
Research And Implementation Of PE Malware Intelligent Mutation

Posted on: 2021-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: K F Qiu
GTID: 2428330611994932
Subject: Computer technology
Abstract/Summary:
With the rapid development of the computer and Internet industries, people enjoy the convenience brought by information technology. At the same time, computer security events caused by malicious code (malware) have done great harm to the country and society, which has greatly promoted the development of the information security industry. Under increasing “survival pressure”, hackers must constantly transform malware to evade detection by anti-virus software. There are many technologies in the malware detection field. With its advantages of high efficiency and low false positives, signature-based technology is adopted by most anti-virus software. In the process of anti-antivirus modification of malware, hackers must first find the location of the signatures and then take corresponding measures to evade detection. To achieve the final evasion, researchers need a professional background and auxiliary tools, and must spend much time and energy. In this paper, we propose and implement an intelligent malware mutation scheme, which can not only quickly deduce the instructions of the feature code, but also integrate various obfuscation methods to modify the feature instructions, so that the mutated malware can evade detection by the model and by anti-virus software. The intelligent malware mutation scheme is divided into three parts:

1. Machine learning module. We train an XGBoost model on opcode n-gram features. We obtain the important black features and white features that most strongly affect the prediction, then locate the signature instructions from these black features.

2. Code obfuscation module. We integrate traditional obfuscation methods such as equivalent instruction replacement and garbage instruction insertion. This paper also proposes and implements an instruction reconstruction method based on loopback jumps, which supports the modification of transfer instructions. This method can achieve fine-grained modification of feature instructions.

3. Shell-based protection module. To enhance the deformation effect and anti-antivirus ability of the mutation scheme, we update the UPX shell and realize a new shell that integrates compression and encryption algorithms. The shell uses a random secret key, so it can generate a different program on each run and produce metamorphic malware rapidly.

Tests against the machine learning model and anti-virus software show that our intelligent malware mutation scheme can effectively evade the model and anti-virus software, and that it can also be applied to large-scale samples for rapid batch anti-antivirus processing.
Keywords/Search Tags: Malware Detection, Machine Learning, Code Obfuscation, Anti-antiVirus