Font Size: a A A

Research And Implementation Of Malicious Code Detection Technology Based On Virtualization

Posted on:2017-04-06Degree:MasterType:Thesis
Country:ChinaCandidate:X N LiFull Text:PDF
GTID:2308330485478309Subject:Computer Science and Technology
Abstract/Summary:
The rapid development of Internet technology is put into use in all kinds of industries, but huge security risks come along with the convenience which the technology brings to us. With the exposure of some major network security incidents such as Stuxnet and Flame virus in recent years, the information security gets more and more attentions. The Chinese government has raised the information security to the national security strategic level. In field of information security, the greatest threat is malicious code which is developed to long-term hidden, highly targeted and high attack.It has become one of hot topics in information security field, so malicious code detection technology has great significance.This thesis focuses on malicious code detection technology based on the host behaviors. Its goal is to build malicious code detection system, which can automatically detect, provide the host behaviors and classify of malicious code.The main work is as follows:(1) Analyses and studies current mainstream of malicious code technology, and sums up behavior characteristics of malicious code. Based on the kernel security technology of Windows, we explore the technology of malicious code monitoring on the layer of kernel.(2) Adopts virtualization technology to protect the operating system resources from damage and leaking during detection process. The kernel level hook technology is adopted to achieve file virtualization and device driver is added to filter network flow to realize the virtualization.(3) Based on analyzing the defect of some hidden process detection techniques, we propose an improved hidden process detecting technology, which can efficiently detect the hidden process in the operating system and can be to detect the hidden attribute of malicious code process.(4) Uses AHP to detect malicious code, and establishes the malicious code evaluation model based on AHP. Base on it, BP neural network is usesd to make improvements, which can subdivide the evaluation result of malicious code. The malicious code can be divided into viruses, Trojans, worms, and other four categories. Based on APH we propose an improved method which uses BP neural network to classify malicious code. Experiments are done to prove the effectiveness of the method.(5) According to theory of malicious code detection method based on the host behaviors, this thesis designs a malicious code detection system based on virtualization technology. The experimental result shows that the system can effectively monitor malicious code behavior and make judgments.Innovation of this thesis is mainly reflected in the following aspects:(1) Proposes an improved hidden process detecting technology, which can efficiently detect the hidden process in the operating system and can be used to detecting the hidden attribute of malicious code process.(2) Based on AHP, we propose an improved method that uses BP neural network to detect malicious code. The malicious code evaluation model is established and improved by using BP neural network in this method which can subdivide the evaluation result of malicious code.(3) Based on Windows driver development and C++programming, we design and implement the system prototype which can detect malicious code efficiently and subdivide the class of malicious code.
Keywords/Search Tags:Malicious Code, Behavior Monitoring, Virtualization, Hidden Processes, Detection
Related items