基于代碼進(jìn)化的惡意代碼沙箱規(guī)避檢測技術(shù)研究

梁光輝; 龐建民; 單征

doi:10.11999/JEIT180257

基于代碼進(jìn)化的惡意代碼沙箱規(guī)避檢測技術(shù)研究

doi: 10.11999/JEIT180257

1.
解放軍信息工程大學(xué) ??鄭州 ??450001
2.
數(shù)學(xué)工程與先進(jìn)計(jì)算國家重點(diǎn)實(shí)驗(yàn)室 ??鄭州 ??450001

基金項(xiàng)目: 國家自然科學(xué)基金(61472447, 61802435, 61802433)

詳細(xì)信息

作者簡介:
梁光輝：男，1987年生，博士生，研究方向?yàn)閻阂獯a分析

龐建民：男，1964年生，教授，博士生導(dǎo)師，研究方向?yàn)榫W(wǎng)絡(luò)安全、先進(jìn)計(jì)算

單征：男，1977年生，教授，博士生導(dǎo)師，研究方向?yàn)榫W(wǎng)絡(luò)安全

通訊作者:
龐建民　jianmin_pang@126.com

中圖分類號: TP309
計(jì)量
- 文章訪問數(shù): 2593
- HTML全文瀏覽量: 1384
- PDF下載量: 142
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2018-03-21
- 修回日期: 2018-11-06
- 網(wǎng)絡(luò)出版日期: 2018-11-14
- 刊出日期: 2019-02-01

Malware Sandbox Evasion Detection Based on Code Evolution

1.
PLA Information Engineering University, Zhengzhou 450001, China
2.
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China

Funds: The National Natural Science Foundation of China (61472447, 61802435, 61802433)

摘要

摘要:
為了對抗惡意代碼的沙箱規(guī)避行為，提高惡意代碼的分析效率，該文提出基于代碼進(jìn)化的惡意代碼沙箱規(guī)避檢測技術(shù)。提取惡意代碼的靜態(tài)語義信息和動(dòng)態(tài)運(yùn)行時(shí)信息，利用沙箱規(guī)避行為在代碼進(jìn)化過程中所產(chǎn)生的動(dòng)靜態(tài)語義上的差異，設(shè)計(jì)了基于相似度差異的判定算法。在7個(gè)實(shí)際惡意家族中共檢測出240個(gè)具有沙箱規(guī)避行為的惡意樣本，相比于JOE分析系統(tǒng)，準(zhǔn)確率提高了12.5%，同時(shí)將誤報(bào)率降低到1%，其驗(yàn)證了該文方法的正確性和有效性。
- 惡意代碼 /
- 沙箱規(guī)避 /
- 靜態(tài)相似度
Abstract:
In order to resist the malware sandbox evasion behavior, improve the efficiency of malware analysis, a code-evolution-based sandbox evasion technique for detecting the malware behavior is proposed. The approach can effectively accomplish the detection and identification of malware by first extracting the static and dynamic features of malware software and then differentiating the variations of such features during code evolution using sandbox evasion techniques. With the proposed algorithm, 240 malware samples with sandbox-bypassing behaviors can be uncovered successfully from 7 malware families. Compared with the JOE analysis system, the proposed algorithm improves the accuracy by 12.5% and reduces the false positive to 1%, which validates the proposed correctness and effectiveness.
- Malware /
- Sandbox evasion /
- Static similarity

HTML全文

圖 1 模型框架

下載: 全尺寸圖片幻燈片

圖 2 沙箱規(guī)避行為統(tǒng)計(jì)

下載: 全尺寸圖片幻燈片

表 1 沙箱規(guī)避代碼進(jìn)化示意

Malicious code A	Evasive Malicious code B
Main_behavior( )	Main_behavior( )
{	{
1 Registry_opeartion( )	1 flag = check_sandbox( )
2 Process_injection( )	2 if (flag == True):
3 File_compress( )	3 do_benign( ) or exit()
4 Connection_C&C_server( )	4 else:
5 Waiting_for_instruction( )	5 Registry_opeartion( )
6 File_send( )	6 Process_injection( )
}	7 File_compress( )
	8 Connection_C&C_server( )
	9 Waiting_for_ instruction( )
	10 File_send( )
	}

下載: 導(dǎo)出CSV

表 2 規(guī)避行為檢測算法

　For $\left( {{M_i},{M_j}} \right)$ in $C_M^2$:

