
The Research Of Semantics-based Malware Behavior Signature Extraction And Classification Technology

Posted on: 2015-02-03. Degree: Master. Type: Thesis
Country: China. Candidate: Q Liu. Full Text: PDF
GTID: 2308330473453420. Subject: Computer software and theory
Abstract/Summary:
For a long time, malware has been a central problem in computer security. Malware generation techniques keep maturing: dozens of new malware samples appear on the Internet every second, most of them variants produced by polymorphism, and their spread and destructive capability exceed those of earlier samples. Both users and security experts therefore need an automatic classification system that can provide valuable information about the activities of malware.

Under these conditions, this thesis mainly studies behavior-based signature extraction for malware and the corresponding classification technology: analyzing samples in a safe environment to extract their behavior-based signatures efficiently and transparently, then classifying malware accurately using these signatures together with known information, and finally providing valuable information about behavior and classification.

The thesis first surveys malware implementation and related techniques and points out their impact on different analysis methods. Based on related resources and the typical behaviors of malware, we propose a behavior-based signature model and corresponding matching rules; this model remains effective when independent system calls are inserted or equivalent behaviors are substituted to confuse analysis. Then, after comparing known analysis technologies, we build an analysis environment for malware execution and signature extraction by extending the hardware emulator QEMU; by capturing resource objects and their related operations, it applies the matching rules to extract behavior-based signatures efficiently, transparently and with high security. For malware classification, we use hashing methods to narrow the scope of comparison according to the application environment described in this thesis, and we also study how to adjust the classification signatures.
We determine the grouping parameter of LSH with regard to recall, precision and computational complexity. Finally, experiments and tests show that our methods achieve higher precision and recall for samples classified into known classes while extracting meaningful behavioral information. At the end, we summarize the work of this thesis, point out the remaining problems and describe future work.
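As an added illustration (not code from the thesis), the following Python sketch shows the two ideas the abstract combines: a behavior-based signature built from (resource object, operation) atoms that stays stable under independent system call insertion and equivalent API substitution, and MinHash banding LSH whose bands/rows grouping parameter narrows the known classes a new sample is compared against. The equivalence map, the sample traces and the parameter values are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed equivalence map (assumption, not the thesis's rule set): API variants that
# perform the same resource operation collapse to one canonical op.
EQUIV = {"NtCreateFile": "create", "CreateFileW": "create", "NtWriteFile": "write",
         "WriteFile": "write", "NtSetValueKey": "regset", "RegSetValueExW": "regset",
         "connect": "connect", "WSAConnect": "connect", "SetWindowsHookExW": "hook"}

def extract_signature(trace):
    """trace: (api, resource_object) events from the sandbox. Calls touching no tracked
    resource are dropped, so inserted independent system calls do not alter the signature."""
    return {f"{obj}:{EQUIV[api]}" for api, obj in trace if api in EQUIV}
def minhash(sig, n):  # n min-hash values from a seeded SHA-256 family; empty set -> zeros
    return [min((int.from_bytes(hashlib.sha256(f"{s}|{a}".encode()).digest()[:8], "big")
                 for a in sig), default=0) for s in range(n)]
class LSHIndex:
    """Banding LSH over MinHash: bands*rows values split into `bands` groups. Signatures
    are compared only if some band matches exactly; bands/rows is the grouping parameter
    that trades recall against the number of exact comparisons."""
    def __init__(self, bands=16, rows=4):
        self.bands, self.rows, self.buckets, self.known = bands, rows, defaultdict(set), {}
    def _keys(self, sig):
        mh = minhash(sig, self.bands * self.rows)
        return [(b, tuple(mh[b * self.rows:(b + 1) * self.rows])) for b in range(self.bands)]
    def add(self, label, sig):
        self.known[label] = sig
        for key in self._keys(sig):
            self.buckets[key].add(label)
    def candidates(self, sig):  # known classes sharing at least one band bucket
        return set().union(*(self.buckets.get(k, set()) for k in self._keys(sig)))
    def classify(self, sig, threshold=0.5):  # exact Jaccard only against candidates
        best = max(((len(sig & self.known[c]) / len(sig | self.known[c]), c)
                    for c in self.candidates(sig)), default=(0.0, None))
        return (best[1], best[0]) if best[0] >= threshold else (None, best[0])
# Constructed traces (all values made up): two known classes and a dropper variant padded
# with unrelated calls and using equivalent APIs in place of the originals.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN = {"dropper-A": [("NtCreateFile", "C:\\Temp\\p.exe"), ("NtWriteFile", "C:\\Temp\\p.exe"),
                       ("NtSetValueKey", RUN_KEY), ("connect", "203.0.113.7:443")],
         "keylogger-B": [("SetWindowsHookExW", "WH_KEYBOARD_LL"),
                         ("NtCreateFile", "C:\\Temp\\k.log"), ("NtWriteFile", "C:\\Temp\\k.log")]}
VARIANT = [("GetTickCount", "-"), ("CreateFileW", "C:\\Temp\\p.exe"), ("Sleep", "-"),
           ("WriteFile", "C:\\Temp\\p.exe"), ("NtQueryPerformanceCounter", "-"),
           ("RegSetValueExW", RUN_KEY), ("WSAConnect", "203.0.113.7:443")]
def build_index():
    idx = LSHIndex()
    for label, trace in KNOWN.items():
        idx.add(label, extract_signature(trace))
    return idx
```

Running `build_index().classify(extract_signature(VARIANT))` yields `('dropper-A', 1.0)`: the padded, API-substituted variant normalizes to the same four atoms as the known dropper, and only classes sharing a band bucket are compared exactly.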
Keywords/Search Tags: malware, behavior signature, QEMU, Locality Sensitive Hashing