The frequent attacks of Advanced Persistent Threats (APT) pose a serious threat to network security. APT malware is a weapon developed by attackers for specific targets, and it is active throughout the attack process. Therefore, the organizational attribution of APT malware is very important. Visualizing APT malware enables security personnel to observe the similarities between malware of the same APT organization and the differences between organizations. At present, most image-based APT malware organization attribution methods directly convert binary file bytecodes into grayscale or RGB images, which suffer from problems such as a single image source, poor anti-obfuscation ability and information loss. In addition, new APT malware emerges in an endless stream and in huge numbers. Traditional organization attribution methods lag behind, so it is difficult to take targeted defensive measures in time. To address these problems, this paper explores image-based APT malware organization attribution methods, considering the need to attribute a large number of unpacked APT malware samples to the corresponding APT organization quickly and accurately. The main research contents of this paper are as follows.

(1) An APT malware organization attribution method based on binary file images is proposed. Firstly, the byte and string information of the APT malware binary file is extracted. Secondly, RGB images composed of byte values, information entropy values and string statistics are constructed. Finally, the ResNet50 algorithm is used for training. Experimental results show that this method does not need disassembly or pre-processing steps such as unpacking and decompression, which effectively improves the efficiency of APT malware organization attribution.

(2) An APT malware organization attribution method based on dynamic API sequence images is proposed. Firstly, multiple features, such as the API call category function, the API call contribution and the different API call values within a block, are extracted. Secondly, these features are converted into RGB images. Finally, the ResNet50-CBAM organization attribution model is constructed. Experimental results show that this method can accurately extract global and local features from malware images and can accurately attribute APT malware to its organization.

(3) An APT malware organization attribution prototype system is designed and implemented. The system displays APT malware and organization-related information on its home page, allows users to upload APT malware samples, select different organization attribution models according to whether the samples are packed, and visualizes the results.

This paper analyzes the APT organization attribution of malware, which can support the tracing of APT attacks, improve network security defense capability, and effectively reduce the burden on security personnel of dealing with a large number of malware samples when preventing APT attacks.
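The first method above maps byte values, information entropy and string statistics of a binary onto the three channels of an RGB image. The following Python script is an added illustration of that featurization and is not the thesis's own code; the block size of 16 bytes, the per-channel mapping (R = mean byte value, G = block entropy scaled from 0..8 bits to 0..255, B = fraction of bytes inside printable string runs) and the sample bytes are all assumptions made for the example. It writes a dependency-free PPM file so the result can be opened in any image viewer.

```python
"""Turn an unpacked binary into a three-channel (RGB) image.

Added example, not the thesis's code. The channel mapping is an assumption:
  R = mean byte value of the block
  G = Shannon entropy of the block, scaled from 0..8 bits to 0..255
  B = fraction of bytes inside printable-ASCII string runs, scaled to 0..255
"""
import math
from collections import Counter

BLOCK_SIZE = 16        # bytes folded into one pixel (assumed)
MIN_STRING_LEN = 4     # shortest printable run counted as a "string" (assumed)


def shannon_entropy(block: bytes) -> float:
    """Entropy of the byte distribution in bits, 0.0 for constant data, 8.0 for uniform."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def string_density(block: bytes, min_len: int = MIN_STRING_LEN) -> float:
    """Fraction of bytes that belong to printable-ASCII runs of at least min_len."""
    if not block:
        return 0.0
    covered = run = 0
    for b in block:
        if 0x20 <= b <= 0x7E:          # printable ASCII range
            run += 1
        else:
            if run >= min_len:
                covered += run
            run = 0
    if run >= min_len:                 # run that reaches the end of the block
        covered += run
    return covered / len(block)


def block_to_pixel(block: bytes) -> tuple:
    """Fold one block of bytes into an (R, G, B) triple."""
    r = int(sum(block) / len(block))
    g = int(round(shannon_entropy(block) / 8.0 * 255))
    b = int(round(string_density(block) * 255))
    return (r, g, b)


def binary_to_rgb_pixels(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Pixel list in file order; a short trailing block is kept rather than dropped."""
    return [block_to_pixel(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def pixels_to_rows(pixels: list, width: int = None) -> list:
    """Lay the pixel list out on a roughly square canvas, zero-padding the last row."""
    if width is None:
        width = max(1, math.isqrt(len(pixels)))
    rows = []
    for i in range(0, len(pixels), width):
        row = pixels[i:i + width]
        row += [(0, 0, 0)] * (width - len(row))
        rows.append(row)
    return rows


def write_ppm(path: str, rows: list) -> None:
    """Write a binary PPM (P6) image; no third-party library needed."""
    height, width = len(rows), len(rows[0])
    with open(path, "wb") as fh:
        fh.write(f"P6 {width} {height} 255\n".encode())
        for row in rows:
            fh.write(bytes(v for px in row for v in px))


# Constructed sample: a fake header, a high-entropy run, one string and zero padding.
SAMPLE_BINARY = b"MZ\x90\x00" + bytes(range(256)) + b"Hello, World!\x00" + b"\x00" * 64

if __name__ == "__main__":
    pixels = binary_to_rgb_pixels(SAMPLE_BINARY)
    rows = pixels_to_rows(pixels)
    write_ppm("sample.ppm", rows)
    print(len(pixels), "pixels on a", len(rows[0]), "x", len(rows), "canvas")
```

Running the script on a real unpacked sample instead of `SAMPLE_BINARY` gives an image in which packed or encrypted regions show up as bright green (high entropy), string tables as bright blue, and code as mid-range red, which is the kind of per-region structure a CNN such as ResNet50 can learn from without any disassembly step.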