
Research On Sandbox Technology For Malicious Code Detection

Posted on: 2014-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Zhang
Full Text: PDF
GTID: 2268330425466543
Subject: Computer software and theory
Abstract/Summary:
Malicious code spreads widely through computer operating systems and networks by a variety of means and has a serious impact on information security. Recently, computer viruses, worms and trojans have gradually integrated their techniques, significantly enhancing their ability to attack, destroy and survive, coupled with an increasing number of variants. This poses a great challenge to malicious code detection, defense and removal. Therefore, research on malicious code detection technology has important practical significance.

The traditional sandbox monitors API functions called in user space and therefore has the shortcoming of being easily bypassed by malicious code, while detection methods based on virtual machines and simulation environments consume a large amount of system resources and are easily detected by the malicious code's own defense mechanisms. In this thesis, we therefore use kernel-level API hook technology to monitor the system API function calls made by malicious code, together with a renaming mechanism based on the operating system's resource interface: the system resources that the malicious code requests to operate on are redirected, and operations are then performed on the redirected resources, which yields a real yet isolated execution environment for the malicious code.

In this way the sandbox is able to monitor malicious behavior while sharing the resources of the operating system as much as possible: it only monitors malicious behavior and passes non-malicious behavior through, which meets the requirements for building a high-performance sandbox. The sandbox ensures that the malicious code is fully executed and that the testing process is valid and complete.

The malicious code detection technology is researched for the Windows operating system. Through analyzing traditional sandbox technology we find two major shortcomings, so we combine kernel-level API hook technology with namespace virtualization technology and propose a sandbox solution based on kernel-level API hooking and operation virtualization. Compared with other types of sandboxes, the experiment shows that this sandbox can detect malicious behavior more accurately and efficiently.
Keywords/Search Tags: Sandbox, API Hook, Virtual Operation, Malicious Code, Malicious behavior