基于API依赖关系的代码相似度分析

针对传统系统调用依赖图(SCDG)不能很好地消除API噪声、API重排等API特征混淆的问题,提出一种基于API依赖关系的恶意代码相似度分析方法。采用由API控制依赖关系和4类数据依赖关系组成的SCDG程序行为描述方式,通过数据依赖关系分析和控制依赖关系归一化,消除SCDG中的API噪声和API重排。实验结果表明,与API序列相似度分析方式相比,该方法能提高恶意代码相似度分析的准确性。     

基于语义的恶意代码行为特征提取及检测方法

提出一种基于语义的恶意代码行为特征提取及检测方法,通过结合指令层的污点传播分析与行为层的语义分析,提取恶意代码的关键行为及行为间的依赖关系;然后,利用抗混淆引擎识别语义无关及语义等价行为,获取具有一定抗干扰能力的恶意代码行为特征.在此基础上,实现特征提取及检测原型系统.通过对多个恶意代码样本的分析和检测,完成了对该系统的实验验证.实验结果表明,基于上述方法提取的特征具有抗干扰能力强等特点,基于此特征的检测对恶意代码具有较好的识别能力.     

基于相识度的恶意代码检测

特征码的识别方法仅能识别已知的恶意代码,并未解决恶意代码的判别问题.当前基于行为的扫描和启发式扫描也只是关注恶意代码的单个的危险行为点,误报率很高.侧重挖掘行为之间的关系,采用矩阵将待测代码的行为及行为之间的关系进行描述、测量,由此提出一种基于相识度的恶意代码检测方法.相识度是系统对待测代码的熟悉程度.根据相识度的大小来判断待测代码是否为恶意代码,相识度越大,待测代码是恶意代码的可能性就越小.在此基础上,提出了相应的恶意代码检测算法,通过实例验证了该方法的有效性.     

基于有效窗口和朴素贝叶斯的恶意代码分类

恶意代码分类是恶意代码分析和入侵检测领域中的核心问题.现有分类方法分析效率低,准确性差,主要原因在于行为分析原始资料规模大,噪声高,随机因素干扰.针对上述问题,以恶意代码行为序列报告作为基础,在分析随机因素及行为噪声对恶意代码行为特征和操作相似性的干扰之后,给出一个系统调用参数有效窗口模型,通过该模型加强行为序列的相似度描述能力,降低随机因素的干扰.在此基础上提出一种基于朴素贝叶斯机器学习模型和操作相似度窗口的恶意代码自动分类方法.设计并实现了一个自动恶意代码行为分类器原型MalwareFilter.使用真实恶意代码生成的行为序列报告对原型系统进行评估,通过实验证明了该方法的有效性,结果表明,该方法通过操作相似度窗口提高了训练和分类过程的性能和准确度.     

恶意代码的函数调用图相似性分析

恶意代码的相似性分析是当前恶意代码自动分析的重要部分。提出了一种基于函数调用图的恶意代码相似性分析方法,通过函数调用图的相似性距离ＳＤＭＦＧ来度量两个恶意代码函数调用图的相似性,进而分析得到恶意代码的相似性,提高了恶意代码相似性分析的准确性,为恶意代码的同源及演化特性分析研究与恶意代码的检测和防范提供了有力支持。     

基于谓词时序逻辑的恶意代码行为描述及检测

基于行为的判别已成为恶意代码检测技术研究的主流方向,现有方法容易受到拟态攻击或影子攻击的影响.针对这些问题,提出了一种全新的使用谓词时序逻辑描述恶意代码行为的方法,该方法能够同时刻画一组函数调用之间的逻辑组合、时序、参数依赖和主客体关联等关系,因此能更准确细致地描述恶意代码行为.在此基础上,提出了相应的恶意行为检测算法,通过实例测试验证了该方法的有效性.     

针对指令乱序变形技术的归一化研究

新出现的恶意代码大部分是在原有恶意代码基础上修改转换而来.许多变形恶意代码更能自动完成该过程,由于其特征码不固定,给传统的基于特征码检测手段带来了极大挑战.采用归一化方法,并结合使用传统检测技术是一种应对思路.本文针对指令乱序这种常用变形技术提出了相应的归一化方案.该方案先通过控制依赖分析将待测代码划分为若干基本控制块,然后依据数据依赖图调整各基本控制块中的指令顺序,使得不同变种经处理后趋向于一致的规范形式.该方案对指令乱序的两种实现手段,即跳转法和非跳转法,同时有效.最后通过模拟测试对该方案的有效性进行了验证.     

BiLSTM在JavaScript恶意代码检测中的应用

传统的机器学习方法在检测JavaScript恶意代码时,存在提取特征过程复杂、计算量大、代码被恶意混淆导致难以检测的问题,不利于当前JavaScript恶意代码检测准确性和实时性的要求.基于此,提出一种基于双向长短时神经网络(BiLSTM)的JavaScript恶意代码检测方法.首先,将得到的样本数据经过代码反混淆,数据分词,代码向量化后得到适应于神经网络输入的标准化数据.其次,利用BiLSTM算法对向量化数据进行训练,学习JavaScript恶意代码的抽象特征.最后,利用学习到的特征对代码进行分类.将本文方法与深度学习方法和主流机器学习方法进行比较,结果表明该方法具有较高的准确率和较低的误报率.     

