
Detection And Analysis Of Malware Network Behavior Based On Isolation Environment

Posted on: 2012-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Wu
Full Text: PDF
GTID: 2218330362960298
Subject: Computer Science and Technology
Abstract/Summary:
Malware is a tremendous threat to computer security. As network technology develops, malware is strengthening its ability to self-propagate through the Internet, and a computer may be infected simply by browsing it. To improve defensive capacity and prevent the large-scale propagation of malware, analysis of malware behavior is becoming increasingly important for computer self-protection. This thesis focuses on the analysis of malware behavior, especially malware network behavior, based on dynamic analysis. The main contributions of the thesis are as follows:

The study implements a dynamic monitoring mechanism and a hijacking mechanism. The dynamic monitoring mechanism captures the basic malware behavior, and the hijacking mechanism captures more detailed information to describe that behavior. The analysis of malware network behavior is built on this capture of malware behavior.

The study proposes a method of message semantics extraction that uses dynamic taint analysis together with the captured malware behavior. With dynamic taint analysis, the propagation of behavior data in memory can be observed, and this propagation information can be used to extract the message semantics. Message semantics extraction is the basic condition for confirming malware self-propagation.

The study explores malware self-duplication behavior and self-propagation behavior. For self-duplication, the thesis advances a confirmation mechanism based on the sequence of malware behavior. For self-propagation, the thesis advances a confirmation mechanism based on combining the malware behavior sequence with message semantics extraction.

The study designs and implements the system TermiNetor, which monitors and analyzes malware network behavior in an isolated environment. TermiNetor tracks the behavior sequence of the malware as it executes in the isolated environment, realizes all of the methods and mechanisms mentioned above, analyzes the malware network behaviors, and confirms malware self-duplication and self-propagation behavior.
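The following is an added illustration, not code from the thesis or from TermiNetor: a toy replay of the taint-driven checks the abstract describes, run over a constructed API trace of the kind a sandbox monitor might log. It assumes buffers are named, that the sample's own path is known (`SELF_PATH`), and that three checks suffice: a `WriteFile` of self-tainted bytes to another path confirms self-duplication, a `send` of self-tainted bytes confirms self-propagation, and a `connect` whose address argument carries network taint reveals that the received message contained a target address (the message semantics the thesis extracts).

```python
SELF_PATH = "C:/sandbox/sample.exe"  # assumed path of the sample under analysis


def analyze(trace, self_path=SELF_PATH):
    """Propagate taint labels through named buffers and emit verdicts.

    trace: list of (api, args) events as a monitor might record them.
    Labels: 'SELF' = bytes read from the sample's own image,
            'NET:<peer>' = bytes received from that peer.
    Returns (verdicts, semantics); semantics maps a received-message label
    to the role that later behaviour revealed for its bytes.
    """
    taint = {}            # buffer name -> set of taint labels
    verdicts = set()
    semantics = {}
    for api, a in trace:
        if api == "ReadFile":
            label = "SELF" if a["path"] == self_path else "FILE:" + a["path"]
            taint.setdefault(a["buf"], set()).add(label)
        elif api == "recv":
            taint.setdefault(a["buf"], set()).add("NET:" + a["peer"])
        elif api == "memcpy":  # taint follows the data copy
            taint.setdefault(a["dst"], set()).update(taint.get(a["src"], ()))
        elif api == "WriteFile":
            # Own image written under a different path: self-duplication.
            if "SELF" in taint.get(a["buf"], ()) and a["path"] != self_path:
                verdicts.add("self-duplication")
        elif api == "connect":
            # Address argument built from received bytes: that message
            # carried a target address, which is its extracted semantics.
            for lab in taint.get(a["addr_buf"], ()):
                if lab.startswith("NET:"):
                    semantics[lab] = "carries a target address"
        elif api == "send":
            # Own image sent over the network: self-propagation.
            if "SELF" in taint.get(a["buf"], ()):
                verdicts.add("self-propagation")
    return verdicts, semantics


# Constructed trace: the sample reads itself, copies itself to a new file,
# receives a command containing a peer address, connects there, sends itself.
SAMPLE_TRACE = [
    ("ReadFile", {"path": SELF_PATH, "buf": "body"}),
    ("WriteFile", {"path": "C:/sandbox/copy.exe", "buf": "body"}),
    ("recv", {"peer": "198.51.100.7", "buf": "cmd"}),
    ("memcpy", {"src": "cmd", "dst": "addr"}),
    ("connect", {"addr_buf": "addr"}),
    ("send", {"buf": "body"}),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE))
```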
Keywords/Search Tags: Malware, Dynamic Analysis, Dynamic Taint Analysis, Message Semantic Extraction