
Malicious Code Identification System Based On Behavior Analysis

Posted on: 2011-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: P Chen
Full Text: PDF
GTID: 2208360308467252
Subject: Information and Communication Engineering
Abstract/Summary:
Network security has become a major threat to people's lives, and malicious code in particular: the economic losses it causes exceed billions of dollars. Because new malicious code appears at an increasing rate, traditional signature-based static detection has difficulty finding unknown malicious code, whereas behavior-based detection can detect unknown malicious code effectively. Research on malicious code therefore has important theoretical and practical significance.

The main work of this thesis is as follows:

(1) We acquired the precise behavior of a sample without affecting the normal operation of the system. Using debugger technology inside a virtual machine, the behavior of the sample can be captured accurately, and running the behavior monitoring module inside the virtual machine protects the physical computer from being infected by viruses.

(2) This thesis selected behaviors with a high degree of association using a weight adjustment algorithm based on information gain. It combined the Naïve Bayes algorithm with the information-gain-based feature weight adjustment algorithm, trained on classified samples, established a feature library, and identified malicious code with the Naïve Bayes algorithm through data mining.

(3) We obtained samples' behaviors automatically and continuously using virtual machine automation technology. Using VMware's VIX API, the system obtains a sample's behavior without manual operation: it operates the virtual machine, obtains the sample's behavior, and retrieves the behavior monitoring report automatically.

Tests in a real environment show that the behavior-analysis-based malicious code recognition system in this thesis can obtain samples' behavior accurately, and the samples were tested with the Naïve Bayes algorithm. On inspection, the system can obtain a sample's behavior and identify its category, but the accuracy still needs further improvement.
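As an added illustration of the classification step in item (2), not code from the thesis: information gain scores each sandbox-observed behavior, and a Bernoulli Naïve Bayes classifier trained on constructed behavior reports uses those scores as feature weights. The behavior names, labels and the exact weighting scheme (scaling each feature's log-likelihood by its information gain) are assumptions.

```python
import math
from collections import Counter

# Constructed training set (not from the thesis): each sample is a label plus the
# set of behaviors its sandbox run reported. Names and labels are made up.
TRAINING = [
    ("malicious", {"write_autorun_key", "create_remote_thread", "connect_out", "write_file"}),
    ("malicious", {"write_autorun_key", "drop_in_system_dir", "connect_out", "write_file"}),
    ("malicious", {"create_remote_thread", "drop_in_system_dir", "write_file"}),
    ("malicious", {"write_autorun_key", "connect_out", "write_file"}),
    ("benign", {"write_file", "read_registry", "connect_out"}),
    ("benign", {"write_file", "read_registry"}),
    ("benign", {"read_registry", "create_window"}),
    ("benign", {"write_file", "create_window", "connect_out"}),
]

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(samples, behavior):
    """IG of one binary behavior feature: H(label) - H(label | behavior observed?)."""
    labels = [lab for lab, _ in samples]
    present = [lab for lab, beh in samples if behavior in beh]
    absent = [lab for lab, beh in samples if behavior not in beh]
    conditional = sum(len(p) / len(samples) * entropy(p) for p in (present, absent) if p)
    return entropy(labels) - conditional

def train(samples):
    """Bernoulli Naive Bayes with Laplace smoothing; IG per feature is the assumed weight."""
    features = sorted(set().union(*(beh for _, beh in samples)))
    model = {"features": features, "prior": {}, "cond": {}, "weight": {}}
    for c in sorted({lab for lab, _ in samples}):
        rows = [beh for lab, beh in samples if lab == c]
        model["prior"][c] = len(rows) / len(samples)
        model["cond"][c] = {f: (sum(f in r for r in rows) + 1) / (len(rows) + 2) for f in features}
    model["weight"] = {f: information_gain(samples, f) for f in features}
    return model

def classify(model, behaviors):
    """Return the class with the highest IG-weighted log posterior."""
    scores = {}
    for c, prior in model["prior"].items():
        score = math.log(prior)
        for f in model["features"]:
            p = model["cond"][c][f] if f in behaviors else 1 - model["cond"][c][f]
            score += model["weight"][f] * math.log(p)  # low-IG behaviors barely count
        scores[c] = score
    return max(scores, key=scores.get)
```

With the constructed data, behaviors seen in only one class (autorun key writes, registry reads) receive the highest weights, while behaviors common to both classes (file writes, outbound connections) contribute little to the decision.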
Keywords/Search Tags: malicious code, virtual machine, behavior monitoring, Naive Bayes