基于语义分析的Windows恶意软件检测方法

doi:10.3969/j.issn.1671-1122.2023.10.008

信息网络安全 ›› 2023, Vol. 23 ›› Issue (10): 58-63.doi: 10.3969/j.issn.1671-1122.2023.10.008

基于语义分析的Windows恶意软件检测方法

王宇¹, 吕良双¹, 夏春和¹^,²()

1.北京航空航天大学网络技术北京市重点实验室，北京 100191
2.广西区域多源信息集成与智能处理协同创新中心，桂林 541004

收稿日期:2023-05-24 出版日期:2023-10-10 发布日期:2023-10-11
通讯作者: 夏春和 E-mail:xch@buaa.edu.cn
作者简介:王宇（1999—），女，山东，硕士研究生，主要研究方向为网络与信息安全|吕良双（1965—），男，湖北，副教授，硕士，主要研究方向为网络与信息安全|夏春和（1963—），男，江苏，教授，博士，CCF会员，主要研究方向为网络与信息安全、计算机网络对抗和云计算
基金资助:
国家自然科学基金(62272024)

A Windows Malware Detection Method Based on Semantic Analysis

WANG Yu¹, LYU Liangshuang¹, XIA Chunhe¹^,²()

1. Beijing Key Laboratory of Network Technology, Beihang University, Beijing 100191, China
2. Guangxi Collaborative Innovation Center of Multi-Source Information Integration and Intelligent Processing, Guilin 541004, China

Received:2023-05-24 Online:2023-10-10 Published:2023-10-11

摘要/Abstract

摘要：

Windows恶意软件严重侵害个人、企业甚至国家安全，为了有效发现新型恶意软件、深入剖析恶意软件的工作机制，文章提出一种基于语义分析的Windows恶意软件检测方法。该方法使用API调用之间的依赖关系描述恶意软件的行为，结合符号执行技术提取API调用依赖图，并将其作为软件的底层行为特征，通过模式发现和匹配方法，将API调用依赖图映射为ATT & CK（Adversarial Tactics，Techniques，and Common Knowledge）框架中的攻击技术，反映恶意软件所包含的行为语义。文章构建了支持向量机分类器，将攻击技术特征作为分类器输入进行训练和测试。实验结果表明，文章提出的方法能够有效发现新型恶意软件。

关键词: 恶意软件检测, 符号执行, ATT & CK

Abstract:

Windows malware has posed a serious threat to personal, enterprise, and national security. In order to detect new malware effectively and analyze the working mechanism of malware in depth, this paper proposed a Windows malware detection method based on semantic analysis. The proposed method extracted the API call dependency graph as the low-level behavior feature of the software by leveraging symbolic execution technology. Subsequently, this graph was mapped to the attack techniques in the adversarial tactics, techniques, and common knowledge (ATT & CK) framework through pattern discovery and matching methods, which could reflect the behavioral semantics of malware. Moreover, in this paper, a support vector machine classifier was built, and the attack technique features were used as inputs for the classifier to perform training and testing. Experimental results indicate that the proposed method can effectively discover new malware.

Key words: malware detection, symbolic execution, ATT & CK

中图分类号:

TP309

王宇, 吕良双, 夏春和. 基于语义分析的Windows恶意软件检测方法[J]. 信息网络安全, 2023, 23(10): 58-63.

WANG Yu, LYU Liangshuang, XIA Chunhe. A Windows Malware Detection Method Based on Semantic Analysis[J]. Netinfo Security, 2023, 23(10): 58-63.

