
Research On Unknown Pe Virus Detection Technology Based On Behavior Analysis

Posted on: 2016-11-04   Degree: Master   Type: Thesis
Country: China   Candidate: J C Liu   Full Text: PDF
GTID: 2298330467493152   Subject: Information security
Abstract/Summary:
With the rapid development of information technology, people enjoy the convenience of the Internet but are also exposed to computer viruses. Virus-writing techniques have shifted from simple, functional damage towards evading anti-virus software through polymorphism, packers and similar methods. Mainstream anti-virus products rely on signature scanning, which cannot identify unknown viruses. Detection based on dynamic behaviour analysis instead monitors the actions of a suspicious file as it runs; because it does not depend on the static characteristics of a virus, it can identify unknown viruses effectively.

To address the shortcomings of current detection methods, this thesis proposes a virus detection method based on the dynamic behaviour features of samples and data-mining algorithms, which determines the category to which a sample belongs. On this basis, the thesis designs and implements a virus detection system based on behaviour analysis. The system consists of a virtual machine control module that manages the virtual machines, a dynamic behaviour tracking module that captures the behaviour of samples, a feature vector generation module that builds feature vectors from the captured behaviour, and a support vector machine (SVM) learning module that classifies the samples. Finally, the validity of the model is tested. The main work is as follows:

(1) Common behaviour features of viruses are defined and analysed, explaining the principles behind the malicious operations of PE viruses.

(2) A new approach is proposed that builds the classifier from dynamic behaviour features using a one-against-rest ("one-to-multi") SVM. The thesis studies the feasibility of this method for detecting unknown viruses and further determining the category of a virus.

(3) To address the deficiencies of the original feature selection algorithm based on information gain, an improved feature selection algorithm is proposed. The new algorithm takes into account both the frequency with which a feature item appears within a category and the distribution of feature items across samples, so that the selected feature items discriminate better between categories.

(4) Based on sample behaviour analysis and SVM classification, a PE virus detection system is designed and implemented. Experiments show that filtering the behaviour features with the improved information-gain algorithm before SVM classification improves detection by 3% over the method that uses the original information-gain algorithm.
Keywords/Search Tags: computer virus detection, behavior analysis, information entropy, support vector machine