Research On Key Technology Of Malware Detection

Posted on: 2016-05-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X G Han
GTID: 1228330467972948
Subject: Computer application technology
Abstract/Summary:
With the continuous progress of society, computers and networks have been applied to all aspects of human life, and people attach more importance to the problems of network security. In February 2014, the establishment of our national network security and IT application leading group showed that network security had been promoted to the level of national strategy. Malware is one of the main threats to today's network security. Driven by economic benefits and the use of new technologies, the number of malware samples is growing exponentially. Meanwhile, malware variants of all kinds emerge endlessly, which causes the security threat to increase year by year.

This paper is devoted to the study of key technologies of malware detection, and draws on and assimilates related work on image texture. Malware binary executable files are transformed into gray level images to visualize them. Based on the image texture features, methods for labeling and detecting malware and its variants are further discussed. The main work and contributions of this paper are summarized as follows:

1) The paper proposes a deep labeling method for malware and its variants based on texture feature clustering. It addresses the problems of traditional malware labeling analysis methods: for example, the ability of feature extraction is insufficient, the family labels are not unified, standardized or accurate, and the methods are not time-efficient. Through statistical analysis of the malware image texture, I induce and analyze the malware family in two steps, base labeling and deep labeling, and thus complete the deep labeling of the malware family.

2) A detection method for malware and its variants based on texture features is proposed. It targets problems of the traditional detection methods: for instance, the false alarm rate and the false negative rate of static detection methods are somewhat high, and the scalability of dynamic detection methods is insufficient and their detection results are not accurate. The related theories of image texture are applied to the detection of malware and its variants. Texture feature index structures are constructed from the malware texture feature vectors. By computing the image texture feature vectors of the sample to be detected, detection of malware and its variants is realized based on locality sensitive hashing.

3) The paper presents a method for constructing malware texture fingerprints. By combining image analysis technology with malware detection technology, the malware is mapped to an uncompressed gray level image. The uncompressed gray level image is partitioned into blocks by the texture segmentation algorithm. The texture features of each uncompressed gray level image block are extracted by the gray level co-occurrence matrix algorithm, and these texture features are used as the texture fingerprints of the malware.

4) The study proposes a detection approach for malware and its variants based on texture fingerprints. The index structure of the texture fingerprints is established from the malware texture fingerprints. In the detection stage, following the generation strategy of the malware texture fingerprint blocks, a prototype system for texture fingerprint extraction and detection was constructed; it applies the integrated weight method to multi-segment texture fingerprint similarity matching to detect malware and its variants.

5) A distributed detection method for malware and its variants based on texture fingerprints is proposed. To handle the large volume of malware to be detected, we use detection in two stages, namely the texture fingerprint retrieval and the detection program based on Bloom Filter and DELSH technology. A distributed detection method for malware is designed based on texture fingerprints. The time complexity of retrieval is reduced to the sublinear level, and the space complexity of retrieval is reduced to the linear level. The system is implemented with the Spark Map-Reduce programming framework.
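The texture fingerprint construction of contribution 3 (bytes mapped to gray level pixels, the image split into blocks, gray level co-occurrence matrix features taken per block) is illustrated below. This is an added example, not code from the dissertation; the image width, the fixed-height strips used in place of the texture segmentation algorithm, the three GLCM statistics chosen, and all function names are assumptions.

```python
from collections import Counter

def to_gray_rows(data: bytes, width: int = 16):
    """Map each byte to one pixel (0-255); zero-pad the last row."""
    padded = data + bytes(-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]

def glcm_features(block, levels: int = 8):
    """Contrast, energy and homogeneity of the horizontal-neighbour GLCM."""
    # Quantise 256 gray levels down to `levels` so the matrix stays small.
    q = [[p * levels // 256 for p in row] for row in block]
    # Count co-occurrences of (pixel, right-hand neighbour) level pairs.
    pairs = Counter((row[x], row[x + 1]) for row in q for x in range(len(row) - 1))
    total = sum(pairs.values())
    contrast = energy = homogeneity = 0.0
    for (i, j), n in pairs.items():
        p = n / total                      # normalised GLCM entry
        contrast += p * (i - j) ** 2
        energy += p * p
        homogeneity += p / (1 + abs(i - j))
    return (round(contrast, 4), round(energy, 4), round(homogeneity, 4))

def texture_fingerprint(data: bytes, width: int = 16, block_rows: int = 8):
    """One GLCM feature tuple per horizontal strip of the image.

    Fixed-height strips are an assumption standing in for the texture
    segmentation step, which the abstract does not specify.
    """
    rows = to_gray_rows(data, width)
    return [glcm_features(rows[r:r + block_rows])
            for r in range(0, len(rows), block_rows)]

# Constructed sample: 128 bytes of zero padding followed by 128 varying bytes.
SAMPLE = bytes(128) + bytes((i * 97 + 13) % 256 for i in range(128))

if __name__ == "__main__":
    for n, feats in enumerate(texture_fingerprint(SAMPLE)):
        print(n, feats)
```

The uniform strip and the varying strip yield clearly different feature tuples, which is what lets per-block features serve as a fingerprint for similarity matching.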
Keywords/Search Tags: Network Security, Malware, Malware detection, Texture Fingerprint, Malware Labeling