
Research On Function Taint Summary Technology For Malware Behavior Analysis

Posted on: 2022-12-31
Degree: Master
Type: Thesis
Country: China
Candidate: P Yang
Full Text: PDF
GTID: 2518306731498164
Subject: Cyberspace security

Abstract/Summary:
With the continuous development of Internet technology, malware attack techniques are constantly being updated. Tens of millions of malware samples are produced and used every year, posing a great threat to network security. Malware behavior analysis is an important part of combating malware and has been an important direction of malware research in recent years. Taint analysis, a commonly used software analysis method, has been studied for malware behavior analysis. However, current malware behavior analysis based on taint analysis has two shortcomings. On the one hand, because taint analysis is inefficient, it has not been widely used in malware analysis. On the other hand, there is no effective malware behavior analysis model based on taint analysis, so it is difficult to extract the advanced behavior of malware. To solve these problems, this thesis proposes a taint analysis optimization method and a malware behavior analysis model based on function taint summary. The main work and innovations of this thesis are as follows:

(1) A taint analysis optimization method based on function taint summary is proposed. To alleviate the low analysis efficiency caused by instruction-level analysis, this thesis proposes an optimization method that replaces the instruction-level taint propagation process with a function-level taint propagation process. First, a widely applicable definition of function taint summary is given; then, methods for generating function taint summaries are studied. For user functions, a path-sensitive summary generation method for acyclic structures and a limited-iteration summary generation method for cyclic structures are designed; for API functions, a semantically supported function data region taint summary is given.

(2) A malware behavior analysis model based on function taint summary is proposed. To extract malware behavior efficiently and accurately, this thesis applies function taint summary technology to malware behavior analysis, studies API function summaries for malware behavior analysis, and proposes a function data region summary based on semantic support. An analysis model, Kn-MBM, is proposed. It is based on function taint summary and uses taint analysis to form API meta-behavior through API call association, and then extracts the high-level behavior of malware through API meta-behavior association and the meta-behavior association matrix MB-M.

(3) The taint analysis framework FSTaint and the malware behavior analysis model Kn-MBM are designed and implemented. To make full use of the optimization provided by function summaries and to meet the requirement for "replayable" analysis, this thesis designs and implements the taint analysis framework FSTaint, which is composed of a function summary generation module, a program execution trace recording module, a data flow restoration and recording module, and a general taint analysis module. Using the taint analysis interface provided by FSTaint, combined with API function taint summaries, metadata, meta-behavior and MB-M, the malware behavior analysis model Kn-MBM is implemented. Experiments show that the taint analysis efficiency of FSTaint is 7.75 times that of libdft, and that Kn-MBM can achieve clear and accurate API call correlation and advanced malware behavior extraction.
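A simplified illustration of the idea in the abstract, added here and not taken from the thesis, FSTaint or Kn-MBM: per-API taint summaries are applied to a recorded call trace, so calls that touch the same tainted data regions become associated without analysing any function body. The summary format, the API models in `SUMMARIES`, the `associate` and `file_to_network` helpers and the trace are all assumptions made for the example.

```python
# Added illustration; summary format and API models are assumptions, not FSTaint's or Kn-MBM's.
from collections import namedtuple

Call = namedtuple("Call", "idx api args")  # args: name -> (space, start, size)

# Function-level summary: taint on any "ins" location flows to every "outs"
# location, so the function body is never analysed instruction by instruction.
SUMMARIES = {
    "CreateFileW": {"ins": ["path"], "outs": ["handle"]},
    "ReadFile": {"ins": ["handle"], "outs": ["buf"]},
    "memcpy": {"ins": ["src"], "outs": ["dst"]},
    "send": {"ins": ["buf"], "outs": []},
}

def cells(loc):
    space, start, size = loc
    return [(space, start + i) for i in range(size)]

def associate(trace):
    """Return sorted (producer_idx, consumer_idx) pairs linked by data flow."""
    shadow, edges = {}, set()  # shadow: cell -> labels of calls that fed it
    for call in trace:
        summary = SUMMARIES.get(call.api)
        if summary is None:
            continue  # unmodelled function: skipped in this sketch
        labels = set()
        for name in summary["ins"]:
            for cell in cells(call.args[name]):
                labels |= shadow.get(cell, frozenset())
        edges |= {(producer, call.idx) for producer in labels}
        for name in summary["outs"]:
            for cell in cells(call.args[name]):
                shadow[cell] = frozenset(labels | {call.idx})  # overwrite
    return sorted(edges)

def file_to_network(trace):
    """Pairs where data produced by ReadFile reaches send."""
    api = {c.idx: c.api for c in trace}
    return [(p, c) for p, c in associate(trace)
            if api[p] == "ReadFile" and api[c] == "send"]

# Constructed trace: file buffer copied, then sent; call 4 sends unrelated memory.
TRACE = [
    Call(0, "CreateFileW", {"path": ("mem", 0x1000, 16), "handle": ("handle", 0x44, 1)}),
    Call(1, "ReadFile", {"handle": ("handle", 0x44, 1), "buf": ("mem", 0x2000, 64)}),
    Call(2, "memcpy", {"src": ("mem", 0x2010, 16), "dst": ("mem", 0x3000, 16)}),
    Call(3, "send", {"buf": ("mem", 0x3000, 16)}),
    Call(4, "send", {"buf": ("mem", 0x5000, 8)}),
]
```

In this sketch the link from `ReadFile` to `send` survives the intermediate `memcpy` because labels accumulate along the flow, while the second `send` stays unlinked because its buffer was never written by a summarised call.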
Keywords/Search Tags: Taint Analysis, Function Taint Summary, Malware Behavior Analysis, Kn-MBM, FSTaint