
Research And Implementation Of Key Technologies Of Program Behavior Analysis In Anti-Trojan System

Posted on: 2015-07-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Qu
Full Text: PDF
GTID: 2298330467963457
Subject: Computer Science and Technology

Abstract/Summary:
With the development of information technology, the computer has become an indispensable part of people's lives. Individual users browse web pages, chat via video and shop online; enterprises store business data and automate their management. Data that used to be preserved in traditional ways is now stored digitally, and the volume of digital information has been growing explosively for many years. While digital processing brings convenience, information security has gradually attracted attention. In recent years the number of Trojans, spyware and other malicious programs has kept growing, and user data breaches occur repeatedly. Trojan detection is a popular research topic in network security; as signature-based Trojan detection has matured over the past years, the research focus has begun to shift to the detection of unknown Trojans. Program behavior analysis is a foundational technology that plays an important role in host active defense systems, intrusion detection systems and other systems for detecting unknown Trojans. When program behavior analysis is used to detect unknown Trojans, capturing program behavior is the premise, a sound program behavior decision algorithm is the core, and effective removal of Trojan programs is the foundation; none of the three can be dispensed with. However, since program behavior analysis is still an emerging technology, these three key technologies remain insufficient. Research on these key technologies of program behavior analysis is therefore of great significance for building anti-Trojan systems and protecting user data.

In this paper, existing program behavior capture techniques were studied, and we found that there is no good method for capturing behavior on 64-bit Windows systems. In terms of Trojan removal, current hidden process detection technologies have deficiencies in stability and efficiency. In addition, in research on program behavior decision algorithms, improvements to the Naive Bayes classification algorithm have mainly focused on filtering invalid samples and on attribute weights, and have never considered the probability with which certain samples appear, which easily biases the classification results.

Addressing these three defects, this paper studies Intel VT technology to achieve program behavior capture on 64-bit Windows systems. For Trojan removal, a number of improvements are made to the current memory-search-based hidden process detection method. A variety of program behavior decision algorithms are studied, and several improvements to the Naive Bayes classification algorithm are realized, such as attribute weighting and classification adjustment. To keep the algorithm accurate across different host environments, a host security risk assessment is added, and the algorithm's parameters are adjusted dynamically based on the assessment results. The key contributions of this paper are: first, the memory-search-based hidden process detection method is improved so that it runs stably on multi-core CPU systems and becomes faster and more comprehensive; second, many improvements are made to the Naive Bayes classification algorithm, including a weight calculation method that is independent of the composition of the training samples and thereby avoids its negative influence; third, a fuzzy evaluation method based on entropy weights is used to evaluate the host security risk level, and the result is used to adjust the Naive Bayes algorithm, making the classification more accurate.
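As an added illustration (not code from the thesis), the following Python sketch combines two of the ideas above: a Naive Bayes classifier over captured behavior flags whose attribute weights depend only on class-conditional probabilities, so the class balance of the training set does not shift them, and a decision threshold that is adjusted by a host risk score. The feature names, training samples, weighting formula and the linear threshold adjustment are all assumptions made for this example; the abstract does not specify the thesis's own formulas.

```python
from math import log

# Assumed behavior flags observed per program run (constructed for this example).
FEATURES = ("autorun_key_write", "remote_thread_inject", "process_hiding",
            "outbound_connect", "file_self_copy")

# Constructed training set: (flag tuple, label) with label 1 = Trojan, 0 = benign.
# Deliberately imbalanced (4 Trojan, 6 benign) to show composition-independent weights.
TRAIN = [
    ((1, 1, 1, 1, 1), 1), ((1, 0, 1, 1, 0), 1), ((0, 1, 1, 1, 1), 1), ((1, 1, 0, 1, 1), 1),
    ((0, 0, 0, 1, 0), 0), ((1, 0, 0, 0, 0), 0), ((0, 0, 0, 1, 0), 0),
    ((0, 0, 0, 0, 1), 0), ((0, 0, 0, 1, 0), 0), ((0, 0, 0, 0, 0), 0),
]


class WeightedNB:
    def __init__(self, samples):
        by_cls = {c: [s for s, y in samples if y == c] for c in (0, 1)}
        self.prior = {c: len(by_cls[c]) / len(samples) for c in by_cls}
        # Laplace-smoothed P(feature = 1 | class), one list per class.
        self.p1 = {c: [(sum(s[i] for s in by_cls[c]) + 1) / (len(by_cls[c]) + 2)
                       for i in range(len(FEATURES))] for c in by_cls}
        # Assumed weighting: how far the two class-conditional probabilities differ.
        # Only conditionals are used, never the priors, so adding more benign
        # samples does not change a feature's weight. Normalised to mean 1.
        raw = [abs(self.p1[1][i] - self.p1[0][i]) for i in range(len(FEATURES))]
        self.w = [len(FEATURES) * r / sum(raw) for r in raw]

    def log_odds(self, x):
        # Weighted log-odds of Trojan vs benign; > 0 means Trojan is more likely.
        lo = log(self.prior[1]) - log(self.prior[0])
        for i, v in enumerate(x):
            p_t = self.p1[1][i] if v else 1 - self.p1[1][i]
            p_b = self.p1[0][i] if v else 1 - self.p1[0][i]
            lo += self.w[i] * (log(p_t) - log(p_b))
        return lo

    def classify(self, x, host_risk=0.0, shift=3.0):
        # Assumed adjustment: host_risk in [0, 1] from a separate risk assessment
        # moves the threshold linearly; a risky host needs less evidence to flag.
        threshold = shift * (0.5 - host_risk)
        return 1 if self.log_odds(x) > threshold else 0


if __name__ == "__main__":
    nb = WeightedNB(TRAIN)
    borderline = (0, 0, 1, 1, 0)  # hides a process and talks out, nothing else
    print(nb.classify(borderline, host_risk=0.0), nb.classify(borderline, host_risk=0.9))
```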
Keywords/Search Tags: program behavior analysis, hidden process detecting, Naive Bayes, security risk assessment