检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
作 者:李伟明[1] 邹德清[1] 孙国忠 LI Wei-ming ZOU De-qing SUN Guo-zhong(School of Computer Science, Huazhong University of Science and Technology, Wuhan 430074, China Dawning Information Industry Co., Ltd., Beijing 100080, China)
机构地区:[1]华中科技大学计算机学院,湖北武汉430074 [2]曙光信息产业有限公司,北京100080
出 处:《网络与信息安全学报》2017年第2期20-30,共11页Chinese Journal of Network and Information Security
基 金:国家自然科学基金资助项目(No.61272072);国家重点基础研究与发展计划基金资助项目("973"计划)(No.2016YFB0200300)~~
摘 要:为了更加全面地检测恶意代码的行为,提出连续内存镜像分析技术。核心是在QEMU虚拟机中运行恶意代码样本,获取样本运行时期连续增量的内存镜像,然后按照时序解析为多个完整的内存镜像。在单个内存镜像分析的基础上,对不同时刻内存镜像做对比分析。同时设计运用可视化工具D3.js,以图表的形式直观动态地展示系统运行过程中内存状态的变化。最后实现原型系统,通过对40种恶意代码样本进行测试,检测出的恶意代码行为数量在传统单镜像内存分析的基础上增加了19.7%。In order to detect the behavior of malicious code more comprehensively, the technology of continuous memory image analysis was proposed. The core idea was to run malicious code in QEMU virtual machine, to obtain the memory image of the continuous increment in the running period, and then to analyze the memory image of the base and increment as the memory image. On the basis of the analysis of a single memory image, different memory images were analysised comparatively. At the same time, the visualization tool D3.js was used to visually display the change of the memory state in the process of system operation. Finally, the prototype system was tested by 40 kinds of malicious code samples, and the number of malicious code behavior was increased by 19.7% than traditional single memory image.
分 类 号:TP309[自动化与计算机技术—计算机系统结构]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:3.144.98.87
