
Design And Implementation Of Maliciousness Decision System For Software Behaviors Based On Neural Network

Posted on: 2018-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Lei
GTID: 2348330563451279
Subject: Computer Science and Technology
Abstract/Summary:
As informatization proceeds in China, computers and the Internet have become rooted in people's daily lives. Meanwhile, malicious software on the Internet, such as viruses, trojan horses, worms and backdoors, has done serious damage to society. To prevent financial loss to individuals and companies and to make society more harmonious, the detection of malicious software has become an important field in computer science.

Current dynamic malware detection techniques have many deficiencies. First, current dynamic malware detection systems are implemented on virtual machines or emulators, and a lot of malware adopts anti-virtual-machine or anti-emulator techniques, which make it impossible for a dynamic malware detection system to acquire the real behaviors of the sample software. Second, many dynamic malware detection systems use API information acquired from the sample software to decide whether the sample is malicious, but much malware uses anti-hook techniques or invokes system calls directly to keep the detection system from monitoring its behavior. Finally, many detection systems do no filtering of the sample software's behavior information. This places a heavy burden on the machine learning module or neural network module and lowers the accuracy of the malware detection system as well.

To solve the problems above, this paper designs and implements a maliciousness decision system for software behaviors based on a neural network. This paper makes the following contributions:

(1) Implemented an information-capturing environment based on bare metal. This environment is built on the Meta-OS operating system and DynamoRIO, a DBI tool. It includes the network environment and auxiliary environment needed to execute malware. We execute malware in the bare-metal environment and acquire behavior information with DynamoRIO. After the analysis finishes, we use Meta-OS to restore the system to a clean state.

(2) Proposed the concept of minimum safety behavior and summarized a minimum safety behavior set. First, we give a definition of malware based on previous work. We then propose the concept of safety-sensitive resources based on that definition of malware. Furthermore, we propose the concept of minimum safety behavior and summarize a minimum safety behavior set. By focusing only on the behaviors that belong to the minimum safety behavior set, we reduce the number of behaviors that dynamic malware analysis has to consider and improve the speed and efficiency of dynamic malware analysis.

(3) Designed and implemented a whole-behavior information capture module. This module is based on DynamoRIO, a DBI tool, and captures all behavior information using a modified DynamoRIO. All behavior information is extracted to a higher, coarser and more comprehensible level of behavior using argument dependencies and resource dependencies. Finally, the module normalizes all extracted behaviors into a feature set, which is fed to the neural network for the maliciousness decision.
Keywords/Search Tags:Malicious Software, Dynamic analysis, Neural Network, DynamoRIO