Acta Electronica Sinica (电子学报) ›› 2022, Vol. 50 ›› Issue (4): 1014-1024. DOI: 10.12263/DZXB.20211017

• Research Article •

A Spyware Detection Method Based on an Inducement Mechanism

GUO Chun1, LUO Di1, SHEN Guo-wei1, CUI Yun-he1, PING Yuan2

  1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, Guizhou 550025, China
    2. School of Information, Xuchang University, Xuchang, Henan 461000, China
  • Received: 2021-08-01 Revised: 2022-03-04 Published: 2022-04-25
    • About the authors:
    • GUO Chun, male, born 1986 in Guiyang, Guizhou. Ph.D., associate professor at the College of Computer Science and Technology, Guizhou University, CCF member. Main research areas: data mining, intrusion detection, malware detection. E-mail: gc_gzedu@163.com
      LUO Di, male, born 1996 in Liupanshui, Guizhou. Master's student at the College of Computer Science and Technology, Guizhou University, CCF student member. Main research area: computer networks and information security. E-mail: luodi_happy@163.com
      SHEN Guo-wei, male, born 1986 in Shaodong, Hunan. Professor and master's supervisor at the College of Computer Science and Technology, Guizhou University, CCF member. Main research areas: network and information security, big data. E-mail: gwshen@gzu.edu.cn
      CUI Yun-he (corresponding author), male, born 1987 in Guiyang, Guizhou. Lecturer and master's supervisor at the College of Computer Science and Technology, Guizhou University. Main research areas: network security, cloud computing, data centers. E-mail: yhcui@gzu.edu.cn
      PING Yuan, male, born 1981 in Hechuan, Chongqing. Ph.D., professor at the School of Information Engineering, Xuchang University. Main research areas: machine learning, data privacy and security, cloud computing, edge computing. E-mail: pyuan.lhn@xcu.edu.cn
    • Supported by:
    • National Natural Science Foundation of China (62162009); Natural Science Foundation of Guizhou Province (黔科合基础[2020]1Y268); Key Research and Development and Promotion Project of Henan Province (212102210084)

A Spyware Detection Method based on Inducement Mechanism

GUO Chun1, LUO Di1, SHEN Guo-wei1, CUI Yun-he1, PING Yuan2   

  1. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, Guizhou 550025, China
    2. School of Information, Xuchang University, Xuchang, Henan 461000, China
  • Received:2021-08-01 Revised:2022-03-04 Online:2022-04-25 Published:2022-04-25
    • Supported by:
    • National Natural Science Foundation of China (62162009); Natural Science Foundation of Guizhou Province, China (黔科合基础[2020]1Y268); Key Research and Development and Promotion Project of Henan Province (212102210084)

Abstract (translated from the Chinese):

Spyware is a class of information-stealing malware widely used by attackers and is characterized by high threat and high concealment. When carrying out its stealing behavior, spyware usually adopts a trigger-execution strategy, which makes it difficult for dynamic detection methods based on software behavior to capture it within a short observation window; such methods therefore perform poorly against spyware. To address this problem, this paper adopts the idea of actively inducing spyware to execute its stealing behavior. It analyzes, at the application programming interface (API) level, how different inducement operations and inducement strengths trigger spyware to different degrees, and on that basis proposes a Spyware Detection Method based on Inducement Mechanism (SDMIM). SDMIM consists of three phases: inducement operation screening, software "activity" calculation, and spyware discrimination, and is applicable to inducement-based detection of multiple types of spyware. Experimental results show that SDMIM achieves a detection accuracy of 95.98% on a sample set containing five different types of spyware.

Keywords: spyware, inducement operation, dynamic detection, trigger-execution strategy, API call

Abstract:

As a kind of information-stealing software, spyware is characterized by high threat and high concealment and is widely exploited by attackers. Because its stealing behavior is executed only under a specific trigger strategy, it can hardly be captured within a short observation window by mainstream malware detection methods based on dynamic behavior analysis, so the detection performance of such methods on spyware is frequently below expectation. To tackle this problem, this paper introduces the idea of actively inducing spyware to perform its stealing behavior and first analyzes, at the application programming interface (API) level, the influence of different inducement operations and inducement strengths on the degree to which spyware is induced. A Spyware Detection Method based on Inducement Mechanism (SDMIM) is then proposed. SDMIM consists of three phases: inducement operation screening, software "activity" calculation, and spyware discrimination, and it is suited to the inducement-based detection of various types of spyware. Experimental results show that SDMIM achieves a detection accuracy of 95.98% on a sample set consisting of five kinds of spyware.

Key words: spyware, inducement operation, dynamic detection, trigger implementation strategy, API call
