A malicious code homology analysis method based on system call control flow graph

A technology of homology analysis and control flow graph, which is applied in the field of network security, can solve the problems of poor homology analysis ability of malicious code variants, etc., and achieve the effects of avoiding confusion, good abstraction, and simplifying the amount of data

Active Publication Date: 2018-12-28
BEIJING INSTITUTE OF TECHNOLOGYGY +1
View PDF4 Cites 9 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0005] Commonly used behavioral feature representation methods include instruction block control flow graph, function call graph, etc. The above several behavioral features will p...

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A malicious code homology analysis method based on system call control flow graph
  • A malicious code homology analysis method based on system call control flow graph
  • A malicious code homology analysis method based on system call control flow graph

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0045] In the homology analysis of malicious code variants, the internal logic of malicious code processed by obfuscation techniques such as deformation and polymorphism may be disrupted, and the control flow graph of instruction blocks extracted through static analysis can be used with little value; while dynamic analysis Expenses are high. In addition, the function call graph can obtain the calling relationship between functions, but there is no timing relationship.

[0046] The present invention considers constructing a system call control flow graph, the control flow graph is a directed and unweighted graph composed of system call nodes, and the direction of the edges represents the sequential relationship of system call execution, which retains the timing relationship between system calls. Here, "system call" means that a program running in user space requests a service from the operating system kernel that requires higher privileges to run. System calls provide the inte...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention discloses a malicious code homology analysis method based on a system call control flow diagram. Firstly, a system call control flow diagram of a program to be analyzed is constructed. The system call control flow graph is a directed unweighted graph composed of system call nodes, and the direction of edges indicates the order of system call execution. The system call control flow diagrams of different programs to be analyzed are compared to realize homology analysis according to the similarity of the diagrams as a similarity measure of homology analysis. The invention utilizes the system call control flow diagram to carry out homology analysis, and the system call control flow diagram completely ignores the details of the software code and only pays attention to the called system call function, thus simplifying the amount of data to be processed, and therefore, the control flow diagram based on the system call has the best abstraction degree to the program behavior. Moreover, because only system calls are considered, the confusion of instruction layer is avoided to a large extent, and the anti-confusion effect is achieved.

Description

technical field [0001] The invention relates to the technical field of network security, in particular to a malicious code homology analysis method based on a system call control flow graph. Background technique [0002] The number of malicious codes has increased significantly, but most of the new malicious codes are variants of existing malicious codes, and their core functions have not changed much. Malicious code variants often use obfuscation techniques to evade virus detection and attack. [0003] Homology first refers to the degree of similarity between the nucleotide sequences of two nucleic acid molecules or the amino acid sequences of two protein molecules in the study of molecular evolution. Homology analysis applied to the software field refers to comparing two software from source code to software function to find out whether they are the same or similar, and give a similarity degree to describe the similarity of the two software. [0004] The homology analysi...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
IPC IPC(8): G06F21/56
CPCG06F21/563
Inventor 王勇史小东梁杰孙青煜张继刘振岩薛静锋
Owner BEIJING INSTITUTE OF TECHNOLOGYGY
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap