Abstract (in English)
Malicious software is considered a real threat to computer environments. Analysis approaches are applied to confront such malware, extract its goals and thereby perform an appropriate reaction. Static analysis approaches are relatively faster than dynamic approaches; however, due to barriers such as obfuscation, encryption and packing techniques, these approaches are not successful. One solution to such difficulties is to combine static approaches with dynamic ones. The major difficulty with dynamic approaches is the damage caused by executing the malware. A known technique to resolve this difficulty is to execute the malware in a sandbox environment or a virtual machine. In this thesis, a hybrid method to analyze and detect malware is proposed. The method consists of four main steps: static analysis, dynamic analysis, detection of anti-analysis malware and, finally, a malware family classifier. The static analysis component uses the call flow graph of the malware to build a feature vector. The dynamic analysis component applies two environments, Pin dynamic analysis and the Cuckoo sandbox, to study and log the runtime behavior of malware. One of the major difficulties with dynamic analysis methods is anti-analysis malware. Such malware behaves differently if it recognizes a sandbox or virtual machine environment. As a result, the probability of detecting such malware as a benign file increases and, consequently, may lead to damage. Therefore, a method in three sections is introduced to identify anti-dynamic-analysis malware. In the first section, the behavioral differences of the malicious file across dynamic analysis environments are used. In the second section, the percentage of the control flow graph, obtained from the static analyzer, that is actually executed in the dynamic analyzer is examined.
Finally, in the third section, signs that semantically indicate anti-analysis behavior are searched for. These three phases are carried out simultaneously, and it is shown that this method has high efficiency in recognizing these types of malware. Finally, both vectors are combined and the malware classification is done by selecting effective features and applying machine learning algorithms.
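The three-section anti-analysis check described above, written out as an added example (this is illustrative code, not the thesis's own implementation). It assumes a static analyzer that yields the set of basic-block addresses in the control flow graph and a dynamic analyzer per environment (here labelled "pin" and "cuckoo") that yields the blocks actually executed and the API calls observed; all addresses, API names, the indicator list and the thresholds are constructed for the example. Section one is measured as the Jaccard distance between the API-call sets of two environments, section two as the fraction of static CFG blocks that ran, and section three as a lookup against a small indicator list; the three signals are evaluated together and a verdict is returned with its evidence.

```python
"""Added example (not the thesis's code): three-signal anti-analysis detector."""
from dataclasses import dataclass


@dataclass
class Trace:
    """Runtime record from one dynamic-analysis environment (e.g. Pin, Cuckoo)."""
    env: str
    blocks: frozenset      # addresses of basic blocks that actually executed
    api_calls: tuple       # API names observed, in call order


# Constructed static result: 8 basic blocks the static analyzer found in the CFG.
STATIC_CFG_BLOCKS = frozenset(range(0x401000, 0x401100, 0x20))

# Constructed dynamic results from two different environments.
PIN_TRACE = Trace("pin", frozenset({0x401000, 0x401020, 0x401040}),
                  ("GetTickCount", "IsDebuggerPresent", "ExitProcess"))
CUCKOO_TRACE = Trace("cuckoo",
                     frozenset({0x401000, 0x401020, 0x401060, 0x401080, 0x4010A0}),
                     ("GetTickCount", "CreateFileW", "WriteFile", "RegSetValueExW"))

# Hypothetical indicator list: API names whose presence semantically signals
# environment probing. A real deployment would maintain this list separately.
ANTI_ANALYSIS_INDICATORS = frozenset({"IsDebuggerPresent", "CheckRemoteDebuggerPresent"})

# Thresholds are constructed for the example, not taken from the thesis.
DIVERGENCE_THRESHOLD = 0.5   # Jaccard distance between API sets of two environments
COVERAGE_THRESHOLD = 0.5     # fraction of static CFG blocks expected to execute
MIN_SIGNALS = 2              # signals that must fire for an anti-analysis verdict


def behavioral_divergence(a: Trace, b: Trace) -> float:
    """Section 1: Jaccard distance between the API-call sets of two environments.
    0.0 means identical behaviour, 1.0 means no API call in common."""
    sa, sb = set(a.api_calls), set(b.api_calls)
    union = sa | sb
    if not union:
        return 0.0
    return 1.0 - len(sa & sb) / len(union)


def cfg_coverage(static_blocks: frozenset, trace: Trace) -> float:
    """Section 2: fraction of statically discovered CFG blocks that actually ran."""
    if not static_blocks:
        return 0.0
    return len(static_blocks & trace.blocks) / len(static_blocks)


def semantic_indicators(trace: Trace) -> frozenset:
    """Section 3: indicator API names seen in the trace."""
    return frozenset(trace.api_calls) & ANTI_ANALYSIS_INDICATORS


def score_anti_analysis(static_blocks: frozenset, traces: list) -> dict:
    """Evaluate all three signals together and return a verdict with evidence."""
    # Largest pairwise divergence across every pair of environments.
    divergence = max((behavioral_divergence(x, y)
                      for i, x in enumerate(traces) for y in traces[i + 1:]),
                     default=0.0)
    coverage = {t.env: cfg_coverage(static_blocks, t) for t in traces}
    indicators = frozenset().union(*(semantic_indicators(t) for t in traces))
    signals = {
        "behaviour_diverges": divergence > DIVERGENCE_THRESHOLD,
        # Fires when any environment saw the sample abandon most of its CFG.
        "low_cfg_coverage": bool(coverage) and min(coverage.values()) < COVERAGE_THRESHOLD,
        "indicators_present": bool(indicators),
    }
    fired = sum(signals.values())
    return {
        "divergence": divergence,
        "coverage": coverage,
        "indicators": indicators,
        "signals": signals,
        "signals_fired": fired,
        "anti_analysis": fired >= MIN_SIGNALS,
    }


if __name__ == "__main__":
    verdict = score_anti_analysis(STATIC_CFG_BLOCKS, [PIN_TRACE, CUCKOO_TRACE])
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

With the constructed traces, the sample's API behaviour under Pin and Cuckoo differs almost entirely, only 3 of 8 static blocks execute under Pin, and a debugger-check API appears, so all three signals fire. Requiring two of three signals rather than one keeps a single noisy measurement (for instance a short benign run with low coverage) from producing a verdict on its own; the thresholds are the tuning knobs a practitioner would calibrate on labelled samples.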