With the development of Internet technology and software security technology, more and more malicious programs use new anti-disassembly, anti-debugging, instruction obfuscation and feature concealment techniques, making the detection and identification of malicious programs more difficult. Traditional static detection cannot cope with the static obfuscation and feature hiding of malicious programs. Traditional dynamic detection often works at the granularity of function behavior and discards the granularity of the assembly instruction stream, resulting in single-feature extraction and poor effectiveness. This paper presents a new method based on a non-aware sandbox to capture and extract the behavior features and instruction flow features of malicious programs and to construct a multi-model fusion classifier to identify malicious programs. This paper first introduces the design and implementation of PinFWSandBox, which is based on Pin, and then dynamically runs the malicious program in the unperceived sandbox. Using binary instrumentation and assembly instruction flow snapshot replay, we extract system call features, instruction flow features and instruction sequence similarity features. Secondly, the simple Naive Bayes algorithm is used to construct a single-model classifier, and finally a multi-model fusion classifier is constructed for malicious program recognition and classification. The classification system designed in this paper is characterized by high efficiency, high recall rate, multi-purpose use, security and stability. The classification results for malicious programs and for random non-malicious programs are close to 96% and 98%, respectively, and the classification of generalized program functions also performs well.