Graduate University, The Chinese Academy of Sciences, Beijing 100049, China; State Key Laboratory of Information Security (Institute of Information Engineering, The Chinese Academy of Sciences), Beijing 100029, China
Graduate University, The Chinese Academy of Sciences, Beijing 100049, China; Institute of Software, The Chinese Academy of Sciences, Beijing 100190, China
This paper proposes a semantic-based approach to malware behavioral signature extraction and detection. The approach extracts critical malware behaviors together with the dependencies among them by integrating instruction-level taint analysis with behavior-level semantic analysis. It then derives interference-resistant behavior signatures with an anti-obfuscation engine that identifies semantically irrelevant operations and semantically equivalent ones. A prototype system based on this signature extraction and detection approach is implemented and evaluated on multiple malware samples. Experimental results demonstrate that the extracted signatures resist obfuscation well and that detection based on these signatures recognizes malware variants effectively.
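The following added example is not code from the paper or its prototype; it is a toy model of the pipeline the abstract describes. An API trace annotated with taint tags (standing in for the output of instruction-level taint tracking) is turned into a data-dependency graph; an assumed equivalence table collapses API spellings that are the same behavior (semantic equivalence), timing and padding calls are dropped, and behaviors whose results never flow into a persistent effect are pruned as semantically irrelevant; a signature graph is then tested for embedding in a sample's graph. The op tables, sink set and all three traces are constructed assumptions, not data from the paper.

```python
"""Toy behaviour-signature pipeline (constructed example, not the paper's code):
trace -> canonicalised data-dependency graph -> pruned signature -> graph match."""
from collections import deque

# Assumed table: API variants that are one behaviour at the semantic level.
EQUIVALENT_OPS = {
    "CreateFileA": "CreateFile", "CreateFileW": "CreateFile", "NtCreateFile": "CreateFile",
    "WriteFile": "WriteFile", "NtWriteFile": "WriteFile",
    "RegOpenKeyExA": "RegOpenKey", "RegOpenKeyExW": "RegOpenKey",
    "RegSetValueExA": "RegSetValue", "RegSetValueExW": "RegSetValue",
    "NtSetValueKey": "RegSetValue",
    "GetModuleFileNameA": "GetSelfPath", "GetModuleFileNameW": "GetSelfPath",
}
# Assumed: calls that carry no relevant data flow (timing / junk padding).
NOISE_OPS = {"Sleep", "GetTickCount", "GetSystemTime", "OutputDebugStringA"}
# Assumed: behaviours with a persistent effect; only flows reaching one are kept.
SINK_OPS = {"WriteFile", "RegSetValue"}


def build_graph(trace):
    """trace: list of (api, inputs, outputs); inputs/outputs are tuples of taint
    tags (constructed here; a taint tracker would produce them).
    Returns (labels, edges): labels[i] = canonical op of node i,
    edges = set of (producer, consumer) data-dependency pairs."""
    labels, edges, last_writer = [], set(), {}
    for api, ins, outs in trace:
        if api in NOISE_OPS:
            continue                                  # drop padding calls
        node = len(labels)
        labels.append(EQUIVALENT_OPS.get(api, api))   # semantic equivalence
        for tag in ins:                               # def-use edge from latest producer
            if tag in last_writer:
                edges.add((last_writer[tag], node))
        for tag in outs:
            last_writer[tag] = node
    return labels, edges


def prune_irrelevant(labels, edges):
    """Backward slice from sink behaviours: anything whose data never reaches a
    sink (e.g. a decoy file handle that is never used) is semantically irrelevant."""
    preds = {}
    for src, dst in edges:
        preds.setdefault(dst, set()).add(src)
    keep, work = set(), deque(i for i, l in enumerate(labels) if l in SINK_OPS)
    while work:
        n = work.popleft()
        if n not in keep:
            keep.add(n)
            work.extend(preds.get(n, ()))
    order = sorted(keep)
    index = {old: new for new, old in enumerate(order)}
    return ([labels[o] for o in order],
            {(index[s], index[d]) for s, d in edges if s in keep and d in keep})


def extract_signature(trace):
    return prune_irrelevant(*build_graph(trace))


def matches(signature, sample):
    """Subgraph monomorphism: each signature node maps to a distinct sample node
    with the same label and every signature edge to a sample edge (extra
    sample nodes/edges are allowed, so reordering and insertion do not hide it)."""
    sig_labels, sig_edges = signature
    smp_labels, smp_edges = sample
    mapping = {}

    def consistent(s, t):
        for a, b in sig_edges:
            if a == s and b in mapping and (t, mapping[b]) not in smp_edges:
                return False
            if b == s and a in mapping and (mapping[a], t) not in smp_edges:
                return False
        return True

    def search(s):
        if s == len(sig_labels):
            return True
        for t, label in enumerate(smp_labels):
            if label == sig_labels[s] and t not in mapping.values() and consistent(s, t):
                mapping[s] = t
                if search(s + 1):
                    return True
                del mapping[s]
        return False

    return search(0)


# Constructed traces. SAMPLE: copy self to disk, register the copy as an autostart value.
SAMPLE_TRACE = [
    ("GetModuleFileNameW", (), ("self_path",)),
    ("CreateFileW", ("self_path",), ("h_src",)),
    ("ReadFile", ("h_src",), ("buf",)),
    ("CreateFileW", (), ("h_dst", "dst_path")),
    ("WriteFile", ("h_dst", "buf"), ()),
    ("RegOpenKeyExW", (), ("h_run",)),
    ("RegSetValueExW", ("h_run", "dst_path"), ()),
]
# VARIANT: same behaviour with other API spellings, padding, a decoy, and reordering.
VARIANT_TRACE = [
    ("GetTickCount", (), ("t0",)),
    ("RegOpenKeyExA", (), ("h_run",)),
    ("CreateFileA", (), ("h_decoy",)),            # decoy: handle never used
    ("GetModuleFileNameA", (), ("self_path",)),
    ("Sleep", ("t0",), ()),
    ("NtCreateFile", ("self_path",), ("h_src",)),
    ("NtCreateFile", (), ("h_dst", "dst_path")),
    ("ReadFile", ("h_src",), ("buf",)),
    ("NtSetValueKey", ("h_run", "dst_path"), ()),
    ("NtWriteFile", ("h_dst", "buf"), ()),
]
# BENIGN: logs its own path to a file and only reads the registry.
BENIGN_TRACE = [
    ("GetModuleFileNameW", (), ("self_path",)),
    ("CreateFileW", (), ("h_log",)),
    ("WriteFile", ("h_log", "self_path"), ()),
    ("RegOpenKeyExW", (), ("h_key",)),
    ("RegQueryValueExW", ("h_key",), ("val",)),
]

if __name__ == "__main__":
    sig = extract_signature(SAMPLE_TRACE)
    print("variant matches:", matches(sig, extract_signature(VARIANT_TRACE)))   # True
    print("benign matches: ", matches(sig, extract_signature(BENIGN_TRACE)))    # False
```

The matcher is a monomorphism rather than a strict isomorphism check on purpose: a variant that interleaves extra behaviors or reorders independent ones still contains the signature's dependency structure, which is the property that makes a dependency-graph signature more robust than a fixed call sequence. The backtracking search is exponential in the worst case; for signatures of a handful of nodes that is fine, but a production matcher would index candidate nodes by label and bound the search.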