Malicious Code Homology Analysis Method Based on ATT&CK Framework and Bert Model

doi:10.3969/j.issn.1006-2475.2025.08.008

Abstract

Abstract:
Abstract: At present， malware attacks are one of the main threats to cyberspace security. By analyzing malicious programs from known organizations and determining the homology of unknown malicious programs based on similar characteristics， it is helpful to identify unknown malicious programs and attribution attack organizations. However， the existing homology analysis models have some problems， such as high complexity of manual feature extraction， inadaptability to large-scale analysis scenarios， low efficiency， and lack of in-depth consideration of the transmission relationship between attack behaviors. This paper proposes a homology recognition model based on the ATT&CK framework and the Bert（bidirectional encoder representation from transformers） model， which solves the problem of low homology recognition accuracy caused by code confusion and polymorphism in the face of static features through high-dimensional attack techniques and tactics in the ATT&CK framework. The Bert model is used to effectively integrate the multi-dimensional features of malicious code， and solve the problem of insufficient sequence modeling by recurrent neural network-based analysis methods. Experimental results show that the proposed scheme can effectively identify the homology between malicious codes.

Key words: Key words: malicious code； homology analysis； ATT&, CK framework； Bert model ,

CLC Number:

中图分类号：TP309

ZHENG Xiaoyu, LIN Jiuchuan, CHEN Wenxuan, YAO Xinyu. Malicious Code Homology Analysis Method Based on ATT&CK Framework and Bert Model[J]. Computer and Modernization, 2025, 0(08): 57-62.

References

［1］瑞星. 瑞星发布《2023年中国网络安全报告》病毒数量上涨15% ［EB/OL］. （2024-01-31）［2024-05-15］. https://www.freebuf.com/news/391053.html.
［2］宋文纳，彭国军，傅建明，等. 恶意代码演化与溯源技术研究［J］. 软件学报， 2019，30（8）:2229-2267.
［3］ CHEN Q， JIANG G P， XIA L L. Homology analysis of malware based on function structure［J］. Computer Engineering and Applications， 2017，53（14）:93-98.
［4］杨望，高明哲，蒋婷. 一种基于多特征集成学习的恶意代码静态检测框架［J］. 计算机研究与发展， 2021，58（5）:1021-1034.
［5］ KWON Y M， AN J J， LIM M J， et al. Malware classification using simhash encoding and PCA （MCSP）［J］. Symmetry， 2020，12（5）. DOI: 10.3390/sym12050830.
［6］ ZHOU E， HOU X L， ZHANG Z， et al. A preamble structure and synchronization method based on central-symmetric sequence for OFDM systems［C］// VTC Spring 2008 IEEE Vehicular Technology Conference. IEEE， 2008:1478-1482.
［7］赵炳麟，孟曦，韩金等. 基于图结构的恶意代码同源性分析［J］. 通信学报， 2017，38（增2）:86-93.
［8］ JIA J Y. Deep learning and open set malware classification: A survey［J］. arXiv preprint arXiv:2004.04272， 2020.
［9］陈雁佳. 恶意软件组织的开集识别模型研究［D］. 广州:暨南大学， 2020.
［10］刘亚倩. 基于开集识别的恶意代码家族同源性分析［J］. 信息安全研究， 2023，9（8）:762-770.
［11］王慧. 恶意代码同源性特征的粒子群关联分析［J］. 中国人民公安大学学报（自然科学版）， 2021，27（3）:61-65.
［12］ ZHAO B L， SHAN Z， LIU F D， et al. Malware homology identification based on a gene perspective［J］. Frontiers of Information Technology & Electronic Engineering， 2019，20（6）:801-815.
［13］ CHEN W X， HELU X H， JIN C J， et al. Advanced persistent threat organization identification based on software gene of malware［J］. Transactions on Emerging Telecommunications Technologies， 2020，31（12）. DOI: 10.1002/ett.3884.
［14］ WANG R Z， GAO J， HUANG S H. AIHGAT: A novel method of malware detection and homology analysis using assembly instruction heterogeneous graph［J］. International Journal of Information Security， 2023，22（5）:1423-1443.
［15］ ROSENBERG I， SICARD G， DAVID E O. End-to-end deep neural networks and transfer learning for automatic analysis of nation-state malware［J］. Entropy， 2018，20（5）. DOI: 10.3390/e20050390.
［16］ BOOT C. Applying Supervised Learning on Malware Authorship Attribution［D］. Radboud University Nijmegen， 2019.
［17］陈涵泊，吴越，邹福泰. 基于Asm2Vec的恶意代码同源判定方法［J］. 通信技术， 2019，52（12）:3010-3015.
［18］王润正. 基于注意力机制的恶意代码同源性研究［D］. 北京：中国人民公安大学， 2022.
［19］陈实. 基于Transformer的恶意代码分类研究与实现［D］.北京：北京邮电大学， 2022.
［20］ RAHALI A， AKHLOUFI M A. MalBERTv2: Code aware BERT-based model for malware identification［J］. Big Data and Cognitive Computing， 2023，7（2）. DOI: 10.3390/bdcc7020060.
［21］ ZHU X J， HUANG J， WANG B， et al. Malware homology determination using visualized images and feature fusion［J］. PeerJ Computer Science， 2021，7. DOI: 10.7717/peerj-cs.494.
［22］ STROM B E， APPLEBAUM A， MILLER D， et al. MITRE ATT&CK: Design and Philosophy［R］. The MITRE Corporation， 2018.
［23］杨萍，舒辉，康绯，等. 一种基于语义分析的恶意代码攻击图生成方法［J］. 计算机科学， 2021，48（增1）:448-458.
［24］葛雨玮，康绯，彭小详. 基于动态BP神经网络的恶意代码同源性分析［J］. 小型微型计算机系统， 2016，37（11）:2527-2531.
［25］ XIONG W J， LEGRAND E， ÅBERG O， et al. Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix［J］. Software and Systems Modeling， 2022，21（1）:157-177.
［26］冀俊涛，石磊. 基于ATT&CK框架的实战分析［J］. 网络安全技术与应用， 2021（2）:6-8.
［27］张福，程度，鄢曲，等. 基于ATT&CK框架的网络安全评估和检测技术研究［J］. 信息安全研究， 2022，8（8）:751-759.
［28］ BALLENTHIN W， HUNHOFF M， GÓMEZ A M M， et al. CAPA［CP/OL］. （2024-03-15）［2024-03-24］. https://github.
com/mandiant/capa.
［29］ VX-Underground. Samples and Families［DS/OL］. （2024-03-09）［2024-03-24］.

