Malicious software homology analysis method based on behavior tree

A malware homology analysis technology, applied in the field of behavior tree-based malware homology analysis, which addresses problems such as misclassification of malware, loss of the features that distinguish families, and degraded malware analysis performance.

Active Publication Date: 2020-10-02
SOUTH CHINA UNIV OF TECH


Problems solved by technology

[0006] The purpose of the present invention is twofold. First, it addresses the problem that the common malware analysis methods based on API sequences ignore the control structure between the APIs, which leads to wrong classification of malware. Second, it addresses the problem that the API sequence of malware contains noisy APIs that destroy the originally distinguishable features and so hurt the performance of malware analysis. To this end it provides a behavior tree-based malware homology analysis method that improves the accuracy of malware homology judgments.



Examples


Embodiment 1

[0065] This embodiment discloses a behavior tree-based malware homology analysis method. The basic process is shown in figure 1 and includes the following steps:

[0066] T1. Collect the API call sequence generated when the malware is executed;

[0067] T2. Convert the API call sequences into API logs to mine the malware behavior models;

[0068] T3. Based on the behavior tree, extract the behavioral characteristics of the malware;

[0069] T4. Build the behavioral characteristics of the malware families;

[0070] T5. Calculate the similarity vector of the malware;

[0071] T6. Divide the collected data into a training set and a test set according to the ratio 8:2;

[0072] T7. Build a classification model W on the training set based on the naive Bayesian classification algorithm;

[0073] T8. Use the classification model W to complete the family classification of the malware.

[0074] In this embodiment, a behavior tree with anti-noise property is used to express and draw the beh...

Embodiment 2

[0081] The characteristics and performance of the present invention will be further described in detail below in conjunction with Embodiment 2.

[0082] A preferred embodiment of the present invention includes the following steps:

[0083] T1. Collect the API call sequence generated when the malware is executed;

[0084] T2. Convert the API call sequence into API logs, and mine the behavior tree of the malware;

[0085] T2.1. Convert API call sequence into API log;

[0086] Here the API call sequence is the collection of APIs generated by the malware during each run, defined as S = <a_1, a_2, ..., a_n>, where a_r (1 ≤ r ≤ n) represents the r-th API call and is a two-tuple a_r = {time, label}: time indicates the moment the API is called and label is the name of the API call; n indicates that the API call sequence S consists of n tuples, and within S the APIs are sorted in ascending order of call time;

[0087] Wherein, the API log is a set composed of one o...
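To make steps T1 to T8 concrete, the following Python program is an added illustration and not the patent's own code. It takes constructed API call sequences of the form S = <a_1, ..., a_n> with a_r = (time, label) (two made-up families, "dropper" and "backdoor", with out-of-order records and noise APIs), sorts them into API logs (T2.1), stands in for the Inductive Miner behavior tree with the directly-follows relation the miner itself starts from (an assumption, so the anti-noise property of the real behavior tree is not reproduced), weights each family's features by the share of its training samples that contain them (assumed definition of the family-weighted features), converts every sample into a similarity vector of cosine similarities to all families, splits the data 8:2, and trains a hand-written Gaussian naive Bayes classifier. All API names, sequences and the variance floor are constructed for the example.

```python
"""Simplified behavior-based malware family classification pipeline (added example)."""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed sample data (not from the patent): (family, API call sequence S),
# each call a_r = (time, label). Some records are stored out of time order and
# some contain noise APIs so that the sort in T2.1 and the weighting in T4 matter.
SAMPLES = [
    ("dropper",  [(1, "CreateFile"), (2, "WriteFile"), (3, "CloseHandle"), (4, "RegSetValueEx")]),
    ("dropper",  [(2, "WriteFile"), (1, "CreateFile"), (3, "CloseHandle"), (4, "RegSetValueEx")]),  # out of order
    ("dropper",  [(1, "CreateFile"), (2, "GetTickCount"), (3, "WriteFile"), (4, "CloseHandle"), (5, "RegSetValueEx")]),  # noise
    ("dropper",  [(1, "CreateFile"), (2, "WriteFile"), (3, "Sleep"), (4, "CloseHandle"), (5, "RegSetValueEx")]),
    ("dropper",  [(1, "CreateFile"), (2, "WriteFile"), (3, "CloseHandle"), (4, "GetTickCount"), (5, "RegSetValueEx")]),
    ("backdoor", [(1, "socket"), (2, "connect"), (3, "send"), (4, "recv"), (5, "closesocket")]),
    ("backdoor", [(1, "socket"), (2, "connect"), (3, "Sleep"), (4, "send"), (5, "recv"), (6, "closesocket")]),
    ("backdoor", [(2, "connect"), (1, "socket"), (3, "send"), (4, "recv"), (5, "closesocket")]),  # out of order
    ("backdoor", [(1, "socket"), (2, "connect"), (3, "send"), (4, "GetTickCount"), (5, "recv"), (6, "closesocket")]),
    ("backdoor", [(1, "socket"), (2, "GetTickCount"), (3, "connect"), (4, "send"), (5, "recv"), (6, "closesocket")]),
]


def to_api_log(seq):
    """T2.1: order the calls by time and keep only the labels (one API log trace)."""
    return [label for _, label in sorted(seq, key=lambda call: call[0])]


def behaviour_features(trace):
    """Stand-in for T3 (assumption): directly-follows pairs (a, b), b called right after a."""
    return {(trace[i], trace[i + 1]) for i in range(len(trace) - 1)}


def family_weighted_features(train):
    """T4 (assumed definition): feature weight = share of the family's samples containing it."""
    counts, sizes = defaultdict(lambda: defaultdict(int)), defaultdict(int)
    for family, feats in train:
        sizes[family] += 1
        for f in feats:
            counts[family][f] += 1
    return {fam: {f: c / sizes[fam] for f, c in fc.items()} for fam, fc in counts.items()}


def similarity_vector(feats, family_feats, families):
    """T5: cosine similarity between the sample's binary feature set and each family profile."""
    vec = []
    for fam in families:
        weights = family_feats[fam]
        dot = sum(weights.get(f, 0.0) for f in feats)
        norm = math.sqrt(len(feats)) * math.sqrt(sum(w * w for w in weights.values()))
        vec.append(dot / norm if norm else 0.0)
    return vec


class GaussianNB:
    """T7: naive Bayes with one Gaussian per class and dimension; var_floor is a constructed choice."""

    def __init__(self, var_floor=1e-6):
        self.var_floor = var_floor
        self.stats = {}  # class -> (log prior, means, variances)

    def fit(self, vectors, labels):
        groups = defaultdict(list)
        for v, y in zip(vectors, labels):
            groups[y].append(v)
        for y, vs in groups.items():
            dims = len(vs[0])
            means = [sum(v[d] for v in vs) / len(vs) for d in range(dims)]
            var = [sum((v[d] - means[d]) ** 2 for v in vs) / len(vs) + self.var_floor for d in range(dims)]
            self.stats[y] = (math.log(len(vs) / len(vectors)), means, var)
        return self

    def predict(self, vector):
        best, best_score = None, -math.inf
        for y, (log_prior, means, var) in self.stats.items():
            score = log_prior + sum(-0.5 * math.log(2 * math.pi * s) - (x - m) ** 2 / (2 * s)
                                    for x, m, s in zip(vector, means, var))
            if score > best_score:
                best, best_score = y, score
        return best


def split_8_2(samples):
    """T6: deterministic 8:2 split, every fifth sample goes to the test set (constructed choice)."""
    train = [s for i, s in enumerate(samples) if i % 5 != 4]
    test = [s for i, s in enumerate(samples) if i % 5 == 4]
    return train, test


def run_pipeline(samples=SAMPLES):
    """T1-T8 end to end; returns the family order, (truth, prediction) pairs and test accuracy."""
    train_raw, test_raw = split_8_2(samples)
    train = [(fam, behaviour_features(to_api_log(seq))) for fam, seq in train_raw]
    test = [(fam, behaviour_features(to_api_log(seq))) for fam, seq in test_raw]
    family_feats = family_weighted_features(train)
    families = sorted(family_feats)
    model = GaussianNB().fit([similarity_vector(f, family_feats, families) for _, f in train],
                             [fam for fam, _ in train])
    predictions = [(fam, model.predict(similarity_vector(f, family_feats, families))) for fam, f in test]
    accuracy = sum(truth == pred for truth, pred in predictions) / len(predictions)
    return families, predictions, accuracy


if __name__ == "__main__":
    fams, preds, acc = run_pipeline()
    print("families:", fams)
    for truth, pred in preds:
        print(f"truth={truth:9s} predicted={pred}")
    print(f"test accuracy: {acc:.2f}")
```

The noise APIs in the held-out samples (a GetTickCount inserted into the dropper's file-write chain, another before the backdoor's connect) lower the cosine similarity to the sample's own family but leave it at zero for the other family, which is why the similarity vector still separates the two families cleanly; a real behavior tree would additionally absorb such insertions into the control structure instead of letting them break adjacent pairs.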



Abstract

The invention discloses a malware homology analysis method based on a behavior tree. It gives a new definition of malware behavior that is not limited to the analysis of short contiguous API subsequences: it describes the behavioral characteristics of the malware through each individual behavior and the relationships between behaviors, and so carries richer behavioral semantics. The method comprises the following steps: first, from the API call sequence generated during malware execution, construct a behavior tree reflecting the malware behavior model using the Inductive Miner algorithm; second, extract behavioral characteristics from each behavior tree and generate family-weighted behavioral characteristics; then convert the behavior trees into similarity vectors with a similarity algorithm; and finally train a family classification model with the naive Bayes classification algorithm. The method resolves the lack of a control structure and the presence of noise in the API sequence that affected previous API-sequence-based malware homology analysis, and improves the malware family classification capability.

Description

Technical field

[0001] The invention relates to the technical field of computer security research, in particular to a behavior tree-based malware homology analysis method.

Background technique

[0002] Most newly emerging malware samples are variants of known malware families. Finding the homology between unknown malware and known malware families, and thereby quickly classifying unknown malware, helps speed up malware analysis.

[0003] Malware belonging to the same family exhibits similar behaviors, and the API call sequence is the information source that best describes the behavior of malware. Most studies therefore take the API call sequence as their research basis, but using the API sequence as the object of malware analysis faces the following problems:

[0004] First, in order to improve the anti-detection ability of malware, malware authors randomly insert redundant APIs in the process of writing malware without affecting the original beh...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06K9/62
CPC: G06F21/566, G06F18/22, G06F18/24155
Inventor: 徐杨余盛龙王彩蝶李东
Owner: SOUTH CHINA UNIV OF TECH