摘要
木马是以获取主机控制权和窃取信息为主要目的恶意程序,对网络安全和信息安全造成极大危害。研究并总结了木马攻击行为的规律,提出了一种通过静态分析PE文件来发现木马的方法。对现有的攻击树模型进行改进,设计了扩展攻击树模型,以此对木马攻击中常见的危险系统调用序列进行建模,将分析PE文件得到的API调用集合与建模得到的攻击树作匹配,来预测程序中可能存在的攻击行为,并能有效地区分木马文件和正常文件。
Trojan is malicious program which is designed to obtain privilege and steal information; it seriously endangers the interact security and information security, The rules of Trojan's attack actions are researched, a new Trojan horse detection method based on executable static analysis is proposed. The present attack tree model is improved, an extended attack tree model is designed to describe the sequences of threatening system calls Trojan commonly used. Matched the set of APIs used in PE file with the original extended attack tree, to predict the attack actions may appear in the implementation of the PE file and estimate whether the PE file is a Trojan.
出处
《计算机工程与设计》
CSCD
北大核心
2008年第11期2711-2714,共4页
Computer Engineering and Design
基金
国家自然科学基金项目(60473093)。
关键词
木马检测
攻击树
静态分析
可执行文件
系统调用
Trojan horse detection
attack tree
static analysis
portable executable file
system call
