
Attribution classification method of APT malware based on multi-feature fusion.

Affiliation

School of Computer Science and Technology, Xinjiang University, Xinjiang Uygur Autonomous Region, Urumqi, People's Republic of China.

Publication

PLoS One. 2024 Jun 27;19(6):e0304066. doi: 10.1371/journal.pone.0304066. eCollection 2024.

DOI:10.1371/journal.pone.0304066
PMID:38935673
Full text: https://pmc.ncbi.nlm.nih.gov/articles/PMC11210823/
Abstract

With the growth of the Internet, attribution classification of APT malware remains an important problem. Existing methods do not yet consider the DLLs linked and the hidden file addresses used during execution, and they fall short in capturing the local and global correlation of event behaviors. Compared with the structural features of binary code, opcode features reflect the runtime instructions, but they do not account for the repeated reuse of local operation behaviors within the same APT group. Attribution classification based on a single feature is also more easily affected by obfuscation. To address these issues, (1) an event behavior graph built from API instructions and their related operations is constructed, and a GNN model captures the execution traces on the host; (2) ImageCNTM captures the local spatial correlation and continuous long-term dependency of opcode images; and (3) the word-frequency and behavior features are concatenated and fused in a multi-feature, multi-input deep learning model. We collected a publicly available dataset of APT malware to evaluate the method. The attribution classification results of the single-feature models reached 89.24% and 91.91%, and the multi-feature fusion model achieves better classification performance than the single-feature classifiers.
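The abstract describes three feature views of one sample, an API-level event behavior graph, an opcode image and an opcode word-frequency vector, that are concatenated and fed to a multi-input model. The Python below is an added example, not code from the paper or from any project it cites. It sketches only the feature-extraction front end on a constructed sandbox trace and a constructed opcode sequence, and it uses a degree vector as a stand-in for a GNN readout; the GNN and ImageCNTM classifiers themselves are not shown. All names (SAMPLE_TRACE, SAMPLE_OPCODES, OPCODE_VOCAB, build_event_graph, opcode_image, fuse_features, insert_junk) are assumptions made for this illustration. The last helper goes slightly beyond the abstract: it shows why an opcode-only view is fragile under cheap obfuscation while the behavioral view is not.

```python
from collections import Counter

# Constructed sample input (not from the paper): a sandbox-style trace of one
# sample as (API name, object it acts on) pairs, in execution order.
SAMPLE_TRACE = [
    ("LoadLibraryA", "kernel32.dll"),
    ("GetProcAddress", "VirtualAlloc"),
    ("CreateFileW", "C:\\ProgramData\\svc.tmp"),
    ("WriteFile", "C:\\ProgramData\\svc.tmp"),
    ("WriteFile", "C:\\ProgramData\\svc.tmp"),
    ("LoadLibraryA", "wininet.dll"),
    ("InternetOpenA", "wininet.dll"),
    ("SetFileAttributesW", "C:\\ProgramData\\svc.tmp"),
]

# Constructed opcode sequence (mnemonics only, operands dropped), as a
# disassembler pass over the sample's code section would produce.
SAMPLE_OPCODES = ("push mov sub xor call test jz mov call lea push call "
                  "xor mov cmp jne pop ret").split()

# Fixed vocabulary; index 0 is reserved for padding / unknown mnemonics.
OPCODE_VOCAB = ["pad", "push", "mov", "sub", "xor", "call", "test", "jz",
                "lea", "cmp", "jne", "pop", "ret"]


def build_event_graph(trace):
    """Event-behavior graph. API instructions and the objects they touch (DLLs,
    file paths) are nodes; an API->object edge records the operation and an
    API->API edge records execution order. Edge weights count repeats, so a
    locally reused behavior (e.g. two WriteFile calls) becomes a heavier edge."""
    nodes = {}
    edges = Counter()

    def node_id(label):
        return nodes.setdefault(label, len(nodes))

    prev = None
    for api, obj in trace:
        a = node_id("api:" + api)
        o = node_id("obj:" + obj)
        edges[(a, o)] += 1
        if prev is not None:
            edges[(prev, a)] += 1   # self-loop when the same API repeats
        prev = a
    return nodes, edges


def graph_summary(nodes, edges):
    """Stand-in for a GNN readout: weighted degree of every node, sorted so the
    vector does not depend on the order nodes were first seen."""
    degree = Counter()
    for (src, dst), w in edges.items():
        degree[src] += w
        degree[dst] += w
    return sorted(degree[i] for i in range(len(nodes)))


def opcode_image(opcodes, width=6, vocab=OPCODE_VOCAB):
    """Opcode 'image': each mnemonic becomes an intensity (its vocabulary index,
    unknown mnemonics map to 0) and the sequence is folded into rows of `width`,
    so a 2D convolution sees neighboring instructions as spatial neighbors."""
    index = {m: i for i, m in enumerate(vocab)}
    pixels = [index.get(m, 0) for m in opcodes]
    pixels += [0] * ((-len(pixels)) % width)      # pad the last row
    return [pixels[r:r + width] for r in range(0, len(pixels), width)]


def word_frequency(opcodes, vocab=OPCODE_VOCAB):
    """Order-free bag-of-opcodes frequency vector over the fixed vocabulary."""
    counts = Counter(opcodes)
    total = max(len(opcodes), 1)
    return [counts[m] / total for m in vocab]


def fuse_features(trace, opcodes):
    """Early fusion by concatenation: the three views are flattened and joined
    into one vector. A multi-input network would instead feed each view to its
    own branch and concatenate the learned embeddings before the classifier."""
    nodes, edges = build_event_graph(trace)
    graph_vec = graph_summary(nodes, edges)
    image_vec = [px for row in opcode_image(opcodes) for px in row]
    return graph_vec + image_vec + word_frequency(opcodes)


def insert_junk(opcodes, every=3, junk="nop"):
    """Cheap opcode-level obfuscation: interleave a dead instruction. This
    reshapes the opcode image and dilutes the frequency vector, but the API
    trace (and so the event graph) is unchanged, which is the argument for
    fusing a behavioral feature with the static ones."""
    out = []
    for i, m in enumerate(opcodes):
        out.append(m)
        if (i + 1) % every == 0:
            out.append(junk)
    return out


if __name__ == "__main__":
    nodes, edges = build_event_graph(SAMPLE_TRACE)
    print(len(nodes), "nodes,", len(edges), "edges, total weight", sum(edges.values()))
    for row in opcode_image(SAMPLE_OPCODES):
        print(row)
    print("fused length:", len(fuse_features(SAMPLE_TRACE, SAMPLE_OPCODES)))
```

The degree vector is only a placeholder so the pipeline runs offline; a real implementation would hand the node list and weighted edge list to a graph library and let the GNN learn the readout, and would build the opcode image with a real width (the abstract does not state one).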


Figures (PMC full-text images, Fig 1 to Fig 12):

https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/80ff37e5a38e/pone.0304066.g001.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/53543d37e801/pone.0304066.g002.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/8309e8100f6c/pone.0304066.g003.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/95d752fa4602/pone.0304066.g004.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/d29eadc83ba1/pone.0304066.g005.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/189642dc473a/pone.0304066.g006.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/ec7b0915d09c/pone.0304066.g007.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/838e0f8d9d00/pone.0304066.g008.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/362ccd5543ae/pone.0304066.g009.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/fd867f5230c2/pone.0304066.g010.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/18fc2d308e03/pone.0304066.g011.jpg
https://cdn.ncbi.nlm.nih.gov/pmc/blobs/ad20/11210823/c65e46623e38/pone.0304066.g012.jpg

Similar articles

1. Attribution classification method of APT malware based on multi-feature fusion.
   PLoS One. 2024 Jun 27;19(6):e0304066. doi: 10.1371/journal.pone.0304066. eCollection 2024.
2. Malware homology determination using visualized images and feature fusion.
   PeerJ Comput Sci. 2021 Apr 15;7:e494. doi: 10.7717/peerj-cs.494. eCollection 2021.
3. End-to-End Deep Neural Networks and Transfer Learning for Automatic Analysis of Nation-State Malware.
   Entropy (Basel). 2018 May 22;20(5):390. doi: 10.3390/e20050390.
4. OpCode-Level Function Call Graph Based Android Malware Classification Using Deep Learning.
   Sensors (Basel). 2020 Jun 29;20(13):3645. doi: 10.3390/s20133645.
5. A Malicious Code Detection Method Based on FF-MICNN in the Internet of Things.
   Sensors (Basel). 2022 Nov 12;22(22):8739. doi: 10.3390/s22228739.
6. Channel Features and API Frequency-Based Transformer Model for Malware Identification.
   Sensors (Basel). 2024 Jan 17;24(2):580. doi: 10.3390/s24020580.
7. Malware analysis using visualized image matrices.
   ScientificWorldJournal. 2014;2014:132713. doi: 10.1155/2014/132713. Epub 2014 Jul 16.
8. An ensemble approach for imbalanced multiclass malware classification using 1D-CNN.
   PeerJ Comput Sci. 2023 Nov 14;9:e1677. doi: 10.7717/peerj-cs.1677. eCollection 2023.
9. GSB: GNGS and SAG-BiGRU network for malware dynamic detection.
   PLoS One. 2024 Apr 18;19(4):e0298809. doi: 10.1371/journal.pone.0298809. eCollection 2024.
10. Cyber Code Intelligence for Android Malware Detection.
   IEEE Trans Cybern. 2023 Jan;53(1):617-627. doi: 10.1109/TCYB.2022.3164625. Epub 2022 Dec 23.

Cited by

1. Research on APT groups malware classification based on TCN-GAN.
   PLoS One. 2025 Jun 10;20(6):e0323377. doi: 10.1371/journal.pone.0323377. eCollection 2025.

References cited by this article

1. TagSeq: Malicious behavior discovery using dynamic analysis.
   PLoS One. 2022 May 16;17(5):e0263644. doi: 10.1371/journal.pone.0263644. eCollection 2022.
2. End-to-End Deep Neural Networks and Transfer Learning for Automatic Analysis of Nation-State Malware.
   Entropy (Basel). 2018 May 22;20(5):390. doi: 10.3390/e20050390.
3. Homology analysis of malware based on ensemble learning and multifeatures.
   PLoS One. 2019 Aug 26;14(8):e0211373. doi: 10.1371/journal.pone.0211373. eCollection 2019.