
Research On Malware Classification And Automatic Signature Generation

Posted on: 2011-11-25    Degree: Master    Type: Thesis
Country: China    Candidate: C H Zhang
GTID: 2178360302499934    Subject: Computer application technology
Abstract/Summary:
The development of the Internet has changed people's lives. Online news, online shopping, e-education and e-commerce applications keep appearing. A new digital world, full of opportunities and challenges, is coming. In the digital world, information, especially credit card numbers, e-mail addresses and other private data, is not only an important asset but also a commodity that can be bought with money. According to statistics, the total value of the goods for sale in the underground trading system (such as credit card information, e-mail address books or game accounts) is more than 276 million U.S. dollars, of which the most common item is credit card information, costing as much as 53 billion dollars. Malicious software is currently an important tool for obtaining such commodities. In 2007, the number of documented malicious software samples (including worms, Trojans, etc.) reached 2 227 415, four times the number of 2006, and 70% of the malicious software can steal confidential information. Some malicious code can deliver spyware, Trojans and rootkits as a payload to other computers to steal information, or even damage the whole Internet. Compared with other malicious software, network worms rely on the Internet as the transmission medium for infecting computers. Malicious software and network worms are the biggest threat to Internet security, so detecting them is an important research topic.

One main contribution of this thesis is a new dynamic analysis method: a machine learning method based on API calls. The method first captures the key API calls of the program while it runs, then uses 4-grams and information gain for feature extraction, and finally uses a 2-level BKS algorithm for multi-view classification. Experiments showed a high rate of correct classification, so the method can detect and classify malware effectively.

Another important contribution of this thesis is an automatic vulnerability-based worm signature generation technique, PASG (Protocol Aware Signature Generation), for Internet worm detection. PASG combines the advantages of host-based and network-based methods. It captures attacking worms and extracts network-related and host-related information, then uses longest common substring, database training and protocol analysis techniques to automatically generate Snort-compatible signatures. The signature not only characterizes the captured worm effectively but is also useful for detecting other worms targeting the same vulnerability. Experiments showed that although the signatures are short, the false positive rate is low and the detection rate is high.
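The classification pipeline sketched above (API-call capture, 4-gram features, information-gain ranking, BKS combination of several views) can be illustrated end to end. The following is an added example written for this page, not code from the thesis: the API traces, their labels and the per-view decisions fed to the BKS table are all constructed, and the 4-gram and BKS functions are a generic reading of those techniques rather than the author's implementation.

```python
"""4-gram API-call features with information-gain ranking, plus a BKS combiner.

Added illustration; the API traces, labels and view decisions below are constructed."""
from collections import Counter, defaultdict
from math import log2

# Constructed training set: (API calls captured while the sample ran, label).
# label 1 = malicious, 0 = benign. These are invented traces, not thesis data.
TRACES = [
    (["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
      "CloseHandle", "RegSetValue", "ExitProcess"], 1),
    (["CreateFile", "ReadFile", "OpenProcess", "VirtualAllocEx",
      "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"], 1),
    (["CreateFile", "ReadFile", "WriteFile", "CloseHandle", "ExitProcess"], 0),
    (["CreateFile", "ReadFile", "ReadFile", "WriteFile", "CloseHandle"], 0),
]


def ngrams(seq, n=4):
    """Set of n consecutive API calls (as tuples) occurring in one trace."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum(c / total * log2(c / total) for c in Counter(labels).values())


def information_gain(traces, gram, n=4):
    """IG of the binary feature 'gram occurs in the trace' with respect to the label."""
    labels = [lab for _, lab in traces]
    present = [lab for seq, lab in traces if gram in ngrams(seq, n)]
    absent = [lab for seq, lab in traces if gram not in ngrams(seq, n)]
    total = len(traces)
    conditional = (len(present) / total) * entropy(present) + (len(absent) / total) * entropy(absent)
    return entropy(labels) - conditional


def select_features(traces, k, n=4):
    """Rank every n-gram seen in training by IG (ties broken lexically) and keep the top k."""
    vocab = set().union(*(ngrams(seq, n) for seq, _ in traces))
    ranked = sorted(vocab, key=lambda g: (-information_gain(traces, g, n), g))
    return ranked[:k]


def vectorize(seq, features, n=4):
    """Binary feature vector: 1 where the selected n-gram occurs in the trace."""
    present = ngrams(seq, n)
    return [1 if f in present else 0 for f in features]


def bks_train(view_decisions, labels):
    """Behavior Knowledge Space table: for each tuple of per-view decisions seen in
    training, count the true labels that produced it."""
    table = defaultdict(Counter)
    for decisions, lab in zip(zip(*view_decisions), labels):
        table[decisions][lab] += 1
    return table


def bks_predict(table, decisions, default=0):
    """Look up the decision tuple; return the majority label, or default if the cell is empty."""
    cell = table.get(tuple(decisions))
    if not cell:
        return default
    return cell.most_common(1)[0][0]


if __name__ == "__main__":
    feats = select_features(TRACES, k=3)
    for f in feats:
        print(f"{information_gain(TRACES, f):.3f}  {' -> '.join(f)}")
    for seq, lab in TRACES:
        print(lab, vectorize(seq, feats))
    # Constructed decisions of two views (e.g. a 4-gram view and a call-frequency view)
    # on the four training traces; in practice these come from per-view classifiers.
    views = [[1, 1, 0, 0], [1, 0, 0, 1]]
    table = bks_train(views, [lab for _, lab in TRACES])
    print(bks_predict(table, (1, 0)), bks_predict(table, (0, 1)))
```

The 4-grams that appear only in the malicious traces (the process-injection call chain) receive the maximum information gain of 1.0 bit and are selected first; a 4-gram that occurs in every trace would score 0 and be discarded. The BKS table is the combination stage: each tuple of per-view verdicts seen in training maps to the label that most often produced it, and unseen tuples fall back to a default, which is where a real deployment would want a reject option rather than a silent guess.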
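The PASG step that turns captured worm traffic into a Snort signature can likewise be shown in miniature: take the longest common substring of the captures, check it against legitimate traffic for false positives, and tighten it with a protocol-aware length condition. This is an added example, not the thesis's PASG implementation: the captured requests, the benign requests, the /vuln.cgi path and the sid value are all constructed placeholders, and the "database training" stage of PASG is not modelled here.

```python
"""Longest-common-substring worm signature with a Snort content rule and a
benign-traffic false-positive check. Added illustration; all captured samples,
benign requests, the /vuln.cgi path and the sid value are constructed placeholders."""

# Constructed captures of three attack attempts against the same (hypothetical)
# CGI endpoint: same request prefix, different filler bytes, different hosts.
WORM_SAMPLES = [
    b"GET /vuln.cgi?name=" + b"A" * 40 + b"\x90\x90\x90\x90 HTTP/1.0\r\nHost: alpha\r\n\r\n",
    b"GET /vuln.cgi?name=" + b"B" * 40 + b"\x90\x90\x90\x90 HTTP/1.1\r\nHost: beta\r\n\r\n",
    b"GET /vuln.cgi?name=" + b"C" * 40 + b"\x90\x90\x90\x90 HTTP/1.1\r\nHost: gamma\r\n\r\n",
]

# Constructed legitimate requests, used to measure false positives of a candidate signature.
BENIGN_SAMPLES = [
    b"GET /vuln.cgi?name=bob HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n",
]


def longest_common_substring(payloads):
    """Longest byte string present in every payload (earliest position in the
    shortest payload wins ties). Exhaustive, which is fine for a handful of captures."""
    shortest = min(payloads, key=len)
    others = [p for p in payloads if p is not shortest]
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in p for p in others):
                return cand
    return b""


def snort_content(sig):
    """Render bytes as a Snort content string: printable ASCII literally,
    everything else (and Snort's special characters) as |hex| runs."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in sig:
        if 32 <= b < 127 and chr(b) not in '";|\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append("%02X" % b)
    flush()
    return "".join(out)


def matches(payload, sig, min_tail=0):
    """Signature hit: sig occurs and at least min_tail bytes follow it
    (mirrors Snort's content match followed by isdataat:N,relative)."""
    idx = payload.find(sig)
    return idx >= 0 and len(payload) - (idx + len(sig)) >= min_tail


def generate_signature(samples, sid=1000001, port=80):
    """Derive the LCS signature, the shortest tail seen after it in the captures,
    and a Snort rule that requires both. sid is a placeholder local-rule id."""
    sig = longest_common_substring(samples)
    min_tail = min(len(p) - (p.find(sig) + len(sig)) for p in samples)
    rule = (f'alert tcp any any -> $HOME_NET {port} (msg:"PASG-style auto signature"; '
            f'flow:to_server,established; content:"{snort_content(sig)}"; '
            f'isdataat:{min_tail},relative; sid:{sid}; rev:1;)')
    return {"content": sig, "min_tail": min_tail, "rule": rule}


def false_positives(benign, sig, min_tail=0):
    """Benign payloads the candidate signature would flag."""
    return [p for p in benign if matches(p, sig, min_tail)]


if __name__ == "__main__":
    s = generate_signature(WORM_SAMPLES)
    print(s["rule"])
    print("FP with content only:", len(false_positives(BENIGN_SAMPLES, s["content"])))
    print("FP with length check:", len(false_positives(BENIGN_SAMPLES, s["content"], s["min_tail"])))
```

On these captures the LCS alone is just the request line prefix, which a legitimate request to the same endpoint also contains, so the raw substring produces a false positive. Requiring the long parameter that every capture shares (expressed with Snort's isdataat relative to the content match) is the kind of protocol-aware condition that keeps a short signature from matching normal traffic; checking candidate signatures against a benign corpus before deployment is what makes that false-positive rate measurable.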
Keywords/Search Tags: worm detection, machine learning, classify, malware detection