Homology analysis of malicious code based on dynamic-behavior fingerprint (基于动态行为指纹的恶意代码同源性分析)

Cited by: 12
Abstract: Malicious code is growing explosively in cyberspace, yet most new samples are variants of code that already exists. By studying the behavioural characteristics of malicious code, this paper proposes a new method for judging whether malicious code samples are homologous. Starting from the behaviour of the malware, a behaviour fingerprint is extracted, and a fingerprint-matching algorithm decides whether a malicious sample is a variant of a known sample. After analysis, three kinds of features were selected to describe the dynamic-behaviour fingerprint of a sample: the naming characteristics of its strings, the changes it makes to the registry, and the call order of the functions around key API calls. The fingerprint-matching algorithm computes a similarity measure between different malicious code samples, and this measure is used for the homology analysis. Experimental results show that the method can effectively analyse the homology of different malicious code samples and their variants.
Source: 《四川大学学报(自然科学版)》 (Journal of Sichuan University (Natural Science Edition)), indexed in CAS, CSCD and the Peking University Core Journals list; 2016, No. 4, pp. 793-798 (6 pages).
Keywords: malware; homology; dynamic behaviours; fingerprint characteristics
References (12)

  • [1] Wang Z, Pierce K, McFarling S. BMAT: a binary matching tool for stale profile propagation [J]. The Journal of Instruction-Level Parallelism (ILP), 2000, 2: 1.
  • [2] Flake H. Structural comparison of executable objects [C]//Proceedings of the IEEE Conference on Detection of Intrusions, Malware and Vulnerability Assessment (DIMVA). Dortmund, Germany: IEEE, 2004.
  • [3] Dullien T, Rolles R. Graph-based comparison of executable objects (English version) [J]. SSTIC, 2005, 5: 1.
  • [4] 杨洪深, 赵宗渠, 王俊峰. Research on malware detection technology based on intermediate code [J]. Journal of Sichuan University (Natural Science Edition), 2013, 50(6): 1216-1222. (Cited by: 6)
  • [5] Gao D, Reiter M K, Song D. BinHunt: automatically finding semantic differences in binary programs [C]//Information and Communications Security. Berlin, Heidelberg: Springer, 2008.
  • [6] Bailey M, Oberheide J, Andersen J, et al. Automated classification and analysis of internet malware [C]//Recent Advances in Intrusion Detection. Berlin, Heidelberg: Springer, 2007.
  • [7] Lee T, Mody J J. Behavioral classification [C]//EICAR Conference. Hamburg, Germany: [s.n.], 2006.
  • [8] 杨轶, 苏璞睿, 应凌云, 冯登国. A malicious code similarity comparison method based on behaviour dependency features [J]. Journal of Software (软件学报), 2011, 22(10): 2438-2453. (Cited by: 21)
  • [9] 钱雨村, 彭国军, 王滢, 梁玉. Homology analysis and family clustering of malicious code [J]. Computer Engineering and Applications (计算机工程与应用), 2015, 51(18): 76-81. (Cited by: 18)
  • [10] 董志强, 肖新光, 张栗伟. Analysing virus homology through coding psychology [J]. Information Security and Communications Privacy (信息安全与通信保密), 2005(8): 55-59. (Cited by: 9)
