
A malicious code detection method based on semantic mapping association

A malicious code detection and semantic mapping technology, applied in the fields of instruments, electronic digital data processing and platform-integrity maintenance. It addresses the problems that the feature-vector space is insufficient, that detection accuracy suffers, and that the malicious influence of a code's static and dynamic features cannot be evaluated effectively when the two are analyzed separately, and achieves the effect of improving detection accuracy.

Active Publication Date: 2019-03-29
BEIJING INSTITUTE OF TECHNOLOGY +1
Cites: 5 | Cited by: 8

AI Technical Summary

Problems solved by technology

[0003] Summarizing the published research results, the current analysis and detection methods based on API call sequences have the following deficiencies: (1) researchers usually extract only the static or only the dynamic API sequence of the code, that is, they analyze and use only the static or only the dynamic features of the code for detection, without combining the two effectively; the resulting feature-vector space is too small and the detection process is easily disturbed by malicious-code obfuscation, which ultimately lowers detection accuracy; (2) because the static and dynamic features are analyzed and used for detection separately, there is no effective fusion of the two, so researchers cannot evaluate effectively how the static and dynamic features together bear on the maliciousness of the analyzed code, which in the end affects their judgment of whether the code is malicious.



Examples


Embodiment 1

[0049] 1. Data collection process:

[0050] We extract the program's static API sequence from its PE structure and its dynamic API sequence from the dynamic analysis report generated in the Cuckoo sandbox environment.

[0051] 2. Collection and purification of dynamic and static API sequences

[0052] In order to hide their malicious intent, malicious code authors usually insert a large number of redundant APIs into the normal API call sequence, thereby covering up the behavioral intent and making analysis harder. As shown in Figure 2, the right-hand side is the redundant API in the dynamic API sequence of the sample Backdoor.IRC.Agent.f.

[0053] In addition, malicious code usually inserts some seemingly normal event-noise APIs (that is, API substrings) into its behavior sequence to disguise its real malicious behavior and make analysis harder for researchers. As shown in Figure 2, the left-hand side is the ...



Abstract

The invention discloses a malicious code detection method based on semantic mapping association fusion. Based on the semantic mapping between the dynamic and static API sequences of malicious code, malicious code samples are transformed into API-based feature-vector samples, and a machine learning classifier is trained on the feature vectors of the obtained samples to realize the detection of malicious code. Once the code behavior types are defined, the static and dynamic API sequences of the code are converted into sequences of semantic blocks of behavior types. Through mapping between semantic blocks, the static and dynamic API sequences are associated and fused, which generates a richer feature-vector space, gives a more systematic and comprehensive description of malicious code, and effectively improves the detection accuracy for malicious code. By taking the path length between semantic blocks as the weight of the semantic blocks, the importance of a semantic path is reflected accurately and the accuracy of the feature-vector space is improved.
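The pipeline that the abstract and Embodiment 1 describe (collect the static API sequence from the PE import table and the dynamic sequence from a sandbox report, purify both, convert them into semantic-block sequences, map and fuse the two views into one feature vector weighted by path length, then train a classifier) can be followed end to end on constructed data. The following Python is an added illustration and is not the patent's own code or data: the behaviour-type table, the purification rules (drop event-noise APIs, collapse immediately repeated calls), the 1/path-length weighting, the nearest-centroid classifier and every API sequence are assumptions made for the example; the patent does not specify them on this page.

```python
"""Semantic-block fusion of static and dynamic API sequences (added illustration).

Not the patent's code. The behaviour-type table, the purification rules, the
1/path-length weighting, the nearest-centroid classifier and every API sequence
below are assumptions constructed for this example.
"""
import math

# Assumed table: which behaviour type (semantic block type) each API belongs to.
# NOISE marks seemingly normal event-noise APIs that purification drops.
BEHAVIOR_TYPE = {
    "CreateFileW": "FILE", "ReadFile": "FILE", "WriteFile": "FILE", "CloseHandle": "FILE",
    "RegOpenKeyExW": "REGISTRY", "RegSetValueExW": "REGISTRY",
    "socket": "NETWORK", "connect": "NETWORK", "send": "NETWORK", "recv": "NETWORK",
    "CreateProcessW": "PROCESS", "WriteProcessMemory": "PROCESS", "CreateRemoteThread": "PROCESS",
    "GetTickCount": "NOISE", "Sleep": "NOISE", "GetLastError": "NOISE", "HeapAlloc": "NOISE",
}
BLOCK_TYPES = ("FILE", "REGISTRY", "NETWORK", "PROCESS", "OTHER")
PAIRS = [(a, b) for a in BLOCK_TYPES for b in BLOCK_TYPES if a != b]


def purify(seq):
    """Purification (assumed rules): drop NOISE APIs and collapse immediately
    repeated calls, which is how padding with redundant APIs shows up."""
    out = []
    for api in seq:
        if BEHAVIOR_TYPE.get(api, "OTHER") == "NOISE":
            continue
        if out and out[-1] == api:
            continue
        out.append(api)
    return out


def to_blocks(seq):
    """A run of consecutive APIs of one behaviour type becomes one semantic block."""
    blocks = []
    for api in seq:
        t = BEHAVIOR_TYPE.get(api, "OTHER")
        if not blocks or blocks[-1] != t:
            blocks.append(t)
    return blocks


def path_weights(blocks):
    """Weight each ordered pair of block types by 1 / (shortest path length from an
    occurrence of the first block to a later occurrence of the second)."""
    shortest = {}
    for i, a in enumerate(blocks):
        for j in range(i + 1, len(blocks)):
            b = blocks[j]
            if a != b and (j - i) < shortest.get((a, b), math.inf):
                shortest[(a, b)] = j - i
    return {pair: 1.0 / d for pair, d in shortest.items()}


def semantic_mapping(static_blocks, dynamic_blocks):
    """Block types present in both views: behaviour the import table promises
    and the sandbox trace confirms."""
    return sorted(set(static_blocks) & set(dynamic_blocks))


def feature_vector(static_seq, dynamic_seq):
    """Fuse both views: per ordered block pair the static and dynamic path weights
    are summed, followed by one indicator per block type matched by the mapping."""
    sb = to_blocks(purify(static_seq))
    db = to_blocks(purify(dynamic_seq))
    sw, dw = path_weights(sb), path_weights(db)
    mapped = set(semantic_mapping(sb, db))
    vec = [sw.get(p, 0.0) + dw.get(p, 0.0) for p in PAIRS]
    vec += [1.0 if t in mapped else 0.0 for t in BLOCK_TYPES]
    return vec


def train_centroids(samples):
    """Nearest-centroid classifier (a stand-in for the unspecified ML classifier)."""
    sums, counts = {}, {}
    for static_seq, dynamic_seq, label in samples:
        v = feature_vector(static_seq, dynamic_seq)
        acc = sums.setdefault(label, [0.0] * len(v))
        for i, x in enumerate(v):
            acc[i] += x
        counts[label] = counts.get(label, 0) + 1
    return {lab: [x / counts[lab] for x in acc] for lab, acc in sums.items()}


def classify(centroids, static_seq, dynamic_seq):
    v = feature_vector(static_seq, dynamic_seq)
    return min(centroids, key=lambda lab: math.dist(v, centroids[lab]))


# Constructed training samples (static import-table sequence, sandbox call
# sequence, label). They are not real traces of any malware family.
TRAINING = [
    (["socket", "connect", "CreateProcessW", "WriteProcessMemory", "CreateRemoteThread", "RegSetValueExW"],
     ["GetTickCount", "socket", "socket", "socket", "connect", "Sleep", "recv", "CreateFileW",
      "WriteFile", "WriteFile", "CloseHandle", "CreateProcessW", "WriteProcessMemory",
      "CreateRemoteThread", "RegOpenKeyExW", "RegSetValueExW"], "malicious"),
    (["socket", "send", "CreateProcessW"],
     ["socket", "connect", "send", "Sleep", "CreateProcessW", "CreateRemoteThread"], "malicious"),
    (["CreateFileW", "ReadFile", "CloseHandle", "RegOpenKeyExW"],
     ["HeapAlloc", "CreateFileW", "ReadFile", "ReadFile", "GetLastError", "CloseHandle",
      "RegOpenKeyExW", "RegOpenKeyExW"], "benign"),
    (["RegOpenKeyExW", "CreateFileW", "WriteFile"],
     ["RegOpenKeyExW", "RegOpenKeyExW", "CreateFileW", "WriteFile", "GetLastError", "CloseHandle"], "benign"),
]

if __name__ == "__main__":
    model = train_centroids(TRAINING)
    unknown_static = ["socket", "connect", "CreateProcessW", "RegSetValueExW"]
    unknown_dynamic = ["GetTickCount", "socket", "recv", "CreateProcessW", "WriteProcessMemory", "RegSetValueExW"]
    print(to_blocks(purify(unknown_dynamic)))
    print(classify(model, unknown_static, unknown_dynamic))
```

The two design points worth noticing are the ones the abstract argues for: the fused vector has an entry for every ordered pair of block types from either view, so it is larger than either single-view vector, and the weight of a pair decays with the path length between the blocks, so a block reached directly scores higher than one reached through several unrelated blocks. Purification runs before block conversion, otherwise the padded repeats and noise APIs would stretch every path and dilute the weights.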

Description

Technical field

[0001] The invention relates to the field of malicious code detection, in particular to a method for detecting malicious code based on semantic mapping association.

Background technique

[0002] In the cyberspace environment, the security threats posed by malicious code increase day by day, and the detection of and protection against malicious code is a focus of security research. Detecting whether code is malicious from its behavioral characteristics is a commonly used malicious code detection method. In this regard, API call information reflects the behavioral characteristics of a program accurately and resists anti-analysis techniques such as code obfuscation effectively, so detecting malicious code by extracting and analyzing API call sequences has been widely used.

[0003] Summarizing the published research results, it can be found that the current analysis and detection methods based on API call sequences have the follo...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/562, G06F21/566, G06F2221/033
Inventors: 韩伟杰 (Han Weijie), 薛静锋 (Xue Jingfeng), 王勇 (Wang Yong), 黄露 (Huang Lu), 钱克昌 (Qian Kechang), 贾录良 (Jia Luliang), 熊达鹏 (Xiong Dapeng)
Owner: BEIJING INSTITUTE OF TECHNOLOGY