基于动态行为指纹的恶意代码同源性分析

针对恶意代码在网络空间中呈爆发式增长,但多数是已有代码变种的情况。通过研究恶意代码行为特征,提出一套新的判别恶意代码同源性的方法.从恶意代码行为入手,提取恶意代码行为指纹,通过指纹匹配算法来分析恶意样本是否是已知样本的变种.经研究分析,最终筛选3种特征来描绘恶意软件的动态行为指纹:一是字符串的命名特征;二是注册表的变化特征;三是围绕关键API函数的调用顺序的特征.通过指纹匹配算法计算不同恶意代码之间的相似性度量,进行同源性分析.实验结果表明,该方法能够有效地对不同恶意代码及其变种进行同源性分析.

Homology Analysis of Malicious Code Based on Dynamic-behavior Fingerprint

With the situation of the explosive growth of malicious code in network space, and many of the malicious samples are variations of previously encountered samples. The paper presents a novel approach to investigate the homology of malicious code based on behavior characteristics. To distinguish the variations of malicious code, we extract the dynamic-behavior fingerprint of malwares, then use fingerprint matching algorithm to compute the similarity of malwares. Through our studying, finally, we select 3 different behavior characteristics as the dynamic-behavior fingerprint of malwares: (i) is the characteristic of the name of strings, (ii) is the characteristic of register changes, (iii) is the characteristic of the sequence of key API calls. Finally, we compute the similarity value of different malwares to distinguish the homology of malicious code. Experiments show that it effectively investigates the homology of malicious code.