计算机工程与应用 ›› 2017, Vol. 53 ›› Issue (14): 93-98.DOI: 10.3778/j.issn.1002-8331.1609-0202

• 网络、通信与安全 • 上一篇    下一篇

基于静态结构的恶意代码同源性分析

陈  琪1,蒋国平2,夏玲玲3   

  1. 1.南京邮电大学 计算机学院,南京 210003
    2.南京邮电大学 自动化学院,南京 210003
    3.南京邮电大学 通信与信息工程学院,南京 210003
  • 出版日期:2017-07-15 发布日期:2017-08-01

Homology analysis of malware based on function structure

CHEN Qi1, JIANG Guoping2, XIA Lingling3   

  1. 1.School of Computer Science and Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
    2.College of Automation, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
    3.College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
  • Online:2017-07-15 Published:2017-08-01

摘要: 由于变种和多态技术的出现,恶意代码的数量呈爆发式增长。然而涌现的恶意代码只有小部分是新型的,大部分仍是已知病毒的变种。针对这种情况,为了从海量样本中筛选出已知病毒的变种,从而聚焦新型未知病毒,提出一种改进的判定恶意代码所属家族的方法。从恶意代码的行为特征入手,使用反汇编工具提取样本静态特征,通过单类支持向量机筛选出恶意代码的代表性函数,引入聚类算法的思想,生成病毒家族特征库。通过计算恶意代码与特征库之间的相似度,完成恶意代码的家族判定。设计并实现了系统,实验结果表明改进后的方法能够有效地对各类家族的变种进行分析及判定。

关键词: 恶意代码, 单类支持向量机, 静态分析, 聚类

Abstract: With the emergence of metamorphic and polymorphic technology, the account of malicious code is in explosive growth, most of which is the variant of previously encountered samples. In order to conquer this problem and focus on new types of virus, this paper presents an approach to determine the family of malicious code. It extracts the static feature of malware samples by using disassembly tools, and filters out characteristic functions through one-class support vector machine. A family feature database is generated from those functions by adopting clustering idea. Unknown samples, after extracting characteristic functions, are compared to the content of database to determine their family. Experimental results show that it can effectively investigate the malicious code and classify variations into different malware family.

Key words: malicious code, one-class Support Vector Machine(SVM), static analysis, clustering