With the development of network technology and the arrival of the information era, people increasingly transmit files and share information over the Internet. Along with this convenience, the Internet also brings many network security problems. According to CNCERT (the National Computer Network Emergency Response Technical Team/Coordination Center of China), the number of network security incidents in 2008 increased markedly over the same period in 2007. Among all network threats, malicious code accounted for the largest share and caused the most serious damage.

This thesis studies dynamic behavior analysis of malicious code. A survey of current analysis methods found that most are effective at identifying known malicious code but ineffective against unknown viruses and their variants, especially samples equipped with anti-debugging and anti-analysis techniques. To address these shortcomings, the thesis proposes a new approach based on dynamic behavior analysis, which detects malicious code by monitoring, capturing and analyzing the system calls issued by a process together with their context.

Specifically, the following work was done in this thesis.
(1) The basic principles, attack techniques and survival abilities of malicious code were summarized.
(2) Current analysis and detection techniques were studied and compared. Most were found to be effective at identifying known malicious code but ineffective against unknown viruses and their variants, especially those with anti-debugging and anti-analysis capabilities.
(3) A large number of malware samples were collected and used as training data to extract common behavior signatures, from which the rule database was built.
(4) Based on the new approach, a semi-automatic prototype system for dynamic malware analysis was designed and implemented; it generates a detailed report for the virus analyst.

The experimental results show that the system identifies malicious behavior in applications with low system overhead and high detection efficiency. Because it includes disassembly and debugging capabilities, the system can also serve as a debugger for static analysis or manual debugging.
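The core of items (3) and (4) above is matching behavior-signature rules from the rule database against the system calls captured from a running process. The following is an added example of that matching step, written for this page and not code from the thesis or its prototype system: each rule is an ordered sequence of call patterns that must all come from the same process and may bind variables (a dropped file path, a target process id) that later steps have to agree on. The three rules, the Windows API names used as call names and the trace itself are constructed for the demonstration and are not identifiers or data from the thesis.

```python
# Added example, not code from the thesis: behavior-signature rules matched against a
# captured system-call trace, one state machine per process. Trace, rule and API names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class SyscallEvent:
    seq: int                 # position in the trace
    pid: int                 # calling process
    name: str                # monitored API / system call
    args: Dict[str, object]  # captured arguments (the call's context)

@dataclass
class BehaviorRule:
    name: str
    severity: int
    steps: List[Callable[[SyscallEvent, dict], Optional[dict]]]  # ordered, one process

def step(call: str, where=None, **checks):
    """Step matching `call`. A check is a '$var' (bind once, must agree later), a
    predicate on the argument, or a literal; `where(ev, bindings)` is an extra test."""
    def match(ev: SyscallEvent, bindings: dict) -> Optional[dict]:
        if ev.name != call:
            return None
        new = dict(bindings)
        for arg, check in checks.items():
            if arg not in ev.args:
                return None
            val = ev.args[arg]
            if isinstance(check, str) and check.startswith("$"):
                if new.get(check, val) != val:
                    return None
                new[check] = val
            elif callable(check):
                if not check(val):
                    return None
            elif val != check:
                return None
        if where is not None and not where(ev, new):
            return None
        return new
    return match

@dataclass
class Detection:
    rule: str
    pid: int
    severity: int
    evidence: List[int]      # seq numbers of the events that matched
    bindings: dict

def scan_trace(events, rules) -> List[Detection]:
    found: List[Detection] = []
    partial: Dict[tuple, list] = {}  # (pid, rule) -> [(next_step, bindings, evidence)]
    for ev in events:
        for rule in rules:
            key, kept = (ev.pid, rule.name), []
            for idx, b, evid in partial.get(key, []) + [(0, {}, [])]:  # fresh attempt each event
                nb = rule.steps[idx](ev, b)
                if nb is None:
                    if idx > 0:  # partly matched: keep waiting for the next step
                        kept.append((idx, b, evid))
                elif idx + 1 == len(rule.steps):
                    found.append(Detection(rule.name, ev.pid, rule.severity, evid + [ev.seq], nb))
                else:
                    kept.append((idx + 1, nb, evid + [ev.seq]))
            partial[key] = kept
    return found

RULES = [
    BehaviorRule("autorun_persistence", 3, [
        step("RegSetValueEx", key=lambda k: "\\currentversion\\run" in k.lower())]),
    BehaviorRule("drop_and_execute", 4, [
        step("CreateFile", path="$path", access=lambda a: "WRITE" in a),
        step("WriteFile", path="$path"),
        step("CreateProcess", image="$path")]),
    BehaviorRule("remote_thread_injection", 5, [
        step("OpenProcess", target="$target", where=lambda ev, b: b["$target"] != ev.pid),
        step("WriteProcessMemory", target="$target"),
        step("CreateRemoteThread", target="$target")]),
]

DROP = "C:\\Users\\u\\AppData\\Local\\Temp\\svch0st.exe"
TRACE = [  # constructed: 1001 drops and persists, 2002 injects, 3003 is benign
    SyscallEvent(1, 1001, "CreateFile", {"path": DROP, "access": "GENERIC_WRITE"}),
    SyscallEvent(2, 1001, "WriteFile", {"path": DROP}),
    SyscallEvent(3, 1001, "RegSetValueEx", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "data": DROP}),
    SyscallEvent(4, 1001, "CreateProcess", {"image": DROP}),
    SyscallEvent(5, 1001, "OpenProcess", {"target": 1001}),  # opens itself: not injection
    SyscallEvent(6, 2002, "OpenProcess", {"target": 640}),
    SyscallEvent(7, 2002, "WriteProcessMemory", {"target": 640}),
    SyscallEvent(8, 2002, "CreateRemoteThread", {"target": 640}),
    SyscallEvent(9, 3003, "CreateFile", {"path": "C:\\Users\\u\\notes.txt", "access": "GENERIC_READ"}),
]

if __name__ == "__main__":
    for d in scan_trace(TRACE, RULES):
        print(d)
```

Keying the partial matches by process keeps one sample's drop-and-execute sequence from being stitched together from calls made by unrelated processes, and the `where` predicate on `OpenProcess` shows why raw call names are not enough: a process opening a handle to itself is routine, and only a foreign target plus a following write and thread creation counts as injection. A real rule database would also carry time windows and argument normalization, which this example omits.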