恶意代码的函数调用图相似性分析

恶意代码的相似性分析是当前恶意代码自动分析的重要部分。提出了一种基于函数调用图的恶意代码相似性分析方法,通过函数调用图的相似性距离ＳＤＭＦＧ来度量两个恶意代码函数调用图的相似性,进而分析得到恶意代码的相似性,提高了恶意代码相似性分析的准确性,为恶意代码的同源及演化特性分析研究与恶意代码的检测和防范提供了有力支持。     

基于非用户操作序列的恶意软件检测方法

针对Android恶意软件持续大幅增加的现状以及恶意软件检测能力不足这一问题,提出了一种基于非用户操作序列的静态检测方法。首先,通过对恶意软件进行逆向工程分析,提取出恶意软件的应用程序编程接口（API）调用信息;然后,采用广度优先遍历算法构建恶意软件的函数调用流程图;进而,从函数流程图中提取出其中的非用户操作序列形成恶意行为库;最后,采用编辑距离算法计算待检测样本与恶意行为库中的非用户操作序列的相似度进行恶意软件识别。在对360个恶意样本和300的正常样本进行的检测中,所提方法可达到90.8%的召回率和90.3%的正确率。与Android恶意软件检测系统Androguard相比,所提方法在恶意样本检测中召回率提高了30个百分点;与FlowDroid方法相比,所提方法在正常样本检测中准确率提高了11个百分点,在恶意样本检测中召回率提高了4.4个百分点。实验结果表明,所提方法提高了恶意软件检测的召回率,有效提升恶意软件的检测效果。     

基于程序双维度特征的恶意程序相似性分析

网络空间中充斥着大量的恶意代码,其中大部分恶意程序都不是攻击者自主开发的,而是在以往版本的基础上进行改动或直接组合多个恶意代码,因此在恶意程序检测中,相似性分析变的尤为重要.研究人员往往单一种类的信息对程序相似性进行分析,不能全面地考量程序的有效特征.针对以上情况,提出综合考虑动态指令基本块集合的语义特征和控制流图的结...     

A graph mining approach for detecting unknown malwares

Nowadays malware is one of the serious problems in the modern societies. Although the signature based malicious code detection is the standard technique in all commercial antivirus softwares, it can only achieve detection once the virus has already caused damage and it is registered. Therefore, it fails to detect new malwares (unknown malwares). Since most of malwares have similar behavior, a behavior based method can detect unknown malwares. The behavior of a program can be represented by a set of called API's (application programming interface). Therefore, a classifier can be employed to construct a learning model with a set of programs' API calls. Finally, an intelligent malware detection system is developed to detect unknown malwares automatically. On the other hand, we have an appealing representation model to visualize the executable files structure which is control flow graph (CFG). This model represents another semantic aspect of programs. This paper presents a robust semantic based method to detect unknown malwares based on combination of a visualize model (CFG) and called API's. The main contribution of this paper is extracting CFG from programs and combining it with extracted API calls to have more information about executable files. This new representation model is called API-CFG. In addition, to have fast learning and classification process, the control flow graphs are converted to a set of feature vectors by a nice trick. Our approach is capable of classifying unseen benign and malicious code with high accuracy. The results show a statistically significant improvement over n-grams based detection method.     

基于特征提取的二进制代码比较技术

二进制代码比较技术在病毒变种分析,安全补丁分析,版本信息导出等许多领域都有着广泛的应用。在定义了基于图的二进制代码描述方法的基础上,从函数和基本块两个层次对近似的二进制代码进行比较,分析出它们之间相同的部分和差异信息。讨论了基于图的二进制文件特征的选取,利用特征比较和固定点传播算法,建立两份代码在函数和基本块两个级别的对应关系。本文给出了这种基于特征提取的二进制代码比较技术的实现框架,并列举了它在恶意软件变种分析,公开漏洞定位方面的利用实例。     

