MACSPMD:基于恶意API调用序列模式挖掘的恶意代码检测

基于动态分析的恶意代码检测方法由于能有效对抗恶意代码的多态和代码混淆技术,而且可以检测新的未知恶意代码等,因此得到了研究者的青睐。在这种情况下,恶意代码的编写者通过在恶意代码中嵌入大量反检测功能来逃避现有恶意代码动态检测方法的检测。针对该问题,提出了基于恶意API调用序列模式挖掘的恶意代码检测方法MACSPMD。首先,使用真机模拟恶意代码的实际运行环境来获取文件的动态API调用序列;其次,引入面向目标关联挖掘的概念,以挖掘出能够代表潜在恶意行为模式的恶意API调用序列模式;最后,将挖掘到的恶意API调用序列模式作为异常行为特征进行恶意代码的检测。基于真实数据集的实验结果表明,MACSPMD对未知和逃避型恶意代码进行检测的准确率分别达到了94.55%和97.73%,比其他基于API调用数据的恶意代码检测方法 的准确率分别提高了2.47%和2.66%,且挖掘过程消耗的时间更少。因此,MACSPMD能有效检测包括逃避型在内的已知和未知恶意代码。     

Malware detection using assembly and API call sequences

One of the major problems concerning information assurance is malicious code. To evade detection, malware has also been encrypted or obfuscated to produce variants that continue to plague properly defended and patched networks with zero day exploits. With malware and malware authors using obfuscation techniques to generate automated polymorphic and metamorphic versions, anti-virus software must always keep up with their samples and create a signature that can recognize the new variants. Creating a signature for each variant in a timely fashion is a problem that anti-virus companies face all the time. In this paper we present detection algorithms that can help the anti-virus community to ensure a variant of a known malware can still be detected without the need of creating a signature; a similarity analysis (based on specific quantitative measures) is performed to produce a matrix of similarity scores that can be utilized to determine the likelihood that a piece of code under inspection contains a particular malware. Two general malware detection methods presented in this paper are: Static Analyzer for Vicious Executables (SAVE) and Malware Examiner using Disassembled Code (MEDiC). MEDiC uses assembly calls for analysis and SAVE uses API calls (Static API call sequence and Static API call set) for analysis. We show where Assembly can be superior to API calls in that it allows a more detailed comparison of executables. API calls, on the other hand, can be superior to Assembly for its speed and its smaller signature. Our two proposed techniques are implemented in SAVE) and MEDiC. We present experimental results that indicate that both of our proposed techniques can provide a better detection performance against obfuscated malware. We also found a few false positives, such as those programs that use network functions (e.g. PuTTY) and encrypted programs (no API calls or assembly functions are found in the source code) when the thresholds are set 50% similarity measure. However, these false positives can be minimized, for example by changing the threshold value to 70% that determines whether a program falls in the malicious category or not.     

HDM-Analyser: a hybrid analysis approach based on data mining techniques for malware detection

Today’s security threats like malware are more sophisticated and targeted than ever, and they are growing at an unprecedented rate. To deal with them, various approaches are introduced. One of them is Signature-based detection, which is an effective method and widely used to detect malware; however, there is a substantial problem in detecting new instances. In other words, it is solely useful for the second malware attack. Due to the rapid proliferation of malware and the desperate need for human effort to extract some kinds of signature, this approach is a tedious solution; thus, an intelligent malware detection system is required to deal with new malware threats. Most of intelligent detection systems utilise some data mining techniques in order to distinguish malware from sane programs. One of the pivotal phases of these systems is extracting features from malware samples and benign ones in order to make at least a learning model. This phase is called “Malware Analysis” which plays a significant role in these systems. Since API call sequence is an effective feature for realising unknown malware, this paper is focused on extracting this feature from executable files. There are two major kinds of approach to analyse an executable file. The first type of analysis is “Static Analysis” which analyses a program in source code level. The second one is “Dynamic Analysis” that extracts features by observing program’s activities such as system requests during its execution time. Static analysis has to traverse the program’s execution path in order to find called APIs. Because it does not have sufficient information about decision making points in the given executable file, it is not able to extract the real sequence of called APIs. Although dynamic analysis does not have this drawback, it suffers from execution overhead. Thus, the feature extraction phase takes noticeable time. In this paper, a novel hybrid approach, HDM-Analyser, is presented which takes advantages of dynamic and static analysis methods for rising speed while preserving the accuracy in a reasonable level. HDM-Analyser is able to predict the majority of decision making points by utilising the statistical information which is gathered by dynamic analysis; therefore, there is no execution overhead. The main contribution of this paper is taking accuracy advantage of the dynamic analysis and incorporating it into static analysis in order to augment the accuracy of static analysis. In fact, the execution overhead has been tolerated in learning phase; thus, it does not impose on feature extraction phase which is performed in scanning operation. The experimental results demonstrate that HDM-Analyser attains better overall accuracy and time complexity than static and dynamic analysis methods.     

