
Research on Analysis Technology of Malware Based on Minimum-Behavior

Posted on: 2013-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: W C Liu
Full Text: PDF
GTID: 2248330395455709
Subject: Computer application technology
Abstract/Summary:
The emergence of Internet technology has greatly changed people's life and work. People enjoy the convenience the Internet provides, but are also under the threat of malware (malicious software). In the digital era, anti-malware has become a focus of the information security field. Traditional malware detection is based on static characteristics, but obfuscation, encryption and packing leave static detection helpless. Dynamic analysis solves the problem of obfuscation, encryption and packing, but it cannot effectively detect polymorphic malware and virus variants. To address polymorphism and variants, behavior-based analysis is used in malware detection: behavior abstraction raises low-level semantic information to high-level semantic behavior, which solves the problems of variation and polymorphism. However, in the security field no precise definition of behavior has been given, and there is no clear rule for how behaviors should scale, so the advantages of behavior analysis cannot be fully exploited. In addition, as malware and malware families multiply, automation of malware analysis has become an inevitable trend.

Based on the above, this thesis implements a prototype of an automated malware detection system based on minimum behavior. The detection system is divided into three key modules. The API (Application Programming Interface) information monitoring module captures the malware's API calls using a modified QEMU emulator. The behavior feature vector generation module abstracts low-level semantic API information into high-level semantic minimum behaviors and produces a behavior feature vector. The malicious code detection, classification and automatic learning module combines the advantages of clustering analysis and classification to classify unknown malicious programs and to evolve the malware feature library automatically.

Finally, the system experiments and results analysis are presented. The experimental results show that, compared with the traditional method based on API frequency statistics, this method achieves a higher TPF (True Positive Fraction) and a lower FPF (False Positive Fraction), and it can detect new malicious classes automatically.
Keywords/Search Tags: Malicious Software, System Call, Minimum-Behavior, Dynamic Analysis
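To make the pipeline described in the abstract concrete, the following is an added example and not code from the thesis: captured API-call traces are abstracted into minimum behaviors, turned into a behavior feature vector, and matched against a feature library that registers a new class when no known class is close enough. The behavior rules, the API-call patterns, the Hamming-distance threshold, the sample traces and the nearest-vector matching (standing in for the clustering and classification the abstract does not detail) are all assumptions made for this illustration; traces are assumed to have been captured already, e.g. by the modified QEMU monitor.

```python
from collections import Counter

# Hypothetical minimum-behaviour rules (constructed): an ordered API-call pattern per behaviour.
MIN_BEHAVIOURS = {
    "drop_file": ("CreateFileW", "WriteFile", "CloseHandle"),
    "run_key_persist": ("RegOpenKeyExW", "RegSetValueExW"),
    "remote_thread": ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "net_beacon": ("InternetOpenW", "InternetConnectW", "HttpSendRequestW"),
}
BEHAVIOURS = sorted(MIN_BEHAVIOURS)  # fixed layout of the feature vector

def abstract_trace(api_calls):
    """Map a raw API-call sequence to counts of minimum behaviours (ordered-subsequence match)."""
    counts = Counter()
    for name, pattern in MIN_BEHAVIOURS.items():
        i = 0
        for call in api_calls:
            if call == pattern[i]:
                i += 1
                if i == len(pattern):  # whole pattern seen: one behaviour instance
                    counts[name] += 1
                    i = 0
    return counts

def feature_vector(api_calls):
    """Presence vector over the behaviour alphabet: junk calls and repeat counts fall away."""
    counts = abstract_trace(api_calls)
    return tuple(int(counts[b] > 0) for b in BEHAVIOURS)

def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))

def classify(library, vec, threshold=1):
    """Nearest known class within `threshold`, else register a new class (library evolution).
    Returns (label, True if a new class was created)."""
    if library:
        label, rep = min(library.items(), key=lambda kv: hamming(kv[1], vec))
        if hamming(rep, vec) <= threshold:
            return label, False
    label = f"new_class_{len(library)}"
    library[label] = vec
    return label, True

# Constructed traces: a dropper, a variant of it with junk calls and repeated writes, an injector.
DROPPER = ["CreateFileW", "WriteFile", "CloseHandle", "RegOpenKeyExW", "RegSetValueExW"]
DROPPER_VARIANT = ["GetTickCount", "CreateFileW", "Sleep", "WriteFile", "WriteFile",
                   "CloseHandle", "GetTickCount", "RegOpenKeyExW", "RegSetValueExW"]
INJECTOR = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
            "InternetOpenW", "InternetConnectW", "HttpSendRequestW"]
```

The variant trace yields the same vector as the original dropper, which is what the abstraction buys over raw API frequency statistics; the injector is far from every known class and therefore seeds a new one.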