Malware detection using assembly and API call sequences

One of the major problems concerning information assurance is malicious code. To evade detection, malware has also been encrypted or obfuscated to produce variants that continue to plague properly defended and patched networks with zero day exploits. With malware and malware authors using obfuscation techniques to generate automated polymorphic and metamorphic versions, anti-virus software must always keep up with their samples and create a signature that can recognize the new variants. Creating a signature for each variant in a timely fashion is a problem that anti-virus companies face all the time. In this paper we present detection algorithms that can help the anti-virus community to ensure a variant of a known malware can still be detected without the need of creating a signature; a similarity analysis (based on specific quantitative measures) is performed to produce a matrix of similarity scores that can be utilized to determine the likelihood that a piece of code under inspection contains a particular malware. Two general malware detection methods presented in this paper are: Static Analyzer for Vicious Executables (SAVE) and Malware Examiner using Disassembled Code (MEDiC). MEDiC uses assembly calls for analysis and SAVE uses API calls (Static API call sequence and Static API call set) for analysis. We show where Assembly can be superior to API calls in that it allows a more detailed comparison of executables. API calls, on the other hand, can be superior to Assembly for its speed and its smaller signature. Our two proposed techniques are implemented in SAVE) and MEDiC. We present experimental results that indicate that both of our proposed techniques can provide a better detection performance against obfuscated malware. We also found a few false positives, such as those programs that use network functions (e.g. PuTTY) and encrypted programs (no API calls or assembly functions are found in the source code) when the thresholds are set 50% similarity measure. However, these false positives can be minimized, for example by changing the threshold value to 70% that determines whether a program falls in the malicious category or not.     

识别恶意软件中的加密函数

针对恶意软件通过加密函数规避安全检测和流量分析这一问题,提出了一种识别恶意软件中加密函数的方法。通过识别恶意软件动态执行路径中的循环、循环的输入和输出参数,构建恶意软件的动态循环数据流图,通过循环数据流图提取循环的输入和输出参数集合,设计已知加密函数的参考实现对循环输入集合中的元素进行运算,判断输出是否能够匹配输出集合中的元素从而识别恶意软件中的加密函数。实验证明此分析方法能够分析严重混淆的恶意软件其传输载荷所采用的加密函数。     

一种面向图神经网络安卓恶意代码检测的通用解释定位方法

面对不断涌现的安卓恶意应用,虽然大量研究工作采用图神经网络分析代码图实现了准确高效的恶意应用检测,但由于未提供应用内恶意代码的具体位置信息,难以对后续的人工复核工作提供有效帮助.可解释技术的出现为此问题提供了灵活的解决方法,在基于不同类型神经网络及代码特征表示实现的检测模型上展示出了较好的应用前景.本研究聚焦于基于图神经网络的安卓恶意代码检测模型上,使用可解释技术实现安卓恶意代码的准确定位:（1）提出了基于敏感API及多关系图特征的敏感子图提取方法.根据敏感API,控制流逻辑以及函数调用结构三类特征与恶意代码子图分布的关联性,细致刻画恶意代码特征,精简可解释技术关注的代码图规模;（2）提出了基于敏感子图输入的可解释技术定位方法.使用基于扰动原理的可解释技术,在不改变检测模型结构的情况下对代码图边缘进行恶意性评分,为各类基于图神经网络安卓恶意代码检测提供解释定位;（3）设计实验验证敏感子图提取对于与恶意代码特征的刻画效果以及基于敏感子图提取的解释定位效果.实验结果显示,本文的敏感子图提取方法相较于MsDroid固定子图半径的方法更为精确,能够为可解释技术提供高质量的输入;基于此方法改进后得到的可解释技术定位方法相较于GNNExplainer通用解释器及MsDroid定位方法,在保证定位适用性和效率的同时,恶意代码平均定位准确率分别提高了8.8%和2.7%.     

