A practical approach on clustering malicious PDF documents

Abstract

Starting in 2009, the number of advanced persistent threat attacks has increased. In all of the researched cases, this kind of attack uses a zero-day exploit, usually found in a frequently used application. Most of the time, the user has to visit a malicious page or open an infected document sent via e-mail. Even though the attack vector can take many forms, this paper addresses the case in which the attack relies on PDF files to deliver the payload. We chose the PDF format both because of the high number of attacks it has been used in and the key advantages it offers to the attacker. From an attacker's perspective, the advantage of this attack is clear: PDF files can be opened by an application on the user's computer or in a browser, as most browsers support plug-ins that can render PDF files. The use of JavaScript inside PDF files offers two further advantages. The first is that code can be executed on the victim's computer while the attack evades different protection methods. The second is that the JavaScript code can be polymorphic, in that two files with the same functionality may look very different. This paper unveils a clustering method based on tokenization of the JavaScript code inside PDF files that is resistant to most of the obfuscation techniques used in script-based malware. Our clustering method is based on the fact that most infected PDF files (over 93 %) use JavaScript code. By tokenizing the JavaScript code, describing it in an abstract manner and eliminating the different operators used in polymorphism, we are able to obtain classes of files, very similar syntax-wise, that can be easily clustered using different methods. Given that virus analysts would likely analyse classes of files rather than isolated files, their work will be significantly reduced. The method of abstraction can be taken one step further and used as a detection mechanism, a technique to evaluate prevalent data or to obtain a subset from a large set without losing data variability.
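The abstract describes the pipeline only at a high level: extract the JavaScript from the PDF, tokenize it, replace concrete names and literals with abstract token classes, fold the operators that polymorphic generators use to split literals, then group files whose abstract token sequence is identical. The following example is added here to make that idea concrete; it is not the paper's code, and the token classes, the set of kept API names, the folding rules and the sample PDF fragments are all assumptions constructed for the illustration. It handles only the two literal forms a `/JS` value can take inline in an object (parenthesised string and hex string), not JavaScript stored in compressed streams.

```python
"""Added example (not the paper's code): abstract the JavaScript embedded in
PDF files so that polymorphic variants collapse to one syntactic class.
All sample data below is constructed for illustration."""
import re
from collections import defaultdict

# --- 1. pull JavaScript out of inline /JS entries ---------------------------
# Supports  /JS (script)  and  /JS <68657820...>.  Stream-based /JS values
# (indirect objects, FlateDecode) are out of scope for this illustration.
def extract_js(pdf: bytes) -> list:
    scripts = []
    for m in re.finditer(rb"/JS\s*", pdf):
        pos = m.end()
        if pdf[pos:pos + 1] == b"(":
            scripts.append(_read_literal_string(pdf, pos))
        elif pdf[pos:pos + 1] == b"<" and pdf[pos:pos + 2] != b"<<":
            end = pdf.index(b">", pos)
            hexdata = re.sub(rb"\s", b"", pdf[pos + 1:end])
            if len(hexdata) % 2:
                hexdata += b"0"      # PDF pads an odd trailing hex digit with 0
            scripts.append(bytes.fromhex(hexdata.decode("ascii")).decode("latin-1"))
    return scripts

def _read_literal_string(pdf: bytes, start: int) -> str:
    # PDF literal strings may contain balanced unescaped parentheses, so a
    # depth counter is needed; backslash escapes are simplified to the
    # escaped character itself (enough for the token classes used below).
    depth, i, out = 0, start, bytearray()
    while i < len(pdf):
        c = pdf[i:i + 1]
        if c == b"\\":
            out += pdf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:           # the opening delimiter itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:           # the closing delimiter
                break
        out += c
        i += 1
    return out.decode("latin-1")

# --- 2. tokenize and abstract the JavaScript ---------------------------------
# Simplified lexer: whitespace and comments are dropped, regex literals and
# template strings are not handled, unknown characters are skipped.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+|//[^\n]*|/\*.*?\*/)
  | (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<num>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
  | (?P<id>[A-Za-z_$][\w$]*)
  | (?P<op>===|!==|==|!=|<=|>=|&&|\|\||\+\+|--|\+=|-=|[-+*/%=<>!&|^~?:;,.(){}\[\]])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"var", "function", "return", "if", "else", "for", "while", "new",
            "this", "typeof", "in", "do", "break", "continue", "try", "catch",
            "throw", "null", "true", "false"}
# Names an analyst cares about are kept verbatim (assumed list); every other
# identifier becomes ID, every string STR, every number NUM.
KEEP_NAMES = {"eval", "unescape", "escape", "String", "fromCharCode", "replace",
              "split", "join", "substr", "substring", "length", "app", "util",
              "printf", "alert", "viewerVersion", "Collab", "getIcon"}
FOLD_OPS = {"+", "-", "*", "/", "|", "^"}

def abstract_tokens(js: str) -> list:
    toks = []
    for m in TOKEN_RE.finditer(js):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "str":
            toks.append("STR")
        elif kind == "num":
            toks.append("NUM")
        elif kind == "id":
            toks.append(text if text in KEYWORDS or text in KEEP_NAMES else "ID")
        else:
            toks.append(text)
    return _fold_polymorphism(toks)

def _fold_polymorphism(toks: list) -> list:
    # Literal splitting is a common polymorphic trick: "ev" + "al" or
    # 0x41 + 1 * 2.  Fold STR + STR -> STR and NUM <op> NUM -> NUM until stable.
    changed = True
    while changed:
        changed, out, i = False, [], 0
        while i < len(toks):
            if (i + 2 < len(toks) and toks[i] in ("STR", "NUM")
                    and toks[i + 2] == toks[i] and toks[i + 1] in FOLD_OPS
                    and (toks[i] == "NUM" or toks[i + 1] == "+")):
                out.append(toks[i])
                i += 3
                changed = True
                continue
            out.append(toks[i])
            i += 1
        toks = out
    return toks

def signature(js: str) -> str:
    return " ".join(abstract_tokens(js))

# --- 3. cluster files by signature -----------------------------------------
def cluster(pdfs: dict) -> dict:
    """Map signature -> [file names]; files without JavaScript land in 'no-js'."""
    groups = defaultdict(list)
    for name, data in pdfs.items():
        scripts = extract_js(data)
        if not scripts:
            groups["no-js"].append(name)
            continue
        groups[" ".join(signature(s) for s in scripts)].append(name)
    return dict(groups)

# Constructed samples: A and B are the same logic with renamed variables and
# split literals (B is stored as a PDF hex string); C does something else.
JS_A = 'var sc = unescape("%u9090%u9090"); var cmd = "eval"; this[cmd](sc);'
JS_B = 'var zX9 = unescape("%u9090" + "%u9090"); var _q = "ev" + "al"; this[_q](zX9);'
JS_C = 'app.alert(1);'
SAMPLES = {
    "a.pdf": b"<< /S /JavaScript /JS (" + JS_A.encode() + b") >>",
    "b.pdf": b"<< /S /JavaScript /JS <" + JS_B.encode().hex().encode() + b"> >>",
    "c.pdf": b"<< /S /JavaScript /JS (" + JS_C.encode() + b") >>",
    "d.pdf": b"<< /Type /Page >>",
}

if __name__ == "__main__":
    for sig, names in cluster(SAMPLES).items():
        print(names, "<-", sig)
```

Run as a script, a.pdf and b.pdf fall into one class with the signature `var ID = unescape ( STR ) ; var ID = STR ; this [ ID ] ( ID ) ;`, c.pdf forms its own class and d.pdf goes to the no-JavaScript bucket. Exact-signature grouping is the simplest of the "different methods" the abstract mentions; a distance measure over the same token sequences would let near-identical classes be merged as well.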

Bibliographic details

  • Source
    Journal in Computer Virology | 2012, issue 4 | pp. 151-163 | 13 pages
  • Author affiliations

    1. BitDefender AntiMalware Laboratory, 37 Sfântul Lazăr Street, Solomons Building, Iaşi, Romania; 2. Gheorghe Asachi University, Iaşi, Romania

    1. BitDefender AntiMalware Laboratory, 37 Sfântul Lazăr Street, Solomons Building, Iaşi, Romania; 3. Alexandru Ioan Cuza University, Iaşi, Romania

    1. BitDefender AntiMalware Laboratory, 37 Sfântul Lazăr Street, Solomons Building, Iaşi, Romania; 3. Alexandru Ioan Cuza University, Iaşi, Romania

  • Original format: PDF
  • Language: English
