
Distributed Malware Detection Based On Host Abnormal Behavior

Posted on: 2012-10-03
Degree: Master
Type: Thesis
Country: China
Candidate: J W Yan
Full Text: PDF
GTID: 2218330341951759
Subject: Computer technology

Abstract/Summary:
In recent years, malware such as viruses, worms and Trojans has spread over the network more frequently than before. Meanwhile, the techniques malware adopts keep developing, which poses a serious threat to the security of normal network applications. Deploying malware detection technology on hosts or on the network is an effective measure for reducing this threat.

Two main malware detection and prevention technologies are widely used. One is signature-based detection of malware entities, represented by anti-virus software. The other is detection based on signatures of attack behavior, represented by Network Intrusion Detection Systems. The former cannot detect unknown malware, nor malware processed by techniques such as polymorphism, metamorphism or packing. The latter can detect unknown malware, but it has a high false alert rate. The research in this paper focuses on the weaknesses of these two main detection technologies.

The paper studies and analyzes existing detection technologies and then proposes a malware detection framework based on host abnormal behavior. Its main contributions are the following.

1. Based on an analysis of the advantages and disadvantages of network-based and host-based malware detection, a distributed malware detection model is proposed. The principle of the model is that when host-based detection cannot judge whether a behavior is caused by malware, the behavior is examined on the distributed detection network.

2. A distributed malware detection algorithm based on host abnormal behavior is proposed. The algorithm consists of an active-propagation malware detection algorithm and a non-active-propagation malware detection algorithm.

3. A strategy for reconstructing the propagation path of abnormal behavior is proposed. When the distributed detection algorithm cannot judge whether an abnormal behavior is caused by malware, its propagation path is reconstructed, and the user can judge the abnormal behavior with reference to the reconstructed propagation path.

4. A simulation in the NS-2 environment tests the effectiveness of the detection method proposed in this paper. The simulation results show that the method is effective in detecting malware, and that reconstructing the propagation path further reduces the method's false negative rate.

The simulation results show that the method proposed in this paper is effective in detecting malware and can offer research ideas for malware detection technology; the method is also a useful reference for both theory and engineering practice.
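The abstract describes a three-stage pipeline (host-based verdict, escalation to a distributed detection stage, propagation-path reconstruction for what is still undecided) but gives no detail of the algorithms. The following is an added toy model written for this page, not the thesis's code or its NS-2 simulation. Everything in it is an assumption: the `AbnormalEvent` record, the `Coordinator` class, the constructed threshold rules standing in for the active-propagation and non-active-propagation algorithms, and the sample telemetry. It shows the control flow the abstract implies: a host answers only when its local knowledge base can, unknown behaviors are pooled across hosts, and a behavior that the pool still cannot classify gets its cross-host propagation path rebuilt from source links for the analyst.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MALWARE, BENIGN, UNKNOWN = "MALWARE", "BENIGN", "UNKNOWN"


@dataclass(frozen=True)
class AbnormalEvent:
    """One abnormal-behavior observation from a host sensor (constructed schema)."""
    host: str
    behavior: str            # label the host sensor assigned to the behavior
    source: Optional[str]    # remote host the triggering data arrived from, or None
    time: int                # logical clock, constructed for the example


def local_verdict(event: AbnormalEvent, known_bad: Set[str], known_good: Set[str]) -> str:
    """Host-based stage: decide only when local knowledge suffices, else UNKNOWN."""
    if event.behavior in known_bad:
        return MALWARE
    if event.behavior in known_good:
        return BENIGN
    return UNKNOWN


class Coordinator:
    """Distributed stage: pools UNKNOWN events escalated by all hosts."""

    def __init__(self, host_threshold: int = 3):
        self.host_threshold = host_threshold
        self.events: Dict[str, List[AbnormalEvent]] = defaultdict(list)

    def report(self, event: AbnormalEvent) -> None:
        self.events[event.behavior].append(event)

    def distributed_verdict(self, behavior: str) -> str:
        """Constructed rules standing in for the two algorithms named in the abstract."""
        evs = self.events.get(behavior, [])
        hosts = {e.host for e in evs}
        spreads = any(e.source is not None and e.source != e.host for e in evs)
        # Active propagation: the same unknown behavior moves host to host
        # and has reached at least `host_threshold` hosts.
        if spreads and len(hosts) >= self.host_threshold:
            return MALWARE
        # Non-active propagation: no host-to-host link, but the identical unknown
        # behavior appears on many unrelated hosts (stricter threshold, constructed).
        if not spreads and len(hosts) >= 2 * self.host_threshold:
            return MALWARE
        return UNKNOWN

    def propagation_path(self, behavior: str, host: str) -> List[str]:
        """Rebuild the propagation path ending at `host` by following source links
        backwards to the earliest host seen; the `seen` set guards against cycles."""
        parent: Dict[str, Optional[str]] = {}
        for e in sorted(self.events.get(behavior, []), key=lambda e: e.time):
            parent.setdefault(e.host, e.source)   # keep the first-seen origin per host
        path: List[str] = []
        seen: Set[str] = set()
        cur: Optional[str] = host
        while cur is not None and cur not in seen:
            seen.add(cur)
            path.append(cur)
            cur = parent.get(cur)
        return list(reversed(path))


def run_example() -> Tuple[Coordinator, Dict[Tuple[str, str], str], Dict[str, str]]:
    """Drive the pipeline over constructed sample telemetry."""
    known_bad = {"known-worm-scan"}          # constructed local signatures
    known_good = {"windows-update"}
    events = [                                # constructed sample events
        AbnormalEvent("h1", "unsigned-service-install", None, 1),
        AbnormalEvent("h2", "unsigned-service-install", "h1", 2),
        AbnormalEvent("h3", "unsigned-service-install", "h2", 3),
        AbnormalEvent("h4", "odd-registry-write", None, 1),
        AbnormalEvent("h5", "known-worm-scan", "h3", 4),
    ]
    coord = Coordinator(host_threshold=3)
    local: Dict[Tuple[str, str], str] = {}
    for e in events:
        v = local_verdict(e, known_bad, known_good)
        local[(e.host, e.behavior)] = v
        if v == UNKNOWN:                       # escalate only what the host cannot decide
            coord.report(e)
    distributed = {b: coord.distributed_verdict(b) for b in coord.events}
    return coord, local, distributed


if __name__ == "__main__":
    coord, local, distributed = run_example()
    for behavior, verdict in distributed.items():
        print(behavior, verdict)
        if verdict == UNKNOWN:                 # hand the analyst the reconstructed path
            for host in {e.host for e in coord.events[behavior]}:
                print("  path to", host, "->", coord.propagation_path(behavior, host))
```

In the sample run, `unsigned-service-install` is undecided on each host but is seen moving h1 to h2 to h3, so the pooled stage flags it; `odd-registry-write` stays undecided and the coordinator instead returns the one-hop path `['h4']` for inspection, which is the point at which the abstract hands the decision to the user.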
Keywords/Search Tags: Malware, Detection, Behavior analysis, Propagation tree