
Automated Analysis Of Malicious Code Behavior And Realization

Posted on: 2009-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: X Liang
GTID: 2208360245461532
Subject: Computer application technology

Abstract/Summary:
With the development of information technology, and of the Internet in particular, network security has drawn increasing attention, and malicious code has become a central research topic in the field. This thesis concerns automatic behavior analysis of malicious code.

Automatic behavior analysis of malware is the foundation of malware emergency response and computer forensics. It is the process of determining the behavior and purpose of a given sample, which provides the specific information needed for system restoration or loss assessment. Second, it is a necessary step in developing removal tools and the behavior signatures used by detection tools. Furthermore, malware incorporates a variety of techniques designed to defeat security tools; by analyzing malware behavior, security experts can understand these new countermeasures and develop new detection techniques.

Behavior tracing and behavior analysis are the two critical problems. Current systems use a debugger, API hooking, or a virtual machine emulator to trace program behavior. The first two cannot analyze malware that uses anti-debugging or anti-hooking techniques, while the last is complex and resource-intensive. In addition, most existing systems only list the behaviors of a sample without assessing how threatening those behaviors are. To address these problems, we aim to implement a system with an automatic and stealthy analysis process, a stable analysis environment, and a complete analysis report covering the function, purpose, and behavioral threat level of the sample.

First, we survey malware analysis and anti-analysis techniques and identify the shortcomings of current tools. Second, we propose a new behavior tracing technique, code slice execution. It monitors and analyzes the sample at the instruction level, supports program analysis at both coarse and fine granularity, and can defeat malware that uses anti-debugging and anti-hooking techniques.
Third, we study automatic analysis of malware behavior: we classify malware behaviors, build a behavioral model, and extract behavior signatures to construct a behavior rule database, which identifies malware automatically by emulating the reasoning of security experts. This analysis technique supports measurable behavior analysis, which improves the automation and intelligence of the process and frees analysts from heavy manual work.

Based on the proposed techniques, we develop an automatic malware behavior analysis system called MalAnalysis. Our experimental results demonstrate that MalAnalysis performs more effectively than existing tools. It can therefore produce direct analysis results quickly and accurately for malware handling applications, which speeds up security response and provides a sufficient basis for constructing an all-round security defense system.
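The abstract describes a behavior rule database that matches extracted behavior signatures against a sample's traced behavior and then scores the threat, but gives no details of the rule format or scoring. The Python below is an added illustration of that idea, not code from the thesis or from MalAnalysis: the event format, the four rules, their weights, the threat thresholds, and the two API-call traces are all constructed assumptions. Each rule is an ordered pattern over traced API calls whose steps can bind values (a file handle, a dropped path) that later steps must reuse, which is what separates "wrote a file and later ran some program" from "wrote a file and then ran that file".

```python
"""Behavior-rule matching over a captured API-call trace (added example).

Not the thesis's MalAnalysis code. Rules, weights, thresholds and traces are
assumptions made up for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

Event = dict  # one traced call: {"api": name, ...args}; constructed format

SYSTEM_DIR = "C:\\Windows\\System32\\"
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run"


@dataclass
class Rule:
    name: str
    category: str   # coarse behavior class (install, persistence, ...)
    weight: int     # threat contribution when the rule fires (assumed 0-10 scale)
    # Ordered steps. Each gets (event, bindings) and returns the updated
    # bindings on a match, or None. Bindings carry handles/paths between steps.
    steps: list[Callable[[Event, dict], Optional[dict]]]


def _match(steps, trace, start, bindings) -> Optional[dict]:
    """Backtracking search: every step must match a later event than the previous one."""
    if not steps:
        return bindings
    for idx in range(start, len(trace)):
        nb = steps[0](trace[idx], bindings)
        if nb is not None:
            found = _match(steps[1:], trace, idx + 1, nb)
            if found is not None:
                return found
    return None


def match_rule(rule: Rule, trace: list[Event]) -> Optional[dict]:
    return _match(rule.steps, trace, 0, {})


# --- step predicates -------------------------------------------------------
def create_writable(path_pred=lambda p: True):
    """CreateFile for writing whose path satisfies path_pred; binds handle and path."""
    def step(ev, b):
        if ev["api"] == "CreateFile" and "write" in ev["access"] and path_pred(ev["path"]):
            return {**b, "handle": ev["ret"], "path": ev["path"]}
        return None
    return step


def write_to_bound_handle(ev, b):
    return b if ev["api"] == "WriteFile" and ev["handle"] == b.get("handle") else None


def exec_bound_path(ev, b):
    return b if ev["api"] == "CreateProcess" and ev["image"] == b.get("path") else None


def set_run_key(ev, b):
    if ev["api"] == "RegSetValueEx" and RUN_KEY in ev["key"]:
        return {**b, "autorun": ev["data"]}
    return None


def connect_nonlocal(ev, b):
    if ev["api"] == "connect" and not ev["ip"].startswith(("127.", "10.", "192.168.")):
        return {**b, "remote": f'{ev["ip"]}:{ev["port"]}'}
    return None


# Assumed rule database: four behavior signatures with made-up weights.
RULES = [
    Rule("self-copy-to-system-dir", "install", 4,
         [create_writable(lambda p: p.startswith(SYSTEM_DIR)), write_to_bound_handle]),
    Rule("drop-and-execute", "execution", 6,
         [create_writable(lambda p: p.lower().endswith(".exe")),
          write_to_bound_handle, exec_bound_path]),
    Rule("run-key-persistence", "persistence", 5, [set_run_key]),
    Rule("outbound-connection", "network", 3, [connect_nonlocal]),
]


def evaluate(trace: list[Event]) -> dict:
    """Run every rule over the trace and turn the matches into a threat score."""
    matched, score, categories = {}, 0, set()
    for rule in RULES:
        b = match_rule(rule, trace)
        if b is not None:
            matched[rule.name] = b
            score += rule.weight
            categories.add(rule.category)
    # Assumed thresholds; a real rule base would calibrate these on known samples.
    level = "benign" if score == 0 else "low" if score < 5 else "medium" if score < 10 else "high"
    return {"score": score, "level": level, "categories": sorted(categories), "matched": matched}


# Constructed sample traces (not real tool output).
MALICIOUS_TRACE = [
    {"api": "CreateFile", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\tmp1.dat", "access": "read", "ret": 0x40},
    {"api": "CreateFile", "path": SYSTEM_DIR + "svchosts.exe", "access": "write", "ret": 0x44},
    {"api": "WriteFile", "handle": 0x44, "size": 61440},
    {"api": "RegSetValueEx", "key": "HKCU\\Software" + RUN_KEY, "name": "svchosts", "data": SYSTEM_DIR + "svchosts.exe"},
    {"api": "CreateProcess", "image": SYSTEM_DIR + "svchosts.exe"},
    {"api": "connect", "ip": "203.0.113.7", "port": 8080},
]
BENIGN_TRACE = [
    {"api": "CreateFile", "path": "C:\\Users\\u\\Documents\\notes.txt", "access": "write", "ret": 0x30},
    {"api": "WriteFile", "handle": 0x30, "size": 120},
    {"api": "connect", "ip": "192.168.1.10", "port": 445},
]

if __name__ == "__main__":
    for label, trace in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(label, evaluate(trace))
```

The backtracking matcher matters for the bound-value rules: a greedy scan that committed to the first `CreateFile` (the read-only temp file) would never see the `WriteFile` on that handle and would miss the drop, whereas `_match` retries the next candidate event. The report is also richer than a plain behavior list, which is the gap the abstract identifies: it names the matched rules, the values they bound (autorun entry, remote endpoint) and the coarse categories, so an analyst can see why the score was assigned.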
Keywords/Search Tags: malicious code, behavior monitor, behavior analysis, malware behavior threat, malware behavior rule database