
A Malicious Code Analysis System For E-Mail Attachments

Posted on: 2012-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: Z R Ren
Full Text: PDF
GTID: 2218330362450261
Subject: Computer Science and Technology
Abstract/Summary:
In recent years the rapid growth of the Internet has brought new network applications almost daily. This has seriously disrupted traditional Internet services, and many once well-known services have disappeared one by one. E-mail, however, with its huge user base, convenient operation and stable service, has not died out but has taken on a new role on the Internet.

E-mail also provides a platform for criminals, who spread malicious code through it to damage users' files and steal their data. Since analysis shows that such malicious code spreads mainly through e-mail attachments, a malicious code detection system for e-mail attachments is necessary.

To cope with malicious code spreading through e-mail attachments, this thesis first revises the system model by analysing the e-mail communication model. It then analyses the working process, message format and command details of the three application-layer protocols POP3, SMTP and IMAP, and builds a mail restore engine on top of an RFC 822 packet analysis module. The restore engine extracts the sender, the receiver, the sending date, the subject and other necessary information from each message and records them in a log. Finally, the working principle of Libnids is analysed and a packet capture model covering the link layer up to the transport layer is established.

For static detection of malicious code the thesis uses a feature called the structured fingerprint (structured dactylogram). Because software can be represented by its network structure, routine calls are rendered as images and, using content-based image retrieval (CBIR) on image details, the colour moments and shape moments of that image are extracted as the structured fingerprint of the software. The HSV colour space replaces the RGB colour space of the original algorithm, which improves the consistency, integrity, compactness and naturalness of the colour moment. The invariance of the shape moments under translation, scaling and rotation is also demonstrated.
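The mail restore step described above, as an added example that is not code from the thesis: a Python sketch that undoes the dot-stuffing of a captured SMTP DATA segment (RFC 5321 section 4.5.2), parses the result as an RFC 822/MIME message with the standard library, extracts the fields the restore engine logs, and inventories the attachments. The captured session, the addresses, the `invoice.txt` attachment and the `MZ` header check are constructed for this example; the thesis's own log format is not given here.

```python
"""Restore a mail from a captured SMTP DATA segment and inventory its attachments."""
import email
import hashlib
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample: what the DATA phase of one SMTP session looks like on the wire.
# Lines are dot-stuffed (RFC 5321 section 4.5.2) and the phase ends with a lone ".".
# The attachment declares itself text/plain but its bytes begin with "MZ", a PE header.
CAPTURED_SMTP_DATA = (
    b"From: Alice <alice@example.org>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Date: Mon, 11 Jun 2012 09:30:00 +0800\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"..see attached\r\n"                    # as sent; the real line is ".see attached"
    b"--b1\r\n"
    b'Content-Type: text/plain; name="invoice.txt"\r\n'
    b'Content-Disposition: attachment; filename="invoice.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AAA==\r\n"          # base64 of 16 bytes starting with MZ\x90\x00
    b"--b1--\r\n"
    b".\r\n"
)


def unstuff_smtp_data(wire: bytes) -> bytes:
    """Undo SMTP dot-stuffing and drop the end-of-data marker (RFC 5321 4.5.2)."""
    out = []
    for line in wire.split(b"\r\n"):
        if line == b".":
            break                      # a lone dot terminates the DATA phase
        if line.startswith(b"."):
            line = line[1:]            # the sender doubled a leading dot; remove one
        out.append(line)
    return b"\r\n".join(out) + b"\r\n"


def restore_mail(wire: bytes) -> dict:
    """Parse the restored RFC 822 message and collect what the restore engine would log."""
    msg = email.message_from_bytes(unstuff_smtp_data(wire), policy=policy.default)
    record = {
        "sender": str(msg["From"]),
        "receiver": str(msg["To"]),
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "subject": str(msg["Subject"]),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)   # transfer-decoded bytes
        record["attachments"].append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            # Check the bytes, not the declared name or type: both are chosen by the sender.
            "pe_header": payload[:2] == b"MZ",
        })
    return record


def log_line(record: dict) -> str:
    """One log line per message, in the field order the thesis lists (format assumed)."""
    flagged = [a["filename"] for a in record["attachments"] if a["pe_header"]]
    return "%s|%s|%s|%s|attachments=%d|pe=%s" % (
        record["sender"], record["receiver"], record["date"], record["subject"],
        len(record["attachments"]), ",".join(flagged) or "-")


if __name__ == "__main__":
    print(log_line(restore_mail(CAPTURED_SMTP_DATA)))
```

The point of the `pe_header` field is the check a practitioner wants before handing an attachment to the static detector: the filename, `Content-Type` and `Content-Disposition` are all written by the sender, so the attachment's real bytes decide what it is, not what it claims to be.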
Experiments show that the structured fingerprint has good uniqueness, stability and sensitivity; the two factors that can cause inaccurate judgements are then analysed. Finally, the thesis presents the design, implementation details and test results of the malicious code detection system for e-mail attachments.
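The structured fingerprint described above, as an added example that is not the thesis's code: a pure-Python sketch that rasterises a call graph as an adjacency image, computes Hu's seven shape invariant moments on it, computes the mean, standard deviation and skewness colour moments of an HSV rendering, and checks the translation and rotation invariance the abstract claims. The six-routine call graph, the per-edge "call kind" colouring, the log scaling of the moments and the L1 distance are assumptions made for this example; how the thesis actually renders routine calls as an image is not given here.

```python
"""Structured fingerprint of a program: moments of its call graph rendered as an image."""
import colorsys
import math

# Constructed sample: a call graph over six routines as (caller, callee) -> kind, where
# kind is a hypothetical label (0 = internal call, 1 = call into an imported API).
N_ROUTINES = 6
CALLS = {(0, 1): 0, (0, 2): 0, (1, 3): 0, (2, 3): 0, (3, 4): 1, (3, 5): 1}
KIND_RGB = {0: (0.2, 0.8, 0.2), 1: (0.9, 0.1, 0.1)}   # hypothetical colour per call kind


def adjacency_image(calls, n):
    """Binary n x n raster of the call graph: pixel (row=callee, column=caller) = 1."""
    img = [[0.0] * n for _ in range(n)]
    for caller, callee in calls:
        img[callee][caller] = 1.0
    return img


def rgb_image(calls, n):
    """Same raster in RGB: edge pixels take the colour of their kind, background is white."""
    img = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (caller, callee), kind in calls.items():
        img[callee][caller] = KIND_RGB[kind]
    return img


def hu_moments(img):
    """Hu's seven moment invariants of a grey raster (list of rows of intensities)."""
    def m(p, q, cx=0.0, cy=0.0):            # (central) geometric moment of order p+q
        return sum((x - cx) ** p * (y - cy) ** q * v
                   for y, row in enumerate(img) for x, v in enumerate(row) if v)
    m00 = m(0, 0)
    cx, cy = m(1, 0) / m00, m(0, 1) / m00   # centroid removes translation
    def eta(p, q):                           # normalised central moment removes scale
        return m(p, q, cx, cy) / m00 ** (1 + (p + q) / 2)
    n20, n02, n11 = eta(2, 0), eta(0, 2), eta(1, 1)
    n30, n03, n21, n12 = eta(3, 0), eta(0, 3), eta(2, 1), eta(1, 2)
    a, b = n30 + n12, n21 + n03
    c, d = n30 - 3 * n12, 3 * n21 - n03
    return (                                 # the seven rotation-invariant combinations
        n20 + n02,
        (n20 - n02) ** 2 + 4 * n11 ** 2,
        c ** 2 + d ** 2,
        a ** 2 + b ** 2,
        c * a * (a ** 2 - 3 * b ** 2) + d * b * (3 * a ** 2 - b ** 2),
        (n20 - n02) * (a ** 2 - b ** 2) + 4 * n11 * a * b,
        d * a * (a ** 2 - 3 * b ** 2) - c * b * (3 * a ** 2 - b ** 2),
    )


def color_moments(rgb_img):
    """Mean, standard deviation and skewness of the H, S and V channels (9 values)."""
    pixels = [colorsys.rgb_to_hsv(*px) for row in rgb_img for px in row]
    n, out = len(pixels), []
    for ch in range(3):
        vals = [px[ch] for px in pixels]
        mean = sum(vals) / n
        var = sum((v - mean) ** 2 for v in vals) / n
        third = sum((v - mean) ** 3 for v in vals) / n
        out += [mean, math.sqrt(var), math.copysign(abs(third) ** (1 / 3), third)]
    return out


def structured_fingerprint(calls, n):
    """Feature vector: log-scaled Hu moments (scaling assumed) plus HSV colour moments."""
    shape = [math.copysign(math.log10(abs(h)), h) if h else 0.0
             for h in hu_moments(adjacency_image(calls, n))]
    return shape + color_moments(rgb_image(calls, n))


def distance(f1, f2):
    """L1 distance between two fingerprints; 0 means an identical structure."""
    return sum(abs(u - v) for u, v in zip(f1, f2))


def rotate90(img):
    """Rotate a raster clockwise by 90 degrees (a proper rotation, not a reflection)."""
    return [list(col) for col in zip(*img[::-1])]


def translate(img, dx, dy):
    """Shift a raster right by dx and down by dy by padding with background."""
    w = len(img[0])
    return [[0.0] * (w + dx) for _ in range(dy)] + [[0.0] * dx + row for row in img]
```

Translation and 90-degree rotation of a discrete raster are exact transformations of the pixel set, so the Hu moments agree to floating-point precision; scale invariance holds for the continuous moments, and nearest-neighbour up-sampling of a small raster only approximates it, which is one reason a practitioner compares fingerprints with a tolerance rather than for equality. Adding a single call edge changes the fingerprint, which is the sensitivity property the thesis measures.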
Keywords/Search Tags: Mail Restore, Static Test, Structured Dactylogram, Color Moment, Shape Invariant Moment