Journal of Frontiers of Computer Science and Technology (计算机科学与探索) ›› 2024, Vol. 18, Issue 4: 1083-1093. DOI: 10.3778/j.issn.1673-9418.2307023

• Network and Security •

Cryptomining Malware Early Detection Method Based on AECD Embedding

CAO Chuanbo, GUO Chun, LI Xianchao, SHEN Guowei

  1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
  2. Guizhou Xiangming Technology Co., Ltd., Guiyang 550025, China
  • Online: 2024-04-01  Published: 2024-04-01

Abstract: Cryptomining malware compromises system security, shortens hardware lifetime and consumes large amounts of electricity, so detecting it early, in time to stop the damage, is critical to system security. Existing dynamic-analysis-based early detection methods for cryptomining malware fail to balance timeliness against accuracy. To detect cryptomining malware both promptly and accurately, this paper fuses, for a fixed-length prefix of the API (application programming interface) calls a sample makes early in its execution, the API names, the API operation categories and the DLLs (dynamic link libraries) through which the APIs are called, so that the sample's early-stage behaviour is described more fully. On this basis it proposes the AECD (API embedding based on category and DLL) embedding and, building on it, a cryptomining malware early detection method based on AECD embedding (CEDMA). CEDMA takes the fixed-length API sequence a program calls in its early stage of execution as the detection object and builds its detection model from AECD embedding and a TextCNN (text convolutional neural network) to perform early detection. Experimental results show that when CEDMA takes the first 3000 API calls made after a program starts as input, it detects the known and unknown cryptomining malware samples in the experiment with accuracy values of 98.21% and 96.76%, respectively.

Key words: cryptomining malware, dynamic analysis, early detection, deep learning