
Dynamic Malware Detection Based on Kernel Objects

Posted on: 2015-04-12 Degree: Master Type: Thesis
Country: China Candidate: W Feng Full Text: PDF
GTID: 2308330479489698 Subject: Computer Science and Technology
Abstract/Summary:
With the development of the Internet, more and more malicious code is written to attack people's computer systems, which disrupts people's normal lives. Although some malicious code detection techniques exist today, with the increasing variety of malicious code and the growing speed of its propagation, the detection capability and anti-attack capability of these techniques do not meet people's requirements. Therefore, malicious code detection techniques with higher efficiency and detection capability need to be introduced.

Malicious code detection techniques are mainly divided into two types: static and dynamic. Static malicious code detection techniques are affected by packers, obfuscation and other anti-analysis techniques, whereas dynamic malicious code detection techniques directly run the sample and capture its runtime behavior, and so are not affected by these anti-analysis techniques.

A kernel object is a memory block in the kernel. This memory block is a data structure whose members keep the information about the object. The main malicious behavior of most malicious samples is achieved by manipulating kernel objects, so introducing kernel objects into malicious code detection is significant. Many existing graph-based dynamic malicious code detection techniques use system call behavior graphs, which not only introduce noise that has nothing to do with malicious behavior but also have weaker resistance to obfuscation techniques.

This paper proposes a dynamic malicious code detection technology based on kernel objects. The specific implementation process is as follows: monitor the taint propagation paths between the various kernel objects through dynamic taint analysis while the sample runs, capture the dependencies between kernel objects and object attributes, and store them in result files. Parse the result files and build the kernel object behavior graph from them, then use a graph clustering method to build a common malicious behavior graph for each malware family. Finally, obtain the detection results with a matching algorithm. This method achieves a higher detection rate and a lower false positive rate, and its detection results are much improved compared to some other methods based on system call dependency graphs. This paper implements the dynamic taint analysis by writing a plug-in for TEMU, the dynamic binary analysis component of the BitBlaze binary analysis platform, then captures the taint propagation paths between kernel objects and obtains the dependencies between kernel objects.
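As an added illustration of the second half of the pipeline described above (building the kernel object behavior graph from result files, deriving a per-family common graph, and matching a new sample against it), and not code from the thesis or its TEMU plug-in: the result-file format, the object and attribute names, and the use of an edge-support threshold in place of the thesis's graph clustering method are all assumptions made here.

```python
from collections import Counter

# Constructed result-file excerpts (not real TEMU plug-in output): one taint
# propagation record per line, "SrcObject.attr -> DstObject.attr". Object and
# attribute names are illustrative placeholders, not real kernel structures.
FAMILY_X_SAMPLES = [
    """FileObject.Name -> ProcessObject.ImagePath
    ProcessObject.ImagePath -> RegistryKey.Value
    ProcessObject.ImagePath -> ThreadObject.StartAddress
    FileObject.Name -> SectionObject.Mapping""",
    """FileObject.Name -> ProcessObject.ImagePath
    ProcessObject.ImagePath -> RegistryKey.Value
    ProcessObject.ImagePath -> ThreadObject.StartAddress
    NetworkEndpoint.RemoteAddr -> FileObject.Name""",
]
UNKNOWN_SAMPLE = """FileObject.Name -> ProcessObject.ImagePath
ProcessObject.ImagePath -> RegistryKey.Value
ProcessObject.ImagePath -> ThreadObject.StartAddress
ProcessObject.ImagePath -> DriverObject.Entry"""

def parse_result_file(text):
    """Kernel object behavior graph: a set of directed taint-dependency edges."""
    edges = set()
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        src, dst = (part.strip() for part in line.split("->", 1))
        edges.add((src, dst))
    return edges

def common_behavior_graph(graphs, min_support=1.0):
    """Family-common graph: edges present in at least min_support of the
    member graphs (a simple stand-in for the thesis's graph clustering)."""
    counts = Counter(edge for g in graphs for edge in g)
    needed = min_support * len(graphs)
    return {edge for edge, n in counts.items() if n >= needed}

def match_score(sample_edges, common_edges):
    """Fraction of the common graph's edges that the sample graph contains."""
    if not common_edges:
        return 0.0
    return len(sample_edges & common_edges) / len(common_edges)

def classify(sample_text, family_models, threshold=0.8):
    """Best-matching family name, or None if no family reaches the threshold."""
    sample = parse_result_file(sample_text)
    score, name = max((match_score(sample, g), n) for n, g in family_models.items())
    return name if score >= threshold else None

MODELS = {"FamilyX": common_behavior_graph([parse_result_file(s) for s in FAMILY_X_SAMPLES])}
```

A sample that shares only part of the family's common edges (for example two of the three) scores below the threshold and is reported as unmatched, which is where the false positive rate of the matching step is controlled.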
Keywords/Search Tags: kernel object, dynamic taint analysis, common behavioral graph, malware detection