An Encryption Algorithm Cycle Identification Method Based on Bit Execution

Ransomware uses symmetric encryption algorithms to lock user files to extort money. This paper proposes a cryptographic algorithm loop identification method based on bit-precise execution, aiming to solve the problem of identifying unknown loops. The structure of the loop body of encryption algorith...

Full description

Saved in:
Bibliographic Details
Published in:2024 IEEE 9th International Conference on Data Science in Cyberspace (DSC) pp. 7 - 12
Main Authors: Sun, Yunge, Du, Gaolei, Qu, Junpeng, Fu, Yong
Format: Conference Proceeding
Language:English
Published: IEEE 23.08.2024
Subjects:
algorithm loop body
boolean formula
Data science
Deformation
Encryption
Input variables
Libraries
malware
Matrix converters
Merging
nonlinear cryptographic component
Ransomware
Registers
Software algorithms
symmetric encryption algorithm
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Ransomware uses symmetric encryption algorithms to lock user files to extort money. This paper proposes a cryptographic algorithm loop identification method based on bit-precise execution, aiming to solve the problem of identifying unknown loops. The structure of the loop body of encryption algorithms is fixed and usually includes nonlinear operations and linear operations. This article converts the loop body in the unknown software into a set of Boolean formulas, and converts the malware into a register data flow through the symbolic executor, thereby converting it into a set of Boolean formulas for execution. Execute known encryption algorithms with bit accuracy and establish a Boolean formula input-output relationship library for cryptographic components. The two sets of Boolean formulas are passed through a designed input matrix to achieve the Boolean formula mapping and input variable mapping of the confirmation algorithm, which can effectively judge the encryption algorithms in some malware.
DOI:10.1109/DSC63484.2024.00009