一种利用动态控制流路径分析的隐藏恶意代码异常检测方法

doi:10.7523/j.issn.2095-6134.2010.1.018

中国科学院大学学报 ›› 2010, Vol. 27 ›› Issue (1): 138-143.DOI: 10.7523/j.issn.2095-6134.2010.1.018

• 简报 • 上一篇

一种利用动态控制流路径分析的隐藏恶意代码异常检测方法

潘剑锋, 刘守群, 奚宏生, 谭小彬

中国科学技术大学自动化系,合肥 230027

收稿日期:2009-06-15 修回日期:2009-07-26 发布日期:2010-01-15
通讯作者: 潘剑锋
基金资助:
国家"863"计划基金项目(2006AA01Z449)资助 

A method for hidden malcode anomaly detection using dynamic control-flow analysis

PAN Jian-Feng, LIU Shou-Qun, XI Hong-Sheng, TAN Xiao-Bin

Department of Automation, University of Science and Technology of China, Hefei 230027, China

Received:2009-06-15 Revised:2009-07-26 Published:2010-01-15

摘要/Abstract

摘要：

提出了一种基于动态控制流路径分析的隐藏恶意代码检测方法.该方法首先有针对性地选取与恶意代码相关的敏感路径并动态记录其执行过程的控制流路径,然后采用基于调用层次树匹配的异常检测算法分析所获得的数据,从而检查出系统中隐藏型恶意代码.实验结果表明,该方法能有效检测出隐藏恶意代码,具有高检出率和低误报率的特点,适用于计算机操作系统内的隐藏型恶意代码的检测.

关键词: 恶意代码, 异常检测, 动态控制流, 调用树编辑距离

Abstract:

The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

Key words: malcode, anomaly detection, dynamic control-flow, call tree edit distance

中图分类号:

TP309.5

潘剑锋, 刘守群, 奚宏生, 谭小彬. 一种利用动态控制流路径分析的隐藏恶意代码异常检测方法[J]. 中国科学院大学学报, 2010, 27(1): 138-143.

PAN Jian-Feng, LIU Shou-Qun, XI Hong-Sheng, TAN Xiao-Bin. A method for hidden malcode anomaly detection using dynamic control-flow analysis[J]. , 2010, 27(1): 138-143.

参考文献

[1] Michael B, Heath D B, Paul P. An undergraduate rootkit research project: How available? how Hard? how dangerous? //Information Security Curriculum Development Conference’07. Kennesaw, Georgia, USA: ACM, 2007.

[2] Tan X B, Xi H S. Hidden semi-Markov model for anomaly detection
[J]. Applied Mathematics and Computation, 2008, 205(2): 562-567.

[3] Wang W,Guan X H,Zhang X L, et al. Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data
[J]. Computers & Security, 2006, 25: 539-550.

[4] Sean P, Matt B, Sidney K, et al. Analysis of computer intrusions using sequences of function calls
[J]. IEEE Transactions on Dependable and Secure Computing, 2007, 4(2): 137-150.

[5] Tan X B, Wang W P, Xi H S, et al. Anomaly detection based on hidden markov model
[J]. Mini-Micro Systems, 2004, 25(8):1546-1549(in Chinese). 谭小彬, 王卫平, 奚宏生, 等. 基于隐马尔可夫模型的异常检测
[J]. 小型微型计算机系统, 2004, 25(8):1546-1549.

[6] Yu Z W, Jeffrey J P T, Thomas W. An automatically tuning intrusion detection system
[J]. IEEE Transactions on Systems, Man, and Cybernetics—Part B:Cybernetics, 2007, 37(2): 373-384.

[7] Intel 64 and IA-32 architectures software developer’s manual, volume 3B: system programming guide, part 2
[M]. 2008: 3-38.

[8] AMD64 architecture programmer’s manual, volume 2: system programming
[M]. 2007: 327-341.

[9] Yao J T, Zhang M. A fast tree pattern matching algorithm for XML query //Proceedings of the IEEE/WIC/ACM International Conference on Web Intelligence. Beijing: WIC, 2004: 235-241.

[10] Yang R, Panos K, Anthony K H T. Similarity evaluation on tree-structured data //Proceedings of the ACM SIGMOD International Conference on Management of Data. Baltimore, Maryland: ACM, 2005: 754-765.

[11] Philip B. A survey on tree edit distance and related problems . Theoretical Computer Science, 2005, 337(1-3): 217-239.

一种利用动态控制流路径分析的隐藏恶意代码异常检测方法

A method for hidden malcode anomaly detection using dynamic control-flow analysis

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 3

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	孙宇豪, 李国通, 张鸽. 一种基于相关概率模型的卫星异常检测方法[J]. 中国科学院大学学报, 2021, 38(3): 409-416.
[2]	桂树, 郭立, 陆海先, 谢锦生. 基于MUGG的轨迹建模与异常检测[J]. 中国科学院大学学报, 2013, 30(2): 244-250.
[3]	谢锦生, 郭立, 陈运必, 赵龙. 基于时空惊奇计算的视频异常检测方法[J]. 中国科学院大学学报, 2013, 30(1): 83-89.