Computer Engineering and Applications, 2021, Vol. 57, Issue (1): 118-125. DOI: 10.3778/j.issn.1002-8331.2004-0259

• Network, Communication and Security •

Similarity Analysis of Malicious Programs Based on Two Dimensional Characteristics of Programs

REN Yichen, XIAO Da

  1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
  2. National Engineering Lab for Mobile Network Security, Beijing 100876, China
  • Online: 2021-01-01 Published: 2020-12-31

Abstract:

Cyberspace is flooded with malicious code, and most malware is not developed from scratch by attackers; it is modified from earlier versions or assembled directly from multiple pieces of malicious code. Similarity analysis is therefore particularly important in malware detection. Researchers usually analyze program similarity using only a single kind of information, which cannot fully account for a program's effective features. To address this, this paper proposes a program similarity analysis method that jointly considers the semantic features of the set of dynamic-instruction basic blocks and the structural features of the control flow graph. It analyzes the similarity of malicious programs along two dimensions, semantic and structural, and achieves high accuracy and reliability.

Key words: malware, similarity, semantic features, structure features