
Research On Behavior Feature Detection Of Deformed Malicious Code Based On System Call

Posted on: 2018-07-30
Degree: Master
Type: Thesis
Country: China
Candidate: K M Wu
Full Text: PDF
GTID: 2348330512488954
Subject: Information security
Abstract/Summary:
Malicious code poses a serious threat to computer security. According to statistics from 360, 356 million new malware samples were added in 2015. As polymorphic and deformation (metamorphic) techniques are widely used in malicious code, the chance that malicious code evades anti-virus detection has risen significantly. How to advance the detection technology for deformed malicious code is therefore both the difficult point and the key point of defense.

This thesis focuses on the detection of malicious code and its variants on the PC side. From an analysis of prior work we find that many scholars have studied the theory of taint propagation, but control dependencies and the risk weights of parameters have not been considered when the features of malicious code are extracted, so the extracted features cannot fully reflect the essential behavior of malicious code. In view of this, the thesis combines dynamic taint propagation theory with malicious code behavior detection and proposes an effective detection scheme for malicious code and its variants. The main work of this thesis is as follows:

First, the thesis chooses the risky system calls of malicious code (referred to as risk behavior) and the dependency relationships among risky system calls as the original features of malicious code. In the process of extracting behavior dependencies, we establish a weighted taint propagation rule and apply it to construct the original feature graph of malicious code behavior dependencies with risk weights (referred to as the behavior dependency graph).

Second, when extracting the behavior dependency relationships of malicious code, both behavior dependency relationships and control relationships are incorporated into the dependency relationships of malicious code, and the behavior dependency graph is constructed according to the weighted taint propagation rule proposed above.

Third, the obfuscating behaviors of equivalent calls and invalid calls are identified through a corresponding anti-aliasing process applied to the extracted behavior dependency graph. For equivalent-call obfuscation, equivalent replacement is used to restore the true intent of the malicious code. For invalid-call obfuscation, the calls are removed directly, which simplifies the dependency relationships among malicious code behaviors and improves the anti-interference property of the original features. The malicious behavior features are then further extracted from the original features that have been processed by anti-aliasing.

Finally, a behavior dependency feature extraction system (referred to as the BDFE system) is constructed to extract the behavior features of malicious code. A prototype malicious code detection system is then built by combining it with a neural network algorithm; samples of malicious code are detected and the detection results are analyzed. The thesis also designs a set of comparative experiments, comparing against a thesis that uses the same technology and against 360 anti-virus software respectively. The experimental results show that the proposed detection scheme improves the anti-interference ability of the behavior dependency graph to a certain extent and has good ability to detect and recognize widely disseminated deformed malicious code.
Keywords/Search Tags:malicious code detection, behavior dependency, weighted taint propagation, neural network
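As an added illustration (not code from the thesis or its BDFE system), the following Python sketch shows the three ideas the abstract names on a constructed system-call trace: a behavior dependency graph with both data (taint) edges and control edges, a weighted taint propagation rule, and an anti-aliasing pass that replaces equivalent calls with one canonical name and removes invalid calls before features are extracted. The call names, the risk weights, the alias table, the decay factor and the propagation formula are all assumptions chosen for illustration; the thesis's actual rule and weights are not given on this page.

```python
"""Added example, not code from the thesis: a toy behaviour dependency graph
with weighted taint propagation and anti-aliasing over a constructed
system-call trace. Risk weights, alias table and the propagation rule are
assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed per-call risk weights for canonical call names (0 = housekeeping).
RISK = {"CreateFile": 0.3, "ReadFile": 0.2, "WriteFile": 0.5,
        "CreateProcess": 0.9, "RegSetValue": 0.7,
        "GetTickCount": 0.0, "Sleep": 0.0}
# Equivalent-call table (assumed): aliases with the same effect are replaced
# by one canonical name, so renaming a call cannot hide the behaviour.
EQUIVALENT = {"CreateFileA": "CreateFile", "CreateFileW": "CreateFile",
              "NtCreateFile": "CreateFile", "RegSetValueExW": "RegSetValue",
              "WinExec": "CreateProcess"}
# Calls treated as invalid padding (assumed): carry no risk and are dropped.
INVALID = {"GetTickCount", "Sleep"}
DECAY = 0.5  # assumed attenuation of taint carried over one dependency edge


@dataclass
class Call:
    idx: int
    name: str                    # raw API name as logged
    inputs: tuple                # tokens (handles, buffers, paths) consumed
    outputs: tuple               # tokens produced
    guard: Optional[int] = None  # idx of the call whose result decides whether this runs


@dataclass
class Node:
    idx: int
    name: str
    base: float
    preds: set = field(default_factory=set)  # {(pred_idx, "data" | "control")}
    risk: float = 0.0


def build_graph(trace):
    """Data edge u->v when an output token of u is consumed by v (taint flow);
    control edge guard->v when v's execution depends on guard's result."""
    nodes, producer = {}, {}          # producer: token -> idx of latest producer
    for c in trace:
        name = EQUIVALENT.get(c.name, c.name)   # equivalent-call replacement
        n = Node(c.idx, name, RISK.get(name, 0.1))
        n.preds.update((producer[t], "data") for t in c.inputs if t in producer)
        if c.guard is not None and c.guard in nodes:
            n.preds.add((c.guard, "control"))
        for t in c.outputs:
            producer[t] = c.idx
        nodes[c.idx] = n
    return nodes


def remove_invalid(nodes):
    """Anti-aliasing: drop invalid calls and any edges that touched them."""
    kept = {i: n for i, n in nodes.items() if n.name not in INVALID}
    for n in kept.values():
        n.preds = {(p, k) for p, k in n.preds if p in kept}
    return kept


def propagate(nodes):
    """Assumed weighted taint rule: risk(v) = min(1, base(v) + DECAY * max risk(pred))."""
    for i in sorted(nodes):           # trace order, so predecessors are scored first
        n = nodes[i]
        inherited = max((nodes[p].risk for p, _ in n.preds), default=0.0)
        n.risk = round(min(1.0, n.base + DECAY * inherited), 4)
    return nodes


def features(nodes):
    """Behaviour features: weighted dependency edges keyed by (pred, succ, kind),
    usable as input to a classifier."""
    feats = {}
    for n in nodes.values():
        for p, kind in n.preds:
            key = (nodes[p].name, n.name, kind)
            feats[key] = round(feats.get(key, 0.0) + n.risk, 4)
    return feats


def extract(trace):
    return features(propagate(remove_invalid(build_graph(trace))))


# Constructed trace (not a real sample): a dropper-like pattern padded with
# timing calls and using ANSI/Unicode/native aliases of the same APIs.
TRACE = [
    Call(0, "GetTickCount", (), ("t0",)),
    Call(1, "CreateFileW", ("self.exe",), ("h1",)),
    Call(2, "ReadFile", ("h1",), ("buf",)),
    Call(3, "Sleep", ("t0",), ()),
    Call(4, "NtCreateFile", ("drop.exe",), ("h2",)),
    Call(5, "WriteFile", ("h2", "buf"), ("drop.exe",)),
    Call(6, "WinExec", ("drop.exe",), ("pid",)),
    Call(7, "RegSetValueExW", ("drop.exe",), (), guard=6),
]

if __name__ == "__main__":
    for key, w in sorted(extract(TRACE).items(), key=lambda kv: -kv[1]):
        print(f"{key[0]} -> {key[1]} [{key[2]}]: {w}")
```

Running the sketch on the constructed trace leaves six weighted edges: the two timing calls and the edge between them disappear, the three spellings of file creation and the `WinExec` alias collapse onto `CreateFile` and `CreateProcess`, and the risk accumulated along the read-write-execute chain saturates at 1.0 on the process creation and on the registry write that is control-dependent on it. The feature dictionary, not the neural network, is the part this example covers; the classifier would consume such vectors.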