
Research And Implementation Of Win32 PE Virus Detection

Posted on: 2012-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: S Liu
Full Text: PDF
GTID: 2218330368481949
Subject: Computer software and theory

Abstract/Summary:
With the rapid development of the Internet, computer viruses have become one of the most serious threats to information security. Traditional signature scanning is the simplest and most effective technique for known viruses and is widely used in anti-virus products. However, it requires an analyst to examine infected files by hand, summarise the characteristics of the virus, record its signature and add it to the virus database. The interval between a virus appearing and its becoming detectable is therefore long, and unknown viruses cannot be detected at all: a scan engine whose signature database has not been updated can neither detect nor remove the latest virus. Signature scanning alone is hard-pressed to cope with the huge number of unknown viruses. To stop unknown viruses from infecting computer systems and to detect them quickly and effectively, this dissertation designs an unknown-virus detection strategy and implements a virus detection system based on it.

First, unknown virus detection and the related concepts of the nearest neighbor algorithm are studied. Because current behavior-based unknown-virus detection methods must execute the suspect program, which may damage the computer system or its hardware, a static method based on Win32 API behavior is proposed for detecting unknown viruses. First, the PE file is parsed to extract the sensitive Win32 API calls it imports. Second, the API functions are grouped by the malicious behavior they implement, and each file is converted into a fixed-dimension behavior vector that is stored in the behavior database. Third, since samples at different distances should contribute differently (closer samples are more similar), the distance-weighted sum of the neighbors belonging to each class is used as the classification criterion. Redundant feature items are removed with a feature-extraction method that minimises discriminant entropy.

The improved K-Nearest Neighbor (KNN) algorithm is then used for classification. Combining this Win32 API behavior-based detection with traditional signature scanning, a new Win32 PE virus detection system is designed.

Finally, virus detection experiments show that static detection based on Win32 API behavior is feasible: the unknown-virus detection method achieves a high hit rate and a low error rate, and can be used to detect unknown viruses. The experiments also show that a multi-engine design combining the unknown-virus detection engine with the signature scanning engine improves the detection ability of anti-virus software when the signature database has not been updated in time. The results of this thesis provide a reference for further study of Win32 PE virus detection.
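The pipeline the abstract describes, as an added worked example in Python that is not the thesis's own code: a minimal parser for the PE import directory (the "sensitive Win32 API" extraction step), a fixed-dimension behavior vector built from an illustrative API-to-behavior taxonomy, a distance-weighted KNN in which each of the k nearest samples votes with weight 1/(d+eps) so that closer samples contribute more, and a scan() front end that consults a signature engine first and hands unrecognised files to the behavior engine. Everything concrete here is constructed for the example: build_sample_pe() assembles a synthetic PE32 so the parser can run offline, the BEHAVIOURS table, TRAIN samples and SIGNATURES entry are made up, and the minimum-discriminant-entropy feature reduction the thesis mentions is not implemented.

```python
# Added example, not the thesis's code. PE bytes, API taxonomy, signature and samples are all constructed.
import math, struct
from collections import Counter

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # .idata mapped at RVA 0x1000, stored at file offset 0x200

def build_sample_pe(imports):
    """Construct a minimal PE32 whose single section is an import table; imports = [(dll, [api, ...]), ...]."""
    n, descs = len(imports), []
    data = bytearray(20 * (n + 1))                   # IMAGE_IMPORT_DESCRIPTOR table, zero-terminated
    for dll, apis in imports:
        by_name = []
        for api in apis:                             # IMAGE_IMPORT_BY_NAME: Hint(2) + name + NUL, 2-byte aligned
            by_name.append(SECTION_RVA + len(data))
            entry = struct.pack("<H", 0) + api.encode() + b"\0"
            data += entry + b"\0" * (len(entry) % 2)
        name_rva = SECTION_RVA + len(data)
        data += dll.encode() + b"\0"
        data += b"\0" * (-len(data) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0\0\0\0"
        int_rva, iat_rva = SECTION_RVA + len(data), SECTION_RVA + len(data) + len(thunks)
        data += thunks + thunks                      # OriginalFirstThunk (INT), then FirstThunk (IAT)
        descs.append((int_rva, name_rva, iat_rva))
    for i, (oft, name, ft) in enumerate(descs):
        struct.pack_into("<IIIII", data, 20 * i, oft, 0, 0, name, ft)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)                 # i386, 1 section, 224-byte opt hdr
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (n + 1))                # DataDirectory[1] = import table
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(data), SECTION_RVA, len(data), SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(SECTION_RAW, b"\0") + bytes(data)

def extract_imports(pe):
    """Walk the import directory of a PE32/PE32+ image; return {dll_lowercase: [api_name or '#ordinal', ...]}."""
    if pe[:2] != b"MZ": raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("PE signature missing")
    coff, opt = e_lfanew + 4, e_lfanew + 24                                      # COFF header, optional header
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B                         # PE32+ magic
    dd = opt + (112 if is64 else 96)                                             # start of DataDirectory[]
    imp_rva = struct.unpack_from("<I", pe, dd + 8)[0] if struct.unpack_from("<I", pe, dd - 4)[0] >= 2 else 0
    if imp_rva == 0: return {}                                                   # no import table at all
    secs = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def rva2off(rva):                                                            # RVA -> file offset via section table
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize): return raw + rva - va
        raise ValueError(f"RVA {rva:#x} maps to no section")
    def cstr(off): return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    result, desc = {}, rva2off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0: break                                                  # all-zero terminating descriptor
        thunk, apis = rva2off(oft or ft), []                                     # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from(fmt, pe, thunk)[0]) != 0:
            apis.append(f"#{entry & 0xFFFF}" if entry & ord_flag else cstr(rva2off(entry) + 2))
            thunk += width
        result[cstr(rva2off(name_rva)).lower()] = apis
        desc += 20
    return result

# Illustrative API -> behaviour taxonomy; the thesis's own category table is not reproduced here.
BEHAVIOURS = {
    "file_infect": {"CreateFileA", "WriteFile", "SetFilePointer", "FindFirstFileA", "FindNextFileA"},
    "persistence": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA", "CreateServiceA"},
    "injection":   {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "network":     {"socket", "connect", "send", "InternetOpenA", "URLDownloadToFileA"},
    "dyn_loading": {"LoadLibraryA", "GetProcAddress"},
    "anti_debug":  {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
}

def behaviour_vector(imports):
    """Fixed-dimension vector: how many sensitive APIs of each behaviour category the file imports."""
    apis = {a for names in imports.values() for a in names}
    return [len(apis & group) for group in BEHAVIOURS.values()]

def weighted_knn(train, x, k=3, eps=1e-6):
    """Each of the k nearest samples votes 1/(distance+eps) for its class: closer, more similar samples weigh more."""
    score = Counter()
    for d, label in sorted((math.dist(v, x), label) for v, label in train)[:k]:
        score[label] += 1.0 / (d + eps)
    return score.most_common(1)[0][0]

TRAIN = [(behaviour_vector(imp), label) for imp, label in [   # constructed, labelled samples (not real malware)
    ({"kernel32.dll": ["CreateFileA", "ReadFile", "CloseHandle"], "user32.dll": ["MessageBoxA"]}, "benign"),
    ({"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "ExitProcess"]}, "benign"),
    ({"kernel32.dll": ["FindFirstFileA", "FindNextFileA", "CreateFileA", "WriteFile", "SetFilePointer"]}, "virus"),
    ({"kernel32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], "advapi32.dll": ["RegSetValueExA"]}, "virus"),
    ({"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "IsDebuggerPresent", "CreateFileA", "WriteFile"], "wininet.dll": ["InternetOpenA", "URLDownloadToFileA"]}, "virus"),
]]
SIGNATURES = {b"W32.ExampleInfector": "W32/ExampleInfector"}   # constructed byte signature, not a real one

def scan(pe_bytes, k=3):
    """Multi-engine verdict: signature engine first; anything it does not recognise goes to the behaviour KNN engine."""
    for sig, name in SIGNATURES.items():
        if sig in pe_bytes: return "known", name
    return "unknown", weighted_knn(TRAIN, behaviour_vector(extract_imports(pe_bytes)), k)
```

The parser resolves RVAs through the section table instead of assuming file offsets equal RVAs, walks the INT (OriginalFirstThunk) and falls back to the IAT when the INT is absent, and records ordinal imports as "#n" so they are not silently dropped. A file that imports only the file-infection APIs lands at distance zero from the constructed infector sample and is classed "virus" even though no signature matches it, which is the point of the multi-engine design; a real deployment would replace the constructed taxonomy and training set with the thesis's behavior database.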
Keywords/Search Tags: Unknown virus detection, K-Nearest Neighbor Algorithm, PE virus, Behavior Characterization