
Malware Behavior Detection And Analysis Based On Kernel Level API

Posted on: 2018-01-02
Degree: Master
Type: Thesis
Country: China
Candidate: X Sui
Full Text: PDF
GTID: 2348330533963764
Subject: Software engineering
Abstract/Summary:
With the rapid growth of malicious software, information security has become the most pressing problem faced on the Internet. Numerous network security incidents such as Flame and Stuxnet have occurred and been exposed. Among all kinds of information security threats, malicious code has become the greatest threat on the Internet, owing to its precise targeting, long-term persistence and sophisticated attack techniques. It is therefore necessary to develop a malware analysis system that analyzes malicious code with high accuracy.

First, the characteristics of malicious code and the existing detection methods are analyzed; it is found that unknown malicious code cannot be detected and that accuracy is low. Second, the characteristics of the various API functions and the behaviors they express are summarized. On the basis of this classification of behavior characteristics, this thesis proposes a malicious code detection method based on kernel-level API behavior analysis, which obtains the behavior of executable code by monitoring system API calls and core kernel data. On top of the kernel-level API detection technique, the malware detection model is abstracted into three layers: the target layer, the rule layer and the implementation layer. The target layer completes the overall detection and the collection of information. Based on the analysis and classification of malware behavior, the rule layer is divided into four parts: file behavior, registry behavior, process behavior and network behavior. The implementation layer carries out the detailed functional checks and feeds its results back into the rule layer, which in turn passes the data up to the target layer.

Finally, a malware detection system is implemented on the basis of this model. Through the detailed design of its sub-modules, the system is composed of three parts: the kernel-layer module subsystem, the judgment subsystem and the system interface. The kernel-layer module subsystem consists of five modules: file behavior detection, process behavior detection, registry behavior detection, network behavior detection and kernel behavior detection. The system can detect a variety of kernel-level code-hiding behaviors, such as DLL injection and APC injection. Experimental testing and verification show that, compared with previous detection systems, the malware detection system increases the probability of detecting unknown malicious code and achieves higher efficiency and accuracy.
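The three-layer model and the four behavior classes described in the abstract can be illustrated with a small rule engine. The following is an added example written for this page, not code from the thesis or its detection system: the API-to-behavior mapping, the individual rules, the weights, the threshold and the call trace are all assumptions. The trace stands in for records a kernel-level hook of the Windows native (Nt*) API would report; the API names are real native calls, but the events are constructed, not captured from a running system, and the hook is assumed to resolve the owning process of any thread handle it sees.

```python
"""Rule-layer classification and judgment over kernel-level API call records.

Added example (not the thesis's code). The Nt* names are real Windows native
APIs; the behavior mapping, rules, weights, threshold and trace are assumptions.
"""

# Rule layer: map each monitored native API to one of the four behavior classes.
API_BEHAVIOR = {
    "NtCreateFile": "file", "NtWriteFile": "file", "NtDeleteFile": "file",
    "NtOpenKey": "registry", "NtSetValueKey": "registry", "NtDeleteValueKey": "registry",
    "NtOpenProcess": "process", "NtWriteVirtualMemory": "process",
    "NtCreateThreadEx": "process", "NtQueueApcThread": "process",
    # Winsock traffic reaches the kernel as IOCTLs on \Device\Afd.
    "NtDeviceIoControlFile": "network",
}

# Constructed trace (assumption, not a real capture): pid 100 is a benign editor,
# pid 200 drops a DLL, persists via a Run key, injects into pid 100 and connects out.
TRACE = [
    {"pid": 100, "api": "NtCreateFile", "path": r"C:\Users\u\doc.txt"},
    {"pid": 100, "api": "NtWriteFile", "path": r"C:\Users\u\doc.txt"},
    {"pid": 200, "api": "NtCreateFile", "path": r"C:\Windows\System32\upd.dll"},
    {"pid": 200, "api": "NtSetValueKey",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "upd"},
    {"pid": 200, "api": "NtOpenProcess", "target_pid": 100},
    {"pid": 200, "api": "NtWriteVirtualMemory", "target_pid": 100},
    # target_pid here is the owning process of the thread handle (resolved by the hook).
    {"pid": 200, "api": "NtQueueApcThread", "target_pid": 100},
    {"pid": 200, "api": "NtDeviceIoControlFile", "device": r"\Device\Afd",
     "remote": "203.0.113.7:443"},
]

PERSISTENCE_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")  # assumed rule data
SYSTEM_DIR = r"C:\Windows\System32"                                        # assumed rule data


def classify(record):
    """Rule layer: behavior class of one record, or 'other' if the API is not monitored."""
    return API_BEHAVIOR.get(record["api"], "other")


def evaluate_rules(records):
    """Implementation layer: run the per-class rules over the trace; return flags per pid."""
    flags = {}
    remote_writes = {}  # pid -> set of target pids it has written memory into (multi-step rule)
    for r in records:
        pid, api, cls = r["pid"], r["api"], classify(r)
        pid_flags = flags.setdefault(pid, set())
        if cls == "file":
            path = r.get("path", "")
            if api in ("NtCreateFile", "NtWriteFile") and path.lower().startswith(SYSTEM_DIR.lower()):
                pid_flags.add("file:write_system_dir")
        elif cls == "registry":
            key = r.get("key", "")
            if api == "NtSetValueKey" and any(k.lower() in key.lower() for k in PERSISTENCE_KEYS):
                pid_flags.add("registry:run_key_persistence")
        elif cls == "process":
            target = r.get("target_pid")
            if target is not None and target != pid:
                if api == "NtWriteVirtualMemory":
                    remote_writes.setdefault(pid, set()).add(target)
                # Injection is only flagged when memory was written into that target first.
                elif api == "NtQueueApcThread" and target in remote_writes.get(pid, ()):
                    pid_flags.add("process:apc_injection")
                elif api == "NtCreateThreadEx" and target in remote_writes.get(pid, ()):
                    pid_flags.add("process:remote_thread_injection")
        elif cls == "network":
            if r.get("device") == r"\Device\Afd" and r.get("remote"):
                pid_flags.add("network:outbound_connection")
    return flags


# Judgment subsystem: weights are assumptions chosen so that no single class crosses the threshold.
WEIGHTS = {
    "file:write_system_dir": 2,
    "registry:run_key_persistence": 3,
    "process:apc_injection": 4,
    "process:remote_thread_injection": 4,
    "network:outbound_connection": 1,
}
THRESHOLD = 5


def judge(flags):
    """Judgment subsystem: weighted score per pid; a verdict needs flags from more than one class."""
    verdicts = {}
    for pid, fs in flags.items():
        score = sum(WEIGHTS[f] for f in fs)
        classes = sorted({f.split(":")[0] for f in fs})
        verdicts[pid] = {"score": score, "classes": classes, "malicious": score >= THRESHOLD}
    return verdicts


def analyze(records):
    """Target layer: collect rule output and judgment into one report keyed by pid."""
    return judge(evaluate_rules(records))


if __name__ == "__main__":
    for pid, v in analyze(TRACE).items():
        print(pid, v)
```

The multi-step process rule is the part worth copying: an APC queued into a process that the caller has already written memory into is far more telling than either call alone, and keeping that state in the implementation layer is what lets the rule layer stay a flat classification.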
Keywords/Search Tags: Windows, Malware, Behavior analysis, API, Kernel level