共查询到20条相似文献,搜索用时 140 毫秒
1.
代码迷惑可以使恶意代码绕过基于特征匹配的恶意代码检测器的检测.本文利用抽象解释理论,从程序语义的角度对高鹰等人提出的基于语义的恶意代码检测算法处理代码迷惑的能力进行了分析.在对该算法形式化描述的基础上,建立了一个与其等价的基于迹语义的检测器,并通过证明基于迹语义的检测器对于保持变体关系的代码迷惑算法的谕示可靠性和谕示完备性,从理论上阐述了高鹰等人的恶意代码检测算法的谕示可靠性和谕示完备性. 相似文献
2.
3.
随着网络技术和人工智能技术的不断发展,恶意代码对网络空间安全的威胁日益增加,对社会经济、国家安全构成严重威胁。恶意程序数量级呈指数增加大大增加了恶意代码分析的工作量,传统的恶意代码检测方式难以应对当下日益复杂的网络空间环境。本文提出了一种面向深度迁移学习的恶意代码可视化检测,基于计算机视觉技术将恶意代码进行可视化操作,并利用深度迁移学习和目标检测技术,对恶意代码相关特征片段进行检测分类。实验结果同样也表明,基于目标检测和计算机视觉技术,进行恶意代码可视化检测分析的方法在检测准确率、检测速度以及识别能力等方面较传统的恶意代码分类方法都表现出了更优异的性能。 相似文献
4.
随着网络安全技术的发展,计算机病毒已经不能够准确描述安全事件,提出了用恶意代码来描述,由于恶意代码的多样性,目前的恶意代码检测技术不能满足需要。在对恶意代码特征研究的基础上,提出了基于本地化特征的恶意代码检测技术。恶意代码要获取执行的机会,必然要进行本地化设置,对恶意代码的本地化特点进行了研究,在此基础上设计出了一种基于本地化特征的恶意代码检测系统,并进行了测试,结果证明基于本地化特征的恶意代码检测方法是一种有效的方法。 相似文献
5.
6.
深度学习已经逐渐应用于恶意代码检测并取得了不错的效果.然而,最近的研究表明:深度学习模型自身存在不安全因素,容易遭受对抗样本攻击.在不改变恶意代码原有功能的前提下,攻击者通过对恶意代码做少量修改,可以误导恶意代码检测器做出错误的决策,造成恶意代码的漏报.为防御对抗样本攻击,已有的研究工作中最常用的方法是对抗训练.然而对抗训练方法需要生成大量对抗样本加入训练集中重新训练模型,效率较低,并且防御效果受限于训练中所使用的对抗样本生成方法.为此,提出一种PE文件格式恶意代码对抗样本检测方法,针对在程序功能无关区域添加修改的一类对抗样本攻击,利用模型解释技术提取端到端恶意代码检测模型的决策依据作为特征,进而通过异常检测方法准确识别对抗样本.该方法作为恶意代码检测模型的附加模块,不需要对原有模型做修改,相较于对抗训练等其他防御方法效率更高,且具有更强的泛化能力,能够防御多种对抗样本攻击.在真实的恶意代码数据集上进行了实验,实验结果表明,该方法能够有效防御针对端到端PE文件恶意代码检测模型的对抗样本攻击. 相似文献
7.
基于主机的检测系统对文件检测能力更强.但是因为开销,成本过高,因此实际中基于网络的检测系统应用场景更广泛,可以部署的节点更多,提升网络恶意代码检测系统的检测能力可以更有效地为之后的恶意代码防御做出支持。但是其节点设备数量虽然多,却相对低端,单台成本更低,不能像主机检测一样将捕捉到的网络数据包还原,即使可以,也费时费力,处理速度跟不上网络流量,将会造成大量的丢包。因此,如果能让检测系统的前端主机在能够不重组数据包就检测出数据包是否为恶意代码意义重大,在不还原数据包的情况下,通过对单包的内容进行检测从而对有问题的包产生告警信息,可以显著增强基于网络的恶意代码检测系统前端主机的检测能力,使其在病毒种植过程中就能探测到异常。 相似文献
8.
近年来,随着物联网(Internet of things, IoT)设备的大规模部署,针对物联网设备的恶意代码也不断出现,物联网安全面临来自恶意代码的巨大威胁,亟需对物联网恶意代码检测技术进行综合研究. 随着人工智能(artificial intelligence, AI)在计算机视觉和自然语言处理等领域取得了举世瞩目的成就,物联网安全领域也出现了许多基于人工智能的恶意代码检测工作. 通过跟进相关研究成果,从物联网环境和设备的特性出发,提出了基于该领域研究主要动机的分类方法,从面向物联网设备限制缓解的恶意代码检测和面向性能提升的物联网恶意代码检测2方面分析该领域的研究发展现状. 该分类方法涵盖了物联网恶意代码检测的相关研究,充分体现了物联网设备独有的特性以及当前该领域研究存在的不足. 最后通过总结现有研究,深入讨论了目前基于人工智能的恶意代码检测研究中存在的问题,为该领域未来的研究提出了结合大模型实现物联网恶意代码检测,提高检测模型安全性以及结合零信任架构3个可能的发展方向.
