Authors: 孙聪 李占魁 陈亮 马建峰 乔新博 (Sun Cong; Li Zhankui; Chen Liang; Ma Jianfeng; Qiao Xinbo) (School of Cyber Engineering, Xidian University, Xi'an 710071; HUAWEI Technologies Co., Ltd, Xi'an 710075)
Affiliations: [1] School of Cyber Science and Technology, Xidian University, Xi'an 710071 [2] Huawei Technologies Co., Ltd, Xi'an 710075
Source: 《计算机研究与发展》 (Journal of Computer Research and Development), 2021, No. 5, pp. 1035-1044 (10 pages)
Funding: National Natural Science Foundation of China (61872279); Key Research and Development Program of Shaanxi Province (2020GY-004, 2019ZDLGY12-06).
Abstract (translated from the Chinese abstract): The rapid development of digital currencies has led to their exploitation by an increasing amount of malware. Existing ransomware commonly uses digital currencies as its means of payment, yet existing code injection attack detection methods do not take the related malicious features into account, which makes it hard for them to detect ransomware behavior effectively. To address this problem, this paper proposes a fine-grained memory feature scheme for code injection attack detection. It uses the digital-currency-related memory features that ransomware exhibits while guiding the victim through the payment process, combines them with a range of general-purpose fine-grained memory features, and implements a fine-grained code injection attack detection system. Experimental results show that the new memory feature scheme effectively improves the detection performance of the existing detection system's memory feature scheme on several metrics, and at the same time enables a host-based code injection attack detection system to detect ransomware behavior accurately; the system also has good memory feature extraction performance and the ability to detect unknown malware families.
Abstract (authors' English version): Digital currencies have developed rapidly and emerged as a critical form of our payment system. Consequently, the applications and platforms of digital currencies and their payment services are extensively exposed to various exploits by malware. In a typical scenario, modern ransomware usually leverages digital currencies as the medium of payment. The state-of-the-art code injection attack detections have rarely considered such digital currency-related memory features, thus can hardly identify the malicious behaviors of ransomware. To mitigate this issue, we propose a fine-grained scheme of memory forensics to facilitate the detection of host-based code injection attacks with the ability to identify ransomware. We capture the digital currency-related memory features exhibited in the procedure of inducing the victims' payment. We incorporate such memory features into a set of general memory features and implement a fine-grained detection system on code injection attacks. According to the experimental results, the new scheme of memory forensics effectively improves the performance of the state-of-the-art detection system on different metrics. Meanwhile, our approach enables the detection systems of host-based code injection attacks to capture the behaviors of ransomware precisely. Moreover, the extraction of the newly proposed memory features is efficient, and our detection system is capable of detecting unknown malware families.
Keywords: code injection attack; machine learning; memory forensics; ransomware; digital currency
Classification: TP309.5 [Automation and Computer Technology: Computer System Architecture]