Netinfo Security ›› 2023, Vol. 23 ›› Issue (10): 58-63. doi: 10.3969/j.issn.1671-1122.2023.10.008

• Selected Papers •

A Windows Malware Detection Method Based on Semantic Analysis

WANG Yu1, LYU Liangshuang1, XIA Chunhe1,2

  1. Beijing Key Laboratory of Network Technology, Beihang University, Beijing 100191, China
  2. Guangxi Collaborative Innovation Center of Multi-Source Information Integration and Intelligent Processing, Guilin 541004, China
  • Received: 2023-05-24 Online: 2023-10-10 Published: 2023-10-11
  • Corresponding author: XIA Chunhe, E-mail: xch@buaa.edu.cn
  • About the authors: WANG Yu (b. 1999), female, from Shandong, master's student; research interests: network and information security. LYU Liangshuang (b. 1965), male, from Hubei, associate professor, master's degree; research interests: network and information security. XIA Chunhe (b. 1963), male, from Jiangsu, professor, Ph.D., CCF member; research interests: network and information security, computer network confrontation, and cloud computing.
  • Funding:
    National Natural Science Foundation of China (62272024)

Abstract:

Windows malware poses a serious threat to personal, enterprise, and national security. To detect new malware effectively and to analyze the working mechanism of malware in depth, this paper proposes a Windows malware detection method based on semantic analysis. The method describes malware behavior by the dependency relations between API calls: it uses symbolic execution to extract the API call dependency graph and takes that graph as the software's low-level behavior feature. Through pattern discovery and matching, the graph is then mapped to attack techniques in the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, which reflect the behavioral semantics of the malware. A support vector machine classifier is built, and the attack-technique features are used as its input for training and testing. Experimental results indicate that the proposed method can effectively discover new malware.

Key words: malware detection, symbolic execution, ATT&CK
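The core step of the abstract is the mapping from an API call dependency graph to ATT&CK technique features. The following Python is an added illustration of that step and is not the paper's code: the two API traces are constructed, the technique patterns (API names plus an optional argument hint, keyed by ATT&CK IDs T1547.001, T1055 and T1105) are assumptions chosen for the example, and the real paper's pattern-discovery procedure and SVM classifier are not implemented. It shows why the dependency edges matter: a write to a registry key only counts toward the persistence pattern when the handle it uses was returned by opening the Run key.

```python
"""Map an API-call dependency graph to ATT&CK technique features (added example)."""
from collections import defaultdict

# Return values that are status codes, not data that later calls can consume.
IGNORED_RETURNS = {"0", "1"}

# Constructed trace: (call_id, api, args, return_value). The strings stand in for the
# concrete or symbolic values a symbolic executor would record along one path.
INJECT_TRACE = [
    (1, "RegOpenKeyExW", ["HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"], "hKey1"),
    (2, "RegSetValueExW", ["hKey1", "Updater", "C:\\Users\\u\\svc.exe"], "0"),
    (3, "RegCloseKey", ["hKey1"], "0"),
    (4, "OpenProcess", ["PROCESS_ALL_ACCESS", "pid"], "hProc"),
    (5, "VirtualAllocEx", ["hProc", "0x1000"], "pRemote"),
    (6, "WriteProcessMemory", ["hProc", "pRemote", "buf"], "1"),
    (7, "CreateRemoteThread", ["hProc", "pRemote"], "hThread"),
]

# Constructed benign trace: reads the Run key but writes only to an unrelated key,
# so there is no dependency edge from the Run-key open to the write.
BENIGN_TRACE = [
    (1, "RegOpenKeyExW", ["HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"], "hKey1"),
    (2, "RegQueryValueExW", ["hKey1", "Updater"], "0"),
    (3, "RegOpenKeyExW", ["HKCU", "Software\\Example\\Settings"], "hKey2"),
    (4, "RegSetValueExW", ["hKey2", "Theme", "dark"], "0"),
]

# Assumed technique patterns: ordered (api, argument_hint) pairs. Every call after
# the first must consume a value returned by an earlier matched call.
TECHNIQUE_PATTERNS = {
    "T1547.001": [("RegOpenKeyExW", "CurrentVersion\\Run"), ("RegSetValueExW", None)],
    "T1055": [("OpenProcess", None), ("VirtualAllocEx", None),
              ("WriteProcessMemory", None), ("CreateRemoteThread", None)],
    "T1105": [("InternetOpenUrlW", None), ("InternetReadFile", None), ("WriteFile", None)],
}


def build_dependency_graph(trace):
    """Edge u -> v means call v consumes a value (handle, pointer, buffer) returned by u."""
    calls = {}                 # call_id -> (api, args)
    producer = {}              # value -> call_id that returned it
    edges = defaultdict(set)   # call_id -> ids of calls that depend on it
    for call_id, api, args, ret in trace:
        calls[call_id] = (api, args)
        for arg in args:
            if arg in producer:
                edges[producer[arg]].add(call_id)
        if ret not in IGNORED_RETURNS:
            producer[ret] = call_id
    return calls, edges


def match_pattern(pattern, calls, edges):
    """Return the matched call ids, or None if the pattern is not present as a
    dependency-connected set of calls."""
    def fits(call_id, api, arg_hint):
        got_api, args = calls[call_id]
        return got_api == api and (arg_hint is None or any(arg_hint in str(a) for a in args))

    def extend(i, matched):
        if i == len(pattern):
            return matched
        api, arg_hint = pattern[i]
        for call_id in calls:
            if call_id in matched or not fits(call_id, api, arg_hint):
                continue
            if i > 0 and not any(call_id in edges.get(m, ()) for m in matched):
                continue  # present by name, but not connected by a dependency edge
            result = extend(i + 1, matched + [call_id])
            if result:
                return result
        return None

    return extend(0, [])


def technique_features(trace):
    """Map a trace to {technique_id: 0/1} via the dependency graph."""
    calls, edges = build_dependency_graph(trace)
    return {tid: int(match_pattern(p, calls, edges) is not None)
            for tid, p in TECHNIQUE_PATTERNS.items()}


def feature_vector(trace):
    """Fixed-order binary vector; this is the kind of input a classifier would consume."""
    feats = technique_features(trace)
    return [feats[tid] for tid in sorted(TECHNIQUE_PATTERNS)]


if __name__ == "__main__":
    for name, trace in (("inject", INJECT_TRACE), ("benign", BENIGN_TRACE)):
        print(name, technique_features(trace), feature_vector(trace))
```

The binary vector is ordered by technique ID so that every sample produces the same feature layout; in the paper's pipeline a vector of this shape is what the support vector machine is trained on, while here the patterns are hand-written rather than discovered from data.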
