20 similar documents found; search took 46 ms
1.
A semantics-based method for extracting and detecting malicious-code behaviour features is proposed. By combining instruction-level taint-propagation analysis with behaviour-level semantic analysis, it extracts the key behaviours of malicious code and the dependencies between them; an anti-obfuscation engine then identifies semantically irrelevant and semantically equivalent behaviours, yielding malicious-code behaviour features with a degree of resistance to interference. On this basis, a prototype feature-extraction and detection system is implemented and validated experimentally through the analysis and detection of multiple malicious-code samples. The experimental results show that features extracted with this method are strongly resistant to interference, and that detection based on these features identifies malicious code well.
2.
3.
4.
Malicious-code variants pose a huge threat to information-system security. To detect variant malicious code effectively, the method dynamically monitors and parses system calls and their parameters, associates operations on different objects with the same object, and builds an object state-transition graph; the state-transition graph is then processed for anti-obfuscation to obtain a malicious-code behaviour feature graph with a degree of resistance to interference. Finally, unknown code is detected against this feature graph. Experimental results show that the method effectively resists obfuscation techniques such as malicious-code reordering and junk system calls, has a low false-positive rate, and performs well in detecting variant malicious code.
5.
Design and implementation of an active Web malicious-code detection and analysis system. Total citations: 1, self-citations: 0, citations by others: 1
Building on an in-depth study of client honeypots, a Web malicious-code detection method combining dynamic and static analysis is proposed, and an active Web malicious-code detection and analysis system (HoneyCat) is implemented. The system actively probes specified websites and analyses suspicious pages: it dynamically traces the IE process's registry and file operations and its network behaviour to determine whether suspicious behaviour is present, then statically analyses the pages that exhibit it. The static analysis uses a vulnerability signature library to locate the exact position of the malicious code and the vulnerability it exploits. For pages whose exploited vulnerability cannot be identified, an analysis file is generated to assist manual analysis, which supports vulnerability research and offers an opportunity to discover unknown vulnerabilities. Testing shows that the system runs stably, has high accuracy, and effectively detects malicious code in pages.
6.
Research on intrusion-detection technology based on malicious-code behaviour analysis. Total citations: 1, self-citations: 0, citations by others: 1
In intrusion detection, traditional methods constrain the intrusion-judgement process too strongly, and intrusion data contains large amounts of redundant data and noise; as a result they cannot withstand interference from behaviour-level obfuscation, which leaves detection accuracy too low, and they cannot detect network intrusions from the perspective of a three-dimensional, in-depth, multi-layered network-security defence. To address this, an intrusion-detection method based on malicious-code behaviour analysis with a semi-supervised clustering algorithm is proposed. System-call flow-graph features are extracted and fused into the code's behavioural structure and features; after labelling, they are organised by type, and the information range of the labelled code-behaviour feature data is extended to all data in the cluster in which it lies, completing type labelling, the analysis of malicious-code behaviour, and intrusion detection. Simulation results show that the proposed method is highly accurate and practical.
7.
8.
A Web malicious-code detection method based on source-code analysis. Total citations: 2, self-citations: 0, citations by others: 2
Web pages are the interface between a website and its users, and they have also become a venue exploited by attackers. This paper analyses in detail the forms that trojan injection into web pages takes, and proposes a malicious-code detection method based on source-code analysis that identifies whether malicious code has been planted in a page by analysing its source code. The method does not require executing the code, and its application is safe, simple, direct and effective.
9.
10.
To address the problems of inaccurate description of behavioural differences and unreasonable harm quantification that traditional attack-tree models have in malicious-code detection, an improved attack-tree detection method is proposed that restructures the attack tree into an attack-tree text graph, together with a harm-weight algorithm, so that the attack behaviour of malicious code can be described and judged better; cloud-detection technology is introduced to build a detection system that validates the algorithm. Experimental results show that the algorithm markedly improves detection of malicious code and its variants compared with traditional algorithms.
11.
