
Research On Explanatory Enhanced PC Malware Visual Analysis Method

Posted on: 2021-09-05    Degree: Master    Type: Thesis
Country: China    Candidate: Y R Hou    Full Text: PDF
GTID: 2518306308969509    Subject: Computer technology
Abstract/Summary:
With the development of computer technology, malware has become simpler to produce and more diverse, and it poses a serious threat to information and network security. Identifying malware automatically, quickly, and accurately is therefore a focus of anti-virus research. Traditional malware analysis methods are being combined with machine learning algorithms, but existing approaches neglect interpretability, which falls short of the practicality and rigour that information security requires. This thesis studies how to strengthen the interpretability of the analysis process in malware analysis. It focuses on two malware analysis methods with good explanatory power and combines them in an engineering implementation to produce a visual malware analysis tool.

The thesis first combines reverse analysis and visualization of malware. It proposes visualizing the simhash of the opcode sequence of each function block in the ".text" section of a portable executable (PE) file. This improves the efficiency of malware visualization and also addresses the difficulty of judging similarity directly from the simhash values of opcode sequences. Experiments show that this visualization yields classification features with a higher density of useful information, and that it is more accurate than traditional malware visualization methods.

Second, the thesis proposes an improved network structure, API-PointNet, for processing API sequence information. By constructing a three-dimensional point-cloud data model that describes executable code, API-PointNet models the API point-cloud data and extracts features from it efficiently. The method achieves good malware analysis results and can analyse the key information of malware.

Third, based on the information obtained by dynamic analysis, the thesis proposes a scheme that abstracts the adjacency information of network nodes through heterogeneous networks using CBOW word vectors. By using several paradigms it obtains information with different attributes from the complex network structure, forming a fast and flexible way to handle complex heterogeneous networks.

Finally, the API-PointNet and heterogeneous-network analysis models are integrated into a two-model project. An operating structure that can be iterated semi-automatically in a real production environment is designed, yielding a set of highly available visual analysis tools that make it convenient for malware analysts to examine the key information of malware.
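The first contribution above rests on a simhash of opcode sequences, whose defining property is that near-identical sequences produce fingerprints at a small Hamming distance while unrelated ones do not. The following Python is an added example illustrating that property and the bit-to-pixel layout behind the visualization; it is not the thesis's own code, and the abstract does not specify its n-gram length, hash width or image layout, so the 3-gram features, 64-bit blake2b feature hash and 8x8 grid here are assumptions. The opcode sequences are constructed by hand; in practice they would come from disassembling the functions of the ".text" section of a PE file.

```python
"""Simhash fingerprint of an opcode sequence, plus its bit-grid rendering.

Added example (not code from the thesis). The opcode sequences below are
constructed by hand; in practice they would come from disassembling the
.text section of a PE file (e.g. with capstone), one sequence per function.
Feature definition (3-grams, 64-bit blake2b, 8x8 grid) is an assumption.
"""
import hashlib
from collections import Counter
from typing import List, Sequence

FINGERPRINT_BITS = 64


def feature_hash(feature: str) -> int:
    """Deterministic 64-bit hash of one feature (an opcode n-gram)."""
    digest = hashlib.blake2b(feature.encode("utf-8"), digest_size=8).digest()
    return int.from_bytes(digest, "big")


def opcode_ngrams(opcodes: Sequence[str], n: int = 3) -> List[str]:
    """Sliding-window n-grams over the opcode mnemonics of one function."""
    return [" ".join(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)]


def simhash(features: Sequence[str], bits: int = FINGERPRINT_BITS) -> int:
    """Charikar simhash: each feature votes +w/-w per bit, w = its count.

    Bit i of the fingerprint is 1 when the weighted votes for bit i are
    positive. Feature sets that mostly overlap therefore yield fingerprints
    at a small Hamming distance, which is what makes simhash usable for
    similarity (a cryptographic hash of the whole sequence would not).
    """
    votes = [0] * bits
    for feature, weight in Counter(features).items():
        h = feature_hash(feature)
        for i in range(bits):
            votes[i] += weight if (h >> i) & 1 else -weight
    fingerprint = 0
    for i in range(bits):
        if votes[i] > 0:
            fingerprint |= 1 << i
    return fingerprint


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def fingerprint_grid(fingerprint: int, width: int = 8,
                     bits: int = FINGERPRINT_BITS) -> List[List[int]]:
    """Lay the fingerprint bits out as a (bits/width) x width grid of 0/1 pixels."""
    return [[(fingerprint >> (r * width + c)) & 1 for c in range(width)]
            for r in range(bits // width)]


def render(grid: List[List[int]]) -> str:
    """ASCII rendering of the pixel grid ('#' = 1, '.' = 0)."""
    return "\n".join("".join("#" if px else "." for px in row) for row in grid)


# Constructed sample opcode sequences (not taken from any real binary).
BASE = ("push mov sub mov mov call test jz mov lea push call add mov cmp jne "
        "mov xor call mov push push call add test jnz mov lea mov call mov "
        "pop ret").split()
# Same function with one junk instruction inserted, as a packer or
# metamorphic engine might do: only the n-grams spanning the insert change.
VARIANT = BASE[:16] + ["nop"] + BASE[16:]
# An unrelated routine with a different structure.
OTHER = ("mov mov xor loop shl or and rol xor stosb dec jnz shr ror rcl "
         "sbb adc neg not cmc stc clc cld std lodsb scasb cmpsb repne "
         "leave ret").split()


def compare(a: Sequence[str], b: Sequence[str]) -> int:
    """Hamming distance between the simhashes of two opcode sequences."""
    return hamming(simhash(opcode_ngrams(a)), simhash(opcode_ngrams(b)))


if __name__ == "__main__":
    print("base vs variant :", compare(BASE, VARIANT))
    print("base vs other   :", compare(BASE, OTHER))
    print(render(fingerprint_grid(simhash(opcode_ngrams(BASE)))))
```

Running the block prints a small distance for the junk-inserted variant and a distance near half the fingerprint width for the unrelated routine, then the 8x8 bit grid of the base fingerprint; that grid, one pixel per bit, is the kind of image a classifier can be trained on instead of comparing raw simhash integers.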
Keywords/Search Tags:PC malicious code detection, machine learning, visual analysis, interpretability