Abstract
Malicious code is growing explosively in cyberspace, yet most new samples are variants of code already seen. By studying the behavioral characteristics of malicious code, this paper proposes a new method for judging whether malware samples are homologous. Starting from the malware's behavior, a behavioral fingerprint is extracted from each sample, and a fingerprint-matching algorithm is used to decide whether a malicious sample is a variant of a known one. After analysis, three kinds of features were selected to describe the dynamic-behavior fingerprint of malware: the naming characteristics of strings; the characteristics of registry changes; and the characteristics of the call order around key API functions. The fingerprint-matching algorithm computes a similarity measure between different malware samples, on which the homology analysis is based. Experimental results show that the method can effectively analyze the homology of different malware samples and their variants.
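The abstract names three feature classes but the page does not give the feature encoding or the matching algorithm. The following is an added illustration, not the paper's code: each class (string naming, registry changes, call order around key APIs) is turned into a set, the sets are compared with Jaccard similarity, and a weighted sum is thresholded to decide whether a sample is a variant of a known one. The key-API list, window size, weights, threshold and the three behaviour reports are constructed assumptions.

```python
"""Toy dynamic-behaviour fingerprint matcher (added example, not the paper's code).

Each constructed sandbox-style report lists three behaviour classes: strings
observed, registry operations, and the ordered API call trace. The feature
encodings, Jaccard scoring, weights, window size and threshold below are
assumptions made for this illustration."""
import re

# Assumed "key" APIs around which call order is fingerprinted.
KEY_APIS = {"WriteProcessMemory", "CreateRemoteThread",
            "RegSetValueExW", "InternetOpenUrlW"}
WINDOW = 2                                                 # assumption
WEIGHTS = {"strings": 0.3, "registry": 0.3, "api": 0.4}    # assumption
THRESHOLD = 0.6                                            # assumption


def string_features(strings):
    """Naming features: lower-cased identifier tokens with digit runs collapsed,
    so 'svchost32.exe' and 'svchost64.exe' yield the same tokens."""
    feats = set()
    for s in strings:
        for tok in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", s):
            feats.add(re.sub(r"\d+", "#", tok.lower()))
    return feats


def registry_features(reg_ops):
    """Registry-change features: (OP, key) pairs, case-folded, with any
    per-user SID in the path replaced so user-specific hives still match."""
    feats = set()
    for op, key in reg_ops:
        key = re.sub(r"S-1-5-21-[\d-]+", "<SID>", key)
        feats.add((op.upper(), key.lower()))
    return feats


def api_context_features(calls, window=WINDOW):
    """Call-order features: for each key API in the trace, the ordered tuple of
    up to `window` calls before it, the call itself, and up to `window` after."""
    feats = set()
    for i, api in enumerate(calls):
        if api in KEY_APIS:
            feats.add(tuple(calls[max(0, i - window):i + window + 1]))
    return feats


def fingerprint(report):
    return {"strings": string_features(report["strings"]),
            "registry": registry_features(report["registry"]),
            "api": api_context_features(report["api_calls"])}


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(fp1, fp2):
    """Weighted sum of per-feature-class Jaccard similarities."""
    return sum(WEIGHTS[k] * jaccard(fp1[k], fp2[k]) for k in WEIGHTS)


def is_variant(report, known, threshold=THRESHOLD):
    """Return (name, score) of the closest known sample if it reaches the
    threshold, else (None, best score)."""
    fp = fingerprint(report)
    best_name, best = None, 0.0
    for name, other in known.items():
        score = similarity(fp, fingerprint(other))
        if score > best:
            best_name, best = name, score
    return (best_name, best) if best >= threshold else (None, best)


# Constructed reports: A and A_VARIANT differ in digits, one registry value,
# a different user SID and two extra calls; C is an unrelated family.
SAMPLE_A = {
    "strings": ["svchost32.exe", "C:\\Users\\victim\\AppData\\Roaming\\update.dll",
                "cmd /c ping 127.0.0.1", "http://evil.example/gate.php"],
    "registry": [("SET", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
                 ("CREATE", "HKU\\S-1-5-21-1234567890-1234567890-1234567890-1001\\Software\\Updater")],
    "api_calls": ["GetModuleHandleW", "OpenProcess", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread", "CloseHandle",
                  "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
                  "InternetOpenW", "InternetOpenUrlW", "InternetReadFile"],
}
SAMPLE_A_VARIANT = {
    "strings": ["svchost64.exe", "C:\\Users\\victim\\AppData\\Roaming\\update.dll",
                "cmd /c ping 127.0.0.1", "http://evil2.example/gate.php"],
    "registry": [("set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
                 ("CREATE", "HKU\\S-1-5-21-9876543210-9876543210-9876543210-1002\\Software\\Updater"),
                 ("SET", "HKCU\\Software\\Updater\\id")],
    "api_calls": ["Sleep"] + SAMPLE_A["api_calls"] + ["GetTickCount"],
}
SAMPLE_C = {
    "strings": ["README_DECRYPT.txt", "vssadmin delete shadows /all",
                "C:\\Users\\victim\\Documents"],
    "registry": [("SET", "HKCU\\Control Panel\\Desktop\\Wallpaper")],
    "api_calls": ["FindFirstFileW", "CryptAcquireContextW", "CryptEncrypt",
                  "WriteFile", "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
                  "ShellExecuteW"],
}

if __name__ == "__main__":
    known = {"A": SAMPLE_A}
    for name, rpt in (("A_VARIANT", SAMPLE_A_VARIANT), ("C", SAMPLE_C)):
        print(name, "->", is_variant(rpt, known))
```

With these inputs the variant scores about 0.70 against sample A (strings 15/17, registry 2/3, API windows 3/5) and the unrelated sample C about 0.04, so only the variant clears the 0.6 threshold. Two caveats a practitioner would keep in mind: exact call windows are brittle if a variant inserts junk calls next to a key API (the prepended Sleep is harmless here only because it sits outside every window), so a real matcher would typically use n-grams or an edit distance over the window; and the normalisation rules (digit collapsing, SID stripping) decide how much obfuscation the string and registry features survive.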
Source
Journal of Sichuan University (Natural Science Edition) (《四川大学学报(自然科学版)》)
Indexed in: CAS, CSCD, Peking University Core Journals (北大核心)
2016, No. 4, pp. 793-798 (6 pages)
Keywords
Malware
Homology
Dynamic behavior
Fingerprint characteristics