Abstract
To improve feature validity and widen the detection scope, this paper proposes extracting malicious JavaScript features in addition to the malicious structural features of PDF files; to reduce detection time, it proposes adding a pre-detection stage based on information entropy differences before feature extraction. First, the information entropy difference between malicious and benign PDFs is used to screen files into suspicious PDFs and benign PDFs. Then, during the detection stage, the structural and JavaScript features of the suspicious PDFs are extracted and classified with the C5.0 decision tree algorithm. Finally, experiments verify that the proposed method detects malicious PDF files effectively. Compared with PJScan, PDFMS and other models, the method's detection rate is 27.79% higher than PJScan's with 390 s less time consumption, and its false detection rate is 0.7% lower than PDFMS's with 473 s less time consumption, giving better overall performance.
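The two stages described above, the entropy-based pre-detection followed by structural and JavaScript feature extraction for the files it flags, written as an added Python example that is not the paper's own code. The entropy threshold, the indicator list and the two sample byte strings are constructed assumptions; the C5.0 classification step is not shown.

```python
import math
import re
from collections import Counter

# Assumed threshold (bits per byte): the paper relies on an entropy difference between
# malicious and benign PDFs but this page gives no value, so 6.0 is a placeholder.
ENTROPY_THRESHOLD = 6.0
# Indicator names from the PDF specification; the paper's exact feature set is not on
# this page, so this list is an illustrative assumption.
STRUCTURAL_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/ObjStm"]
JS_PATTERNS = {"eval": rb"eval\(", "unescape": rb"unescape\(",
               "fromCharCode": rb"String\.fromCharCode"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pre_detect(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Stage 1: whole-file entropy above the threshold marks the file as suspicious."""
    return shannon_entropy(data) > threshold

def extract_features(data: bytes) -> dict:
    """Stage 2: count structural keys and JavaScript patterns in the raw file bytes."""
    feats = {k.decode(): data.count(k) for k in STRUCTURAL_KEYS}
    for name, pat in JS_PATTERNS.items():
        feats[name] = len(re.findall(pat, data))
    return feats

def analyse(data: bytes) -> dict:
    """Two-stage pipeline: files that pass pre-detection skip feature extraction."""
    ent = shannon_entropy(data)
    result = {"entropy": round(ent, 3), "suspicious": ent > ENTROPY_THRESHOLD}
    if result["suspicious"]:
        result["features"] = extract_features(data)  # would feed the C5.0 classifier
    return result

# Constructed samples (not real files): a minimal plain-text PDF skeleton, and one that
# carries /OpenAction -> JavaScript plus a high-entropy stream body.
BENIGN_SAMPLE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                 b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n")
SUSPICIOUS_SAMPLE = (b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
                     b"2 0 obj << /S /JavaScript /JS (eval(unescape('%u9090'))) >> endobj\n"
                     b"3 0 obj << /Length 1024 >> stream\n" + bytes(range(256)) * 4
                     + b"\nendstream endobj\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, analyse(sample))
```

Compressed streams also raise whole-file entropy, so in practice the threshold has to be calibrated on labelled benign and malicious samples rather than fixed by hand.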
Authors
LI Guo (李国), HUANG Yongjian (黄永健), WANG Jing (王静), XU Junjie (徐俊洁), WANG Peng (王鹏)
College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China; Tianjin Key Laboratory for Civil Aircraft Airworthiness and Maintenance, Civil Aviation University of China, Tianjin 300300, China
Source
Modern Electronics Technique (《现代电子技术》), Peking University Core Journal
2020, No. 2, pp. 45-48, 52 (5 pages)
Funding
Research Project on Airworthiness Certification Technology for Airborne Network Security Protection (AADSA0018)
Keywords
malicious PDF file
file detection
file screening
file feature extraction
information entropy pre-detection
experimental verification