基于API关联性的恶意行为层次化分析方法.pdfVIP

计算机工程与设计 2014 年 11 月 Nov. 2014 COMPUTER ENGINEERING AND DESIGN 第 35 卷第11 期 Vo l. 35 No.11 基于 API 关联性的恶意行为层次化分析方法 李政廉，舒辉，康排，赵亚新 (数学工程与先进计算国家重点实验室，河南郑州 450000) 摘 要:为深入分析恶意代码的运行原理以及详细功能，减少恶意代码的分析周期，提出基于 API 关联的层次化行为分析 方法。分析API 的调用机制与参数的特征，给出基于API 的行为定义;在此基础上，设计并实现API 的行为关联算法，建 立行为关联模型;通过行为关联模型，可以通过恶意代码的 API 数据信息提取出基本行为信息，并进一步提取对象行为以 及进程行为，提供多维视角。设计恶意代码分析原型系统，使用实际测试样本集验证了该方法的可行性。 关键词: API 关联;行为抽取;行为分析;恶意代码;检测 中图法分类号: TP39 1. 9 文献标识号:A 文章编号: 1000-7024 (2014) 11-3730-06 Hierarchical analysis method of malicious behavior based on API association LI Zheng-lian. SHU Hui. KANG Fei. ZHAO Ya-xin (State Key Laboratory of Mathematical Engineering and Advanced Computing , Zhengzhou 450000 , China) Abstract: For the in-depth analysis of malicious code s running principles and detailed features , to reduce the analysis cycle of malicious code , the hierarchical analysis method of malware behaviors based on the API association was proposed. The mecha- nism and parameters of API calls were analyzed , and the API-based definition of behaviors was put forward. Based on these , the API behavior association algorithm was designed and implemented and a model of associated behaviors was estab!ished. Through the behavioral association model , the basic behavior information was gotten and the object behaviors and process behaviors were further extracted. By designing a prototype system for the malicious code analysis , the actual sample set was used to verify the feasibility of the analytical method. Key words: API association; extract behavior; behavior analysis; malicious code; detection