
Research And Implementation Of Malware Detection Based On Assembly Instruction

Posted on: 2020-04-05
Degree: Master
Type: Thesis
Country: China
Candidate: S X Zhang
Full Text: PDF
GTID: 2428330575957140
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, electronic information has become a vital asset for individuals and enterprises, and malicious programs are increasingly aimed at stealing information and earning profits. The APT attacks disclosed in recent years (Lotus, White Elephant, Dark Hotel) mainly stole state secrets and the business information of enterprises, and the losses caused by malicious programs have become more and more serious: in 2017 the WannaCry and NotPetya ransomware swept the world and caused losses of $8 billion and $10 billion respectively. Traditional malware detection technology focuses on the static characteristics of programs and on the behavioural characteristics of API calls. Detection based on static features cannot withstand obfuscation methods such as polymorphism, metamorphism and packing. API-based detection can be evaded by obfuscating or hiding API calls, for example by adding API calls that do not affect program behaviour or by reimplementing some API functions inside the malware itself.

In this paper, a malware detection method based on assembly instructions is proposed. Compared with methods based on function behaviour, it analyses malicious programs at a finer granularity. The method has two parts. The first extracts assembly instruction information at runtime using binary instrumentation and trains a hidden Markov model on the resulting opcode sequences; it achieves good results in distinguishing five kinds of samples: Backdoor, Trojan, Virus, Worm and benign programs. The second designs an abstract coding rule for assembly instructions, computes the similarity of basic blocks with the longest common subsequence algorithm, and then applies the Hungarian algorithm to obtain the similarity of whole programs. On the experimental samples this method detects program similarity better than BinDiff, a well-known binary comparison tool. Based on the methods above, this paper designs an off-line malware detection model based on assembly instructions, named MDBA, which is robust against code obfuscation. MDBA can not only detect malicious programs effectively but also compare the similarity of programs, find associations between malware samples and assist malware analysis.
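The basic-block comparison of the second part, as an added illustration that is not the thesis's own code: the abstract coding rule (mnemonic plus operand classes), the LCS-based block similarity and the one-to-one block matching are all assumptions of this example, and an exhaustive search stands in for the Hungarian algorithm, which returns the same optimum on the constructed sample.

```python
import re
from itertools import permutations

# Assumed abstract coding rule: keep the mnemonic and replace each operand by its
# class (R register, I immediate, M memory), so register renaming or changed
# constants, as produced by recompilation or obfuscation, do not alter the code.
def encode(instr):
    mnem, _, ops = instr.strip().partition(" ")
    cls = []
    for op in (o.strip() for o in ops.split(",") if o.strip()):
        if op.startswith("["):
            cls.append("M")
        elif re.fullmatch(r"-?(0x[0-9a-f]+|\d+)", op, re.I):
            cls.append("I")
        else:
            cls.append("R")
    return mnem.lower() + "_" + "".join(cls)

def lcs_len(a, b):
    # Longest common subsequence by dynamic programming, one row of state at a time.
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]

def block_similarity(b1, b2):
    # Dice-style ratio in [0, 1]; 1.0 means identical encoded instruction sequences.
    e1, e2 = [encode(i) for i in b1], [encode(i) for i in b2]
    return 2 * lcs_len(e1, e2) / (len(e1) + len(e2))

def program_similarity(p1, p2):
    # One-to-one block matching that maximises total similarity. The thesis uses
    # the Hungarian algorithm; for a handful of blocks an exhaustive search over
    # permutations returns the same optimum. Unmatched blocks count as 0.
    small, big = sorted((p1, p2), key=len)
    sim = [[block_similarity(a, b) for b in big] for a in small]
    best = max(sum(sim[i][j] for i, j in enumerate(perm))
               for perm in permutations(range(len(big)), len(small)))
    return best / len(big)

# Constructed sample: PROG_B is PROG_A with registers renamed, a constant changed
# and one extra block, as an obfuscated or recompiled variant might look.
PROG_A = [["push ebp", "mov ebp, esp", "sub esp, 0x10"],
          ["mov eax, [ebp+8]", "add eax, 1", "ret"]]
PROG_B = [["push rbp", "mov rbp, rsp", "sub rsp, 0x20"],
          ["xor ecx, ecx", "jmp 0x401000"],
          ["mov ecx, [rbp+8]", "add ecx, 5", "ret"]]
```

`program_similarity(PROG_A, PROG_B)` yields 2/3: both original blocks match perfectly despite the renamed registers and changed constant, and only the inserted block lowers the score.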
Keywords/Search Tags:assembly instruction, malware detection, binary instrumentation technology, program comparison