Article title

Idea: Opcode-sequence-based malware detection


Table of contents

Introduction

Mining opcode relevance

Malware detection method

Experimental results

Related work

Conclusion




Excerpt from the article

Mining opcode relevance

Opcodes (operational codes) serve as a predictive variable for detecting obfuscated or metamorphic malware. Some opcodes (for instance mov or push) appear very frequently in both malware and benign executables, so a similarity degree between two files that is based on raw opcode frequency can be distorted to some extent. We therefore propose a way to avoid this effect by assigning each opcode the relevance it actually has.


Keywords:

Introduction

Malware (or malicious software) is any computer software with harmful intentions, such as viruses, Trojan horses, spyware or Internet worms. The amount, power and variety of malware increase every year, as does its ability to evade all kinds of security barriers [1], owing among other reasons to the growth of the Internet. Furthermore, malware writers use code obfuscation techniques to disguise an already known security threat from classic syntactic malware detectors. These facts have led to a situation in which malware writers develop new viruses and new ways of hiding their code, while researchers design new tools and strategies to detect them [2].

Generally, the classic method of detecting malware relies on a signature database [3] (i.e. a list of signatures). An example of a signature is a sequence of bytes that is always present in a concrete malware file and in the files already infected by that malware. In order to determine a file signature for a new malware executable and finally find a proper solution for it, specialists have to wait until that new malware instance has damaged several computers or networks. Malware is then detected by comparing its bytes with that list of signatures; when a match is found, the tested file is identified as the malware instance it matches. This approach has proved effective when the threats are known beforehand, and it is the most widespread solution in antivirus software. Still, between the appearance of a new malware instance and the moment its file signature is obtained, mutations (i.e. the obfuscated variants mentioned above) of the original malware may be released. Therefore, the classic signature-based malware detectors already mentioned fail to detect those new variants [2].

Against this background we advance the state of the art in two main ways. First, we address a new method that is able to mine the relevance of an opcode (operational code) for detecting malicious behaviour. Specifically, we compute the frequency with which each opcode appears in a collection of malware and in a collection of benign software and then calculate a statistical discrimination ratio from those frequencies. In this way, we finally obtain a weight for each opcode. Second, we propose a new method to compute the similarity between two executable files that relies on opcode sequence frequency. We weight this opcode sequence frequency with the obtained opcode relevance, so that each sequence is balanced according to how discriminant its composing opcodes are.
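The following is an added, runnable illustration of the two steps described in the excerpt above and in the "Mining opcode relevance" section: mining a per-opcode weight from its frequency in a malware and a benign collection, then comparing two executables by their weighted opcode-sequence frequencies. It is not the paper's own code. The excerpt only says the weight is "a discrimination ratio based on statistics"; mutual information between an opcode's presence and the file's class is used here as an assumption, the mean of the composing opcodes' weights is assumed as the sequence weight, and cosine similarity is assumed as the comparison function. The opcode traces are constructed for the example, not real samples.

```python
"""Opcode relevance mining and weighted opcode-sequence similarity (added example)."""
import math
from collections import Counter

# Constructed corpus: one list of opcodes per disassembled executable.
MALWARE = [
    ["push", "mov", "xor", "call", "jmp", "mov", "xor", "push"],
    ["mov", "xor", "xor", "call", "ret", "push", "mov"],
]
BENIGN = [
    ["push", "mov", "add", "call", "ret", "mov", "push"],
    ["mov", "add", "sub", "call", "ret", "push", "mov"],
]


def opcode_relevance(malware, benign):
    """Weight each opcode by the mutual information (in bits) between its
    presence in an executable and that executable's class.

    Assumption: the text only names 'a discrimination ratio based on
    statistics'; mutual information is the statistic chosen here. An opcode
    such as mov that is present in every file gets weight 0."""
    n_mal, n_ben = len(malware), len(benign)
    total = n_mal + n_ben
    p_class = {"mal": n_mal / total, "ben": n_ben / total}
    # Number of files per class that contain the opcode at least once.
    present = {"mal": Counter(), "ben": Counter()}
    for label, files in (("mal", malware), ("ben", benign)):
        for ops in files:
            present[label].update(set(ops))
    relevance = {}
    for op in set(present["mal"]) | set(present["ben"]):
        counts = {"mal": present["mal"][op], "ben": present["ben"][op]}
        p_present = (counts["mal"] + counts["ben"]) / total
        mi = 0.0
        for label, n_label in (("mal", n_mal), ("ben", n_ben)):
            for x, p_x in ((1, p_present), (0, 1.0 - p_present)):
                n_joint = counts[label] if x == 1 else n_label - counts[label]
                p_joint = n_joint / total
                if p_joint > 0:  # zero-probability cells contribute nothing
                    mi += p_joint * math.log2(p_joint / (p_x * p_class[label]))
        relevance[op] = mi
    return relevance


def opcode_sequences(ops, n):
    """Count the overlapping opcode n-grams of one executable."""
    return Counter(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))


def weighted_sequence_vector(ops, n, relevance):
    """Relative frequency of each opcode sequence multiplied by the mean
    relevance of its opcodes (the combination rule is an assumption)."""
    total = max(1, len(ops) - n + 1)
    vector = {}
    for seq, count in opcode_sequences(ops, n).items():
        weight = sum(relevance.get(op, 0.0) for op in seq) / n
        vector[seq] = (count / total) * weight
    return vector


def cosine_similarity(a, b):
    """Cosine between two sparse vectors; 0.0 when either has no weight."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def similarity(ops_a, ops_b, n, relevance):
    """Weighted opcode-sequence similarity between two executables."""
    return cosine_similarity(weighted_sequence_vector(ops_a, n, relevance),
                             weighted_sequence_vector(ops_b, n, relevance))


if __name__ == "__main__":
    rel = opcode_relevance(MALWARE, BENIGN)
    for op, w in sorted(rel.items(), key=lambda kv: -kv[1]):
        print(f"{op:5s} relevance = {w:.3f}")
    unknown = ["push", "mov", "xor", "call", "jmp", "xor", "push"]  # constructed
    print("similarity to MALWARE[0]:", round(similarity(unknown, MALWARE[0], 2, rel), 3))
    print("similarity to BENIGN[0]: ", round(similarity(unknown, BENIGN[0], 2, rel), 3))
```

With this toy corpus, xor (malware only) and add (benign only) receive the maximum weight of one bit, while mov, push and call, which occur in every file, receive zero and therefore no longer inflate the similarity between unrelated executables; the constructed unknown trace ends up closer to the malware sample than to the benign one.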