| 识别恶意软件中的加密函数 |
| |
| 引用本文: | 蔡建章 魏强 祝跃飞. 识别恶意软件中的加密函数[J]. 计算机应用, 2013, 33(11): 3239-3243 |
| |
| 作者姓名: | 蔡建章 魏强 祝跃飞 |
| |
| 作者单位: | 信息工程大学 网络空间安全学院,郑州 450002 |
| |
| 摘 要: | 针对恶意软件通过加密函数规避安全检测和流量分析这一问题,提出了一种识别恶意软件中加密函数的方法。通过识别恶意软件动态执行路径中的循环、循环的输入和输出参数,构建恶意软件的动态循环数据流图,通过循环数据流图提取循环的输入和输出参数集合,设计已知加密函数的参考实现对循环输入集合中的元素进行运算,判断输出是否能够匹配输出集合中的元素从而识别恶意软件中的加密函数。实验证明此分析方法能够分析严重混淆的恶意软件其传输载荷所采用的加密函数。
|
| 关 键 词: | 加密函数识别 循环的输入和输出参数 循环数据流图 循环输入输出集合 动态二进制插桩 |
| 收稿时间: | 2013-05-09 |
| 修稿时间: | 2013-07-14 |
Identification of encrypted function in malicious software |
| |
| CAI Jianzhang WEI Qiang ZHU Yuefei. Identification of encrypted function in malicious software[J]. Journal of Computer Applications, 2013, 33(11): 3239-3243 |
| |
| Authors: | CAI Jianzhang WEI Qiang ZHU Yuefei |
| |
| Affiliation: | Cyberspace Security Institute, Information Engineering University, Zhengzhou Henan 450002, China |
| |
| Abstract: | To resolve that the malware (malicious software) usually avoids security detection and flow analysis through encryption function, this paper proposed a scheme which can identify the encrypted function in malware. The scheme generated the dynamic loop data flow graph by identifying the loop and input/output of the loop in the dynamic trace. Then the sets of input/output were abstracted according to the loop data flow graph, the reference of known encrypted function was designed and the reference whose parameters were elements of the input sets was computed. If the result could match any element of the output sets, then the scheme could conclude the malware encrypts information by the known encrypted function. The experimental results prove that the proposed scheme can analyze the encrypted function of payload in the obfuscated malware. |
| |
| Keywords: | encrypted function identification input/output parameter of loop loop data flow graph input/output set in loop dynamic binary instrument |
|
| 点击此处可从《计算机应用》浏览原始摘要信息 |
|
点击此处可从《计算机应用》下载全文 |
