
Android Malware Behavior Similarity Detection Technology Based On Hybrid Feature

Posted on: 2018-12-11
Degree: Master
Type: Thesis
Country: China
Candidate: P Chen
GTID: 2348330563451275
Subject: Computer technology

Abstract/Summary:
Malware belonging to one family shows convergent and consistent behaviour, so samples of the same family share behavioural characteristics, and known behaviour patterns can be used to assess whether a new sample is malicious and what harm it may cause. Behaviour-based detection of similar code falls into two classes, dynamic and static. Dynamic detection runs the software in a real or emulated environment, but its efficiency is low, the malicious behaviour is hard to trigger completely, and automated testing is difficult. Static detection does not execute the program; it analyses control flow and data flow over the assembly code obtained by decompilation, but it cannot fully recover encrypted or obfuscated code and cannot observe malicious behaviour that is only released at run time, so its accuracy is low. To address these problems, this thesis draws on current malicious-code detection research and proposes a similarity detection technique for Android malicious code behaviour based on hybrid features, which combines the efficiency of static detection with the accuracy of dynamic detection. The research content and contributions are as follows:

1. A graph-isomorphism method based on program behaviour subgraphs is proposed, measuring program behaviour similarity from the static side. First, a code conversion framework decompiles the high-level language code into a unified intermediate-language representation; the instruction format is normalised and the program's behaviour subgraphs are drawn. Second, a subgraph filtering algorithm discards the subgraphs that are irrelevant to the behaviour similarity measure. This addresses the large computing and memory cost that graph matching (NP-complete in the general subgraph case) would otherwise incur, and improves the efficiency of the system. The behaviour similarity measure on the program's static features is thereby completed.

2. A complete dynamic event flow for running Android applications is designed. The suspicious components identified by static detection serve as the guidance path for dynamic detection, improving the flow of events between the application and the system. This addresses the low coverage of dynamically executed programs and increases the coverage of the application's execution paths.

3. A text-independent compression algorithm is improved: the original system-call sequence is compressed according to the locality principle of program execution, and the compressed result set forms behaviour sequences of variable length that fully preserve the program's behavioural semantics. The original trace result set is significantly reduced in size after compression, which addresses the difficulty of measuring the huge volume of trace records that dynamic execution generates. Through similarity measurement over fragments of the software behaviour sequences, behaviour similarity detection on the program's dynamic features is finally completed.
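The three contributions above describe one pipeline: label behaviour subgraphs built from an intermediate representation, filter out the irrelevant subgraphs before matching, use the surviving suspicious components to guide the dynamic run, then compress the recorded system-call trace by its locality and compare sequence fragments. The Python block below is an added illustration written for this page, not code from the thesis. It assumes a hypothetical API-to-behaviour label table (API_LABEL), hand-constructed method listings (SAMPLE_A, SAMPLE_B, SAMPLE_C) and system-call traces (TRACE_A, TRACE_B, TRACE_C), and it stands in for the thesis's graph matching with a Weisfeiler-Lehman hash, under which isomorphic labelled subgraphs compare equal by hash; the static/dynamic weight in hybrid_similarity is also an assumption.

```python
"""Toy hybrid behaviour-similarity pipeline (added example for this page, not the thesis's code)."""
import hashlib

# Hypothetical mapping from an API in the intermediate representation to a behaviour label;
# unknown APIs become "OTHER" so nodes compare by behaviour, not by method identity.
API_LABEL = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "SMS_SEND",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "READ_IMEI",
    "Ljava/net/URL;-><init>": "NET",
    "Ljava/net/HttpURLConnection;->connect": "NET",
    "Landroid/util/Log;->d": "LOG",
    "Ljava/lang/StringBuilder;->append": "STRING",
}
SENSITIVE = {"SMS_SEND", "READ_IMEI", "NET"}  # a subgraph touching none of these is dropped
SMS, IMEI, URL, CONN, LOG, SB = API_LABEL  # the six API names above, in insertion order

# Constructed samples: method name -> ordered API calls in that method's body.
SAMPLE_A = {"onCreate": [LOG, SB], "leak": [IMEI, URL, CONN], "spam": [SMS, SMS]}
SAMPLE_B = {"a": [SB, LOG, LOG], "b": [IMEI, URL, CONN], "c": [SMS, SMS], "d": [URL, CONN]}
SAMPLE_C = {"onCreate": [LOG, URL, CONN]}  # unrelated app that also uses the network
# Constructed system-call traces (strace-style names) recorded while driving each sample.
TRACE_A = ["openat", "read", "read", "read", "read", "close", "socket", "connect",
           "sendto", "sendto", "sendto", "recvfrom", "close", "ioctl", "ioctl", "ioctl"]
TRACE_B = ["openat", "read", "read", "close", "socket", "connect", "sendto", "recvfrom",
           "sendto", "recvfrom", "sendto", "recvfrom", "close", "ioctl"]
TRACE_C = ["openat", "read", "close", "ioctl", "openat", "write", "close", "ioctl", "ioctl"]

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()[:16]

def behaviour_subgraph(calls):
    """Static side: one subgraph per method, nodes labelled by behaviour, edges = call order."""
    labels = [API_LABEL.get(c, "OTHER") for c in calls]
    return labels, [(i, i + 1) for i in range(len(calls) - 1)]

def wl_hash(labels, edges, rounds=2):
    """Weisfeiler-Lehman hash: identical for isomorphic labelled graphs, so retained
    subgraphs are matched by hash comparison instead of an explicit isomorphism search."""
    adj = {i: [] for i in range(len(labels))}
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    cur = list(labels)
    for _ in range(rounds):
        cur = [_h(cur[i] + "|" + ",".join(sorted(cur[j] for j in adj[i])))
               for i in range(len(cur))]
    return _h(",".join(sorted(cur)))

def suspicious_components(listing):
    """Subgraph filter: keep only subgraphs that touch a sensitive behaviour. The surviving
    method names double as the guidance list for the dynamic run."""
    kept = {}
    for name, calls in listing.items():
        labels, edges = behaviour_subgraph(calls)
        if SENSITIVE & set(labels):
            kept[name] = wl_hash(labels, edges)
    return kept

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def static_similarity(x, y):
    return jaccard(set(suspicious_components(x).values()),
                   set(suspicious_components(y).values()))

def compress_trace(trace, max_pattern=4):
    """Locality-based compression: a block of up to max_pattern calls that immediately repeats
    itself (a loop body) is kept once, shrinking the trace but preserving behaviour order."""
    out, i = [], 0
    while i < len(trace):
        for p in range(1, max_pattern + 1):  # shortest repeating block wins
            block = trace[i:i + p]
            if len(block) < p or trace[i + p:i + 2 * p] != block:
                continue
            j = i + p
            while trace[j:j + p] == block:
                j += p
            out.extend(block)
            i = j
            break
        else:
            out.append(trace[i])
            i += 1
    return out

def fragments(seq, n=3):
    """Dynamic side: the fragments compared are n-grams of the compressed behaviour sequence."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}

def dynamic_similarity(t1, t2):
    return jaccard(fragments(compress_trace(t1)), fragments(compress_trace(t2)))

def hybrid_similarity(x, y, tx, ty, w_static=0.5):
    """Weighted combination of the static and dynamic scores (the weight is an assumption)."""
    return w_static * static_similarity(x, y) + (1 - w_static) * dynamic_similarity(tx, ty)

if __name__ == "__main__":
    print("A vs B:", static_similarity(SAMPLE_A, SAMPLE_B), dynamic_similarity(TRACE_A, TRACE_B))
    print("A vs C:", static_similarity(SAMPLE_A, SAMPLE_C), dynamic_similarity(TRACE_A, TRACE_C))
```

Two details are worth noticing when running it. The filter drops the pure logging methods of both family members, so the renamed, padded variant still matches on two of three retained subgraphs, while the unrelated app scores zero even though it also contacts the network, because its subgraph has a different label structure rather than merely different method names. On the dynamic side, compression collapses both the four-fold `read` loop and the alternating `sendto`/`recvfrom` pair into a single occurrence, so two runs of the same family that differ only in loop counts produce identical behaviour sequences; the thesis's "indefinite long" sequences correspond to the variable-length output of compress_trace, which is an assumption about its algorithm, not a reproduction of it.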
Keywords/Search Tags: Software behaviour, Static analysis, Dynamic analysis, Subgraph filtering, Isomorphism, Automated detection, Trace