
Research On Mechanism And Defense Of Malicious Code

Posted on: 2006-09-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W P Wen
GTID: 1118360152487497
Subject: Computer application technology

Abstract/Summary:
With the increasingly serious problems caused by malicious code, research on the mechanism and prevention of malicious code is conducted with the Windows OS as the test and application platform. Six principal achievements have been obtained:

First, an attack model of malicious code is proposed, and the key techniques used in malicious code are analyzed. A vulnerability-planting malicious code is designed and implemented, then tested and evaluated in three respects: generality, invisibility and performance on the infected systems. The results show that this malicious code has stronger survivability. The research on the mechanism and its application provide a theoretical foundation and guideline for the study of prevention techniques against malicious code and of network security policy.

Second, static and dynamic analysis methods for defending against malicious code are presented, and the concealment techniques used by malicious code are summarized; based on these, an obfuscating transformation strategy that can improve the survivability of malicious code is proposed. The obfuscating transformation strategy is then formally specified and analyzed, and a framework for an obfuscating transformation engine is developed. The results show that malicious code using obfuscating transformation can evade most malicious code detection tools that rely on misuse intrusion detection.

Third, according to the characteristics of malicious code, an integrated framework for prevention against malicious code is proposed. This framework integrates various prevention techniques, such as misuse detection, anomaly detection and privilege control, and implements host-based and network-based prevention against malicious code.

Fourth, from the viewpoint of system intrusion prevention, a new approach to detecting and defending against malicious code based on runtime interception of Win32 functions is presented. After analyzing the attack behavior patterns of malicious code and exploring the mechanisms for detecting and defending against them, a prototype system is designed. Finally, the Worm.KillMSBlast worm is used as an example to evaluate the system; the related experimental data and analytical results demonstrate that the approach is effective for detecting malicious code and preventing its spread in time.

Fifth, from the viewpoint of network intrusion prevention, a new approach against malicious code based on netlike association analysis is presented. By analyzing the behavior mode of malicious code, a new early-warning algorithm is designed, and a large-scale early-warning model and a prototype system built on the algorithm are developed. The related experimental data and analytical results are given. In contrast with current detection methods, this method is much more effective and can give early warning of unknown malicious code.

Sixth, the fundamental definition and functional structure of the network worm are given, and the idea of applying network worms reasonably is presented. The framework and implementation strategy of the network worm, and the function algorithm of the individual worm, are designed. According to the analytical results on the advantages of benign worms, it is concluded that benign worms can be applied in various areas, such as anti-worm, network detection agents, patching common holes and distributed computation, and can enhance system and network security.

In a word, the work of this thesis positively explores prevention techniques against malicious code on Windows OS applications, which provides a guideline and theoretical foundation for developing a more secure application platform with prevention functionality against malicious code.
Keywords/Search Tags: Malicious code, Mechanism, Defense, Obfuscating transformation, Runtime interception of Win32 functions, Netlike association analysis, Benign worm