An Efficient Approach for Detecting Unknown Malware Based on Assembly Instruction Analysis

Article type: Scientific-Research

Authors

Faculty of Electrical and Computer Engineering, Shiraz University

Abstract

Today, with the spread of computer systems, malicious software has grown remarkably. Malicious software, or malware, is a program developed with the aim of harming computers, networks, information, and so on. Malware detection is a branch of computer security that attempts to analyze suspicious programs, detect malicious software and ultimately eliminate the threat. Opcode-based methods are among the common methods for identifying malware. Since not all of the opcodes that make up a file are important for identifying malware, some of them can be disregarded in the detection process. Therefore, in this paper, opcodes are used to classify files, with the difference that only a few important and effective opcodes are considered for detecting files. In the proposed method, the important opcodes of the files are first identified, and images are built using these opcodes. Then, features are extracted from these images and used in the classification stage. The advantage of the proposed method is that images are built based on the important opcodes, and the problem of malware detection is converted into an image processing and classification problem. Hence, the proposed method performs better than previous methods and has less complexity.

Keywords


Article title [English]

An Efficient Approach for Unknown Malware Detection Based on Opcode Analysis

Authors [English]

  • F. Manavi
  • A. Hamzeh
Faculty of Electrical and Computer Engineering, University of Shiraz, Shiraz, Iran
Abstract [English]

Today, with the development of computer systems, malware has grown dramatically. Malware is defined as a program that is developed with a malicious purpose, such as sabotaging the computer system, information theft or other malicious actions. Malware detection is a branch of computer security which attempts to analyze suspicious programs, detect malware and ultimately eliminate the threat. Opcode-based methods are commonly used in malware detection. Given that not all opcodes are important for detecting malware, some of them can be ignored in the detection process. In this research, the proposed method is based on opcode analysis, but only some of the important and effective opcodes are considered for file detection. First, the important opcodes of a file are identified and used to generate images. Then, features are extracted from the images in order to perform the classification. The advantage of the proposed method is that images are created based on important opcodes, and malware detection is converted into image classification. Therefore, the proposed method is more optimized compared to previous methods, and it also has acceptable accuracy and less complexity.
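The pipeline that both abstracts describe (select the important opcodes, build an image from them, extract features, classify) as an added toy example; this is not the paper's code, and the frequency-difference importance score, the gray-level row layout of the image, the histogram feature and the nearest-centroid classifier are all assumptions standing in for choices the abstracts do not state. The opcode traces are constructed.

```python
from collections import Counter
import math

# Constructed toy opcode traces, not real samples: label 1 = malware, 0 = benign.
TRAIN = [
    (["push", "mov", "call", "xor", "jmp", "xor", "call", "mov", "xor", "ret"], 1),
    (["mov", "xor", "call", "jmp", "xor", "xor", "call", "push", "ret", "mov"], 1),
    (["push", "mov", "mov", "add", "mov", "cmp", "jne", "mov", "pop", "ret"], 0),
    (["mov", "add", "mov", "mov", "cmp", "jne", "push", "pop", "mov", "ret"], 0),
]

def opcode_freqs(trace):
    """Relative frequency of each opcode in one trace."""
    return {op: n / len(trace) for op, n in Counter(trace).items()}

def select_important(samples, k):
    """Assumed importance score (the paper does not state its rule): absolute
    difference between an opcode's mean frequency in the malware and benign classes."""
    per_class = {0: [], 1: []}
    for trace, label in samples:
        per_class[label].append(opcode_freqs(trace))
    ops = sorted({op for trace, _ in samples for op in trace})
    def mean(label, op):
        return sum(f.get(op, 0.0) for f in per_class[label]) / len(per_class[label])
    score = {op: abs(mean(1, op) - mean(0, op)) for op in ops}
    return sorted(ops, key=lambda op: -score[op])[:k]  # stable sort: ties stay alphabetical

def to_image(trace, important, width):
    """Drop unimportant opcodes, map each kept one to a gray level 1..k, and lay the
    filtered sequence out row by row as a width-column image (0 = padding)."""
    level = {op: i + 1 for i, op in enumerate(important)}
    pixels = [level[op] for op in trace if op in level]
    rows = [pixels[i:i + width] for i in range(0, len(pixels), width)]
    return [row + [0] * (width - len(row)) for row in rows]

def features(image, k):
    """Assumed image feature: normalised gray-level histogram over non-padding pixels."""
    flat = [p for row in image for p in row if p]
    return [flat.count(g) / max(len(flat), 1) for g in range(1, k + 1)]

def train_centroids(samples, important, width):
    """Mean feature vector per class; classify() then picks the nearest centroid."""
    k, cent = len(important), {}
    for label in (0, 1):
        vecs = [features(to_image(t, important, width), k) for t, l in samples if l == label]
        cent[label] = [sum(v[i] for v in vecs) / len(vecs) for i in range(k)]
    return cent

def classify(trace, important, width, cent):
    v = features(to_image(trace, important, width), len(important))
    return min(cent, key=lambda label: math.dist(v, cent[label]))
```

A trace containing none of the selected opcodes yields an all-zero feature vector rather than an error, which is the case a filtering step like this must handle.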

Keywords [English]

  • classification
  • image
  • malware
  • malware detection
  • opcode