
Malware Detection Based On Expert System

Posted on: 2010-08-30
Degree: Master
Type: Thesis
Country: China
Candidate: R L Zhou
Full Text: PDF
GTID: 2178360302959558
Subject: Network Communication System and Control

Abstract/Summary:
Malware detection is a crucial aspect of software security. The traditional detection method is signature scanning, the simplest approach to detecting computer viruses: it uses an extracted sequence of bytes (a string) that is typical of the virus but unlikely to be found in clean programs. This method, however, only processes the byte code of a program and ignores the program's behavior. With the explosive growth in the categories and quantity of malware, extracting signatures consumes ever more manpower and physical resources. More importantly, the nature of this technique means it can detect only known malware, and it is defeated by evasion techniques such as polymorphism, metamorphism, obfuscation and packers. Heuristic detection techniques have therefore been introduced to overcome this drawback. This thesis combines behavioral analysis of malware with expert systems and proposes a new heuristic detection technique based on an expert system.

Based on expert knowledge of the major suspicious behaviors of malware, the knowledge base of the expert system is built; a behavior-gathering component intercepts anomalous behaviors occurring in the operating system and collects the significant traces left by malware; the expert system then performs inference and reports the result. To show that this method is effective, the main work of this thesis is as follows. First, a malware detection system framework based on an expert system is proposed. Second, using dynamic analysis of malware together with accumulated experience, the behavioral characteristics of memory-resident viruses, trojan horses and rootkits are summarized. Third, from these behavioral characteristics and the knowledge-representation facilities of the expert system tool CLIPS, expression methods for the various kinds of behavior are summarized, for example the "create file" operation, the "write memory" operation and the "hook" operation. Fourth, from these behavioral characteristics and the production-rule representation, inference rules for memory-resident viruses, trojan horses and rootkits are constructed. The main innovations of this thesis are: applying an expert system to host-based malware detection; using the suspicious behaviors of malware as knowledge, which effectively avoids the weakness of signature scanning; and the use of low-level behaviors and a behavior-trace acquisition engine that can effectively resist rootkits.
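The abstract describes the pipeline only in outline: intercepted operations become facts, production rules over those facts conclude a malware class, and the engine reports the result. The following Python block is an added example, not the thesis's CLIPS knowledge base, that shows the shape of such a system end to end: a constructed behavior trace, extraction of symbolic facts from it, a small forward-chaining rule engine, and a verdict with the list of rules that fired as its explanation. The event vocabulary (`create_file`, `write_memory`, `hook`, and so on), the base-fact heuristics and the three class rules are assumptions chosen for illustration, not the rules of the thesis.

```python
"""Toy forward-chaining behavior classifier in the spirit of the thesis's
expert-system approach. Added example, not the thesis's CLIPS knowledge
base: the event vocabulary, the base facts and the rules are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One intercepted operation, as a behavior-gathering component might log it."""
    op: str                # "create_file", "write_file", "write_memory", "hook", "stay_resident"
    target: str            # file path, process name, or hooked table/API
    subject: str = "self"  # process that performed the operation


def base_facts(trace):
    """Map raw events to symbolic facts (the expert system's working memory).
    Each mapping is an assumed heuristic, not a rule from the thesis."""
    facts = set()
    for ev in trace:
        t = ev.target.lower()
        if ev.op == "create_file" and "\\startup\\" in t:
            facts.add("autostart_persistence")      # drops a file into an autostart folder
        elif ev.op == "write_file" and t.endswith(".exe"):
            facts.add("writes_executable")          # patches another executable
        elif ev.op == "write_memory" and ev.target != ev.subject:
            facts.add("cross_process_write")        # writes into another process's memory
        elif ev.op == "hook" and t == "ssdt":
            facts.add("kernel_hook")                # hooks a kernel dispatch table
        elif ev.op == "hook" and t == "process_enumeration_api":
            facts.add("hooks_process_enumeration")  # common way to hide processes
        elif ev.op == "stay_resident":
            facts.add("stays_resident")
    return facts


# Production rules: (name, facts that must all hold, fact concluded). Assumed, illustrative.
RULES = [
    ("trojan: persistence + code injection",
     {"autostart_persistence", "cross_process_write"}, "suspect:trojan"),
    ("rootkit: kernel hook that hides processes",
     {"kernel_hook", "hooks_process_enumeration"}, "suspect:rootkit"),
    ("resident virus: stays resident and patches executables",
     {"stays_resident", "writes_executable"}, "suspect:memory_resident_virus"),
    ("verdict: any suspect class", {"suspect:trojan"}, "verdict:malicious"),
    ("verdict: any suspect class", {"suspect:rootkit"}, "verdict:malicious"),
    ("verdict: any suspect class", {"suspect:memory_resident_virus"}, "verdict:malicious"),
]


def infer(facts):
    """Forward-chain until no rule adds a new fact. Returns (facts, rules fired in order)."""
    facts = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for name, needs, concludes in RULES:
            if needs <= facts and concludes not in facts:
                facts.add(concludes)
                fired.append(name)
                changed = True
    return facts, fired


def classify(trace):
    """Run a trace through fact extraction and inference; the fired rules are the explanation."""
    facts, fired = infer(base_facts(trace))
    return {
        "verdict": "malicious" if "verdict:malicious" in facts else "benign",
        "classes": sorted(f.split(":", 1)[1] for f in facts if f.startswith("suspect:")),
        "explanation": fired,
    }


# Constructed sample traces (not real captures).
TROJAN_TRACE = [
    Event("create_file", r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"),
    Event("write_memory", "explorer.exe", subject="svc.exe"),
    Event("create_file", r"C:\Users\victim\Documents\report.docx"),
]
BENIGN_TRACE = [
    Event("create_file", r"C:\Users\victim\Documents\report.docx"),
    Event("write_memory", "self"),
]
ROOTKIT_TRACE = [
    Event("hook", "ssdt"),
    Event("hook", "process_enumeration_api"),
]

if __name__ == "__main__":
    for label, trace in (("trojan", TROJAN_TRACE), ("benign", BENIGN_TRACE), ("rootkit", ROOTKIT_TRACE)):
        print(label, classify(trace))
```

The point of keeping the rules as data rather than as `if` chains is the one the abstract makes about expert systems: the knowledge base can be extended with a new production rule without touching the inference engine, and the list of fired rules doubles as the justification a reviewer can check. In a real deployment the base-fact layer is where the rootkit-resistance the abstract mentions would have to live, since a rule engine can only reason over the traces the gathering component actually sees.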
Keywords/Search Tags: heuristic technique, expert system, behavior detection