Novel unwanted code detecting method based on characteristics of function call relationship graph

Abstract

The invention discloses a novel unwanted code detecting method based on the characteristics of a function call relationship graph. The traditional feature code detection technique which judges software by local characteristics has the drawback that a detecting tool is required to maintain a large amount of prior feature codes and the drawback that detecting schemes lack necessary stability and reliability. The method detects unwanted codes by extracting graph characteristic information on the basis of the function call relationship graph and the research results in existing software network. The main process of the method consists of three steps: 1, establishing a software function call graph; 2, extracting characteristic indexes from the graph; and 3, differentiating unwanted software and normal software by an effective data mining algorithm. The method can effectively detect common zero-day unwanted code and well detect unwanted codes adopting a fuzzy and polymorphic technique and can keep high stability in case of a calculated attack.

Description

technical field [0001] The invention relates to malicious software detection in computer information security, in particular to a novel and practical malicious code detection method based on the feature of software function call relation graph. Background technique [0002] With the wide application of computer science in various fields of society, the security of computer software has attracted more and more attention. Establishing a trusted software system has become an effective means to maintain computer information security, and the detection of malicious code has become the core research direction of software credibility analysis. [0003] The traditional signature-based detection method needs to be updated and maintained through a dedicated database to extract relevant signatures in advance, use the scanning engine to find the local information of the software, and use the string matching method to compare the similarity between these information and signatures. Accor...

AI Technical Summary

Problems solved by technology

[0006] First, the detection method based on the signature needs to obtain the signature of the malicious code, and transfer the ever-increasing signature to the database of the client, and the maintenance of the increasingly large database becomes the price paid by the user

The biggest disadvantage of this detection method is that it is difficult to detect unknown malicious codes, and users cannot deal with new security threats in a timely manner.

[0007] Second, heuristic analysis or software behavior-based detection methods are used to classify software by obtaining special local information of codes, but for malicious codes that use fuzzy and polymorphic codes, such local features are often not fixed, so the detection method Insufficient accuracy in judging these malicious codes

[0008] Third, using standard format information to distinguish software detection methods uses the external description information of the software. Most of this information does not directly involve the behavior of the software. For malicious code designers familiar with this method, they can use the special format information processing to greatly reduce the detection effect of the method

Images