
Research And Application Of The Malicious Code Behavior Analysis Technology

Posted on: 2010-10-06
Degree: Master
Type: Thesis
Country: China
Candidate: L Liu
Full Text: PDF
GTID: 2178360275977780
Subject: Computer software and theory

Abstract/Summary:
As the number of computer viruses grows, more and more polymorphic viruses defeat signature (feature code) detection, the traditional method of detecting and removing viruses. Because signature development always lags behind the viruses themselves, an unknown virus whose signature is not yet in the signature library cannot be removed. Researchers are therefore looking for a general virus detection and removal method that can cope with the sheer quantity of viruses.

Behavior analysis can identify unknown malicious code, which has made such methods a hot topic in the security field. Security software based on behavior analysis has a self-learning capability, so it can strengthen system security automatically. The software monitors the system's behavior pattern and records the normal pattern; when abnormal behavior exceeds a threshold, the software analyzes the anomalies, judges whether the system has been attacked or infected by a virus, and takes countermeasures.

Before behavior analysis can be applied, the behavioral features of viruses must be identified. This dissertation summarizes 35 virus behavior features across the injection, installation and running phases and defines a feature vector from them. The method for capturing virus behavior is described in detail. Given the large number of new virus samples that must be analyzed every day, a new automatic PE sample analysis system was also designed; it is an online system, which meets users' needs. The classification algorithm combines the attribute values of multiple samples to classify them, and the classified samples are then used as training samples for classifying samples of unknown category. Based on the behavior data of sample programs, the dissertation models a minimum distance classifier for Black & White detection and an AdaBoost classifier for Black & Gray detection.

The dissertation tested both classifiers on Black and Gray samples and showed that AdaBoost can reduce the false negative rate on gray samples.
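As an added illustration of the Black & White detection approach described above (example code written for this page, not code from the thesis), the following sketch turns observed behaviors into a feature vector and trains a minimum distance (nearest-centroid) classifier on labelled samples. The feature names and training samples are constructed for the example; they are not the 35 features the dissertation defines.

```python
import math

# Hypothetical behaviour features (not the thesis's 35), grouped by the
# injection, installation and running phases the abstract names.
FEATURES = [
    "inject:writes_remote_process_memory", "inject:creates_remote_thread",
    "install:writes_run_registry_key", "install:copies_self_to_system_dir",
    "run:disables_security_software", "run:opens_outbound_socket",
    "run:writes_user_documents",
]

def to_vector(behaviours):
    """Map the set of behaviours observed for one sample to a 0/1 feature vector."""
    return [1.0 if f in behaviours else 0.0 for f in FEATURES]

def centroid(vectors):
    # Mean vector of one class; the classifier measures distance to it.
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(FEATURES))]

def distance(a, b):
    # Euclidean distance between two feature vectors.
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class MinimumDistanceClassifier:
    """Nearest-centroid classifier: the class whose mean vector is closest wins."""
    def __init__(self):
        self.centroids = {}
    def fit(self, labelled):
        by_label = {}
        for behaviours, label in labelled:
            by_label.setdefault(label, []).append(to_vector(behaviours))
        self.centroids = {lab: centroid(vs) for lab, vs in by_label.items()}
    def predict(self, behaviours):
        v = to_vector(behaviours)
        dists = {lab: distance(v, c) for lab, c in self.centroids.items()}
        return min(dists, key=dists.get)

# Constructed training set: "black" = known malicious, "white" = known benign.
TRAINING = [
    ({"inject:writes_remote_process_memory", "inject:creates_remote_thread",
      "install:writes_run_registry_key", "run:disables_security_software"}, "black"),
    ({"install:copies_self_to_system_dir", "run:disables_security_software",
      "run:opens_outbound_socket"}, "black"),
    ({"run:opens_outbound_socket", "run:writes_user_documents"}, "white"),
    ({"run:writes_user_documents"}, "white"),
    ({"install:writes_run_registry_key", "run:opens_outbound_socket"}, "white"),
]

def classify(behaviours):
    # Train on the constructed set, then label one unknown sample.
    clf = MinimumDistanceClassifier()
    clf.fit(TRAINING)
    return clf.predict(behaviours)
```

A single registry autostart write does not by itself pull a sample toward the black centroid here, because one of the white training samples also shows it; the classifier weighs the whole vector, which is the point of the feature-vector approach.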
Keywords/Search Tags: malicious code, behavior analysis, WIN32 API, Minimum Distance Classifier, AdaBoost algorithm