
The Design And Implementation Of A Malware Analysis System Based On Virtual Machine

Posted on: 2017-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: B Jiang
Full Text: PDF
GTID: 2308330503968484
Subject: Software engineering
Abstract/Summary:
Malware is a program that performs malicious tasks on a computer; examples include viruses, Trojans, worms and malicious advertising programs. With the rapid development of the Internet, the challenges and threats facing network security are also growing fast. If we can solve the identification and analysis of malware, abstract its activity model and network characteristics, and effectively block it with network devices such as an Intrusion Prevention System or a firewall, that is an effective way to enhance network security.

The traditional method of analyzing malware is static analysis, which is based on malware signatures. Malicious programs are now growing at a rapid rate, however, and with the use of encryption and polymorphic transformation a static analysis system cannot be effective against unknown malicious programs, so dynamic analysis based on behavior has become the new solution. In this study, we build a malware analysis system based on the dynamic analysis approach. The system uses virtual machine technology to monitor the guest system at the kernel level, and captures the operations and behavior of malicious programs by monitoring files, the registry, system API calls and other aspects.

Dynamic analysis based on a virtual machine can identify the high-risk behavior of malicious programs, abstract their activity characteristics, model their behavior effectively, distinguish malicious programs from normal programs, and warn the administrator in time. In addition, the system can connect to the mail server and analyze all e-mail the company receives in order to detect malicious programs in time, and it uses a virtual network response to extract the malware's C&C domains and IP addresses. Knowing the origin and the network communication features of malicious programs helps us configure the intrusion prevention device, firewall, spam filters and other devices on the network to block the communication of detected malicious programs.

In this study, using Windows system monitoring technology and malware behavior analysis technology, we grasp the characteristics of malware's operating mechanism and activities and establish a malware behavior analysis model. Using machine learning methods, the system learns from a large number of malicious and normal program samples to determine the associations and weights among different behavior rules. When an unknown program is submitted for analysis, the system can judge whether it is malware or not, which can effectively improve the security level of the network.
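As an added illustration (not code from the thesis), the sketch below shows the shape of the behavior-rule approach the abstract describes: constructed kernel-monitor events for one sample are matched against weighted behavior rules (executable dropped under AppData, Run-key persistence, a process-injection API call, an outbound connection), the weights are summed into a verdict, and the contacted domains and IPs are pulled out as candidate C&C indicators for firewall or IPS blocking. The event line format, the rules, the weights and the threshold are all assumptions of this example; the thesis derives rule weights with machine learning, which is not reproduced here.

```python
import re
# Constructed sample of kernel-level monitor events, one per line as "<source>|<action>|<target>".
# The line format, the rules, their weights and the threshold are assumptions for this example.
SAMPLE_TRACE = """\
file|create|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe
registry|set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
api|call|WriteProcessMemory
network|connect|evil-cc.example:443
network|connect|203.0.113.7:8080
file|create|C:\\Users\\victim\\Documents\\notes.txt
"""

# Behavior rules: (event source, regex over "action|target", illustrative weight).
RULES = [
    ("file",     r"create\|.*\\AppData\\.*\.exe$",                  0.25),  # executable dropped
    ("registry", r"set\|HKCU\\.*\\CurrentVersion\\Run\\",           0.30),  # Run-key persistence
    ("api",      r"call\|(WriteProcessMemory|CreateRemoteThread)$", 0.30),  # process injection API
    ("network",  r"connect\|",                                       0.10),  # outbound connection
]
THRESHOLD = 0.7  # verdict boundary; assumed, not taken from the thesis
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_trace(text):
    """Split the trace into (source, action, target) tuples, skipping malformed lines."""
    rows = (line.strip().split("|", 2) for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 3]

def extract_network_indicators(events):
    """Hosts the sample connected to, split into domains and IPs (candidate C&C indicators)."""
    domains, ips = set(), set()
    for src, action, target in events:
        if src == "network" and action == "connect":
            host = target.rsplit(":", 1)[0]
            (ips if IP_RE.match(host) else domains).add(host)
    return sorted(domains), sorted(ips)

def score_behavior(events):
    """Sum the weights of every rule matched at least once; the score is capped at 1.0."""
    matched = {i for src, action, target in events
               for i, (rule_src, pattern, _) in enumerate(RULES)
               if src == rule_src and re.search(pattern, f"{action}|{target}")}
    return min(1.0, sum(RULES[i][2] for i in matched)), sorted(matched)

def analyze(text):
    """Score one sample's trace and report the verdict plus network indicators to block."""
    events = parse_trace(text)
    score, matched = score_behavior(events)
    domains, ips = extract_network_indicators(events)
    return {"score": round(score, 2), "matched_rules": matched, "c2_domains": domains,
            "c2_ips": ips, "verdict": "malware" if score >= THRESHOLD else "benign"}
```

Running `analyze(SAMPLE_TRACE)` flags the constructed sample as malware and lists `evil-cc.example` and `203.0.113.7` as the indicators a defender would feed to the firewall or IPS.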
Keywords/Search Tags: malware, dynamic analysis, virtual machine, kernel-level monitoring