高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

基于代码进化的恶意代码沙箱规避检测技术研究

梁光辉 庞建民 单征

梁光辉, 庞建民, 单征. 基于代码进化的恶意代码沙箱规避检测技术研究[J]. 电子与信息学报, 2019, 41(2): 341-347. doi: 10.11999/JEIT180257
引用本文: 梁光辉, 庞建民, 单征. 基于代码进化的恶意代码沙箱规避检测技术研究[J]. 电子与信息学报, 2019, 41(2): 341-347. doi: 10.11999/JEIT180257
Guanghui LIANG, Jianmin PANG, Zheng SHAN. Malware Sandbox Evasion Detection Based on Code Evolution[J]. Journal of Electronics & Information Technology, 2019, 41(2): 341-347. doi: 10.11999/JEIT180257
Citation: Guanghui LIANG, Jianmin PANG, Zheng SHAN. Malware Sandbox Evasion Detection Based on Code Evolution[J]. Journal of Electronics & Information Technology, 2019, 41(2): 341-347. doi: 10.11999/JEIT180257

基于代码进化的恶意代码沙箱规避检测技术研究

doi: 10.11999/JEIT180257
基金项目: 国家自然科学基金(61472447, 61802435, 61802433)
详细信息
    作者简介:

    梁光辉:男,1987年生,博士生,研究方向为恶意代码分析

    庞建民:男,1964年生,教授,博士生导师,研究方向为网络安全、先进计算

    单征:男,1977年生,教授,博士生导师,研究方向为网络安全

    通讯作者:

    庞建民 jianmin_pang@126.com

  • 中图分类号: TP309

Malware Sandbox Evasion Detection Based on Code Evolution

Funds: The National Natural Science Foundation of China (61472447, 61802435, 61802433)
  • 摘要:

    为了对抗恶意代码的沙箱规避行为,提高恶意代码的分析效率,该文提出基于代码进化的恶意代码沙箱规避检测技术。提取恶意代码的静态语义信息和动态运行时信息,利用沙箱规避行为在代码进化过程中所产生的动静态语义上的差异,设计了基于相似度差异的判定算法。在7个实际恶意家族中共检测出240个具有沙箱规避行为的恶意样本,相比于JOE分析系统,准确率提高了12.5%,同时将误报率降低到1%,其验证了该文方法的正确性和有效性。

  • 图  1  模型框架

    图  2  沙箱规避行为统计

    表  1  沙箱规避代码进化示意

    Malicious code AEvasive Malicious code B
    Main_behavior( )Main_behavior( )
    {{
    1 Registry_opeartion( ) 1 flag = check_sandbox( )
    2 Process_injection( ) 2 if (flag == True):
    3 File_compress( ) 3 do_benign( ) or exit()
    4 Connection_C&C_server( ) 4 else:
    5 Waiting_for_instruction( ) 5 Registry_opeartion( )
    6 File_send( ) 6 Process_injection( )
    } 7 File_compress( )
    8 Connection_C&C_server( )
    9 Waiting_for_ instruction( )
    10 File_send( )
    }
    下载: 导出CSV

    表  2  规避行为检测算法

     For $\left( {{M_i},{M_j}} \right)$ in $C_M^2$:
      PS $\left( {{M_i},{M_j}} \right)$ = $\alpha $
      if $\alpha < \varepsilon $:
       continue
      ${\rm PB}\left( {{M_i},{M_j}} \right) = \beta $
      if $\alpha - \beta > \tau $:
       if ${B_i} > {B_j}$:
        ${M_j}$ is an evasive malware
       else:
        ${M_i}$ is an evasive malware
      else:
       No Evasion
    下载: 导出CSV

    表  3  恶意代码家族情况

    家族名称数量时间分布
    Bifrose3172008~2015
    Dridex572012~2014
    Necurs1542011~2016
    Sfone1512009~2016
    Unruy7252008~2016
    Urleas572010~2015
    Confidence1662011~2016
    下载: 导出CSV

