A Homology Analysis Method of Malicious Code Based on System Call Control Flow Graph

A homology analysis technique based on a control flow graph, applied in the field of network security. It addresses the poor homology analysis ability of existing methods on malicious code variants, and aims to improve that ability, provide a good abstraction of program behavior, and reduce the volume of data that must be processed.

Active Publication Date: 2022-02-08
BEIJING INSTITUTE OF TECHNOLOGY (+1 more applicant)

AI Technical Summary

Problems solved by technology

[0005] Commonly used behavioral feature representations include the instruction-block control flow graph and the function call graph. Each of these features changes to some degree once obfuscation techniques such as polymorphism and metamorphism are introduced, so their ability to support homology analysis of malicious code variants is poor.




Embodiment Construction

[0045] In the homology analysis of malicious code variants, the internal logic of malicious code processed with obfuscation techniques such as metamorphism and polymorphism may be disrupted, so the instruction-block control flow graph extracted by static analysis is of little value, while dynamic analysis is expensive. The function call graph, in turn, captures the calling relationships between functions but carries no timing (ordering) relationship.

[0046] The present invention therefore constructs a system call control flow graph. This control flow graph is a directed, unweighted graph whose nodes are system calls; the direction of an edge represents the order in which the two system calls were executed, so the timing relationship between system calls is retained. Here, "system call" means a request by a program running in user space for a service from the operating system kernel, a service that requires higher privileges to run. System calls provide the inte...



Abstract

The invention discloses a malicious code homology analysis method based on a system call control flow graph. First, a system call control flow graph of the program to be analyzed is constructed; this is a directed, unweighted graph whose nodes are system calls and whose edge direction indicates the order of system call execution. Then the system call control flow graphs of the different programs to be analyzed are compared, and the graph similarity is used as the similarity measure of the homology analysis. Because the system call control flow graph completely ignores the details of the software code and attends only to the system call functions invoked, it simplifies the amount of data that needs to be processed; for this reason the system call control flow graph provides a good abstraction of program behavior. Moreover, because only system calls are considered, obfuscation at the instruction layer is largely avoided, so the method has an anti-obfuscation effect.
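As an added illustration of the construction in [0046] and the comparison step in the abstract (this is example code, not the patent's own implementation), the block below builds the directed, unweighted system call graph from a constructed call trace and scores two programs with a Jaccard-based graph similarity; the patent names no specific similarity measure, so the blend of node and edge overlap used here is an assumption.

```python
from typing import Set, Tuple

# Constructed sample system call traces (not taken from the patent). Each list is
# the ordered sequence of system calls observed for one program run.
TRACE_A = ["open", "read", "write", "close", "open", "read", "close"]
TRACE_B = ["open", "read", "write", "close", "open", "read", "write", "close"]
TRACE_C = ["socket", "connect", "send", "recv", "close"]

Graph = Tuple[Set[str], Set[Tuple[str, str]]]


def build_syscall_cfg(trace) -> Graph:
    """Directed, unweighted graph: nodes are system call names; an edge u->v
    exists when v was executed directly after u at least once. Repeated
    transitions collapse to one edge (order is kept, counts are dropped),
    which is what makes the graph independent of instruction-level detail."""
    nodes = set(trace)
    edges = set(zip(trace, trace[1:]))
    return nodes, edges


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cfg_similarity(g1: Graph, g2: Graph, node_weight: float = 0.5) -> float:
    """Similarity in [0, 1]: weighted blend of node-set and edge-set Jaccard
    (an assumed measure; the patent only says 'graph similarity')."""
    nodes1, edges1 = g1
    nodes2, edges2 = g2
    return node_weight * jaccard(nodes1, nodes2) + (1 - node_weight) * jaccard(edges1, edges2)


def is_homologous(trace1, trace2, threshold: float = 0.7) -> bool:
    """Homology verdict: similarity of the two system call CFGs above a
    threshold (threshold value is an assumption for the example)."""
    return cfg_similarity(build_syscall_cfg(trace1), build_syscall_cfg(trace2)) >= threshold


if __name__ == "__main__":
    ga, gb, gc = (build_syscall_cfg(t) for t in (TRACE_A, TRACE_B, TRACE_C))
    print("A vs B:", cfg_similarity(ga, gb))   # same family, one extra write
    print("A vs C:", cfg_similarity(ga, gc))   # unrelated network behaviour
```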

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a malicious code homology analysis method based on a system call control flow graph.

Background technique

[0002] The number of malicious code samples has increased significantly, but most new malicious code consists of variants of existing malicious code whose core functions have not changed much. Malicious code variants often use obfuscation techniques to evade virus detection and attack.

[0003] Homology originally refers, in the study of molecular evolution, to the degree of similarity between the nucleotide sequences of two nucleic acid molecules or the amino acid sequences of two protein molecules. Homology analysis applied to the software field refers to comparing two pieces of software, from source code to software function, to find out whether they are the same or similar, and giving a similarity degree that describes how similar the two are.

[0004] The homology analysi...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56
CPC: G06F21/563
Inventors: 王勇史小东梁杰孙青煜张继刘振岩薛静锋
Owner: BEIJING INSTITUTE OF TECHNOLOGY