
Research On Program Behavior Recognition Based On The Combination Of Dynamic And Static Information

Posted on: 2019-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: C Wang
Full Text: PDF
GTID: 2348330542998201
Subject: Computer technology
Abstract/Summary:
In recent years, malware has changed and been updated constantly, seriously threatening a large amount of user data. How to quickly and accurately identify unknown program behavior is a major challenge in the field of software security. Traditional dynamic program identification technology is often based on system-call-level information and does not explore the deeper assembly instruction layer. Static identification technology is usually based on the string encryption algorithm of the process and has not expanded much into other aspects. This paper presents a program behavior recognition technique based on the combination of dynamic and static information. For static program features, we use the IDA Python tools to extract opcodes and literals from within the program and to collate and analyze other key constant information in the program's static state. For dynamic program features, this paper proposes a system call extraction technique based on binary instrumentation. Different system call invariants are taken for system calls with different types of features. In addition, this paper focuses on a semantic analysis technology based on dynamic assembly instruction sequences: modeling assembly instructions, designing algorithms for instruction sequence similarity, recording the discrete features and sequence features of programs in a multi-dimensional manner, and finally using machine learning to train on this information, combining the advantages of dynamic and static information to identify unknown programs. The features used in the experiments involve many fields of knowledge, including binary program instrumentation, system call analysis, assembly instruction analysis, sequence alignment, and machine learning. At the assembly instruction level, the paper puts forward an assembly instruction modeling and sequence similarity calculation method. At the system call level, many attempts and innovations have also been made in effectively intercepting and extracting data.
Keywords/Search Tags: program identification, dynamic analysis, sequence alignment, static analysis, machine learning