
Research On Author Organization Features Of Malware On Windows

Posted on: 2021-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: J J Zhao
Full Text: PDF
GTID: 2428330647956990
Subject: Software engineering

Abstract/Summary:
With the rapid development and application of the Internet, the number and variety of malware have kept increasing. In recent years, malicious code backed by nation states or hacker organizations has become a serious threat to cyberspace security, and tracing the author organization of malware has become one of the focuses of security practitioners at home and abroad. Tracing the author organization of malware not only helps to understand the modus operandi of criminal organizations, so that better defense strategies can be formulated, but also helps to accumulate criminal evidence, deter the related hacker organizations, and curb the emergence of malware at its source. At present, security practitioners trace the author organization of malware mainly by manual means, and automated organization tracing technology is only beginning. Research on the organization features of malware is the foundation of organization tracing technology based on machine learning and has important research value. This thesis delves into the organization features of malware on Windows and the related feature engineering methods, including the extraction and representation of organization features. It studies static organization features, without running the malware in a sandbox. Because the organization features of malicious code include the programming style of the code and the development tool chain, this thesis proposes multi-level, multi-granularity malware organization features, comprising instruction-level, basic block-level, function-level, and file-level features. It also develops feature extraction algorithms and tools for these organization features and expresses the features as feature vectors. It further constructs a LightGBM classification model based on decision trees, and performs feature selection using ablation experiments and mutual information methods to obtain malware organization features that can be used effectively for organization tracing. This thesis establishes an advanced persistent threat (APT) software data set with organization labels, and verifies the effectiveness of the constructed organization features through comparative experiments. The results show that, compared with the organization features used in the existing APT malware author organization tracing method, the organization features constructed in this thesis achieve a better classification effect. This thesis also releases the established malware feature data set with organization labels for the research community to share.
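As an added illustration of the mutual-information feature selection step the abstract mentions (example code written for this page, not the thesis's own tool or data set; the feature names, discretised values and organization labels are constructed), the block below ranks multi-granularity features by how much information they share with the organization label and keeps those above a threshold:

```python
"""Mutual-information ranking of multi-granularity malware organization
features. Constructed example, not the thesis's tool or data set."""
from collections import Counter
from math import log2

# Constructed sample set: one row per malware file, holding already
# discretised features named after the thesis's granularity levels
# (instruction, basic block, function, file) plus an organization label.
# Values and labels (ORG_A/B/C) are made up for illustration.
FEATURES = ["insn_push_ratio_bin", "bb_avg_len_bin",
            "func_count_bin", "file_linker_version"]
SAMPLES = [
    # insn, bb, func, linker, label
    (2, 1, 3, "14.0", "ORG_A"),
    (2, 1, 2, "14.0", "ORG_A"),
    (2, 2, 3, "14.0", "ORG_A"),
    (0, 1, 1, "9.0", "ORG_B"),
    (0, 2, 1, "9.0", "ORG_B"),
    (0, 1, 2, "9.0", "ORG_B"),
    (1, 1, 2, "12.0", "ORG_C"),
    (1, 2, 3, "12.0", "ORG_C"),
    (1, 1, 1, "12.0", "ORG_C"),
]

def entropy(values):
    """Shannon entropy in bits of a list of discrete values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def mutual_information(xs, ys):
    """I(X;Y) = H(X) + H(Y) - H(X,Y) for discrete X and Y."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))

def rank_features(samples, names):
    """Return (feature, MI with label) pairs, highest MI first."""
    labels = [s[-1] for s in samples]
    scores = {name: mutual_information([s[i] for s in samples], labels)
              for i, name in enumerate(names)}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def select_features(samples, names, min_bits=0.5):
    """Keep features sharing at least min_bits of information with the label."""
    return [n for n, mi in rank_features(samples, names) if mi >= min_bits]

if __name__ == "__main__":
    for name, mi in rank_features(SAMPLES, FEATURES):
        print(f"{name:24s} MI = {mi:.3f} bits")
    print("selected:", select_features(SAMPLES, FEATURES))
```

A feature whose distribution is identical across organizations (bb_avg_len_bin above) scores zero and is dropped, while a feature that determines the label scores the full label entropy, log2(3) bits here.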
Keywords/Search Tags: Malware, Organization Tracing, Static Author Organization Features, Feature Selection, LightGBM