The byte stream is widely used in malware detection due to its independence of reverse engineering. However, existing methods based on the byte stream implement an indiscriminate feature extraction strategy, which ignores the byte function difference in different segments and fails to achieve targeted feature extraction for various byte semantic representation modes, resulting in byte semantic confusion. To address this issue, an enhanced adversarial byte function associated method for malware backdoor attack is proposed in this paper by categorizing various function bytes into three functions involving structure, code, and data. The Minhash algorithm, grayscale mapping, and state transition probability statistics are then used to capture byte semantics from the perspectives of text signature, spatial structure, and statistical aspects, respectively, to increase the accuracy of byte semantic representation. Finally, the three-channel malware feature image is constructed based on different function byte semantics, and a convolutional neural network is applied for detection. Experiments on multiple data sets from 2018 to 2021 show that the method can effectively combine byte functions to achieve targeted feature extraction, avoid byte semantic confusion, and improve the accuracy of malware detection.
12.
A Web-based remote examination system. Total citations: 3, self-citations: 0, citations by others: 3
Addressing several problems in the network examination systems currently in use, this paper proposes an implementation plan for a Web-based remote examination system. The plan is secure, reliable, offers good confidentiality and is simple to maintain; it can work together with existing automatic marking systems to form a complete remote examination system.
13.
14.
An implicit-flow-sensitive method for detecting trojan spyware is proposed. It uses static analysis, which gives higher code coverage; combines data-flow analysis to compute the targets of indirect jumps; and, based on the operational semantics of branch conditions, applies improved taint-marking rules tailored to trojan-spyware detection. The method was applied to 103 real malicious-code samples and 7 legitimate programs and compared with existing methods. Experimental results show that, in trojan-spyware detection, the method has a lower false-negative rate than explicit-flow-sensitive methods and can effectively find information-stealing behaviour that is triggered only under specific conditions. At the same time, the method can distinguish the implicit flows in trojan spyware from those in legitimate software, significantly reducing the tracking of implicit flows in legitimate software.
15.
As the number of malicious samples grows rapidly, malicious-code homology analysis has become increasingly important for reducing the manual effort of attribution. However, when attackers reuse malicious code they set up specific compilation environments for different attack scenarios, which causes homologous binaries to differ greatly at the syntactic and structural levels and lowers the accuracy of homology analysis. To solve this problem, this paper analyses the effect of the compilation environment on binary generation and implements an accurate, unsupervised and efficient malicious-code homology analysis scheme. Binary lifting and re-optimisation are used to unify binaries at the intermediate-representation level, eliminating syntactic and structural changes to some degree. To overcome the shortcomings of the traditional CBOW model in learning the semantics of code tokens, an instruction-level contextual semantic learning scheme is proposed, and, taking into account the low-probability occurrence of context-free instructions, basic-block feature vectors are computed with the SIF model. In addition, since library functions and strings in malicious code carry richer sensitive information, an algorithm for building an initial basic-block matching set is proposed, which, on top of the K-Hop greedy matching algorithm and the linear matching algorithm, further improves the accuracy of homology analysis. Experiments show that, for the open-source malware Mirai, the scheme outperforms existing unsupervised and pre-trained models overall in both analysis accuracy and runtime overhead. For other kinds of malicious code, the homology indices output by the scheme all exceed the homology threshold set in advance in this paper, further demonstrating its effectiveness.
16.
In recent years, attacks on government agencies, industrial facilities and large corporate networks have emerged one after another, and cyberspace security has become a global issue bearing on national stability, social order and economic prosperity. Advanced Persistent Threats (APT) have gradually evolved into a combination of social-engineering attacks and zero-day exploits and have become one of the most serious cyberspace security threats. Current APT research focuses on finding reliable attack features and improving detection accuracy; because complex and massive data easily hides APT features, obtaining reliable data has become much harder, and how to discover APT attacks as early as possible and trace APT families is a hot topic for researchers. Against this background, this paper proposes a method for reconstructing and predicting APT attack paths. First, drawing on the idea of software genes, an APT malware gene model and a gene-similarity detection algorithm are designed to build a malicious-behaviour gene library; samples are gene-tested against this library to extract reliable malicious features, solving the problem of obtaining reliable data. Second, to reconstruct and predict APT attack paths, a hidden Markov model (HMM) is applied to APT malicious-behaviour chains: features generated from the malicious-behaviour gene library are used to build malicious-behaviour chains and estimate the model parameters, and the APT attack path is then reconstructed and predicted, with prediction accuracy above 90%. Finally, using the two methods of HMM and gene detection, malware is...
