
Research And Optimization Of Malware Detection Method Based On Rules Matching

Posted on: 2015-05-22
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Li
GTID: 2298330467957557
Subject: Computer technology

Abstract/Summary:
With the growth of network scale and the development of network technologies, malicious code has become increasingly specialised, profit-driven and organised, which poses a serious threat to the security of computers and networks. Detecting malicious code is therefore important for protecting them. In this thesis, a malicious code detection system based on rule matching is studied, and both detection rules based on frequency statistics and a high speed pattern matching algorithm are proposed. The main contributions of the thesis are as follows.

1. A method for detecting abnormal network behaviour and optimizing its rule set is proposed. To improve the detection efficiency of malicious code, the rule set used by a rule-matching detection system must be both small and effective. Therefore, the detection rules of the Snort system are first analysed in detail. Next, the detection rule tree is optimized, and the matching frequency of each rule in the rule tree is collected. Using these frequencies, the three rule subsets under each port are further divided into a common subset and an uncommon one, which yields a smaller and more effective rule set.

2. A high speed pattern matching (HSPM) algorithm is proposed. Through analysis of existing pattern matching algorithms, namely the BM algorithm, the BMH algorithm and the SBM algorithm, a high speed pattern matching algorithm is derived. Experiments show that the HSPM algorithm, which combines the BMH algorithm with the SBM algorithm, achieves the same recognition rate as the BM and SBM algorithms in less time and with fewer matching operations.

3. A malicious code detection system based on QEMU is implemented. First, a virtual test network is built by modifying the QEMU source. Second, the three modules of the rule-matching prototype verification system for malicious code are implemented. Finally, the performance of the system is tested from four aspects. The results demonstrate that the system meets its design goals and requirements.
Keywords/Search Tags: malicious code, rule matching, QEMU, rule tree