[1]	YU Zhiwen, ZHAO Ruifeng, LAN Tian, LI Qian, LI Haobin . An Active Distribution Network Dynamic Fault Recovery Method Based on Rolling Optimization [J]. Computer and Modernization, 2025, 0(08): 1-9.
[2]	WEI Huimin1, 2, ZHOU Jiake1, 2, WEN Yongjun1, 2, TANG Lijun1, 2. Chinese Entity Relation Joint Extraction Method Based on Deep Learning [J]. Computer and Modernization, 2025, 0(08): 10-15.
[3]	JING Qingwu, CHEN Hongjun, GAO Di, ZHOU Meimei. Goal Driven Recommendation-oriented Dialog Generation Method [J]. Computer and Modernization, 2025, 0(08): 16-23.
[4]	SHI Fengyuan1, 2, MAO Yi3, JIAO Lei4. Cross-domain Book Recommendation Method Based on Heterogeneous Information Network [J]. Computer and Modernization, 2025, 0(08): 24-30.
[5]	. Discovery of Fine-grained Subjective Perception of Urban Blocks in User Comment Data [J]. Computer and Modernization, 2025, 0(08): 31-38.
[6]	LI Yan, MAO Jiaming, WANG Ziying, GU Zhimin, JIANG Haitao. Anomalous Event Prediction Approach Using Graph Neural Network [J]. Computer and Modernization, 2025, 0(08): 39-47.
[7]	XIE Shanyi1, 2, WANG Zhongao1, 2, ZHAN Congcong1, 2, LI Xingwang1, 2, XIA Haoran3. A Intrusion Detection Method Based on Imbalanced Power Communication Traffic [J]. Computer and Modernization, 2025, 0(08): 48-56.
[8]	CHENG Yuwen, JING Yijun, SHI Zicheng, JING Changqiang, GUO Feng, WU Chuankun. A Data Privacy Protection Scheme Based on Federated Learning [J]. Computer and Modernization, 2025, 0(08): 63-69.
[9]	LIANG Zhantao1, HUANG Guohao1, HUANG Chengzi1, YIN Jianxin3, GAO Xingyu2, HUANG Yang1. Machine-vision based Geometric and Color-difference Inspection System for Solid Wood Floor [J]. Computer and Modernization, 2025, 0(08): 70-75.
[10]	SU Yansen, MOU Li. Improved Classroom Behavior Detection Algorithm for YOLOv8 [J]. Computer and Modernization, 2025, 0(08): 76-81.
[11]	GAO Lisha1, PENG Guozheng2, WANG Chong1, HAN Shuo1, XIANG Nan1, ZHANG Qizhe2, ZHU Yuefei3, CHENG Xu3. Dual-backbone Network Insulator Defect Detection Algorithm Based on YOLOv5 [J]. Computer and Modernization, 2025, 0(08): 82-88.
[12]	LI Jia. Classification and Diagnosis of Breast Cancer Histopathological Images Based on Transfer Learning [J]. Computer and Modernization, 2025, 0(08): 89-96.
[13]	HU Shaowen, HUANG Langxin, YU Lihui, SHI Weili, JIANG Nan, SUN Wu, LUO Shuhuan. Optimizing Wavelet Neural Network for Pure Milk Recognition using Improved Genetic Algorithm [J]. Computer and Modernization, 2025, 0(08): 97-103.
[14]	WANG Rongchen, LIU Junhua. Two Level Double Association-Based Evolutionary Algorithm for Multi-Objective Optimization [J]. Computer and Modernization, 2025, 0(08): 104-114.
[15]	WEI Xiaogang1, MEI Wenming2, HU Youjun1, TU Zhengwei1, WANG Rui3 . 5G Terminal Signaling Outlier Detection Algorithm Based on Joint Distance and Density [J]. Computer and Modernization, 2025, 0(08): 115-118.