Abstract (translated from the Chinese)
With the rapid growth and spread of malware, the cybersecurity ecosystem has faced severe threats in recent years; at the same time, constantly evolving attack techniques can evade the analysis and detection of security defense systems, posing new challenges to network security analysts. Traditional manual analysis, constrained by limited resources, struggles to uncover the latent attack vectors and techniques of malware and to discover commonalities among malware samples, even with the help of automated tools. This paper designs a malware association analysis system, SimMal, which uses a heterogeneous graph to clearly present the associations among multiple dimensions such as malware, malicious behaviors, attack techniques and exploited vulnerabilities; on this basis, a heterogeneous graph representation learning algorithm predicts the malware family and APT (Advanced Persistent Threat) group associated with a malware sample, helping analysts discover malware-related risks and intent early and put defenses in place in advance. The system has been applied to real malware datasets from a production network, and the experimental results verify the effectiveness of malware family classification and APT group attribution analysis.
Abstract (English, as published)
With the rapid growth and spread of malware, the cybersecurity ecosystem has faced great threats in recent years. Meanwhile, continuously developing attack techniques can bypass the threat analysis and detection of security systems, which poses new challenges to security analysts. Because of the resource limitations of traditional manual malware analysis, the traditional method has difficulty uncovering the potential attack vectors and techniques of malware even with the help of automated analysis tools, and it is difficult to find the commonality between malware samples. This paper designs a malware association analysis system called SimMal, which can clearly show the relationships between various dimensions of malware, such as malware instances, malicious behaviors, attack techniques and exploits, by means of a heterogeneous network graph. Further, based on heterogeneous graph representation learning, SimMal can predict the potential malware family and APT (Advanced Persistent Threat) group associated with a malware sample, and thus can assist analysts in discovering malware-related risks and intentions in advance and in putting defenses in place ahead of time. The SimMal system is currently applied to real malware datasets, and the experimental results have verified the effectiveness of malware family classification and APT group traceability analysis.
Authors
Zhang Ruikang (章瑞康); Zhou Juan (周娟); Yuan Jun (袁军); Li Wenjin (李文瑾); Gu Dujuan (顾杜娟) (NSFOCUS Technologies Group Co., Ltd., Beijing 100089, China)
Source
Information Technology and Network Security (《信息技术与网络安全》), 2021, No. 11, pp. 8-15 (8 pages)
Keywords
malware (恶意软件); automated analysis (自动化分析); association analysis (关联分析); heterogeneous graph learning (异构图学习)