Abstracting minimal security-relevant behaviors for malware analysis

Dynamic behavior-based malware analysis and detection is considered to be one of the most promising ways to combat with the obfuscated and unknown malwares. To perform such analysis, behavioral feature abstraction plays a fundamental role, because how to specify program formally to a large extend determines what kind of algorithm can be used. In existing research, graph-based methods keep a dominant position in specifying malware behaviors. However, they restrict the detection algorithm to be chosen from graph mining algorithm. In this paper, we build a complete virtual environment to capture malware behaviors, especially that to stimulate network behaviors of a malware. Then, we study the problem of abstracting constant behavioral features from API call sequences and propose a minimal security-relevant behavior abstraction way, which absorbs the advantages of prevalent graph-based methods in behavior representation and has the following advantages: first API calls are aggregated by data dependence, therefore it is resistent to redundant data and is a kind of more constant feature. Second, API call arguments are also abstracted particularly, this further contributes to common and constant behavioral features of malware variants. Third, it is a moderate degree aggregation of a small group of API calls with a constructing criterion that centering on an independent operation on a sensitive resource. Fourth, it is very easy to embed the extracted behaviors in a high dimensional vector space, so that it can be processed by almost all of the prevalent statistical learning algorithms. We then evaluate these minimal security-relevant behaviors in three kinds of test, including similarity comparison, clustering and classification. The experimental results show that our method has a capacity in distinguishing malwares from different families and also from benign programs, and it is useful for many statistical learning algorithms.     

Novel active learning methods for enhanced PC malware detection in windows OS

The formation of new malwares every day poses a significant challenge to anti-virus vendors since antivirus tools, using manually crafted signatures, are only capable of identifying known malware instances and their relatively similar variants. To identify new and unknown malwares for updating their anti-virus signature repository, anti-virus vendors must daily collect new, suspicious files that need to be analyzed manually by information security experts who then label them as malware or benign. Analyzing suspected files is a time-consuming task and it is impossible to manually analyze all of them. Consequently, anti-virus vendors use machine learning algorithms and heuristics in order to reduce the number of suspect files that must be inspected manually. These techniques, however, lack an essential element – they cannot be daily updated. In this work we introduce a solution for this updatability gap. We present an active learning (AL) framework and introduce two new AL methods that will assist anti-virus vendors to focus their analytical efforts by acquiring those files that are most probably malicious. Those new AL methods are designed and oriented towards new malware acquisition. To test the capability of our methods for acquiring new malwares from a stream of unknown files, we conducted a series of experiments over a ten-day period. A comparison of our methods to existing high performance AL methods and to random selection, which is the naïve method, indicates that the AL methods outperformed random selection for all performance measures. Our AL methods outperformed existing AL method in two respects, both related to the number of new malwares acquired daily, the core measure in this study. First, our best performing AL method, termed “Exploitation”, acquired on the 9th day of the experiment about 2.6 times more malwares than the existing AL method and 7.8 more times than the random selection. Secondly, while the existing AL method showed a decrease in the number of new malwares acquired over 10 days, our AL methods showed an increase and a daily improvement in the number of new malwares acquired. Both results point towards increased efficiency that can possibly assist anti-virus vendors.     

基于底层数据流分析的恶意软件检测方法

近些年来,层出不穷的恶意软件对系统安全构成了严重的威胁并造成巨大的经济损失,研究者提出了许多恶意软件检测方案。但恶意软件开发中常利用加壳和多态等混淆技术,这使得传统的静态检测方案如静态特征匹配不足以应对。而传统的应用层动态检测方法也存在易被恶意软件禁用或绕过的缺点。本文提出一种利用底层数据流关系进行恶意软件检测的方法,即在系统底层监视程序运行时的数据传递情况,生成数据流图,提取图的特征形成特征向量,使用特征向量衡量数据流图的相似性,评估程序行为的恶意倾向,以达到快速检测恶意软件的目的。该方法具有低复杂度与高检测效率的特点。实验结果表明本文提出的恶意软件检测方法可达到较高的检测精度以及较低的误报率,分别为98.50%及3.18%。     

