SubSeven’s Honey Pot Program

A serious security threat today are malicious executables, especially new, unseen malicious executables often arriving as email attachments. These new malicious executables are created at the rate of thousands every year¹ and pose a serious threat. Current anti-virus systems attempt to detect these new malicious programs with heuristic generated by hand. This approach is costly and often ineffective. In this paper we introduce the Trojan Horse SubSeven, its capabilities and influence over intrusion detection systems. A Honey Pot program is implemented, simulating the SubSeven Server. The Honey Pot Program provides feedback and stores data to and from the SubSeven’s client.     

基于结构化指纹的恶意代码变种分析*

提出了一种基于结构化指纹的静态分析模型,用于辅助逆向工作者对恶意代码及其变种进行分析.该方法依据所提取的恶意代码及其变种的结构化指纹特征,在调用图和控制流图两个层次对两个文件进行同构比较,找出发生改变的函数以及发生改变的基本块,从而帮助逆向工作者迅速定位和发现恶意代码及其变种的不同之处,便于进一步分析.该模型采用了结构化特征及素数乘积等方法,可以较好地对抗一些常见的代码迷惑手段,从而识别出一些变形的代码是等价的.     

Malicious sequential pattern mining for automatic malware detection

Due to its damage to Internet security, malware (e.g., virus, worm, trojan) and its detection has caught the attention of both anti-malware industry and researchers for decades. To protect legitimate users from the attacks, the most significant line of defense against malware is anti-malware software products, which mainly use signature-based method for detection. However, this method fails to recognize new, unseen malicious executables. To solve this problem, in this paper, based on the instruction sequences extracted from the file sample set, we propose an effective sequence mining algorithm to discover malicious sequential patterns, and then All-Nearest-Neighbor (ANN) classifier is constructed for malware detection based on the discovered patterns. The developed data mining framework composed of the proposed sequential pattern mining method and ANN classifier can well characterize the malicious patterns from the collected file sample set to effectively detect newly unseen malware samples. A comprehensive experimental study on a real data collection is performed to evaluate our detection framework. Promising experimental results show that our framework outperforms other alternate data mining based detection methods in identifying new malicious executables.     

Securing communication using function extraction technology for malicious code behavior analysis

Since computer hardware and Internet is growing so fast today, security threats of malicious executable code are getting more serious. Basically, malicious executable codes are categorized into three kinds – virus, Trojan Horse, and worm. Current anti-virus products cannot detect all the malicious codes, especially for those unseen, polymorphism malicious executable codes. The newly developed virus will create the damages before it has been found and updated in database. The basic idea of the proposed system is, it will analyze the behavior of the malicious codes and based on the behavior signature of the malicious code content filtering mechanism will be used to filter out contents, so that, the system will be secured from the future communication processes. The behavior of the code is analyzed using the function extraction technology. The function extraction technology will replace the function codes into algebraic expressions. Based on the behavior of the malicious codes, it will be categorized into different kinds of malicious codes. The detected malicious code will be prevented from execution. Based on the type of malicious code, appropriate security mechanism will be used for further communication.     

基于多线程的超混沌加解密技术

针对现阶段虚拟机防病毒技术存在的缺陷,本文将基于超混沌Hénon映射的加解密技术与多线程技术相结合,提出了基于多线程超混沌密码的恶意代码隐藏算法;在对恶意代码涉及的隐藏性因素进行分析的基础上,基于层次分析法,提出了恶意代码的隐藏性分析模型。利用灰鸽子这一典型恶意代码对提出的恶意代码隐藏算法进行了实验与测试,并利用隐藏性分析模型对测试结果进行了分析,验证了提出的基于多线程超混沌密码的恶意代码隐藏算法的有效性。本文的研究成果可以增强恶意代码的隐藏性,增加恶意代码的威胁程度,为防病毒技术的发展提供了新思路。     

