The Technique Of Detecting Computer Virus Based On Behavior Analysis And Signatures

Posted on: 2018-04-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yang
GTID: 2348330536479939
Subject: Computer technology
Abstract/Summary:
With the development and popularization of computer technology, people encounter the harm caused by computer viruses. Faced with the growing number of computer viruses, traditional anti-virus technology has some limitations. The static detection method based on signature scanning is the most widely used anti-virus technology for detecting known viruses, and it gives excellent detection results. However, this method cannot detect unknown viruses, and it takes too long to find and identify a virus. The dynamic detection method based on behavior detection can detect unknown computer viruses, but it also has a high false acceptance rate and a high alarm rate. This paper presents a computer virus detection scheme based on behavior detection technology and signature technology to address these deficiencies.

Firstly, in the study of signature extraction from virus programs, an improved variable-length N-Gram signature extraction algorithm is proposed. Using the characteristics of directional selection, it extracts effective features and builds a virus signature library. The sample program is transformed into hexadecimal format, its characteristics are matched against the virus signature database, and the signature of the sample program is extracted by means of the N-Gram statistical language model. The experimental results show that, compared with other signature extraction algorithms, the proposed method has the advantages of high accuracy and a low false alarm rate.

Secondly, in the signature detection research, signature scanning technology is introduced. Using the computer virus database and the library of legitimate programs collected from the website as test data, the signature of the sample program is tested and evaluated, giving a comprehensive judgment of the possibility that the sample program is a computer virus. The experimental results show that the false positives of the signature test are mainly concentrated in virus variants.

Lastly, in the study of virus behavior analysis, an automatic analysis function for sample behavior is designed and implemented. The behavior of the virus is analyzed and malicious behaviors are divided into levels, and breakpoints are set at the entry of the API functions that the malicious behaviors call. The sample program is run and monitored in a virtual machine, and a custom function records information about the API functions. Based on the API call information and the malicious behavior of virus programs, the module analyzes the dynamic behavior of the sample program and makes an initial judgment as to whether the sample program is a computer virus. Experiments show that, compared with other anti-virus software, the automatic sample behavior analysis module has a high detection rate.
Keywords/Search Tags: Computer virus, virus signature, behavior analysis, N-Gram characteristics