Project title: Research on Malicious Code Detection Methods Based on Large-Scale Software Fragment Comparison (基于海量软件片段比对的恶意代码检测方法研究)
Project number: No.U1536106
Project type: Joint Fund Project
Year approved: 2016
Discipline: Management Science
Principal investigator: 陈恺
Affiliation: 中国科学院信息工程研究所 (Institute of Information Engineering, Chinese Academy of Sciences)
Funding amount: 640,000 RMB (64万元)
Abstract (Chinese, translated): Malicious code, and unknown malicious code in particular, poses a major threat to the security of individuals and the nation; the proliferation of smart-terminal applications has further extended the reach of malicious code to billions of users. Detecting and evaluating unknown malicious code across massive software collections is therefore an important means of information security assurance. Existing malware evaluation methods mostly rely on code features or behavioral features and have difficulty detecting unknown malicious code (especially code with unknown behaviors); some detection methods must dynamically trace software operations and cannot meet the demand of checking millions of applications; and there is no estimate of the impact of malicious code at the software-fragment level, which makes a global, market-wide evaluation hard to carry out. Exploiting the fact that malicious software fragments are reused many times, this project conducts evaluation of unknown malicious code across massive software collections. It studies ultra-fine-grained fragmentation of software modules; extracts multidimensional features from the resulting software fragments, reduces their dimensionality, and performs efficient pairwise comparison; filters and correlates the comparison results and fuses multi-source information to identify malicious code fragments; and finally verifies and assesses malicious code across the whole market. An evaluation system will be implemented and used on at least 1.5 million real smart-terminal applications to carry out practical malware evaluation at scale.
Keywords (Chinese, translated): malicious code detection; smart terminals; code fragment reuse; multi-source information fusion; scalable detection
Abstract (English): Malware, especially unknown malware, poses serious threats to both ordinary users and governments. Nowadays, the prevalent use of smartphones gives malware the opportunity to affect billions of users. Detecting malware in millions of applications is key to protecting information systems. Most current malware detection techniques depend on code signatures or behavior signatures of malware; without any prior knowledge of unknown malware (especially its unknown behaviors), it is quite difficult for these techniques to detect it. Some techniques need to dynamically load and track the execution of malware; the high overhead these techniques bear makes them impractical for large-scale malware detection (e.g., across 1,000,000 applications). Moreover, current techniques do not estimate the impact of similar malicious code fragments across the whole software market. Based on the insight that common malicious code is reused across different malware, we propose a novel technique to detect malware in millions of applications. In detail, the technique includes several parts: 1) cutting applications into fine-grained code fragments; 2) constructing multidimensional features for those fragments and performing scalable pairwise comparison through dimensionality reduction; 3) detecting malicious code by integrating multi-source information and correlation analysis; 4) implementing a system to detect and assess malware in applications and evaluating the system on over 1,500,000 real-world smartphone applications.
Keywords (English): Malware detection; Smartphone; Code fragment reuse; Multi-source information integration; Scalable detection
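Steps 1) and 2) of the technique, reduced to a runnable sketch. This is an added example, not the project's own code: it slices each fragment's opcode sequence into n-gram features, compresses every feature set into a fixed-length MinHash signature (the dimensionality reduction), and compares signatures against a known-malicious fragment to flag reused code. The fragment names, opcode sequences and the reference fragment are constructed sample data, and MinHash is one standard way to make pairwise comparison scalable, not necessarily the method the project used.

```python
import hashlib
import random

# Constructed sample data (hypothetical): each fragment is an opcode sequence
# standing in for a fine-grained code fragment sliced out of an app.
KNOWN_MALICIOUS = ("const-string invoke-static move-result-object sget-object invoke-virtual "
                   "move-result if-eqz const/4 invoke-static move-result invoke-virtual return-void").split()
SAMPLE_FRAGMENTS = {
    "appA_frag7": list(KNOWN_MALICIOUS),                     # verbatim reuse
    "appB_frag3": KNOWN_MALICIOUS[:-1] + ["return-object"],  # near-identical reuse
    "appC_frag1": "new-instance invoke-direct iput-object sput-object return-void".split(),  # unrelated
}

NUM_HASHES = 128                  # signature length: the reduced dimensionality
MERSENNE_PRIME = (1 << 61) - 1
_rng = random.Random(20160501)    # fixed seed so signatures are reproducible
_HASH_PARAMS = [(_rng.randrange(1, MERSENNE_PRIME), _rng.randrange(0, MERSENNE_PRIME))
                for _ in range(NUM_HASHES)]

def shingles(opcodes, n=3):
    """Feature set of a fragment: the set of opcode n-grams it contains."""
    return {" ".join(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}

def _base_hash(shingle):
    return int.from_bytes(hashlib.blake2b(shingle.encode(), digest_size=8).digest(), "big")

def minhash_signature(feature_set):
    """Reduce a feature set of any size to NUM_HASHES integers; two signatures agree
    in a slot with probability equal to the Jaccard similarity of the two sets."""
    hashes = [_base_hash(s) for s in feature_set] or [0]   # empty set -> constant signature
    return [min((a * h + b) % MERSENNE_PRIME for h in hashes) for a, b in _HASH_PARAMS]

def estimated_jaccard(sig1, sig2):
    """Fraction of matching signature slots estimates the Jaccard similarity."""
    return sum(x == y for x, y in zip(sig1, sig2)) / len(sig1)

def exact_jaccard(set1, set2):
    return len(set1 & set2) / len(set1 | set2) if set1 | set2 else 0.0

def find_reused_fragments(fragments, reference, threshold=0.5):
    """Flag fragments whose signature is close to a known-malicious reference fragment."""
    ref_sig = minhash_signature(shingles(reference))
    hits = {}
    for name, opcodes in fragments.items():
        score = estimated_jaccard(ref_sig, minhash_signature(shingles(opcodes)))
        if score >= threshold:
            hits[name] = round(score, 3)
    return hits
```

Calling `find_reused_fragments(SAMPLE_FRAGMENTS, KNOWN_MALICIOUS)` flags appA_frag7 and appB_frag3 but not appC_frag1; in a real pipeline the signatures would be bucketed with locality-sensitive hashing so that only candidate pairs are compared rather than every pair.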