一种抗混淆的大规模Android应用相似性检测方法

随着代码混淆、加壳技术的应用,基于行为特征的Android应用相似性检测受到的影响愈加明显.提出了一种抗混淆的大规模Android应用相似性检测方法,通过提取应用内特定文件的内容特征计算应用相似性,该方法不受代码混淆的影响,且能有效抵抗文件混淆带来的干扰.对5.9万个应用内的文件类型进行统计,选取具有普遍性、代表性和可度量性的图片文件、音频文件和布局文件作为特征文件.针对3种特征文件的特点,提出了不同内容特征提取方法和相似度计算方法,并通过学习对其相似度赋予权重,进一步提高应用相似性检测的准确性.使用正版应用和已知恶意应用作为标准,对5.9万个应用进行相似性检测实验,结果显示基于文件内容的相似性检测可以准确识别重打包应用和含有已知恶意代码的应用,并且在效率和准确性上均优于现有方案.     

基于MobileNet的恶意软件家族分类模型

现有基于卷积神经网络(CNN)的恶意代码分类方法存在计算资源消耗较大的问题.为降低分类过程中的计算量和参数量,构建基于恶意代码可视化和轻量级CNN模型的恶意软件家族分类模型.将恶意软件可视化为灰度图,以灰度图的相似度表示同一家族的恶意软件在代码结构上的相似性,利用灰度图训练带有深度可分离卷积的神经网络模型MobileNet v2,自动提取纹理特征,并采用Softmax分类器对恶意代码进行家族分类.实验结果表明,该模型对恶意代码分类的平均准确率为99.32%,较经典的恶意代码可视化模型高出2.14个百分点.     

像素归一化方法在恶意代码可视分析中的应用

恶意代码的编写者通常采用自动化的手段开发恶意代码变种,使得恶意代码的数量呈现迅猛增长的态势。由于自动化的方式会重复利用恶意代码中的核心模块,因此也为病毒研究人员辨识和区分恶意代码族提供了有利依据。借鉴灰度图的思想,利用K-Nearest Neighbor（KNN）分类算法,给出了一种新的研究恶意代码谱系分类的可视化方法。其基本思想是,通过将二进制文件转换成双色通道的位图和像素归一图,从可视化的角度标识恶意样本特性,以此实现恶意代码族的相似度比较及分类。实验结果表明采用了像素归一化的降维映射机制能显著地减小文件可视特征的呈现时间开销,且该方法以自动化操作的方式运用Jaccard距离算法进行快速相似度比较,实现了恶意代码样本的有效分类,提高了分析人员的识别效率。     

Malware detection using assembly and API call sequences

One of the major problems concerning information assurance is malicious code. To evade detection, malware has also been encrypted or obfuscated to produce variants that continue to plague properly defended and patched networks with zero day exploits. With malware and malware authors using obfuscation techniques to generate automated polymorphic and metamorphic versions, anti-virus software must always keep up with their samples and create a signature that can recognize the new variants. Creating a signature for each variant in a timely fashion is a problem that anti-virus companies face all the time. In this paper we present detection algorithms that can help the anti-virus community to ensure a variant of a known malware can still be detected without the need of creating a signature; a similarity analysis (based on specific quantitative measures) is performed to produce a matrix of similarity scores that can be utilized to determine the likelihood that a piece of code under inspection contains a particular malware. Two general malware detection methods presented in this paper are: Static Analyzer for Vicious Executables (SAVE) and Malware Examiner using Disassembled Code (MEDiC). MEDiC uses assembly calls for analysis and SAVE uses API calls (Static API call sequence and Static API call set) for analysis. We show where Assembly can be superior to API calls in that it allows a more detailed comparison of executables. API calls, on the other hand, can be superior to Assembly for its speed and its smaller signature. Our two proposed techniques are implemented in SAVE) and MEDiC. We present experimental results that indicate that both of our proposed techniques can provide a better detection performance against obfuscated malware. We also found a few false positives, such as those programs that use network functions (e.g. PuTTY) and encrypted programs (no API calls or assembly functions are found in the source code) when the thresholds are set 50% similarity measure. However, these false positives can be minimized, for example by changing the threshold value to 70% that determines whether a program falls in the malicious category or not.     

Fragmented malware through RFID and its defenses

Malware, in essence, is an infiltration to one’s computer system. Malware is created to wreak havoc once it gets in through weakness in a computer’s barricade. Anti-virus companies and operating system companies are working to patch weakness in systems and to detect infiltrators. However, with the advance of fragmentation, detection might even prove to be more difficult. Malware detection relies on signatures to identify malware of certain shapes. With fragmentation, functionality and size can change depending on how many fragments are used and how the fragments are created. In this paper we present a robust malware detection technique, with emphasis on detecting fragmentation malware attacks in RFID systems that can be extended to detect complex obfuscated and mutated malware. After a particular fragmented malware has been first identified, it can be analyzed to extract the signature, which provides a basis for detecting variants and mutants of similar types of malware in the future. Encouraging experimental results on a limited set of recent malware are presented.     

