摘要： 针对基于特征码的恶意代码检测方法无法应对混淆变形技术的问题，提出基于关键应用编程接口(API)图的检测方法。通过提取恶意代码控制流图中含关键API调用的节点，将恶意行为抽象成关键API图，采用子图匹配的方法判定可疑程序的恶意度。实验结果证明，该方法能有效检测恶意代码变体，漏报率较低。

关键词: 控制流图, 关键应用编程接口图, 恶意代码检测

Abstract: Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques, this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG). By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware, each malicious behavior can be presented by one CAG. A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does. Experimental results show that the method can detect malware variants efficiently with low false negative rate.

Key words: Control Flow Graph(CFG), Critical Application Programming Interface Graph(CAG), malware detection

中图分类号: 

• TP309.2