Abstract
Malware samples from the same family exhibit similar behavior. Building on this property, this paper proposes a method that measures the similarity of software behavior by combining static analysis with dynamic execution of the program. The program's control flow graph is obtained through decompilation and the Soot code transformation framework, and a behavior subgraph matching algorithm measures program behavior similarity from the static side. The program is then run under an automated testing framework, and the captured trace files are compressed with a text-independent compression algorithm to measure their similarity. The method combines the high execution efficiency of static detection with the high accuracy of dynamic detection, improving both the efficiency and the accuracy of software behavior similarity measurement. Experimental analysis shows that the technique accurately measures the behavioral similarity between programs, with a large improvement in accuracy over Androguard.
Authors
陈鹏 (Chen Peng), 赵荣彩 (Zhao Rongcai), 单征 (Shan Zheng), 韩金 (Han Jin), 孟曦 (Meng Xi)
State Key Laboratory of Mathematical Engineering & Advanced Computing, Zhengzhou 450000, China
Source
《计算机应用研究》 (Application Research of Computers)
Indexed in CSCD; Peking University Core Journal
2018, Issue 5, pp. 1534-1539 (6 pages)
Funding
National "863" Program funded project (2009AA012201)
National Natural Science Foundation of China funded project (61472447)