　　PS $\left( {{M_i},{M_j}} \right)$ = $\alpha $

　　if $\alpha < \varepsilon $:

　　　continue

　　${\rm PB}\left( {{M_i},{M_j}} \right) = \beta $

　　if $\alpha - \beta > \tau $:

　　　if ${B_i} > {B_j}$:

　　　　${M_j}$ is an evasive malware

　　　else:

　　　　${M_i}$ is an evasive malware

　　else:

　　　No Evasion

下載: 導(dǎo)出CSV

表 3 惡意代碼家族情況

家族名稱	數(shù)量	時(shí)間分布
Bifrose	317	2008～2015
Dridex	57	2012～2014
Necurs	154	2011～2016
Sfone	151	2009～2016
Unruy	725	2008～2016
Urleas	57	2010～2015
Confidence	166	2011～2016

下載: 導(dǎo)出CSV

表 4 沙箱規(guī)避情況統(tǒng)計(jì)

家族名稱	樣本數(shù)量	沙箱規(guī)避樣本數(shù)量	百分比(%)
Bifrose	317	41	12.9
Dridex	57	22	38.5
Necurs	154	40	25.9
Sfone	151	11	7.2
Unruy	725	70	9.6
Urleas	57	30	52.6
Confidence	166	26	15.6

下載: 導(dǎo)出CSV

表 5 檢測結(jié)果對比

	TP	TN	FP	FN	精度(%)	TPR (%)	FPR (%)	F1
JOE	232	1294	52	49	81.6	82.5	3.8	0.8204
MSED	226	1331	14	56	94.1	80.1	1	0.8653

下載: 導(dǎo)出CSV

參考文獻(xiàn)(17)

ANUBIS: Analyzing unknown binaries[OL]. www.anubis.iseclab.org, 2015.

YIN Heng and SONG Dawn. Temu: Binary code analysis via whole-system layered annotative execution[R]. Submitted to Vee University of California, Berkeley, Tech Rep, 2010.

CUCKOO Sandbox. Automated malware analysis[OL]. www.cuckoosandbox.org, 2016.

RAIU C, HASBINI M, BEOLV S, et al. From Shamoon to Stonedrill-Wipers attacking Saudi organizations and beyond[R]. Kaspersky Lab, March, 2017.

YOKOYAMA A, ISHII K, and TANABE R. SandPrint: Fingerprinting malware sandboxes to provide intelligence for sandbox evasion[C]. International Symposium on Research in Attacks, Intrusions, and Defenses, SudParis, France, 2016: 165–187.

KIRAT D, VINGA G, and KRUEGEL C. Barebox: Efficient malware analysis on bare-metal[C]. Proceeding of the 27th Annual Computer Security Applications Conference, Orlando, USA, 2011: 403–412.

CRANDALL J R, WASSERMANN G, and OLIVEIRA D A S. Temporal search: Detecting hidden malware timebombs with virtual machines[J]. ACM SIGARCH Computer Architecture News, 2006, 34(5): 25–36. doi: 10.1145/1168919

KIRAT D and VIGNA G. MalGene: Automatic extraction of malware analysis evasion signature[C]. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, USA, 2015: 769–780.

GILBOY M R. Fighting evasive malware with DVasion[D]. [Master dissertation], University of Maryland, College Park, 2016: 31–44.

TANBE R. Evasive malware via identifier implanting[C]. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Pairs, France, 2018: 162–184.

KRUEGEL C. Evasive malware exposed and deconstructed[C]. RSA Conference, San Francisco, USA, 2015: 112–120.

MIRAMIRKHANI N, APPINI M P, and NIKIFORAKIS N. Spotless sandboxes: Evading malware analysis systems using wear-and-tear artifacts[C]. IEEE Symposium on Security and Privacy, San Jose, USA, 2017: 1009–1024.

BINDIFF[OL]. www.zynamics.com/bindiff.html. 2017.

張一弛. 基于反編譯的惡意代碼檢測關(guān)鍵技術(shù)研究與實(shí)現(xiàn)[D]. [博士論文], 解放軍信息工程大學(xué), 2009: 22–39.

ZHANG Yichi. Research and Implementation of critical technology in malware detection based on decompilation[D]. [Ph.D. dissertation], PLA Information and Engineering University, 2009: 22–39.

KI Y, KIM E, and KIM H. A novel approach to detect malware based on API call sequence analysis[J]. International Journal of Distributed Sensor Networks, 2015, 58(7): 3201–3206.

MALWAREBENCHMARK[OL]. www.malwarebenchmark.org, 2018.

JOESECURITY Sandbox[OL]. www.joesandbox.com, 2018.

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計(jì)