
Kernel Object Behavior-based Malware Detection Method And Ontology Representation

Posted on: 2016-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Xiao
Full Text: PDF
GTID: 2348330503486916
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, with the rapid development of the Internet, the Internet information era has arrived. The Internet has brought great convenience to people, whose lives have become integrated with it; at the same time it carries huge security risks. With viruses, Trojans, worms and other malware spreading and evolving unchecked, malware has confronted people with endless trouble and fear. Malware writers who blindly pursue their own interests have created a wide variety of code that harms the whole network, and this phenomenon has formed an entrenched black industry chain. Malware detection has undoubtedly become a focus of research in the field of network security. Many researchers have engaged in malware research and obtained many important results. With deeper research on ontology, people have found that ontology can describe the knowledge of a given field with high rigor and accuracy. We think that using ontology to describe knowledge in the malware field is meaningful work. In this paper we build a malware ontology for detecting malware, and we propose a method to construct a malware ontology based on kernel object behavior for malware detection. We use the binary analysis tool TEMU to obtain the activity information of malware kernel objects, and use dynamic taint analysis to obtain the objects' propagation information effectively. We then analyze these malware behaviors and construct the kernel object behavior graph of the malware. Three kinds of information can be read from the graph: the character string information of kernel objects, the information about operations on kernel objects, and the dependency information between kernel objects. After obtaining the behavior graph, we use pruning techniques to optimize it, which reduces the size of the kernel object behavior graph and better reflects the features of the objects' behavior.
We also apply a graph clustering method to extract common behavior, and generate the common behavior of a malware family by means of the maximum common supergraph and the weighted minimum common supergraph. We create two rules that focus on different aspects to detect malware. Following the construction rules of OWL, all of this information is converted into a malware behavior domain ontology covering both malware individuals and malware families. Because of the strict structure of the ontology, we obtain better recall and accuracy for malware detection.
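The pipeline sketched in the abstract (behavior graph from kernel object events, pruning, weighted common supergraph over a family, rule-based matching), as an added Python example that is not the thesis's code. The event format, the renaming of the sample's process node, the noise list and the two detection rules are assumptions made here, and the traces are constructed.

```python
from collections import Counter

# Added example, not the thesis's code. Assumed trace format: events of
# (source_object, operation, target_object) with objects as "Type:Name";
# a "taint" operation records a dependency found by dynamic taint analysis.
FAMILY_TRACES = [  # constructed traces for three members of one family
    [("Process:a.exe", "SetValue", "Key:HKLM\\Run"),
     ("Process:a.exe", "WriteFile", "File:C:\\sys\\svc.dll"),
     ("File:C:\\sys\\svc.dll", "taint", "Key:HKLM\\Run"),
     ("Process:a.exe", "QueryValue", "Key:HKLM\\CodePage")],
    [("Process:b.exe", "SetValue", "Key:HKLM\\Run"),
     ("Process:b.exe", "WriteFile", "File:C:\\sys\\svc.dll"),
     ("File:C:\\sys\\svc.dll", "taint", "Key:HKLM\\Run"),
     ("Process:b.exe", "CreateMutant", "Mutant:Global\\m1")],
    [("Process:c.exe", "SetValue", "Key:HKLM\\Run"),
     ("Process:c.exe", "WriteFile", "File:C:\\sys\\svc.dll"),
     ("Process:c.exe", "CreateMutant", "Mutant:Global\\m1")],
]
NOISE = {"Key:HKLM\\CodePage"}  # constructed: objects every process touches

def behavior_graph(events):
    """Edge set of the kernel object behavior graph. The sample's own
    process is renamed 'Process:self' so graphs of different samples align."""
    return {("Process:self" if s.startswith("Process:") else s, op, d)
            for s, op, d in events}

def prune(graph):
    """Drop edges to noise objects unless the object is tainted, i.e. it
    carries data the sample produced and so is part of its behavior."""
    tainted = {o for s, op, d in graph if op == "taint" for o in (s, d)}
    return {e for e in graph if e[2] not in NOISE or e[2] in tainted}

def weighted_common_supergraph(graphs):
    """Union of the members' graphs, each edge weighted by how many members
    contain it; with labelled nodes this is the family's minimum common supergraph."""
    return Counter(e for g in graphs for e in g)

def family_signature(traces, min_support=0.6):
    """Common family behavior: edges carried by >= min_support of members."""
    graphs = [prune(behavior_graph(t)) for t in traces]
    weights = weighted_common_supergraph(graphs)
    return {e for e, w in weights.items() if w / len(graphs) >= min_support}

def detect(sample, signature, threshold=0.75):
    """Rule 1: the sample's pruned graph covers >= threshold of the family's
    common edges. Rule 2: it touches every object string the signature names."""
    g = prune(behavior_graph(sample))
    coverage = len(g & signature) / len(signature)
    named = {o for s, _, d in signature for o in (s, d)}
    touched = {o for s, _, d in g for o in (s, d)}
    return coverage >= threshold, named <= touched
```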
Keywords/Search Tags: kernel object, ontology, malware detection