基于语义的恶意代码行为特征提取及检测方法

提出一种基于语义的恶意代码行为特征提取及检测方法,通过结合指令层的污点传播分析与行为层的语义分析,提取恶意代码的关键行为及行为间的依赖关系;然后,利用抗混淆引擎识别语义无关及语义等价行为,获取具有一定抗干扰能力的恶意代码行为特征.在此基础上,实现特征提取及检测原型系统.通过对多个恶意代码样本的分析和检测,完成了对该系统的实验验证.实验结果表明,基于上述方法提取的特征具有抗干扰能力强等特点,基于此特征的检测对恶意代码具有较好的识别能力.     

Metamorphic malware identification using engine-specific patterns based on co-opcode graphs

A metamorphic virus is a type of malware that modifies its code using a morphing engine. Morphing engines are used to generate a large number of metamorphic malware variants by performing different obfuscation techniques. Since each metamorphic malware has its own unique structure, signature based anti-virus programs are ineffective to detect these metamorphic variants. Therefore, detection of these kind of viruses becomes an increasingly important task. Recently, many researchers have focused on extracting common patterns of metamorphic variants that can be used as micro-signatures to identify the metamorphic malware executables. With the similar motivation, in this work, we propose a novel metamorphic malware identification method, named HLES-MMI (Higher-level Engine Signature based Metamorphic Malware Identification). The proposed method firstly constructs a unique graph structure, called as co-opcode graph, for each metamorphic family, then extracts engine-specific opcode patterns from the graphs. Finally, it generates higher-level signature belonging to each family by representing the extracted opcode-patterns with a binary vector. Experimental results on four datasets produced by different morphing engines demonstrate the effectiveness and efficiency of the proposed method by comparing with several existing malware identification methods.     

Structural analysis of binary executable headers for malware detection optimization

In the context of the OpenDAVFI project (a fork of the French initiative DAVFI for giving birth to a new generation, open antivirus engine which has been funded by the French Government), different AV filters have been developped and chained to detect both known and unknown malware very accurately while requiring a very limited number of updates. While most AV software use different static and dynamic detection techniques which are mostly based on the general concept of (static or heuristic) signature, we have observed that many malware do not comply to the Microsoft specifications with respect to the MZ-PE format. In this technical correspondence, we present structural analysis tests which have been implemented in the DAVFI/OpenDAVFi project. These tests accurately detect malware and therefore greatly reduce the number of malware that have to be analyzed by subsequent modules in our detection chain.     

一种混合的Android恶意应用检测方法

针对静态检测和动态检测方式存在的问题,提出了一种基于混合方式的恶意移动应用检测方法。该方法采用静态分析和动态分析相结合的方式,通过静态分析获取权限特征和函数调用特征,通过动态分析在沙盒环境下借助于事件仿真获取系统调用序列并提取函数调用依赖关系特征;在此基础上,提出了一种基于集成学习的分类器构造方法,区分恶意应用和正常应用。在来自于第三方应用市场中的3000个样本集上进行了实验验证,结果表明基于混合方式的恶意应用检测效果要优于基于静态分析的方式和基于动态分析的方式;考虑多种类型特征的样本上的检测精度要高于采用单一特征刻画的样本上的值;采用集成分类器具有较好的检测精度。     

Fools Download Where Angels Fear to Tread

Our study illustrates that the risk of getting infected by malware that antivirus protection doesn't detect is alarmingly high. New malware that the antivirus engines don't have signatures for is likely to escape detection by a desktop antivirus solution. Taking precautions while using the Internet can protect users only to a certain extent. If they visit the wrong Web site or download a file infected with 0-day malware, they probably won't be protected from infection. The malware specimens that our antivirus packages didn't detect during our two-week exposure period suggest to us that signature-based antivirus software doesn't provide sufficient protection for users who live on the bleeding edge with respect to where they obtain their software. Coupled with the exponential growth of new malware variants, our findings suggest that antivirus vendors have major problems keeping the signature lag within acceptable limits.     

