Abstract
Addressing the network-security incidents currently caused by ransomware, and building on the analysis of a large number of ransomware samples, this paper proposes a ransomware detection and analysis method based on dynamic symbolic execution. The ADRAS system model is built on the binary instrumentation tool Pin and the constraint solver STP. Using dynamic symbolic execution and Satisfiability Modulo Theories (SMT), ADRAS monitors the encryption functions of ransomware, captures the encryption behaviour together with the related encryption information, and thereby detects ransomware from a number of families. Experimental results show that the ADRAS system model detects samples from 15 known ransomware families, including the well-known CryptoLocker and the recent WannaCry outbreak.
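The abstract only names the building blocks (Pin for instrumentation, STP for constraint solving, symbolic tracking of the encryption routine). The following is an added, constructed illustration of that detection principle and is not code from the paper or from ADRAS: a tiny stack VM stands in for Pin-instrumented x86, bytes read from the victim file and from key material become symbolic leaves, and the expression attached to each byte written back out is inspected for the signature of a cipher (file bytes mixed with key bytes through bit-mangling operations). Where ADRAS would hand a query to STP, this example re-evaluates the expression tree under a perturbed key instead; the toy cipher, the "copier" program, the instruction set, the sample file and the key are all assumptions made for the example.

```python
"""Toy dynamic symbolic execution for spotting file-encryption behaviour.
Constructed illustration, not ADRAS code. A stack VM replaces Pin; a
re-evaluation of expression trees replaces STP (both are assumptions)."""
from typing import List, Set, Tuple

# Expression tree: ('in', i) / ('key', j) leaves, ('rol', expr, n),
# or ('xor' | 'add', expr, expr).
Expr = tuple


def rol8(v: int, n: int) -> int:
    """8-bit rotate-left."""
    n %= 8
    return ((v << n) | (v >> (8 - n))) & 0xFF


def run(program: List[tuple], file_bytes: bytes, key: bytes) -> Tuple[bytes, List[Expr]]:
    """Execute `program` concretely while building a symbolic expression for
    every value (each stack slot is (concrete, expr)). Returns the bytes the
    program wrote and the expression behind each written position."""
    stack: List[Tuple[int, Expr]] = []
    out_val, out_expr = {}, {}
    for ins in program:
        op = ins[0]
        if op == 'LOAD_IN':          # byte read from the victim file -> symbolic
            stack.append((file_bytes[ins[1]], ('in', ins[1])))
        elif op == 'LOAD_KEY':       # byte read from key material -> symbolic
            stack.append((key[ins[1]], ('key', ins[1])))
        elif op == 'XOR':
            (b, eb), (a, ea) = stack.pop(), stack.pop()
            stack.append((a ^ b, ('xor', ea, eb)))
        elif op == 'ADD':
            (b, eb), (a, ea) = stack.pop(), stack.pop()
            stack.append(((a + b) & 0xFF, ('add', ea, eb)))
        elif op == 'ROL':
            a, ea = stack.pop()
            stack.append((rol8(a, ins[1]), ('rol', ea, ins[1])))
        elif op == 'STORE':          # byte written to the output file
            out_val[ins[1]], out_expr[ins[1]] = stack.pop()
        else:
            raise ValueError(f'unknown op {op}')
    pos = sorted(out_val)
    return bytes(out_val[i] for i in pos), [out_expr[i] for i in pos]


def leaves(e: Expr, kind: str) -> Set[int]:
    """Indices of the 'in' or 'key' leaves an expression depends on."""
    if e[0] in ('in', 'key'):
        return {e[1]} if e[0] == kind else set()
    return leaves(e[1], kind) | (set() if e[0] == 'rol' else leaves(e[2], kind))


def operators(e: Expr) -> Set[str]:
    """Set of operators occurring in an expression."""
    if e[0] in ('in', 'key'):
        return set()
    return {e[0]} | operators(e[1]) | (set() if e[0] == 'rol' else operators(e[2]))


def evaluate(e: Expr, file_bytes: bytes, key: bytes) -> int:
    """Concretely evaluate an expression tree under a given file and key."""
    if e[0] == 'in':
        return file_bytes[e[1]]
    if e[0] == 'key':
        return key[e[1]]
    if e[0] == 'rol':
        return rol8(evaluate(e[1], file_bytes, key), e[2])
    a, b = evaluate(e[1], file_bytes, key), evaluate(e[2], file_bytes, key)
    return a ^ b if e[0] == 'xor' else (a + b) & 0xFF


def looks_like_encryption(out_exprs: List[Expr], file_bytes: bytes, key_len: int) -> bool:
    """Flag the write as encryption when every written byte depends on file
    bytes AND on key bytes, passes through a bit-mixing operator, and really
    changes when one of its key bytes is flipped (the last check is where a
    real system would ask the SMT solver; here it is a re-evaluation)."""
    if not out_exprs:
        return False
    zero_key = bytes(key_len)
    for e in out_exprs:
        ins, keys = leaves(e, 'in'), leaves(e, 'key')
        if not ins or not keys or not (operators(e) & {'xor', 'rol'}):
            return False
        perturbed = bytearray(zero_key)
        perturbed[min(keys)] = 1
        if evaluate(e, file_bytes, zero_key) == evaluate(e, file_bytes, bytes(perturbed)):
            return False
    return True


def encryptor_program(n: int) -> List[tuple]:
    """Toy cipher (assumption): out[i] = rol8(in[i] ^ key[i%4], 3) + key[(i+1)%4]."""
    prog = []
    for i in range(n):
        prog += [('LOAD_IN', i), ('LOAD_KEY', i % 4), ('XOR',), ('ROL', 3),
                 ('LOAD_KEY', (i + 1) % 4), ('ADD',), ('STORE', i)]
    return prog


def copier_program(n: int) -> List[tuple]:
    """Benign program that only copies the file, as a backup tool would."""
    return [ins for i in range(n) for ins in (('LOAD_IN', i), ('STORE', i))]


def analyse(program: List[tuple], file_bytes: bytes, key: bytes) -> bool:
    """Run the program under symbolic tracking and classify its file writes."""
    _, exprs = run(program, file_bytes, key)
    return looks_like_encryption(exprs, file_bytes, len(key))


SAMPLE_FILE = b'Quarterly report'          # constructed victim document
SAMPLE_KEY = bytes.fromhex('deadbeef')     # constructed 4-byte key

if __name__ == '__main__':
    for name, prog in (('encryptor', encryptor_program(len(SAMPLE_FILE))),
                       ('copier', copier_program(len(SAMPLE_FILE)))):
        verdict = 'ENCRYPTION' if analyse(prog, SAMPLE_FILE, SAMPLE_KEY) else 'benign'
        print(f'{name}: {verdict}')
```

The copier is rejected because its written bytes carry no key leaf; the toy cipher is accepted because every written byte mixes a file byte with key bytes via xor/rotate and provably changes under a different key. A real implementation would attach these symbolic tags at the Pin instrumentation layer to the bytes returned by file-read APIs and discharge the dependence query to STP.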
Authors
CHEN Zheng (陈政) 1, FANG Yong (方勇) 2, LIU Liang (刘亮) 2, ZUO Zheng (左政) 1
1. College of Electronics and Information Engineering, Sichuan University, Chengdu 610065, China
2. College of Cybersecurity, Sichuan University, Chengdu 610207, China
Source
Computer Engineering (《计算机工程》), 2018, No. 6, pp. 104-110 (7 pages)
Indexed in: CAS, CSCD, Peking University Core Journals (北大核心)