基于特征集聚和卷積神經(jīng)網(wǎng)絡(luò)的惡意PDF文檔檢測方法
信息技術(shù)與網(wǎng)絡(luò)安全
俞遠(yuǎn)哲,王金雙,鄒 霞
(陸軍工程大學(xué) 指揮控制工程學(xué)院,江蘇 南京210001)
摘要: 針對現(xiàn)有惡意PDF文檔檢測方法存在特征維度高、數(shù)據(jù)集樣本少導(dǎo)致模型欠擬合等問題,提出了一種基于特征集聚和卷積神經(jīng)網(wǎng)絡(luò)的惡意PDF文檔檢測方法。該方法以詞袋模型為基礎(chǔ),從PDF文檔中提取常規(guī)特征和結(jié)構(gòu)特征。然后以合并后特征簇最小方差為目標(biāo),使用Ward最小方差聚類方法實(shí)現(xiàn)特征集聚。最后,將聚合特征送入卷積神經(jīng)網(wǎng)絡(luò)分類模型進(jìn)行訓(xùn)練。根據(jù)不同聚合特征數(shù)下模型性能的好壞,確定最優(yōu)的聚合特征數(shù)。實(shí)驗(yàn)結(jié)果表明,該方法降低了特征維度,提升了模型的召回率,緩解了模型的欠擬合問題。縱向比較來看,在不同的良性樣本和惡意樣本比例下,遍歷得到最優(yōu)的聚合特征數(shù),召回率平均提升了53%,F(xiàn)-score平均提升了0.44,運(yùn)行時間平均縮短了27%;與PJScan、PDFrate、Luxor 3種檢測工具橫向相比,檢測的綜合性能平均提升了5%。
中圖分類號: TP309
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2021.08.006
引用格式: 俞遠(yuǎn)哲,王金雙,鄒霞。 基于特征集聚和卷積神經(jīng)網(wǎng)絡(luò)的惡意PDF文檔檢測方法[J].信息技術(shù)與網(wǎng)絡(luò)安全,2021,40(8):35-41.
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2021.08.006
引用格式: 俞遠(yuǎn)哲,王金雙,鄒霞。 基于特征集聚和卷積神經(jīng)網(wǎng)絡(luò)的惡意PDF文檔檢測方法[J].信息技術(shù)與網(wǎng)絡(luò)安全,2021,40(8):35-41.
A malicious PDF detection method based on feature agglomeration and convolutional neural network
Yu Yuanzhe,Wang Jinshuang,Zou Xia
(Command & Control Engineering College,Army Engineering University of PLA,Nanjing 210001,China)
Abstract: To solve the high feature dimension problems and under-fitting due to the small dataset size, a malicious PDF document detection method based on feature agglomeration and CNN was proposed. Based on the word bag model, the regular and structural features are extracted from PDF documents. Then Ward′s Minimum Variance Clustering Method is used to achieve feature agglomeration according to the combined minimum variance of feature clusters. Afterwards, the agglomerate features are sent into the CNN classification model for training and evaluation. The optimal number of agglomerate features is determined by a comparison with the performances of the model under different numbers of agglomerate features. It was shown that the model proposed in this paper can reduce the dimension of the feature, improve the recall rate of model and mitigate the under-fitting problem at the same time.With different benign and malicious sample proportions, the recall rate is increased by 53% and the F-score is increased by 0.44 on average. Meanwhile, compared with detection tools PJScan, PDFrate and Luxor, the comprehensive detection performance is improved by 5% on average.
Key words : malicious PDF document;feature agglomeration;static detection;Convolutional Neural Network(CNN)
0 引言
PDF(Portable Document Format)文檔的使用非常廣泛,但隨著版本的更新?lián)Q代,PDF文檔包含的功能也變得多種多樣,其中一些鮮為人知的功能(如文件嵌入、JavaScript代碼執(zhí)行、動態(tài)表單等)越來越多地被不法分子利用,來實(shí)施惡意網(wǎng)絡(luò)攻擊行為[1]。APT(Advanced Persistent Threat)攻擊[2]常常借助惡意PDF文檔這一媒介,通過社會工程學(xué)、水坑攻擊、釣魚攻擊等手段,構(gòu)造巧妙偽裝的惡意文檔,誘騙受害者下載,從而侵入或破壞計算機(jī)系統(tǒng)。相比傳統(tǒng)的可執(zhí)行惡意程序攻擊,惡意文檔攻擊具有更強(qiáng)的迷惑性。
近年來,基于機(jī)器學(xué)習(xí)的惡意PDF文檔檢測技術(shù)被廣泛使用。相比于傳統(tǒng)簽名匹配檢測,它能夠及時發(fā)現(xiàn)新型惡意文檔且檢測模型更新方便迅速。其中基于靜態(tài)檢測的機(jī)器學(xué)習(xí)方法,具有高效、成本低、解釋性強(qiáng)等特點(diǎn)。而深度學(xué)習(xí)相較于機(jī)器學(xué)習(xí)算法,更強(qiáng)調(diào)學(xué)習(xí)數(shù)據(jù)中的隱藏信息,如特征的相關(guān)性。
本文詳細(xì)內(nèi)容請下載:http://www.jysgc.com/resource/share/2000003722
作者信息:
俞遠(yuǎn)哲,王金雙,鄒 霞
(陸軍工程大學(xué) 指揮控制工程學(xué)院,江蘇 南京210001)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。