
Detecting Malware By Using Functional Characteristics

Posted on: 2015-03-28
Degree: Master
Type: Thesis
Country: China
Candidate: D J Dong
Full Text: PDF
GTID: 2308330482478869
Subject: Computer technology
Abstract/Summary:
Today, malware, spreading with the rapid proliferation of networking technology, has become a serious threat to computer security. The widely used signature-based detection methods can only identify malicious code that has already been found. In order to cope with unknown malware, heuristic detection methods are used, and among them detection based on API/system call sequences has become a hotspot. However, the premise of this approach is that the observed APIs must be reliable. In fact, with current malicious-code techniques, API or system calls can be bypassed, misled or tampered with, which makes detection methods that rely solely on the identity of API functions no longer reliable. The key issue is therefore how to identify a function by its code rather than by the function's address. To solve this problem, we propose the concept of functional characteristics and apply it to malware detection. The method combines static and dynamic approaches to extract multiple features that uniquely identify the key functions of malware. The thesis focuses on the following aspects.

(1) We summarized malware detection techniques. Through an elaboration of the various detection techniques, we analyzed their basic principles, main foundations and typical practices. On this basis, we pointed out the key problem of detection that rests on API recognition.

(2) We summarized the methods of function recognition, analyzed them according to their application scenarios, and pointed out the deficiencies and difficulties of current work.

(3) We defined the concept of the functional characteristics of a function and designed their representation and extraction methods. By observing the behaviour of a function and analyzing its core semantics, we arrived at a multi-level representation of a function. The extraction method can be automated.

(4) We implemented a malware detection prototype, Mal-detect, which uses functional characteristics. It relies on the IDA platform and is combined with existing analysis plugins to complete the detection.

Experiments show that functional characteristics are more stable and more accurate than the earlier features, with relatively strong robustness, and can be applied to actual malware analysis.
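The abstract argues that a function should be recognized by its code rather than by the address it lives at or calls, because addresses change under relocation and can be misled by dynamic API resolution. The block below is an added illustration of that idea, written for this page; it is not the Mal-detect prototype or any code from the thesis. It takes constructed IDA-style disassembly listings (invented here, not taken from real malware), abstracts away registers, memory displacements and address-sized immediates, and derives two levels of representation: an exact signature over the normalized instruction stream, and a looser mnemonic-bigram similarity for matching against a small library of known functions. The `0x1000` address threshold and the 0.7 match threshold are assumptions chosen for the example.

```python
"""Address-independent function fingerprinting (added example, not thesis code).

A function is represented by its normalized instruction stream, so relocation,
rebasing, register reassignment or a different import-resolution path does not
change the signature.  Input listings are constructed for this example.
"""
import hashlib
import re

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
        "ax", "bx", "cx", "dx", "al", "bl", "cl", "dl"}
HEX_IMM = re.compile(r"^(0x[0-9a-f]+|\d+)$", re.I)
COMMENT = re.compile(r";.*$")


def parse_listing(text):
    """Return [(mnemonic, [operands])] from a plain-text disassembly listing."""
    insns = []
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip().lower() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((mnem, ops))
    return insns


def normalize_operand(op, addr_threshold=0x1000):
    """Abstract the parts of an operand that change across builds or load addresses.

    Registers become REG (compilers reassign them freely), memory operands become
    MEM (stack layout and globals move), and immediates at or above the assumed
    address threshold become ADDR (call/jump targets, IAT slots).  Small constants
    such as buffer sizes are kept because they carry semantic information.
    """
    if op in REGS:
        return "REG"
    if "[" in op:
        return "MEM"
    if HEX_IMM.match(op):
        value = int(op, 16) if op.startswith("0x") else int(op)
        return "ADDR" if value >= addr_threshold else hex(value)
    return op


def normalized_stream(text):
    return [f"{m} {','.join(normalize_operand(o) for o in ops)}".strip()
            for m, ops in parse_listing(text)]


def signature(text):
    """Level 1: exact fingerprint of the normalized instruction stream."""
    return hashlib.sha256("\n".join(normalized_stream(text)).encode()).hexdigest()


def mnemonic_ngrams(text, n=2):
    mnems = [m for m, _ in parse_listing(text)]
    return {tuple(mnems[i:i + n]) for i in range(len(mnems) - n + 1)}


def similarity(a, b, n=2):
    """Level 2: Jaccard similarity of mnemonic n-grams, tolerant of small edits."""
    ga, gb = mnemonic_ngrams(a, n), mnemonic_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def best_match(unknown, library, threshold=0.7):
    """Name of the most similar known function, or None below the threshold."""
    score, name = max((similarity(unknown, body), name) for name, body in library.items())
    return name if score >= threshold else None


# Constructed listing: a wrapper that fills a stack buffer via an imported API.
FUNC_A = """
push ebp
mov ebp, esp
sub esp, 0x104
push 0x104            ; MAX_PATH
lea eax, [ebp-0x104]
push eax
call 0x401000         ; IAT thunk at this load address
test eax, eax
jz 0x40113a
leave
ret
"""

# Same logic relocated to another base and with a different scratch register.
FUNC_B = """
push ebp
mov ebp, esp
sub esp, 0x104
push 0x104
lea ecx, [ebp-0x104]
push ecx
call 0x10001200       ; same import, different address
test eax, eax
jz 0x1000113a
leave
ret
"""

# Constructed unrelated function: a string-length loop.
FUNC_C = """
xor eax, eax
mov ecx, [esp+4]
cmp byte ptr [ecx+eax], 0
jz 0x402010
inc eax
jmp 0x402001
ret
"""

KNOWN = {"tmp_path_wrapper": FUNC_A, "strlen_loop": FUNC_C}

if __name__ == "__main__":
    print("A == B:", signature(FUNC_A) == signature(FUNC_B))
    print("A ~ C :", similarity(FUNC_A, FUNC_C))
    print("B is  :", best_match(FUNC_B, KNOWN))
```

The exact signature is what a static matcher would store per known function; the n-gram similarity is the fallback when an unknown sample has been lightly modified. Neither level looks at the call target's address, so rebasing the import table or calling through a dynamically resolved pointer does not change the result.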
Keywords/Search Tags:malicious code, detection, functional characteristic, function