Suppressing the Spread of Email Malcode using Short-term Message Recall

Outbreaks of computer viruses and worms have established a pressing need for developing proactive antivirus solutions. A proactive antivirus solution is one that reliably and accurately detects novel malicious mobile code and one that either prevents damage or recovers systems from the damage that such code inflicts. Research has indicated that behavioral analysis, though provably imprecise, can feasibly predict whether novel behavior poses a threat. Nevertheless, even the most reliable detection methods can conceivably misclassify malicious code or deem it harmful only after substantial damage has taken place. The study of damage control and recovery mechanisms is, therefore, clearly essential to the development of better proactive systems. Earlier work has demonstrated that undoing the damage of malicious code is possible with an appropriate behavior monitoring and recording mechanism. However, it remains that even if a system is recovered, the virulent code may have already propagated to other systems, some of which may not be well-equipped in terms of proactive defenses. Curbing the propagation of undesired code once it has left the boundaries of a system is a hard problem and one that has not received much attention. This work focuses on a specific instance of this difficult problem: viruses and worms that spread by email. In this paper, we explore how advantageous it would be to have a short-term email undo mechanism whose purpose is to recall infected messages. Simulation results demonstrate that such ability can substantially curb the damage of email viruses on a global scale. The results are encouraging because they only assume technology that is either readily available or that is otherwise clearly practical today     

基于“In-VM”思想的内核恶意代码行为分析方法

随着互联网的高速发展,网络安全威胁也越来越严重,针对恶意代码的分析、检测逐渐成为网络安全研究的热点。恶意代码行为分析有助于提取恶意代码特征,是检测恶意代码的前提,但是当前自动化的行为捕获方法存在难以分析内核模块的缺陷,本文针对该缺陷,利用虚拟机的隔离特点,提出了一种基于"In-VM"思想的内核模块恶意行为分析方法,实验表明该方法能够分析内核模块的系统函数调用和内核数据操作行为。     

动态指令流差分分析在恶意软件分析中的应用*

针对静态分析方法已不能满足安全分析的需求,而传统的动态分析技术不能快速定位关键信息,且分析效率不高,提出了一种动态指令流差分分析技术,描述了差分分析模型和分析方法。该分析技术能够高速有效地分析恶意软件的关键数据,识别加密算法,分析混淆代码的功能模块和数据扩散情况。通过实验对其可行性和高效性进行了验证。     

面向恶意网页的静态特征体系研究

恶意网页是一种新型的Web攻击手法,攻击者通常将一段恶意代码嵌入网页中,当用户访问该网页时,恶意代码会试图利用浏览器或其插件漏洞在后台隐秘地执行一系列恶意行为.针对恶意网页静态特征抽取问题,本文从已有的特征中选取了14个信息增益值较高的特征,并通过分析恶意网页的混淆手法提出了8个新的特征,共同组成了22维的静态特征体系.此外,针对已有特征抽取流程提出两点改进：对不同编码格式的原始网页进行预处理;回送JavaScript脚本动态生成的的HTML代码,用以进一步抽取HTML相关特征.实验表明,在不均衡数据集和均衡数据集上,本文的特征体系具有一定的有效性.     

Detection technology of malicious code based on semantic

This paper puts forward one kind of behavioral characteristic extraction and detection method of malicious code based on semantic; it extracts the key behavior and dependence relations among behaviors by combining with stain spread analysis in command layer and semantic analysis in behavior layer. And then it uses anti-confusion engine identification semantic irrelevance and semantic equivalence behavior to obtain malicious code behavior characteristic with certain capacity of resisting disturbance, as well as realize characteristic extraction and detection on prototype system. It completes experimental demonstration on this system through analysis and detection on plenty of malicious code samples. The test result indicates that extraction characteristic based on the above methods has characteristic such as stronger capacity of resisting disturbance etc., detection based on this characteristic has better identification ability for malicious code.     

