
Malware Analysis Technology Based On VMware

Posted on: 2016-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: J Li
Full Text: PDF
GTID: 2308330482453278
Subject: Communication and Information System
Abstract/Summary:
The growing frequency of malicious programs makes the network information security situation increasingly serious, and many new detection-evasion techniques (such as code morphing) make analysis increasingly difficult. Building on the fundamentals of current malware detection technology and the related virtual machine technology, this paper presents a comprehensive analysis and detection model. Using various detection and analysis tools, and carefully analysing the program code at different stages, different features are extracted. A stepwise approach is then adopted to classify malicious programs as correctly as possible and to provide evidence for the appropriate subsequent action. The main work is as follows:

1. A comprehensive analysis model based on virtual machine technology is proposed. Because current malware uses complex morphing, a pre-processing module in the proposed model is first used as a separate analysis stage. In this stage the program is unpacked or decrypted, so that its true code is revealed for the subsequent analysis. The model also adds a comprehensive analysis module, built on the static analysis and dynamic analysis modules, for analysing and detecting malicious programs that are harder to analyse and detect.

2. A new feature extraction method is built. This paper presents basic information extraction in the pre-processing phase, extraction of function features in the static analysis phase, and extraction of the program's behavioural characteristics in the dynamic analysis phase. On the one hand, the extracted feature information is more complete; on the other hand, the more accurate characteristics reveal the program's functionality and make correct judgements easier.

3. The idea of stepwise classification within the comprehensive analysis method is proposed. Previous methods perform a single final classification after analysing the detected suspicious programs. This paper instead proposes classification in steps, i.e. in the static stage, the dynamic stage and the final comprehensive analysis stage, so that each detected suspicious program is classified as soon as a stage allows. This not only classifies suspicious programs quickly, improves detection efficiency and saves analysis cost, but also maximises the correct classification of complex suspect programs.

4. Different classifiers are proposed for each module. Different classification algorithms are designed for the static and dynamic modules according to the features they extract. In the final comprehensive analysis module, the program's feature vector space is composed from weighted vectors. The SVM classification formula is slightly modified to suit the program classification task, and the SVM classifier is trained with an active learning method. Optimising step by step saves manpower and time.
Keywords/Search Tags: Malicious programs, virtual technology, detection and analysis techniques, SVM