Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Malicious software homology analysis method based on behavior tree

A homology analysis and malware technology, applied in the field of behavior tree-based malware homology analysis, which can solve problems such as malware classification errors, damage to the ability to distinguish, and affect the performance of malware analysis.

Active Publication Date: 2020-10-02
SOUTH CHINA UNIV OF TECH
View PDF9 Cites 2 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0006] The purpose of the present invention is to solve the problem that the common malware analysis method based on the API sequence ignores the control structure between the APIs in the prior art, resulting in the wrong classification of the malware, and solves the problem that the API sequence of the malware has a noisy API, which destroys the original Distinguishable features affect the performance of malware analysis, provide a behavior tree-based malware homology analysis method, and improve the accuracy of malware homology judgments

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Malicious software homology analysis method based on behavior tree
  • Malicious software homology analysis method based on behavior tree
  • Malicious software homology analysis method based on behavior tree

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0065] This embodiment discloses a behavior tree-based malware homology analysis method, the basic process is as follows figure 1 shown, including the following steps:

[0066] T1. Collect the API call sequence generated when the malware is executed;

[0067] T2. Convert API call sequences into API logs to mine malware behavior models;

[0068] T3. Based on the behavior tree, extract the behavioral characteristics of malware;

[0069] T4. Build behavioral characteristics of malware families;

[0070] T5, calculating the similarity vector of malware;

[0071] T6, the collected data is divided into a training set and a test set according to the ratio of 8:2;

[0072] T7. Building a classification model W on the training set based on the naive Bayesian classification algorithm;

[0073] T8. Use the classification model W to complete the family classification of malware.

[0074] In this embodiment, a behavior tree with anti-noise property is used to express and draw the beh...

Embodiment 2

[0081] The characteristics and performance of the present invention will be further described in detail below in conjunction with Embodiment 2.

[0082] A preferred embodiment of the present invention includes the following steps:

[0083] T1. Collect the API call sequence generated when the malware is executed;

[0084]T2. Convert the API call sequence into API logs, and mine the behavior tree of malware;

[0085] T2.1. Convert API call sequence into API log;

[0086] Among them, the API call sequence is a collection of APIs generated by the malware during each run, defined as S=1 ,a 2 ,...,a n >, where a r , 1≤r≤n represents the rth API call, which is a binary group a r ={time,label}, time indicates the time when the API is called, label is the name of the API call, n indicates that the API call sequence S consists of n tuples, and in the API call sequence S, the APIs are sorted in ascending order of call time ;

[0087] Wherein, the API log is a set composed of one o...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a malicious software homology analysis method based on a behavior tree, provides a new definition for behaviors of malicious software, is not limited to analysis of API continuous short sequences, describes behavior characteristics of the malicious software from each behavior and a relationship between the behaviors, and is richer in behavior semantics. The method comprisesthe following steps: firstly, calling a sequence from an API generated during malicious software execution, and constructing the behavior tree for reflecting a malicious software behavior model by adopting an Inductive Miner algorithm; secondly, extracting behavior characteristics from each behavior tree, generating family weighted behavior characteristics, converting the behavior trees into similarity vectors based on a similarity algorithm, and finally, training a family classification model by applying a naive Bayes classification algorithm. According to the method, the problems of lack ofa control structure and existence of noise in the API sequence in previous malicious software homology analysis based on the API sequence can be solved, and the malicious software family classification capability is improved.

Description

technical field [0001] The invention relates to the technical field of computer security research, in particular to a behavior tree-based malware homology analysis method. Background technique [0002] Most of the newly emerging malware are variants of known malware families. Therefore, finding the homology between unknown malware and known malware families and quickly classifying unknown malware is helpful. to speed up malware analysis. [0003] Malware belonging to the same family has similar behaviors, and the API call sequence is the information source that best describes the behavior of malware. Therefore, most studies use the API call sequence as the research basis, but the API sequence is used as the research basis for malware analysis. object, faced with the following problems: [0004] First, in order to improve the anti-detection ability of malware, malware authors randomly insert redundant APIs in the process of writing malware without affecting the original beh...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/56G06K9/62
CPCG06F21/566G06F18/22G06F18/24155
Inventor 徐杨余盛龙王彩蝶李东
Owner SOUTH CHINA UNIV OF TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com