摘要
可执行文件比较广泛应用于软件版权检测、恶意软件家族检测、异常检测的模式更新以及补丁分析.传统方法无法满足应用对速度和精度的要求.在函数、基本块和指令级别上设计了一元指令签名、基于函数控制流程图邻接矩阵的函数一元结构签名、指令的强/中/弱一元签名,并提出了融合签名和属性的函数匹配算法、基本块匹配算法,从而简化了已有指令比较,可抗指令重排,优于SPP.并通过匹配权统计以及严格的最大唯一匹配策略和Hash进一步降低误报,提高效率.最后,实现原型工具PEDiff,并通过实验证实了该比较方法在速度和精度上具有良好的性能.
Comparison of executable objects is widely used for software copyright, malware family, updating pattern of abnormity detection and software patch analysis. The traditional comparison methods can not meet the requirements of these applications in terms of speed and accuracy. A function unary structural signature based on adjacency matrix of a CFC-, and an unary instruction signature are designed to consider the instruction on a function; according to instruction code and operand, strong/medium/weak signatures about instruction sequences are designed to make instruction comparison easy, and weak signature can handle instruction reorder outweighing small primes product (SPP); three kinds of properties are appended to partition all objects into more groups. And then, comparison methods for functions and basic code blocks are presented using the above Signatures and proproties, and the matching policies using both statistical weights and the largest exclusive are exploited to decrease the false match. Furthermore,the Hash of signtures and properties is used to speed up the match. Finally, a protocol tool PEDiff is implemented using the above methods. Experimental results demonstrate that the method has better performance in terms of matching speed and rich analysis results.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2009年第11期1868-1876,共9页
Journal of Computer Research and Development
基金
国家自然科学基金项目(90718005)
国家"九七三"重点基础研究发展计划基金项目(2007CB310800)
国家"八六三"高技术研究发展计划基金项目(2007AA01Z411)~~
关键词
二进制分析
反汇编
结构签名
指令签名
控制流程图
binary analysis
disassemble
structural signature
instruction signature
control flow graph