基于静态结构的恶意代码同源性分析

由于变种和多态技术的出现,恶意代码的数量呈爆发式增长。然而涌现的恶意代码只有小部分是新型的,大部分仍是已知病毒的变种。针对这种情况,为了从海量样本中筛选出已知病毒的变种,从而聚焦新型未知病毒,提出一种改进的判定恶意代码所属家族的方法。从恶意代码的行为特征入手,使用反汇编工具提取样本静态特征,通过单类支持向量机筛选出恶意代码的代表性函数,引入聚类算法的思想,生成病毒家族特征库。通过计算恶意代码与特征库之间的相似度,完成恶意代码的家族判定。设计并实现了系统,实验结果表明改进后的方法能够有效地对各类家族的变种进行分析及判定。     

恶意代码检测研究前沿与发展趋势的计量分析

主要应用CiteSpace可视化工具，以近16年在恶意代码检测领域的CNKI中文期刊数据和WOS数据为研究对象，基于文献计量内容分析方法系统地回顾了国内外在恶意代码检测领域的关注点、研究脉络的发展规律、存在的共性与差异性和研究现状。通过对比国内外恶意代码检测的研究进展，可以发现目前恶意代码检测的研究处于增长阶段，并且研究主要关注领域为手机客户端和WEB应用安全等。同时，恶意代码检测研究目前存在的典型问题也暴露出来。展望了恶意代码检测研究可能的发展方向，为国内相关的研究提供参考。     

基于MobileNet的恶意软件家族分类模型

现有基于卷积神经网络(CNN)的恶意代码分类方法存在计算资源消耗较大的问题.为降低分类过程中的计算量和参数量,构建基于恶意代码可视化和轻量级CNN模型的恶意软件家族分类模型.将恶意软件可视化为灰度图,以灰度图的相似度表示同一家族的恶意软件在代码结构上的相似性,利用灰度图训练带有深度可分离卷积的神经网络模型MobileNet v2,自动提取纹理特征,并采用Softmax分类器对恶意代码进行家族分类.实验结果表明,该模型对恶意代码分类的平均准确率为99.32%,较经典的恶意代码可视化模型高出2.14个百分点.     

基于特征阈值的恶意代码快速分析方法

当前恶意代码具有种类多、危害大、复杂程度高、需要的应急响应速度快等特点,针对现有恶意代码分析方法难以适应现场快速分析处置与应用实践的需求的问题,研究了基于特征阈值的恶意代码分析方法,构建了恶意代码快速分析处置的具体环节,包括环境分析、文件细化、静态分析、动态分析,并通过构建的阈值判断来定位代码的功能和家族属性,并给出清除恶意代码的具体方法。实际应用结果证明,此方法对恶意代码安全特性相关的意图、功能、结构、行为等因素予以综合,实现在现场处置层面上对恶意代码安全性的分析研究,为当前网络安全恶意代码的现场快速响应和处置提供了重要支撑。     

A security monitoring method for malicious P2P event detection

Recently malicious code is spreading rapidly due to the use of P2P(peer to peer) file sharing. The malicious code distributed mostly transformed the infected PC as a botnet for various attacks by attackers. This can take important information from the computer and cause a large-scale DDos attack. Therefore it is extremely important to detect and block the malicious code in early stage. However a centralized security monitoring system widely used today cannot detect a sharing file on a P2P network. In this paper, to compensate the defect, P2P file sharing events are obtained and the behavior is analyzed. Based on the analysis a malicious file detecting system is proposed and synchronized with a security monitoring system on a virtual machine. In application result, it has been detected such as botnet malware using P2P. It is improved by 12 % performance than existing security monitoring system. The proposed system can detect suspicious P2P sharing files that were not possible by an existing system. The characteristics can be applied for security monitoring to block and respond to the distribution of malicious code through P2P.     

