
Behavior-based Analysis Of Malicious Code Detection Technology And Realization

Posted on: 2011-08-04
Degree: Master
Type: Thesis
Country: China
Candidate: T Yang
GTID: 2208360308465818
Subject: Information and Communication Engineering
Abstract/Summary:
With the appearance and evolution of viruses, worms, botnets and other malicious code, information security faces a serious threat. Existing analysis and detection techniques such as signature scanning can analyze and detect malicious code to a certain extent, but they have inherent limitations: a signature matches only code that has already been seen, so new samples, variants and packed versions of known code are missed. There is therefore an urgent need for a means of analyzing malicious code in detail and detecting it by that analysis.

This thesis studies the types and features of malicious code and discusses the deficiencies of existing analysis and detection methods. On this basis it proposes a new method: the behavior of an executable is recorded by monitoring its system calls and important kernel data, and the executable is judged malicious or benign by analyzing that behavior. Because the verdict rests on what the code does rather than on the bytes it contains, the technique can detect both known and unknown malicious code, copes with variants and packed samples, detects hidden malicious behavior, analyzes behavior automatically, and produces a detailed behavior report that serves both as the basis for the verdict and as input to further analysis.

The thesis researches behavior analysis in both user mode and kernel mode and completes the design and implementation of a behavior-based malicious code analysis and detection system. The system consists of five modules: the user-mode behavior analysis module, the interrupt handling module, the kernel-mode behavior analysis module, the communication module, and the user interface module. The user-mode behavior analysis module analyzes the user-mode behavior of a binary executable; its technical core is monitoring and controlling system calls.

The kernel-mode behavior analysis module analyzes the kernel-mode behavior of a binary executable by monitoring important kernel data structures such as the SSDT (System Service Descriptor Table). The interrupt handling module and the communication module provide the interfaces between these two modules: the interrupt handling module sets hidden breakpoints and passes the context at each breakpoint to the user-mode analysis module. The user interface module generates the analysis log and presents all analysis and detection information to the user. After design and development, the system was tested with various kinds of binary executables. The results show that many behaviors of the samples can be analyzed and detected, including the typical hidden behaviors of malicious code, and that the system produces more complete and comprehensive analysis results for each sample. Because the results describe a sample's behavioral characteristics along several dimensions, they allow a better judgment of whether a piece of code is malicious. The system improves detection accuracy and overcomes the defect of signature scanning and integrity checking alone, which cannot detect unknown malicious code.
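The following is an added example, written for this page and not code from the thesis, that sketches the two analysis modules the abstract describes. The user-mode part derives named behaviors from a system-call trace; the kernel-mode part checks SSDT entries for hooks by testing whether each entry still points into the kernel image. The trace, the SSDT snapshot, the ntoskrnl load range, the behavior names and the weights are all constructed for illustration; a real implementation would obtain the trace from the hidden-breakpoint monitor and the SSDT from the kernel.

```python
"""Toy behavior-based malware detector: a user-mode module that maps a
system-call trace to behaviors, and a kernel-mode module that checks the
SSDT for hooks. All data below is constructed; nothing touches a real kernel."""
from collections import defaultdict

# Constructed user-mode trace: (syscall name, arguments) in execution order.
SAMPLE_TRACE = [
    ("NtCreateFile", {"path": "C:\\Windows\\System32\\svchosts.exe", "access": "write"}),
    ("NtWriteFile", {"path": "C:\\Windows\\System32\\svchosts.exe"}),
    ("NtSetValueKey", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       "data": "C:\\Windows\\System32\\svchosts.exe"}),
    ("NtOpenProcess", {"pid": 1234, "image": "explorer.exe"}),
    ("NtWriteVirtualMemory", {"pid": 1234, "size": 0x2000}),
    ("NtCreateThreadEx", {"pid": 1234}),
]

# Constructed kernel-mode data: an assumed ntoskrnl load range and an SSDT snapshot.
NTOSKRNL_BASE = 0xFFFFF80001000000
NTOSKRNL_SIZE = 0x600000
SAMPLE_SSDT = {
    0x42: ("NtQueryDirectoryFile", 0xFFFFF80001234560),
    0x52: ("NtQuerySystemInformation", 0xFFFFF88003A1F000),  # points into a foreign driver
    0xB3: ("NtCreateFile", 0xFFFFF800012FF100),
}

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
SYSTEM_DIRS = ("C:\\Windows\\",)
INJECTION_SEQUENCE = ("NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx")


def find_injection(trace):
    """Return pids for which open/write-memory/create-thread occur in order."""
    progress = defaultdict(int)  # pid -> number of sequence steps seen so far
    hit = []
    for name, args in trace:
        pid = args.get("pid")
        if pid is None:
            continue
        if name == INJECTION_SEQUENCE[progress[pid]]:
            progress[pid] += 1
            if progress[pid] == len(INJECTION_SEQUENCE):
                hit.append(pid)
                progress[pid] = 0
    return hit


def analyze_user_mode(trace):
    """User-mode module: map raw system calls to (behavior, weight, evidence)."""
    findings = []
    for name, args in trace:
        path = args.get("path", "")
        if name == "NtWriteFile" and path.startswith(SYSTEM_DIRS) and path.lower().endswith(".exe"):
            findings.append(("drops_executable_in_system_dir", 2, path))
        if name == "NtSetValueKey" and args.get("key", "").endswith(AUTORUN_KEYS):
            findings.append(("registry_autorun_persistence", 3, args["key"]))
    for pid in find_injection(trace):
        findings.append(("remote_code_injection", 5, f"pid={pid}"))
    return findings


def check_ssdt(ssdt, base=NTOSKRNL_BASE, size=NTOSKRNL_SIZE):
    """Kernel-mode module: an SSDT entry outside the ntoskrnl image is hooked."""
    return [(idx, name, addr) for idx, (name, addr) in sorted(ssdt.items())
            if not base <= addr < base + size]


def verdict(findings, hooks, threshold=5):
    """Combine weighted user-mode findings and kernel hooks into a score and label."""
    score = sum(w for _, w, _ in findings) + 4 * len(hooks)
    label = "malicious" if score >= threshold else ("suspicious" if score > 0 else "benign")
    return score, label


def report(trace=SAMPLE_TRACE, ssdt=SAMPLE_SSDT):
    """Produce the behavior report the user interface module would log."""
    findings = analyze_user_mode(trace)
    hooks = check_ssdt(ssdt)
    score, label = verdict(findings, hooks)
    lines = [f"verdict: {label} (score {score})"]
    lines += [f"  [user]   {b} weight={w} evidence={e}" for b, w, e in findings]
    lines += [f"  [kernel] SSDT[{i:#x}] {n} -> {a:#x} outside ntoskrnl" for i, n, a in hooks]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Two points worth noting. The injection rule matches a sequence per target process rather than counting individual calls, which is what lets a behavioral detector survive packing: the packer changes the bytes on disk, not the order of calls the unpacked payload makes. The SSDT check is deliberately coarse: it catches an entry redirected into a third-party driver, but an inline hook that patches the first bytes of a handler inside ntoskrnl keeps the table pointer in range and would pass, so a real kernel-mode module also needs to compare handler prologues or the table against a known-good copy.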
Keywords/Search Tags: malicious code, behavior of user state, behavior of kernel state, behavior analysis