
Research On The Virtualization Analysis Of Malicious Software Behavior For Web Service

Posted on: 2019-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: B Yu
Full Text: PDF
GTID: 2428330545470709
Subject: Electronic and communication engineering
Abstract/Summary:
With the flourishing development of Internet technology, Web Service, a new distributed computing model, offers cross-platform support, openness and simplicity that meet people's needs on the network. Because of this extensive and open nature, it can easily reach the user's host and pass through the user's firewall and other security measures, leaving the host exposed to a shared network environment and vulnerable to malicious software attacks. Traditional static detection focuses only on the malware code itself and does not consider the actual running behavior of the malware, so it consumes manpower and is prone to false positives and false negatives. Dynamic detection is concerned with the actions malware produces when it actually runs: by monitoring those actions it analyzes malware behavior in a purpose-oriented, targeted way and improves the efficiency of the analysis. Therefore, this thesis uses the dynamic analysis method to detect malware. However, analyzing malware on the local host carries great risk, since the host can easily be attacked and destroyed by the malware. Because of its good isolation and fast recovery, virtualization analysis technology can serve as the experimental environment for malware analysis. Therefore, this thesis uses the dynamic analysis method to analyze malware behavior under a virtualized architecture. Both malware and benign software use the API functions provided by the system to accomplish their specific functions, and this also holds under a virtualized architecture. Because of the large number of user-layer API features, analysis based on them is not accurate enough. Therefore, this thesis analyzes software behavior characteristics by monitoring the sequence of kernel APIs invoked by the program while it runs. Feature sequences are obtained from the Native API sequences with the N-gram method. Because the traditional N-gram method yields feature sequences of fixed length, some feature sequences with rich semantic features are lost. Therefore, this thesis proposes a malicious behavior selection method based on adaptive variable length. At the same time, joint information entropy is introduced to select features of the Native API sequence, which helps to solve the feature selection problem. Finally, a classification model is built with machine learning classification methods to validate the classification of malicious and benign samples. The experiments in this thesis achieved a 97.6% detection rate, a 5.1% false positive rate and a 96.8% overall accuracy rate, and the highest AUC value reached 0.983. Each index is higher than that of the fixed-length N-gram semantic feature extraction method, and a good detection result is achieved.
Keywords/Search Tags: Malware, Dynamic analysis, Virtualization, API, N-gram
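
The feature pipeline the abstract outlines (N-grams over Native API call sequences, then entropy-based selection), as an added example that is not code from the thesis. The abstract does not specify its adaptive variable-length rule or its joint information entropy, so this sketch assumes plain information gain over N-grams of several lengths with a longer-first tie-break; the traces, labels and function names are constructed for illustration.

```python
import math

# Constructed Native API traces (label 1 = malicious, 0 = benign); not data from the thesis.
TRACES = [
    (["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtClose"], 1),
    (["NtCreateFile", "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"], 1),
    (["NtCreateFile", "NtReadFile", "NtWriteFile", "NtClose"], 0),
    (["NtOpenKey", "NtQueryValueKey", "NtClose", "NtCreateFile", "NtReadFile", "NtClose"], 0),
]

def ngrams(seq, n):
    """Set of contiguous n-call windows in one trace (empty if the trace is shorter than n)."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}

def entropy(pos, neg):
    """Shannon entropy in bits of a two-class count; an empty class contributes 0."""
    total = pos + neg
    h = 0.0
    for count in (pos, neg):
        if count:
            p = count / total
            h -= p * math.log2(p)
    return h

def info_gain(gram, traces):
    """H(label) - H(label | gram present in trace), computed over the trace set."""
    hit = [y for seq, y in traces if gram in ngrams(seq, len(gram))]
    miss = [y for seq, y in traces if gram not in ngrams(seq, len(gram))]
    every = hit + miss
    h = lambda ys: entropy(sum(ys), len(ys) - sum(ys))
    return h(every) - sum(len(p) / len(every) * h(p) for p in (hit, miss) if p)

def select_features(traces, lengths=(2, 3, 4), top_k=3):
    """Rank N-grams of several lengths by information gain.

    Assumption (not the thesis's rule): on equal gain the longer N-gram is
    ranked first, since it carries more call context.
    """
    candidates = set()
    for seq, _ in traces:
        for n in lengths:
            candidates |= ngrams(seq, n)
    scored = sorted(((info_gain(g, traces), len(g), g) for g in candidates),
                    key=lambda t: (-t[0], -t[1], t[2]))
    return [(g, round(gain, 3)) for gain, _, g in scored[:top_k]]

if __name__ == "__main__":
    for gram, gain in select_features(TRACES):
        print(gain, " -> ".join(gram))
```

A fixed-length extractor run with only 2-grams would rank the benign file-read pair and the fragments of the malicious chain equally; allowing several lengths lets the full four-call window surface as a single feature.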