Abstract
Malicious code and its variants show similarities and certain dependencies in their behavior. Generating a behavior dependency graph from the function calls of a Web application suffers from path explosion and false alarms; to address this, a precise behavior dependency graph (PBDG) method based on extracting and verifying the dependencies among malicious code is proposed. First, the behavior relationships of sensitive data are obtained through custom taint-propagation rules and used for taint tracking; a taint-source blacklist then filters the results and builds an index file, which reduces storage space and improves the ability to locate instructions. Next, a live-variable path verification algorithm traverses each taint source (Source) → taint sink (Sink) path from the index in reverse, purging spurious taints along the way to further mitigate the path-space problem. Finally, combined with path-sensitive taint analysis and paying particular attention to the function call process, a precise behavior dependency graph of the malicious code is generated from the taint file for use in malicious code identification and vulnerability analysis. Experimental results show that the method effectively raises the recognition rate of malicious code and, while lowering the false-negative rate of reported vulnerabilities, improves the accuracy of vulnerability detection, offering a feasible route to the false-positive and effectiveness problems of malware detection, and of Web vulnerability detection in particular.
Authors
TANG Cheng-hua (唐成华), GAO Qing-ze (高庆泽), DU Zheng (杜征), QIANG Bao-hua (强保华)
Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin 541004, China; Guangxi Key Laboratory of Cryptography and Information Security, Guilin 541004, China; Guangxi Cloud Computing and Big Data Collaborative Innovation Center, Guilin 541004, China
Source
Journal of Chinese Computer Systems (小型微型计算机系统), 2023, No. 7, pp. 1593-1600 (8 pages)
Indexed in CSCD; Peking University Core Journal (北大核心)
Funding
Supported by the National Natural Science Foundation of China (62062028), the Natural Science Foundation of Guangxi (2018GXNSFAA294058), the Guangxi Key Laboratory of Trusted Software Fund (kx201918), the Guangxi Key Laboratory of Cryptography and Information Security Fund (GCIS201619, GCIS201801), and the Guangxi Cloud Computing and Big Data Collaborative Innovation Center Project (YF17101).
Keywords
behavior dependency graph; taint file; dynamic taint analysis; sensitive path; malicious code