
Ether-based Dynamic Analysis Of Malware

Posted on: 2014-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Jiang
Full Text: PDF
GTID: 2248330398959810
Subject: Information security
Abstract/Summary:
With the rapid development of computer technology and its adoption across all professions and trades around the world, the Internet has penetrated every aspect of people's lives and has become an integral part of them. It provides quick and timely communication and data transmission, and users browse the Internet and exchange files freely. There is no doubt that the Internet has brought a great deal of convenience to people's work and lives; at the same time, however, it also brings many problems. In recent years especially, malicious software has caused huge economic losses to enterprises and individuals, and has even threatened national security, posing a serious challenge to the application of the Internet. Currently, most users lack network security awareness, and the harm caused by malicious software is increasing; therefore, how to build a fast and effective early-warning system for network security has become an important goal in the field of computer security. At the same time, as the techniques of malicious code authors improve, they use packing and anti-virtual-environment techniques, making traditional static program analysis inefficient when dealing with unknown malware. Currently, dynamic program analysis plays an irreplaceable role in the detection of malicious code. Dynamic program analysis uses the sequence of system call API functions to model the behaviour of a program, then selects the program's feature vectors through an appropriate algorithm and uses support vector machines to perform the classification. In this paper, we propose a new concept, the deviation rate, which reflects the influence of different features on classification in a support vector machine.
Based on this, we build the dynamic analysis system as follows. First, we use the analysis tool Ether, built on the Xen virtual environment, to monitor the program's sequence of system call API functions. Ether uses hardware virtualization extensions and resides outside the target operating system; it therefore evades malware's checks for debugging tools and is transparent to the malware. Second, from the API function sequence we use a sequential-forward feature selection algorithm to select feature vectors from the fixed-length short-sequence mode of API functions. The feature selection algorithm is based on the deviation rate: we keep selecting the feature with the largest deviation rate until the selected feature vectors reach a local optimum. For the variable-length sequence mode, we obtain a reduced pattern set from the sequence using the Teiresias algorithm and a reduction algorithm, then apply the feature selection algorithm just described to select the feature vector from the reduced pattern set. We thus obtain locally optimal feature vectors for the two modes and build two support vector machines using the matlab-libsvm tools. Finally, the two support vector machines working together constitute our analysis system, which classifies unknown programs as benign or malicious software. By comparison with well-known antivirus software, we conclude that our system performs excellently in detection rate and accuracy.
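The pipeline sketched in the abstract (monitored API call sequence, fixed-length short-sequence features, greedy sequential-forward selection stopping at a local optimum, then a libsvm-style feature encoding) can be made concrete in a few dozen lines. The following is an added illustration, not code from the thesis: the API traces are constructed toy data, and because the abstract does not define the deviation rate, the selection criterion used here is a stand-in (the fraction of malicious/benign trace pairs that the selected n-grams tell apart). Only the stage before the SVM is shown; the output lines are in the sparse "label index:value" format that libsvm reads.

```python
from itertools import product

# Constructed sample traces (label, API call sequence); label 1 = malicious,
# -1 = benign. Illustrative only, not real captured traces.
TRACES = [
    (1,  ["NtOpenFile", "NtCreateSection", "NtMapViewOfSection", "NtCreateProcess"]),
    (1,  ["NtOpenKey", "NtSetValueKey", "NtCreateProcess"]),
    (1,  ["NtOpenFile", "NtWriteFile", "NtOpenKey", "NtSetValueKey"]),
    (-1, ["NtOpenFile", "NtReadFile", "NtClose"]),
    (-1, ["NtOpenFile", "NtCreateSection", "NtMapViewOfSection", "NtClose"]),
    (-1, ["NtOpenKey", "NtQueryValueKey", "NtClose"]),
]


def ngrams(seq, n):
    """Fixed-length short sequences (n-grams) of API calls from one trace."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def presence_table(traces, n):
    """Map each n-gram to the set of trace indices in which it occurs."""
    table = {}
    for idx, (_, seq) in enumerate(traces):
        for g in set(ngrams(seq, n)):
            table.setdefault(g, set()).add(idx)
    return table


def cross_class_pairs(traces):
    """All (malicious index, benign index) pairs in the training set."""
    mal = [i for i, (lbl, _) in enumerate(traces) if lbl == 1]
    ben = [i for i, (lbl, _) in enumerate(traces) if lbl == -1]
    return list(product(mal, ben))


def separated_pairs(table, features, pairs):
    """Pairs (malicious, benign) that differ in at least one of the given features."""
    out = set()
    for g in features:
        present = table[g]
        for m, b in pairs:
            if (m in present) != (b in present):
                out.add((m, b))
    return out


def sequential_forward_selection(traces, n):
    """Greedy forward selection: repeatedly add the n-gram that newly separates
    the most malicious/benign trace pairs; stop at a local optimum (no gain).
    ASSUMPTION: pairwise separability is a stand-in criterion, since the
    abstract does not define the thesis's own 'deviation rate'."""
    table = presence_table(traces, n)
    pairs = cross_class_pairs(traces)
    selected, covered = [], set()
    while True:
        best, best_gain = None, 0
        for g in sorted(table):  # sorted for deterministic tie-breaking
            if g in selected:
                continue
            gain = len(separated_pairs(table, [g], pairs) - covered)
            if gain > best_gain:
                best, best_gain = g, gain
        if best is None:  # no feature improves the criterion: local optimum
            break
        selected.append(best)
        covered |= separated_pairs(table, [best], pairs)
    score = len(covered) / len(pairs)
    return selected, score


def to_libsvm(traces, selected, n):
    """Encode each trace as a sparse libsvm-format line over the selected features."""
    lines = []
    for lbl, seq in traces:
        grams = set(ngrams(seq, n))
        feats = [f"{j + 1}:1" for j, g in enumerate(selected) if g in grams]
        lines.append(" ".join([str(lbl)] + feats))
    return lines


if __name__ == "__main__":
    sel, score = sequential_forward_selection(TRACES, 2)
    print("selected:", sel, "separability:", score)
    for line in to_libsvm(TRACES, sel, 2):
        print(line)
```

On the toy data the greedy pass picks the bigram (NtOpenKey, NtSetValueKey) first, because it separates six of the nine cross-class pairs, then (NtMapViewOfSection, NtCreateProcess), which covers the remaining three; a third iteration finds no gain and stops. The same loop structure carries over to the variable-length patterns the abstract obtains with Teiresias: only the candidate set changes, not the selection step.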
Keywords/Search Tags: dynamic analysis, variable-length pattern, malware, deviation rate, feature vector, support vector machine