
Research And Implementation Of Suspicious Behavior Annotation Based On Decompilation

Posted on: 2010-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: Q Wang
Full Text: PDF
GTID: 2178330332478500
Subject: Computer software and theory
Abstract/Summary:
With the spread of computers and networks, viruses, Trojan horses and spyware have become harmful and far-reaching. In response, anti-virus software has developed rapidly to defeat malicious attacks. However, today's anti-virus software has several shortcomings. First, most anti-virus software is based on a virus library and signatures, so it is inefficient against new viruses. Second, it can only decide between ordinary and malicious programs; it lacks annotation of a program's behaviors, so a malware analyst cannot locate the malicious code quickly and precisely. Malware analysts urgently need a new tool that not only annotates a program's behavior but also decides between malicious and benign behaviors, helping the analyst evaluate the degree of suspicion and harm.

This thesis first introduces the background of decompilation and annotation, then presents a technique for annotating malicious behaviors based on decompilation, called double-space and multi-level annotation. Based on a deep analysis of SVG (Scalable Vector Graphics), the thesis presents a technique for using SVG to realize graphical annotation of suspicious behaviors, which constitutes the first space of the double-space and multi-level annotation system, and analyzes its realization. Drawing on XML technology and the characteristics of malicious behaviors identified through decompilation, we design a Suspicious Behaviors Description Language (SBDL) to describe the complicated structure of malicious behaviors; this constitutes the second space of the system.

The annotation technique presented in this thesis is implemented in RADUX (Reverse Analysis for Detecting Unsafe eXecutables), a prototype aimed at analyzing and detecting malicious code, and has been validated by two testing centers. The annotation system has performed well after being set up and used by several organizations. The results show that the method and algorithm presented in the thesis are feasible and effective.
Keywords/Search Tags: Decompilation, Suspicious Behavior Annotation, Malicious Behavior, SVG, XML, Description Language