Journal of Computer Applications, 2019, Vol. 39, Issue 6: 1728-1734. DOI: 10.11772/j.issn.1001-9081.2018112259

• Cyberspace Security •

Malicious code detection method based on icon similarity analysis

YANG Ping1, ZHAO Bing2, SHU Hui1

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing (Information Engineering University), Zhengzhou, Henan 450001, China;
  2. Institute of Information and Engineering, Zhengzhou Institute of Technology, Zhengzhou, Henan 450001, China
  • Received: 2018-11-13  Revised: 2019-01-17  Online: 2019-06-17  Published: 2019-06-10
  • Corresponding author: YANG Ping
  • About the authors: YANG Ping (1995-), female, from Shangrao, Jiangxi; master's student; research interest: reverse engineering. ZHAO Bing (1972-), male, from Dengzhou, Henan; associate professor, master's degree; research interests: computer applications, information security. SHU Hui (1974-), male, from Yancheng, Jiangsu; professor, Ph.D.; research interest: reverse engineering.
  • Supported by:
    This work is partially supported by the National Key R&D Program of China (2016YFB08011601).

Abstract: Statistics show that a considerable fraction of malicious code in the wild is of the deceptive (lure) type: it disguises itself with an icon resembling that of a commonly used program and relies on tricking the user into clicking it in order to propagate and attack. For this class of deceptive malicious code, and given the low efficiency and high cost of traditional detection methods based on code and behaviour features, a new detection method is proposed. First, the icon resources of a Portable Executable (PE) file are extracted and an image hashing algorithm is used for icon similarity analysis; next, the PE import table is extracted and a fuzzy hashing algorithm is used for behaviour similarity analysis; finally, clustering and locality-sensitive hashing are used for icon matching, and a lightweight tool for fast malicious code detection is designed and implemented. Experimental results show that the tool detects malicious code effectively.

Key words: icon similarity, hashing algorithm, import table comparison, locality-sensitive hashing, malicious code detection
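The three-stage pipeline the abstract describes, as an added example that is not the paper's tool: a perceptual hash of the icon, a locality-sensitive index that turns that hash into candidate matches, and an import-table comparison that separates a counterfeit from a genuine (possibly renamed or rescaled) copy. Everything specific is an assumption: dHash stands in for the unnamed "image hashing algorithm"; Jaccard overlap of (DLL, function) pairs stands in for the fuzzy hash of the import table, because ssdeep is not in the standard library; the LSH is four 16-bit bands of the 64-bit hash; the thresholds (10 bits, Jaccard 0.5) and the program name wordproc.exe are invented. The icons are constructed 8x9 grayscale glyphs and the import sets are constructed, standing in for pixels decoded from a PE file's RT_ICON resources and for its parsed import directory.

```python
"""Icon-lookalike detector: dHash + banded LSH + import-table overlap.
Added example, not the paper's tool. Pixel grids stand in for icons decoded from
PE RT_ICON resources, (dll, function) sets stand in for parsed import tables, and
every threshold below is an assumption rather than a value taken from the paper."""
from collections import defaultdict

HASH_W, HASH_H = 9, 8        # dHash grid: 9 columns give 8 comparisons per row
ICON_DISTANCE_MAX = 10       # assumed: <= 10 of 64 differing bits => "same icon"
IMPORT_SIMILARITY_MIN = 0.5  # assumed: Jaccard below this => behaviour mismatch
BANDS = 4                    # LSH: 64-bit hash split into 4 x 16-bit band keys

def resize_nearest(pixels, width, height):
    """Nearest-neighbour rescale of a 2-D grayscale grid to width x height."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]

def dhash(pixels):
    """Difference hash: one bit per horizontal neighbour pair, 1 if left < right."""
    value = 0
    for row in resize_nearest(pixels, HASH_W, HASH_H):
        for x in range(HASH_W - 1):
            value = (value << 1) | (1 if row[x] < row[x + 1] else 0)
    return value

def hamming(a, b):
    return bin(a ^ b).count("1")

def bands_of(h):
    """Split the 64-bit hash into BANDS equal slices; each slice is an LSH key."""
    width, mask = 64 // BANDS, (1 << 64 // BANDS) - 1
    return [(i, (h >> (i * width)) & mask) for i in range(BANDS)]

class IconIndex:
    """LSH index over known-good icons: any identical band makes a candidate."""
    def __init__(self):
        self.buckets, self.hashes = defaultdict(set), {}

    def add(self, name, pixels):
        self.hashes[name] = h = dhash(pixels)
        for band in bands_of(h):
            self.buckets[band].add(name)

    def best_match(self, pixels):
        """Closest candidate within ICON_DISTANCE_MAX as (name, bits), else None."""
        h, best = dhash(pixels), None
        candidates = set().union(*(self.buckets.get(b, set()) for b in bands_of(h)))
        for name in candidates:
            d = hamming(h, self.hashes[name])
            if d <= ICON_DISTANCE_MAX and (best is None or d < best[1]):
                best = (name, d)
        return best

def import_similarity(a, b):
    """Jaccard overlap of (dll, function) pairs; stand-in for the paper's fuzzy hash."""
    return len(a & b) / len(a | b) if a | b else 1.0

def classify(index, known_imports, icon_pixels, imports):
    """Icon copies a known program but the import table does not => lookalike."""
    match = index.best_match(icon_pixels)
    if match is None:
        return ("no-icon-match", None, None)
    name = match[0]
    sim = import_similarity(imports, known_imports[name])
    return ("lookalike-malware" if sim < IMPORT_SIMILARITY_MIN else "consistent", name, sim)

# Constructed sample data: 8-row x 9-column grayscale glyphs and import sets.
def glyph(rows, palette):
    return [[palette[c] for c in row] for row in rows]

DOC_ICON = [".........", ".WWWWWg..", ".WdddWWg.", ".WWWWWWW.",
            ".WdddddW.", ".WWWWWWW.", ".WWWWWWW.", "........."]
ICON_LEGIT = glyph(DOC_ICON, {".": 0, "W": 255, "d": 64, "g": 128})
# Counterfeit: same shape, slightly recoloured, plus two edited pixels.
ICON_LOOKALIKE = glyph(DOC_ICON, {".": 0, "W": 250, "d": 70, "g": 120})
ICON_LOOKALIKE[5][1], ICON_LOOKALIKE[6][4] = 100, 200
# The genuine icon shipped at 18x16: every pixel doubled on both axes.
ICON_LEGIT_2X = [[p for p in row for _ in range(2)] for row in ICON_LEGIT for _ in range(2)]
ICON_UNRELATED = [[255 if (y + x) % 2 == 0 else 0 for x in range(9)] for y in range(8)]
LEGIT_IMPORTS = {("kernel32.dll", "CreateFileW"), ("kernel32.dll", "ReadFile"),
                 ("user32.dll", "MessageBoxW"), ("gdi32.dll", "BitBlt"),
                 ("comdlg32.dll", "GetOpenFileNameW"), ("ole32.dll", "CoInitialize")}
SUSPICIOUS_IMPORTS = {("kernel32.dll", "CreateFileW"), ("kernel32.dll", "WinExec"),
                      ("wininet.dll", "InternetOpenUrlA"), ("urlmon.dll", "URLDownloadToFileA"),
                      ("advapi32.dll", "RegSetValueExA")}

def demo():
    """Index one known-good program (hypothetical 'wordproc.exe'); classify three samples."""
    index, known = IconIndex(), {"wordproc.exe": LEGIT_IMPORTS}
    index.add("wordproc.exe", ICON_LEGIT)
    return {"counterfeit": classify(index, known, ICON_LOOKALIKE, SUSPICIOUS_IMPORTS),
            "rescaled_copy": classify(index, known, ICON_LEGIT_2X, LEGIT_IMPORTS),
            "unrelated": classify(index, known, ICON_UNRELATED, SUSPICIOUS_IMPORTS)}

if __name__ == "__main__":
    for sample, result in demo().items():
        print(f"{sample:14s} -> {result}")
```

Two points worth checking before using a banded index like this in earnest. By the pigeonhole principle any two hashes that differ in fewer than BANDS bits are guaranteed to share a band, but beyond that the lookup is probabilistic: at the assumed 10-bit threshold a counterfeit whose differing bits happen to land in all four bands is never retrieved, so a production index uses more and narrower bands or several independent hashes. And the icon stage on its own cannot tell a counterfeit from a legitimately renamed or rescaled copy (the rescaled_copy sample hashes identically to the original); that is exactly why the abstract pairs icon similarity with import-table similarity before raising a verdict.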
