Research On Key Technologies For Malicious-degree Decision Of Program Behaviors Based On Dynamic Fuzzy Neural Network

Posted on: 2011-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: F Yue
Full Text: PDF
GTID: 2178330338985407
Subject: Computer software and theory
Abstract/Summary:
In recent years, with the explosion of malicious code on the Internet, computer systems have faced serious security threats. Malicious code is becoming more and more sophisticated as it widely adopts advanced techniques such as polymorphism and self-mutation. The traditional method of detecting intrusions and viruses is characteristic-based (signature-based), which is highly efficient but has obvious limitations. It has difficulty detecting complex attacks because it lags behind the generation of new viruses and relies on a single measurement method based on characteristics. Many studies indicate that although the byte signature differs between a virus and its mutations, or between known viruses and unknown malicious code, the functionality and key behaviors are almost the same. Therefore, researchers have begun to pay more attention to malicious code detection from the perspective of behavior analysis.

This thesis presents a malicious-degree decision system based on a dynamic fuzzy neural network. By integrating fuzzy reasoning and neural networks from artificial intelligence, the system gives a comprehensive evaluation, the malicious degree, by analyzing the behaviors of unknown code.

Firstly, to change the situation in which most current studies extract program behaviors only through function calls, this thesis adopts a comprehensive scheme that obtains behaviors in several phases of the decompilation process: file structure analysis, instruction sequence analysis, and function call identification.

Secondly, because viruses use diversified obfuscation methods to hinder function call identification, this thesis analyzes the most common obfuscation, which inserts data after a call instruction, and gives an effective identification algorithm that correctly identifies function calls.

Thirdly, to solve the problem of how to use a virus's actions to recognize similar behaviors, behaviors with similar functions are classified, and a scheme based on the calculation of weighted similarity is designed to identify the program behaviors in function calls.

Fourthly, because of the uncertain correlation between behaviors and the complexity of the analysis process, a dynamic fuzzy neural network decision system is designed and implemented. The fuzzy reasoning rules are created and modulated during the training process by the dynamic neural network, and the malicious-degree decision is made by a fuzzy reasoning system based on the fuzzy rules in the rule library.

Finally, this decision system makes determinations on mutated and unknown malicious executables and solves the problems of how to establish effective rules and how to make determinations with those rules.

The behavior-based detection method presented in this thesis has an initial implementation and application in VDUC (Vulnerabilities Detector for Unsafe Code), a prototype system for security vulnerability detection designed for national 863 projects. The method is compared with simple and multiple Bayes at the end. The experimental results and comparison show that this decision system can achieve good results in detecting polymorphic and unknown viruses.
Keywords/Search Tags: Malicious Code Detecting, Behaviors Analysis, Function Call, Obfuscation, Similarity Identification, Dynamic Fuzzy Neural Network