Function call graph fingerprint based malicious software detection method

A function call graph and malicious software technology, applied in the direction of electrical digital data processing, instrumentation, platform integrity maintenance, etc., can solve problems such as incompleteness, high scale and complexity, fine granularity, etc., and achieve scale reduction and high recognition rate , the effect of strong unique identification

Active Publication Date: 2015-11-11
SICHUAN UNIV
View PDF6 Cites 13 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

These methods explore and solve the problem of malware detection from different perspectives, and propose graph-based malware detection methods with different ideas, and have achieved many constructive results, but there are still several problems as follows: The efficiency of the de

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Function call graph fingerprint based malicious software detection method
  • Function call graph fingerprint based malicious software detection method
  • Function call graph fingerprint based malicious software detection method

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0053] This embodiment mainly evaluates whether the method of the present invention can effectively detect known malicious software. This embodiment uses 4985 benign software samples and 5340 malicious software samples, uses all malicious software samples to generate the function call graph fingerprint library, and all benign software and malicious software are used as test samples to evaluate the detection rate and false alarm rate of the detection method ,Accuracy. In order to compare with the graph isomorphism method FCGiso proposed by the present invention, the classic graph isomorphism method VF2 is also used for graph isomorphism judgment. The experimental results are shown in Table 1, and the detection time using the FCGiso graph isomorphism judgment method is as follows: Figure 5 , Figure 6 As shown, the detection time of the VF2 graph isomorphism judgment method is as follows Figure 7 , Figure 8 shown.

[0054] Table 1 Detection results of known malware

[0...

Embodiment 2

[0060] This example mainly evaluates whether the method of the present invention can effectively detect packed known samples. First, use 9 packing tools to pack the samples notepad.exe and calc.exe, use the original two samples to generate a function call graph fingerprint library, and use the packed 18 samples as test samples, the experimental results are shown in Table 2 shown.

[0061] Table 2. Packed variant detection results

[0062]

[0063] As can be seen from Table 2, the method of the present invention can detect most of the packed variants. The packed samples of ASProtect cannot be detected, mainly because the tool uses compression, encryption, anti-debugging, and disassembly technologies, which makes the common unpacking tools unable to unpack successfully. In addition, the size of the original sample file, the packed file, and the unpacked file are different, so it can be judged that the method based on the hash signature is invalid for the packed sample. The...

Embodiment 3

[0065] This embodiment mainly evaluates whether the method of the present invention can effectively detect malware variants. In this embodiment, four malicious software families are selected, and some samples are variants produced by confusion, and some are variants after modification or function expansion of known malicious software. First, a sample of each family is selected to generate a function call graph fingerprint library, and other samples of each family are used as test samples. The test results are shown in Table 3.

[0066] Table 3 Malware variant detection results

[0067]

[0068] It can be seen from Table 3 that the method of the present invention can detect most of the variants of the same family. Commonly used obfuscation techniques mainly include garbage instruction insertion, equivalent instruction replacement, register replacement, instruction sequence replacement, and instruction control flow transformation. The first four techniques will not change th...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention provides a function call graph fingerprint based malicious software detection method, comprising: judging whether a known malicious software sample is packed; performing disassembly processing to obtain an assembly code of the malicious software sample; by taking a function as a node and inter-function call as an edge, generating a function call graph; adding the function call graph as a fingerprint of the sample into a graph fingerprint library; judging whether the to-be-detected sample is packed; performing disassembly processing to obtain an assembly code of the to-be-detected sample; based on the assembly code, generating the function call graph of the to-be-detected sample, wherein the graph serves as the fingerprint of the detected sample; and performing isomorphism judgment on the function call graph fingerprint of the to-be-detected sample and each graph in the graph fingerprint library. According to the method, the function call graph is used as the fingerprint of the software, and most malicious software and malicious software variants are identified by fully utilizing a characteristic that the functional call graph is a special graph, so that the identification time is short and the efficiency is high.

Description

technical field [0001] The invention relates to the field of malicious software detection in network security, in particular to a method for detecting malicious software based on function call graph fingerprints. Background technique [0002] With the development of information technology, the Internet is profoundly changing the way of production and life of human beings. People are increasingly inseparable from the Internet, and various "safety" problems follow. People have benefited from the development of the Internet, but also suffered from cyber attacks. Cyberspace security has become a serious challenge plaguing the world. According to the "China Internet Site Development and Security Report (2015)" released by the Internet Society of China and the National Internet Emergency Center, as of December 2014, the number of Internet users in my country reached 649 million, and a total of 31.17 million new Internet users were added throughout the year. , the Internet penetrat...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
IPC IPC(8): G06F21/56
CPCG06F21/564G06F21/566
Inventor 王俊峰白金荣
Owner SICHUAN UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap