Computer Science ›› 2021, Vol. 48 ›› Issue (6A): 448-458.doi: 10.11896/jsjkx.201100074

• Information Security •

Generating Malicious Code Attack Graph Using Semantic Analysis

YANG Ping, SHU Hui, KANG Fei, BU Wen-juan, HUANG Yu-yao   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Online: 2021-06-10  Published: 2021-06-17
  • About the authors: YANG Ping, born in 1995, master candidate. Her main research interests include cyber security and reverse engineering.
    SHU Hui, born in 1974, postgraduate, Ph.D, professor, Ph.D supervisor. His main research interests include cyber security and reverse engineering.
  • Supported by:
    National Key R&D Program of China (2019QY1300).

Abstract: To analyze the logical relationships between the high-level behaviors of malicious code, and through them its working mechanism, this paper takes behavior events as the object of study and proposes a method for generating malicious code attack graphs based on semantic analysis. First, with the help of the MITRE ATT&CK model, an m-ATT&CK (Malware Adversarial Tactics, Techniques, and Common Knowledge) model better suited to malicious code behavior analysis is established; it is composed of malware, behavior events, attack tactics and the relationships between them. Then, an approximate pattern matching behavior mapping algorithm based on F-MWTO (Fuzzy Method of Window Then Occurrence) is proposed to map malicious code behavior information onto the m-ATT&CK model, and a Hidden Markov Model is constructed to mine sequences of attack tactics. A semantic-level malicious code attack graph is defined and a generation algorithm for it is designed; combined with the identified behavior events, the algorithm restores the contextual semantic information of the high-level behaviors and produces the semantic-level attack graph. Experimental results show that the semantic-level attack graph obtained with the proposed method clearly presents the working mechanism and attack intention of malicious code.
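As an added illustration of the pipeline the abstract describes (this is not the authors' code; the paper's F-MWTO matcher, m-ATT&CK entries and HMM parameters are replaced here by constructed stand-ins): a Windows API-call trace is mapped onto techniques with a gap-tolerant subsequence matcher, a Viterbi decode over a tactic HMM recovers the tactic sequence, and the ordered hits are emitted as a small semantic-level attack graph. The technique ids are ATT&CK labels (T1060 is the v6 id the paper's references use); the API patterns attached to them, the trace and all probabilities are invented for the example.

```python
"""Toy end-to-end version of the abstract's pipeline: behaviour mapping with a
gap-tolerant matcher, tactic-sequence mining with an HMM, attack-graph output.
Added illustration, not the paper's code; all data below is constructed."""
import math

TACTICS = ["discovery", "persistence", "privilege-escalation",
           "defense-evasion", "exfiltration"]

# Constructed m-ATT&CK-style model: ATT&CK technique id -> API-call pattern.
# The ids are real ATT&CK labels; the API patterns are illustrative only.
PATTERNS = {
    "T1082": ("GetSystemInfo", "GetComputerNameW"),            # System Information Discovery
    "T1060": ("RegOpenKeyExW", "RegSetValueExW"),               # Registry Run Keys (v6 id)
    "T1055": ("OpenProcess", "VirtualAllocEx",
              "WriteProcessMemory", "CreateRemoteThread"),      # Process Injection
    "T1020": ("InternetOpenW", "InternetConnectW", "HttpSendRequestW"),  # Automated Exfiltration
}

# HMM: hidden states are tactics, observations are techniques.  T1055 is emitted
# by two tactics, so the tactic cannot be read off the technique alone; the
# transition prior (a rough kill-chain order, made up here) has to resolve it.
START = {"discovery": 0.5, "persistence": 0.2, "privilege-escalation": 0.1,
         "defense-evasion": 0.1, "exfiltration": 0.1}
EMIT = {"discovery": {"T1082": 1.0}, "persistence": {"T1060": 1.0},
        "privilege-escalation": {"T1055": 1.0}, "defense-evasion": {"T1055": 1.0},
        "exfiltration": {"T1020": 1.0}}
TRANS = {  # P(next tactic | tactic); each row sums to 1
    "discovery":            dict(zip(TACTICS, (0.1, 0.5, 0.2, 0.1, 0.1))),
    "persistence":          dict(zip(TACTICS, (0.1, 0.1, 0.4, 0.3, 0.1))),
    "privilege-escalation": dict(zip(TACTICS, (0.1, 0.1, 0.1, 0.4, 0.3))),
    "defense-evasion":      dict(zip(TACTICS, (0.1, 0.1, 0.1, 0.2, 0.5))),
    "exfiltration":         dict(zip(TACTICS, (0.1, 0.1, 0.1, 0.2, 0.5))),
}

# Constructed API-call trace in the style of a sandbox report, with unrelated
# calls interleaved so that an exact-sequence match would miss every pattern.
TRACE = [
    "GetSystemInfo", "GetTickCount", "GetComputerNameW",
    "RegOpenKeyExW", "lstrlenW", "RegSetValueExW", "RegCloseKey",
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "Sleep", "CreateRemoteThread",
    "InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW",
]


def match_pattern(trace, pattern, max_gap):
    """Earliest (start, end) at which `pattern` occurs in `trace` as an in-order
    subsequence with at most `max_gap` foreign calls between consecutive pattern
    elements, or None.  A plain window-constrained search standing in for F-MWTO."""
    for start, call in enumerate(trace):
        if call != pattern[0]:
            continue
        pos = start
        for want in pattern[1:]:
            window = range(pos + 1, min(pos + 2 + max_gap, len(trace)))
            pos = next((j for j in window if trace[j] == want), None)
            if pos is None:
                break
        else:
            return start, pos
    return None


def map_behaviours(trace, max_gap=1):
    """Map the trace to (technique, start, end) hits, ordered by trace position."""
    hits = []
    for tech, pattern in PATTERNS.items():
        span = match_pattern(trace, pattern, max_gap)
        if span is not None:
            hits.append((tech, span[0], span[1]))
    return sorted(hits, key=lambda h: h[1])


def viterbi(techniques):
    """Most probable tactic sequence for an observed technique sequence (log domain)."""
    def lp(p):
        return math.log(p) if p > 0 else float("-inf")
    score = {t: lp(START[t]) + lp(EMIT[t].get(techniques[0], 0.0)) for t in TACTICS}
    backptrs = []
    for obs in techniques[1:]:
        new_score, ptr = {}, {}
        for t in TACTICS:
            prev = max(TACTICS, key=lambda p: score[p] + lp(TRANS[p][t]))
            new_score[t] = score[prev] + lp(TRANS[prev][t]) + lp(EMIT[t].get(obs, 0.0))
            ptr[t] = prev
        score = new_score
        backptrs.append(ptr)
    path = [max(TACTICS, key=score.get)]
    for ptr in reversed(backptrs):          # trace the best path back to the start
        path.append(ptr[path[-1]])
    return path[::-1]


def build_attack_graph(trace, max_gap=1):
    """Nodes are (tactic, technique, API span); edges follow trace order, so the
    graph reads as the malware's chain of high-level behaviours."""
    hits = map_behaviours(trace, max_gap)
    if not hits:
        return [], []
    tactics = viterbi([tech for tech, _, _ in hits])
    nodes = [{"tactic": tac, "technique": tech, "apis": trace[s:e + 1]}
             for tac, (tech, s, e) in zip(tactics, hits)]
    label = lambda n: f"{n['tactic']}/{n['technique']}"
    edges = [(label(nodes[i]), label(nodes[i + 1])) for i in range(len(nodes) - 1)]
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = build_attack_graph(TRACE)
    for n in nodes:
        print(f"{n['tactic']:>20} {n['technique']}  {' -> '.join(n['apis'])}")
    for src, dst in edges:
        print(f"  {src} --> {dst}")
```

The HMM step is what a per-event lookup cannot replace: T1055 is emitted by both privilege escalation and defence evasion, and the locally better transition (persistence to privilege escalation, 0.4 versus 0.3) loses to the path through defence evasion once the following exfiltration step is scored (0.25 × 0.4 × 0.3 = 0.03 against 0.25 × 0.3 × 0.5 = 0.0375), so the decoded tactic sequence is discovery, persistence, defence evasion, exfiltration.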

Key words: Behavior mapping, High-level behavior extraction, m-ATT&CK, Semantic-level attack graph, Sequences of attack tactics mining

CLC Number: TP393.08