
Research On Detection Technology For Context-Aware Malicious

Posted on: 2018-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: T Zhou
Full Text: PDF
GTID: 2428330569485437
Subject: Computer technology
Abstract/Summary:
Context-aware malware is malicious code that can probe its execution environment. By adding routines that detect a virtual machine or sandbox, the code can, when it finds itself in an analysis environment, change its own execution flow and evade the sandbox, extending its survival time. Traditional countermeasures for context-aware malware include API hooks installed inside the sandbox guest operating system and the removal of sandbox signature files, but these methods introduce new traces of their own and leave residual traces behind.

To improve the concealment of the sandbox, this thesis builds on Virtual Machine Introspection (VMI) to design an API and instruction hooking method at the VMM (Virtual Machine Monitor) layer, rather than inside the guest, so that the environment probing of context-aware malware can be detected effectively. By summarizing the APIs and instructions used to detect sandbox characteristics, anti-detection strategies are designed around the virtual-machine features a sample may inspect: sandbox environment characteristics, general environment characteristics and instruction characteristics, handled concretely for the registry, the file system, processes, virtual hardware, privileged instructions and other aspects. At the same time, a sensitive API tracking module records the runtime behaviour of the malicious code: every API call the sample makes, together with its sensitive parameters, is written to a log file along with the sandbox detection method it corresponds to.

A prototype sandbox implementing these anti-detection strategies is built on the open-source DECAF platform and tested with typical context-aware malware such as WannaCry; its concealment is evaluated with sandbox detection tools. The results show that the prototype can capture the detection parameters and APIs used by the malicious code, that it has good concealment, and that it can detect the code's environment-probing behaviour. In a comparison over a large number of samples against a sandbox with fixed properties, the prototype detected 19.4% more malicious code than the traditional fixed sandbox, complementing the detection of this class of malicious code by traditional sandboxes.
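As an added illustration of what the sensitive API tracking log described above could be post-processed into, the following Python classifier (written for this page; it is not code from the thesis, the prototype, or DECAF) reads trace lines in an assumed `api=NAME args=... ret=...` / `insn=NAME args=... ret=...` format, matches them against signatures for the five anti-detection categories the abstract names (registry, file system, process, virtual hardware, privileged instructions) plus an RDTSC timing check, and flags the sample as context-aware. The trace format, the signature lists and the sample lines are all constructed assumptions; the page does not show the prototype's real log format or hook placement.

```python
"""Classify sandbox-trace lines by the environment-detection technique they indicate.

Added illustration, not the thesis prototype's code. The trace format
(api=NAME args=... ret=...) and the signature lists are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample trace: what a sensitive-API/instruction tracking module
# might log for a context-aware sample. Real DECAF/prototype logs differ.
SAMPLE_TRACE = r"""api=RegOpenKeyExW args=HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools ret=2
api=GetModuleHandleA args=sbiedll.dll ret=0
api=CreateFileW args=\\.\VBoxMiniRdrDN ret=0xFFFFFFFF
api=CreateToolhelp32Snapshot args=TH32CS_SNAPPROCESS ret=0x1a4
api=Process32NextW args=vmtoolsd.exe ret=1
api=GetAdaptersInfo args=mac=00:0C:29:3A:1B:2C ret=0
insn=cpuid args=eax=0x40000000 ret=ebx=0x61774d56
insn=rdtsc args= ret=0x1234
insn=rdtsc args= ret=0x9876
api=WriteFile args=C:\Users\victim\Desktop\note.txt ret=1"""

LINE_RE = re.compile(r"^(api|insn)=(\S+) args=(.*?) ret=(\S*)$")

# (category, kind, name regex, argument regex). Illustrative signatures only;
# argument patterns are matched case-insensitively.
SIGNATURES = [
    ("registry", "api",
     r"^Reg(OpenKeyEx|QueryValueEx|EnumKeyEx)[AW]$",
     r"VMware|VirtualBox|VBox|Xen|QEMU"),
    ("file_system", "api",
     r"^(CreateFile|GetFileAttributes)[AW]$",
     r"\\\\\.\\(VBox|vmci|HGFS)|vmmouse\.sys|vboxguest"),
    ("process", "api",
     r"^Process32(First|Next)[AW]?$|^GetModuleHandle[AW]$",
     r"vmtoolsd|vboxservice|vboxtray|sbiedll\.dll|dbghelp\.dll"),
    ("virtual_hardware", "api",
     r"^GetAdapters(Info|Addresses)$|^SetupDiGetDeviceRegistryProperty[AW]$",
     r"VMware|VBOX|QEMU|00:0C:29|00:50:56|08:00:27"),  # VMware/VirtualBox MAC OUIs
    ("privileged_insn", "insn",
     r"^(cpuid|sidt|sgdt|sldt|str|smsw|in)$",
     r".*"),
]
RDTSC_WINDOW = 4  # two RDTSCs this close together are read as a timing check


def parse_trace(text):
    """Turn trace text into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, name, args, ret = m.groups()
            events.append({"kind": kind, "name": name, "args": args, "ret": ret})
    return events


def classify(events):
    """Map each detection category to the (name, args) pairs that triggered it."""
    findings = defaultdict(list)
    last_rdtsc = None
    for i, ev in enumerate(events):
        for cat, kind, name_re, arg_re in SIGNATURES:
            if (ev["kind"] == kind and re.search(name_re, ev["name"])
                    and re.search(arg_re, ev["args"], re.IGNORECASE)):
                findings[cat].append((ev["name"], ev["args"]))
                break
        # RDTSC is not privileged, so it is handled as a pair-based timing check.
        if ev["kind"] == "insn" and ev["name"] == "rdtsc":
            if last_rdtsc is not None and i - last_rdtsc <= RDTSC_WINDOW:
                findings["timing"].append(("rdtsc pair", f"events {last_rdtsc + 1} and {i + 1}"))
            last_rdtsc = i
    return dict(findings)


def is_context_aware(findings):
    """A sample that used any environment-detection technique is context-aware."""
    return any(findings.values())


if __name__ == "__main__":
    result = classify(parse_trace(SAMPLE_TRACE))
    for cat, hits in result.items():
        for name, args in hits:
            print(f"{cat:17} {name} {args}")
    print("context-aware:", is_context_aware(result))
```

Run on the constructed trace, the classifier attributes one event each to the registry, file system, virtual hardware, privileged instruction and timing categories, two to the process category, and leaves the ordinary `WriteFile` call unclassified. In the VMM-layer design the abstract describes, the same signatures would also decide which hooked calls and instructions have their results altered (for example returning "not found" for the VMware registry key); here only the classification step is shown.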
Keywords/Search Tags:Context-Aware Malware, API Hook, Instruction Hook, Sandbox Anti-Detection