Journal of Systems Engineering and Electronics, 2012, Vol. 34, Issue 8: 1735-1740.

• Software, Algorithms and Simulation •

Research on detecting technology of malicious software based on sub-behavior
(Chinese title, translated: Research on malware detection oriented to minimum behavior)

MIAO Qi-guang, WANG Yun, CAO Ying, LIU Wen-chuang

  1. School of Computer, Xidian University, Xi’an 710071, China
  • Online: 2012-08-27 Published: 2010-01-03

Abstract (translated from the Chinese):

A malware analysis method based on minimum behavior is proposed. A minimum behavior is the smallest correlated set of application programming interface (API) calls that expresses complete semantics while a program runs. A prototype malware detection system based on minimum behavior is implemented: it dynamically captures the APIs a malicious program calls, together with their parameters, extracts the use-dependency profile between API calls, builds the program's minimum-behavior feature vector, and performs detection with a chi-square test. Compared with the traditional method based on API frequency statistics, this method filters out a large amount of useless information, achieving a higher detection rate for malware and a lower false-positive rate.

Abstract (English, as published):

A malware detection method based on minimum behavior is proposed. A minimum behavior is defined as the subset of application programming interface (API) calls through which the malicious code operates on each resource at runtime. A malware detection system based on minimum behavior is implemented: it dynamically captures the system calls, constructs the malware signature by extracting the definition-use (def-use) relations between system calls, and then detects malware with a chi-square test. Compared with the method based on API call frequency, the proposed method has a higher true positive fraction and a lower false positive fraction.