
The Research And Design Of Sandbox Malware Detection Engine Based On Cuckoo

Posted on: 2018-08-07
Degree: Master
Type: Thesis
Country: China
Candidate: C L Gao
Full Text: PDF
GTID: 2348330533957927
Subject: Software engineering
Abstract/Summary:
In the past few years the community has invested heavily in infrastructure and information security, but it is still far from enough. On October 21, 2016, a large-scale denial-of-service attack paralysed Internet service and many well-known sites across a large region, causing widespread disruption. In the same year, Yahoo disclosed that it had been attacked and that the account information of about 1.5 billion users had been leaked. The Cybersecurity Law of the People's Republic of China took effect on June 1, 2017. Driven by these incidents and losses, government and enterprises now place greater emphasis on network security, and in particular on deploying devices that strengthen intranet protection, such as intrusion detection systems (IDS) and breach detection systems (BDS), which have become popular in recent years. BDS probes fall into two categories, network-feature probes and host-system probes, and both ultimately rely on file detection as the end point that explains the specific behaviour observed and the harm a suspicious file can do.

This thesis focuses on the security of files inside the internal network and combines static rule matching, dynamic behaviour analysis, multi-engine antivirus scanning as a supplementary check for missed detections, and other techniques to inspect files thoroughly. Because the open-source engines concentrate on implementation and do not consider practical deployment or engine self-protection under abnormal conditions, the author designed the Ling Po engine. Built on the Cuckoo engine, Ling Po is intended to meet the needs of real enterprise-network testing; the thesis considers the availability, stability, speed and exception handling required when large volumes of files are tested continuously. The main research and work are as follows:

(1) A detailed analysis of the current mainstream automated malware detection engines in four respects: implementation approach, detection capability, stability and detection efficiency. The open-source engines focus on implementation and do not give full consideration to real application scenarios or to their high false-alarm rate. On the basis of Cuckoo, the author designs the Ling Po engine to meet the actual needs of the intranet.

(2) The file analysis process and the virtual-machine scheduling scheme are redesigned, giving a theoretical improvement in file detection throughput of more than 100%. In the analysis process, fast matching detection runs first by priority, so that fast stages are never blocked behind slow ones; at the same time, idle sandbox resources are used to raise the processing rate, so that the sandbox pool can in theory run at full load.

(3) Exception handling is rebuilt, and 582 kinds of malicious dynamic behaviour characteristics are collected. Malicious samples that use anti-VM techniques are interrupted and restricted. These measures ensure that the host is not contaminated by the sandbox during analysis, while the host's memory and CPU resources are protected.

(4) To meet the performance requirements and work within the hardware constraints, the virtual-machine creation mechanism and the KVM configuration are optimised, and a hierarchical snapshot structure is implemented.
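The behaviour-signature matching and anti-VM interruption described in (3) can be illustrated with a small engine in the style of Cuckoo's signature modules. The code below is an added example, not code from the thesis or from the Cuckoo project: the report layout mirrors a Cuckoo 2.x behaviour report (processes, each with a list of API calls carrying an `api` name and an `arguments` dict), but the `Signature` base class, its `on_call`/`on_complete` hooks, the two concrete signatures, the sample report and the score thresholds are all simplified stand-ins written for this illustration. The `stop_on_abort` switch models the difference between live analysis, where an anti-VM match stops the guest and no later calls are seen, and re-scanning an already finished report.

```python
"""Cuckoo-style behaviour-signature engine with an anti-VM abort hook.

Added example, not code from the thesis or the Cuckoo project. Assumptions:
the report shape mirrors a Cuckoo 2.x behaviour report; the Signature base
class, the hook names and the two signatures are simplified stand-ins; the
verdict thresholds are chosen for this illustration only.
"""

# Constructed sample report (not real telemetry): one process probes the
# registry for VirtualBox, then drops a file and executes it.
SAMPLE_REPORT = {
    "target": {"file": {"name": "invoice.exe"}},
    "behavior": {"processes": [{
        "pid": 1234,
        "process_name": "invoice.exe",
        "calls": [
            {"api": "RegOpenKeyExW",
             "arguments": {"regkey": "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"}},
            {"api": "NtWriteFile",
             "arguments": {"filepath": "C:\\Users\\Public\\svch0st.exe"}},
            {"api": "CreateProcessInternalW",
             "arguments": {"filepath": "C:\\Users\\Public\\svch0st.exe",
                           "command_line": "svch0st.exe /q"}},
        ],
    }]},
}


class Signature:
    """Minimal stand-in for a Cuckoo behaviour signature (hypothetical API)."""
    name = "generic"
    severity = 1            # 1..5, higher is worse
    abort_analysis = False  # True: the sandbox should stop the run on first match
    filter_apinames = frozenset()

    def __init__(self):
        self.marks = []     # evidence: one entry per matching call

    def mark_call(self, call, process):
        self.marks.append({"pid": process["pid"], "api": call["api"],
                           "arguments": dict(call.get("arguments", {}))})

    def on_call(self, call, process):
        """Invoked for every call whose API name is in filter_apinames."""
        raise NotImplementedError

    def on_complete(self):
        """Final decision once all calls have been seen."""
        return bool(self.marks)


class AntiVMVirtualBoxRegistry(Signature):
    """Guest probes VirtualBox-specific registry keys (anti-VM evasion)."""
    name = "antivm_virtualbox_registry"
    severity = 3
    abort_analysis = True
    filter_apinames = frozenset({"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExW"})
    _markers = ("virtualbox", "vbox")

    def on_call(self, call, process):
        key = str(call.get("arguments", {}).get("regkey", "")).lower()
        if any(m in key for m in self._markers):
            self.mark_call(call, process)


class DropsAndExecutes(Signature):
    """A file written by the sample is later started as a new process."""
    name = "drops_and_executes"
    severity = 4
    filter_apinames = frozenset({"NtWriteFile", "CreateProcessInternalW"})

    def __init__(self):
        super().__init__()
        self._written = set()

    def on_call(self, call, process):
        path = str(call.get("arguments", {}).get("filepath", "")).lower()
        if call["api"] == "NtWriteFile" and path:
            self._written.add(path)
        elif call["api"] == "CreateProcessInternalW" and path in self._written:
            self.mark_call(call, process)


def run_signatures(report, signature_classes, stop_on_abort=True):
    """Feed the report's calls to the signatures in order and return a verdict.

    stop_on_abort=True models live analysis: the first abort_analysis match
    stops consumption (the sandbox would kill the guest here), so later calls
    are never seen. stop_on_abort=False models re-scanning a finished report.
    """
    sigs = [cls() for cls in signature_classes]
    by_api = {}
    for sig in sigs:
        for api in sig.filter_apinames:
            by_api.setdefault(api, []).append(sig)

    abort_reason = None
    calls_processed = 0
    for proc in report["behavior"]["processes"]:
        for call in proc["calls"]:
            calls_processed += 1
            for sig in by_api.get(call["api"], ()):
                before = len(sig.marks)
                sig.on_call(call, proc)
                if sig.abort_analysis and len(sig.marks) > before and abort_reason is None:
                    abort_reason = sig.name
            if abort_reason and stop_on_abort:
                break
        if abort_reason and stop_on_abort:
            break

    matched = [s for s in sigs if s.on_complete()]
    score = sum(s.severity for s in matched)
    if score >= 4 or abort_reason:
        verdict = "malicious"       # thresholds are assumptions for this example
    elif score:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"matched": sorted(s.name for s in matched), "score": score,
            "abort_reason": abort_reason, "calls_processed": calls_processed,
            "verdict": verdict}


SIGNATURES = [AntiVMVirtualBoxRegistry, DropsAndExecutes]

if __name__ == "__main__":
    print(run_signatures(SAMPLE_REPORT, SIGNATURES))                       # live mode
    print(run_signatures(SAMPLE_REPORT, SIGNATURES, stop_on_abort=False))  # offline re-scan
```

In live mode the registry probe fires the anti-VM signature on the first call, the run is aborted and the drop-and-execute chain is never observed; re-scanning the same report without the abort matches both signatures. That is the trade-off the thesis' interruption policy makes: stopping an evasive sample early protects the host and frees the sandbox slot, at the cost of the behaviour the sample would have shown afterwards.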
Keywords/Search Tags: Intranet security, malware detection, sandbox, behavior signature