

 
Packed Malware Detection System Based on Dynamic Analysis
 
 
Technology name: Packed Malware Detection System Based on Dynamic Analysis
Inventors: 洪西進, 林廷翰
Assignee: National Taiwan University of Science and Technology (國立臺灣科技大學)

Country: Republic of China (Taiwan)
Application No.: 103142960
Patent No.: I514188
Serial No.: 1030065TW0
 
Abstract:
"Packing" is a software compression and encryption technique that is widely used in software engineering. Engineers use it to protect the software they develop and to reduce file size, so that the software cannot be cracked or modified through reverse engineering. In recent years, however, packing has increasingly been used by hackers writing malware to evade detection by anti-virus software.
This work uses reverse engineering and dynamic analysis to determine whether a malware file is packed, with the aim of complementing static analysis methods where they may fail. Its contribution is to capture the distinctiveness of assembly-language instruction sequences: after a file is disassembled, the assembly code from line 1 to line 15, starting at the program's EntryPoint, is taken as the training-set feature, and test files are processed in the same way.
The results show that this feature is very effective. Classification with an SVM correctly identifies packed files and can also determine which packer was used to pack a file.
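The entry-point instruction-sequence feature described in the abstract, as an added example that is not part of the patent or this page: it takes the first 15 mnemonics after EntryPoint, builds order-sensitive features from them, and classifies with a nearest-centroid rule that stands in for the SVM. It assumes a ';'-separated disassembly listing as input; the listings and the labels packer_A, packer_B and unpacked are constructed for illustration and are not real packer stubs.

```python
from collections import Counter
from math import sqrt
SEQ_LEN = 15  # the abstract takes instructions 1..15 from EntryPoint

def entry_mnemonics(listing, n=SEQ_LEN):
    """First n mnemonics of a ';'-separated entry-point disassembly (fewer if the listing is shorter)."""
    mnems = []
    for insn in listing.split(";"):
        insn = insn.strip()
        if insn:
            mnems.append(insn.split()[0].lower())  # the mnemonic is the first token
        if len(mnems) == n:
            break
    return mnems

def features(mnems):
    """Unigram plus ordered-bigram counts, so instruction order is part of the feature."""
    feats = Counter(mnems)
    feats.update(f"{a}>{b}" for a, b in zip(mnems, mnems[1:]))
    return feats

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = lambda v: sqrt(sum(x * x for x in v.values()))
    return dot / (norm(a) * norm(b)) if a and b else 0.0

def train(samples):
    """Sum feature vectors per label; nearest-centroid stands in for the abstract's SVM."""
    centroids = {}
    for label, listing in samples:
        centroids.setdefault(label, Counter()).update(features(entry_mnemonics(listing)))
    return centroids

def classify(centroids, listing):
    """Label whose centroid is most similar to the listing's entry-point features."""
    f = features(entry_mnemonics(listing))
    return max(centroids, key=lambda lbl: cosine(f, centroids[lbl]))

# Constructed entry-point listings (not real packer stubs), one training sample per class.
TRAIN = [
    ("packer_A", "pushad; mov esi, 0x404000; lea edi, [esi-0x3000]; push edi; jmp 0x401020; "
                 "mov al, [esi]; inc esi; mov [edi], al; inc edi; add ebx, ebx; jnz 0x401015; "
                 "mov ebx, [esi]; sub esi, -4; adc ebx, ebx; jb 0x401010"),
    ("packer_B", "call 0x401005; pop ebp; sub ebp, 0x401005; lea esi, [ebp+0x401100]; "
                 "lea edi, [ebp+0x401000]; mov ecx, 0x1000; rep movsb; xor eax, eax; "
                 "mov edx, [ebp+0x4010f0]; jmp edx; nop; nop; nop; nop; nop"),
    ("unpacked", "push ebp; mov ebp, esp; sub esp, 0x10; push ebx; push esi; call 0x401200; "
                 "mov esi, eax; push 0x40a000; call 0x401300; add esp, 4; test eax, eax; "
                 "jz 0x401050; mov [ebp-4], eax; pop esi; pop ebx"),
]
MODEL = train(TRAIN)  # the classifier used by classify(MODEL, listing)
```

A real deployment would feed the 15 instructions captured by the dynamic analysis into an SVM as the abstract describes; the bigram features here only illustrate why instruction order carries the signal.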



 
   




National Taiwan University of Science and Technology, Technology Transfer Center, 9F International Building, No. 43, Sec. 4, Keelung Rd., Da'an Dist., Taipei 10607, Taiwan. TEL: 02-2733-3141 #7346
2007~2017 © NTUST All Rights Reserved. Copyright Notice