Among current antivirus products, detection based on file signatures still holds the dominant position. But as computer technology develops and the grey industrial chain matures and grows, the number of viruses keeps rising and their design becomes increasingly complex, professional and technically sophisticated. Signature-based scanning presupposes that the virus file has first been obtained, so it inherently lags behind new threats; moreover, analysing large volumes of unknown samples to extract signatures demands heavy investment of manpower and material resources, which is often unrealistic. In recent years, therefore, many virus researchers have proposed the idea of automatic identification. After a period of exploration, two kinds of automatic identification technology have become mainstream. The first is sandbox-based automated analysis of virus samples: a designated computer is simulated together with a virtual file system and memory system, the sample's main behaviours are redirected into this environment, and the sample is identified from the program's instruction stream and data stream. The second is honeypot-based automatic identification of virus samples: a monitoring program is installed on a real operating system, the sample is induced to perform its malicious operations, and identification follows from what is observed. Because sandbox-based identification is costly to implement and is limited by the fidelity of instruction simulation and by poor simulation of the operating environment, it is mainly used inside antivirus engines as an auxiliary means of local appraisal. For automatic identification in the back end, honeypot-based sample identification is mainly used.
This paper improves on traditional honeypot technology: using virtualization, multiple simulated honeypot environments are created simultaneously on one hardware platform, greatly improving resource utilisation. On this basis, sample identification is achieved through behaviour monitoring and an identification method based on appraisal rules and dynamic weights. The main work is as follows. First, through study of a large number of samples and of the related literature, the main operating behaviours of viruses are summarised and extracted. Second, based on the extracted program behaviours, a virus behaviour monitoring system is designed and its technical principles are studied. Third, from the monitored behaviour characteristics, appraisal rules are designed and an appraisal scheme using combination-weight theory is implemented; through this double appraisal, virus samples are accurately identified. Finally, on the basis of the virus behaviour monitoring and sample identification schemes, an automatic identification system based on program behaviour monitoring is designed and implemented, and experiments are carried out to verify the system's effectiveness and performance.
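The abstract describes a double appraisal: rules matched against monitored behaviour, plus a score built from combination weights. The following is an added illustration of how such a scheme can be assembled; it is not the paper's code, and the behaviour names, the analyst weights, the reference corpus statistics, the geometric-mean combination, the threshold and the monitor event records are all constructed assumptions. Decisive rules give an immediate verdict, while the remaining behaviours contribute a normalised weighted score, so a sample can be flagged either by one unambiguous action or by an accumulation of weaker indicators.

```python
"""Rule-plus-weight appraisal of a sample's monitored behaviour.

Constructed example: behaviour names, weights, reference statistics and the
event records below are illustrative assumptions, not data from the paper.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    expert_weight: float    # static weight set by the analyst (assumed values)
    decisive: bool = False  # a decisive rule on its own marks the sample malicious


RULES = {r.name: r for r in (
    Rule("write_system_dir", 0.6),
    Rule("autorun_registry", 0.7),
    Rule("remote_thread", 0.9, decisive=True),
    Rule("outbound_connect", 0.3),
    Rule("self_delete", 0.8),
    Rule("disable_security", 0.9, decisive=True),
)}

# Assumed corpus statistics: (fraction of malicious samples, fraction of benign
# samples) that exhibited each behaviour. The dynamic weight is derived from these.
REFERENCE = {
    "write_system_dir": (0.55, 0.10),
    "autorun_registry": (0.70, 0.05),
    "remote_thread":    (0.40, 0.01),
    "outbound_connect": (0.80, 0.60),
    "self_delete":      (0.35, 0.01),
    "disable_security": (0.30, 0.005),
}


def dynamic_weight(name):
    """Data-derived weight: log-likelihood ratio of the behaviour under malware
    versus benign software, squashed into [0, 1) and clamped so behaviours that
    are commoner in benign software contribute nothing."""
    p_mal, p_ben = REFERENCE[name]
    llr = math.log(p_mal / p_ben)
    return max(0.0, 1.0 - math.exp(-llr))


def combined_weight(name):
    """Combination weight: geometric mean of the analyst's static weight and the
    corpus-derived dynamic weight, so neither source dominates on its own."""
    return math.sqrt(RULES[name].expert_weight * dynamic_weight(name))


def extract_features(events, sample_path):
    """Map raw monitor events (API name plus arguments) to behaviour features."""
    feats = set()
    me = sample_path.lower()
    for ev in events:
        api, path = ev.get("api"), ev.get("path", "").lower()
        if api in ("CreateFile", "WriteFile") and path.startswith("c:\\windows\\"):
            feats.add("write_system_dir")
        elif api == "RegSetValue" and "\\currentversion\\run" in ev.get("key", "").lower():
            feats.add("autorun_registry")
        elif api == "CreateRemoteThread":
            feats.add("remote_thread")
        elif api == "connect":
            feats.add("outbound_connect")
        elif api == "DeleteFile" and path == me:
            feats.add("self_delete")
        elif (api == "ControlService" and ev.get("control") == "stop"
              and ev.get("service", "").lower() == "windefend"):
            feats.add("disable_security")
    return feats


def appraise(events, sample_path, threshold=0.5):
    """Double appraisal: decisive rules first, then the normalised weighted score."""
    feats = extract_features(events, sample_path)
    total = sum(combined_weight(n) for n in RULES)
    score = sum(combined_weight(n) for n in feats) / total
    decisive = sorted(n for n in feats if RULES[n].decisive)
    verdict = "malicious" if decisive or score >= threshold else "benign"
    return {"features": sorted(feats), "decisive": decisive,
            "score": round(score, 3), "verdict": verdict}


# Constructed monitor logs for three hypothetical samples.
SAMPLE = "C:\\Users\\lab\\sample.exe"
BENIGN_EVENTS = [
    {"api": "WriteFile", "path": "C:\\Users\\lab\\output.txt"},
    {"api": "connect", "addr": "198.51.100.7:443"},
]
DROPPER_EVENTS = [
    {"api": "CreateFile", "path": "C:\\Windows\\System32\\drop.dll"},
    {"api": "RegSetValue", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"api": "connect", "addr": "203.0.113.9:8080"},
    {"api": "DeleteFile", "path": SAMPLE},
]
INJECTOR_EVENTS = [
    {"api": "CreateRemoteThread", "pid": 1234},
]

if __name__ == "__main__":
    for label, evs in (("benign", BENIGN_EVENTS), ("dropper", DROPPER_EVENTS),
                       ("injector", INJECTOR_EVENTS)):
        print(label, appraise(evs, SAMPLE))
```

With these assumed figures the benign sample scores about 0.06, the dropper reaches about 0.59 from four non-decisive behaviours and is flagged by weight alone, and the injector scores only about 0.21 yet is flagged because remote thread creation is a decisive rule. The corpus-derived weight keeps a common, low-information behaviour such as outbound connection from inflating the score, which is the role dynamic weights play alongside fixed appraisal rules.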