相似文献9.
10.
恶意代码变种给信息系统安全造成了巨大威胁, 为有效检测变种恶意代码, 通过动态监控、解析系统调用及参数, 将不同对象操作关联到同一对象, 构建对象状态变迁图, 然后对状态变迁图进行抗混淆处理, 获取具有一定抗干扰性的恶意代码行为特征图。最后, 基于该特征图检测未知代码。实验结果表明, 该方法能够有效抵抗恶意代码重排、垃圾系统调用等混淆技术干扰, 而且误报率低, 在检测变种恶意代码时具有较好的效果。 相似文献
11.
Contemporary malware makes extensive use of different techniques such as packing, code obfuscation, polymorphism, and metamorphism, to evade signature-based detection. Traditional signature-based detection technique is hard to catch up with latest malware or unknown malware. Behavior-based detection models are being investigated as a new methodology to defeat malware. This kind of approaches typically relies on system call sequences/graphs to model a malicious specification/pattern. In this paper, we present a new class of attacks, namely ??shadow attacks??, to evade current behavior-based malware detectors by partitioning one piece of malware into multiple ??shadow processes??. None of the shadow processes contains a recognizable malicious behavior specification known to single-process-based malware detectors, yet those shadow processes as an ensemble can still fulfill the original malicious functionality. To demonstrate the feasibility of this attack, we have developed a compiler-level prototype tool, AutoShadow, to automatically generate shadow-process version of malware given the source code of original malware. Our preliminary result has demonstrated the effectiveness of shadow attacks in evading several behavior-based malware analysis/detection solutions in real world. With the increasing adoption of multi-core computers and multi-process programs, malware writers may exploit more such shadow attacks in the future. We hope our preliminary study can foster more discussion and research to improve current generation of behavior-based malware detectors to address this great potential threat before it becomes a security problem of the epidemic proportions. 相似文献
12.
Detection of rapidly evolving malware requires classification techniques that can effectively and efficiently detect zero-day
attacks. Such detection is based on a robust model of benign behavior and deviations from that model are used to detect malicious
behavior. In this paper we propose a low-complexity host-based technique that uses deviations in static file attributes to
detect malicious executables. We first develop simple statistical models of static file attributes derived from the empirical
data of thousands of benign executables. Deviations among the attribute models of benign and malware executables are then
quantified using information-theoretic (Kullback-Leibler-based) divergence measures. This quantification reveals distinguishing
attributes that are considerably divergent between benign and malware executables and therefore can be used for detection.
We use the benign models of divergent attributes in cross-correlation and log-likelihood frameworks to classify malicious
executables. Our results, using over 4,000 malicious file samples, indicate that the proposed detector provides reasonably
high detection accuracy, while having significantly lower complexity than existing detectors. 相似文献
13.
Fu Song Tayssir Touili 《International Journal on Software Tools for Technology Transfer (STTT)》2014,16(2):147-173
The number of malware is growing extraordinarily fast. Therefore, it is important to have efficient malware detectors. Malware writers try to obfuscate their code by different techniques. Many well-known obfuscation techniques rely on operations on the stack such as inserting dead code by adding useless push and pop instructions, or hiding calls to the operating system, etc. Thus, it is important for malware detectors to be able to deal with the program’s stack. In this study, we propose a new model-checking approach for malware detection that takes into account the behavior of the stack. Our approach consists in: (1) Modeling the program using a pushdown system (PDS). (2) Introducing a new logic, called stack computation tree predicate logic (SCTPL), to represent the malicious behavior. SCTPL can be seen as an extension of the branching-time temporal logic CTL with variables, quantifiers, and predicates over the stack. (3) Reducing the malware detection problem to the model-checking problem of PDSs against SCTPL formulas. We show how our new logic can be used to precisely express malicious behaviors that could not be specified by existing specification formalisms. We then consider the model-checking problem of PDSs against SCTPL specifications. We reduce this problem to emptiness checking in Symbolic Alternating Büchi Pushdown Systems, and we provide an algorithm to solve this problem. We implemented our techniques in a tool and applied it to detect several viruses. Our results are encouraging. 相似文献
14.
