基于动态行为分析的网页木马检测方法  被引量：9

作　　者：张卫丰[1] 刘蕊成 许蕾[2] ZHANG Wei-Feng1, LIU Rui-Cheng1, XU Lei2(1.School of Computer Science and Technology, Nanjing University of Posts ＆ Telecommunications, Nanjing 210003, China; 2.Department of Computer Science and Technology, Nanjing University, Nanjing 210023, Chin)

机构地区：[1]南京邮电大学计算机学院,江苏南京210003 [2]南京大学计算机科学与技术系,江苏南京210023

出　　处：《软件学报》2018年第5期1410-1421,共12页Journal of Software

基　　金：国家重点基础研究发展计划(973)(2014CB340702);国家自然科学基金(61272080;91418202;61403187)~~

摘　　要：网页木马是一种在网页中插入攻击脚本,利用浏览器及其插件中的漏洞,使受害者的系统静默地下载并安装恶意程序的攻击形式.结合动态程序分析和机器学习方法,提出了基于动态行为分析的网页木马检测方法.首先,针对网页木马攻击中的着陆页上的攻击脚本获取行为,监控动态执行函数执行,包括动态生成函数执行、脚本插入、页面插入和URL跳转,并根据一套规则提取这些行为,此外,提取与其相关的字符串操作记录作为特征;其次,针对利用堆恶意操作注入shellcode的行为,提出堆危险指标作为特征;最后,从Alexa和Virus Share收集了500个网页样本作为数据集,用机器学习方法训练分类模型.实验结果表明,与现有方法相比,该方法具有准确率高(96.94%)、可有效地对抗代码混淆的干扰(较低的误报率6.1%和漏报率1.3%)等优点.Web Trojan is a form of attack that inserts an attacking script into the Web page, and by exploiting the vulnerabilities of browsers and their plug-ins, it causes the victim＇s system silently download and install malicious programs. Based on dynamic program analysis and machine learning method, this paper proposes a method of detecting Trojans based on dynamic behavior analysis. Firstly, the behaviors of the attack scripts on the landing page, including the dynamic function execution, the dynamic generation function execution, the script insertion, the page insertion and the URL jump, are monitored. Then these behaviors are extracted according to a set of rules. The associated string operation records are also processed as features. Next, for the use of heap malicious operation （the shellcode behavior）, a feature indicating the heap risk is proposed. Finally, 500 web samples from Alexa and VirusShare are collected as data sets, and a classifier is trained by machine learning method. The experimental results show that compared with the existing methods, the presented method has high accuracy （96.94%） and can effectively prevent interference of code obfuscation （lower false positive rate of 6.1% and false negative rate of 1.3 %）.

关 键 词：网页木马 堆恶意操作 代码混淆 动态分析 机器学习 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]