| Malware behavior detection has always been the core research issue of malware detection.By detecting all the behavior patterns of malware and understanding its workflow,we can understand the inherent logic of malware.Usually,the released software may have their code obfuscated,and it is not easy to detect all the behavior logic directly through static analysis.Therefore,the dynamic analysis of malware is particularly important.The main advantages of the malware dynamic analysis system are:convenient,fast,and can truly restore the behavior of malware in various actual scenarios.To dynamically analyze the malware,allowing malware to execute smoothly has become the most urgent problem in the field of malware research.A series of problems such as configuring the network environment and supplying software service resources are the major research issues in this field.The key result of this paper is to solve the problem of reproducing malware environment,and design and implement a static analysis framework-Chipmunk,which provides software security analysts with intuitive and clear visual static analysis results,and generates local running configuration files.Besides,we design and implement an upper layer system of experimental environment deployment-Conductor.The system can quickly and easily construct the local environment and the network topology in which malware runs by analyzing network environment configuration files.It can achieve resource allocation at specified components in the network topology according to the external interrogation traffic of malware by means of highly interactive proxy and improve the network topology during the execution of malware.The main work of this paper is:First,we extract the demand directly from the malware operating environment.After automating the analysis of the control flow and data flow of the static level of malware through a static analysis framework and setting up a preliminary test environment,we designed a highly interactive agent to monitor the logic and behavior of malware.Through the interception and analysis of all outgoing challenge traffic,we know that it is in the process of execution.The real-time external resources required to provide various network components and network services such as Web server,DNS,Internet,etc.,gradually expand and improve the test environment.Second,we use fingerprint based detection for malware exploitations.Based on the environment extraction,the subsequent outbound traffic of malware is regarded as the fingerprint of the malware for specific exploitation.In order to make the exploit successful,and observe the follow-up behavior of the malware,we need to retrieve the CVE lists,matching similar fingerprints,add and configure the victim host of the system with the vulnerability in the network topology.Third,by using the method of program slicing,we simplifying the static analysis work according to the two concepts of control flow and data flow as clues.We obtain Get trigger paths and data dependencies for key functions.Fourth,we provide the user with a unified upper management system.In order to realize the resource configuration or the addition or deletion of the network topology on the virtual machine of any node or any node on a fairly large-scale server cluster,we provide an upper management system:Conductor,which shields the underlying technology implementation.Taking into account the differences in different implementation technologies,the entire configuration process is standardized and transparent,and users only need to call standard interfaces to specify machine and service information.The work of this paper can help malware analysts quickly build a continuous and viable experimental environment for malware,allowing malware to fully expose its malicious behavior in a suitable local and network environment,reducing the workload of analysts. |