17.
Uli Harder Matt W. Johnson Jeremy T. Bradley William J. Knottenbelt 《Electronic Notes in Theoretical Computer Science》2006,151(3):47-59
A network telescope is a portion of IP address space dedicated to observing inbound internet traffic. The purpose of a network telescope is to detect and log malicious traffic which originates from internet worms and viruses. In this paper, we investigate the statistical properties of observed traffic from a passive Class C telescope over a total of three months. We observe that only a few IP sources and destination ports are responsible for the majority of the traffic. We also demonstrate various ways to visualise the traffic profile from a telescope. We show that specific profiles can identify and distinguish portscans, hostscans and distributed denial-of-service (DDOS) attacks. Looking at the inter-arrival time of packets, the power spectrum and the detrended fluctuation analysis of the observed traffic, we show that there is very little sign of long-range dependence. This is in stark contrast to other network traffic and presents exciting possibilities for identifying malicious traffic purely from its traffic profile.
18.
Cyberspace is flooded with large amounts of malicious code, most of which is not developed independently by attackers but modified from earlier versions or assembled directly from multiple pieces of malicious code; similarity analysis has therefore become especially important in malicious-program detection. Researchers often analyse program similarity using a single kind of information and so cannot comprehensively consider a program's effective features. To address this, a method is proposed that jointly considers the semantic features of sets of dynamic-instruction basic blocks and the structure of the control-flow graph...
19.
Monika Sharma;Ajay Kaul; 《Expert Systems》2024,41(1):e13482
Malware developers install malware on mobile users' devices and steal their personal information without their knowledge. According to recent studies, it has been observed that malware developers are now targeting Android mobile devices. Researchers have examined the issues of detecting malware in these devices and proposed different methods and techniques. This study's main goal is to aid researchers in gaining a basic understanding of Android malware and its numerous detection methods. Earlier experiments that used machine learning to detect Android malware will be carefully reviewed in this paper. This in-depth review article thoroughly examines the origins, evolution, and sustainability of Android malware detection. It offers an in-depth literature review that includes the most recent approaches and research trends for detecting malware, from static analysis to dynamic analysis, machine learning, and deep learning. Additionally, we review current approaches' shortcomings and difficulties and suggest possible paths for further investigation. The paper aims to stimulate further innovation in this essential field by providing researchers and practitioners with a comprehensive overview of the current status of Android malware detection.
20.
Behavior‐based detection and signature‐based detection are two popular approaches to malware (malicious software) analysis. The security industry, such as the sector selling antivirus tools, has been using signature and heuristic‐based technologies for years. However, this approach has been proven to be inefficient in identifying unknown malware strains. On the other hand, the behavior‐based malware detection approach has a greater potential in identifying previously unknown instances of malicious software. The accuracy of this approach relies on techniques to profile and recognize accurate behavior models. Unfortunately, with the increasing complexity of malicious software and limitations of existing automatic tools, the current behavior‐based approach cannot discover many newer forms of malware either. In this paper, we implement ‘holography platform’, a behavior‐based profiler on top of a virtual machine emulator that intercepts the system processes and analyzes the CPU instructions, CPU registers, and memory. The captured information is stored in a relational database, and data mining techniques are used to extract information. We demonstrate the breadth of the ‘holography platform’ by conducting two experiments: a packed binary behavior analysis and a malvertising (malicious advertising) incident tracing. Both tasks are known to be very difficult to do efficiently using existing methods and tools. We demonstrate how the precise behavior information can be easily obtained using the ‘holography platform’ tool. With these two experiments, we show that the ‘holography platform’ can provide security researchers and automatic malware detection systems with an efficient malicious software behavior analysis solution. Copyright © 2011 John Wiley & Sons, Ltd.