
Research Of Similarities Between Malware Variants

Posted on: 2012-04-15    Degree: Master    Type: Thesis
Country: China    Candidate: L F Wu    Full Text: PDF
GTID: 2248330395462439    Subject: Computer application technology
Abstract/Summary:
The many techniques for generating malware variants let the volume of malware grow exponentially, so recognising variants has become very important. A variant technique changes a program's code while keeping the function of the original program unchanged, so the original program and its variants can differ greatly at the code level even though they behave the same. Traditional similarity-based methods for judging malware variants usually rely on syntactic features and ignore this functional invariance, which makes variants hard to recognise. Two things are therefore needed: a model that reflects a program's function, and a comparison method based on semantic features. This thesis studies both, on the basis of static analysis.

First, we determine the feature model of the program. Given the character of malware variants, we take functions and the function-call graph as the feature code, because these features reflect a program's function better than traditional features: as the code of a program changes, they remain stable and are therefore more effective for recognising variants.

Second, we propose a feature-comparison algorithm that works at the semantic level. We study variant-generation technology in depth, in particular the mechanisms of code obfuscation, and in view of their technical characteristics we put forward two feature-comparison methods: (1) analysis based on operation codes, and (2) analysis based on function calls. The first method combines a functional classification of assembly instructions with cosine similarity, a statistical measure, to compare feature code; the second builds on the first and uses the function-call relation to compare features. Both methods work at the semantic level, and both can see through the code-obfuscation techniques used to produce variants, but the second has stronger discriminating power than the first.

Finally, we propose a method for measuring the similarity of malware variants. Computing the similarity between variants is reduced to computing the similarity between their features: for the function features and the function-call features, similarity is computed as "the number of maximum common functions" and "the number of maximum common edges" respectively. Experiments show that these two measures reflect the functional similarity of programs to a certain extent.
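The two comparison methods and the two similarity measures described above, as an added worked example in Python that is not part of the thesis: the opcode classes, the cosine threshold, the greedy matching used to approximate the maximum-common-function set, and the two sample programs (an original and a renamed, junk-padded variant) are all constructed assumptions, not the thesis's own data or algorithm details. A purely syntactic baseline (exact opcode-sequence equality) is included to show why the semantic features are needed.

```python
"""Semantic similarity of malware variants: per-function opcode-class vectors
compared by cosine similarity (method 1), then function-call-graph edges
compared through the matched functions (method 2).

Added illustration; opcode classes, threshold and sample programs are
assumptions, not data from the thesis."""
from math import sqrt
from typing import Dict, List, Set, Tuple

# Coarse functional classification of x86 mnemonics (assumed; the thesis's
# actual classification is not given in the abstract). Unknown -> "other".
CLASSES = ("data", "arith", "logic", "ctrl", "other")
OPCODE_CLASS = {
    **dict.fromkeys(["mov", "lea", "push", "pop", "xchg"], "data"),
    **dict.fromkeys(["add", "sub", "imul", "inc", "dec", "neg"], "arith"),
    **dict.fromkeys(["and", "or", "xor", "not", "shl", "shr"], "logic"),
    **dict.fromkeys(["cmp", "test", "jmp", "je", "jne", "call", "ret"], "ctrl"),
}

# A program is (functions: name -> opcode list, call edges: {(caller, callee)}).
Program = Tuple[Dict[str, List[str]], Set[Tuple[str, str]]]


def opcode_vector(opcodes: List[str]) -> List[int]:
    """Count how many instructions of one function fall into each class."""
    counts = dict.fromkeys(CLASSES, 0)
    for op in opcodes:
        counts[OPCODE_CLASS.get(op, "other")] += 1
    return [counts[c] for c in CLASSES]


def cosine(a: List[int], b: List[int]) -> float:
    """Cosine similarity; insensitive to how much junk code inflates a vector."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def match_functions(p: Program, q: Program, threshold: float = 0.8) -> Dict[str, str]:
    """Method 1: pair each function of p with the most similar still-unmatched
    function of q (greedy approximation of the maximum common function set)."""
    vec_q = {name: opcode_vector(ops) for name, ops in q[0].items()}
    mapping: Dict[str, str] = {}
    for name, ops in p[0].items():
        v = opcode_vector(ops)
        candidates = [(cosine(v, vq), cand) for cand, vq in vec_q.items()
                      if cand not in mapping.values()]
        if candidates:
            score, best = max(candidates)
            if score >= threshold:
                mapping[name] = best
    return mapping


def function_similarity(p: Program, q: Program, threshold: float = 0.8) -> float:
    """Share of functions common to both programs ("maximum common functions")."""
    return len(match_functions(p, q, threshold)) / max(len(p[0]), len(q[0]))


def edge_similarity(p: Program, q: Program, threshold: float = 0.8) -> float:
    """Method 2: share of call edges preserved under the function matching
    ("maximum common edges"); renamed functions do not matter here."""
    m = match_functions(p, q, threshold)
    common = sum(1 for (u, v) in p[1]
                 if u in m and v in m and (m[u], m[v]) in q[1])
    return common / max(len(p[1]), len(q[1]))


def exact_sequence_matches(p: Program, q: Program) -> int:
    """Purely syntactic baseline: functions whose opcode sequence is identical."""
    q_seqs = {tuple(ops) for ops in q[0].values()}
    return sum(1 for ops in p[0].values() if tuple(ops) in q_seqs)


# Constructed sample: an original and a variant with renamed functions,
# inserted junk (nop), an inc->add substitution and one extra helper.
ORIGINAL: Program = (
    {"main": ["push", "mov", "call", "test", "je", "call", "pop", "ret"],
     "decrypt": ["mov", "xor", "inc", "cmp", "jne", "ret"],
     "connect": ["push", "push", "call", "mov", "ret"]},
    {("main", "decrypt"), ("main", "connect")},
)
VARIANT: Program = (
    {"sub_401000": ["push", "nop", "mov", "call", "test", "nop", "je", "call", "pop", "ret"],
     "sub_401050": ["mov", "xor", "add", "cmp", "jne", "nop", "ret"],
     "sub_401080": ["push", "push", "nop", "call", "mov", "ret"],
     "sub_4010a0": ["xor", "xor", "shl", "ret"]},
    {("sub_401000", "sub_401050"), ("sub_401000", "sub_401080"),
     ("sub_401050", "sub_4010a0")},
)

if __name__ == "__main__":
    print("matched functions:", match_functions(ORIGINAL, VARIANT))
    print("function similarity:", round(function_similarity(ORIGINAL, VARIANT), 3))
    print("edge similarity:", round(edge_similarity(ORIGINAL, VARIANT), 3))
    print("exact opcode-sequence matches:", exact_sequence_matches(ORIGINAL, VARIANT))
```

On this constructed pair the syntactic baseline finds no identical function at all, while the opcode-class vectors pair all three original functions with their obfuscated counterparts (function similarity 3/4, since the variant has one extra function) and two of the three call edges survive the matching (edge similarity 2/3). The greedy pairing is a simplification: a true maximum matching would need a bipartite-matching algorithm, and the threshold governs how much junk insertion or instruction substitution is tolerated before a function is treated as new.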
Keywords/Search Tags: malware, variant, similarity, operational code, function-call graph