Title: Information Flow Based Application Behavior Modeling
Author: 李泓暐
Li, Hong-Wei
吳育松
Wu, Yu-Sung
Institute of Computer Science and Engineering
Keywords: information flow; application behavior
Publication date: 2014
Abstract: We propose an application behavior model based on information flow. The model focuses on the flow of information among system objects due to the execution of an application. A flow encompasses not only the attributes of its underlying objects but also the relations between the objects. The model supports efficient queries through regular expressions. We have shown that the model is applicable to practical applications such as the identification of malicious behavior of unknown malware. We built a prototype behavior engine on top of the Xen virtualization platform. The behavior engine transparently monitors the guest system calls, converts the system call trace into the information flow behavior model, and allows queries of application behavior through regular expressions. The evaluation confirms that the prototype system can indeed support behavior matching of unknown malware and incurs only a mild 20% performance overhead on the monitored guest system.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070256006
http://hdl.handle.net/11536/75774
Appears in Collections: Thesis


Files in This Item:

  1. 600601.pdf