计算机科学 (Computer Science) ›› 2015, Vol. 42 ›› Issue (2): 90-94. doi: 10.11896/j.issn.1002-137X.2015.02.019

• Information Security •

Detection of Malicious PDF Documents Based on Structural Paths

陈亮,陈性元,孙奕,杜学绘   

  1. Information Engineering University, Zhengzhou 450001; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, Information Engineering University, Zhengzhou 450001, Information Engineering University, Zhengzhou 450001; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, Information Engineering University, Zhengzhou 450001; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001
  • Online: 2018-11-14 Published: 2018-11-14
  • Funding:
    This work was supported by the National High-Tech Research and Development Program of China (863 Program) (2012AA012704), the Henan Province Science and Technology Innovation Talent Program (114200510001), and the Open Fund of the Key Laboratory of Information Assurance Technology (KJ-13-110).

Detection of Malicious PDF Based on Structural Path

CHEN Liang, CHEN Xing-yuan, SUN Yi and DU Xue-hui   

  • Online: 2018-11-14 Published: 2018-11-14

Abstract: Malicious PDF documents remain a threat to network security and have even caused a number of major security incidents. Existing detection methods focus mainly on two aspects, malicious code extraction and emulated execution; their detection efficiency is low and they are not tailored to PDF documents. On the basis of an analysis of the structural properties of PDF documents, this paper defines the document structural path and proposes a detection method based on the latent structural differences between malicious and benign documents. Results on a large experimental data set show that the method performs well in both detection accuracy and detection speed.

Keywords: Malware detection, PDF documents, Structural path, Decision tree

Abstract: Malicious PDF documents are still a network security threat, and have even caused a number of significant security incidents. Existing methods mainly rely on malicious code extraction and simulated execution; their detection efficiency is not high, and they are not specific to PDF documents. On the basis of an analysis of the structural properties of PDF documents, a structural path is defined and a detection method based on the latent structural differences between malicious and benign documents is proposed. A large body of experimental results shows that the method performs well in both detection accuracy and detection speed.

Key words: Malware detection, PDF documents, Structural path, Decision tree
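As an added illustration of the structural-path idea in the abstract (not code from the paper or its authors): a structural path is the sequence of dictionary keys from the trailer to each leaf of the PDF object graph, with array indices collapsed, and the set of paths present in a document becomes the binary feature vector a decision tree classifies. The object graph, the path convention and all names below are constructed assumptions; the `/Parent` back-reference in the sample shows why the walk must guard against cycles.

```python
"""Extract PDF structural paths (key sequences from the trailer to each
leaf of the object graph) and turn them into binary features."""

# Constructed sample object graph (not parsed from a real file): objects are
# dicts keyed by PDF name, indirect references are ('ref', n), arrays are
# lists, streams are ('stream', data). Object 3's /Parent points back to 2.
SAMPLE_OBJECTS = {
    1: {"/Type": "/Catalog", "/Pages": ("ref", 2), "/OpenAction": ("ref", 4)},
    2: {"/Type": "/Pages", "/Kids": [("ref", 3)], "/Count": 1},
    3: {"/Type": "/Page", "/Parent": ("ref", 2), "/Contents": ("ref", 5)},
    4: {"/S": "/JavaScript", "/JS": ("ref", 6)},
    5: ("stream", b"BT /F1 12 Tf (hello) Tj ET"),
    6: ("stream", b"app.alert('constructed sample');"),
}
SAMPLE_TRAILER = {"/Root": ("ref", 1), "/Size": 7}


def structural_paths(trailer, objects):
    """Return the set of structural paths reachable from the trailer.

    A path is the joined sequence of dictionary keys leading to a leaf;
    array indices are dropped so every /Kids entry shares one path.
    Indirect references are followed, but an object already on the current
    path is not re-entered, so /Parent back-edges terminate instead of
    looping; a dangling reference also terminates the path."""
    paths = set()

    def walk(node, prefix, on_path):
        if isinstance(node, tuple) and node[0] == "ref":
            num = node[1]
            if num in on_path or num not in objects:
                paths.add(prefix)          # cycle or dangling ref: stop here
                return
            walk(objects[num], prefix, on_path | {num})
        elif isinstance(node, dict):
            for key, value in node.items():
                walk(value, prefix + key, on_path)
        elif isinstance(node, list):
            for item in node:
                walk(item, prefix, on_path)
        else:
            paths.add(prefix)              # leaf: name, number, string, stream

    walk(trailer, "", frozenset())
    return paths


def feature_vector(paths, vocabulary):
    """Binary presence vector over a fixed path vocabulary: the row a
    decision tree would be trained on for this document."""
    return [1 if p in paths else 0 for p in vocabulary]
```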

