
Malware Behavior Automatic Detection Method Based On Sand Box Technology

Posted on: 2016-07-27
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Li
Full Text: PDF
GTID: 2348330479454724
Subject: Computer technology

Abstract/Summary:
Malware spreads through computer systems and the Internet by many methods and threatens the security of the network environment. Any software that damages the user, the computer or the network can be regarded as malicious code, including computer viruses, Trojans, worms, ransomware, spyware and so on. As the Internet has developed, the threat of malware has drawn more and more attention, so research on malicious code detection technology has important practical significance. Current anti-virus software uses signature-based scanning, which relies on known signatures: malicious code with new features cannot be detected, and as the amount of malicious code increases, the ever-growing number of signatures has become a serious problem.

To address the shortcomings of current methods, we propose an automated malware behavior detection method based on sandbox technology. The main idea is to use virtual machine software to build a sandbox environment that integrates static analysis and dynamic analysis. The static analysis consists of detecting packed malware by file entropy and scanning malware for signatures with ClamAV; the dynamic analysis consists of monitoring system calls to capture the run-time behavior of the malware, classifying and grading malicious behavior against an existing knowledge base, and acquiring a memory image using virtual machine technology. Using these methods we implemented a sandbox system that analyzes malware automatically with both static and dynamic methods.

We used the system to detect typical malware samples we collected. First we focused on two typical samples, Conficker and IMworm; the system effectively detected most of their malicious behavior, with behavior detection rates of 66.7% and 80.0% respectively. We then analyzed 44 collected malware samples and compared the results with the well-known detection system File B-chao. The results show that our system's ability to detect malicious behavior equals that of File B-chao, and that it is superior for part of the tested behavior, such as disabling system services, modifying the system restore point and disabling registry tools. The system thus automates malware detection and improves analysis efficiency.
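The file-entropy check that the abstract lists under static analysis, as an added example that is not the thesis's own code: it computes Shannon entropy for the whole file and per chunk, so that a packed or encrypted region inside an otherwise ordinary file is still noticed. The 7.0 bits/byte threshold and the 2048-byte chunk size are assumed heuristics, and the three sample buffers are constructed inline.

```python
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumed heuristic (bits/byte), not taken from the thesis
CHUNK_SIZE = 2048        # assumed chunk size for the per-region check


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, so a packed region stands out."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def assess_packing(data: bytes, chunk_size: int = CHUNK_SIZE,
                   threshold: float = PACKED_THRESHOLD) -> dict:
    """Flag a file as likely packed if the whole file or any chunk is above threshold."""
    whole = shannon_entropy(data)
    chunks = chunk_entropies(data, chunk_size)
    suspicious = [i for i, h in enumerate(chunks) if h >= threshold]
    return {
        "whole_file_entropy": whole,
        "chunk_entropies": chunks,
        "suspicious_chunks": suspicious,
        "likely_packed": whole >= threshold or bool(suspicious),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for a packed/encrypted region."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: plain text (low entropy), fully "packed" (high entropy),
# and a mixed file whose whole-file entropy stays low but hides a packed region.
PLAIN_SAMPLE = (b"This program cannot be run in DOS mode.\r\n$" * 200)[:8192]
PACKED_SAMPLE = pseudo_random_bytes(8192)
MIXED_SAMPLE = PLAIN_SAMPLE + pseudo_random_bytes(4096, seed=b"region")

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("mixed", MIXED_SAMPLE)):
        result = assess_packing(sample)
        print(f"{name}: whole={result['whole_file_entropy']:.2f} "
              f"suspicious_chunks={result['suspicious_chunks']} packed={result['likely_packed']}")
```

The mixed sample shows why a single whole-file number is not enough: its overall entropy stays under the threshold, but the per-chunk pass still isolates the high-entropy region.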
Keywords/Search Tags: File Entropy, Packed, Dynamic Analysis, Sandbox Technology, Malicious Behavior