    表  4  沙箱规避情况统计

    家族名称样本数量沙箱规避样本数量百分比(%)
    Bifrose3174112.9
    Dridex572238.5
    Necurs1544025.9
    Sfone151117.2
    Unruy725709.6
    Urleas573052.6
    Confidence1662615.6
    下载: 导出CSV

    表  5  检测结果对比

    TPTNFPFN精度(%)TPR (%)FPR (%)F1
    JOE2321294524981.682.53.80.8204
    MSED2261331145694.180.110.8653
    下载: 导出CSV
  • ANUBIS: Analyzing unknown binaries[OL]. www.anubis.iseclab.org, 2015.
    YIN Heng and SONG Dawn. Temu: Binary code analysis via whole-system layered annotative execution[R]. Submitted to Vee University of California, Berkeley, Tech Rep, 2010.
    CUCKOO Sandbox. Automated malware analysis[OL]. www.cuckoosandbox.org, 2016.
    RAIU C, HASBINI M, BEOLV S, et al. From Shamoon to Stonedrill-Wipers attacking Saudi organizations and beyond[R]. Kaspersky Lab, March, 2017.
    YOKOYAMA A, ISHII K, and TANABE R. SandPrint: Fingerprinting malware sandboxes to provide intelligence for sandbox evasion[C]. International Symposium on Research in Attacks, Intrusions, and Defenses, SudParis, France, 2016: 165–187.
    KIRAT D, VINGA G, and KRUEGEL C. Barebox: Efficient malware analysis on bare-metal[C]. Proceeding of the 27th Annual Computer Security Applications Conference, Orlando, USA, 2011: 403–412.
    CRANDALL J R, WASSERMANN G, and OLIVEIRA D A S. Temporal search: Detecting hidden malware timebombs with virtual machines[J]. ACM SIGARCH Computer Architecture News, 2006, 34(5): 25–36. doi: 10.1145/1168919
    KIRAT D and VIGNA G. MalGene: Automatic extraction of malware analysis evasion signature[C]. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, USA, 2015: 769–780.
    GILBOY M R. Fighting evasive malware with DVasion[D]. [Master dissertation], University of Maryland, College Park, 2016: 31–44.
    TANBE R. Evasive malware via identifier implanting[C]. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Pairs, France, 2018: 162–184.
    KRUEGEL C. Evasive malware exposed and deconstructed[C]. RSA Conference, San Francisco, USA, 2015: 112–120.
    MIRAMIRKHANI N, APPINI M P, and NIKIFORAKIS N. Spotless sandboxes: Evading malware analysis systems using wear-and-tear artifacts[C]. IEEE Symposium on Security and Privacy, San Jose, USA, 2017: 1009–1024.
    BINDIFF[OL]. www.zynamics.com/bindiff.html. 2017.
    张一弛. 基于反编译的恶意代码检测关键技术研究与实现[D]. [博士论文], 解放军信息工程大学, 2009: 22–39.

    ZHANG Yichi. Research and Implementation of critical technology in malware detection based on decompilation[D]. [Ph.D. dissertation], PLA Information and Engineering University, 2009: 22–39.
    KI Y, KIM E, and KIM H. A novel approach to detect malware based on API call sequence analysis[J]. International Journal of Distributed Sensor Networks, 2015, 58(7): 3201–3206.
    MALWAREBENCHMARK[OL]. www.malwarebenchmark.org, 2018.
    JOESECURITY Sandbox[OL]. www.joesandbox.com, 2018.
  • 加载中
图(2) / 表(5)
计量
  • 文章访问数:  2565
  • HTML全文浏览量:  1338
  • PDF下载量:  142
  • 被引次数: 0
出版历程
  • 收稿日期:  2018-03-21
  • 修回日期:  2018-11-06
  • 网络出版日期:  2018-11-14
  • 刊出日期:  2019-02-01

目录

    /

    返回文章
    返回