
Research On Dynamic Malware Analysis Based On Hardware-assisted Virtualization

Posted on: 2013-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: F Yang
Full Text: PDF
GTID: 2248330392458421
Subject: Computer Science and Technology
Abstract/Summary:
In recent years malware has increasingly been written for direct economic gain. With the rapid growth in the volume of malware and in the sophistication of its concealment techniques, the self-protection capability of malware keeps improving and its useful lifetime is extended. The rapid development of anti-analysis and anti-detection techniques places higher requirements on dynamic malware behavior analysis systems: an analysis system must remain transparent to the sample while improving its ability to monitor the sample's behavior. A traditional dynamic analysis system that runs in the same environment as the malware can therefore no longer meet the actual demand. Hardware-assisted virtualization, by placing the analysis component at a higher privilege level than the guest, provides a basis for the transparency of a dynamic analysis system. In principle, a dynamic analysis system built on hardware-assisted virtualization can thus prevent the malware from escaping analysis and can observe lower-level, more realistic behavior.

Although such methods secure the transparency of the analysis system, several problems remain to be solved. The main work of this thesis is as follows:

1. Propose and implement process and system call monitoring based on hardware-assisted virtualization, to improve the transparency of the malware analysis system.
2. Design and implement semantic extraction and correlation analysis of malware behavior, to solve the problem of semantic extraction inside the virtual machine monitor (the semantic gap between raw guest state and its OS-level meaning).
3. Design and implement child process monitoring, to improve the behavior monitoring capability of the analysis system.

A dynamic malware analysis system named MAX is designed and implemented on top of hardware-assisted virtualization. MAX implements hidden process detection and monitors the system call behavior of malware running under the Windows operating system. After parsing the semantic information, MAX automatically generates a malware behavior report. Using the resource isolation and snapshot facilities provided by virtualization, the analysis system can process malware samples in batches. The hidden process detection and system call monitoring functions of MAX are verified experimentally. The transparency of MAX is demonstrated by comparing its dynamic behavior analysis results against those of other analysis systems, and the performance overhead and an analysis of monitor switching are also given experimentally.
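The abstract names two of MAX's monitoring functions, hidden process detection and child process monitoring, without showing how a VMM-side monitor typically realizes them. The following is an added illustration and not code from the thesis or from MAX: a cross-view comparison in which the set of processes the hypervisor saw scheduled (identified here by the CR3 page-directory base each one loads, which the VMM observes regardless of the guest's bookkeeping) is checked against the list the guest itself reports, so a process unlinked from the guest's list by the malware still shows up; plus a fixed-point walk over parent PIDs that marks every descendant of a monitored sample. Both process views, the field names, and the PIDs and CR3 values are constructed sample data, not output of any real system.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 16

/* One process record as produced by a single vantage point.
 * Field names are hypothetical. cr3 is the cross-view identity: a process that
 * runs must have its page-directory base loaded into CR3, and the VMM sees
 * that happen even if the guest's process list no longer mentions it. */
typedef struct {
    uint32_t pid;
    uint32_t ppid;
    uint64_t cr3;
    char     name[16];
} proc_t;

/* Guest-internal view (constructed): what an in-guest enumeration reports.
 * The sample with pid 1337 has been unlinked by the malware and is absent,
 * while its child cmd.exe still reports 1337 as its parent. */
static const proc_t guest_view[] = {
    {4,    0,    0x001ad000ULL, "System"},
    {620,  4,    0x0a2c1000ULL, "services.exe"},
    {1204, 620,  0x1b4f2000ULL, "svchost.exe"},
    {2000, 620,  0x2c7a3000ULL, "explorer.exe"},
    {1400, 1337, 0x4e9c5000ULL, "cmd.exe"},
};

/* VMM-side view (constructed): every distinct CR3 the hypervisor observed
 * being loaded while the guest ran, with what it reconstructed about each. */
static const proc_t vmm_view[] = {
    {4,    0,    0x001ad000ULL, "System"},
    {620,  4,    0x0a2c1000ULL, "services.exe"},
    {1204, 620,  0x1b4f2000ULL, "svchost.exe"},
    {2000, 620,  0x2c7a3000ULL, "explorer.exe"},
    {1337, 2000, 0x3d8b4000ULL, "sample.exe"},
    {1400, 1337, 0x4e9c5000ULL, "cmd.exe"},
};

#define N_GUEST ((int)(sizeof guest_view / sizeof guest_view[0]))
#define N_VMM   ((int)(sizeof vmm_view   / sizeof vmm_view[0]))

static int has_cr3(const proc_t *list, int n, uint64_t cr3)
{
    for (int i = 0; i < n; i++)
        if (list[i].cr3 == cr3) return 1;
    return 0;
}

/* Cross-view comparison: a process the VMM saw scheduled but the guest does
 * not report is hidden. Writes hidden records to out, returns their count. */
int find_hidden(const proc_t *vmm, int n_vmm,
                const proc_t *guest, int n_guest,
                proc_t *out, int max_out)
{
    int n = 0;
    for (int i = 0; i < n_vmm && n < max_out; i++)
        if (!has_cr3(guest, n_guest, vmm[i].cr3))
            out[n++] = vmm[i];
    return n;
}

/* Child-process tracking: mark every descendant of root_pid so that their
 * system calls are monitored as well. Iterates to a fixed point so the order
 * of the list does not matter. Returns the number of marked descendants. */
int mark_descendants(const proc_t *procs, int n, uint32_t root_pid, uint8_t *marked)
{
    memset(marked, 0, (size_t)n);
    int total = 0, changed = 1;
    while (changed) {
        changed = 0;
        for (int i = 0; i < n; i++) {
            if (marked[i] || procs[i].pid == root_pid) continue;
            int parent_marked = (procs[i].ppid == root_pid);
            for (int j = 0; j < n && !parent_marked; j++)
                if (marked[j] && procs[j].pid == procs[i].ppid) parent_marked = 1;
            if (parent_marked) { marked[i] = 1; total++; changed = 1; }
        }
    }
    return total;
}

/* Run detection on the constructed views; fills pids, returns hidden count. */
int demo_hidden(uint32_t *pids, int max)
{
    proc_t hidden[MAX_PROCS];
    int n = find_hidden(vmm_view, N_VMM, guest_view, N_GUEST, hidden, MAX_PROCS);
    for (int i = 0; i < n && i < max; i++) pids[i] = hidden[i].pid;
    return n;
}

/* Number of descendants of root_pid in the VMM view. */
int demo_descendants(uint32_t root_pid)
{
    uint8_t marked[MAX_PROCS];
    return mark_descendants(vmm_view, N_VMM, root_pid, marked);
}

int main(void)
{
    uint32_t pids[MAX_PROCS];
    int n = demo_hidden(pids, MAX_PROCS);
    printf("%d hidden process(es)\n", n);
    for (int i = 0; i < n; i++) printf("  hidden pid %u\n", pids[i]);
    printf("descendants of 1337 to monitor: %d\n", demo_descendants(1337));
    return 0;
}
```

The comparison keys on CR3 rather than on PID because a rootkit that unlinks a process from the guest's list can also alter the guest-reported PIDs, whereas the page-directory base it runs under is fixed by the hardware at every context switch the VMM traps. The descendant walk is what lets the monitor follow a sample that injects or spawns helpers instead of acting from its own process.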
Keywords/Search Tags: malware, dynamic analysis, process monitoring, hardware-assisted virtualization, system call semantic extraction