基于归一化的变形恶意代码检测

许多未知恶意代码是由已知恶意代码变形而来。该文针对恶意代码常用的变形技术，包括等价指令替换、插入垃圾代码和指令重排，提出完整的归一化方案，以典型的变形病毒Win32.Evol对原型系统进行测试，是采用归一化思想检测变形恶意代码方面的有益尝试。

Metamorphic Malware Detection Based on Normalization

Much of unknown malware comes from transformed known malware. This paper proposes a complete normalization scheme to resolve the common transforming methods, including identical instructions substitution, garbage code insertion and code reordering. It implements a prototype system and a test to the system is conducted using Win32.Evol, a typical metamorphic virus. It makes a useful attempt to adopt normalization, to detect metamorphic malware.