Computer Engineering ›› 2018, Vol. 44 ›› Issue (6): 104-110. doi: 10.19678/j.issn.1000-3428.0047884

• Security Technology •

Ransomware Detection Method Based on Dynamic Symbol Execution

CHEN Zheng 1, FANG Yong 2, LIU Liang 2, ZUO Zheng 1

  1. College of Electronics and Information Engineering, Sichuan University, Chengdu 610065, China; 2. College of Cybersecurity, Sichuan University, Chengdu 610207, China
  • Received: 2017-07-10 Online: 2018-06-15 Published: 2018-06-15
  • About the authors: CHEN Zheng (born 1991), male, master's student; main research interests: Windows security, malicious code detection. FANG Yong, professor, Ph.D. LIU Liang, lecturer, Ph.D. ZUO Zheng, Ph.D. student.

Abstract: To address the network security incidents currently caused by ransomware, and building on the analysis of a large number of ransomware samples, this paper proposes a ransomware detection and analysis method based on dynamic symbolic execution. The ADRAS system model is built on the binary instrumentation tool Pin and the constraint solver STP. Using dynamic symbolic execution and Satisfiability Modulo Theories (SMT), ADRAS monitors the encryption functions of ransomware, captures its encryption behavior together with the associated encryption information, and thereby detects ransomware from multiple families. Experimental results show that the ADRAS system model can detect samples of 15 known ransomware families, including the well-known CryptoLocker and the recently erupted WannaCry.

Key words: ransomware, dynamic symbolic execution, constraint solver, hybrid encryption algorithm, malware