图/表 3

参考文献 21

[1]	KARNIK A, GOSWAMI S, GUHA R. Detecting Obfuscated Viruses Using Cosine Similarity Analysis[C]// IEEE. First Asia International Conference on Modelling & Simulation. New York: IEEE, 2007: 165-170.
[2]	BRUSCHI D, MARTIGNONI L, MONGA M J I S, et al. Code Normalization for Self-Mutating Malware[J]. IEEE Security & Privacy, 2007, 5(2): 46-54.
[3]	BEAUCAMPS P, GNAEDIG I, MARION J Y. Behavior Abstraction in Malware Analysis[C]// Springer. International Conference on Runtime Verification 2010. Berlin:Springer, 2010: 168-182.
[4]	ZHANG Boyun, YIN Jianping, HAO Jingbo, et al. Malicious Codes Detection Based on Ensemble Learning[C]// Springer. International Conference on Autonomic and Trusted Computing 2007. Berlin:Springer, 2007: 468-477.
[5]	VEERAMANI R, RAI N. Windows API Based Malware Detection and Framework Analysis[C]// IEEE. International Conference on Networks and Cyber Security. New York: IEEE, 2012: 1-6.
[6]	TRINIUS P, WILLEMS C, HOLZ T, et al. A Malware Instruction Set for Behavior-Based Analysis[EB/OL]. (2010-01-01) [2023-05-12]. https://www.researchgate.net/publication/221307249_A_Malware_Instruction_Set_for_Behavior-Based_Analysis.
[7]	SEARLES R, XU Lifan, KILLIAN W, et al. Parallelization of Machine Learning Applied to Call Graphs of Binaries for Malware Detection[C]// IEEE. 25th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP). New York: IEEE, 2017: 69-77.
[8]	KI Y, KIM E, KIM H K. A Novel Approach to Detect Malware Based on API Call Sequence Analysis[J]. International Journal of Distributed Sensor Networks, 2015, 11(6): 1-9.
[9]	MIRA F, BROWN A, HUANG Wei. Novel Malware Detection Methods by Using LCS and LCSS[C]// IEEE. 2016 22nd International Conference on Automation and Computing (ICAC). New York: IEEE, 2016: 554-559.
[10]	DING Yuxin, XIA Xiaoling, CHEN Sheng, et al. A Malware Detection Method Based on Family Behavior Graph[J]. Computers & Security, 2018(73): 73-86.
[11]	MING Jiang, XIN Zhi, LAN Pengwei, et al. Impeding Behavior-Based Malware Analysis via Replacement Attacks to Malware Specifications[J]. Journal of Computer Virology and Hacking Techniques, 2017, 13(3): 193-207. doi: 10.1007/s11416-016-0281-3 URL
[12]	PEKTAS A, ACARMAN T. Classification of Malware Families Based on Runtime Behaviors[J]. Journal of Information Security and Applications, 2017(37): 91-100.
[13]	YUCEL C, KOLTUKSUZ A. Imaging and Evaluating the Memory Access for Malware[EB/OL]. (2020-03-01) [2023-05-12]. https://www.sciencedirect.com/science/article/abs/pii/S1742287619301902.
[14]	OOSTHOEK K, DOERR C. SoK: ATT&CK Techniques and Trends in Windows Malware[C]// Springer. International Conference on Security and Privacy in Communication Systems. Berlin:Springer, 2019: 406-425.
[15]	SMITH M R, JOHNSON N T, INGRAM J B, et al. Mind the Gap: on Bridging the Semantic Gap Between Machine Learning and Malware Analysis[C]// ACM. 13th ACM Workshop on Artificial Intelligence and Security. New York: ACM, 2020: 49-60.
[16]	YANG Ping, SHU Hui, KANG Fei, et al. Generating Malicious Code Attack Graph Using Semantic Analysis[J]. Computer Science, 2021, 48(S1): 448-458.
	杨萍, 舒辉, 康绯, 等. 一种基于语义分析的恶意代码攻击图生成方法[J]. 计算机科学, 2021, 48(S1): 448-458.
[17]	LENGAUER T, TARJAN R E. A Fast Algorithm for Finding Dominators in a Flowgraph[J]. ACM Transactions on Programming Languages and Systems, 1979, 1(1): 121-141. doi: 10.1145/357062.357071 URL
[18]	EAGLE C. The IDA Pro Book[M]. San Francisco: No Starch Press, 2011.
[19]	HARDOROUDI A H, DARESHURI A F, SARKAN H M. Robust Corrective and Preventive Action[C]// IEEE. 2011 IEEE International Systems Conference. New York: IEEE, 2011: 21-30.
[20]	ANDERSON H S, ROTH P. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models[EB/OL]. (2018-04-16) [2023-05-12]. https://arxiv.org/abs/1804.04637.
[21]	RAFF E, BARKER J, SYLVESTER J, et al. Malware Detection by Eating a Whole EXE[EB/OL]. (2017-10-25) [2023-05-12]. https://arxiv.org/abs/1710.09435.

任务目标	特征	准确率	精确率	召回率	F1值
未知恶意软件家族样本检测	字节码	81.95%	78.33%	87.29%	82.57%
	操作码（2-gram）	72.50%	68.08%	84.70%	75.49%
	导入API	87.34%	82.89%	93.43%	87.85%
	攻击技术模式	91.91%	89.56%	94.94%	91.96%
新出现的恶意软件样本检测	字节码	78.59%	77.71%	76.71%	77.20%
	操作码（2-gram）	80.19%	77.23%	83.07%	80.04%
	导入API	86.77%	84.60%	88.03%	86.28%
	攻击技术模式	87.07%	88.64%	83.33%	85.90%

任务目标	方法	准确率	精确率	召回率	F1值
未知恶意软件家族样本检测	MalConv	83.51%	78.61%	91.10%	84.40%
	LightGBM	92.32%	89.33%	95.76%	92.43%
	TechSVM	92.95%	89.92%	96.40%	93.05%
新出现的恶意软件样本检测	MalConv	80.10%	75.14%	86.54%	80.44%
	LightGBM	90.81%	89.03%	91.88%	90.43%
	TechSVM	92.83%	92.51%	92.31%	92.41%

基于语义分析的Windows恶意软件检测方法

A Windows Malware Detection Method Based on Semantic Analysis

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 3

参考文献 21

相关文章 14

编辑推荐

Metrics

本文评价

[1]	文伟平, 方莹, 叶何, 陈夏润. 一种对抗符号执行的代码混淆系统[J]. 信息网络安全, 2021, 21(7): 17-26.
[2]	徐国天, 刘猛猛. 基于改进哈里斯鹰算法同步优化特征选择的恶意软件检测方法[J]. 信息网络安全, 2021, 21(12): 9-18.
[3]	李明磊, 黄晖, 陆余良. 面向漏洞挖掘的基于符号分治区的测试用例生成技术[J]. 信息网络安全, 2020, 20(5): 39-46.
[4]	徐国天, 沈耀童. 基于XGBoost和LightGBM双层模型的恶意软件检测方法[J]. 信息网络安全, 2020, 20(12): 54-63.
[5]	宋鑫, 赵楷, 张琳琳, 方文波. 基于随机森林的Android恶意软件检测方法研究[J]. 信息网络安全, 2019, 19(9): 1-5.
[6]	张健, 陈博翰, 宫良一, 顾兆军. 基于图像分析的恶意软件检测技术研究[J]. 信息网络安全, 2019, 19(10): 24-31.
[7]	陈虎, 周瑶, 赵军锁. 针对特定文件结构和关键指令的符号执行优化方法[J]. 信息网络安全, 2018, 18(9): 86-94.
[8]	王夏菁, 胡昌振, 马锐, 高欣竺. 二进制程序漏洞挖掘关键技术研究综述[J]. 信息网络安全, 2017, 17(8): 1-13.
[9]	彭建山, 奚琪, 王清贤. 二进制程序整型溢出漏洞的自动验证方法[J]. 信息网络安全, 2017, 17(5): 14-21.
[10]	黄世锋, 郭亚军, 崔建群, 曾庆江. 基于优化模糊C均值的手机恶意软件检测[J]. 信息网络安全, 2016, 16(1): 45-50.
[11]	树雅倩, 付安民, 黄振涛. 基于云平台的移动支付类恶意软件检测系统的设计与实现[J]. 信息网络安全, 2016, 16(1): 59-63.
[12]	李建熠, 李晖, 黄梦媛. 基于内核日志的移动终端恶意软件检测[J]. 信息网络安全, 2015, 15(7): 58-63.
[13]	康文丹;展鹇;白静;蔡旺. 基于行为的移动智能终端恶意软件自动化分析与检测系统[J]. , 2013, 13(12): 0-0.
[14]	时志伟;李小军. 基于信息流分析的源代码漏洞挖掘技术研究[J]. , 2011, 11(11): 0-0.