
Research And Implementation Of Malicious Code Detection Technology Based On Affinity

Posted on: 2015-09-01
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Chen
GTID: 2308330473453182
Subject: Computer technology

Abstract/Summary:
With the development and popularization of the Internet, network security problems are becoming more severe, and malicious code is one of the most serious of them. Most antivirus vendors currently rely on traditional signature-based scanning, structured as a scanning engine plus a virus database. This method has a very high detection rate and a very low false alarm rate for known viruses, but it cannot detect new malicious code accurately or in time, nor malicious code that uses packers, polymorphism, metamorphism or other anti-detection techniques. Moreover, the signature library keeps growing as new malicious code appears.

This thesis presents a malicious code analysis method based on affinity, which uses the API set and similar code (code fragments shared across samples) to characterize a malicious code affinity signature (MAS for short) for each class of malicious code. It also presents a detection method based on MAS (MAS detection for short), implements a detection engine based on affinity, integrates it into an intrusion detection system, and designs experiments to verify MAS detection. The experiments show that MAS detection achieves a better detection rate but a somewhat high false alarm rate, so further improvement is needed.

In addition, the MAS library keeps only one MAS per class of malicious code, which greatly reduces the size of the signature library, and MAS detection borrows from heuristic detection, so the MAS library does not need frequent updates and detection effectiveness stays relatively stable for a period of time.
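The following is an added illustration of the affinity-signature idea described above; it is not the thesis's code and the thesis does not state its exact MAS construction or affinity metric. It assumes that a class's MAS is the set of APIs imported by a majority of that class's samples, that affinity is the fraction of the MAS a sample covers, and that a sample is flagged when its affinity to the closest class reaches a threshold. The family names, API sets and test inputs are constructed for the example; the same set-based construction would apply to the "similar code" component (for instance opcode n-grams), which is omitted here.

```python
from collections import Counter

# Constructed per-sample API sets for two hypothetical malware classes.
# Illustrative data only, not from the thesis.
FAMILY_SAMPLES = {
    "downloader": [
        {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
         "CreateFileA", "WriteFile", "WinExec"},
        {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
         "CreateFileA", "WriteFile", "ShellExecuteA", "Sleep"},
        {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
         "CreateFileA", "WriteFile", "WinExec", "GetTempPathA"},
    ],
    "keylogger": [
        {"SetWindowsHookExA", "GetAsyncKeyState", "GetForegroundWindow",
         "CreateFileA", "WriteFile"},
        {"SetWindowsHookExA", "GetKeyState", "GetForegroundWindow",
         "CreateFileA", "WriteFile", "Sleep"},
        {"SetWindowsHookExA", "GetAsyncKeyState", "GetWindowTextA",
         "CreateFileA", "WriteFile"},
    ],
}


def build_mas(samples, min_fraction=0.6):
    """Assumed MAS construction: the APIs present in at least
    min_fraction of the class's samples (majority vote)."""
    counts = Counter(api for sample in samples for api in sample)
    needed = min_fraction * len(samples)
    return frozenset(api for api, n in counts.items() if n >= needed)


def build_mas_library(family_samples, min_fraction=0.6):
    """One MAS per class, so the library grows with the number of
    classes rather than with the number of samples."""
    return {name: build_mas(samples, min_fraction)
            for name, samples in family_samples.items()}


def affinity(sample_apis, mas):
    """Assumed affinity metric: the fraction of the class signature
    the sample exhibits. Coverage is used instead of plain Jaccard so
    that extra imports in a new variant (unpacking stubs, anti-debug
    calls) do not dilute the score."""
    if not mas:
        return 0.0
    return len(set(sample_apis) & mas) / len(mas)


def mas_detect(sample_apis, library, threshold=0.7):
    """Return (verdict, closest_class, score). The sample is flagged
    when its affinity to the closest class reaches the threshold."""
    best_class, best_score = max(
        ((name, affinity(sample_apis, mas)) for name, mas in library.items()),
        key=lambda item: item[1])
    verdict = "malicious" if best_score >= threshold else "benign"
    return verdict, best_class, round(best_score, 3)


MAS_LIBRARY = build_mas_library(FAMILY_SAMPLES)

# Constructed test inputs: an unseen downloader variant carrying extra
# imports, and a benign file-writing tool sharing a few generic APIs.
UNSEEN_VARIANT = {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                  "CreateFileA", "WriteFile", "CreateProcessA", "VirtualAlloc"}
BENIGN_TOOL = {"CreateFileA", "WriteFile", "ReadFile",
               "GetForegroundWindow", "MessageBoxA"}

if __name__ == "__main__":
    for name, mas in MAS_LIBRARY.items():
        print(name, sorted(mas))
    print(mas_detect(UNSEEN_VARIANT, MAS_LIBRARY))
    print(mas_detect(BENIGN_TOOL, MAS_LIBRARY))
```

The benign tool scores 0.6 against the keylogger signature purely through generic file and window APIs, which is the false alarm pressure the abstract mentions: generic APIs that many classes share should be down-weighted or excluded from the MAS before the threshold is lowered to catch more variants.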
Keywords/Search Tags: Malicious code, affinity, API, similar code, Malicious code Affinity Signature