庞建民,,
单征
1.解放军信息工程大学 ??郑州 ??450001
2.数学工程与先进计算国家重点实验室 ??郑州 ??450001
基金项目:国家自然科学基金(61472447, 61802435, 61802433)
详细信息
作者简介:梁光辉:男,1987年生,博士生,研究方向为恶意代码分析
庞建民:男,1964年生,教授,博士生导师,研究方向为网络安全、先进计算
单征:男,1977年生,教授,博士生导师,研究方向为网络安全
通讯作者:庞建民 jianmin_pang@126.com
中图分类号:TP309计量
文章访问数:1603
HTML全文浏览量:666
PDF下载量:77
被引次数:0
出版历程
收稿日期:2018-03-21
修回日期:2018-11-06
网络出版日期:2018-11-14
刊出日期:2019-02-01
Malware Sandbox Evasion Detection Based on Code Evolution
Guanghui LIANG,Jianmin PANG,,
Zheng SHAN
1. PLA Information Engineering University, Zhengzhou 450001, China
2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Funds:The National Natural Science Foundation of China (61472447, 61802435, 61802433)
摘要
摘要:为了对抗恶意代码的沙箱规避行为,提高恶意代码的分析效率,该文提出基于代码进化的恶意代码沙箱规避检测技术。提取恶意代码的静态语义信息和动态运行时信息,利用沙箱规避行为在代码进化过程中所产生的动静态语义上的差异,设计了基于相似度差异的判定算法。在7个实际恶意家族中共检测出240个具有沙箱规避行为的恶意样本,相比于JOE分析系统,准确率提高了12.5%,同时将误报率降低到1%,其验证了该文方法的正确性和有效性。
关键词:恶意代码/
沙箱规避/
静态相似度
Abstract:In order to resist the malware sandbox evasion behavior, improve the efficiency of malware analysis, a code-evolution-based sandbox evasion technique for detecting the malware behavior is proposed. The approach can effectively accomplish the detection and identification of malware by first extracting the static and dynamic features of malware software and then differentiating the variations of such features during code evolution using sandbox evasion techniques. With the proposed algorithm, 240 malware samples with sandbox-bypassing behaviors can be uncovered successfully from 7 malware families. Compared with the JOE analysis system, the proposed algorithm improves the accuracy by 12.5% and reduces the false positive to 1%, which validates the proposed correctness and effectiveness.
Key words:Malware/
Sandbox evasion/
Static similarity
PDF全文下载地址:
https://jeit.ac.cn/article/exportPdf?id=6f1bfb8a-89b5-455b-900b-7969754bbfec
