引用本文
  • 梅瑞,严寒冰,沈元,韩志辉.二进制代码切片技术在恶意代码检测中的应用研究[J].信息安全学报,2021,6(3):125-140    [点击复制]
  • MEI Rui,YAN Han-Bing,SHEN Yuan,HAN Zhi-Hui.Application Research of Slicing Technology of Binary Executables in Malware Detection[J].Journal of Cyber Security,2021,6(3):125-140   [点击复制]
【打印本页】 【下载PDF全文】 查看/发表评论下载PDF阅读器关闭

←前一篇|后一篇→

过刊浏览    高级检索

本文已被:浏览 7579次   下载 6400 本文二维码信息
码上扫一扫!
二进制代码切片技术在恶意代码检测中的应用研究
梅瑞1,2, 严寒冰3, 沈元4, 韩志辉3
0
(1.中国科学院信息工程研究所 北京 中国 100093;2.中国科学院大学网络空间安全学院 北京 中国 100049;3.国家计算机网络应急技术处理协调中心 北京 中国 100029;4.北京航空航天大学计算机学院 北京 中国 100191)
摘要:
恶意代码检测技术作为网络空间安全的重要研究问题之一,无论是传统的基于规则的恶意代码检测方法,还是基于机器学习的启发式恶意代码检测方法,首先都需要自动化或人工方式提取恶意代码的结构、功能和行为特征。随着网络攻防的博弈,恶意代码呈现出隐形化、多态化、多歧化特点,如何正确而有效的理解恶意代码并提取其中的关键恶意特征是恶意代码检测技术的主要目标。程序切片作为一种重要的程序理解方法,通过运用“分解”的思想对程序代码进行分析,进而提取分析人员感兴趣的代码片段。由于经典程序切片技术主要面向高级语言,而恶意代码通常不提供源代码,仅能够获取反汇编后的二进制代码,因此二进制代码切片技术在恶意代码检测技术中的应用面临如下挑战:(1)传统的面向高级语言的程序切片算法如何准确而有效的应用到二进制代码切片中;(2)针对恶意代码如何尽可能完整的提取能够表征关键恶意特征的程序切片。本文通过对经典程序切片算法的改进,有效改善了二进制代码过程间切片和切片粒度问题,并通过人工分析典型恶意代码,提取了42条有效表征恶意代码关键恶意特征的切片准则。实验表明,本文提出的方法可以提升恶意代码同源性检测的精度和效率。
关键词:  程序切片  二进制分析  恶意代码检测
DOI:10.19363/J.cnki.cn10-1380/tn.2021.05.08
投稿时间:2019-07-12修订日期:2019-08-23
基金项目:本课题得到国家自然科学基金重点项目(No.U1736218)和科技部重大专项(No.2018YFB0804704)资助。
Application Research of Slicing Technology of Binary Executables in Malware Detection
MEI Rui1,2, YAN Han-Bing3, SHEN Yuan4, HAN Zhi-Hui3
(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;3.National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Beijing 100029, China;4.School of Computer Science and Engineering, Beihang University, Beijing 100191, China)
Abstract:
Malware detection technology has been an important research topics of cybersecurity. Both traditional rule-based malware detection methods or the heuristic malware detection methods based on machine learning are all need to extract structural, functional, and behavioral characteristics of malware automatically or manually. With the game of cyber attack and defense, malware presents the characteristics of stealthy, polymorphic and multipartite. How to understand the malware accurately and effectively and extract the key malicious features is the main goal of malware detection technology. As a kind of important program understanding method, program slicing analyzes the program code by using the idea of “decomposition”, and then extracts the code snippets that the analyst is interested in. Because the classic program slicing technology is mainly for high-level program languages, and malware usually does not provide source code, but only the binary code can be obtained. Therefore, the application of binary code slicing technology in malware detection technology faces the following challenges: (1) how the classical high-level language-oriented program slicing algorithm can be applied to binary code slices accurately and effectively; (2) how to extract the program slices that can represent the key malicious features as completely as possible for malware. Through the improvement of the classical program slicing algorithm, this paper effectively improves interprocedural slicing and slicing granularity issues. By analyzing the typical malware manually, we extract 42 slicing criterions that effectively characterize the malicious features of malware. Experiments show that the proposed method can improve the accuracy and efficiency of malware homology detection.
Key words:  program slicing  binary analysis  malware detection