MAPAS: a practical deep learning-based android malware detection system

A lot of malicious applications appears every day, threatening numerous users. Therefore, a surge of studies have been conducted to protect users from newly emerging malware by using machine learning algorithms. Albeit existing machine or deep learning-based Android malware detection approaches achieve high accuracy by using a combination of multiple features, it is not possible to employ them on our mobile devices due to the high cost for using them. In this paper, we propose MAPAS, a malware detection system, that achieves high accuracy and adaptable usages of computing resources. MAPAS analyzes behaviors of malicious applications based on API call graphs of them by using convolution neural networks (CNN). However, MAPAS does not use a classifier model generated by CNN, it only utilizes CNN for discovering common features of API call graphs of malware. For efficiently detecting malware, MAPAS employs a lightweight classifier that calculates a similarity between API call graphs used for malicious activities and API call graphs of applications that are going to be classified. To demonstrate the effectiveness and efficiency of MAPAS, we implement a prototype and thoroughly evaluate it. And, we compare MAPAS with a state-of-the-art Android malware detection approach, MaMaDroid. Our evaluation results demonstrate that MAPAS can classify applications 145.8% faster and uses memory around ten times lower than MaMaDroid. Also, MAPAS achieves higher accuracy (91.27%) than MaMaDroid (84.99%) for detecting unknown malware. In addition, MAPAS can generally detect any type of malware with high accuracy.

     

Holography: a behavior‐based profiler for malware analysis

Behavior‐based detection and signature‐based detection are two popular approaches to malware (malicious software) analysis. The security industry, such as the sector selling antivirus tools, has been using signature and heuristic‐based technologies for years. However, this approach has been proven to be inefficient in identifying unknown malware strains. On the other hand, the behavior‐based malware detection approach has a greater potential in identifying previously unknown instances of malicious software. The accuracy of this approach relies on techniques to profile and recognize accurate behavior models. Unfortunately, with the increasing complexity of malicious software and limitations of existing automatic tools, the current behavior‐based approach cannot discover many newer forms of malware either. In this paper, we implement ‘holography platform’, a behavior‐based profiler on top of a virtual machine emulator that intercepts the system processes and analyzes the CPU instructions, CPU registers, and memory. The captured information is stored in a relational database, and data mining techniques are used to extract information. We demonstrate the breadth of the ‘holography platform’ by conducting two experiments: a packed binary behavior analysis and a malvertising (malicious advertising) incident tracing. Both tasks are known to be very difficult to do efficiently using existing methods and tools. We demonstrate how the precise behavior information can be easily obtained using the ‘holography platform’ tool. With these two experiments, we show that the ‘holography platform’ can provide security researchers and automatic malware detection systems with an efficient malicious software behavior analysis solution. Copyright © 2011 John Wiley & Sons, Ltd.     

PDiOS:iOS应用程序中私有API的调用检测

苹果公司对App Store上的每一款应用程序都进行了审核,包括是否存在访问用户敏感信息的私有API调用,但是仍有恶意应用通过了该项审查。针对iOS应用程序中私有API的调用问题,提出了一种动、静态相结合的检测技术PDiOS。通过反向分片和常量传播的静态分析方式来处理大部分API调用,基于强制执行的动态迭代分析来处理剩余API。静态分析包含了对二进制文件的全面分析以及对资源文件中隐式调用的处理,动态分析主要依赖于二进制动态分析框架进行迭代分析。最后通过对比公开头文件中的API来确定私有API的调用。在对官方商店的1012款应用程序的检测中,确认有82款应用程序存在共128个不同的私有API调用。在对企业证书签名的32款应用程序的检测中,确认有26款使用了私有API调用。     

基于非用户操作序列的恶意软件检测方法

针对Android恶意软件持续大幅增加的现状以及恶意软件检测能力不足这一问题,提出了一种基于非用户操作序列的静态检测方法。首先,通过对恶意软件进行逆向工程分析,提取出恶意软件的应用程序编程接口（API）调用信息;然后,采用广度优先遍历算法构建恶意软件的函数调用流程图;进而,从函数流程图中提取出其中的非用户操作序列形成恶意行为库;最后,采用编辑距离算法计算待检测样本与恶意行为库中的非用户操作序列的相似度进行恶意软件识别。在对360个恶意样本和300的正常样本进行的检测中,所提方法可达到90.8%的召回率和90.3%的正确率。与Android恶意软件检测系统Androguard相比,所提方法在恶意样本检测中召回率提高了30个百分点;与FlowDroid方法相比,所提方法在正常样本检测中准确率提高了11个百分点,在恶意样本检测中召回率提高了4.4个百分点。实验结果表明,所提方法提高了恶意软件检测的召回率,有效提升恶意软件的检测效果。     

基于多重异质图的恶意软件相似性度量方法

现有恶意软件相似性度量易受混淆技术影响,同时缺少恶意软件间复杂关系的表征能力,提出一种基于多重异质图的恶意软件相似性度量方法RG-MHPE （API relation graph enhanced multiple heterogeneous ProxEmbed）解决上述问题.方法首先利用恶意软件动静态特征构建多重异质图,然后提出基于关系路径的增强型邻近嵌入方法,解决邻近嵌入无法应用于多重异质图相似性度量的问题.此外,从MSDN网站的API文档中提取知识,构建API关系图,学习Windows API间的相似关系,有效减缓相似性度量模型老化速度.最后,通过对比实验验证所提方法RG-MHPE在相似性度量性能和模型抗老化能力等方面表现最好.     

