
Research On Malware Based On Function Similarity

Posted on: 2019-09-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Huo
GTID: 2428330542996930
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, computers and the Internet have diversified and now appear in almost every field. For example, mobile communications, Internet payment, and artificial intelligence have become popular, and people's dependence on network information has increased. While the Internet and computers improve work efficiency and daily life, they have also given rise to cyber security threats. Every major global network security company monitors the global network security situation each year and publishes a network security report. According to Symantec's Internet security report, malware attacks account for the largest proportion of network security threats. Viruses, worms, Trojan horses and other malware emerge on the Internet, spread freely, and threaten the Internet environment at all times. The study found that a large amount of new malware is derived from known malware, so how to detect malware variants is a very worthwhile research direction. In recent years, systematic software development tools have emerged and are supported by many program developers. Their simple operation allows software to be developed efficiently and saves a lot of time, but they have also brought many problems to the network security environment. In particular, making new malware variants has become easier, which has led to a large number of malware threats. New malware variants change the structure of their own code to evade security detection without affecting their own functionality, which makes network security detection very difficult. However, although many obfuscation techniques are applied, much code is still reused, and this provides a basis for analysis.

This paper presents a new method to analyze and identify malware, named Systematic Similarity Analysis based on Function-call-relation (SSAF). The method uses functions as the basic logical units. First, feature matching is performed on all functions in the malicious file using function features; the purpose is to classify the malware and reduce the scale of computation. This avoids the defects of the basic block matching process, such as low operational time and space efficiency. Second, the method incorporates the call relations between functions and calculates the similarity of the call relationships. The similarity of each function is obtained by weighted calculation, the similarity of the file is then calculated, and an accurate malware similarity analysis result is obtained. In this way, variants of the same malware family are identified and malware of different families is distinguished. Experimental results show that the SSAF method performs well in identifying and classifying malware. At the same time, it can reduce the scale of operations in large-scale malware detection systems. Finally, its detection accuracy and classification effect are better than those of 3-CFG and SMIT.
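The two stages described in the abstract can be sketched as follows. This is an added illustration, not code from the thesis: the per-function feature sets, the Jaccard measure, the greedy one-to-one pairing, the 0.5 threshold and the 0.6/0.4 weights are all assumptions, and the three sample "files" are constructed.

```python
# Added illustration (not the thesis's code). Feature sets, Jaccard, the 0.5
# threshold and the 0.6/0.4 weights are assumptions; all sample data is constructed.
from typing import NamedTuple

class Func(NamedTuple):
    features: frozenset          # per-function features, e.g. mnemonics / imported APIs
    callees: frozenset           # names of the functions this function calls

def jaccard(a, b):
    return 1.0 if not (a or b) else len(a & b) / len(a | b)

def feature_match(fa, fb, threshold=0.5):
    """Stage 1: greedy one-to-one pairing of functions by feature similarity."""
    cands = sorted(((jaccard(f.features, g.features), a, b)
                    for a, f in fa.items() for b, g in fb.items()), reverse=True)
    pairs, used = {}, set()
    for score, a, b in cands:
        if score >= threshold and a not in pairs and b not in used:
            pairs[a] = b
            used.add(b)
    return pairs

def call_similarity(f, g, pairs):
    """Stage 2: compare call relations after mapping f's callees through the pairing."""
    mapped = frozenset(pairs.get(c, "unmatched:" + c) for c in f.callees)
    return jaccard(mapped, g.callees)

def file_similarity(fa, fb, w_feat=0.6, w_call=0.4, threshold=0.5):
    """Weighted per-function similarity, averaged over the larger file."""
    pairs = feature_match(fa, fb, threshold)
    total = sum(w_feat * jaccard(fa[a].features, fb[b].features)
                + w_call * call_similarity(fa[a], fb[b], pairs)
                for a, b in pairs.items())
    return total / (max(len(fa), len(fb)) or 1)

def mk(**funcs):   # helper: name=(features, callees) -> {name: Func}
    return {n: Func(frozenset(f), frozenset(c)) for n, (f, c) in funcs.items()}

SAMPLE = mk(main=(["push", "mov", "call", "CreateFileA"], ["decrypt", "beacon"]),
            decrypt=(["xor", "loop", "mov", "inc"], []),
            beacon=(["socket", "connect", "send", "mov"], ["decrypt"]))
VARIANT = mk(sub_1=(["push", "mov", "call", "CreateFileA", "nop"], ["sub_2", "sub_3"]),
             sub_2=(["xor", "loop", "mov", "inc"], []),
             sub_3=(["socket", "connect", "send", "mov", "nop"], ["sub_2"]))
OTHER = mk(start=(["push", "pop", "ret", "RegOpenKeyA"], ["helper"]),
           helper=(["add", "sub", "cmp", "jmp"], []))

if __name__ == "__main__":
    print(round(file_similarity(SAMPLE, VARIANT), 2), file_similarity(SAMPLE, OTHER))
```

The constructed variant renames every function and pads two of them with an extra instruction, yet the preserved call relations keep its score high, while the unrelated file produces no function pairs at all.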
Keywords/Search Tags:Malware variants, Binary files, Feature matching, Call relationships, Similarity