Computer Science (计算机科学), 2021, Vol. 48, Issue 4: 309-315. doi: 10.11896/jsjkx.201100171

• Information Security •

Study on Malicious Behavior Graph Construction and Matching Algorithm

WANG Le-le 1, WANG Bin-qiang 1, LIU Jian-gang 2, MIAO Qi-guang 3

  1 Institute of Information Technology, Strategic Support Force Information Engineering University, Zhengzhou 450000
  2 Nanjing Information Technology Institute, Nanjing 210000
  3 School of Computer Science and Technology, Xidian University, Xi'an 710071
  • Received: 2020-06-24 Revised: 2021-02-04 Online: 2021-04-15 Published: 2021-04-09
  • Corresponding author: WANG Bin-qiang (ndsczjh@163.com)

Study on Malicious Behavior Graph Construction and Matching Algorithm

WANG Le-le 1, WANG Bin-qiang 1, LIU Jian-gang 2, MIAO Qi-guang 3

  1 Institute of Information Technology, Information Engineering University, Zhengzhou 450000, China
  2 Nanjing Information Technology Institute, Nanjing 210000, China
  3 School of Computer Science and Technology, Xidian University, Xi'an 710071, China
  • Received: 2020-06-24 Revised: 2021-02-04 Online: 2021-04-15 Published: 2021-04-09
  • About the authors: WANG Le-le, born in 1985, Ph.D. student. Her main research interests include information security. (635718080@qq.com)
    WANG Bin-qiang, born in 1963, professor, Ph.D. supervisor. His main research interests include network security and broadband information networks.

Abstract: Malware is a highly threatening security problem of the Internet age. The emergence of malicious programs and the acceleration of their spread make them harder to detect. Most firewalls and antivirus software identify malicious code by malicious signatures, i.e. a specific sequence of bytes. However, malware authors use code obfuscation techniques to evade this kind of detection. For this reason, researchers have proposed dynamic analysis methods to detect such new malicious programs, but the time efficiency and matching accuracy of these methods are not satisfactory. This paper proposes an effective malicious behavior graph construction and matching algorithm, including a storage method for the two-dimensional association graph, a construction method for the behavior graph, a construction method for behavior association rules, the design of a behavior graph parsing algorithm, and a behavior matching algorithm. Finally, an experimental analysis is presented which shows that the method achieves a high detection accuracy: except for the Auto category, its recognition rate for every other category of malware is above 90%.

Keywords: behavior correlation, behavior matching, behavior graph, minimum behavior

Abstract: Malware is a very threatening security problem in the Internet age. Due to the emergence of malicious programs and the speed-up of their propagation, it becomes more difficult to detect malicious programs. Most firewalls and antivirus software use a special set of bytes to identify malicious code based on malicious characteristics. However, malware authors use code obfuscation techniques to evade this detection. Therefore, researchers use dynamic analysis methods to combat this new kind of malicious program, but the time efficiency and matching accuracy of these methods are not satisfactory. This paper proposes an effective malicious behavior graph construction and matching algorithm, including the storage method of the two-dimensional association graph, the construction method of the behavior graph, the construction method of behavior association rules, the design of the behavior graph parser, and the behavior matching algorithm. Finally, experimental verification analysis proves that this method has a high detection accuracy rate: except for the AutoRun category, the recognition rates for all other types of malware are above 90%.

Key words: Behavior correlation, Behavior graph, Behavior matching, Minimum behavior

CLC number: TP393