Abstract
To analyze the logical relationships between the high-level behaviors of malicious code in depth and to dissect its working mechanism, and to address the shortcoming of existing semantics-based behavior analysis methods, which cannot abstract higher-level semantic behaviors or mine the logical relationships between them, this paper takes behavior events as the research object and proposes a method for generating malicious code attack graphs based on semantic analysis. First, drawing on the MITRE ATT&CK model, a new malicious code behavior analysis model, m-ATT&CK (Malware-Adversarial Tactics, Techniques, and Common Knowledge), is designed; the model consists of malware, behavior events, attack tactics, and the relationships between them. Second, an approximate pattern matching behavior mapping algorithm based on F-MWTO (Fuzzy Method of Window Then Occurrence) is proposed to map malicious code behavior information onto the m-ATT&CK model, and a Hidden Markov Model is constructed to mine sequences of attack tactics. Finally, the semantic-level malicious code attack graph is defined and a generation algorithm for it is designed; combined with the identified behavior events, the contextual semantic information of the malicious code's high-level behaviors is restored and the semantic-level attack graph is generated. Experimental results show that the semantic-level attack graph obtained with these methods clearly presents the working mechanism and attack intention of malicious code.
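The pipeline the abstract describes (behavior events already mapped onto tactics, a Hidden Markov Model used to recover the most likely tactic sequence, and a semantic-level attack graph assembled from the result) is illustrated below with an added Python example. This is not the paper's code and does not reproduce its m-ATT&CK model or F-MWTO mapping: the four tactic states, the four behavior-event labels, the sample trace, and every probability are constructed assumptions, and the mapping stage is represented only by its assumed output (events that already carry a coarse label). What the example shows is how Viterbi decoding turns a flat event sequence into a tactic sequence, and how consecutive tactics and their supporting events become nodes and edges of an attack graph.

```python
"""
Added example (not from the paper): decode a sequence of observed behavior
events into the most likely attack-tactic sequence with a Hidden Markov Model,
then emit a small semantic-level attack graph from the decoded sequence.

Everything below is constructed for illustration: the tactic set, the event
labels, the sample trace, and all HMM parameters are assumptions, not the
paper's model or its learned values.
"""
from math import log

# Hidden states: ATT&CK-style tactics (constructed subset).
TACTICS = ["Execution", "Persistence", "Discovery", "Exfiltration"]
# Observations: coarse behavior-event labels assumed to come out of a
# behavior-mapping stage (the paper's F-MWTO step is not reproduced here).
EVENTS = ["spawn_process", "write_run_key", "enum_files", "net_upload"]

# Constructed (toy) parameters; each row sums to 1.
START = {"Execution": 0.7, "Persistence": 0.1, "Discovery": 0.15, "Exfiltration": 0.05}
TRANS = {
    "Execution":    {"Execution": 0.3, "Persistence": 0.4, "Discovery": 0.25, "Exfiltration": 0.05},
    "Persistence":  {"Execution": 0.1, "Persistence": 0.2, "Discovery": 0.6,  "Exfiltration": 0.1},
    "Discovery":    {"Execution": 0.1, "Persistence": 0.1, "Discovery": 0.3,  "Exfiltration": 0.5},
    "Exfiltration": {"Execution": 0.1, "Persistence": 0.1, "Discovery": 0.3,  "Exfiltration": 0.5},
}
EMIT = {
    "Execution":    {"spawn_process": 0.7,  "write_run_key": 0.1,  "enum_files": 0.1,  "net_upload": 0.1},
    "Persistence":  {"spawn_process": 0.2,  "write_run_key": 0.7,  "enum_files": 0.05, "net_upload": 0.05},
    "Discovery":    {"spawn_process": 0.1,  "write_run_key": 0.05, "enum_files": 0.8,  "net_upload": 0.05},
    "Exfiltration": {"spawn_process": 0.05, "write_run_key": 0.05, "enum_files": 0.1,  "net_upload": 0.8},
}

# Constructed sample trace, in the order the events were observed.
SAMPLE_TRACE = ["spawn_process", "write_run_key", "enum_files", "enum_files", "net_upload"]


def viterbi(observations, start=START, trans=TRANS, emit=EMIT, states=TACTICS):
    """Return the most probable hidden tactic sequence for the observed events."""
    if not observations:
        return []
    unknown = [o for o in observations if o not in EVENTS]
    if unknown:
        # An unmapped event has no emission probability; fail loudly rather
        # than silently skewing the decode.
        raise ValueError("events without a mapping: %r" % unknown)

    # Work in log space so long traces do not underflow to zero.
    score = [{s: log(start[s]) + log(emit[s][observations[0]]) for s in states}]
    back = [{}]
    for t in range(1, len(observations)):
        obs = observations[t]
        score.append({})
        back.append({})
        for s in states:
            prev_best, prev_score = max(
                ((p, score[t - 1][p] + log(trans[p][s])) for p in states),
                key=lambda ps: ps[1],
            )
            score[t][s] = prev_score + log(emit[s][obs])
            back[t][s] = prev_best

    # Backtrack from the best final state.
    last = max(states, key=lambda s: score[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return list(reversed(path))


def attack_graph(observations, tactics):
    """Build a semantic-level graph: tactic nodes annotated with their events,
    and an edge for each transition between consecutive distinct tactics."""
    nodes = {}
    for event, tactic in zip(observations, tactics):
        nodes.setdefault(tactic, []).append(event)
    edges = []
    for a, b in zip(tactics, tactics[1:]):
        if a != b and (a, b) not in edges:
            edges.append((a, b))
    return {"nodes": nodes, "edges": edges}


def analyze(trace):
    """Full pipeline on one trace: decode tactics, then build the graph."""
    return attack_graph(trace, viterbi(trace))


if __name__ == "__main__":
    graph = analyze(SAMPLE_TRACE)
    for tactic, events in graph["nodes"].items():
        print("%-13s <- %s" % (tactic, ", ".join(events)))
    for a, b in graph["edges"]:
        print("%s -> %s" % (a, b))
```

With the constructed trace the decoder yields Execution, Persistence, Discovery, Discovery, Exfiltration, and the graph collapses the repeated Discovery step into one node holding both enumeration events, which is the kind of context the abstract refers to as restoring high-level behavior semantics. In a real deployment the transition and emission tables would be estimated from labelled traces rather than hand-picked.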
Authors
杨萍
舒辉
康绯
卜文娟
黄宇垚
YANG Ping; SHU Hui; KANG Fei; BU Wen-juan; HUANG Yu-yao (State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China)
Source
Computer Science (《计算机科学》)
CSCD
Peking University Core Journal
2021, No. S01, pp. 448-458, 463 (12 pages)
Funding
National Key R&D Program of China (2019QY1300).
Keywords
m-ATT&CK
High-level behavior extraction
Behavior mapping
Attack tactic sequence mining
Semantic-level attack graph