
A Research On Engine Of Behavior-Based Detection Of Malicious Code Technology

Posted on: 2014-02-27
Degree: Master
Type: Thesis
Country: China
Candidate: C Zhang
Full Text: PDF
GTID: 2248330398970635
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of the Internet, it has brought convenience to people's work and life, but also the destruction caused by viruses and other malicious programs. Malicious code writing technology and anti-virus technology have evolved together over time. Malicious code has turned from a single piece of destructive code into destructive code disguised by encrypting packers or polymorphic techniques in order to evade the signature scanning used by anti-virus software. Some malicious code updates itself through modular self-organization. Anti-virus technology has gradually developed from the original signature scanning into self-defense systems based on scanning the dynamic behavior of malicious code. With the increasing number of viruses, cloud-based services are becoming a mainstream method of computer virus detection. There is no generic method for malicious code detection, so research in the field of anti-malware software must continue to progress.

This paper analyzes the existing malicious code detection methods and proposes a new method for detecting unknown malicious code that uses feature filtering by information entropy and a DAG-SVM (directed acyclic graph support vector machine) multi-class classifier. The method obtains a multi-dimensional feature vector by combining static characteristics scanned from PE files with dynamic API sequence features, and uses information entropy to filter this high-dimensional feature vector. The reduced vector produced by the filter is then used to train a directed acyclic graph support vector machine classifier, which identifies unknown malicious code.

This method overcomes two weaknesses: traditional feature code (signature) scanning cannot identify unknown viruses, and static API sequence analysis has a low recognition rate against unknown viruses that hide their API calls. Compared with other support vector machine classification methods, the directed acyclic graph support vector machine effectively resolves the misclassification of some samples and the rejection phenomenon. Experiments show that the method has higher accuracy.
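The entropy-based filtering step described above, as an added illustration that is not code from the thesis: each sample is a set of binary features (static PE traits plus observed API calls) with a class label, every feature is scored by its information gain IG(Y; X) = H(Y) - H(Y | X), and only the top-k informative features survive to form the reduced vector handed to the classifier. The sample data and feature names are constructed placeholders.

```python
"""Information-gain filtering of a high-dimensional malware feature vector."""
from collections import Counter
from math import log2

# Constructed toy corpus: (label, set of binary features present).
# Feature names are illustrative placeholders, not taken from the thesis.
SAMPLES = [
    ("benign",   {"pe_has_dos_header", "api_CreateFileW", "api_RegQueryValueExW"}),
    ("benign",   {"pe_has_dos_header", "api_CreateFileW"}),
    ("family_A", {"pe_has_dos_header", "pe_high_entropy_section", "api_CreateFileW",
                  "api_InternetOpenA"}),
    ("family_A", {"pe_has_dos_header", "pe_high_entropy_section", "api_InternetOpenA",
                  "api_RegSetValueExW"}),
    ("family_B", {"pe_has_dos_header", "pe_high_entropy_section", "api_CreateFileW",
                  "api_RegSetValueExW"}),
    ("family_B", {"pe_has_dos_header", "pe_high_entropy_section", "api_RegSetValueExW"}),
]

def entropy(labels):
    """Shannon entropy H(Y) in bits of a multiset of class labels."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())

def information_gain(samples, feature):
    """IG(Y; X) = H(Y) - H(Y | X) for one binary feature X (present / absent)."""
    labels = [lbl for lbl, _ in samples]
    present = [lbl for lbl, feats in samples if feature in feats]
    absent = [lbl for lbl, feats in samples if feature not in feats]
    n = len(samples)
    # Empty partitions contribute nothing; a feature constant over the corpus
    # therefore yields H(Y | X) == H(Y) and a gain of exactly zero.
    cond = sum(len(part) / n * entropy(part) for part in (present, absent) if part)
    return entropy(labels) - cond

def select_features(samples, k):
    """Rank every feature in the corpus by gain and keep at most the top k.

    Zero-gain features (constant, or independent of the label) are dropped even
    if they fall inside the top k, so the result may be shorter than k.
    Ties are broken by name so the reduced vector layout is deterministic."""
    vocab = set().union(*(feats for _, feats in samples))
    ranked = sorted(((information_gain(samples, f), f) for f in vocab),
                    key=lambda t: (-t[0], t[1]))
    return [f for ig, f in ranked[:k] if ig > 1e-12]

def project(sample_feats, selected):
    """Reduced dense 0/1 vector for one sample, in the selected feature order."""
    return [1 if f in sample_feats else 0 for f in selected]

if __name__ == "__main__":
    kept = select_features(SAMPLES, 3)
    for lbl, feats in SAMPLES:
        print(lbl, project(feats, kept))
```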
Keywords/Search Tags: malicious code detection, Information Gain, Behavior detection, Multi-class support vector machine, dynamic API sequence