ISSN 1000-1239 CN 11-1777/TP

• Information Security •

Malware Detection Based on Data Breach Actions

(State Key Laboratory of Software Engineering (Wuhan University), Wuhan 430072) (Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072) (School of Computer Science, Wuhan University, Wuhan 430072) (lnwang.whu@gmail.com)
• Published: 2017-07-01
• Funding:
National Natural Science Foundation of China (61373169); National High Technology Research and Development Program of China (863 Program) (2015AA016004); National Key Technology Research and Development Program of China (2014BAH41B00); NSFC-General Technology Basic Research Joint Fund (U1536204)

The Malware Detection Based on Data Breach Actions

Wang Lina, Tan Cheng, Yu Rongwei, Yin Zhengguang

(State Key Laboratory of Software Engineering (Wuhan University), Wuhan 430072) (Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072) (School of Computer Science, Wuhan University, Wuhan 430072)
• Online: 2017-07-01

Abstract: The advanced persistent threat (APT) attack is a major challenge for enterprise and governmental data protection. The use of 0-day exploits is prevalent among malware capable of APT attacks, and traditional security systems relying on known signatures can hardly detect it. In order to detect malware that steals sensitive information, we first analyze existing APT malware and describe the steps of its attacks. Based on this analysis, we propose a malware detection method for this class of malware that focuses on data breach actions. Combining anomaly detection with misuse detection, the method enables persistent monitoring and protects hosts and the network at low cost. We also propose inference rulesets that describe the high-level malicious events observed in the attack steps. Once suspicious events are detected, low-level actions from the hosts and the network are further collected and correlated into high-level malicious events by the inference rules. Finally, we reconstruct the data breach attack procedure to judge whether an attack is present. Simulation experiments verify the effectiveness of the method.
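The abstract describes two stages: inference rules that lift low-level host and network actions into high-level malicious events, and a reconstruction step that checks whether those events form the ordered data breach procedure. The following is an added illustration of that two-stage correlation; it is not the paper's code and the paper's rule set is not given here. The three rules, the event field names, the chain `SENSITIVE_READ -> STAGING -> EXFIL`, the time window and the sample events are all constructed for this example.

```python
"""Added illustration (not from the paper): infer high-level events from
low-level host/network actions with rules, then check per process whether
the ordered data breach chain completes inside a time window.
Rules, field names, chain and sample events are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int                       # seconds (constructed timestamps)
    source: str                   # "host" or "net" sensor
    kind: str                     # low-level action type
    pid: int                      # process the action is attributed to
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    name: str                     # high-level malicious event it infers
    match: Callable[[Event], bool]


# Hypothetical inference rules: each maps one low-level action to a
# high-level event. Real rule sets would be richer; these are for illustration.
RULES: List[Rule] = [
    Rule("SENSITIVE_READ", lambda e: e.source == "host" and e.kind == "file_read"
         and str(e.attrs.get("path", "")).startswith("/srv/finance/")),
    Rule("STAGING", lambda e: e.source == "host" and e.kind == "file_write"
         and str(e.attrs.get("path", "")).endswith((".zip", ".7z", ".rar"))),
    Rule("EXFIL", lambda e: e.source == "net" and e.kind == "upload"
         and int(e.attrs.get("bytes", 0)) > 1_000_000
         and not bool(e.attrs.get("dst_known", False))),
]

# Assumed order of high-level events in a data breach procedure.
ATTACK_CHAIN: List[str] = ["SENSITIVE_READ", "STAGING", "EXFIL"]


def infer(events: List[Event], rules: List[Rule] = RULES) -> List[Tuple[int, int, str]]:
    """Return (ts, pid, high-level event) for every rule that fires, time ordered."""
    out: List[Tuple[int, int, str]] = []
    for e in sorted(events, key=lambda x: x.ts):
        for r in rules:
            if r.match(e):
                out.append((e.ts, e.pid, r.name))
    return out


def reconstruct(high: List[Tuple[int, int, str]], chain: List[str] = ATTACK_CHAIN,
                window: int = 3600) -> Dict[int, List[Tuple[str, int]]]:
    """Per process, walk the chain in order. A process is reported only if the
    whole chain completes within `window` seconds of its first step; a stale
    partial chain is discarded and matching restarts."""
    by_pid: Dict[int, List[Tuple[int, str]]] = {}
    for ts, pid, name in high:
        by_pid.setdefault(pid, []).append((ts, name))

    result: Dict[int, List[Tuple[str, int]]] = {}
    for pid, seq in by_pid.items():
        idx, path, start = 0, [], None
        for ts, name in seq:                      # already time ordered
            if start is not None and ts - start > window:
                idx, path, start = 0, [], None    # chain expired: restart
            if idx < len(chain) and name == chain[idx]:
                start = ts if start is None else start
                path.append((name, ts))
                idx += 1
            if idx == len(chain):
                result[pid] = path
                break
    return result


def detect(events: List[Event], window: int = 3600) -> Dict[int, List[Tuple[str, int]]]:
    """Full pipeline: low-level actions -> high-level events -> reconstructed chain."""
    return reconstruct(infer(events), window=window)


# Constructed sample telemetry: pid 4242 performs the full chain; pid 7 is a
# backup job that reads and archives the same data but uploads to a known host.
EVENTS: List[Event] = [
    Event(100, "host", "file_read", 4242, {"path": "/srv/finance/q3_report.xlsx"}),
    Event(160, "host", "file_write", 4242, {"path": "/tmp/.cache/out.7z"}),
    Event(400, "net", "upload", 4242, {"dst": "203.0.113.7", "bytes": 4_500_000, "dst_known": False}),
    Event(120, "host", "file_read", 7, {"path": "/srv/finance/q3_report.xlsx"}),
    Event(130, "host", "file_write", 7, {"path": "/backup/finance-2017-07.zip"}),
    Event(200, "net", "upload", 7, {"dst": "10.0.0.5", "bytes": 9_000_000, "dst_known": True}),
]

if __name__ == "__main__":
    for pid, chain in detect(EVENTS).items():
        print(f"pid {pid}: data breach chain reconstructed -> {chain}")
```

The point of the per-process window is the one the abstract makes about combining anomaly and misuse detection: a single rule firing (a sensitive file read, an archive write) is not an alert on its own; only the ordered, time-bounded sequence is treated as a reconstructed breach, which keeps the backup job out of the result.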