| 摘要: |
| 近些年来,层出不穷的恶意软件对系统安全构成了严重的威胁并造成巨大的经济损失,研究者提出了许多恶意软件检测方案。但恶意软件开发中常利用加壳和多态等混淆技术,这使得传统的静态检测方案如静态特征匹配不足以应对。而传统的应用层动态检测方法也存在易被恶意软件禁用或绕过的缺点。本文提出一种利用底层数据流关系进行恶意软件检测的方法,即在系统底层监视程序运行时的数据传递情况,生成数据流图,提取图的特征形成特征向量,使用特征向量衡量数据流图的相似性,评估程序行为的恶意倾向,以达到快速检测恶意软件的目的。该方法具有低复杂度与高检测效率的特点。实验结果表明本文提出的恶意软件检测方法可达到较高的检测精度以及较低的误报率,分别为98.50%及3.18%。 |
| 关键词: 恶意检测 动态检测 数据依赖 底层特征 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2020.07.08 |
| Received:July 05, 2018Revised:August 30, 2018 |
| 基金项目:本课题得到中国科学院战略性先导专项项目(No.XDC02010400)和国家科技重大专项项目(No.2016ZX01035101)资助。 |
|
| Malware Detection Method Based on Low-level Data Flow Analysis |
| HAN Jinrong,ZHANG Yuantong,ZHU Ziyuan,MENG Dan |
| The 5thLab, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
| Abstract: |
| In recent years, the growing number of malicious software poses a serious threat to system security and has caused huge economic losses. Researchers have proposed many malicious software detection schemes, but due to the presence of packers and polymorphism techniques, traditional detection solutions such as static feature matching are inadequate. In addition, the traditional application layer dynamic detection method also has the disadvantage of being easily disabled or bypassed by malware. This paper proposes an approach for malicious software detection by using the low-level data flow relationship, which monitors the data transmission of the benign program and the malicious program at the low-level, then generates the data dependence graph, extracts feature from the data flow graph to form feature vector, uses the feature vector to measure the similarity of data flow graphs, and evaluates the malicious tendencies of software behavior to achieve the goal of quickly detecting malicious software. The method has the characteristics of low complexity and high detection efficiency. The experimental results show that the malware detection method proposed in this paper can achieve higher precision and lower false positive rate, which are 98.50% and 3.18% respectively. |
| Key words: malware detection dynamic detection data dependence low-level features |
