基於高階API執行序列之惡意程式家族特徵的自動化產生與分析

Abstract

近年來惡意程式所造成的威脅快速增加，分析並瞭解惡意程式的特徵將對惡意程式的偵測和防禦有所助益。而目前市面上的各家防毒軟體廠商均會依據所觀察到的惡意程式特徵為樣本貼上不同的家族標籤，本研究將依據此標籤進行各家族的行為分析。由於單一個惡意程式樣本可能會參雜許多混淆的行為意圖，因此相較於單一樣本的分析，我們著重在找尋同家族中的一群惡意程式中的共同行為。我們設計並實作了一個以API Call Sequence為基礎的階層式分群演算法－RasMMA，輸入一群惡意程式的動態側錄結果，此演算法能夠依據這些側錄內容將惡意程式樣本分群，並且輸出每一群惡意程式的具語義共同行為，這些共同行為即可作為該家族的特徵行為群。同時在我們的研究過程中發現同一個家族內的樣本，其行為也可能具有多元性，因此一個家族可能會擁有一個或多個的共同行為群，這些共同行為群甚至可能會有跨家族的現象。除了設計演算法來找到各惡意程式家族的特徵之外，本研究也嘗試將這些特徵用於家族後代樣本的偵測之中，並且證明我們的方法在惡意程式行為序列資料的分類中可以比其它傳統資料探勘方法具有更好的效果。

Recent years, the threats from malware are increasing in the world. It is important if we analyze the malwares and extract their signatures. The malware threat detection and defense will benefit from that.This research collected the malware family labels from anti-virus vendors and analyzed the behavior intents of malware family. We designed a API Call Sequence-based clustering algorithm – RasMMA, which could extract the common signature of a group of malwares. If we input some malware profiles, RasMMA algorithm could cluster the malware samples and output the common behavior of each cluster. The cluster common behavior is semantic-based which human experts could analyze the intent that malwares done. We could see the common behavior as the signature of malware family. Besides, we also found that malware family is pluralistic. The behavior clusters might different to each other in one family. Even though some clusters are cross-family clusters which behavior is similar to other families’ behavior.In the research, we also apply the behavior cluster to family sample detection. We found that our method had a better performance than other traditional data mining method in the time series malware data classification.