
Research On Computer Virus Behavior-based Detection

Posted on: 2012-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: M S Zou
Full Text: PDF
GTID: 2218330362456567
Subject: Information security
Abstract/Summary:
With the spread of computers into every field, the design and distribution of computer viruses has become a complete and profitable industrial chain. Today's viruses are far more numerous and far more damaging than before. Against this threat, virus detection, as the first step of virus prevention, plays an increasingly important role. Traditional virus detection relies on signature-based methods; because of their shortcomings, behavior-based detection methods have developed rapidly in recent years. Their basic premise is that a virus, in order to carry out its specific functions, must exhibit behaviors that distinguish it from ordinary programs.

Applying a Support Vector Machine (SVM), this thesis constructs a feature space of virus API call vectors. Training a classifier yields a hyperplane that divides the API space into two parts, one representing viruses and the other normal programs. The thesis further collects the behaviors of different kinds of viruses and introduces a 1-v-1 multi-class SVM to detect viruses of different kinds.

This method, however, takes only the API call sequence as the program's behavior feature and ignores the differences between individual API calls during detection. The thesis therefore divides virus behavior into separate function modules by bringing DLLs into detection: APIs in different modules carry different importance. DLLs and APIs are both treated as resources that a program calls, and from the calling relationship between DLLs and APIs, a program's calling resources can be drawn as a tree, the program behavior resource tree. Important block structures selected from this tree serve as the program's behavior features.

Finally, a virus detection model based on the behavior resource tree is proposed and verified by experiment, providing a useful reference for virus detection.
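As an added illustration (not code from the thesis), the following Python sketch builds a behavior resource tree from constructed (DLL, API) call traces, turns each DLL block and API leaf into a feature vector, and trains 1-v-1 linear SVMs with a Pegasos-style subgradient solver standing in for the thesis's SVM training. The traces and their labels, the block-selection rule (every DLL block seen in training counts as important) and the feature layout are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations
TRACES = [  # constructed (DLL, API) call traces with hypothetical labels; not real malware data
    (0, [("kernel32.dll", "CreateFileW"), ("kernel32.dll", "ReadFile"), ("user32.dll", "MessageBoxW")]),
    (0, [("kernel32.dll", "ReadFile"), ("user32.dll", "CreateWindowExW"), ("gdi32.dll", "TextOutW")]),
    (1, [("kernel32.dll", "FindFirstFileW"), ("kernel32.dll", "FindNextFileW"), ("kernel32.dll", "WriteFile")]),
    (1, [("kernel32.dll", "FindFirstFileW"), ("kernel32.dll", "WriteFile"), ("kernel32.dll", "WriteFile")]),
    (2, [("wininet.dll", "InternetOpenW"), ("wininet.dll", "InternetReadFile"), ("kernel32.dll", "WriteFile")]),
    (2, [("wininet.dll", "InternetOpenW"), ("wininet.dll", "InternetConnectW"), ("kernel32.dll", "CreateProcessW")]),
]  # class 0 = normal program, 1 = file-infecting virus, 2 = downloader

def resource_tree(trace):
    """Behavior resource tree: DLL node (function module) -> API leaf -> call count."""
    tree = defaultdict(lambda: defaultdict(int))
    for dll, api in trace:
        tree[dll.lower()][api] += 1
    return {dll: dict(apis) for dll, apis in tree.items()}

def feature_space(trees):
    """Feature keys: every DLL block and every (DLL, API) leaf seen in training (assumed 'important')."""
    keys = {(dll, api) for tree in trees for dll, apis in tree.items() for api in [None, *apis]}
    return sorted(keys, key=str)

def vectorize(tree, keys):
    """Block keys (api=None) give a presence flag, leaf keys give call counts; last entry is the bias."""
    return [float(dll in tree) if api is None else float(tree.get(dll, {}).get(api, 0))
            for dll, api in keys] + [1.0]

def train_svm(pairs, lam=0.01, epochs=500):
    """Primal linear SVM by Pegasos subgradient steps (a stand-in for the thesis's SVM); y in {-1, +1}."""
    w = [0.0] * len(pairs[0][0])
    for t, (x, y) in enumerate(pairs * epochs, 1):  # step size 1/(lam*t), so the shrink factor is 1-1/t
        violated = y * sum(wi * xi for wi, xi in zip(w, x)) < 1
        w = [(1 - 1 / t) * wi + (y * xi / (lam * t) if violated else 0.0) for wi, xi in zip(w, x)]
    return w

def train_one_vs_one(samples):
    """1-v-1 multi-class SVM: one hyperplane per class pair; classify() votes across them."""
    trees = [resource_tree(trace) for _, trace in samples]
    keys = feature_space(trees)
    data = [(label, vectorize(tree, keys)) for (label, _), tree in zip(samples, trees)]
    return keys, {(a, b): train_svm([(x, 1 if l == a else -1) for l, x in data if l in (a, b)])
                  for a, b in combinations(sorted({l for l, _ in data}), 2)}

def classify(trace, keys, models):
    x = vectorize(resource_tree(trace), keys)
    votes = defaultdict(int)
    for (a, b), w in models.items():
        votes[a if sum(wi * xi for wi, xi in zip(w, x)) >= 0 else b] += 1
    return max(sorted(votes), key=votes.get)  # ties break toward the lowest class label
```

Call `train_one_vs_one(TRACES)` to obtain the feature keys and the three pairwise hyperplanes, then `classify(trace, keys, models)` on a new trace; the DLL-level block flags are what let two programs with different API leaves under the same module still share a feature.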
Keywords/Search Tags: computer virus, behavior-based detection, dynamic link library, support vector machine, behavior resource tree