
A Research Of Malware Detection And Evaluation Based On Behavior Analysis

Posted on: 2015-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y Han
Full Text: PDF
GTID: 2268330425970575
Subject: Information security
Abstract/Summary:
With a series of major cyber security incidents such as the Zhen-Wang (Stuxnet) and Flame viruses shocking the world, information security has been raised to the level of national strategy. In this context, China also faces a serious threat of malicious cyber attacks by hostile forces, in which malicious code is undoubtedly the most harmful element. Malicious code has therefore become a research focus in the field of network security, and research on it has been launched from many angles. This thesis focuses on behaviour analysis technology for malicious code and on methods for assessing its threat.

At present, domestic anti-virus vendors pay more attention to product development at the application level and relatively little to fundamental technology research. The malicious code detection technology of foreign anti-virus vendors is relatively mature, but because commercial interests are involved, it is difficult to obtain relevant information from public sources. A survey of various online malware analysis sandboxes shows that most reports cover the malicious behaviour and family classification of a sample but lack a threat assessment, which makes such reports hard to read and act on. Yet the threat assessment of malicious code is one of the most important parts of information security risk assessment. The objective of this thesis is therefore to build an automated platform for malicious code detection that provides a clean analysis environment and ultimately produces comprehensive analysis reports, covering both the behaviour analysis and the threat assessment of the malicious code.

First, building on a study of detection technology and assessment methods, the thesis examines malicious code in depth, analysing its behaviour and features: file-structure characteristics, string features, and host behaviour (process behaviour, registry behaviour, file behaviour and network behaviour). Then it constructs an evaluation model of malicious code threat level based on behaviour analysis and proposes a method for calculating the basic hazard value of a malicious behaviour based on mutual information. Following the ideas of the Analytic Hierarchy Process (AHP), the index weights are calculated from a characteristic matrix. On this basis the author designs and implements an automatic detection and evaluation system based on behaviour analysis of malicious code. The system consists of three main functional modules (data preprocessing, virtual machine execution and integrated assessment) and two data stores (the behaviour index system and the weight database). Finally, the effectiveness and reasonableness of the evaluation system and its implementation are tested by comparison with domestic and international platforms. The experimental results show that the system achieves its target well.
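The abstract names two computational pieces of the model, a mutual-information hazard value per behaviour and AHP-derived weights per index category, without giving formulas. The following Python block is an added illustration of how those pieces fit together; it is not the thesis's own code. It assumes the row geometric-mean approximation of the AHP principal eigenvector, Saaty's random-index table for the consistency check, a hazard value defined as I(B; Y) normalised by H(Y), and "strongest observed hazard per category" as the aggregation rule; the behaviour catalogue, its contingency counts and the pairwise comparison matrix are all constructed here for the example.

```python
"""Added example (not the thesis's code): AHP-weighted threat score over
host-behaviour categories, with per-behaviour hazard values derived from
mutual information against a small constructed labelled corpus."""
import math
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

CATEGORIES = ["process", "registry", "file", "network"]

# Constructed pairwise comparison ("characteristic") matrix over CATEGORIES.
# a[i][j] answers "how much more important is category i than category j".
COMPARISON = [
    [1,   2,   4, 2],
    [1/2, 1,   2, 1],
    [1/4, 1/2, 1, 1/2],
    [1/2, 1,   2, 1],
]

# Constructed behaviour catalogue: category, then (n11, n10, n01, n00) counts
# from a hypothetical corpus of 20 samples (10 malicious, 10 benign).
#   n11: behaviour seen & malicious   n10: seen & benign
#   n01: not seen & malicious         n00: not seen & benign
BEHAVIOURS = {
    "creates_remote_thread": ("process",  (8, 2, 2, 8)),
    "sets_run_key":          ("registry", (8, 2, 2, 8)),
    "writes_to_system32":    ("file",     (5, 5, 5, 5)),  # uninformative
    "connects_to_raw_ip":    ("network",  (9, 1, 1, 9)),
}


def ahp_weights(matrix: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Return (weights, consistency_ratio) for a pairwise comparison matrix.

    Weights use the row geometric-mean approximation of the principal
    eigenvector (an assumption; the thesis does not state its solver).
    lambda_max is estimated as the mean of (A w)_i / w_i."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    w = [g / total for g in gm]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri > 0 else 0.0   # CR > 0.1 means the judgments are inconsistent
    return w, cr


def mutual_information_bits(n11: int, n10: int, n01: int, n00: int) -> float:
    """I(B; Y) in bits from a 2x2 contingency table of behaviour B vs label Y."""
    total = n11 + n10 + n01 + n00
    joint = {(1, 1): n11, (1, 0): n10, (0, 1): n01, (0, 0): n00}
    p_b = {1: (n11 + n10) / total, 0: (n01 + n00) / total}
    p_y = {1: (n11 + n01) / total, 0: (n10 + n00) / total}
    mi = 0.0
    for (b, y), count in joint.items():
        if count == 0:          # 0 * log(0) contributes nothing
            continue
        p_by = count / total
        mi += p_by * math.log2(p_by / (p_b[b] * p_y[y]))
    return mi


def hazard_value(n11: int, n10: int, n01: int, n00: int) -> float:
    """Basic hazard value: MI normalised by H(Y) so it lies in [0, 1] (assumption)."""
    total = n11 + n10 + n01 + n00
    p_mal = (n11 + n01) / total
    h_y = -sum(p * math.log2(p) for p in (p_mal, 1 - p_mal) if p > 0)
    return mutual_information_bits(n11, n10, n01, n00) / h_y if h_y > 0 else 0.0


def category_weights() -> Tuple[Dict[str, float], float]:
    """AHP weights for the four host-behaviour categories plus their CR."""
    w, cr = ahp_weights(COMPARISON)
    return dict(zip(CATEGORIES, w)), cr


def threat_score(observed: Sequence[str], weights: Dict[str, float]) -> float:
    """Score 0..100 for a sample: per category take the strongest observed
    hazard, then combine categories with the AHP weights (aggregation rule
    is an assumption of this example)."""
    per_cat = {c: 0.0 for c in CATEGORIES}
    for name in observed:
        cat, counts = BEHAVIOURS[name]
        per_cat[cat] = max(per_cat[cat], hazard_value(*counts))
    return 100.0 * sum(weights[c] * per_cat[c] for c in CATEGORIES)


if __name__ == "__main__":
    weights, cr = category_weights()
    print("weights:", {k: round(v, 3) for k, v in weights.items()}, "CR:", round(cr, 3))
    sample = ["creates_remote_thread", "sets_run_key", "connects_to_raw_ip"]
    print("threat score:", round(threat_score(sample, weights), 1))
```

With the constructed matrix the weights come out as process 4/9, registry 2/9, file 1/9, network 2/9 with a consistency ratio of zero; the behaviour `writes_to_system32`, seen equally often in benign and malicious samples, gets a hazard value of zero and so never raises a score, which is the property that motivates deriving hazard from mutual information rather than from a hand-assigned constant.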
Keywords/Search Tags: Malicious code, automated analysis, behavioral characteristics, detection, assessment