Computer Engineering (计算机工程), 2010, Vol. 36, Issue 9: 139-141. doi: 10.3969/j.issn.1000-3428.2010.09.048

• Security Technology •

Malware Detection Based on Critical Application Programming Interface Graph

BAI Li-li (白莉莉), PANG Jian-min (庞建民), ZHANG Yi-chi (张一弛), YUE Feng (岳峰)

  1. Institute of Information Engineering, PLA Information Engineering University, Zhengzhou 450002
  • Received: 1900-01-01  Revised: 1900-01-01  Online: 2010-05-05  Published: 2010-05-05

Abstract: Signature-based malware detection is easily subverted by obfuscation and metamorphic transformations. This paper proposes a detection method based on the Critical Application Programming Interface Graph (CAG). For each malware sample, the nodes of its Control Flow Graph (CFG) that contain calls to critical APIs are statically extracted, so that each malicious behavior is represented by one CAG. A subgraph matching algorithm on CAGs then determines whether a suspicious executable program exhibits the same malicious behavior as a known malware sample, which yields its degree of maliciousness. Experimental results show that the method detects malware variants effectively with a low false negative rate.

Key words: Control Flow Graph (CFG), Critical Application Programming Interface Graph (CAG), malware detection
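The following is an added illustration of the pipeline the abstract describes (CFG, critical-API node extraction, CAG subgraph matching, malicious degree); it is not code from the paper or its authors. The CFG representation, the set of "critical" APIs, the toy CFGs, the behavior patterns and the scoring rule (fraction of known behavior CAGs that embed into the suspect's CAG) are all assumptions constructed for this example.

```python
"""Critical API Graph (CAG) extraction and subgraph matching.

Added example, not the paper's code. All graphs below are constructed
toy inputs. A CFG is {block_id: (api_calls, successor_block_ids)}.
A CAG is {block_id: (critical_api_labels, set_of_critical_successors)}.
"""

# Assumed set of security-relevant ("critical") APIs for this example.
CRITICAL_APIS = {"CreateFileW", "WriteFile", "RegSetValueExW",
                 "WinExec", "URLDownloadToFileA"}


def extract_cag(cfg):
    """Keep only CFG blocks that call a critical API; connect u -> v when v
    is reachable from u through non-critical blocks only. Inserted junk
    blocks therefore do not change the resulting graph."""
    crit = {b for b, (apis, _) in cfg.items()
            if any(a in CRITICAL_APIS for a in apis)}
    cag = {}
    for b in crit:
        label = tuple(a for a in cfg[b][0] if a in CRITICAL_APIS)
        reach, seen, stack = set(), set(), list(cfg[b][1])
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if n in crit:
                reach.add(n)          # stop at the next critical block
            else:
                stack.extend(cfg.get(n, ([], []))[1])  # pass through junk
        cag[b] = (label, reach)
    return cag


def subgraph_match(pattern, target):
    """Backtracking search for an injective, label-preserving embedding of
    `pattern` into `target`. Returns the node mapping or None."""
    pnodes = sorted(pattern)

    def consistent(mapping, p, t):
        if not set(pattern[p][0]) <= set(target[t][0]):
            return False
        if p in pattern[p][1] and t not in target[t][1]:   # self loop
            return False
        for q, tq in mapping.items():                       # edges to mapped nodes
            if q in pattern[p][1] and tq not in target[t][1]:
                return False
            if p in pattern[q][1] and t not in target[tq][1]:
                return False
        return True

    def rec(i, mapping, used):
        if i == len(pnodes):
            return dict(mapping)
        p = pnodes[i]
        for t in target:
            if t in used or not consistent(mapping, p, t):
                continue
            mapping[p], _ = t, used.add(t)
            found = rec(i + 1, mapping, used)
            if found:
                return found
            del mapping[p]
            used.discard(t)
        return None

    return rec(0, {}, set())


def malicious_degree(suspect_cfg, behaviors):
    """Assumed score: fraction of known behavior CAGs embedded in the suspect."""
    cag = extract_cag(suspect_cfg)
    hits = [name for name, pat in behaviors.items() if subgraph_match(pat, cag)]
    return len(hits) / len(behaviors), hits


# Constructed behavior CAGs, one per malicious behavior (as in the abstract).
BEHAVIORS = {
    "download_and_execute": {"p0": (("URLDownloadToFileA",), {"p1"}),
                             "p1": (("WinExec",), set())},
    "persist_via_registry": {"q0": (("WinExec",), {"q1"}),
                             "q1": (("RegSetValueExW",), set())},
}

# Constructed CFGs: an original sample, an obfuscated variant with junk
# blocks and a different layout, and a benign file-writing program.
MALWARE_CFG = {"b0": (["GetModuleHandleA"], ["b1"]),
               "b1": (["URLDownloadToFileA"], ["b2"]),
               "b2": (["strcpy"], ["b3"]),
               "b3": (["WinExec"], ["b4"]),
               "b4": (["RegSetValueExW"], [])}
VARIANT_CFG = {"v0": (["GetTickCount"], ["v1", "v2"]),
               "v1": (["URLDownloadToFileA"], ["v3"]),
               "v2": (["Sleep"], ["v1"]),
               "v3": (["lstrcatA", "Sleep"], ["v4"]),
               "v4": (["WinExec"], ["v5"]),
               "v5": (["RegSetValueExW"], [])}
BENIGN_CFG = {"c0": (["CreateFileW"], ["c1"]),
              "c1": (["WriteFile"], ["c2"]),
              "c2": (["CloseHandle"], [])}

if __name__ == "__main__":
    for name, cfg in [("original", MALWARE_CFG), ("variant", VARIANT_CFG),
                      ("benign", BENIGN_CFG)]:
        print(name, malicious_degree(cfg, BEHAVIORS))
```

The variant differs from the original in block names, inserted junk blocks and an extra loop, yet yields the same CAG (download, execute, persist) and so the same score of 1.0, while the benign program scores 0.0; this is the property a signature over raw bytes does not have. A practitioner would tune the critical API set and the score threshold against a labelled corpus, since a coarse API set raises the false-positive rate on legitimate installers.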

CLC number: