Venue: SysSec Workshop

Unity in Diversity: Phylogenetic-inspired Techniques for Reverse Engineering and Detection of Malware Families



Abstract

We developed a framework for abstracting, aligning and analysing malware execution traces and performed a preliminary exploration of state-of-the-art phylogenetic methods, whose strengths lie in pattern recognition and visualisation, to derive the statistical relationships within two contemporary malware families. We made use of phylogenetic trees and networks, motifs, logos, composition biases, and tree topology comparison methods with the objective of identifying common functionality and studying sources of variation in related samples. Networks were more useful than trees for visualising short nop-equivalent code metamorphism, while tree topology comparison was suited to studying variations in multiple sets of homologous procedures. We found that logos could be used for code normalisation, which resulted in a 33% to 62% reduction in the number of instructions. A motif search showed that API sequences related to the management of memory, I/O, libraries and threading do not change significantly amongst malware variants, and composition bias provided an efficient way to distinguish between families. Using context-sensitive procedure analysis, we found that 100% of a set of memory management procedures used by the FakeAV-DO and "Skyhoo" malware families were uniquely identifiable. We discuss how phylogenetic techniques can aid the reverse engineering and detection of malware families and describe some related challenges.
