About
Our Research Directions: Exploration and Breakthroughs in the Field of Cybersecurity
In the digital age, cybersecurity has become a crucial research field. Our research focuses on several key aspects of cybersecurity, and we are committed to contributing to a more secure and reliable network environment. Our representative research achievements include “DeMal: Module decomposition of malware based on community discovery”, published in Computers & Security, and “Protocol Reverse-Engineering Methods and Tools: A Survey”, published in Computer Communications.
I. Malware Analysis: In-depth Exploration of the Inner Mechanism of Malware
1. Module Decomposition and Structural Insight
In the paper “DeMal: Module decomposition of malware based on community discovery”, we develop methods and tools, embodied in the DeMal system, for the modular decomposition of malware. By analyzing the malware binary, we recover the program's call relationships and extract structural attributes, and on that basis divide complex malware into components with clear functional semantics. This reveals the design layout of the malware and gives security researchers a direct way to understand its behavior. For example, when analyzing a specific malware sample, the DeMal system identified its main control module, its specific function modules, and the library functions it relies on, presenting the internal structure of the sample clearly and laying a foundation for subsequent analysis and defense work.
2. Feature Extraction and Functional Understanding
To characterize malware more precisely, we extract several classes of features from the binary. Compiler-specific boundary features are artifacts that compilers and linkers leave at the boundaries of compilation units; their stability varies across compilers and samples, but they provide important clues for locating module boundaries. Sequential function address features rest on the observation that, unless the author deliberately disrupts the link order, functions from the same source module are laid out contiguously, so adjacency in the address space remains a fairly stable indicator of module membership before and after compilation. Direct and indirect call features, such as the frequency of calls between functions, semantically related call targets, and special forms of indirect call (thunk functions, calls through function pointers, and so on), expose the interaction logic between modules and the likely boundaries between them. Data reference features, obtained by analyzing how functions access global variables, reveal which functions share state and therefore which modules are associated or functionally similar, giving a more complete picture of how the malware implements its functionality.
3. Coping with Challenges and Application Expansion
Malware analysis faces many challenges, such as interference from anti-analysis techniques, the loss of structural information during compilation, and the ambiguity of module boundaries. We improve the accuracy and efficiency of module decomposition by combining several techniques: de-obfuscation and indirect-call recovery in a hybrid analysis preprocessor, and an ensemble model that combines multiple community discovery algorithms. Building on this understanding of malware modules, we further explore applications in malicious code abstraction and family classification, providing new ways to identify and prevent malware threats more accurately.
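The three passages above (call-graph recovery, the feature classes, and community discovery over the resulting graph) can be followed end to end on a small constructed call graph. The block below is an added illustration written for this page; it is not the DeMal system's code. The function names, addresses, call lists and global-variable references are made up to stand in for what a disassembler and indirect-call recovery would produce for a real sample, the feature weights W_CALL, W_DATA and W_SEQ are assumed, and a single label-propagation pass stands in for the ensemble of community discovery algorithms the page describes.

```python
"""Toy module decomposition of a malware call graph via community discovery.

Added illustration for this page, not the DeMal system's own code. The call
graph below is constructed by hand to stand in for what a disassembler and
indirect-call recovery would produce for a real sample.
"""
from collections import defaultdict

# Constructed sample with three logical modules. Per function: its address,
# its callees (a repeated entry models call frequency) and the globals it
# references. thunk_send models a jump thunk to an imported send().
FUNCTIONS = {
    "main":        {"addr": 0x401000, "calls": ["init", "dispatch", "dispatch"], "data": {"g_cfg"}},
    "init":        {"addr": 0x401040, "calls": ["parse_cfg"], "data": {"g_cfg"}},
    "dispatch":    {"addr": 0x401080, "calls": ["net_send", "fs_scan"], "data": {"g_cfg"}},
    "parse_cfg":   {"addr": 0x4010c0, "calls": [], "data": {"g_cfg"}},
    "net_send":    {"addr": 0x402000, "calls": ["net_encrypt", "net_encrypt", "thunk_send"], "data": {"g_sock"}},
    "net_encrypt": {"addr": 0x402040, "calls": ["xor_buf"], "data": {"g_key"}},
    "xor_buf":     {"addr": 0x402080, "calls": [], "data": {"g_key"}},
    "thunk_send":  {"addr": 0x402100, "calls": [], "data": {"g_sock"}},
    "fs_scan":     {"addr": 0x403000, "calls": ["fs_walk", "fs_walk", "fs_match"], "data": {"g_paths"}},
    "fs_walk":     {"addr": 0x403040, "calls": ["fs_match"], "data": {"g_paths"}},
    "fs_match":    {"addr": 0x403080, "calls": [], "data": {"g_pat"}},
}

W_CALL, W_DATA, W_SEQ = 1.0, 1.0, 0.5  # assumed weights per feature class


def build_affinity(functions):
    """Undirected weighted graph combining three feature classes: call
    frequency, shared global-data references, and adjacency in the
    function address order left by the linker."""
    w = defaultdict(float)

    def add(a, b, weight):
        if a != b:
            w[(a, b) if a < b else (b, a)] += weight

    for name, f in functions.items():
        for callee in f["calls"]:            # one unit per call site
            add(name, callee, W_CALL)
    names = list(functions)
    for i, a in enumerate(names):
        for b in names[i + 1:]:              # one unit per shared global
            shared = len(functions[a]["data"] & functions[b]["data"])
            if shared:
                add(a, b, W_DATA * shared)
    by_addr = sorted(names, key=lambda n: functions[n]["addr"])
    for a, b in zip(by_addr, by_addr[1:]):  # neighbours in address order
        add(a, b, W_SEQ)
    adj = defaultdict(dict)
    for (a, b), weight in w.items():
        adj[a][b] = weight
        adj[b][a] = weight
    return adj


def label_propagation(functions, adj, max_rounds=50):
    """Asynchronous label propagation: each function adopts the label with
    the largest total edge weight among its neighbours; ties go to the
    smallest label so the result is deterministic."""
    order = sorted(functions, key=lambda n: functions[n]["addr"])
    label = {n: i for i, n in enumerate(order)}
    for _ in range(max_rounds):
        changed = False
        for n in order:
            score = defaultdict(float)
            for m, weight in adj[n].items():
                score[label[m]] += weight
            if not score:
                continue
            best = min(score, key=lambda l: (-score[l], l))
            if best != label[n]:
                label[n] = best
                changed = True
        if not changed:
            break
    modules = defaultdict(list)
    for n in order:
        modules[label[n]].append(n)
    return [sorted(m) for m in modules.values()]


def decompose(functions, entry="main"):
    """Return (control_module, other_modules); the control module is the
    community that contains the entry point."""
    modules = label_propagation(functions, build_affinity(functions))
    control = next(m for m in modules if entry in m)
    return control, [m for m in modules if m is not control]


if __name__ == "__main__":
    control, others = decompose(FUNCTIONS)
    print("control module:", control)
    for m in others:
        print("function module:", m)
```

On this input the three feature classes reinforce each other and the propagation settles in two rounds on the control module (main, init, dispatch, parse_cfg), a network module and a file-system module. The address-order weight is what keeps the thunk in the network module despite its single call edge; on a sample whose link order has been scrambled, that weight should be lowered, which is one reason the page describes combining several community discovery algorithms rather than relying on one.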
II. Protocol Reverse Engineering: Uncovering the Mysterious Veil of Network Protocols
1. Comprehensive Review of Methods and Tools
In the paper “Protocol Reverse-Engineering Methods and Tools: A Survey”, we study protocol reverse engineering methods and tools based on network traces (NetT) and execution traces (ExeT). On the NetT side, we analyze how tools apply clustering and statistical analysis to large numbers of captured messages to extract protocol features, such as byte features, context and sequence features, and graph and distribution features, and from them infer the message format and the protocol state machine. For example, some tools identify similar message field formats and their boundaries by computing byte features such as per-position byte frequency and mutation rate, or by applying sequence-feature methods such as n-gram analysis and sequence alignment. On the ExeT side, we examine how dynamic or static program analysis of the executable that processes the protocol yields instruction execution traces and memory access patterns related to protocol handling, from which the protocol specification can be inferred.
2. Protocol Feature Classification and Innovation
We propose a classification of protocol reverse engineering tools based on the protocol features they use, dividing those features into levels; this gives a clearer basis for describing and comparing different tools. Through this classification we study the role and value of each feature type in protocol reverse engineering and how features can be combined to improve the accuracy and efficiency of protocol analysis. For example, NetT-based features are well suited to large volumes of network traffic and quickly expose the statistical regularities of a protocol, while ExeT-based features reach the semantics and internal logic of the protocol, which matters most when the traffic is encrypted or compressed and the network trace alone reveals little. We continue to explore new feature extraction methods, combined with machine learning and deep learning, to further strengthen protocol reverse engineering.
3. Promoting the Development of Network Security and Communication
Protocol reverse engineering has important application value in the field of network security. We are committed to applying research results to practical scenarios such as network management, security verification, and intrusion detection. By deeply understanding the protocol specification, we can help discover potential security vulnerabilities in network protocols and provide strong support for network security protection. At the same time, we also pay attention to the role of protocol reverse engineering in promoting the optimization and improvement of network communication protocols. Through in-depth analysis of protocols, we provide valuable references for the design and development of protocols, promoting the continuous development of network communication technologies. For example, when studying certain industrial protocols, we discovered deficiencies in their format definitions and state machine designs through protocol reverse engineering techniques and proposed corresponding improvement suggestions, effectively improving the security and reliability of industrial networks.
In the challenging and opportunity-rich field of cybersecurity, we will continue to explore the cutting-edge technologies of malware analysis and protocol reverse engineering, constantly innovate, and contribute to safeguarding the security of the network world.