摘要: |
恶意代码检测技术作为网络空间安全的重要研究问题之一,无论是传统的基于规则的恶意代码检测方法,还是基于机器学习的启发式恶意代码检测方法,首先都需要自动化或人工方式提取恶意代码的结构、功能和行为特征。随着网络攻防的博弈,恶意代码呈现出隐形化、多态化、多歧化特点,如何正确而有效的理解恶意代码并提取其中的关键恶意特征是恶意代码检测技术的主要目标。程序切片作为一种重要的程序理解方法,通过运用“分解”的思想对程序代码进行分析,进而提取分析人员感兴趣的代码片段。由于经典程序切片技术主要面向高级语言,而恶意代码通常不提供源代码,仅能够获取反汇编后的二进制代码,因此二进制代码切片技术在恶意代码检测技术中的应用面临如下挑战:(1)传统的面向高级语言的程序切片算法如何准确而有效的应用到二进制代码切片中;(2)针对恶意代码如何尽可能完整的提取能够表征关键恶意特征的程序切片。本文通过对经典程序切片算法的改进,有效改善了二进制代码过程间切片和切片粒度问题,并通过人工分析典型恶意代码,提取了42条有效表征恶意代码关键恶意特征的切片准则。实验表明,本文提出的方法可以提升恶意代码同源性检测的精度和效率。 |
关键词: 程序切片 二进制分析 恶意代码检测 |
DOI:10.19363/J.cnki.cn10-1380/tn.2021.05.08 |
投稿时间:2019-07-12修订日期:2019-08-23 |
基金项目:本课题得到国家自然科学基金重点项目(No.U1736218)和科技部重大专项(No.2018YFB0804704)资助。 |
|
Application Research of Slicing Technology of Binary Executables in Malware Detection |
MEI Rui,YAN Han-Bing,SHEN Yuan,HAN Zhi-Hui |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Beijing 100029, China;School of Computer Science and Engineering, Beihang University, Beijing 100191, China |
Abstract: |
Malware detection technology has been an important research topics of cybersecurity. Both traditional rule-based malware detection methods or the heuristic malware detection methods based on machine learning are all need to extract structural, functional, and behavioral characteristics of malware automatically or manually. With the game of cyber attack and defense, malware presents the characteristics of stealthy, polymorphic and multipartite. How to understand the malware accurately and effectively and extract the key malicious features is the main goal of malware detection technology. As a kind of important program understanding method, program slicing analyzes the program code by using the idea of “decomposition”, and then extracts the code snippets that the analyst is interested in. Because the classic program slicing technology is mainly for high-level program languages, and malware usually does not provide source code, but only the binary code can be obtained. Therefore, the application of binary code slicing technology in malware detection technology faces the following challenges: (1) how the classical high-level language-oriented program slicing algorithm can be applied to binary code slices accurately and effectively; (2) how to extract the program slices that can represent the key malicious features as completely as possible for malware. Through the improvement of the classical program slicing algorithm, this paper effectively improves interprocedural slicing and slicing granularity issues. By analyzing the typical malware manually, we extract 42 slicing criterions that effectively characterize the malicious features of malware. Experiments show that the proposed method can improve the accuracy and efficiency of malware homology detection. |
Key words: program slicing binary analysis malware detection |