
Research On Malware Behavior Analysis And Detection System Based On Cuckoo

Posted on: 2018-10-10   Degree: Master   Type: Thesis
Country: China   Candidate: P Qin   Full Text: PDF
GTID: 2348330518999392   Subject: Engineering
Abstract/Summary:
Facing an increasingly severe information security situation, traditional malware detection based on static analysis suffers on two fronts: its detection efficiency falls as the volume of malware grows, and its effectiveness declines because malware relies on packing (shelling), encryption and obfuscation. Dynamic analysis, which executes a sample and collects its run-time information to judge whether it is malicious, naturally bypasses packing, encryption, code obfuscation and similar obstacles. The open questions are how to combine it with sandbox technology for automatic analysis, how to improve analysis efficiency, how to describe a sample's behavior effectively, and how to judge a sample's maliciousness from that behavior. Starting from the current system security situation and from the analysis of malicious code, this thesis designs and implements an automatic analysis system that guarantees both detection speed and accuracy. The specific work is as follows:

1. Aiming at Windows malware, the thesis selects Windows API calls as the basic data for studying malicious code. The APIs are classified by their behavior into several classes, and within each class the APIs with the greatest influence on the system, such as CreateFile, CreateProcess and RegOpenKey, are identified.
2. The thesis studies how the Cuckoo platform obtains API calls and, applying a domain-specific language together with Cuckoo's rules, hooks the APIs to capture the samples' run-time data.
3. Based on the behavioral characteristics of malware, the thesis proposes a behavior model, an auxiliary behavior model and a malicious behavior model. Combining these models with the run-time data from Cuckoo, it realizes an automatic analysis system that generates behavior analysis reports and organizes the results by behavior type.
4. For the behaviors found by automatic analysis, and taking into account the API arguments that reflect the concrete behavior, the thesis abstracts a 629-dimensional discrete feature vector that describes a sample's behavior. Applying the SVM algorithm to this vector classifies samples by their behavior.
5. Following the strategy designed in the thesis and continued research on malware analysis, the system can be extended with further APIs, behavior models and discrete features to improve the detection rate and cover additional sample behaviors.

Experiments show that the system designed and implemented in this thesis effectively obtains sample run-time information and analyzes sample behavior; from that behavior a behavior vector can be abstracted effectively and used to classify the samples with machine learning.
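The pipeline described in items 1 and 4 above, from a sandbox API trace to a fixed-width discrete behavior vector, as an added illustration that is not the thesis's own code: the API-to-class mapping, the feature vocabulary (a stand-in for the 629 dimensions), the Cuckoo-like report layout and the sample trace are all constructed assumptions.

```python
from collections import Counter
# Hypothetical behavior model (constructed here): API name -> behavior class.
API_CLASS = {
    "NtCreateFile": "file", "NtWriteFile": "file",
    "CreateProcessInternalW": "process",
    "RegOpenKeyExW": "registry", "RegSetValueExW": "registry",
    "InternetOpenUrlA": "network",
}
# Ordered feature vocabulary, one vector slot per name (629 dims in the thesis; constructed stand-in here).
FEATURES = ["file:count", "process:count", "registry:count", "network:count",
            "file:touch_system_dir", "registry:touch_run_key",
            "process:spawn_from_temp", "network:http_url"]

def argument_features(api, args):
    """The API name gives the class; the arguments give the concrete behavior."""
    cls = API_CLASS.get(api)
    text = " ".join(str(v) for v in args.values()).lower()
    out = []
    if cls == "file" and "\\windows\\" in text:
        out.append("file:touch_system_dir")
    if cls == "registry" and "\\currentversion\\run" in text:
        out.append("registry:touch_run_key")
    if cls == "process" and "\\temp\\" in text:
        out.append("process:spawn_from_temp")
    if cls == "network" and "http" in text:
        out.append("network:http_url")
    return out

def extract_vector(report):
    """Cuckoo-style report (behavior.processes[].calls[], assumed layout) -> discrete count vector."""
    counts = Counter()
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            cls = API_CLASS.get(call.get("api", ""))
            if cls is not None:  # APIs outside the model contribute no feature
                counts[cls + ":count"] += 1
                for name in argument_features(call["api"], call.get("arguments", {})):
                    counts[name] += 1
    return [counts[name] for name in FEATURES]

# Constructed sample trace (not a real analysis run) in the assumed layout.
SAMPLE_REPORT = {"behavior": {"processes": [{"process_name": "sample.exe", "calls": [
    {"api": "NtCreateFile", "arguments": {"filepath": r"C:\Windows\System32\upd.exe"}},
    {"api": "RegOpenKeyExW", "arguments": {"regkey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}},
    {"api": "RegSetValueExW", "arguments": {"regkey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"}},
    {"api": "CreateProcessInternalW", "arguments": {"filepath": r"C:\Users\u\AppData\Local\Temp\a.exe"}},
    {"api": "InternetOpenUrlA", "arguments": {"url": "http://example.invalid/update"}},
    {"api": "GetSystemTimeAsFileTime", "arguments": {}},
]}]}}
print(dict(zip(FEATURES, extract_vector(SAMPLE_REPORT))))
```

The resulting vector is what a classifier such as the SVM in item 4 would consume; extending API_CLASS or FEATURES is the expansion path item 5 describes.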
Keywords/Search Tags: Malware, Behavior Analysis, Sandbox, Malware Classification, Cuckoo