Computer Science, 2021, Vol. 48, Issue 4: 309-315. doi: 10.11896/jsjkx.201100171

• Information Security •

Study on Malicious Behavior Graph Construction and Matching Algorithm

WANG Le-le 1, WANG Bin-qiang 1, LIU Jian-gang 2, MIAO Qi-guang 3

  1 Institute of Information Technology, Information Engineering University, Zhengzhou 450000, China
  2 Nanjing Information Technology Institute, Nanjing 210000, China
  3 School of Computer Science and Technology, Xidian University, Xi’an 710071, China
  • Received: 2020-06-24  Revised: 2021-02-04  Online: 2021-04-15  Published: 2021-04-09
  • About author: WANG Le-le, born in 1985, Ph.D. student. Her main research interests include information security. (635718080@qq.com)
    WANG Bin-qiang, born in 1963, professor, Ph.D. supervisor. His main research interests include network security and broadband information networks.

Abstract: Malware is one of the most serious security threats of the Internet age. As new malicious programs keep emerging and spread ever faster, detecting them becomes increasingly difficult. Most firewalls and antivirus software identify malicious code by a characteristic byte sequence (a signature) derived from known malicious features; however, malware authors use code obfuscation techniques to evade this kind of detection. Researchers have therefore turned to dynamic analysis to counter these newer malicious programs, but its time efficiency and matching accuracy are not yet satisfactory. This paper proposes an effective malicious behavior graph construction and matching algorithm, covering the storage method for the two-dimensional association graph, the construction method for the behavior graph, the construction method for behavior association rules, the design of the behavior graph parser, and the behavior matching algorithm. Finally, experimental verification and analysis prove that the method achieves a high detection accuracy: except for the AutoRun category, the recognition rates for all other malware types are above 90%.

Key words: Behavior correlation, Behavior graph, Behavior matching, Minimum behavior

CLC Number: TP393