| Security vulnerabilities, malicious code and illegal behaviors of internal person causethreat to system security. At present, the security protection of the system mainly relies onanti-virus software and intrusion detection system and so on. But these means ofprotection mainly focused on operating system. At the same time, the development anduse of all kinds of attacks, virus variants, Packing software and other technologies makedetection more difficult, technology research based on the software behavior is a way tosolve the above problems. This thesis has studied on behavior detection system which isavailable to the specific application system. The specific content is as follows.First, the software behavior is composed by a series of actions in a certain context.Software behavior can be seen as a sequence of actions. Action is a process of change theentity itself or other entity status by sending messages or trigger events change. the systemcall is also an important event. Therefore, we can study the characteristics of softwarebehavior from the message and system call angles.Then behavioral characteristics are extracted from the angle of the message andsystem call. The behavioral characteristics mainly include action execution sequence,action parameters and the execution context which is required. The action related degree isintroduced and given its calculation method in order to measure the degree of associatedaction. By using the parameters of action carry, context parameter correlation matrix whenexecuted and the context correlation matrix, the action related degrees are calculatedfinally. Actions relevant can reflect whether there is correlations between different actions,that is, whether composes the same sequence of actions.Finally, I search for other associated actions by action relevance, compare anddetermine the rules of the associated action sequence composed of the same behavior andthe rule base. The normal operation of training can obtain as much credible actionsequences as possible to generate a trusted rule base that is a basis of determining thesoftware behavior. In order to allow the detection system to be able to determine and deterillegal behavior, the harmful rule base in introduced to keep the collection of illegal behavior. Suspicious behaviors without in the rule base are determined based on its impacton the state of the system. If they cause unstable state of the system, they are identified asillegal acts dynamically and added harmful rule base. |