Abstract

Malicious code on the network is increasingly rampant, and traditional characteristic-code (signature) detection has difficulty coping with malicious code that appears in many variants and deformations. In this paper we present a new static analysis model based on a software fingerprint to distinguish malicious code. The software call graph is obtained by disassembling the binary file and is mapped to an image; shape moments are then extracted as the software fingerprint, drawing on content-based image retrieval theory combined with moment theory and the image's color, texture and shape features. Pattern matching is used to measure the similarity of the extracted software fingerprints and determine whether a program is malicious code. We then analyze the collected program samples to test and verify whether the program performs well in uniqueness, invariability and sensibility.

With the rapid spread of the Internet and the acceleration of corporate information technology, computers have brought great convenience to people's lives, whether for shopping, leisure or work, and the importance of the Internet has become more obvious. However, because of the openness of the Internet, the flexibility of applications and operating system vulnerabilities, people who enjoy the benefits brought by computers also suffer from all kinds of malicious code, and network security incidents increase year by year. Among network security incidents, the most serious harm is caused by malicious code, which brings huge economic losses to the country, society and individuals, and information security has become a major challenge. Researchers at home and abroad have turned to the semantics of malicious code, trying to judge the signatures of two deformed malicious code samples through instruction-level semantics rather than program syntax, and thereby determine whether a sample is a deformation of the malicious code.

For malicious code that tries to evade detection, the code is disassembled and then standardized, or its system calls are examined through stack analysis, in order to discriminate code that uses fuzzy transformation techniques. In recent years, researchers have also applied engineering methodology to malicious code detection, building on feature-based detection with detection techniques based on data mining and machine learning. However, while researchers abroad work on malicious code detection and anti-virus software R&D, attackers equip malicious code with anti-debugging and anti-hook techniques to detect whether the code is being debugged. When it finds itself in a debugger or analysis environment, the malicious code uses fuzzy transformation techniques and a series of anti-debugging measures to show only non-anomalous behavior, so as to protect itself. This process needs manual assistance: most automated virus analysis software captures only some of the behavior, so security experts must further analyze and screen the experimental results before finally determining the extent of the harm of the malicious behavior.

In summary, malicious code on the network is more and more rampant, and traditional characteristic-code detection has difficulty dealing with variants and deformations of malicious code. Solving the unstable detection caused by deformation when malicious code is upgraded has become a research focus and difficulty, and is a key issue that must be resolved.
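
The fingerprint pipeline described in the abstract (call graph, image, shape moments, similarity match) can be sketched as follows. This is an added example, not the paper's code: it assumes the image is the call graph's adjacency matrix, uses the first four Hu invariant moments as the shape moments, and compares fingerprints by Euclidean distance with a hypothetical threshold; the edge lists are constructed samples.

```python
import math

def call_graph_image(edges, n_funcs, pad=0):
    """Binary image of a call graph: pixel (caller, callee) is 1.
    pad inserts `pad` never-called functions ahead of the others,
    modelling a variant whose function indices are all shifted."""
    size = n_funcs + pad
    img = [[0] * size for _ in range(size)]
    for caller, callee in edges:
        img[caller + pad][callee + pad] = 1
    return img

def fingerprint(img):
    """First four Hu invariant moments (assumed choice of shape moments)."""
    pixels = [(x, y, v) for y, row in enumerate(img)
              for x, v in enumerate(row) if v]
    m00 = sum(v for _, _, v in pixels)
    if m00 == 0:
        raise ValueError("call graph has no edges")
    xbar = sum(x * v for x, _, v in pixels) / m00
    ybar = sum(y * v for _, y, v in pixels) / m00

    def eta(p, q):
        # Central moment mu_pq, normalised for scale invariance.
        mu = sum((x - xbar) ** p * (y - ybar) ** q * v for x, y, v in pixels)
        return mu / m00 ** (1 + (p + q) / 2)

    n20, n02, n11 = eta(2, 0), eta(0, 2), eta(1, 1)
    n30, n03, n21, n12 = eta(3, 0), eta(0, 3), eta(2, 1), eta(1, 2)
    return (
        n20 + n02,
        (n20 - n02) ** 2 + 4 * n11 ** 2,
        (n30 - 3 * n12) ** 2 + (3 * n21 - n03) ** 2,
        (n30 + n12) ** 2 + (n21 + n03) ** 2,
    )

def distance(f, g):
    return math.dist(f, g)

def is_match(f, g, threshold=0.05):  # threshold is a hypothetical value
    return distance(f, g) <= threshold

# Constructed call graphs over six functions (caller, callee).
KNOWN = [(0, 1), (0, 2), (1, 3), (2, 3), (3, 4), (4, 5)]
OTHER = [(0, 1), (0, 2), (0, 3), (0, 4), (0, 5), (1, 5)]
```

Central moments make the fingerprint insensitive to a uniform index shift (the `pad` variant), but not to arbitrary reordering of functions, so a practical system would need a canonical function ordering before building the image.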
