基于API函数序列的勒索病毒家族同源性研究

Research on Homology of Ransomware Family Based on API Sequences

近年来,勒索病毒数量的增长多为已知家族衍生的变种,鲜有出现新型勒索病毒家族。通过对勒索病毒动态提取的API函数序列进行研究,在原有基于序列比对分析勒索病毒家族同源性的方法上作出了改进。使用Cuckoo Sandbox监测勒索病毒的动态行为特征,提取病毒进程对应的API函数调用类别序列并对序列进行规范化处理,去除所有重复子序列后,对同一家族的勒索病毒样本序列使用Multalin、Clustal Omega、T-coffee 3种不同的多序列比对方法并分别设置不同的共性水平提取共性序列,结合局部比对算法计算同家族和家族间的相似性,以确定最佳共性序列并将其作为家族图谱序列。在验证该方案有效性时,设置了以家族样本代表序列和最佳共性序列分别作为家族图谱序列进行对比实验,实验结果表明,使用家族最佳共性序列作为家族图谱序列和局部比对方法计算相似性可以更好地区分勒索病毒家族。

In recent years,the increase in the number of ransomwares have mostly been variants derived from known families,and few new ransomware families have emerged.By studying the API sequences dynamically extracted from ransomware,some improvements have been made based on the method of sequence alignment for the homology of ransomware family.The Cuckoo Sandbox was used to monitor the dynamic behavior characteristics of the ransomware virus,and every API category sequence corresponding to the ransomware virus's process was extracted and normalized.After removing all repeated subsequences,three different methods of Multiple Sequence Alignment which are Multalin,Clustal Omega,and T-coffee were set different common levels to extracted consensus sequences,and then were used for ransomware sample sequences of the same family,and finally the local alignment algorithm was used to calculate the similarity in the same family and the similarity between different kind of families to determine the best consensus sequence and regard it as a family map sequence.For verifying the effectiveness of the scheme,a contrast experiment was set up using the best consensus sequence and the family representative sample sequence separately as the family map sequence.The experimental results show that using the best family consensus sequences as the family map sequence and the local alignment method to calculate the similarity can better distinguish the ransomware virus family.