
Analyse And Research On Virus Behavior In Win32

Posted on: 2009-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: G Huang
Full Text: PDF
GTID: 2298360242476327
Subject: Software engineering

Abstract/Summary:
Since the rapid development of the Internet, the quickly growing number of malicious programs has caused more and more damage and economic loss to society. Typical examples are viruses, worms, trojans and spyware. How to detect viruses, and especially unknown viruses, has therefore become a critical problem and a focus of research in the field of network security.

The distinctive feature of behavior-based analysis is its ability to detect unknown viruses whose signatures are not yet included in the signature database. Unlike the traditional static signature-based detection method, it issues a verdict according to the run-time behavior characteristics of the virus.

In this paper, Win32 API calls are used to represent the run-time behavior of a virus. After a study of viruses, we relate each behavior to its corresponding API calls. We also implement an automatic analysis system, consisting of an engine and a plug-in, that traces the Win32 API calls; Windows debugging technology and virtual machine technology are employed to realize the system.

Finally, we present a Naïve Bayes classifier based on the characteristics generated by our automatic analysis system to detect viruses. Experimental results obtained from our classifier indicate that our characteristics describe the behavior of viruses well, with a low false positive fraction and a high hit rate.
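As an added illustration of the classification step described above (example code, not from the thesis or its analysis system): a Bernoulli Naïve Bayes classifier over the presence or absence of Win32 API calls in a run, trained on a small constructed set of labelled traces and then scored by hit rate and false positive fraction, the two measures the abstract reports. The API names, traces and labels are constructed for illustration; representing each run as the set of API names it called is an assumption about how traced calls would be turned into characteristics, and an API never seen in training is simply ignored at prediction time.

```python
import math
from collections import Counter

# Constructed traces: the set of Win32 API names observed in one run,
# labelled 1 = malicious, 0 = benign. Illustrative data, not the thesis's.
TRAINING = [
    ({"CreateFileA", "WriteFile", "CloseHandle"}, 0),
    ({"CreateFileA", "ReadFile", "CloseHandle", "MessageBoxA"}, 0),
    ({"RegOpenKeyExA", "RegQueryValueExA", "CloseHandle"}, 0),
    ({"CreateFileA", "WriteFile", "CloseHandle", "GetTickCount"}, 0),
    ({"FindFirstFileA", "FindNextFileA", "CreateFileA", "WriteFile", "WriteProcessMemory"}, 1),
    ({"RegSetValueExA", "CopyFileA", "CreateRemoteThread", "WriteProcessMemory"}, 1),
    ({"FindFirstFileA", "FindNextFileA", "CopyFileA", "RegSetValueExA"}, 1),
    ({"OpenProcess", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"}, 1),
]

# Constructed held-out traces; "Sleep" never appears in training and is ignored.
TEST = [
    ({"CreateFileA", "ReadFile", "CloseHandle", "Sleep"}, 0),
    ({"RegOpenKeyExA", "CloseHandle", "MessageBoxA"}, 0),
    ({"CopyFileA", "RegSetValueExA", "CreateFileA"}, 0),       # installer-like, flagged
    ({"CreateFileA", "WriteFile", "CloseHandle", "GetTickCount", "MessageBoxA"}, 0),
    ({"FindFirstFileA", "FindNextFileA", "CopyFileA", "WriteProcessMemory"}, 1),
    ({"OpenProcess", "CreateRemoteThread", "WriteProcessMemory"}, 1),
    ({"CreateFileA", "WriteFile", "CloseHandle", "FindFirstFileA"}, 1),  # missed
    ({"FindFirstFileA", "FindNextFileA", "RegSetValueExA", "CreateRemoteThread"}, 1),
]


class BernoulliNB:
    """Naive Bayes over presence/absence of each API call, with add-one smoothing."""

    def __init__(self, samples):
        self.vocab = sorted(set().union(*(trace for trace, _ in samples)))
        self.n = Counter(label for _, label in samples)
        counts = {0: Counter(), 1: Counter()}
        for trace, label in samples:
            counts[label].update(trace)
        # P(api present | class): (times seen + 1) / (class size + 2)
        self.p = {
            c: {api: (counts[c][api] + 1) / (self.n[c] + 2) for api in self.vocab}
            for c in (0, 1)
        }
        total = self.n[0] + self.n[1]
        self.log_prior = {c: math.log(self.n[c] / total) for c in (0, 1)}

    def log_odds(self, trace):
        """log P(malicious | trace) - log P(benign | trace); unseen APIs are ignored."""
        score = self.log_prior[1] - self.log_prior[0]
        for api in self.vocab:
            p1, p0 = self.p[1][api], self.p[0][api]
            if api in trace:
                score += math.log(p1) - math.log(p0)
            else:
                score += math.log(1 - p1) - math.log(1 - p0)
        return score

    def predict(self, trace):
        return 1 if self.log_odds(trace) > 0 else 0


def evaluate(model, samples):
    """Return (hit rate, false positive fraction) over labelled traces."""
    tp = fn = fp = tn = 0
    for trace, label in samples:
        pred = model.predict(trace)
        if label == 1:
            tp, fn = (tp + 1, fn) if pred == 1 else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if pred == 1 else (fp, tn + 1)
    return tp / (tp + fn), fp / (fp + tn)


if __name__ == "__main__":
    model = BernoulliNB(TRAINING)
    for trace, label in TEST:
        print(f"{sorted(trace)} label={label} verdict={model.predict(trace)}")
    hit, fpr = evaluate(model, TEST)
    print(f"hit rate={hit:.2f} false positive fraction={fpr:.2f}")
```

On this constructed data the classifier flags three of the four malicious runs and one of the four benign ones (the trace that copies files and writes a registry value, behavior an installer also shows), which is exactly the trade-off the hit rate and false positive fraction are meant to expose; more labelled traces and finer characteristics are what move both numbers.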
Keywords/Search Tags: virus, behavior-based analysis, Win32 API, run-time behavior, Naïve Bayes classifier