Abstract: To address the network security incidents currently being caused by ransomware, and building on the analysis of a large number of ransomware samples, this paper proposes a ransomware detection and analysis method based on dynamic symbolic execution. The ADRAS system model is built on the instrumentation tool Pin and the constraint solver STP. Using dynamic symbolic execution and Satisfiability Modulo Theories (SMT), it monitors the encryption functions of ransomware while capturing the ransomware's encryption behaviour and the related encryption information, and on that basis detects ransomware from multiple families. Experimental results show that the ADRAS system model can detect samples from 15 known ransomware families, including the well-known CryptoLocker and the recently erupted WannaCry.
Keywords:
ransomware,
dynamic symbolic execution,
constraint solver,
hybrid encryption algorithm,
malware
Abstract: Aiming at the problem of network security caused by ransomware, and based on the analysis of a large number of ransomware samples, a method of detecting and analyzing ransomware based on dynamic symbolic execution is proposed. An ADRAS system model is built on the instrumentation tool Pin and the constraint solver STP. By using dynamic symbolic execution and Satisfiability Modulo Theories (SMT), the ADRAS system model can monitor the encryption functions of the ransomware, effectively capture the ransomware's encryption behavior and related information, and finally detect ransomware from a number of families. Experimental results show that the ADRAS system model can detect 15 samples from known ransomware families, including the famous CryptoLocker and the recent outbreak of WannaCry.
Key words:
ransomware,
dynamic symbolic execution,
constraint solver,
hybrid encryption algorithm,
malware
CLC number:
陈政,方勇,刘亮,左政. 基于动态符号执行的勒索软件检测方法[J]. 计算机工程, 2018, 44(6): 104-110.
CHEN Zheng,FANG Yong,LIU Liang,ZUO Zheng. Ransomware Detection Method Based on Dynamic Symbol Execution[J]. Computer Engineering, 2018, 44(6): 104-110.