tokgolich/malware-lab
Malware Classification

Daemon programs

server: mcla_ser
Usage: mcla_ser [OPTION...] [STRING...]
    -h, --help                      display this help and exit
    -s, --start                     start mcla server(default ip: 127.0.0.1 port: 6758)
    -c, --conf                      set the config path(default: /polyhawk/mcla/mcla.cfg)

Startup example:
    root@carl:/home/malware-lab/src/mcla# mcla_ser -s
    MCLA: mcla_ser_init success.
    SOCEKT: create socket ok.
    SOCKET: bind ip:127.0.0.1 port:6758 ok.
    SOCKET: listen success
    CONN: Waiting for incoming connections...

client: mcla_cli
Usage: mcla_cli [OPTION...] [STRING...]
    -h, --help                      display this help and exit
    -i, --ip                        set the server ip(default: 127.0.0.1)
    -p, --port                      set the server port(default: 6758)
    -s, --scan-pe                   scan PE file and check malware

Test example (the client sends the path of the file to scan; the server parses it and answers with a result code, explained below):
    root@carl:/home/pd_malware# mcla_cli -s /home/malware-lab/src/mcla/Test/Bad/noshell/1293aad51c11b289d9e8afb0609bf5a5.vir 
    Connected ok
    len: 93, cmd: 1, path: /home/malware-lab/src/mcla/Test/Bad/noshell/1293aad51c11b289d9e8afb0609bf5a5.vir
    Send ok.
    RECV: receive ok[20]
    recv data: result: 201

Server configuration notes:
    mcla : 
    {
      use = 1;
      ip = "127.0.0.1";
      port = 6758;
      max_wait_conn = 10;
      timeout_ser = 15;
      machine_learning = 1;                                            # use the machine-learning classifier: 1 = on, 0 = off
      ml_model_path = "/polydata/content/mcla/mcla_svm.model";         # path of the trained SVM model
      ml_normalized_para = "/polydata/content/mcla/normalized.para";   # path of the feature-vector normalization parameter file
      input_num = 24;                                                  # dimension of the machine-learning feature vector
      daemon = 0;                                                      # run the server as a daemon: 1 = daemon, 0 = foreground
    };

Two things to keep in mind when changing this file: the server opens and parses whatever path the client hands it (cmd 1 carries the path, as the test example shows) and the examples run it as root, so keep ip on 127.0.0.1 unless every host that can reach the port is trusted, and prefer an unprivileged user for production. input_num must equal the dimension of the vectors the model in ml_model_path was trained on, and normalized.para must be the file produced by the same training run, otherwise the server scales features differently from training and the predictions are meaningless.

Result codes:
Not malicious: PE_MARWARE_OK = 0
Error while parsing the PE file: 1~100
Judged malicious by the non-machine-learning (rule-based) checks: 101~200
Judged malicious by the machine-learning classifier: 201~
The test example above returned 201, i.e. the sample was flagged by the SVM classifier.

Training steps

How "/polydata/content/mcla/mcla_svm.model" and "/polydata/content/mcla/normalized.para" are generated:

1. Generate the labeled file list (second argument is the label: 0 = good, 1 = bad):
    python ./mcla_tools/add_lable_to_file.py /home/malware-lab/src/mcla/Test/Good/exe/ 0 1
    python ./mcla_tools/add_lable_to_file.py /home/malware-lab/src/mcla/Test/Good/dll/ 0 3
    python ./mcla_tools/add_lable_to_file.py /home/malware-lab/src/mcla/Test/Bad/ 1 10
2. Generate the raw feature values:
    image features:   ./mcla_train -s trainfile.list -d mcla_data.csv -m
    PE file features: ./mcla_train -s trainfile.list -d mcla_data.csv -p
    all features:
    ./mcla_train -s trainfile.list -d mcla_data -t
    python ./mcla_tools/merge_csv.py mcla_data.img mcla_data.pe mcla_data.csv
3. Normalize the feature values (this step also writes normalized.para, which the server needs at scan time):
    python ./mcla_tools/csv_normalizer.py mcla_data.csv mcla_data_norm.csv normalized.para
4. Convert the normalized feature vectors to libsvm format:
    csv_to_svm mcla_data_norm.csv mcla_data_norm.svm
5. Cross-validate (libsvm: -t 0 selects a linear kernel, -v 5 runs 5-fold cross-validation and prints the accuracy instead of writing a model):
    svm-train -t 0 -v 5 mcla_data_norm.svm
