With the rapid development of Internet technology, Internet services are becoming more and more abundant, and people's work and daily lives are ever more closely tied to the Internet. While the Internet has brought great convenience to people's lives, many security problems have emerged alongside it. In the current Internet environment the number of malware samples keeps growing, and most of them are variants or derivatives of known malicious viruses, or belong to a malicious program family, which seriously affects the security of the entire Internet. How to effectively detect malware variants and malicious virus families has long been a hot topic in the field of information security.

To address this problem, this thesis proposes using binary code homology comparison to detect malware variants and malicious program families. Based on analysis and research of existing binary code homology comparison techniques, a binary code homology comparison system is designed and implemented. The system applies several techniques for binary code homology comparison: it disassembles the binary program with the IDA disassembler, extracts the program's features from the resulting assembly code, compares those features, and finally calculates the similarity between programs; the relationship between the programs is then judged from that similarity. The system combines multiple homology comparison techniques based on the file, the sequence, the function structure and the basic block structure, covering the file level, code level and structure level of the binary program, so that the target software is analyzed and compared from multiple angles. Using malware or a malicious virus family as the comparison sample, the system computes the similarity between unknown samples and the virus samples and judges their relationship according to that similarity, which makes it possible to detect effectively whether an unknown sample is a malware variant or belongs to a known malicious virus family.
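As an added illustration of the multi-level comparison the abstract describes (example code, not the thesis's own system): a constructed family sample is scored against an unknown sample at the sequence level (opcode bigrams), the function level (best-matched functions) and the basic-block level (CFG edge sets), the three scores are fused into one similarity, and a threshold decides the relationship. The disassembly summaries, feature choices, weights and threshold are all assumptions made for this example.

```python
from statistics import mean
# Constructed per-function disassembly summaries (not from the thesis): each
# function maps to its opcode sequence and the edge set of its basic-block CFG.
FAMILY_SAMPLE = {
    "decrypt": {"ops": ["push", "mov", "xor", "loop", "pop", "ret"],
                "cfg": {(0, 1), (1, 1), (1, 2)}},
    "connect": {"ops": ["push", "call", "test", "jz", "call", "ret"],
                "cfg": {(0, 1), (0, 2), (1, 2)}},
}
# Suspected variant: functions renamed, one conditional jump inverted.
UNKNOWN_VARIANT = {
    "sub_401000": {"ops": ["push", "mov", "xor", "loop", "pop", "ret"],
                   "cfg": {(0, 1), (1, 1), (1, 2)}},
    "sub_402000": {"ops": ["push", "call", "test", "jnz", "call", "ret"],
                   "cfg": {(0, 1), (0, 2), (1, 2)}},
}
UNRELATED = {"main": {"ops": ["sub", "lea", "call", "add", "ret"], "cfg": {(0, 1)}}}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def bigrams(ops):
    # Sequence-level feature: adjacent opcode pairs, insensitive to addresses and operands.
    return {tuple(ops[i:i + 2]) for i in range(len(ops) - 1)}

def sequence_similarity(x, y):
    # Code level: opcode-bigram overlap of the whole program.
    bx = set().union(*(bigrams(f["ops"]) for f in x.values()))
    by = set().union(*(bigrams(f["ops"]) for f in y.values()))
    return jaccard(bx, by)

def match_functions(x, y):
    # Function level: pair each function of x with the best-scoring function in y.
    score = lambda a, b: jaccard(bigrams(a["ops"]), bigrams(b["ops"]))
    return [(fx, max(y.values(), key=lambda fy: score(fx, fy))) for fx in x.values()]

def function_similarity(x, y):
    return mean(jaccard(bigrams(a["ops"]), bigrams(b["ops"])) for a, b in match_functions(x, y))

def block_similarity(x, y):
    # Structure level: CFG edge-set overlap of each matched function pair.
    return mean(jaccard(a["cfg"], b["cfg"]) for a, b in match_functions(x, y))

def homology_score(x, y, weights=(0.4, 0.3, 0.3)):
    # Weighted fusion of the three levels; the weights and threshold are assumptions.
    levels = (sequence_similarity(x, y), function_similarity(x, y), block_similarity(x, y))
    return sum(w * s for w, s in zip(weights, levels))

def is_family_member(unknown, family_sample, threshold=0.7):
    return homology_score(family_sample, unknown) >= threshold
```

The inverted jump lowers the sequence and function scores but leaves the basic-block structure identical, which is why the fused score still places the variant inside the family while the unrelated program falls well below the threshold.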