
Research And Implementation Of Anomaly Detection Based On Software Behavior Model

Posted on: 2018-06-14
Degree: Master
Type: Thesis
Country: China
Candidate: X P Du
Full Text: PDF
GTID: 2348330518495950
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of global information technology, and especially the application of network technology, people's lives have changed substantially; while people enjoy the benefits of science and technology, they also face threats to information security. According to data released by the Internet Emergency Center in August 2016, computer viruses and system vulnerabilities increased significantly compared with the previous month. Security incidents occur frequently both domestically and internationally and have done great harm to people's lives. Malicious programs play an important role in these incidents, so detecting malicious programs has become important. At run time, a malicious program often performs behaviors that harm the system. These abnormal behaviors cause the system to enter an abnormal state, and detecting them is the key to detecting malicious programs. This paper proposes a malicious behavior detection system based on a malicious behavior model and a machine learning classification algorithm. Several typical malicious programs are analyzed using a combination of static and dynamic analysis, a malicious behavior model is established, and a machine learning algorithm is used to classify and detect malicious programs.

In this paper, the anomaly detection technology based on the software behavior model is implemented, and the experimental results are compared to verify the effectiveness of the system. The work of this paper is mainly reflected in the following points:
(1) Malicious programs are analyzed with a combination of static and dynamic analysis methods, and the mechanism of malicious behavior is studied.
(2) A malicious behavior model is established and used to construct a multi-class classifier with the SVM classification algorithm. The classifier can assign a program under detection to one of several classes (virus, Trojan, worm, backdoor, or normal program), which demonstrates the feasibility of this method.
(3) A classifier with higher accuracy is obtained by choosing an appropriate kernel function and optimizing the parameters.
(4) An abnormal behavior detection system based on the malicious behavior model and the support vector machine classification model is implemented, and the correctness of the system is verified by experiments.
In the analysis phase, extracting the behavior characteristics of malicious programs by combining static and dynamic analysis works better than static or dynamic analysis alone. In the detection phase, detection based on system calls achieves a higher degree of accuracy, and the classifier built with the selected kernel function and parameters achieves a good classification effect.
Keywords/Search Tags: system call, anomaly detection, malicious behavior, multi-class classification