ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2021, Vol. 58 ›› Issue (5): 1035-1044. doi: 10.7544/issn1000-1239.2021.20200937

Special issue: 2021 Special Issue on Artificial Intelligence Security and Privacy Protection Technologies

• Information Security •

Digital Currency Features Oriented Fine-Grained Code Injection Attack Detection

Sun Cong1, Li Zhankui1,2, Chen Liang1, Ma Jianfeng1, Qiao Xinbo1

  1(School of Cyber Engineering, Xidian University, Xi'an 710071); 2(HUAWEI Technologies Co., Ltd, Xi'an 710075) (suncong@xidian.edu.cn)
  • Published: 2021-05-01
  • Supported by:
    National Natural Science Foundation of China (61872279); Key Research and Development Program of Shaanxi Province (2020GY-004, 2019ZDLGY12-06)

Digital Currency Features Oriented Fine-Grained Code Injection Attack Detection

Sun Cong1, Li Zhankui1,2, Chen Liang1, Ma Jianfeng1, Qiao Xinbo1   

1(School of Cyber Engineering, Xidian University, Xi’an 710071); 2(HUAWEI Technologies Co., Ltd, Xi’an 710075)
  • Online: 2021-05-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61872279) and the Key Research and Development Program of Shaanxi Province (2020GY-004, 2019ZDLGY12-06).

Abstract (translated from the Chinese): The rapid growth of digital currencies has led to their exploitation by an increasing amount of malware. Current ransomware typically uses digital currency as its means of payment, yet existing code injection attack detection methods do not take the corresponding malicious features into account, which makes it hard for them to detect ransomware behavior effectively. To address this problem, this paper proposes a fine-grained memory-feature scheme for code injection attack detection: it exploits the digital-currency memory features that ransomware exhibits while guiding the victim through the payment process, combines them with several general fine-grained memory features, and implements a fine-grained code injection attack detection system on that basis. Experimental results show that the new memory-feature scheme effectively improves the detection performance of an existing detection system's memory-feature scheme on several metrics, enables the host-based code injection attack detection system to detect ransomware behavior accurately, and also offers good memory-feature extraction performance and the ability to detect unknown malware families.

Keywords: code injection attack, machine learning, memory forensics, ransomware, digital currency

Abstract: Digital currencies have developed rapidly and have become a significant part of the payment system. Consequently, the applications and platforms of digital currencies and their payment services are extensively exposed to exploitation by malware. In a typical scenario, modern ransomware uses digital currency as its medium of payment. State-of-the-art code injection attack detection has rarely considered such digital-currency-related memory features, and thus can hardly identify the malicious behaviors of ransomware. To mitigate this issue, we propose a fine-grained memory forensics scheme that supports the detection of host-based code injection attacks and is able to identify ransomware. We capture the digital-currency-related memory features exhibited while the ransomware induces the victim to pay, incorporate them into a set of general memory features, and implement a fine-grained detection system for code injection attacks. According to the experimental results, the new memory forensics scheme effectively improves the performance of the state-of-the-art detection system on several metrics, enables host-based code injection attack detection systems to capture ransomware behavior precisely, extracts the newly proposed memory features efficiently, and is capable of detecting unknown malware families.
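The digital-currency memory features the abstract refers to are the payment-inducement artifacts a ransom note leaves in process memory. The following is an added example written for this page, not the paper's feature set or code: it scans a constructed memory region for Bitcoin addresses (validated with Base58Check, so base58-shaped noise in a heap is not counted), Ethereum-style addresses (format check only) and ransom-note vocabulary, reads the region both as raw bytes and as UTF-16LE because Windows ransom notes are commonly held as wide strings, and emits a small numeric feature vector of the kind a memory-forensics classifier could consume. The candidate patterns, the vocabulary list, the feature names and the sample buffers are all assumptions made here.

```python
"""Digital-currency memory features from a process-memory region (added
illustration; not the paper's feature set or code).

Scans for the payment-inducement artifacts a ransom note leaves in memory:
wallet addresses and ransom vocabulary. Bitcoin candidates are validated with
Base58Check so random base58-looking tokens do not count, and the region is
also decoded as UTF-16LE because Windows ransom notes are often wide strings.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Assumed candidate patterns: legacy (P2PKH/P2SH) Bitcoin addresses, and
# Ethereum addresses by format only (EIP-55 needs Keccak-256, not in hashlib).
BTC_CANDIDATE = re.compile(rb"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])")
ETH_CANDIDATE = re.compile(rb"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])")
# Assumed payment-inducement vocabulary; a real system would curate or learn it.
RANSOM_TERMS = (b"bitcoin", b"wallet", b"decrypt", b"payment", b"your files", b"deadline")


def b58check_valid(addr: str) -> bool:
    """Base58Check: decode to 25 bytes and require the last 4 to equal the
    first 4 bytes of SHA256(SHA256(first 21 bytes))."""
    n = 0
    for ch in addr:
        idx = B58_INDEX.get(ch)
        if idx is None:
            return False
        n = n * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * zeros + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def text_views(mem: bytes):
    """Raw bytes plus UTF-16LE decodings at both byte alignments, reduced to
    ASCII so the same byte patterns can be applied to every view."""
    views = [mem]
    for off in (0, 1):
        wide = mem[off:].decode("utf-16-le", errors="ignore")
        views.append(wide.encode("ascii", errors="ignore"))
    return views


def extract_features(mem: bytes) -> dict:
    """Return a small numeric feature vector for one memory region."""
    btc_candidates, btc_valid, eth_format = set(), set(), set()
    views = text_views(mem)
    for view in views:
        for m in BTC_CANDIDATE.finditer(view):
            cand = m.group().decode()
            btc_candidates.add(cand)
            if b58check_valid(cand):
                btc_valid.add(cand)
        for m in ETH_CANDIDATE.finditer(view):
            eth_format.add(m.group().lower())
    lowered = [v.lower() for v in views]
    term_hits = sum(1 for t in RANSOM_TERMS if any(t in v for v in lowered))
    return {
        "btc_candidates": len(btc_candidates),  # base58-shaped tokens
        "btc_valid": len(btc_valid),            # tokens that pass Base58Check
        "eth_format": len(eth_format),
        "ransom_terms": term_hits,              # distinct vocabulary hits
        # a checksum-valid address co-occurring with ransom vocabulary in the
        # same region is the payment-inducement signature we are after
        "addr_with_note": int(bool(btc_valid or eth_format) and term_hits > 0),
    }


# Constructed sample regions (not real dumps). GENESIS_ADDR is the public
# Bitcoin genesis-block address; BAD_ADDR differs in its last character, so it
# is base58-shaped but fails Base58Check.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BAD_ADDR = GENESIS_ADDR[:-1] + "b"
NOTE = ("YOUR FILES have been encrypted. To decrypt them send 0.5 Bitcoin to "
        "wallet " + GENESIS_ADDR + " before the deadline.")
RANSOM_REGION = (b"\x00" * 16 + NOTE.encode("utf-16-le")
                 + b"\x00\x01" + BAD_ADDR.encode() + b"\xff" * 8)
BENIGN_REGION = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                 + BAD_ADDR.encode() + b"\x00" * 8)

if __name__ == "__main__":
    for name, region in (("ransom", RANSOM_REGION), ("benign", BENIGN_REGION)):
        print(name, extract_features(region))
```

Run as a script it prints both feature vectors. The checksum is what makes the address feature usable: a Base58 regex alone fires on the decoy in both regions, whereas only the constructed ransom region contains a checksum-valid address co-occurring with ransom vocabulary, and it does so only in the UTF-16LE view, which a byte-only scan would miss.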

Key words: code injection attack, machine learning, memory forensics, ransomware, digital currency
