Malicious software feature fusion analytical method and system based on shared behavior segments

A malware and feature fusion technology, applied in transmission systems, digital transmission systems, electrical components, etc., to solve problems such as computing and communication bottlenecks, difficult malware sample analysis, and limited number of samples

Active Publication Date: 2013-03-20
NAT UNIV OF DEFENSE TECH

AI Technical Summary

Problems solved by technology

1) Such a huge number of malware samples poses a major challenge for malware detection systems, which must correctly identify, classify, and describe malware.
2) Malware behavior is increasingly diverse. Through techniques such as message encryption, changing transmission channels, and polymorphism, different samples of the same malware show different behaviors, making it difficult to analyze the observed malware samples correctly and effectively.
3) Malware samples are widely distributed in space and highly concealed, so the number of samples of the same malware that can be observed in a single LAN or enterprise network is very limited.
Therefore, it is difficult for existing fully distributed analysis techniques to mine signatures from polymorphic malware behaviors.
[0007] To sum up, when fusing malware network behaviors to extract signatures, existing centralized and hierarchical malware analysis systems suffer from computing and communication bottlenecks at the centralized servers or centralized management nodes, while existing fully distributed malware analysis technology can only detect and extract monomorphic malware whose behavior does not change during propagation, and cannot deal with malware that uses complex techniques such as message encryption, changing propagation channels, and polymorphism.

Examples

Embodiment Construction

[0085] As shown in Figure 1, the implementation steps of the malware feature fusion analysis method based on behavior segment sharing in this embodiment are as follows:

[0086] 1) Deploy geographically dispersed nodes in the network. Each node is responsible for collecting and analyzing malware samples in one network area, and a distributed hash table module is established in each node to build a distributed hash table;

[0087] 2) Each node collects malware samples and divides them into sets of fixed-length behavior segments. For each behavior segment in the set, the node counts the number of local malware samples whose behavior contains that segment, which gives the local statistical characteristics of the behavior segment set;

[0088] 3) Each node publishes and shares the set of behavior segments and their local statistical characteristics to the distributed hash table, and gathers the same behavior segments from different nodes through the nodes of the distributed hash table, and...

Abstract

The invention discloses a malicious software feature fusion analysis method and system based on shared behavior segments. The method includes: deploying nodes that collect and analyze malicious software, and constructing a distributed hash table (DHT) module; collecting samples of the malicious software, dividing them into segment sets, and calculating local statistical properties; sharing these to the DHT, gathering the global features of the behavior segments, and returning them to the source nodes; the source nodes calculating candidate neighbor node sets and performing similarity calculation of behavior characteristics with the remote nodes of the candidate neighbor node sets to construct an adjacency relation graph of the behavior characteristics; and generating an aggregation tree based on the adjacency relation graph of the behavior characteristics, aggregating along it, and outputting the root behavior characteristics. The system comprises a plurality of nodes, and each node comprises a characteristic segmenting module, the DHT module, a behavior segment collaborative sharing module, a neighbor behavior characteristic discovery module and a behavior characteristic gradual aggregation module. The method and the system have the advantages of high analysis accuracy, high performance and good scalability.
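The segment-sharing steps from the embodiment (steps 2 and 3) and the abstract can be sketched in a single process. This is an added example, not code from the patent. Its assumptions are: a sliding window for segmentation, a SHA-1 modulo mapping standing in for the DHT, a global feature made of the total count plus the list of holding nodes, a neighbor ranking by number of shared segments, and constructed sample traces.

```python
import hashlib
from collections import Counter, defaultdict

SEG_LEN = 4  # assumed fixed segment length in bytes
# Constructed traces: two variants with differing prefixes on node 0,
# a third variant on node 1, an unrelated sample on node 2.
NODE_SAMPLES = [
    [b"\x01\x02GET /cfg.bin", b"\x07\x09GET /cfg.bin"],
    [b"zzGET /cfg.bin!!"],
    [b"NICK bot-1234 JOIN"],
]

def segments(trace: bytes, k: int = SEG_LEN) -> set:
    """Distinct fixed-length segments of one sample (sliding window is an assumption)."""
    return {trace[i:i + k] for i in range(len(trace) - k + 1)}

def local_stats(samples: list) -> Counter:
    """Per segment: number of local samples whose behavior contains it."""
    stats = Counter()
    for trace in samples:
        stats.update(segments(trace))
    return stats

def owner(segment: bytes, n_nodes: int) -> int:
    """DHT stand-in (assumption): the node responsible for a segment key."""
    return int.from_bytes(hashlib.sha1(segment).digest(), "big") % n_nodes

def share(per_node_stats: list) -> list:
    """Publish local stats to key owners; return global features to each source node."""
    n = len(per_node_stats)
    stores = [defaultdict(dict) for _ in range(n)]  # owner: segment -> {source: count}
    for src, stats in enumerate(per_node_stats):
        for seg, cnt in stats.items():
            stores[owner(seg, n)][seg][src] = cnt
    replies = [dict() for _ in range(n)]
    for store in stores:
        for seg, by_src in store.items():
            feature = (sum(by_src.values()), sorted(by_src))  # global count, holders
            for src in by_src:
                replies[src][seg] = feature
    return replies

def candidate_neighbors(node: int, reply: dict) -> Counter:
    """Rank remote nodes by how many behavior segments they share with this node."""
    ranking = Counter()
    for _count, holders in reply.values():
        ranking.update(h for h in holders if h != node)
    return ranking
```

Each segment key is gathered at exactly one owner node, so the nine segments inside the common `GET /cfg.bin` core link nodes 0 and 1 even though none of the three full traces is identical.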

Description

Technical field

[0001] The invention relates to the technical field of computer network security, in particular to a malware feature fusion analysis method and system based on behavior segment sharing.

Background technique

[0002] According to the definition of terms in the Internet Security Threat Report of the National Internet Emergency Center, malware refers to programs that are installed and executed in information systems without authorization to achieve improper purposes. Malicious software mainly includes:

1) Trojan horses: malicious software whose main goal is stealing the user's personal information, or even remotely controlling the user's computer.

2) Bots: malicious software used to build large-scale attack platforms. According to the communication protocol used, bots can be further divided into IRC (Internet Relay Chat) bots, HTTP (Hypertext Transfer Protocol) bots, P2P (peer-to-peer) bots, etc.

3) Worms refer to malicious software that can self-repli...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/741, H04L45/74
Inventor: 王小峰胡晓峰王勇军吴纯青陆华彪赵峰虞万荣孙浩王雯周寰
Owner: NAT UNIV OF DEFENSE TECH