
Research And Implementation Of Malware Blocking Technology Based On Minifilter

Posted on: 2023-12-31  Degree: Master  Type: Thesis
Country: China  Candidate: H Q Deng  Full Text: PDF
GTID: 2558307097994699  Subject: Computer technology
Abstract/Summary:
With the development of Internet technology, connecting devices has become ever simpler. This brings convenience to people's lives, but it also lets malware easily mount attacks on users' computers, threatening personal data and property. At present malware mainly targets Windows, so studying how to intercept malicious processes on Windows, and how to detect them efficiently, is of great importance. With the continued spread of 64-bit Windows, traditional methods of intercepting malware suffer from poor stability and low adaptability and no longer meet current requirements. In addition, although machine learning has been widely applied to malware detection, many studies consider only the static behavior or only the dynamic behavior of malware when extracting and vectorizing features, so the malware's behavior cannot be described comprehensively. In view of these problems, this thesis proposes a method for intercepting the loading of malicious processes and uses a machine learning algorithm to analyze and detect malware; at the same time, the feature selection and vectorization process is improved, which improves the detection performance of the model. The research content is as follows:

(1) A malware detection model is designed and implemented. A dynamic behavior analysis report for each malware sample is obtained by building a Cuckoo sandbox environment. In feature selection, the malicious behavior is not only considered but also quantified: the sequence of called APIs is extracted from the otherwise redundant report, and the total number of API calls together with the number of sensitive API calls in each category are taken as the dynamic features of the malware. Static features are obtained by reading the raw bytes of the malware sample, representing them as N-gram features and selecting among those features with the chi-square test. Finally the static and dynamic features are combined and a random forest model is used for detection.

(2) A Minifilter-driven method for monitoring process loading is proposed, and a model for monitoring and intercepting malicious process loading is designed and implemented on that basis. By analyzing the structure of Windows executable files, the way the Windows loader loads them, and the principle of the Minifilter framework, the thesis identifies the mapping between a loaded executable file and its process, and thereby converts the monitoring of process loading into the monitoring of file loading. By registering a Minifilter that filters and acts on specific IRPs, a method for monitoring and intercepting process loading is obtained. Experiments show that the model based on this Minifilter monitoring method can monitor and intercept the loading of malicious processes and runs on mainstream Windows versions, with higher stability and wider adaptability. At the same time, the detection rate of the malware detection model combining static and dynamic features reaches 97.63%, about 2% higher than the best result obtained with a single kind of feature, which demonstrates the feasibility of the detection model.
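As an added illustration of the feature pipeline described in (1), the following stand-alone Python sketch is not the thesis's own code. It flattens a constructed Cuckoo-style JSON report into the API call sequence, counts the total number of calls and the number of sensitive calls per category, builds byte 2-gram counts over a few constructed byte strings, ranks the 2-grams with a chi-square test against benign/malicious labels, and merges the two feature groups into one record for a classifier. The sensitive-API category table is a hypothetical stand-in, since the abstract does not give the thesis's list; the report layout follows Cuckoo's report.json ("behavior" -> "processes" -> "calls" -> "api"); every input below is constructed. The random forest itself is not reproduced.

```python
"""Combined static + dynamic feature extraction (illustrative, not the thesis code).

Assumptions, labelled as such: the sensitive-API category table is hypothetical;
the report shape follows Cuckoo's report.json; all sample inputs are constructed.
"""
from collections import Counter

# Hypothetical sensitive-API categories (the thesis's own table is not given).
SENSITIVE_API_CATEGORIES = {
    "process": {"CreateProcessInternalW", "NtCreateThreadEx", "WriteProcessMemory"},
    "registry": {"RegSetValueExW", "RegCreateKeyExW"},
    "network": {"InternetOpenUrlW", "connect", "send"},
    "file": {"NtWriteFile", "DeleteFileW", "MoveFileWithProgressW"},
}

# Constructed Cuckoo-style report containing only the fields the extractor reads.
SAMPLE_REPORT = {
    "behavior": {"processes": [
        {"process_name": "sample.exe", "calls": [
            {"api": "NtCreateFile"}, {"api": "RegSetValueExW"},
            {"api": "InternetOpenUrlW"}, {"api": "CreateProcessInternalW"},
            {"api": "WriteProcessMemory"}, {"api": "NtWriteFile"},
        ]},
        {"process_name": "child.exe", "calls": [
            {"api": "connect"}, {"api": "send"}, {"api": "NtClose"},
        ]},
    ]}
}

# Constructed "binaries" (a few bytes each); labels: 1 = malicious, 0 = benign.
SAMPLE_BYTES = [
    b"\x4d\x5a\xe8\x00\xe8\x00",
    b"\x4d\x5a\xe8\x00\x90\x90",
    b"\x4d\x5a\x90\x90\x00\x00",
    b"\x4d\x5a\x00\x00\x90\x90",
]
SAMPLE_LABELS = [1, 1, 0, 0]


def api_sequence(report):
    """Flatten the per-process call lists into one ordered list of API names.
    Arguments, return values and timestamps are dropped as redundant."""
    return [call["api"]
            for proc in report.get("behavior", {}).get("processes", [])
            for call in proc.get("calls", [])]


def dynamic_features(report):
    """Total API calls plus the count of sensitive calls in each category."""
    seq = api_sequence(report)
    feats = {"api_total": len(seq)}
    for cat, apis in SENSITIVE_API_CATEGORIES.items():
        feats["sensitive_" + cat] = sum(1 for a in seq if a in apis)
    return feats


def byte_ngrams(data, n=2):
    """Overlapping byte n-gram counts of a file image."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def chi_square_select(ngram_counts, labels, k):
    """Rank n-grams by a 2x2 chi-square test of presence vs. label; keep the top k.
    Ties are broken on the n-gram bytes so the result is deterministic."""
    n, n_pos = len(labels), sum(labels)
    n_neg = n - n_pos
    if n_pos == 0 or n_neg == 0:
        raise ValueError("both classes are needed for a chi-square ranking")
    scores = {}
    for g in set().union(*ngram_counts):
        pres_pos = sum(1 for c, y in zip(ngram_counts, labels) if y == 1 and g in c)
        pres_neg = sum(1 for c, y in zip(ngram_counts, labels) if y == 0 and g in c)
        present = pres_pos + pres_neg
        if present in (0, n):          # a constant feature carries no information
            scores[g] = 0.0
            continue
        observed = [[pres_pos, pres_neg], [n_pos - pres_pos, n_neg - pres_neg]]
        row_tot, col_tot = [present, n - present], [n_pos, n_neg]
        chi = 0.0
        for r in range(2):
            for c in range(2):
                expected = row_tot[r] * col_tot[c] / n
                chi += (observed[r][c] - expected) ** 2 / expected
        scores[g] = chi
    return sorted(scores, key=lambda g: (-scores[g], g))[:k]


def static_features(data, selected):
    """Counts of the selected n-grams in one sample, keyed by the n-gram's hex."""
    counts = byte_ngrams(data)
    return {"ng_" + g.hex(): counts[g] for g in selected}


def feature_vector(report, data, selected):
    """Merge dynamic and static features into one record for the classifier."""
    return {**dynamic_features(report), **static_features(data, selected)}


if __name__ == "__main__":
    chosen = chi_square_select([byte_ngrams(b) for b in SAMPLE_BYTES], SAMPLE_LABELS, 3)
    print(feature_vector(SAMPLE_REPORT, SAMPLE_BYTES[0], chosen))
```

The chi-square ranking is computed on presence/absence of each n-gram, which is the usual way to apply the test to sparse N-gram features; on the tiny constructed corpus the three n-grams that appear in exactly one class score highest. The merged dictionaries can be fed to a dictionary vectorizer and a random forest, which is the step the thesis describes but this sketch leaves out.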
Keywords/Search Tags:Minifilter, Malicious Process Detection, API Call Sequence, Sandbox Technology