Journal of Tsinghua University(Science and Technology)    2016, Vol. 56 Issue (5) : 484-492     DOI: 10.16511/j.cnki.qhdxxb.2016.25.005
INFORMATION SECURITY |
Malware algorithm recognition based on offline instruction-flow analyse
ZHAO Jingling1,2, CHEN Shilei1,2, CAO Mengchen1,2, CUI Baojiang1,2
1. School of Computer, Beijing University of Post and Telecommunications, Beijing 100876, China;
2. National Engineering Lab for Mobile Network Security, Beijing 100876, China
Abstract: Binary program algorithm identification is widely used in malware detection, software analysis, network encryption analysis and computer system protection. This paper describes a malware algorithm recognition method based on offline instruction-flow analysis, built from binary instrumentation, taint tracing and loop recognition. The features of an algorithm, namely its behavior semantics and the key constants it uses, are extracted from the recorded instruction flow. Two machine learning models trained on these features are merged into one accurate recognition algorithm.
Keywords: algorithm recognition, taint trace, machine learning, malware detection
ZTFLH:  TP301.6  
Issue Date: 15 May 2016
Cite this article: ZHAO Jingling, CHEN Shilei, CAO Mengchen, et al. Malware algorithm recognition based on offline instruction-flow analyse[J]. Journal of Tsinghua University(Science and Technology), 2016, 56(5): 484-492.
URL: http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2016.25.005 or http://jst.tsinghuajournals.com/EN/Y2016/V56/I5/484
Copyright © Journal of Tsinghua University(Science and Technology), All Rights Reserved.