Authors: 郭春 (GUO Chun) [1]; 罗迪 (LUO Di); 申国伟 (SHEN Guo-wei); 崔允贺 (CUI Yun-he); 平源 (PING Yuan) [2]
Affiliations: [1] State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang, Guizhou 550025, China; [2] School of Information, Xuchang University, Xuchang, Henan 461000, China
Source: Acta Electronica Sinica (电子学报), 2022, No. 4, pp. 1014-1024 (11 pages)
Funding: National Natural Science Foundation of China (No. 62162009); Natural Science Foundation of Guizhou Province (No. 黔科合基础[2020]1Y268); Henan Province Key Research, Development and Promotion Special Project (No. 212102210084).
Abstract: Spyware is a class of information-stealing malware widely used by attackers; it is characterised by high threat and high concealment. Because spyware usually executes its stealing behaviour only under a specific trigger strategy, detection methods based on dynamic analysis of software behaviour can rarely capture that behaviour within a short observation window, so their performance on spyware is below expectation. To address this problem, this paper introduces the idea of actively inducing spyware to perform its stealing behaviour. The influence of different inducement operations and inducement strengths on the induced behaviour of spyware is first analysed at the Application Programming Interface (API) level. On that basis, a Spyware Detection Method based on an Inducement Mechanism (SDMIM) is proposed. SDMIM consists of three phases: inducement operation filtering, software "activity" calculation, and spyware discrimination, and it is applicable to the inducement-based detection of various types of spyware. Experimental results show that SDMIM achieves a detection accuracy of 95.98% on a sample set containing five kinds of spyware.
Keywords: spyware; inducement operation; dynamic detection; trigger execution strategy; API call
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]