Method for extracting malicious code behavior characteristic

A malicious code feature extraction technology, applied in the field of network security, solves the problems of a huge feature library, low feature accuracy, and features that cannot be extracted, and achieves the effects of enhanced anti-interference, elimination of feature changes between variants, and a small feature library.

Inactive Publication Date: 2011-05-11
GRADUATE SCHOOL OF THE CHINESE ACAD OF SCI GSCAS
Cites: 3; Cited by: 83

AI Technical Summary

Problems solved by technology

[0016] To sum up, the main problems of current malicious code feature extraction are: the system that analyzes and tracks the malicious code in order to extract features runs with the same privileges as the malicious code, so complex hiding techniques can bypass the analysis and no features can be extracted; features are represented by data-dependence and control-dependence information, and their accuracy is not high; extraction is mostly aimed at a single malicious code sample, so variants generated by obfuscation techniques cannot be detected and the features do not adapt well; variants produced by even slight obfuscation generate new features, so the feature library becomes huge, which brings hidden dangers in storage and matching time complexity.



Embodiment Construction

[0066] The technical scheme of the present invention is described in detail below with reference to the accompanying drawings:

[0067] As shown in Figure 1, a malicious code feature extraction method based on control dependence and data dependence comprises the following steps:

[0068] 1. Extract the execution instruction sequence and behavior sequence of the malicious code.

[0069] The malicious code is executed in the environment of a hardware simulator, using the recording method implemented in the simulator's translation layer. By adding a disassembly engine at the translation layer, all instructions executed by the malicious code sample, together with the register state, are recorded after each instruction is translated and before it is executed. To extract the behavior sequence, the API address and parameters must be obtained. After the process is loaded and before its code is executed, the present invention reads the memory of the process through the virtual machine, ...


Abstract

The invention discloses a method for extracting malicious code behavior characteristics, which belongs to the technical field of network security. The method comprises the following steps: 1) running a malicious code and extracting its execution information, where the execution information comprises the execution instruction sequence and the behavior sequence of the malicious code; 2) constructing a control dependence graph and a data dependence graph of the executed code from the execution information; 3) comparing the correlation between the control dependence graph and the data dependence graph and recording the correlation information; and 4) comparing the control dependence graphs and data dependence graphs of different malicious codes and extracting the characteristic dependencies of each class of samples by similarity clustering. Compared with the prior art, the method has the characteristics of complete information extraction, high anti-interference, applicability of a single sample's characteristics to its variants, a small characteristic library, and a wide range of application.
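The four steps above, and the instruction-recording step in [0068]-[0069], can be illustrated end to end on a small scale. The following Python is an added example written for this page, not code from the patent or its inventors. It assumes an already-recorded instruction trace in a constructed format (address, mnemonic, written locations, read locations), assumes that the join point of each conditional branch is known from a static control-flow graph (supplied as `post_dom` on the branch record), and uses Jaccard similarity with single-linkage clustering as a stand-in for the unspecified similarity clustering of step 4. Dependence edges are abstracted to (mnemonic, kind, mnemonic) triples so that addresses and inserted junk instructions, the typical products of light obfuscation, do not change the feature; the sample traces are constructed, with `B_obfuscated` being `A` with junk instructions and shifted addresses.

```python
from itertools import combinations


def rec(addr, mn, defs=(), uses=(), post_dom=None):
    """One executed instruction. post_dom (conditional branches only) is the
    address where the branch's control-dependence region ends; assumed known
    from a static CFG."""
    return {"addr": addr, "mn": mn, "defs": tuple(defs),
            "uses": tuple(uses), "post_dom": post_dom}


def build_dependences(trace):
    """Step 2: return (src_index, dst_index, kind) edges, kind in {'data', 'ctrl'}."""
    edges = set()
    last_def = {}        # location -> index of the instruction that last wrote it
    open_branches = []   # stack of (index, post_dom) for enclosing conditional branches
    for i, r in enumerate(trace):
        # leaving a branch's region: the trace reached its join point
        while open_branches and open_branches[-1][1] == r["addr"]:
            open_branches.pop()
        if open_branches:
            edges.add((open_branches[-1][0], i, "ctrl"))
        for loc in r["uses"]:               # def-use chains give data dependence
            if loc in last_def:
                edges.add((last_def[loc], i, "data"))
        for loc in r["defs"]:
            last_def[loc] = i
        if r["post_dom"] is not None:
            open_branches.append((i, r["post_dom"]))
    return edges


def abstract_features(trace):
    """Address-independent feature: the set of (mnemonic, kind, mnemonic) triples."""
    return {(trace[s]["mn"], k, trace[d]["mn"]) for s, d, k in build_dependences(trace)}


def jaccard(a, b):
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def cluster(samples, threshold):
    """Step 4: single-linkage clustering of {name: feature set} by Jaccard similarity."""
    parent = {n: n for n in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for n in samples:
        groups.setdefault(find(n), set()).add(n)
    return list(groups.values())


def characteristic_dependences(samples, group):
    """Dependences shared by every member of a cluster: the class's feature."""
    return set.intersection(*(samples[n] for n in group))


# Constructed traces (not real malware). '[esp]' stands for the stack slot
# used to pass the argument to the API call.
TRACE_A = [
    rec(0x00, "mov", ["eax"]),
    rec(0x04, "add", ["eax"], ["eax", "ebx"]),
    rec(0x08, "cmp", ["flags"], ["eax"]),
    rec(0x0c, "jz", [], ["flags"], post_dom=0x18),
    rec(0x10, "push", ["[esp]"], ["eax"]),
    rec(0x14, "call_WriteFile", [], ["[esp]"]),
    rec(0x18, "ret"),
]
TRACE_B = [  # same behaviour with junk instructions and relocated code
    rec(0x100, "mov", ["eax"]),
    rec(0x102, "nop"),
    rec(0x104, "xchg", ["ecx", "edx"], ["ecx", "edx"]),
    rec(0x106, "add", ["eax"], ["eax", "ebx"]),
    rec(0x108, "cmp", ["flags"], ["eax"]),
    rec(0x10a, "jz", [], ["flags"], post_dom=0x120),
    rec(0x10c, "nop"),
    rec(0x10e, "push", ["[esp]"], ["eax"]),
    rec(0x110, "call_WriteFile", [], ["[esp]"]),
    rec(0x120, "ret"),
]
TRACE_C = [  # unrelated sample
    rec(0x200, "mov", ["ecx"]),
    rec(0x202, "xor", ["ecx"], ["ecx"]),
    rec(0x204, "cmp", ["flags"], ["ecx"]),
    rec(0x206, "jne", [], ["flags"], post_dom=0x20c),
    rec(0x208, "inc", ["ecx"], ["ecx"]),
    rec(0x20c, "ret"),
]
SAMPLES = {"A": abstract_features(TRACE_A),
           "B_obfuscated": abstract_features(TRACE_B),
           "C_other": abstract_features(TRACE_C)}


def run_demo(threshold=0.5):
    """Return {frozenset(cluster members): characteristic dependences}."""
    return {frozenset(g): characteristic_dependences(SAMPLES, g)
            for g in cluster(SAMPLES, threshold)}


if __name__ == "__main__":
    print("A vs B_obfuscated:", round(jaccard(SAMPLES["A"], SAMPLES["B_obfuscated"]), 3))
    for members, feats in run_demo().items():
        print(sorted(members), sorted(feats))
```

The obfuscated variant differs from the original only by one extra control-dependence edge onto a `nop`, so the two land in the same cluster and the cluster's characteristic dependences are exactly the seven edges of the original; the unrelated trace shares no edge and forms its own cluster. This is the effect the abstract claims: one feature per class rather than one per variant, so the feature library stays small.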

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to a malicious code behavior feature extraction method.

Background technique

[0002] With the increasing application of computers in various fields, malicious code has become one of the main threats to Internet and computer security, and malicious code detection has become an important issue in software and system security. With the continuous development of computer technology, malicious code exhibits fast propagation, strong infection ability, and great destructive power, causing increasingly serious security impacts and even economic losses. Using obfuscation and concealment techniques, malicious code can generate a large number of variants in a short period of time. Traditional feature extraction and matching methods based on code features cannot effectively pro...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): G06F21/22, G06F21/56
Inventors: 王蕊, 杨轶, 冯登国
Owner: GRADUATE SCHOOL OF THE CHINESE ACAD OF SCI GSCAS