一种基于亲缘性的恶意代码分析方法简

随着网络及应用技术的不断发展,恶意代码的问题日益突出。目前大多数反病毒措施都是基于传统的基于特征码的扫描技术,使用“扫描引擎＋病毒库”的结构方式虽然对已知病毒的检测相对准确,但对新出现的恶意代码无法准确、及时地做出检测。本文提出了一种基于亲缘性恶意代码分析方法,使用系统函数集合、行为特征、相似代码特征这三个方面来表征一类恶意代码的特征,以达到缩小特征库规模,快速检测未知恶意代码的目的,特别是变种恶意代码。实验结果表明本文所提出的方法可以取得良好的检测结果。     

栈式自编码的恶意代码分类算法研究

针对传统机器学习方法不能有效地提取恶意代码的潜在特征,提出了基于栈式自编码(Stacked Auto Encoder,SAE)的恶意代码分类算法。 其次,从大量训练样本中学习并提取恶意代码纹理图像特征、指令语句中的隐含特征;在此基础上,为提高特征选择对分类算法准确性的提高,将恶意代码纹理特征以及指令语句频度特征进行融合,训练栈式自编码器和softmax分类器。 实验结果表明：基于恶意代码纹理特征以及指令频度特征,利用栈式自编码分类算法对恶意代码具有较好的分类能力,其分类准确率高于传统浅层机器学习模型（随机森林,支持向量机）,相比随机森林的方法提高了2.474％ ,相比SVM的方法提高了1.235％。     

Behavior-based features model for malware detection

The sharing of malicious code libraries and techniques over the Internet has vastly increased the release of new malware variants in an unprecedented rate. Malware variants share similar behaviors yet they have different syntactic structure due to the incorporation of many obfuscation and code change techniques such as polymorphism and metamorphism. The different structure of malware variants poses a serious problem to signature-based detection technique, yet their similar exhibited behaviors and actions can be a remarkable feature to detect them by behavior-based techniques. Malware instances also largely depend on API calls provided by the operating system to achieve their malicious tasks. Therefore, behavior-based detection techniques that utilize API calls are promising for the detection of malware variants. In this paper, we propose a behavior-based features model that describes malicious action exhibited by malware instance. To extract the proposed model, we first perform dynamic analysis on a relatively recent malware dataset inside a controlled virtual environment and capture traces of API calls invoked by malware instances. The traces are then generalized into high-level features we refer to as actions. We assessed the viability of actions by various classification algorithms such as decision tree, random forests, and support vector machine. The experimental results demonstrate that the classifiers attain high accuracy and satisfactory results in the detection of malware variants.     

A graph mining approach for detecting unknown malwares

Nowadays malware is one of the serious problems in the modern societies. Although the signature based malicious code detection is the standard technique in all commercial antivirus softwares, it can only achieve detection once the virus has already caused damage and it is registered. Therefore, it fails to detect new malwares (unknown malwares). Since most of malwares have similar behavior, a behavior based method can detect unknown malwares. The behavior of a program can be represented by a set of called API's (application programming interface). Therefore, a classifier can be employed to construct a learning model with a set of programs' API calls. Finally, an intelligent malware detection system is developed to detect unknown malwares automatically. On the other hand, we have an appealing representation model to visualize the executable files structure which is control flow graph (CFG). This model represents another semantic aspect of programs. This paper presents a robust semantic based method to detect unknown malwares based on combination of a visualize model (CFG) and called API's. The main contribution of this paper is extracting CFG from programs and combining it with extracted API calls to have more information about executable files. This new representation model is called API-CFG. In addition, to have fast learning and classification process, the control flow graphs are converted to a set of feature vectors by a nice trick. Our approach is capable of classifying unseen benign and malicious code with high accuracy. The results show a statistically significant improvement over n-grams based detection method.     

一种新的网络异常监测模型

网络已经成为当今社会建设与发展的重要基础建设,然而蠕虫、病毒等恶意代码对网络的正常运行造成严重的冲击和危害,造成巨大的损失。因此实现在网络环境的实时监控,迅速检测和掌握恶意代码发作情况对于防范恶意代码的破坏,降低其造成的损失具有重要的意义。本文提出了一种新的基于层次化结构的网络异常监控模型,它采用分层,跨平台的分布式监测,集中监控数据分析的系统结构,拥有具有良好系统监控策略配置能力和系统扩展性。