
Behavior Analysis Of Malicious Code

Posted on: 2014-01-11
Degree: Master
Type: Thesis
Country: China
Candidate: H P Zhang
Full Text: PDF
GTID: 2248330395984022
Subject: Computer application technology

Abstract/Summary:
Malicious code (viruses, botnets, Trojan horses, worms, rootkits) has grown explosively on the Internet, making information system security an increasingly serious problem. Traditional malicious code detection technology, for example anomaly detection, can detect some malicious code but still has defects. Thus, research on the analysis of malicious code is of great significance.

This paper discusses the definition, types and features of malicious code. Traditional methods for monitoring malicious code are studied in detail and their shortcomings are discussed. On this basis, we put forward Modified Secure In-VM Monitoring (MSIM), an approach based on hardware virtualization features. This method monitors system events to obtain the behavior characteristics of code, which enables transparent behavior monitoring of malicious code at low performance overhead.

When it comes to malicious code analysis, static analysis cannot detect unknown malicious code and its variants, while dynamic analysis consumes too many resources and its detection results are of low accuracy. A method for analyzing malicious code based on integrated behavior characteristics is presented, which extracts three-dimensional features: associated behavior, function call graph, and system call behavior. The decision result is given by weighted matching over the different feature analyses.

This paper focuses its research on transparent behavior monitoring, behavior characteristic analysis and virtualization technology. We implement a behavior-based malicious code analysis system. It mainly includes four parts: a start-up detection module, a virtualization module, a behavior characteristic analysis module, and a code detection module. The start-up detection module detects system initialization and loads the virtualization module. The virtualization module enables operating system transfer and transparent monitoring. The behavior characteristic analysis module collects and extracts the behavior characteristics of malicious code. The code detection module gives the decision result based on weighted matching over the different feature analyses. Experimental results show that the prototype system effectively improves both detection accuracy and performance overhead.
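The weighted matching over the three feature dimensions (associated behavior, function call graph, system call behavior) that the abstract describes, as an added Python example that is not code from the thesis or its prototype system; the reference profile, the matching functions (Jaccard for the two set-valued dimensions, cosine over system-call bigram counts), the weights and the threshold are all assumed for illustration:

```python
from collections import Counter
from math import sqrt

# Constructed reference profile of one known-malicious sample (hypothetical values).
MALICIOUS_PROFILE = {
    "associated": {"registry_run_key", "remote_thread", "network_connect", "file_drop"},
    "call_graph": {("main", "drop_payload"), ("drop_payload", "CreateFile"),
                   ("main", "inject"), ("inject", "CreateRemoteThread")},
    "syscalls": ["NtCreateFile", "NtWriteFile", "NtOpenProcess",
                 "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"],
}
WEIGHTS = {"associated": 0.4, "call_graph": 0.3, "syscalls": 0.3}  # assumed weights
THRESHOLD = 0.5  # assumed verdict threshold

def syscall_bigrams(trace):
    """Order-sensitive feature: histogram of adjacent system-call pairs."""
    return Counter(zip(trace, trace[1:]))

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets give 0.0 rather than a division error."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cosine(a, b):
    """Frequency-aware overlap of two bigram histograms; 0.0 if either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def feature_scores(behaviors, edges, trace):
    """Match each of the three feature dimensions against the reference profile."""
    return {
        "associated": jaccard(set(behaviors), MALICIOUS_PROFILE["associated"]),
        "call_graph": jaccard(set(edges), MALICIOUS_PROFILE["call_graph"]),
        "syscalls": cosine(syscall_bigrams(trace),
                           syscall_bigrams(MALICIOUS_PROFILE["syscalls"])),
    }

def weighted_decision(scores):
    """Weighted sum of the per-dimension scores; True means 'flag as malicious'."""
    total = sum(WEIGHTS[name] * scores[name] for name in WEIGHTS)
    return round(total, 4), total >= THRESHOLD

if __name__ == "__main__":
    # Constructed trace of a sample that injects into a process and adds persistence.
    scores = feature_scores({"registry_run_key", "remote_thread", "network_connect"},
                            {("main", "inject"), ("inject", "CreateRemoteThread")},
                            ["NtOpenProcess", "NtAllocateVirtualMemory",
                             "NtWriteVirtualMemory", "NtCreateThreadEx"])
    print(scores, weighted_decision(scores))
```

A sample that is strong in only one dimension stays below the threshold, which is the point of weighting several feature analyses rather than relying on any single one.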
Keywords/Search Tags: Malicious code, Virtual machine technology, Behavior analysis, System call