
Malware Detection Based on Family Behavior Frequent Subgraph Mining

Cited by: 4
Abstract: Graph-based malware detection must build a behavior dependency graph for every known malware sample. In conventional detection based on dynamic taint analysis the number of such graphs is huge and graph matching is slow, which makes these methods hard to use in practice. To address this problem, we propose a malware detection method based on frequent subgraph mining over the behavior of malware families. First, dynamic taint analysis is used to taint-tag the parameters of system-call APIs (application program interfaces); tracking the taint data as it propagates yields the call relationships between system APIs. Second, the behavior dependency graph of each individual sample is generated from these relationships. Third, a frequent subgraph mining method extracts the frequent behavior subgraphs of each malware family. Finally, these family frequent subgraphs serve as the family's behavior features, and a random forest classifier is trained on them to detect malware. Compared with traditional detection based on API call sequences or on a single malware behavior dependency graph, the proposed method is not affected by code obfuscation, because its features are derived from runtime behavior rather than from the code itself; it greatly reduces the number of behavior dependency graphs without losing the behavioral features of the malware, and it improves both detection efficiency and classification accuracy.
Authors: Zhu Xuebing (朱雪冰), Zhou Anmin (周安民), Zuo Zheng (左政) (College of Electronics and Information Engineering, Sichuan University, Chengdu 610065; College of Cybersecurity, Sichuan University, Chengdu 610065)
Source: Journal of Information Security Research (信息安全研究), 2019, No. 2, pp. 105-113 (9 pages)
Funding: National Key R&D Program of China (2017YFB0802900)
Keywords: malware detection; behavior dependency graphs; dynamic taint analysis; frequent subgraphs; classification
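The pipeline the abstract describes, as an added example that is not the paper's code: a per-sample behavior dependency graph is built from a taint-annotated API trace (each call's parameters carry the ids of the earlier calls whose output flowed into them), frequent connected subgraphs are mined across a family with a support threshold, and the mined patterns become binary features. Everything here is assumed for illustration: the traces are constructed, the Windows API names only label nodes, nodes are merged per API name (the paper's graphs have one node per call), the mining is brute-force enumeration of subgraphs with at most three edges rather than the paper's mining algorithm, and a pattern-coverage ratio stands in for the paper's random forest classifier.

```python
from collections import Counter
from itertools import combinations

# Constructed traces (not real malware data). Each event is
# (call_id, api_name, taint_sources): taint_sources lists the call_ids whose
# return value or output buffer flowed into this call's parameters, which is
# what a taint tracker that tags every API output with its producing call id
# reports. Assumption for this example: graph nodes are merged per API name.

def build_dependency_graph(trace):
    """Behavior dependency graph as a set of directed edges (src_api, dst_api):
    an edge means data produced by src_api reached a parameter of dst_api."""
    api_of = {}
    edges = set()
    for call_id, api, sources in trace:
        api_of[call_id] = api
        for src in sources:
            edges.add((api_of[src], api))
    return frozenset(edges)

def is_connected(edges):
    """Weak connectivity (direction ignored) of a small edge set."""
    nodes = {n for e in edges for n in e}
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:
        n = stack.pop()
        for a, b in edges:
            for x, y in ((a, b), (b, a)):
                if x == n and y not in seen:
                    seen.add(y)
                    stack.append(y)
    return seen == nodes

def connected_subgraphs(graph, max_edges):
    """All connected edge-induced subgraphs with 1..max_edges edges. Brute force
    is fine for the toy graphs here; real dependency graphs need a pattern-growth
    miner (the paper's frequent subgraph mining step)."""
    edges = sorted(graph)
    return {frozenset(c) for k in range(1, max_edges + 1)
            for c in combinations(edges, k) if is_connected(c)}

def mine_frequent_subgraphs(graphs, min_support, max_edges=3):
    """Subgraphs present in at least min_support (fraction) of the family's graphs."""
    support = Counter()
    for g in graphs:
        for s in connected_subgraphs(g, max_edges):
            support[s] += 1
    threshold = min_support * len(graphs)
    frequent = [s for s, c in support.items() if c >= threshold]
    return sorted(frequent, key=lambda s: (len(s), sorted(s)))

def feature_vector(graph, patterns):
    """Binary feature vector: 1 if the family pattern is contained in the sample graph."""
    return [int(p <= graph) for p in patterns]

def family_score(graph, patterns):
    """Fraction of family patterns present. The paper feeds vectors like this to a
    random forest; this coverage ratio is a stand-in, not the paper's classifier."""
    return sum(feature_vector(graph, patterns)) / len(patterns)

def downloader_trace(extra):
    """Constructed downloader behavior: fetch a payload, drop it in %TEMP%, run it."""
    core = [
        (1, "GetTempPathA", []),
        (2, "InternetOpenUrlA", []),
        (3, "InternetReadFile", [2]),     # handle from InternetOpenUrlA
        (4, "CreateFileA", [1]),          # drop path built from the temp dir
        (5, "WriteFile", [3, 4]),         # downloaded bytes + file handle
        (6, "CreateProcessA", [1]),       # executes the dropped path
    ]
    return core + extra

FAMILY_TRACES = [
    downloader_trace([(7, "RegSetValueExA", [4])]),   # persistence, sample 1 only
    downloader_trace([(7, "DeleteFileA", [1])]),      # cleanup, sample 2 only
    downloader_trace([(7, "CryptDecrypt", [3])]),     # payload decryption, sample 3 only
]

BENIGN_TRACE = [  # constructed file-copy behavior
    (1, "CreateFileA", []),
    (2, "ReadFile", [1]),
    (3, "CreateFileA", []),
    (4, "WriteFile", [2, 3]),
]

def demo():
    family = [build_dependency_graph(t) for t in FAMILY_TRACES]
    patterns = mine_frequent_subgraphs(family, min_support=0.67)
    benign = build_dependency_graph(BENIGN_TRACE)
    return patterns, family_score(family[0], patterns), family_score(benign, patterns)

if __name__ == "__main__":
    patterns, malicious_score, benign_score = demo()
    for p in patterns:
        print(sorted(p))
    print("family sample:", malicious_score, "benign sample:", benign_score)
```

With a 0.67 support threshold the per-sample noise edges (registry persistence, cleanup, decryption) fall out and only the shared download-drop-execute chain survives as patterns, which is the reduction in graphs the abstract claims: one small set of family patterns replaces three full dependency graphs. The benign file copy shares only the single CreateFileA to WriteFile edge with the family, so its coverage stays low.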