PE病毒文件聚类技术研究与实现

发布时间：2018-12-14 08:28

【摘要】：当前,互联网已经成为人们生活中不可或缺的一部分。但互联网给人们生活带来便利的同时,互联网安全问题就像悬在头上的一把利剑,随时都可能对社会生活造成巨大的危害。由于Windows操作系统还是主流的操作系统,所以PE病毒的危害范围也是最广的。而且每年新出现病毒的数量急剧增多,安全厂商应接不暇。因此,将PE病毒文件按照其所属家族自动化聚类的研究有重要的现实意义。本文针对从PE病毒文件中提取静态特征时没有考虑其n-gram时序特征的问题,在分析Word2vec原理的基础上,提出了 PE病毒文件时序特征提取算法。研究了 PE文件结构和聚类算法原理,设计了 PE病毒文件聚类系统,并使用该系统对本文中提出的算法进行了验证。本文的主要研究内容及成果如下:(1)分析了从PE病毒文件提取特征时没有考虑其时序特征的问题,提出了 PE病毒文件时序特征提取算法。目前PE文件提取静态特征的研究集中在使用信息增益选择n-gram特征以及提取API函数调用、字符串信息等,忽略了其时序特征。因此,本文在详细分析了 PE文件结构的基础上提出了一种时序特征提取算法。(2)设计并实现了 PE病毒文件时序特征提取算法。本文中采用Word2vec将PE文件的n-gram词转换成词向量,之后使用词向量作为衡量词与词间相似度的依据,通过K-means算法将上下文语义相近的词划分为一类,以降低时序特征向量的维度。(3)设计并实现了 PE病毒文件聚类系统。该系统主要有两部分组成,第一部分是对时序特征有效性的验证,采用的是SGD多分类算法,第二部分是将时序特征应用到PE病毒文件的聚类中,并对比了 K-means和密度峰值算法的聚类效果。(4)综合评测了本文提出PE病毒文件聚类系统。使用了一批病毒样本对本文设计的PE病毒文件聚类系统进行了测试,测试结果显示该系统达到了预期的聚类效果,时序特征提取算法具有一定的实用性。
[Abstract]:At present, the Internet has become an indispensable part of people's lives. However, the Internet brings convenience to people's life at the same time, Internet security is like a sword hanging on the head, which may cause great harm to social life at any time. Because the Windows operating system is still the mainstream operating system, so the scope of PE virus is also the most extensive. And every year the number of new viruses increased dramatically, security manufacturers are overwhelmed. Therefore, it is of great practical significance to study the automatic clustering of PE virus files according to their families. In order to solve the problem of extracting static features from PE virus files without considering their n-gram temporal features, this paper proposes an algorithm for extracting temporal features of PE virus files based on the analysis of Word2vec principle. This paper studies the structure of PE files and the principle of clustering algorithm, designs the PE virus file clustering system, and verifies the algorithm proposed in this paper. The main contents and achievements of this paper are as follows: (1) after analyzing the problem that the temporal features of PE virus files are not considered, an algorithm for extracting temporal features of PE virus files is proposed. At present, the research on extracting static features of PE files focuses on the use of information gain to select n-gram features and extract API function calls, string information, etc. Therefore, based on the detailed analysis of the structure of PE files, a timing feature extraction algorithm is proposed. (2) A timing feature extraction algorithm for PE virus files is designed and implemented. In this paper, Word2vec is used to convert n-gram words in PE files into word vectors, and word vectors are then used as the basis for measuring the similarity between words and words. By using K-means algorithm, the words with similar context and semantics are divided into a class. In order to reduce the dimension of temporal feature vector. (3) the PE virus file clustering system is designed and implemented. The system consists of two parts. The first part is to verify the validity of temporal features, and the SGD multi-classification algorithm is used. The second part is to apply the temporal features to the clustering of PE virus files. The clustering effects of K-means and peak density algorithm are compared. (4) A PE virus file clustering system is proposed in this paper. A group of virus samples are used to test the PE virus file clustering system designed in this paper. The test results show that the system achieves the expected clustering effect and the timing feature extraction algorithm is practical.
【学位授予单位】：北京邮电大学
【学位级别】：硕士
【学位授予年份】：2016
【分类号】：TP393.08;TP311.13

【参考文献】