elisan, Advanced malware analysis. McGraw Hill Professional, 2015.

[3] AV-TEST - The Independent IT-Security Institute, “Malware Statistics & Trends Report,” 2022. [Online]. Available: https://www.av-test.org/en/statistics/malware/

[4] D. Simpson, “Malware names.” [Online]. Available: https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/malware-naming

[5] D. Gibert, C. Mateu, and J. Planes, “The rise of machine learning for detection and classification of malware: Research developments, trends and challenges,” J. Netw. Comput. Appl., vol. 153, p. 102526, 2020, doi: 10.1016/j.jnca.2019.102526.

[6] L. Nataraj, S. Karthikeyan, G. Jacob, and B. S. Manjunath, “Malware images: visualization and automatic classification,” in Proceedings of the 8th international symposium on visualization for cyber security, 2011, pp. 1–7. doi: 10.1145/2016904.2016908.

[7] L. Chen, R. Sahita, J. Parikh, and M. Marino, “STAMINA: Scalable Deep Learning Approach for Malware Classification,” 2020. [Online]. Available: https://www.intel.com/content/dam/www/public/us/en/ai/documents/stamina-scalable-deep-learning-whitepaper.pdf

[8] D. Vasan, M. Alazab, S. Wassan, B. Safaei, and Q. Zheng, “Image-Based malware classification using ensemble of CNN architectures (IMCEC),” Comput. \& Secur., vol. 92, p. 101748, 2020, doi: 10.1016/j.cose.2020.101748.

[9] L. Chen, “Deep transfer learning for static malware classification,” arXiv Prepr. arXiv1812.07606, 2018.

[10] Z. Cui, F. Xue, X. Cai, Y. Cao, G. Wang, and J. Chen, “Detection of malicious code variants based on deep learning,” IEEE Trans. Ind. Informatics, vol. 14, no. 7, pp. 3187–3196, 2018, doi: 10.1109/TII.2018.2822680.

[11] E. Bastami, P. Keshavarzi, M. Rahmanimanesh, and H. Soltanizadeh, “A Malware Classification Method Using visualization and Word Embedding Features,” Electron. Cyber Def., 2023, https://dor.isc.ac/dor/20.1001.1.23224347.1402.11.1.1.2

[12] R. Lyda and J. Hamrock, “Using entropy analysis to find encrypted and packed malware,” IEEE Secur. \& Priv., vol. 5, no. 2, pp. 40–45, 2007, doi: 10.1109/MSP.2007.48.

[13] X. Ugarte-Pedrero, I. Santos, B. Sanz, C. Laorden, and P. G. Bringas, “Countering entropy measure attacks on packed software detection,” in 2012 IEEE Consumer Communications and Networking Conference (CCNC), 2012, pp. 164–168. doi: 10.1109/CCNC.2012.6181079.

[14] D.-L. Vu, T.-K. Nguyen, T. V Nguyen, T. N. Nguyen, F. Massacci, and P. H. Phung, “HIT4Mal: Hybrid image transformation for malware classification,” Trans. Emerg. Telecommun. Technol., vol. 31, no. 11, p. e3789, 2020, doi: 10.1002/ett.3789.

[15] J. Fu, J. Xue, Y. Wang, Z. Liu, and C. Shan, “Malware visualization for fine-grained classification,” IEEE Access, vol. 6, pp. 14510–14523, 2018, doi: 10.1109/ACCESS.2018.2805301.

[16] Z. Ren, G. Chen, and W. Lu, “Malware visualization methods based on deep convolution neural networks,” Multimed. Tools Appl., vol. 79, no. 15, pp. 10975–10993, 2020.

[17] J. Kim, J.-Y. Paik, and E.-S. Cho, “Attention-Based Cross-Modal CNN Using Non-Disassembled Files for Malware Classification,” IEEE Access, vol. 11, pp. 22889–22903, 2023, doi: 10.1109/ACCESS.2023.3253770.

[18] K. Shaukat, S. Luo, and V. Varadharajan, “A novel deep learning-based approach for malware detection,” Eng. Appl. Artif. Intell., vol. 122, p. 106030, 2023, doi: 10.1016/j.engappai.2023.106030.

[19] A. Oliva and A. Torralba, “Modeling the shape of the scene: A holistic representation of the spatial envelope,” Int. J. Comput. Vis., vol. 42, no. 3, pp. 145–175, 2001, doi: 10.1023/A:1011139631724.

[20] SARVAM Team, “Supervised Classification with k-fold Cross Validation on a Multi Family Malware Dataset.” [Online]. Available: https://sarvamblog.blogspot.com/2014/08/supervised-classification-with-k-fold.html

[21] R. Ronen, M. Radu, C. Feuerstein, E. Yom-Tov, and M. Ahmadi, “Microsoft malware classification challenge,” arXiv Prepr. arXiv1802.10135, 2018.

[22] H. Guo, S. Huang, C. Huang, Z. Pan, M. Zhang, and F. Shi, “File entropy signal analysis combined with wavelet decomposition for malware classification,” IEEE Access, vol. 8, pp. 158961–158971, 2020, doi: 10.1109/ACCESS.2020.3020330.

[23] E. Rezende, G. Ruppert, T. Carvalho, F. Ramos, and P. De Geus, “Malicious software classification using transfer learning of resnet-50 deep neural network,” in 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), 2017, pp. 1011–1014. doi: 10.1109/ICMLA.2017.00-19.

[24] S. Yue, “Imbalanced malware images classification: a CNN based approach,” arXiv Prepr. arXiv1708.08042, 2017.

[25] D. Gibert, C. Mateu, J. Planes, and R. Vicens, “Using convolutional neural networks for classification of malware represented as images,” J. Comput. Virol. Hacking Tech., vol. 15, no. 1, pp. 15–28, 2019, doi: 10.1007/s11416-018-0323-0.

[26] H. Naeem, B. Guo, M. R. Naeem, F. Ullah, H. Aldabbas, and M. S. Javed, “Identification of malicious code variants based on image visualization,” Comput. \& Electr. Eng., vol. 76, pp. 225–237, 2019, doi: 10.1016/j.compeleceng.2019.03.015.

[27] D. Vasan, M. Alazab, S. Wassan, H. Naeem, B. Safaei, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Comput. Networks, vol. 171, p. 107138, 2020, doi: 10.1016/j.comnet.2020.107138.

[28] C. Wang, Z. Zhao, F. Wang, and Q. Li, “A novel malware detection and family classification scheme for IoT based on DEAM and DenseNet,” Secur. Commun. Networks, vol. 2021, 2021, doi: 10.1155/2021/6658842.

[29] B. N. Narayanan, O. Djaneye-Boundjou, and T. M. Kebede, “Performance analysis of machine learning and pattern recognition algorithms for malware classification,” in 2016 IEEE National Aerospace and Electronics Conference (NAECON) and Ohio Innovation Summit (OIS), 2016, pp. 338–342. doi: 10.1109/NAECON.2016.7856826.

[30] M. L. Santacroce, D. Koranek, and R. Jha, “Detecting malware code as video with compressed, time-distributed neural networks,” IEEE Access, vol. 8, pp. 132748–132760, 2020, doi: 10.1109/ACCESS.2020.3010706.