Wrapper–Filter Feature Selection Algorithm Using a Memetic Framework

This correspondence presents a novel hybrid wrapper and filter feature selection algorithm for a classification problem using a memetic framework. It incorporates a filter ranking method in the traditional genetic algorithm to improve classification performance and accelerate the search in identifying the core feature subsets. Particularly, the method adds or deletes a feature from a candidate feature subset based on the univariate feature ranking information. This empirical study on commonly used data sets from the University of California, Irvine repository and microarray data sets shows that the proposed method outperforms existing methods in terms of classification accuracy, number of selected features, and computational efficiency. Furthermore, we investigate several major issues of memetic algorithm (MA) to identify a good balance between local search and genetic search so as to maximize search quality and efficiency in the hybrid filter and wrapper MA     

Wrapper-filter feature selection algorithm using a memetic framework.

This correspondence presents a novel hybrid wrapper and filter feature selection algorithm for a classification problem using a memetic framework. It incorporates a filter ranking method in the traditional genetic algorithm to improve classification performance and accelerate the search in identifying the core feature subsets. Particularly, the method adds or deletes a feature from a candidate feature subset based on the univariate feature ranking information. This empirical study on commonly used data sets from the University of California, Irvine repository and microarray data sets shows that the proposed method outperforms existing methods in terms of classification accuracy, number of selected features, and computational efficiency. Furthermore, we investigate several major issues of memetic algorithm (MA) to identify a good balance between local search and genetic search so as to maximize search quality and efficiency in the hybrid filter and wrapper MA.     

Revealing Packed Malware

To evade malicious content detection, malware authors use packers, binary tools that instigate code obfuscation. By using executable packers, modern malware can completely bypass personal firewalls and antivirus (AV) scanners.Reverse engineering (RE) has become an important approach to analyzing a program's logic flow and internal data structures, such as system call functions. Security researchers and AV products must be able to unpack and inspect the payloads hidden within the packed programs using RE tools.     

一种基于混合特征的移动终端恶意软件检测方法

随着移动终端恶意软件的种类和数量不断增大,本文针对Android系统恶意软件单特征检测不全面、误报率高等技术问题,提出一种基于动静混合特征的移动终端恶意软件检测方法,以提高检测的覆盖率、准确率和效率.该方法首先采用基于改进的CHI方法和凝聚层次聚类算法优化的K-Means方法构建高危权限和敏感API库,然后分别从静态分...     

Auto-Sign: an automatic signature generator for high-speed malware filtering devices

This research proposes a novel automatic method (termed Auto-Sign) for extracting unique signatures of malware executables to be used by high-speed malware filtering devices based on deep-packet inspection and operating in real-time. Contrary to extant string and token-based signature generation methods, we implemented Auto-Sign an automatic signature generation method that can be used on large-size malware by disregarding signature candidates which appear in benign executables. Results from experimental evaluation of the proposed method suggest that picking a collection of executables which closely represents commonly used code, plays a key role in achieving highly specific signatures which yield low false positives.     

面向安卓恶意软件检测的对抗攻击技术综述

随着对Android恶意软件检测精度和性能要求的提高,越来越多的Android恶意软件检测引擎使用人工智能算法.与此同时,攻击者开始尝试对Android恶意软件进行一定的修改,使得Android恶意软件可以在保留本身的功能的前提下绕过这些基于人工智能算法的检测.上述过程即是Android恶意软件检测领域的对抗攻击.本文...     

基于API函数及其参数相结合的恶意软件行为检测

提出了一个较灵活、可扩展的方法, 它是基于更细致的运行特征： API函数调用名、API函数的输入参数及两种特征的结合。抽取以上三类特征, 借助信息论中的熵, 定义了恶意代码信息增益值的概念, 并计算相应的API及其参数在区分恶意软件和良性软件时的信息增益值, 进而选择识别率高的特征以减少特征的数目从而减少分析时间。实验表明, 少量的特征选取和较高的识别率使得基于API函数与参数相结合的检测方法明显优于当前主流的基于API序列的识别算法。