Detection of Software Similarity Based on Run-Time Program Structures

Master's thesis, National Taiwan Ocean University (國立臺灣海洋大學), Department of Computer Science and Engineering (資訊工程學系), academic year 100 (ROC calendar).

The Internet has become one of the most important parts of our daily life. Although it brings many benefits to people, it is also a convenient platform for attackers to spread malicious software. Most existing techniques for detecting malicious software are based on patterns and signatures of malware code. However, these can be evaded by rewriting the malware, or even by using automatic tools such as a packer to obfuscate the code. The goal of this thesis is to detect code obfuscated by packers. The basic idea is that an obfuscated program should have a program structure similar to that of the original version. Therefore, we use pin-tool, a dynamic instrumentation tool, to monitor the execution of a program and extract its run-time program structure by constructing call graphs. We then identify program similarity by comparing nodes in the call graphs. The proposed solution is able to successfully match packed software with its original version. Experiments on both malicious and benign programs show that this holds for all evaluated software given a proper configuration.

Bibliographic Details
Title (Chinese): 基於動態程式結構的軟體相似度偵測技術
Main Authors: Sheng-Yao Hsu, 許勝堯
Other Authors: Chin-Ying Huang, 黃俊穎
Format: Others (degree thesis)
Language: zh-TW
Published: 2012
Online Access: http://ndltd.ncl.edu.tw/handle/90057774710464462237