Journal of Computer Applications (计算机应用) ›› 2013, Vol. 33 ›› Issue (07): 2046-2050. DOI: 10.11772/j.issn.1001-9081.2013.07.2046

• Computer Software Technology •

Software network communication behavior analysis technology based on session association

DU Kunping (杜坤凭), KANG Fei (康绯), SHU Hui (舒辉), SUN Jing (孙静)

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Received: 2013-01-22 Revised: 2013-02-27 Published: 2013-07-01 Online: 2013-07-06
  • Corresponding author: DU Kunping
  • About the authors: DU Kunping (1989-), female, born in Xuanwei, Yunnan, master's student, main research interest: software reverse engineering; KANG Fei (1972-), female, born in Zhoukou, Henan, associate professor, master's degree, main research interest: protocol security; SHU Hui (1974-), male, born in Yancheng, Jiangsu, associate professor, PhD, main research interest: malicious code; SUN Jing (1985-), female, born in Lianyungang, Jiangsu, master's degree, main research interest: network communication.

Behavior analysis technology of software network communication based on session association

DU Kunping, KANG Fei, SHU Hui, SUN Jing

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou, Henan 450001, China
  • Received: 2013-01-22 Revised: 2013-02-27 Online: 2013-07-06 Published: 2013-07-01
  • Contact: DU Kunping

Abstract (Chinese original, translated): For the network communication process of software, a reverse analysis method based on session association is proposed. The method first restores sessions separately from the network traffic generated by the software and from the Application Programming Interface (API) call sequence it executes, then associates the restored sessions with each other, establishing a direct mapping between the two approaches to software network behavior analysis: analysis based on network traffic and analysis based on execution traces. A session association system was designed and implemented, and function call chains were extracted on top of it, making the analysis of software network communication faster and more convenient.

Keywords (Chinese original, translated): software network communication process analysis, network traffic analysis, Application Programming Interface (API) sequence analysis, function call chain

Abstract: For the network communication process of software, a reverse analysis method based on session association is proposed in this paper. The method first restores sessions from the network traffic produced by the software and from the Application Programming Interface (API) call sequence it executes, and then associates the restored sessions. Through this association, a direct mapping is built between the two kinds of software network behavior analysis, execution-trace-based analysis and network-traffic-based analysis. A prototype system was designed and implemented, and the function call list behind each communication session was extracted on top of it. The reverse analysis method based on session association makes reverse analysis of software network behavior fast and convenient.
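The two-sided session restoration and the association step the abstract describes, as an added illustration that is not the paper's own system or code. It assumes a constructed API trace in which only connect() carries the remote endpoint and later calls are tied to it by socket handle, constructed packet records keyed by local port and remote endpoint, and the simplifying assumption that the k-th API session and the k-th traffic flow to the same remote endpoint belong together; the paper does not state its association rule.

```python
from collections import defaultdict

# Constructed API trace (not from the paper): (seq, socket_handle, api, remote, call_chain).
# Only connect() carries the remote endpoint; later calls are tied to it by socket handle.
API_TRACE = [
    (1, 0x1c, "connect", "10.0.0.5:443", ["main", "Sync", "HttpPost"]),
    (2, 0x1c, "send", None, ["main", "Sync", "HttpPost", "SendReq"]),
    (3, 0x24, "connect", "10.0.0.5:443", ["main", "Beacon"]),
    (4, 0x24, "send", None, ["main", "Beacon", "Ping"]),
    (5, 0x1c, "recv", None, ["main", "Sync", "HttpPost", "ReadResp"]),
    (6, 0x1c, "closesocket", None, ["main", "Sync"]),
    (7, 0x24, "closesocket", None, ["main"]),
]
# Constructed packet records captured alongside: (pkt_no, local_port, remote, direction, bytes).
PACKETS = [(1, 49152, "10.0.0.5:443", "out", 120), (2, 49153, "10.0.0.5:443", "out", 16),
           (3, 49152, "10.0.0.5:443", "in", 512), (4, 49153, "10.0.0.5:443", "in", 0)]

def api_sessions(trace):
    """Restore one API session per socket, from connect() to closesocket(), keyed by handle."""
    open_handles, sessions = {}, []
    for seq, handle, api, remote, chain in trace:
        if api == "connect":
            open_handles[handle] = {"remote": remote, "first_seq": seq, "calls": []}
        sess = open_handles.get(handle)
        if sess is None:
            continue  # call on a socket whose connect() was not traced: cannot be placed
        sess["calls"].append((api, tuple(chain)))
        if api == "closesocket":
            sessions.append(open_handles.pop(handle))
    return sorted(sessions, key=lambda s: s["first_seq"])

def traffic_sessions(packets):
    """Restore one traffic session per (local port, remote endpoint), ordered by first packet."""
    flows = {}
    for no, port, remote, direction, length in packets:
        flow = flows.setdefault((port, remote), {"remote": remote, "first_pkt": no, "packets": []})
        flow["packets"].append((direction, length))
    return sorted(flows.values(), key=lambda f: f["first_pkt"])

def associate(api_sess, flows):
    """Pair the k-th API session with the k-th flow to the same remote endpoint (ordering assumption)."""
    by_remote = defaultdict(list)
    for f in flows:
        by_remote[f["remote"]].append(f)
    return [(s, by_remote[s["remote"]].pop(0) if by_remote[s["remote"]] else None) for s in api_sess]

def call_chains(pairs):
    """Per associated flow (keyed by its first packet), the API calls and call chains behind it."""
    return {flow["first_pkt"]: sess["calls"] for sess, flow in pairs if flow is not None}
```

With two concurrent connections to the same endpoint, the socket handle is what keeps the two API sessions apart, and the local port is what keeps the two flows apart; the association then lets an analyst read, for any captured flow, which code path produced it.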

Key words: software network communication process analysis, network traffic analysis, Application Programming Interface (API) sequence analysis, function call list