Malware classification based on call graph clustering

Each day, anti-virus companies receive tens of thousands samples of potentially harmful executables. Many of the malicious samples are variations of previously encountered malware, created by their authors to evade pattern-based detection. Dealing with these large amounts of data requires robust, automatic detection approaches. This paper studies malware classification based on call graph clustering. By representing malware samples as call graphs, it is possible to abstract certain variations away, enabling the detection of structural similarities between samples. The ability to cluster similar samples together will make more generic detection techniques possible, thereby targeting the commonalities of the samples within a cluster. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which approximately minimize the graph edit distance. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including k-medoids and Density-Based Spatial Clustering of Applications with Noise (DBSCAN). Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by human malware analysts. Experiments show that it is indeed possible to accurately detect malware families via call graph clustering. We anticipate that in the future, call graphs can be used to analyse the emergence of new malware families, and ultimately to automate implementation of generic detection schemes.     

基于textCNN模型的Android恶意程序检测

针对当前Android恶意程序检测方法对未知应用程序检测能力不足的问题,提出了一种基于textCNN神经网络模型的Android恶意程序检测方法.该方法使用多种触发机制从不同层面上诱导激发程序潜在的恶意行为;针对不同层面上的函数调用,采用特定的hook技术对程序行为进行采集;针对采集到的行为日志,使用fastText算...     

MACSPMD:基于恶意API调用序列模式挖掘的恶意代码检测

基于动态分析的恶意代码检测方法由于能有效对抗恶意代码的多态和代码混淆技术,而且可以检测新的未知恶意代码等,因此得到了研究者的青睐。在这种情况下,恶意代码的编写者通过在恶意代码中嵌入大量反检测功能来逃避现有恶意代码动态检测方法的检测。针对该问题,提出了基于恶意API调用序列模式挖掘的恶意代码检测方法MACSPMD。首先,使用真机模拟恶意代码的实际运行环境来获取文件的动态API调用序列;其次,引入面向目标关联挖掘的概念,以挖掘出能够代表潜在恶意行为模式的恶意API调用序列模式;最后,将挖掘到的恶意API调用序列模式作为异常行为特征进行恶意代码的检测。基于真实数据集的实验结果表明,MACSPMD对未知和逃避型恶意代码进行检测的准确率分别达到了94.55%和97.73%,比其他基于API调用数据的恶意代码检测方法 的准确率分别提高了2.47%和2.66%,且挖掘过程消耗的时间更少。因此,MACSPMD能有效检测包括逃避型在内的已知和未知恶意代码。     

基于栈的恶意程序隐式系统调用的检测方法

提出了一种检测恶意程序中隐式系统调用的方法.该方法使用地址栈和地址栈图来检测恶意程序中隐式的系统调用信息,其中,地址栈将每个栈的元素和栈操作的指令相结合,而地址栈图抽象地表示可执行体并且检测恶意的系统调用.通过实验表明,这是一种有效的方法.     

Architecture of a morphological malware detector

Most of malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture has been sufficiently efficient to overcome most of malware attacks. Nevertheless, the complexity of malicious codes still increase. As a result the time required to reverse engineer malicious programs and to forge new signatures is increasingly longer. This study proposes an efficient construction of a morphological malware detector, that is a detector which associates syntactic and semantic analysis. It aims at facilitating the task of malware analysts providing some abstraction on the signature representation which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques. Moreover we describe a generic graph rewriting engine in order to deal with classic mutations techniques. Finally, we provide a preliminary evaluation of the strategy detection carrying out experiments on a malware collection.     

