Computer Science ›› 2024, Vol. 51 ›› Issue (12): 303-309. doi: 10.11896/jsjkx.231200041

• Information Security •

Cryptomining Malware Early Detection Method Based on SDR Sentence Embedding

ZHONG Kai1, GUO Chun1, LI Xianchao2, SHEN Guowei1

  1 State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
  2 Guizhou Cloud Computing and Big Data Professional Master's Workstation, Guiyang 550014, China
  • Received: 2023-12-06  Revised: 2024-04-30  Online: 2024-12-15  Published: 2024-12-10
  • Corresponding author: GUO Chun (gc_gzedu@163.com)
  • About author: (boneink@126.com)
  • Supported by:
    National Natural Science Foundation of China (62162009); Big Data and Network Security Innovation Team of Universities in Guizhou Province (黔教技[2023]052); Science and Technology Program of Guizhou Province (黔科合平台人才GHB[2023]001)

Cryptomining Malware Early Detection Method Based on SDR

ZHONG Kai1, GUO Chun1, LI Xianchao2, SHEN Guowei1   

  1 State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
    2 Guizhou Cloud Computing and Big Data Professional Master’s Workstation, Guiyang 550014, China
  • Received: 2023-12-06  Revised: 2024-04-30  Online: 2024-12-15  Published: 2024-12-10
  • About author: ZHONG Kai, born in 1997, postgraduate. His main research interests include computer network and information security.
    GUO Chun, born in 1986, Ph.D., professor. His main research interests include malicious code detection and intrusion detection.
  • Supported by:
    National Natural Science Foundation of China (62162009), Big Data and Network Security Innovation Team of Universities in Guizhou Province ([2023]052) and Science and Technology Program of Guizhou Province (GHB[2023]001).

Abstract: Cryptomining malware aims to steal the computing resources of a device to mine cryptocurrency; besides consuming large amounts of computing resources, it seriously endangers network security. Current dynamic detection methods for cryptomining malware mainly rely on host behavior or network traffic collected while a sample runs for a long time, and so fail to balance timeliness and accuracy of detection. By analyzing the DLL calls and API return values of cryptomining malware in the early stage of execution, this paper proposes an API sentence embedding method, SDR, and on that basis further proposes an SDR-based cryptomining malware early detection method, CEDS. CEDS uses SDR to convert the API name sequence, API return value sequence and DLL sequence produced in the early stage of software execution into a sequence of sentence vectors, and builds a TextCNN model for early detection of cryptomining malware. Experimental results show that CEDS can determine whether a software sample is cryptomining malware or benign software with an average time of 0.5106 s and an accuracy of 96.75%.

Keywords: Cryptomining malware, Dynamic analysis, Early detection, Sentence embedding, Deep learning

Abstract: Cryptomining malware aims to steal computing resources from devices to mine cryptocurrency, seriously compromising network security while consuming a large amount of computing resources. Current dynamic detection methods for cryptomining malware mainly rely on host behavior or network traffic collected during a long sample run, which does not balance the timeliness and accuracy of detection. By analyzing the DLLs (dynamic link libraries) called and the return values of the APIs called by cryptomining malware at the early stage of execution, we propose an API sentence embedding method based on DLL and API return value (SDR), and further propose a cryptomining malware early detection method based on SDR (CEDS). CEDS uses SDR to convert the API name sequences, API return value sequences, and DLL sequences generated in the early stages of software execution into sentence vector sequences, and uses TextCNN to build a model for early detection of cryptomining malware. Experimental results show that CEDS can determine whether a software sample is cryptomining malware or benign software with an average time of 0.5106 s and an accuracy of 96.75%.

Key words: Cryptomining malware, Dynamic analysis, Early detection, Sentence embedding, Deep learning

CLC number: TP309