A comprehensive survey on deep learning based malware detection techniques

Recent theoretical and practical studies have revealed that malware is one of the most harmful threats to the digital world. Malware mitigation techniques have evolved over the years to ensure security. Earlier, several classical methods were used for detecting malware embedded with various features like the signature, heuristic, and others. Traditional malware detection techniques were unable to defeat new generations of malware and their sophisticated obfuscation tactics. Deep Learning is increasingly used in malware detection as DL-based systems outperform conventional malware detection approaches at finding new malware variants. Furthermore, DL-based techniques provide rapid malware prediction with excellent detection rates and analysis of different malware types. Investigating recently proposed Deep Learning-based malware detection systems and their evolution is hence of interest to this work. It offers a thorough analysis of the recently developed DL-based malware detection techniques. Furthermore, current trending malwares are studied and detection techniques of Mobile malware (both Android and iOS), Windows malware, IoT malware, Advanced Persistent Threats (APTs), and Ransomware are precisely reviewed.     

Automated malware recognition method based on local neighborhood binary pattern

Multimedia Tools and Applications - Malware recognition has been widely used in the literature. One of the malware recognition methods is the byte code based methods. These methods generally use...     

基于行为分析的黑客攻击软件自动化分析工具的设计与实现

静态分析和动态分析是两种主流的恶意代码分析技术.随着反调试、程序补丁、代码混淆、多态和变型等技术的出现,静态分析技术的局限性越来越明显.该文设计了一种基于内核调用和正则表达式技术的恶意软件自动化分析工具,并用熊猫烧香病毒进行了验证,此工具提高了自动化分析的效率.     

Metamorphic Malware Detection Using Code Metrics

ABSTRACT

Malware is becoming more and more aggressive and new techniques are emerging to allow malicious code to evade detection by antiviruses. Metamorphic malware is a particularly insidious kind of virus that changes its form at each infection. In this article, a technique for detecting metamorphic viruses is proposed that is based on identifying specific features of the assembly code, such as the instructions that change the contents of the registers, the instructions that change the control flow, and the potential code fragmentation. Such features have been derived by the analysis of a large dataset of malware. The experimentation suggests that the proposed technique produces very high precision (over 97%) in recognizing metamorphic malware, and allows also for distinguishing among different families of malware.     

Behavior-based features model for malware detection

The sharing of malicious code libraries and techniques over the Internet has vastly increased the release of new malware variants in an unprecedented rate. Malware variants share similar behaviors yet they have different syntactic structure due to the incorporation of many obfuscation and code change techniques such as polymorphism and metamorphism. The different structure of malware variants poses a serious problem to signature-based detection technique, yet their similar exhibited behaviors and actions can be a remarkable feature to detect them by behavior-based techniques. Malware instances also largely depend on API calls provided by the operating system to achieve their malicious tasks. Therefore, behavior-based detection techniques that utilize API calls are promising for the detection of malware variants. In this paper, we propose a behavior-based features model that describes malicious action exhibited by malware instance. To extract the proposed model, we first perform dynamic analysis on a relatively recent malware dataset inside a controlled virtual environment and capture traces of API calls invoked by malware instances. The traces are then generalized into high-level features we refer to as actions. We assessed the viability of actions by various classification algorithms such as decision tree, random forests, and support vector machine. The experimental results demonstrate that the classifiers attain high accuracy and satisfactory results in the detection of malware variants.     

一种恶意软件行为分析系统的设计与实现

基于虚拟化技术的恶意软件行为分析是近年来出现的分析恶意软件的方法。该方法利用虚拟化平台良好的隔离性和控制力对恶意软件运行时的行为进行分析,但存在两方面的不足：一方面,现有虚拟机监视器（Virtual Machine Monitor,VMM）的设计初衷是提高虚拟化系统的通用性和高效性,并没有充分考虑虚拟化系统的透明性,导致现有的VMM很容易被恶意软件的环境感知测试所发现。为此,提出一种基于硬件辅助虚拟化技术的恶意软件行为分析系统——THVA。THVA是一个利用了安全虚拟机（SVM）、二级页表（NPT）和虚拟机自省等多种虚拟化技术完成的、专门针对恶意软件行为分析的微型VMM。实验结果表明,THVA在行为监控和反恶意软件检测方面表现良好。     

恶意代码分类的一种高维特征融合分析方法

恶意代码分类是一种基于特征进行恶意代码自动家族类别划分的分析方法。恶意代码的多维度特征融合与深度处理,是恶意代码分类研究的一种发展趋势,也是恶意代码分类研究的一个难点问题。本文提出了一种适用于恶意代码分类的高维特征融合方法,对恶意代码的静态二进制文件和反汇编特征等进行提取,借鉴SimHash的局部敏感性思想,对多维特征进行融合分析和处理,最后基于典型的机器学习方法对融合后的特征向量进行学习训练。实验结果和分析表明,该方法能够适应于样本特征维度高而样本数量较少的恶意代码分类场景,而且能够提升分类学习的时间性能。