
Research On The Automatic Classification Method Based On The Behaviors Of The Malicious Software

Posted on: 2015-08-28 | Degree: Master | Type: Thesis
Country: China | Candidate: C Xu | Full Text: PDF
GTID: 2298330434456274 | Subject: Computer Science and Technology
Abstract/Summary:
The aim of behavior-based automatic software classification is to classify software as normal or malicious according to how harmful its behavior is. To achieve this, one first determines whether the software contains malicious code, and then assesses the degree of hazard of the software from the type of malicious code it contains, the behavior of that code in the system, and the damage these behaviors jointly cause to the system or its users. Automatic classification is useful for analyzing the behavior of unknown viruses and Trojan variants; it can reduce the harm that unknown software does to users and the system, and it can serve as a warning when users run unknown software.

There are two kinds of methods for detecting and analyzing malicious code: static analysis and dynamic analysis. Malicious code may appear inside small, otherwise harmless programs, and static analysis is generally used only to detect the malicious code itself while neglecting its behavior; it is also costly in human effort and, when analyzing variants of Trojans and viruses, prone to missed detections. For these reasons this paper adopts dynamic analysis, which analyzes malicious code by monitoring it as it runs freely in the system. The dynamic tracking method mainly tracks the API functions and the characteristics of the commands used while the malicious code runs in the operating system, and then compares the state of the system's information before and after the run to determine the function and purpose of the malware.

In this paper, making full use of dynamic detection technology, we analyzed a large number of different kinds of malware, extracted features with typical characteristics from these samples, and created a dangerous behavior mapping library, which is used to map software behavior to data. We also designed an algorithm to convert these data into a form that can be used for actual training. Through hundreds of experiments, we designed a BP neural network suited to training on our samples and determined all of its parameters. By training the neural network, we built an evaluation system that judges, based on software behavior, whether unknown software is malware. Meanwhile, to verify the accuracy of the prediction system, a support vector machine was used in a comparative experiment. The results show that the design is successful: the BP neural network has been applied in an actual system we designed, and the system's false negative rate and false positive rate reached a quite satisfactory level.
Keywords/Search Tags: malicious code, dynamic analysis, automatic, BP neural network, SVM