
Research And Realization Of The Malicious Code Detection System Based On Behavior Feature Analysis

Posted on: 2015-11-02
Degree: Master
Type: Thesis
Country: China
Candidate: J S Zhang
Full Text: PDF
GTID: 2308330473450270
Subject: Computer technology
Abstract/Summary:
Currently, with the rapid development of viruses, Trojans, backdoors and other malicious code, major incidents, serious economic losses and significant data leaks occur frequently. Traditional techniques are less effective at detecting unknown malicious code, so in-depth analysis of binary code behavior, mining the subtle behavioral differences between normal software and malware, is currently an urgent need in network security. In this thesis, we first study well-known malicious code currently found on the Internet (e.g. ghost, dog, Darkshell) through in-depth analysis, debugging and comparison to find the behavioral characteristics of malicious code. Then we research automatic analysis methods for malicious code through a variety of techniques, such as analysis of the application's IAT structure, API hooking, difference detection methods and notification-routine detection methods. Next, we analyze the principles of rootkit Trojans and their detection methods, focusing on IAT hooks, EAT hooks, IDT hooks and SSDT hooks. Finally, we analyze and compare the original attack tree model, the improved attack tree model and the extended attack tree model, and propose an improved attack tree model based on the weighted ("empowering") feature vector, which uses that feature vector to classify malicious behavior. Based on this improved attack tree model, we design and implement a prototype of an active detection system. The prototype models the functional behavioral characteristics of malicious code mathematically, uses a combination of the API call sequence, functional behavioral characteristics, hiding characteristics and rootkit behavioral characteristics as the basis for discrimination, and produces a detailed analysis and records of critical behavior to support manual removal and in-depth analysis of malicious code.
Experimental results show that this method can effectively detect known and unknown malicious code, including malicious code that uses anti-detection techniques such as take-command instructions, packers and polymorphism. The method in this thesis therefore has great value for the proactive identification of malicious code.
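The abstract describes an attack tree whose leaves are weighted behavior features, fed by an API call sequence and rootkit findings, and which outputs both a verdict and a record of the critical behaviors matched. The following Python is an added illustration of that idea, not code from the thesis: the tree structure, the weights, the API-to-feature rules, the threshold and the sample call traces are all constructed here as assumptions, and the scoring rule (weighted average under AND, best alternative under OR) is one simple choice, not the thesis's own model.

```python
"""Weighted attack-tree scoring over behavior features (added illustration).

The tree, weights, feature rules and sample traces below are constructed
for this example and are not the thesis's data or scoring rules.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of the attack tree: an AND/OR gate or a leaf behavior feature."""
    name: str
    gate: str = "LEAF"        # "AND", "OR" or "LEAF"
    weight: float = 1.0       # assumed weight: how much this branch counts in its parent
    children: list = field(default_factory=list)


# Constructed attack tree for a rootkit-style backdoor (assumed structure and weights).
# Stealth is weighted higher because hooking behavior rarely appears in benign software.
BACKDOOR_TREE = Node("rootkit_backdoor", "AND", children=[
    Node("persistence", "OR", weight=1.0, children=[
        Node("autorun_key"), Node("service_install")]),
    Node("stealth", "OR", weight=2.0, children=[
        Node("ssdt_hook"), Node("iat_hook"), Node("hidden_process")]),
    Node("communication", "OR", weight=1.0, children=[
        Node("outbound_connect"), Node("listen_socket")]),
])


def extract_features(api_calls, rootkit_scan=()):
    """Map a user-mode API call sequence [(api, argument), ...] to behavior features.

    Kernel-side findings (e.g. from an SSDT/IAT difference check) are passed in
    separately and merged, since they are not visible as API calls. The rules are
    illustrative assumptions, not the thesis's feature definitions.
    """
    feats = set(rootkit_scan)
    for api, arg in api_calls:
        if api == "RegSetValueEx" and "\\CurrentVersion\\Run" in arg:
            feats.add("autorun_key")
        elif api == "CreateService":
            feats.add("service_install")
        elif api == "connect":
            feats.add("outbound_connect")
        elif api in ("bind", "listen"):
            feats.add("listen_socket")
    return feats


def score(node, observed, trace):
    """Return the node's satisfaction in [0, 1]; matched leaves are appended to trace."""
    if node.gate == "LEAF":
        hit = node.name in observed
        if hit:
            trace.append(node.name)          # critical-behavior record for manual analysis
        return 1.0 if hit else 0.0
    parts = [(c.weight, score(c, observed, trace)) for c in node.children]
    if node.gate == "AND":
        total = sum(w for w, _ in parts)     # weighted average: partial credit per branch
        return sum(w * s for w, s in parts) / total
    return max(s for _, s in parts)          # OR: the best-satisfied alternative


def classify(api_calls, rootkit_scan=(), threshold=0.75):
    """Score one sample against the tree and return verdict plus matched behaviors."""
    feats = extract_features(api_calls, rootkit_scan)
    trace = []
    s = score(BACKDOOR_TREE, feats, trace)
    return {"score": round(s, 3), "malicious": s >= threshold, "matched": sorted(trace)}


# Constructed sample traces (documentation-range addresses, not real indicators).
BENIGN_UPDATER = [("connect", "203.0.113.10:443")]
SUSPECT_SAMPLE = [
    ("RegSetValueEx", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    ("connect", "198.51.100.7:8080"),
]
PARTIAL_SAMPLE = [("CreateService", "updsvc"), ("listen", "0.0.0.0:4444")]

if __name__ == "__main__":
    print("benign :", classify(BENIGN_UPDATER))
    print("suspect:", classify(SUSPECT_SAMPLE, rootkit_scan=("ssdt_hook",)))
    print("partial:", classify(PARTIAL_SAMPLE))
```

The benign updater only satisfies the communication branch and scores 0.25; the suspect sample satisfies all three branches once the kernel-side SSDT finding is merged and scores 1.0; the partial sample (persistence and a listening socket, no stealth) scores 0.5 and stays below the threshold, but its matched leaves are still recorded so an analyst can review them.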
Keywords/Search Tags:malicious code, behavioral characteristics, attack tree model