引用本文
  • 韩锦荣,张元曈,朱子元,孟丹.基于底层数据流分析的恶意软件检测方法[J].信息安全学报,2020,5(4):123-137    [点击复制]
  • HAN Jinrong,ZHANG Yuantong,ZHU Ziyuan,MENG Dan.Malware Detection Method Based on Low-level Data Flow Analysis[J].Journal of Cyber Security,2020,5(4):123-137   [点击复制]
【打印本页】 【下载PDF全文】 查看/发表评论下载PDF阅读器关闭

←前一篇|后一篇→

过刊浏览    高级检索

本文已被:浏览 4873次   下载 4396 本文二维码信息
码上扫一扫!
基于底层数据流分析的恶意软件检测方法
韩锦荣1,2, 张元曈1,2, 朱子元1,2, 孟丹1,2
0
(1.中国科学院信息工程研究所 第五研究室 北京 中国 100093;2.中国科学院大学 网络空间安全学院 北京 中国 100049)
摘要:
近些年来,层出不穷的恶意软件对系统安全构成了严重的威胁并造成巨大的经济损失,研究者提出了许多恶意软件检测方案。但恶意软件开发中常利用加壳和多态等混淆技术,这使得传统的静态检测方案如静态特征匹配不足以应对。而传统的应用层动态检测方法也存在易被恶意软件禁用或绕过的缺点。本文提出一种利用底层数据流关系进行恶意软件检测的方法,即在系统底层监视程序运行时的数据传递情况,生成数据流图,提取图的特征形成特征向量,使用特征向量衡量数据流图的相似性,评估程序行为的恶意倾向,以达到快速检测恶意软件的目的。该方法具有低复杂度与高检测效率的特点。实验结果表明本文提出的恶意软件检测方法可达到较高的检测精度以及较低的误报率,分别为98.50%及3.18%。
关键词:  恶意检测  动态检测  数据依赖  底层特征
DOI:10.19363/J.cnki.cn10-1380/tn.2020.07.08
投稿时间:2018-07-05修订日期:2018-08-30
基金项目:本课题得到中国科学院战略性先导专项项目(No.XDC02010400)和国家科技重大专项项目(No.2016ZX01035101)资助。
Malware Detection Method Based on Low-level Data Flow Analysis
HAN Jinrong1,2, ZHANG Yuantong1,2, ZHU Ziyuan1,2, MENG Dan1,2
(1.The 5thLab, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
Abstract:
In recent years, the growing number of malicious software poses a serious threat to system security and has caused huge economic losses. Researchers have proposed many malicious software detection schemes, but due to the presence of packers and polymorphism techniques, traditional detection solutions such as static feature matching are inadequate. In addition, the traditional application layer dynamic detection method also has the disadvantage of being easily disabled or bypassed by malware. This paper proposes an approach for malicious software detection by using the low-level data flow relationship, which monitors the data transmission of the benign program and the malicious program at the low-level, then generates the data dependence graph, extracts feature from the data flow graph to form feature vector, uses the feature vector to measure the similarity of data flow graphs, and evaluates the malicious tendencies of software behavior to achieve the goal of quickly detecting malicious software. The method has the characteristics of low complexity and high detection efficiency. The experimental results show that the malware detection method proposed in this paper can achieve higher precision and lower false positive rate, which are 98.50% and 3.18% respectively.
Key words:  malware detection  dynamic detection  data dependence  low-level features