
Research On Malicious Code Analysis Based On API Association

Posted on: 2015-09-06
Degree: Master
Type: Thesis
Country: China
Candidate: Z L Li
GTID: 2308330482479137
Subject: Computer software and theory
Abstract/Summary:
New malicious code appears without end, yet most analysts in the field still rely on static disassembly and dynamic debugging, so analysis throughput is very low. Automating the analysis raises that throughput and yields techniques that can improve the state of network security. Starting from a survey of existing analysis methods, this thesis studies how APIs, and the associations between API calls, can be used to extract the behavior of malicious code.

The thesis first reviews the current state of malicious code analysis and proposes a framework for automated analysis based on API association. Within this framework it defines a method for describing malicious code behavior and constructs a behavior analysis model. By studying the regularities of API calls, the model introduces an API association analysis method and generalizes the methods for extracting behavior.

On this basis, the thesis implements, on a dynamic binary analysis platform, the capture of the API call sequence of malicious code together with the parameters of each call. An association extraction technique that parses the API function library is then used to build the API association model and extract the associations between calls. For behavior extraction, the thesis builds a behavior description library, designs a behavior extraction algorithm, and implements behavior extraction on top of that library. Finally, a view construction technique analyzes the relationships between extracted behaviors and builds a hierarchical behavior view, giving the analyst a layered perspective.

The thesis implements a prototype malicious behavior analysis system based on API association and tests it on a large set of malicious code samples. Typical virus samples are also analyzed in depth to verify the system's functionality. The results show that the system extracts malicious code behavior quickly and accurately.
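The abstract describes the pipeline only at the level of components. The following is an added example written for this page, not the thesis prototype, showing the shape of such a pipeline in working code: a constructed Windows API call trace with parameters and return values, an API association step that links calls sharing a handle or object name, a small behavior description library matched against each association chain, and a two-level hierarchical view built from the matches. The trace, the association rule, the library contents and all names are assumptions; the thesis does not publish its own rules or library.

```python
"""Added example, not the thesis prototype: API-association-based behaviour
extraction over a constructed API call trace. Trace, association rule and
behaviour library are all assumptions made for illustration."""
from dataclasses import dataclass


@dataclass
class ApiCall:
    seq: int            # position in the captured call sequence
    name: str           # API name as a tracing platform would log it
    args: dict          # parameter name -> captured value
    ret: object = None  # return value (handles are what we link on)


# Constructed trace: a dropper interleaved with an unrelated file read.
DROP = r"C:\Users\x\AppData\svc.exe"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
TRACE = [
    ApiCall(1, "CreateFileW", {"path": DROP, "access": "GENERIC_WRITE"}, ret=0x1C),
    ApiCall(2, "CreateFileW", {"path": r"C:\Windows\win.ini", "access": "GENERIC_READ"}, ret=0x1D),
    ApiCall(3, "WriteFile", {"handle": 0x1C, "size": 40960}),
    ApiCall(4, "ReadFile", {"handle": 0x1D, "size": 512}),
    ApiCall(5, "CloseHandle", {"handle": 0x1D}),
    ApiCall(6, "CloseHandle", {"handle": 0x1C}),
    ApiCall(7, "RegOpenKeyExW", {"root": "HKCU", "subkey": RUN_KEY}, ret=0x2A),
    ApiCall(8, "RegSetValueExW", {"hkey": 0x2A, "name": "svc", "data": DROP}),
    ApiCall(9, "RegCloseKey", {"hkey": 0x2A}),
    ApiCall(10, "CreateProcessW", {"path": DROP}, ret=0x3B),
]

# Association rule (assumption): two calls are associated when one reuses a
# handle the other returned, or both name the same object (path / registry data).
LINK_ARGS = {"handle", "hkey", "path", "data"}


def association_keys(call):
    keys = {v for k, v in call.args.items() if k in LINK_ARGS}
    if call.ret is not None:
        keys.add(call.ret)
    return keys


def extract_associations(trace):
    """Union-find over shared keys; each chain is returned in sequence order and
    chains are ordered by their earliest call (root is always the smallest index)."""
    parent = list(range(len(trace)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_user = {}
    for i, call in enumerate(trace):
        for key in association_keys(call):
            if key in first_user:
                ra, rb = find(i), find(first_user[key])
                if ra != rb:
                    parent[max(ra, rb)] = min(ra, rb)
            else:
                first_user[key] = i
    chains = {}
    for i, call in enumerate(trace):
        chains.setdefault(find(i), []).append(call)
    return [chains[r] for r in sorted(chains)]


# Behaviour description library (assumption): ordered API patterns, each step
# optionally constrained by a predicate over the captured parameters.
BEHAVIOURS = {
    "file_drop": [("CreateFileW", lambda c: c.args.get("access") == "GENERIC_WRITE"),
                  ("WriteFile", None), ("CloseHandle", None)],
    "file_read": [("CreateFileW", lambda c: c.args.get("access") == "GENERIC_READ"),
                  ("ReadFile", None), ("CloseHandle", None)],
    "autorun_persistence": [("RegOpenKeyExW", lambda c: c.args.get("subkey") == RUN_KEY),
                            ("RegSetValueExW", None)],
    "run_dropped_file": [("CreateProcessW", None)],
}
# Second level of the hierarchical view: composites of first-level behaviours.
COMPOSITES = {"dropper_install": ["file_drop", "autorun_persistence", "run_dropped_file"]}


def match_pattern(chain, pattern):
    """Ordered subsequence match inside one chain; returns matched seq numbers or None."""
    matched, i = [], 0
    for call in chain:
        name, pred = pattern[i]
        if call.name == name and (pred is None or pred(call)):
            matched.append(call.seq)
            i += 1
            if i == len(pattern):
                return matched
    return None


def build_view(trace):
    """One node per association chain: its calls, matched leaf behaviours, and
    the composite behaviours whose parts were all found in that chain."""
    view = []
    for chain in extract_associations(trace):
        leaves = {}
        for bname, pattern in BEHAVIOURS.items():
            hit = match_pattern(chain, pattern)
            if hit:
                leaves[bname] = hit
        node = {"calls": [c.seq for c in chain], "behaviours": leaves, "composites": {}}
        for cname, parts in COMPOSITES.items():
            if all(p in leaves for p in parts):
                node["composites"][cname] = {p: leaves[p] for p in parts}
        view.append(node)
    return view


if __name__ == "__main__":
    for node in build_view(TRACE):
        print(node)
```

The point the association step makes is that the interleaved read of win.ini (calls 2, 4, 5) lands in its own chain, so the file_drop pattern cannot be satisfied by mixing the write handle with the unrelated CloseHandle, and the registry write is tied to the dropped file through the shared path rather than through adjacency in the raw sequence. A real system would derive the linkable parameters from the API function library (which parameters are handles, which are object names) instead of the hard-coded LINK_ARGS set used here.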
Keywords/Search Tags: API association, behavior analysis, malicious code, dynamic binary analysis, API call sequence, relationships between behaviors