Cite this article:
- 解亚敏, 贾晓启, 杜海超, 唐静, 陈政材, 闫奎滈. A Survey of Evasion Malware Detection Methods [J]. Journal of Cyber Security, accepted.
- Xie Yamin, Jia Xiaoqi, Du Haichao, Tang Jing, Chen Zhengcai, Yan Kuihao. A Survey of Evasion Malware Detection Methods [J]. Journal of Cyber Security, accepted.
Abstract:
Evasive malware is malware that is able to evade or resist analysis. As the contest between attack and defense technology continues, the evasion techniques used by malicious code are becoming more diverse and more covert, and conventional security measures such as debuggers and sandboxes cannot detect evasive malware effectively. To defend against the growing and evolving body of evasive malware, academia and industry have proposed a variety of effective detection methods to support its rapid discovery. This paper focuses on the characteristics of evasive malicious code and the pain points that make it hard to detect, and studies the existing evasion strategies and detection methods. First, it summarizes the concept and characteristics of evasive malicious code; by analyzing the evasion strategies used by different families, it distils the evasion techniques commonly used by malicious code. These include traditional static evasion techniques such as obfuscation, encryption and packing; artificial-intelligence-assisted evasion methods; and dynamic evasion methods such as anti-virtualization, anti-debugging, time-based attacks and resource-analysis-based attacks. Next, taking evasive malicious code as the research object, the paper surveys the detection methods for it, summarizing the latest progress and research results in the field from the two aspects of static detection and dynamic detection, and discusses detection based on virtual machine introspection, detection based on dynamic binary analysis, detection on bare metal, and the application scenarios, advantages and limitations of auxiliary methods such as fingerprint camouflage. In addition, to achieve more efficient detection of evasive malware, the paper discusses the main challenges and future research directions for evasive malware detection, including forced-execution analysis of malware, detection based on fingerprint generation, detection based on artificial intelligence, and analysis based on dynamic time series.
Keywords: malicious code; evasion techniques; dynamic analysis; anti-virtualization; anti-debugging
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.04.20
Received: 2024-01-04; Revised: 2024-03-15
Funding:
A Survey of Evasion Malware Detection Methods
Xie Yamin, Jia Xiaoqi, Du Haichao, Tang Jing, Chen Zhengcai, Yan Kuihao
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Evasive malware is malware that is able to evade or resist analysis. As the contest between attack and defense technology continues, the evasion techniques used by malicious code are becoming more diverse and more covert, and conventional security measures such as debuggers and sandboxes cannot detect evasive malware effectively. To defend against the growing and evolving body of evasive malware, academia and industry have proposed a variety of effective detection methods to support its rapid discovery. This paper focuses on the characteristics of evasive malicious code and the pain points that make it hard to detect, and studies the existing evasion strategies and detection methods. First, the concept and characteristics of evasive malicious code are summarized; by analyzing the evasion strategies used by different families, the evasion techniques commonly used by malicious code are distilled. These include traditional static evasion techniques such as obfuscation, encryption and packing; artificial-intelligence-assisted evasion methods; and dynamic evasion methods such as anti-virtualization, anti-debugging, time-based attacks and resource-analysis-based attacks. Subsequently, taking evasive malicious code as the research object, the paper surveys the detection methods for it. The latest progress and research results in the field of evasive malware detection are summarized from the two aspects of static detection and dynamic detection, and detection based on virtual machine introspection, detection based on dynamic binary analysis, detection on bare metal, and the application scenarios, advantages and limitations of auxiliary methods such as fingerprint camouflage are discussed. In addition, to achieve more efficient detection of evasive malware, the paper also discusses the main challenges and future research directions for evasive malware detection, including forced-execution analysis of malware, detection based on fingerprint generation, detection based on artificial intelligence, and analysis based on dynamic time series.
Key words: malware; evasion techniques; dynamic analysis; anti-virtualization; anti-debugging