Windows APIs are hooked in the Monitor System, and all messages are recorded. At the same time, certain packets, described in XML files, are forwarded to the Assistant System, which returns a response packet to the process running in the Guest System. The Assistant System also provides several network services, such as SMTP, HTTP and DNS, to support the execution of the targeted executable.
3.1 The Guest System
The Guest System is a virtual execution environment in which a malware sample is run. Within it, our dynamic analysis platform supports instruction-level analysis and memory space management.
3.2 The Monitor System
The Monitor System is the core binary-analysis module, used for the dynamic analysis of malware samples. It consists of several sub-modules.
Runtime State Data. This sub-module collects and maintains the state data produced while the malware instance under analysis runs, including the executed instructions, the data packet buffers, the elapsed time intervals, etc. All of this data is used to construct the network behavior specification and to explore execution paths for coverage. Its other function is to reassemble the sessions of network communication and record the elapsed time interval, which is calculated from the local time of the Guest System at the moment a packet is received or sent.
Accelerator. This sub-module is designed to speed up the binary analysis so that network behavior can be mined as quickly as possible. In this component the Windows APIs used to suspend execution are hooked, such as the Sleep function, which malware employs frequently. When Sleep is invoked, its parameter is recorded and the dynamic analysis platform returns from the call immediately. The parameter value is passed on to the Runtime State Data module.
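As an added illustration, not code from the paper, the following Python model shows what the Accelerator described above has to preserve: Sleep is hooked so that it returns at once, but the requested delay is recorded and drives a virtual clock, so the intervals between the sample's packets can still be reconstructed even though no wall time passed. The RuntimeStateData and AcceleratedApi classes, the beacon sample and its hostname are assumptions made for this example; a real implementation would hook the Windows API inside the Guest System rather than call a Python object.

```python
import time
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RuntimeStateData:
    """Assumed stand-in for the Runtime State Data module: sleep log, packet log, virtual clock."""
    virtual_ms: int = 0                                    # advanced only by recorded Sleep() arguments
    sleep_args: List[int] = field(default_factory=list)    # every dwMilliseconds the sample requested
    packets: List[Tuple[int, str, bytes]] = field(default_factory=list)  # (virtual_ms, direction, payload)

    def packet_intervals(self) -> List[int]:
        """Virtual milliseconds between consecutive packets, i.e. the sample's real beacon period."""
        stamps = [t for t, _, _ in self.packets]
        return [later - earlier for earlier, later in zip(stamps, stamps[1:])]


class AcceleratedApi:
    """Hooked replacements for the APIs the sample calls. Only Sleep is neutralised; send is just logged."""

    def __init__(self, state: RuntimeStateData) -> None:
        self.state = state

    def Sleep(self, dwMilliseconds: int) -> None:
        # Record the requested delay, advance the virtual clock, and return without waiting.
        self.state.sleep_args.append(dwMilliseconds)
        self.state.virtual_ms += dwMilliseconds

    def send(self, payload: bytes) -> int:
        # Stamp the packet with the virtual clock so timing survives the skipped sleeps.
        self.state.packets.append((self.state.virtual_ms, "out", payload))
        return len(payload)


def beacon_sample(api: AcceleratedApi, beacons: int, period_ms: int) -> None:
    """Constructed stand-in for a sample that sends a beacon, sleeps one period, and repeats."""
    for i in range(beacons):
        api.send(b"GET /beacon?id=%d HTTP/1.1\r\nHost: beacon.example.test\r\n\r\n" % i)
        api.Sleep(period_ms)


def analyse(beacons: int = 3, period_ms: int = 60_000) -> Tuple[RuntimeStateData, float]:
    """Run the sample under the hooks; return the collected state and the wall-clock seconds used."""
    state = RuntimeStateData()
    started = time.perf_counter()
    beacon_sample(AcceleratedApi(state), beacons, period_ms)
    return state, time.perf_counter() - started


if __name__ == "__main__":
    st, wall = analyse()
    print("recorded Sleep arguments (ms):", st.sleep_args)
    print("beacon intervals from virtual clock (ms):", st.packet_intervals())
    print("virtual seconds covered: %.0f in %.4f wall seconds" % (st.virtual_ms / 1000, wall))
```

Three minutes of simulated beaconing complete in a few microseconds, and the 60-second period is still visible in the packet log. One caveat a practitioner should keep in mind: a sample that reads GetTickCount or QueryPerformanceCounter before and after Sleep will notice that no time passed, so a production accelerator has to keep those time sources consistent with the same virtual clock.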
Paths. This sub-module explores execution paths in order to achieve as much path coverage as possible. We use a forced execution strategy for multi-path exploration. If an inconsistent execution state arises in the memory space, the current run is killed and the analysis restarts with the next run.
Rule Set. This is a database of rules describing the functionality of certain packets. All rules are defined by security experts. For example, if an executable automatically sends out a packet on port 25 using the SMTP protocol during its run, we write a rule stating that the packet is used for sending spam. The rule set is extensible, and new rules can be inserted at any time.
NBS. This is the core sub-module for mining network behavior, and it constructs the network behavior specification. It identifies the protocol of a packet by destination port and protocol signatures, unpacks the packet to extract useful data, and determines the functionality of the packet. An example of the functionality identification method is shown in Fig. 3.
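The following Python example is added here and is not the paper's code; it models the Rule Set and NBS sub-modules together: a protocol is identified by destination port, confirmed by a payload signature (with a signature-only fallback for protocols spoken on non-standard ports), the packet is unpacked to extract the fields the rules need, and an expert rule set maps each packet to its functionality. The port-25 SMTP rule is the paper's own example; the other rules, the signature functions, the Packet and Rule types and the sample capture are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = sent by the sample in the Guest System, "in" = received by it
    dst_port: int
    payload: bytes


# --- protocol identification: the destination port is only a hint, the signature confirms it ---
def sig_smtp(p: bytes) -> bool:
    return p[:4].upper() in (b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA")


def sig_http(p: bytes) -> bool:
    request_line = p.split(b"\r\n", 1)[0].split(b" ")
    return (len(request_line) == 3 and request_line[0] in (b"GET", b"POST", b"HEAD")
            and request_line[2] in (b"HTTP/1.0", b"HTTP/1.1"))


def dns_labels(p: bytes, i: int = 12) -> Optional[List[str]]:
    """Parse the uncompressed QNAME labels after the 12-byte header; None if malformed."""
    labels: List[str] = []
    while i < len(p):
        n = p[i]
        if n == 0:
            return labels if i + 5 <= len(p) else None   # QTYPE and QCLASS must follow
        if n > 63 or i + 1 + n > len(p):
            return None
        labels.append(p[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None


def sig_dns(p: bytes) -> bool:
    if len(p) < 17:
        return False
    flags, qdcount = int.from_bytes(p[2:4], "big"), int.from_bytes(p[4:6], "big")
    # QR=0 and opcode=0 (standard query), exactly one question, well-formed name.
    return flags & 0xF800 == 0 and qdcount == 1 and dns_labels(p) is not None


PORT_HINTS = {25: "SMTP", 80: "HTTP", 53: "DNS"}
SIGNATURES: Dict[str, Callable[[bytes], bool]] = {"SMTP": sig_smtp, "HTTP": sig_http, "DNS": sig_dns}


def identify_protocol(pkt: Packet) -> Optional[str]:
    hint = PORT_HINTS.get(pkt.dst_port)
    if hint and SIGNATURES[hint](pkt.payload):
        return hint
    # Signature-only fallback: catches a known protocol spoken on a non-standard port.
    return next((name for name, sig in SIGNATURES.items() if sig(pkt.payload)), None)


def extract_fields(proto: Optional[str], pkt: Packet) -> Dict[str, str]:
    """Unpack the packet and pull out the data the rules need."""
    p = pkt.payload
    if proto == "SMTP" and p[:8].upper() == b"RCPT TO:":
        return {"rcpt": p[8:].strip().decode("ascii", "replace").strip("<>")}
    if proto == "HTTP":
        lines = p.split(b"\r\n")
        method, path, _ = lines[0].split(b" ")
        host = next((l[5:].strip() for l in lines[1:] if l.lower().startswith(b"host:")), b"")
        return {"method": method.decode(), "path": path.decode(), "host": host.decode()}
    if proto == "DNS":
        return {"qname": ".".join(dns_labels(p) or [])}
    return {}


@dataclass(frozen=True)
class Rule:
    functionality: str
    match: Callable[[Optional[str], Packet, Dict[str, str]], bool]


# Hypothetical expert-written rules; the first one is the paper's own port-25 example.
RULES: List[Rule] = [
    Rule("spamming", lambda proto, pkt, f: proto == "SMTP" and pkt.direction == "out" and pkt.dst_port == 25),
    Rule("downloading an executable", lambda proto, pkt, f: proto == "HTTP" and f.get("path", "").lower().endswith(".exe")),
    Rule("name resolution", lambda proto, pkt, f: proto == "DNS" and pkt.direction == "out"),
]


def classify_packet(pkt: Packet) -> Dict[str, object]:
    proto = identify_protocol(pkt)
    fields = extract_fields(proto, pkt)
    hits = [r.functionality for r in RULES if r.match(proto, pkt, fields)]
    return {"protocol": proto, "fields": fields, "functionality": hits[0] if hits else "unknown"}


def build_nbs(packets: List[Packet]) -> List[Dict[str, object]]:
    # One entry per packet: the network behavior specification for a session.
    return [classify_packet(p) for p in packets]


def build_dns_query(name: str) -> bytes:
    """Constructed standard A query (no compression, no EDNS) used only as sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + qname + b"\x00\x01\x00\x01"


SAMPLE_PACKETS = [   # constructed capture, not from the paper
    Packet("out", 25, b"RCPT TO:<victim@example.org>\r\n"),
    Packet("out", 80, b"GET /update/payload.exe HTTP/1.1\r\nHost: dl.example.test\r\n\r\n"),
    Packet("out", 8080, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Packet("out", 53, build_dns_query("dl.example.test")),
]
```

Running `build_nbs(SAMPLE_PACKETS)` labels the four packets SMTP, HTTP, HTTP and DNS with functionality spamming, downloading an executable, unknown and name resolution. Confirming the signature even when the port matches matters: a sample that speaks its own binary protocol to port 80 must not be labelled HTTP, and a rule keyed on the port alone would mislabel it. The DNS check parses the question name rather than trusting the first flag bits, so a random payload to port 53 is not accepted as a query.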