
Dynamic Detection of Malware Based on Self-replication

Posted on: 2011-06-28
Degree: Master
Type: Thesis
Country: China
Candidate: J Q Jiang
GTID: 2178360332958124
Subject: Computer Science and Technology
Abstract/Summary:
The development of computer networks has brought great convenience, but also problems that never appeared before, and security is the outstanding one among them. The wide spread of malware such as viruses, worms and Trojans is an unrelenting threat to individual and corporate users; antivirus software is the usual defence against it. Traditional antivirus software finds malware by matching signature strings against samples, but this method faces more and more challenges, so a new method, dynamic detection, is being developed and improved. It is based on the behaviour of the malware while it executes: it mainly analyses the sequence of APIs the malware calls, so it can resist packed and metamorphic malware; and because it uses signature behaviours (for example, self-reference replication) instead of signature strings, it avoids the need to update the signature database frequently and the problem that a signature cannot be delivered in time.

Generally speaking, how much detail can be monitored, and how that detail is matched against the signature behaviour, determine the result of dynamic detection. In this thesis I propose the IRP data package (the I/O request packet that carries requests between system drivers) as a new data source besides user-mode and kernel-mode APIs. IRP data gives more detailed information, including activity that malware may hide from the API level. The current monitoring method is still imperfect and the monitored information is not detailed enough, so I propose a simplified method called SRR; the new method, ASRR, solves a particular type of problem with only limited false positives.

Experimental results show that combining the IRP data package with ASRR achieves a result far better than APIs with SRR. This also shows the necessity of using the IRP data package as a data source, and that the new method causes only limited false positives.
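The abstract makes two claims that a short detector can make concrete: a signature behaviour such as self-replication can be matched against a stream of monitored operations instead of against byte strings, and a monitor that only sees user-mode API calls can miss writes that a kernel-level IRP record still shows. The following block is an added illustration written for this page, not code from the thesis; its event schema, process table, file paths, pids and byte strings are all constructed, and it implements a plain "process wrote a byte-identical copy of its own image elsewhere" rule rather than the thesis's SRR or ASRR methods, which the abstract does not describe in enough detail to reproduce.

```python
"""Behaviour-signature detection of self-replication over monitor traces.

Added example (not from the thesis): every event, path, pid and byte
string below is constructed for the demonstration.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Event:
    """One monitored operation from either data source (constructed schema).

    source: "api" for a user-mode API hook record, "irp" for an I/O request
            packet seen by a kernel filter driver.
    op:     API name or IRP major function.
    data:   payload for write operations (empty otherwise).
    """
    source: str
    pid: int
    op: str
    path: str
    data: bytes = b""


# Constructed process table: pid -> on-disk image the process was started from.
IMAGES = {
    100: r"C:\Users\u\dropper.exe",
    200: r"C:\Windows\notepad.exe",
}

# Constructed file contents standing in for the two executables.
DROPPER = b"MZ\x90\x00" + b"\x00" * 60 + b"dropper-body"
NOTEPAD = b"MZ\x90\x00" + b"\x00" * 60 + b"notepad-body"
DISK = {IMAGES[100]: DROPPER, IMAGES[200]: NOTEPAD}

WRITE_OPS = {"WriteFile", "IRP_MJ_WRITE"}


def image_digest(pid):
    """SHA-256 of the image the process runs from, or None if it is unknown."""
    path = IMAGES.get(pid)
    return sha256(DISK[path]).digest() if path in DISK else None


def detect_self_replication(events, sources=("api", "irp")):
    """Return {(pid, dest_path)} for every process that wrote a byte-for-byte
    copy of its own image to a different path.

    Writes are reassembled per (source, pid, path) in trace order, so a copy
    made in several chunks still matches, and a write that both monitors
    saw is not counted twice.  Restricting `sources` shows what one monitor
    alone would have detected.
    """
    written = {}
    for ev in events:
        if ev.source in sources and ev.op in WRITE_OPS:
            key = (ev.source, ev.pid, ev.path)
            written.setdefault(key, bytearray()).extend(ev.data)
    hits = set()
    for (_, pid, path), buf in written.items():
        own = IMAGES.get(pid)
        if own and path != own and sha256(bytes(buf)).digest() == image_digest(pid):
            hits.add((pid, path))
    return hits


# Constructed trace.  pid 100 reads its own image and copies it to a new
# path, but issues the write without passing through the hooked user-mode
# API (the hook only records the CreateFile), so the write is visible only
# in the IRP records.  pid 200 is a benign editor saving a text file; both
# layers see that write and it must not be flagged.
TRACE = [
    Event("api", 100, "ReadFile", IMAGES[100], DROPPER),
    Event("api", 100, "CreateFile", r"C:\ProgramData\svc.exe"),
    Event("irp", 100, "IRP_MJ_CREATE", r"C:\ProgramData\svc.exe"),
    Event("irp", 100, "IRP_MJ_WRITE", r"C:\ProgramData\svc.exe", DROPPER[:32]),
    Event("irp", 100, "IRP_MJ_WRITE", r"C:\ProgramData\svc.exe", DROPPER[32:]),
    Event("api", 200, "WriteFile", r"C:\Users\u\notes.txt", b"hello"),
    Event("irp", 200, "IRP_MJ_WRITE", r"C:\Users\u\notes.txt", b"hello"),
]

if __name__ == "__main__":
    print("API hooks only:", detect_self_replication(TRACE, sources=("api",)))
    print("API + IRP     :", detect_self_replication(TRACE))
```

Run with only the `api` source and the dropper is missed, because the write it hid from the hook never reaches the detector; add the `irp` source and the same rule flags it. The strict byte-equality check is deliberately narrow: a program that rewrites itself with a changed header or appended data would not match, and a legitimate self-copying installer would, which is the kind of residual false positive the abstract says ASRR keeps limited.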
Keywords/Search Tags: self-reference replication, IRP data package, dynamic detection