Attention-based convolutional neural network deep learning approach for robust malware classification

Recently, transforming windows files into images and its analysis using machine learning and deep learning have been considered as a state-of-the art works for malware detection and classification. This is mainly due to the fact that image-based malware detection and classification is platform independent, and the recent surge of success of deep learning model performance in image classification. Literature survey shows that convolutional neural network (CNN) deep learning methods are successfully employed for image-based windows malware classification. However, the malwares were embedded in a tiny portion in the overall image representation. Identifying and locating these affected tiny portions is important to achieve a good malware classification accuracy. In this work, a multi-headed attention based approach is integrated to a CNN to locate and identify the tiny infected regions in the overall image. A detailed investigation and analysis of the proposed method was done on a malware image dataset. The performance of the proposed multi-headed attention-based CNN approach was compared with various non-attention-CNN-based approaches on various data splits of training and testing malware image benchmark dataset. In all the data-splits, the attention-based CNN method outperformed non-attention-based CNN methods while ensuring computational efficiency. Most importantly, most of the methods show consistent performance on all the data splits of training and testing and that illuminates multi-headed attention with CNN model's generalizability to perform on the diverse datasets. With less number of trainable parameters, the proposed method has achieved an accuracy of 99% to classify the 25 malware families and performed better than the existing non-attention based methods. The proposed method can be applied on any operating system and it has the capability to detect packed malware, metamorphic malware, obfuscated malware, malware family variants, and polymorphic malware. In addition, the proposed method is malware file agnostic and avoids usual methods such as disassembly, de-compiling, de-obfuscation, or execution of the malware binary in a virtual environment in detecting malware and classifying malware into their malware family.     

基于图像相似性的Android钓鱼恶意应用检测方法

在移动互联网日益兴盛的今天,攻击者已开始通过移动应用的形式来实施网络钓鱼,而现有的网络钓鱼检测方法主要针对网页钓鱼,无法应对这一新的安全威胁。钓鱼恶意应用的一个显著特点是通过构造与目标应用相似的界面来诱骗用户输入敏感信息。基于这种视觉相似性,提出了一种面向Android平台的钓鱼恶意应用检测方法。该方法通过动态技术截取被检测应用的人机交互界面,利用图像哈希感知算法计算其与目标应用界面的图像相似度。如果相似度超过阈值,则识别被检测应用程序为钓鱼恶意应用。实验表明,该方法可以有效检测Android平台上的恶意钓鱼应用程序。     

结合局部优化匹配的Android恶意家族检测算法

近年来,飞速增长的Android恶意代码给移动安全研究带来了沉重的负担。为海量的恶意样本进行准确的家族分类对移动恶意代码的识别与演变过程研究具有极为重要的作用。基于此目的提出了一种新的基于局部结构优化分析的恶意软件家族识别与分类方法。从应用程序的反编译文件中提取函数调用图,采用基于节点相似度的迭代匹配算法来构建恶意家族特征,通过对待检测应用程序函数调用图与恶意家族特征的匹配来进行应用程序的恶意性检测与家族识别。实验结果表明,该方法较三项已有研究和Androguard工具具有更好的性能。     

Music classification as a new approach for malware detection

Each year, a huge number of malicious programs are released which causes malware detection to become a critical task in computer security. Antiviruses use various methods for detecting malware, such as signature-based and heuristic-based techniques. Polymorphic and metamorphic malwares employ obfuscation techniques to bypass traditional detection methods used by antiviruses. Recently, the number of these malware has increased dramatically. Most of the previously proposed methods to detect malware are based on high-level features such as opcodes, function calls or program’s control flow graph (CFG). Due to new obfuscation techniques, extracting high-level features is tough, fallible and time-consuming; hence approaches using program’s bytes are quicker and more accurate. In this paper, a novel byte-level method for detecting malware by audio signal processing techniques is presented. In our proposed method, program’s bytes are converted to a meaningful audio signal, then Music Information Retrieval (MIR) techniques are employed to construct a machine learning music classification model from audio signals to detect new and unseen instances. Experiments evaluate the influence of different strategies converting bytes to audio signals and the effectiveness of the method.