Similar literature
 Found 20 similar documents; search took 62 ms
1.
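Malicious code is growing explosively in cyberspace, yet most of it consists of variants of existing code. By studying the behavioral characteristics of malicious code, this paper proposes a new method for determining malicious code homology. Starting from malicious code behavior, the method extracts behavioral fingerprints and uses a fingerprint-matching algorithm to analyze whether a malicious sample is a variant of a known sample. After study and analysis, three kinds of features were finally selected to describe the dynamic behavioral fingerprint of malware: first, the naming features of strings; second, the change features of the registry; third, the features of the call order around key API functions. The fingerprint-matching algorithm computes a similarity measure between different malicious code samples for homology analysis. Experimental results show that the method can effectively perform homology analysis on different malicious code and its variants.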

2.
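This paper analyzes the main technical characteristics of current techniques for countering traditional feature extraction and proposes the concept of malicious code family relatedness. Based on the similarity of the function call graphs of the main body code of different variants of the same malicious code, and on the fact that different malicious code uses common kernel functions to implement the same functionality, it gives a malicious code family feature extraction method based on function call graphs and kernel function call sets. The method uses node-degree features in the function call graph for matching and comparison, and uses set operations to obtain function features. Experiments show that virus detection using this method has low false-negative and false-positive rates, and that the method is of positive significance for defending against unknown malicious code.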

3.
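The evasion techniques of malicious code keep changing and variants emerge endlessly, which poses severe challenges to malicious code classification. To address the insufficient feature extraction and low accuracy of current deep-learning-based malicious code classification methods, a malicious code classification method (BiTCNSA) based on a bidirectional temporal convolutional network (BiTCN) and a self-attention mechanism (Self-Attention) is proposed. The method fuses opcode features and image features of malicious code to present different feature details and increase feature diversity. A BiTCN is constructed to process the fused features, making full use of the forward and backward dependencies among features. A self-attention mechanism is introduced to dynamically adjust data weights, further mining the correlations among the internal data of malicious code. The model was validated on the Kaggle dataset; experimental results show that the method achieves an accuracy of up to 99.75%, with fast convergence and low error.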

4.
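As the number and variety of malicious code grow, detecting malicious code quickly and effectively is very necessary, and the key technology is malicious code feature extraction. To address the insufficient speed of existing extraction of malicious code bytecode-sequence features, a GPU-accelerated method for extracting bytecode-sequence features is proposed. Using the relatively mature Compute Unified Device Architecture (CUDA), compute-intensive tasks in the traditional bytecode-sequence feature extraction method, such as extraction of bytecode N-Gram features and computation of TFIDF features, are handed to the GPU for parallel computation. Experiments show that, for datasets with different sample file sizes, the method achieves a speedup of 2 to 4 times or more in all cases, greatly increasing the speed of bytecode-sequence feature extraction.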

5.
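To address the problem that existing malicious code detection models have a low recognition rate for malicious code and its variants and too many parameters, the lightweight convolution Ghost, the densely connected network DenseNet and the channel attention mechanism SE are combined, and a malicious code family detection model based on Ghost-DenseNet-SE is proposed. To compress model size and increase recognition speed, the model replaces the standard convolutional layers in DenseNet with lightweight Ghost modules; it also introduces a channel attention mechanism that assigns different weights to feature channels in order to extract the key features of malicious code and improve detection accuracy. Experimental results on the Malimg dataset show that the model's recognition accuracy for malicious code families can reach 99.14%, which is 1.34% and 2.98% higher than models such as AlexNet and VGGNet respectively, with fewer model parameters. The algorithm improves classification accuracy while reducing model complexity, and has important engineering value and practical significance for malicious code detection.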

6.
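To address problems in traditional malicious code labeling and analysis methods, such as insufficient feature extraction capability and family labels that are inconsistent, non-standard, imprecise and poorly timed, a deep labeling method for malicious code based on content texture clustering is proposed, through study of the texture composition and distribution of a large number of malicious sample PE files. The method statistically analyzes the texture fingerprints of malicious code, summarizes and analyzes malicious code families in two steps, baseline labeling and deep labeling, and combines the VirusTotal analysis method, a GLCM-based texture feature space construction method and a P-Stable LSH based nearest-neighbor incremental clustering algorithm to deeply label malicious code families. Experimental results show that a prototype system developed on this method has advantages such as high family labeling accuracy and support for incremental labeling, that the baseline labels generated through deep labeling are highly practical, and that the method is of positive significance for detecting unknown malicious code.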

7.
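Malicious code detection methods based on dynamic API sequence mining do not consider the behavioral differences between different categories of malicious code, so the mining of malicious sequences that represent malicious behavior is ineffective and detection efficiency is low. This paper introduces objective-oriented association mining and proposes a longest frequent sequence mining algorithm, mining longest frequent sequences as features for malicious code detection. First, the method extracts the dynamic API sequences of sample files and preprocesses them; then, it uses the longest frequent sequence mining algorithm to mine sets of longest frequent sequences for multiple categories; finally, it uses the mined sets to build a bag-of-words model, converts the dynamic API sequences of sample files into vectors according to this model, and builds a classifier with the random forest algorithm to detect malicious code. Experiments were carried out on a dataset provided by Alibaba Cloud; detection accuracy and AUC (Area Under Curve) reached 95.6% and 0.99 respectively, and the results show that the proposed method can effectively detect malicious code.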

8.
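With the rapid development of network technology, malicious code seriously threatens computer and network security. Malicious code such as viruses and worms keeps mutating and spreads rapidly, information security faces enormous challenges, and malicious code analysis and detection have become a focus of current network research. Based on an analysis of the theory of malware, this paper discusses issues related to malicious code analysis techniques and analysis tools.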

9.
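This project uses virtual machine introspection and memory forensic analysis, together with machine learning, to detect malicious code in cloud environments. With the wide adoption of cloud computing, the variety and number of malware targeting cloud environments are also increasing daily. In view of this, the project studies a "malicious code detection system for virtualized environments": it obtains behavioral data of malicious code by calling the LibVMI introspection library and the Volatility memory forensics tool, and then uses the KNN algorithm to implement malicious code detection. When extracting the behavioral features of malicious code, the system combines virtual machine introspection and memory forensic analysis and can obtain a large number of features of different kinds at one time. This multi-feature data acquisition method also effectively reduces the impact of the obfuscation techniques commonly used by current advanced malware.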

10.
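In malicious code analysis, dynamically monitoring malicious code behavior in a virtual environment is a common method. However, because there are many executable path branches, path explosion occurs very easily, leaving some executable paths uncovered and seriously affecting the comprehensiveness of the analysis. To solve the path explosion problem in malicious code analysis, a malicious code analysis method based on a symbolic execution tree is proposed. By constructing a symbolic execution tree and introducing convergence nodes, constraint solving is performed on the execution paths of malicious code to reduce the number of paths analyzed, thereby mitigating the impact of path explosion and improving the comprehensiveness of the analysis. Experiments on malicious code samples show that the method can effectively improve analysis efficiency while having low time complexity.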

11.
The discovery of the prolific Ordovician Red River reservoirs in 1995 in southeastern Saskatchewan was the catalyst for extensive exploration activity which resulted in the discovery of more than 15 new Red River pools. The best yields of Red River production to date have been from dolomite reservoirs. Understanding the processes of dolomitization is, therefore, crucial for the prediction of the connectivity, spatial distribution and heterogeneity of dolomite reservoirs. The Red River reservoirs in the Midale area consist of 3~4 thin dolomitized zones, with a total thickness of about 20 m, which occur at the top of the Yeoman Formation. Two types of replacement dolomite were recognized in the Red River reservoir: dolomitized burrow infills and dolomitized host matrix. The spatial distribution of dolomite suggests that burrowing organisms played an important role in facilitating the fluid flow in the backfilled sediments. This resulted in penecontemporaneous dolomitization of burrow infills by normal seawater. The dolomite in the host matrix is interpreted as having occurred at shallow burial by evaporitic seawater during precipitation of Lake Almar anhydrite that immediately overlies the Yeoman Formation. However, the low δ18O values of dolomitized burrow infills (-5.9‰~ -7.8‰, PDB) and matrix dolomites (-6.6‰~ -8.1‰, avg. -7.4‰ PDB) compared to the estimated values for the late Ordovician marine dolomite could be attributed to modification and alteration of dolomite at higher temperatures during deeper burial, which could also be responsible for its 87Sr/86Sr ratios (0.7084~0.7088) that are higher than suggested for the late Ordovician seawaters (0.7078~0.7080). The trace amounts of saddle dolomite cement in the Red River carbonates are probably related to "cannibalization" of earlier replacement dolomite during the chemical compaction.

12.
There are numerous geometric objects stored in spatial databases. An important function of a spatial database is that users can browse the geometric objects as a map efficiently. Thus the spatial database should swiftly display the geometric objects users are concerned with in the display window. This process includes two operations: retrieving data from the database and then drawing them on the screen. Accordingly, to improve efficiency, we should try to reduce the time of both retrieving objects and displaying them. The former can be achieved with the aid of a spatial index such as an R-tree; the latter requires simplifying the objects. Simplification means that objects are shown with sufficient but not unnecessary detail, which depends on the scale of browsing. So the major problem is how to retrieve data at different detail levels efficiently. This paper introduces the implementation of a multi-scale index in the spatial database SISP (Spatial Information Shared Platform), which is generalized from the R-tree. The difference between the generalization and the R-tree lies in two facets. One is that every node and geometric object in the generalization is assigned an importance value which denotes its importance, and every vertex in the objects is assigned an importance value, too. The importance value can be used to decide which data should be retrieved from disk in a query. The other difference is that geometric objects in the generalization are divided into one or more sub-blocks, and vertices are totally ordered by their importance value. With the help of the generalized R-tree, one can easily retrieve data at different detail levels. Some experiments are performed on real-life data to evaluate the performance of solutions that separately use the normal spatial index and the multi-scale spatial index. The results show that the solution using the multi-scale index in SISP is satisfying.

13.
A computer generator for randomly layered structures. YU Jia shun1,2, HE Zhen hua2 (1. The Institute of Geological and Nuclear Sciences, New Zealand; 2. State Key Laboratory of Oil and Gas Reservoir Geology and Exploitation, Chengdu University of Technology, China). Abstract: An algorithm is introd…

14.
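This paper describes the entire process of a paleomagnetic study of Cretaceous to Quaternary strata rocks of Hainan Island and its adjacent continental margin. By analyzing changes in the declination and inclination of the remanent magnetization vectors in the rocks, the following tectonic evolution model for Hainan Island since the Cretaceous is proposed: in the early stage it migrated southward accompanied by clockwise rotation, and in the later stage it moved northward accompanied by counterclockwise rotation. In connection with geological and geophysical data from this and adjacent areas, the following understanding of the above terrane motion of Hainan Island is put forward: there was an early extensional process within the Beibu Gulf, and it was mainly this process that significantly stretched and thinned the crust in the gulf, forming the Beibu Gulf Basin. This led to the early tectonic movement of Hainan Island, while its later tectonic movement was mainly influenced by seafloor spreading of the South China Sea. Clarifying the pattern of Hainan terrane motion has important theoretical and practical significance for understanding the formation and evolution of the Beibu Gulf oil and gas basin.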

15.
Various applications relevant to the exciton dynamics, such as the organic solar cell, the large-area organic light-emitting diodes and the thermoelectricity, are operating under temperature gradient. The potential abnormal behavior of the exciton dynamics driven by the temperature difference may affect the efficiency and performance of the corresponding devices. In the above situations, the exciton dynamics under temperature difference is mixed with

16.
The elongation method, originally proposed by Imamura, was further developed for many years in our group as a method towards O(N) with high efficiency and high accuracy for any dimensional systems. This treatment designed for one-dimensional (1D) polymers is now available for three-dimensional (3D) systems, but geometry optimization is now possible only for 1D systems. As an approach toward post-Hartree-Fock, it was also extended to

17.
18.
The explosive growth of the Internet and database applications has driven databases to be more scalable and available, and able to support on-line scaling without interrupting service. To support more clients' queries without downtime and without degrading the response time, more nodes have to be scaled up while the database is running. This paper presents an overview of a scalable and available database that satisfies the above characteristics, and we propose a novel on-line scaling method. Our method improves the existing on-line scaling method for fast response time and higher throughput. Our proposed method reduces unnecessary network use, i.e., we decrease the number of data copies by reusing the backup data. Also, our on-line scaling operation can be processed in parallel by selecting adequate nodes as the new node. Our performance study shows that our method results in a significant reduction in data copy time.

19.
R-Tree is a good structure for spatial searching. But in this indexing structure, both the sequence of nodes in the same level and the sequence of traveling these nodes when queries are made are random. Since the possibility that the object appears in different MBRs which have the same parent node is different, if we make the subnode that has the highest possibility be traveled first, the time cost will be decreased in most cases. In some cases, the possibility of a point belonging to a rectangle is in direct proportion to the size of the rectangle. But this conclusion is based on an assumption that the objects are symmetrically distributed in the area, and this assumption does not always hold. We have found a more direct parameter to scale the possibility and made a small change to the structure of the R-tree, to increase the possibility of finding the satisfying answer in the front subtrees. We name this structure the probability based arranged R-tree (PBAR-tree).

20.
The geographic information service is enabled by the advancements in general Web service technology and the focused efforts of the OGC in defining XML-based Web GIS services. Based on these models, this paper addresses the issue of service chaining, the process of combining or pipelining results from several interoperable GIS Web Services to create a customized solution. This paper presents a mediated chaining architecture in which a specific service takes responsibility for performing the process that describes a service chain. We designed the Spatial Information Process Language (SIPL) for dynamic modeling and describing the service chain; also, a prototype of the Spatial Information Process Execution Engine (SIPEE) is implemented for executing processes written in SIPL. Discussion of measures to improve the functionality and performance of such a system will be included.
