Research And Implementation Of Malware Variants Identification Based On Program Data Value

Posted on: 2015-08-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z S Zhou
GTID: 2308330482478868
Subject: Computer application technology
Abstract/Summary:
Malware is spreading rapidly all over the world through the Internet, and most new malware samples are just variants of malware that has occurred before. Malware variant identification plays an important role in the protection of computer systems and in other security-related work. As the techniques for generating malware variants evolve, many anti-analysis techniques (such as encryption, deformation, and obfuscation) have emerged. This makes malware analysis and identification more and more difficult.

The key to malware variant identification is the extraction of stable malware features and the modeling of malicious behavior. Currently, the models used to identify malware variants range from the signature model to the system call graph model. Malware recognition methods based on those models are ineffective against obfuscation attacks that substitute alternative system calls. Therefore, this thesis proposes a new malware model and implements a safe, reliable and scalable malware variant identification tool with strong anti-inference ability.

The main contributions are as follows:

(1) Malware analysis methods are discussed and their shortcomings are summarized.

(2) Malware variant generation techniques are discussed, the importance of identifying malware variants is set out, and the difficulties encountered are pointed out.

(3) A stable model is proposed based on program data value classification, according to the relation between program function and program data value. Variables are classified according to the type of the resources involved, and their influence on the functions of the program is discussed. The effectiveness of the model is described with respect to the malware variant generation techniques.

(4) A malware variant identification tool was designed and implemented on the basis of the DECAF platform. According to the experiments, the proposed model is stable and the analysis based on this model is effective. It is scalable and good at defending against obfuscation attacks, with certain advantages compared with existing tools.
Keywords/Search Tags:malware, variants, dynamic analysis, data value classification