
Research On Detecting Technology Of Malicious Code Based On Sub-Behavior

Posted on: 2012-11-23    Degree: Master    Type: Thesis
Country: China    Candidate: Y Wang    Full Text: PDF
GTID: 2568304886981219    Subject: Computer application technology
Abstract/Summary:
Computers are widely used across society, play an important role in people's lives and have changed the way people work. At the same time, malicious code seriously threatens both computer systems and the people who depend on them. According to the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), 784 network security incidents of all types were handled in the first half of 2010, an increase of 92.9% over the first half of 2009, and malicious code accounted for 57.57% of them. Research on malicious code detection is therefore of great significance.

The thesis first introduces the classification and characteristics of malicious code and surveys existing analysis and detection techniques. It then proposes a malicious code detection method based on sub-behavior. A sub-behavior is defined as the subset of API calls through which malicious code operates on a kernel object at runtime. An existing approach based on API frequency mainly considers the structural characteristics of each API call in isolation and is therefore vulnerable to obfuscation. To address this, the proposed method extracts its signature from the dependence between system calls, which makes the signature harder to evade and gives the extracted features more semantic content.

Based on this analysis, a prototype sub-behavior-based malicious code detection system is implemented. It consists of three modules: a behavior monitoring module, which dynamically captures the system calls of malicious code on the monitoring platform APICapture; a feature extraction module, which analyzes def-use dependences between system calls to extract the sub-behavior features of the malicious code; and a detection module, which, because existing detection algorithms target a single sample, instead applies a chi-square test to the sub-behavior features of each malware family. Finally, the thesis presents the experiments and analyzes the results, which show that, compared with the traditional method based on API frequency statistics, this method achieves a higher TPF (True Positive Fraction) and a lower FPF (False Positive Fraction).
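The two ideas in the abstract, a sub-behavior as the API calls linked by handle def-use on one kernel object, and a chi-square test over a family's sub-behaviors rather than a single sample, as a self-contained Python illustration. This is an added example, not the thesis's APICapture prototype or its code: the trace format (API name, argument dict, return value), the `h<n>` handle naming convention, the API names, the dropper and benign sample traces, and the 2x2 presence/absence contingency table are all constructed assumptions, and the detection rule (flag a trace that exhibits at least one signature sub-behavior) is one simple choice the thesis does not specify. The `junk` parameter simulates API-insertion obfuscation so the contrast with per-API frequency counting is visible.

```python
"""Sub-behaviour extraction from API call traces via handle def-use chains,
plus a chi-square feature test per malware family.

Added example, not the thesis's own code. Trace format, handle convention,
API names and sample traces are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from itertools import chain

HANDLE_RE = re.compile(r"^h\d+$")   # constructed stand-in for HANDLE values

def is_handle(v):
    return isinstance(v, str) and HANDLE_RE.match(v) is not None

def api_frequency(trace):
    """Baseline feature: how often each API name occurs (obfuscation-sensitive)."""
    return Counter(api for api, _args, _ret in trace)

def extract_sub_behaviors(trace):
    """Group API calls by the kernel object they operate on.

    A call that returns a handle *defines* the object; later calls whose
    arguments contain that handle *use* it. Each def-use chain becomes one
    sub-behaviour: the ordered tuple of API names touching that object.
    Calls that neither define nor use a handle (timing/junk APIs) contribute
    nothing, which is why inserted calls do not change the result.
    """
    finished, open_chains = [], {}
    for api, args, ret in trace:
        for h in {v for v in args.values() if is_handle(v)}:
            if h in open_chains:
                open_chains[h].append(api)
        if is_handle(ret):
            if ret in open_chains:            # handle value reused: close old chain
                finished.append(open_chains.pop(ret))
            open_chains[ret] = [api]
    return Counter(tuple(c) for c in chain(finished, open_chains.values()))

def chi_square_2x2(a, b, c, d):
    """Pearson chi-square for the table [[a, b], [c, d]], no continuity correction."""
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    return 0.0 if denom == 0 else n * (a * d - b * c) ** 2 / denom

def family_signature(family_traces, benign_traces, threshold=3.841):
    """Keep the sub-behaviours whose presence discriminates the family from
    benign samples; 3.841 is the chi-square critical value at p=0.05, 1 d.o.f."""
    fam = [set(extract_sub_behaviors(t)) for t in family_traces]
    ben = [set(extract_sub_behaviors(t)) for t in benign_traces]
    scored = {}
    for f in set().union(*fam, *ben):
        a = sum(f in s for s in fam); b = len(fam) - a      # family: with / without
        c = sum(f in s for s in ben); d = len(ben) - c      # benign: with / without
        scored[f] = chi_square_2x2(a, b, c, d)
    return {f: x for f, x in scored.items() if x >= threshold}

def detect(trace, signature, min_hits=1):
    """Flag a trace that exhibits at least min_hits of the family's signature
    sub-behaviours (assumed rule; returns (flagged, matched sub-behaviours))."""
    hits = set(extract_sub_behaviors(trace)) & set(signature)
    return len(hits) >= min_hits, hits

# --- constructed sample traces ---------------------------------------------
def dropper_trace(junk=0):
    """Constructed trace: write a file, then persist it under a Run key.
    junk > 0 interleaves handle-free calls, simulating API-insertion obfuscation."""
    core = [
        ("CreateFileA", {"path": "C:\\x.exe"}, "h1"),
        ("WriteFile", {"handle": "h1"}, None),
        ("CloseHandle", {"handle": "h1"}, None),
        ("RegOpenKeyExA", {"key": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}, "h2"),
        ("RegSetValueExA", {"handle": "h2", "value": "C:\\x.exe"}, None),
        ("RegCloseKey", {"handle": "h2"}, None),
    ]
    out = []
    for call in core:
        out.append(call)
        out.extend([("GetTickCount", {}, None)] * junk)
    return out

BENIGN = [  # constructed benign traces: read a document, query a config key
    [("CreateFileA", {"path": "C:\\doc.txt"}, "h1"),
     ("ReadFile", {"handle": "h1"}, None),
     ("CloseHandle", {"handle": "h1"}, None)],
    [("RegOpenKeyExA", {"key": "Software\\App"}, "h1"),
     ("RegQueryValueExA", {"handle": "h1"}, None),
     ("RegCloseKey", {"handle": "h1"}, None),
     ("GetTickCount", {}, None)],
]
FAMILY = [dropper_trace(0), dropper_trace(2), dropper_trace(5)]

if __name__ == "__main__":
    sig = family_signature(FAMILY, BENIGN)
    for f, score in sig.items():
        print(f"signature sub-behaviour {f}: chi2={score:.2f}")
    print("frequency differs under junk insertion:",
          api_frequency(dropper_trace(0)) != api_frequency(dropper_trace(5)))
    print("sub-behaviours unchanged:",
          extract_sub_behaviors(dropper_trace(0)) == extract_sub_behaviors(dropper_trace(5)))
    print("obfuscated dropper flagged:", detect(dropper_trace(3), sig)[0])
    print("benign reader flagged:", detect(BENIGN[0], sig)[0])
```

With these samples the file-drop chain and the Run-key chain each get chi2 = 5.0 (present in all three family traces, absent from both benign ones) and enter the signature, while the benign read chain scores 1.875 and is dropped. The obfuscated dropper has a different API frequency vector but identical sub-behaviors, so it is still flagged. Real traces need more care than this sketch: handle values are reused after `CloseHandle`, objects can be reached through duplicated or inherited handles, and the 2x2 presence test ignores how often a sub-behavior occurs within a sample.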
Keywords/Search Tags: Malicious Code, System Call, Sub-Behavior, Chi-square test