电子学报 ›› 2012, Vol. 40 ›› Issue (4): 661-668.DOI: 10.3969/j.issn.0372-2112.2012.04.007

• 学术论文 • 上一篇    下一篇

基于动态污点分析的恶意代码通信协议逆向分析方法

刘豫, 王明华, 苏璞睿, 冯登国   

  1. 中国科学院软件研究所,信息安全国家重点实验室,北京 100190
  • 收稿日期:2011-02-28 修回日期:2011-04-08 出版日期:2012-04-25 发布日期:2012-04-25

Communication Protocol Reverse Engineering of Malware Using Dynamic Taint Analysis

LIU Yu, WANG Ming-hua, SU Pu-rui, FENG Deng-Guo   

  1. State Key Laboratory of Information Security,Institution of Software,Chinese Academy of Sciences,Beijing 100190,China
  • Received:2011-02-28 Revised:2011-04-08 Online:2012-04-25 Published:2012-04-25

摘要: 对恶意代码通信协议的逆向分析是多种网络安全应用的重要基础.针对现有方法在协议语法结构划分的完整性和准确性方面存在不足,对协议字段的语义理解尤为薄弱,提出了一种基于动态污点分析的协议逆向分析方法,通过构建恶意进程指令级和函数级行为的扩展污点传播流图(Extended Taint Propagation Graph, ETPG),完成对协议数据的语法划分和语义理解.通过实现原型系统并使用恶意代码样本进行测试,结果表明本方法可以实现有效的语法和语义分析,具有较高的准确性和可靠性.

关键词: 恶意代码, 协议逆向分析, 动态污点分析

Abstract: Communication protocol reverse engineering of malwares is significant base for various network security applications.However,recent works have limited accuracy and integrity in identifying protocol fields and are especially weak in understanding fields' semantics.This paper proposed a method for communication protocol reverse engineering based on dynamic taint analysis.By building an extended taint propagation graph (ETPG) recording both instruction and function level behaviors of a malicious process,dividing the protocol data into different syntax fields and inducing the semantic information of individual fields were achieved.A prototype system was implemented and evaluated with malware samples.The results show that this method can divide the syntax fields and extract semantic information accurately and effectively.

Key words: malware, protocol reverse engineering, dynamic taint analysis

中图分类号: