
Design And Realization Of A Platform For Malware Detection Based On Simulation Of VMware Virtual Machine

Posted on: 2015-07-21 | Degree: Master | Type: Thesis
Country: China | Candidate: X Jiang | Full Text: PDF
GTID: 2308330473953510 | Subject: Software engineering
Abstract/Summary:
In the field of malicious code detection, traditional signature-based virus detection still dominates. However, as hacking has become widespread, the number of malicious programs worldwide has grown substantially. Traditional detection must first collect samples before it can extract a virus's signature, so the analysis workload grows with the number of viruses. Moreover, the passive response model of the traditional technology always lags behind the attack, so it has an inherent delay.

A newer detection technology based on dynamic simulation of malicious code does not rely on a signature library that is limited by passive updating and response. It analyzes the dynamic behavior of files to decide whether they are malicious, and so effectively overcomes the lag inherent in the traditional approach. Because it inspects the details of the tested files' runtime behavior, it reaches a more accurate judgment and, at the same time, records the specific harmful actions of the malicious code.

The sandbox is a dynamic simulation technology now widely used by anti-virus software. Because it simulates only part of the CPU instruction set and a basic operating environment, a sandbox often fails to capture the actual malicious behavior of a file, which leads to a low detection and removal rate. To address the sandbox's insufficient simulation ability, this thesis combines hardware virtualization technology with a virtual-machine-based method that simulates a real environment for malicious code emulation, and proposes a weighting algorithm based on the probability difference of the same behavior.

The weighting algorithm assigns each malicious behavior a definite weight, which is then used to analyze and judge the nature of suspicious code. The completed work is as follows:

First, based on sample analysis and literature research, this thesis extracts and summarizes the basic behaviors of currently popular malicious code, and classifies and summarizes its key malicious behaviors.

Second, this thesis analyzes several classical malicious code decision algorithms, including a decision algorithm based on linear superposition of weights, a decision algorithm based on prior judgment with Bayes' theorem, and a decision algorithm based on support vector machines (SVM), and summarizes the features of each.

Third, to address the shortcomings of the traditional decision algorithms, this thesis proposes an algorithm that decides the weight of a malicious behavior from the behavior's probability difference in the double sample space, and uses it to improve the algorithm based on linear superposition of weights.

Finally, for the behavior features of malicious code, this thesis designs a corresponding behavior detection technology. Combining virtualization technology with the improved decision model, it designs and implements a virtual-machine-based malicious code simulation system and tests the overall performance of this system.
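The abstract describes the decision model only at a high level. The following example, added here and not code from the thesis, shows one concrete reading of it: each behavior's weight is its observed frequency among malicious samples minus its frequency among benign samples (the "double sample space"), a file's score is the linear superposition of the weights of the behaviors it exhibited under simulation, and the decision threshold is calibrated as the midpoint between the mean scores of the two training sets. The behavior names, the training samples and the midpoint threshold rule are all constructed assumptions for illustration; the uniform-weight baseline is included only to show why the difference weighting matters.

```python
from collections import Counter
from statistics import mean
from typing import Dict, List, Set

# Constructed training data (not from the thesis): each entry is the set of
# behaviours a sample exhibited while running in the simulated environment.
MALICIOUS_SAMPLES: List[Set[str]] = [
    {"inject_remote_thread", "set_autorun_key", "write_system_dir", "connect_remote_host"},
    {"inject_remote_thread", "set_autorun_key", "disable_security_service"},
    {"set_autorun_key", "write_system_dir", "connect_remote_host"},
    {"inject_remote_thread", "write_system_dir", "connect_remote_host", "create_window"},
]
BENIGN_SAMPLES: List[Set[str]] = [
    {"create_window", "read_user_file", "connect_remote_host"},
    {"create_window", "read_user_file"},
    {"write_system_dir", "create_window", "set_autorun_key"},  # e.g. a legitimate installer
    {"create_window", "connect_remote_host", "read_user_file"},
]


def behavior_frequency(samples: List[Set[str]]) -> Dict[str, float]:
    """Fraction of samples in one sample space that exhibit each behaviour."""
    counts = Counter(b for sample in samples for b in sample)
    return {b: c / len(samples) for b, c in counts.items()}


def probability_difference_weights(malicious: List[Set[str]],
                                   benign: List[Set[str]]) -> Dict[str, float]:
    """Weight = P(behaviour | malicious) - P(behaviour | benign).

    Behaviours common to both spaces (window creation, file reads) get
    weights near zero or negative; behaviours specific to malware get
    large positive weights.  This is the assumed reading of the thesis's
    'probability difference in the double sample space'.
    """
    p_mal = behavior_frequency(malicious)
    p_ben = behavior_frequency(benign)
    return {b: p_mal.get(b, 0.0) - p_ben.get(b, 0.0) for b in set(p_mal) | set(p_ben)}


def weighted_score(behaviors: Set[str], weights: Dict[str, float]) -> float:
    """Linear superposition of the weights of the observed behaviours."""
    return sum(weights.get(b, 0.0) for b in behaviors)


def calibrate_threshold(weights: Dict[str, float], malicious: List[Set[str]],
                        benign: List[Set[str]]) -> float:
    """Assumed rule: midpoint between the mean scores of the two training sets."""
    mean_mal = mean(weighted_score(s, weights) for s in malicious)
    mean_ben = mean(weighted_score(s, weights) for s in benign)
    return (mean_mal + mean_ben) / 2


def classify(behaviors: Set[str], weights: Dict[str, float], threshold: float) -> str:
    return "malicious" if weighted_score(behaviors, weights) > threshold else "benign"


def uniform_score(behaviors: Set[str], malicious: List[Set[str]]) -> int:
    """Baseline: every behaviour ever seen in a malicious sample counts 1.

    Ignoring the benign space inflates the score of ordinary behaviours."""
    known_bad = set().union(*malicious)
    return sum(1 for b in behaviors if b in known_bad)


if __name__ == "__main__":
    weights = probability_difference_weights(MALICIOUS_SAMPLES, BENIGN_SAMPLES)
    threshold = calibrate_threshold(weights, MALICIOUS_SAMPLES, BENIGN_SAMPLES)
    for name, w in sorted(weights.items(), key=lambda kv: -kv[1]):
        print(f"{name:26s} weight={w:+.2f}")
    print(f"threshold={threshold:.4f}")
    # Constructed test traces: an installer-like program and a dropper-like one.
    for trace in ({"set_autorun_key", "connect_remote_host", "create_window"},
                  {"inject_remote_thread", "set_autorun_key", "create_window"}):
        print(sorted(trace), "->", classify(trace, weights, threshold),
              "(uniform baseline score:", uniform_score(trace, MALICIOUS_SAMPLES), ")")
```

The installer-like trace scores 0.0 under difference weighting (its autorun and network behaviors are offset by the strongly benign window creation) and is classified benign, whereas the uniform baseline counts all three of its behaviors as malicious because each appears somewhere in the malicious sample space. The dropper-like trace, carrying remote thread injection, clears the calibrated threshold.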
Keywords/Search Tags: malicious code, dynamic simulation, heuristic, virtual machine, behavior detection