基于动态分析的恶意代码检测方法由于能有效对抗恶意代码的多态和代码混淆技术,而且可以检测新的未知恶意代码等,因此得到了研究者的青睐。在这种情况下,恶意代码的编写者通过在恶意代码中嵌入大量反检测功能来逃避现有恶意代码动态检测方法的检测。针对该问题,提出了基于恶意API调用序列模式挖掘的恶意代码检测方法MACSPMD。首先,使用真机模拟恶意代码的实际运行环境来获取文件的动态API调用序列;其次,引入面向目标关联挖掘的概念,以挖掘出能够代表潜在恶意行为模式的恶意API调用序列模式;最后,将挖掘到的恶意API调用序列模式作为异常行为特征进行恶意代码的检测。基于真实数据集的实验结果表明,MACSPMD对未知和逃避型恶意代码进行检测的准确率分别达到了94.55%和97.73%,比其他基于API调用数据的恶意代码检测方法 的准确率分别提高了2.47%和2.66%,且挖掘过程消耗的时间更少。因此,MACSPMD能有效检测包括逃避型在内的已知和未知恶意代码。 相似文献
15.
Guillaume Bonfante Matthieu Kaczmarek Jean-Yves Marion 《Journal in Computer Virology》2009,5(3):263-270
Most of malware detectors are based on syntactic signatures that identify known malicious programs. Up to now this architecture
has been sufficiently efficient to overcome most of malware attacks. Nevertheless, the complexity of malicious codes still
increase. As a result the time required to reverse engineer malicious programs and to forge new signatures is increasingly
longer. This study proposes an efficient construction of a morphological malware detector, that is a detector which associates
syntactic and semantic analysis. It aims at facilitating the task of malware analysts providing some abstraction on the signature
representation which is based on control flow graphs. We build an efficient signature matching engine over tree automata techniques.
Moreover we describe a generic graph rewriting engine in order to deal with classic mutations techniques. Finally, we provide
a preliminary evaluation of the strategy detection carrying out experiments on a malware collection. 相似文献
16.
当前Android恶意应用程序在传播环节缺乏有效的识别手段,对此提出了一种基于自动化测试技术和动态分析技术的Android恶意行为检测方法。 通过自动化测试技术触发Android应用程序的行为,同时构建虚拟的沙箱监控这些行为。设计了一种组合事件行为触发模型——DroidRunner,提高了Android应用程序的代码覆盖率、恶意行为的触发率以及Android恶意应用的检测率。经过实际部署测试,该方法对未知恶意应用具有较高的检测率,能帮助用户发现和分析未知恶意应用。 相似文献
17.
Behavior‐based detection and signature‐based detection are two popular approaches to malware (malicious software) analysis. The security industry, such as the sector selling antivirus tools, has been using signature and heuristic‐based technologies for years. However, this approach has been proven to be inefficient in identifying unknown malware strains. On the other hand, the behavior‐based malware detection approach has a greater potential in identifying previously unknown instances of malicious software. The accuracy of this approach relies on techniques to profile and recognize accurate behavior models. Unfortunately, with the increasing complexity of malicious software and limitations of existing automatic tools, the current behavior‐based approach cannot discover many newer forms of malware either. In this paper, we implement ‘holography platform’, a behavior‐based profiler on top of a virtual machine emulator that intercepts the system processes and analyzes the CPU instructions, CPU registers, and memory. The captured information is stored in a relational database, and data mining techniques are used to extract information. We demonstrate the breadth of the ‘holography platform’ by conducting two experiments: a packed binary behavior analysis and a malvertising (malicious advertising) incident tracing. Both tasks are known to be very difficult to do efficiently using existing methods and tools. We demonstrate how the precise behavior information can be easily obtained using the ‘holography platform’ tool. With these two experiments, we show that the ‘holography platform’ can provide security researchers and automatic malware detection systems with an efficient malicious software behavior analysis solution. Copyright © 2011 John Wiley & Sons, Ltd. 相似文献
18.
由于Android系统的开放性,恶意软件通过实施各种恶意行为对Android设备用户构成威胁。针对目前大部分现有工作只研究粗粒度的恶意应用检测,却没有对恶意应用的具体行为类别进行划分的问题,提出了一种基于静态行为特征的细粒度恶意行为分类方法。该方法提取多维度的行为特征,包括API调用、权限、意图和包间依赖关系,并进行了特征优化,而后采用随机森林的方法实现恶意行为分类。在来自于多个应用市场的隶属于73个恶意软件家族的24 553个恶意Android应用程序样本上进行了实验,实验结果表明细粒度恶意应用分类的准确率达95.88%,综合性能优于其它对比方法。 相似文献
19.
Mihai Christodorescu Somesh Jha Johannes Kinder Stefan Katzenbeisser Helmut Veith 《Journal in Computer Virology》2007,3(4):253-265
Malware is code designed for a malicious purpose, such as obtaining root privilege on a host. A malware detector identifies
malware and thus prevents it from adversely affecting a host. In order to evade detection, malware writers use various obfuscation
techniques to transform their malware. There is strong evidence that commercial malware detectors are susceptible to these
evasion tactics. In this paper, we describe the design and implementation of a malware transformer that reverses the obfuscations performed by a malware writer. Our experimental evaluation demonstrates that this malware
transformer can drastically improve the detection rates of commercial malware detectors. 相似文献