
Research On Malicious Malware Detection System Based On Distribution Sandbox

Posted on: 2019-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: Q Gong
Full Text: PDF
GTID: 2428330563956426
Subject: Public Security Technology
Abstract/Summary:
With the development of the Internet, malware spreads rapidly across cyberspace by many methods and threatens the security of our network environment. Malware can be understood as any program that damages a user's computer system or the network, such as computer viruses, trojans, other malicious code, and spyware. As the Internet has grown, the threat posed by malware has received more and more attention, so malware detection technology plays an important role. Current anti-virus software relies mainly on signature-based scanning, which depends on a database of known features and cannot find malicious code with new features. Moreover, as the amount of malicious code grows, the ever-larger feature library becomes an important problem. In addition, obfuscated malware programs show an exponential growth trend, for example ransomware that uses dynamic memory mapping techniques to evade static detection. At the same time, dynamic detection has the problem that detection is generally slow: the virtual environment must be prepared, operations such as instrumentation performed, and the malware left to run for a period of time. Researchers are now trying to apply machine learning to detect malicious programs and to find more efficient detection methods.

Aiming at these existing problems and new technologies, this paper proposes an automatic malicious code behavior detection method based on distributed sandbox technology. First, a distributed sandbox system is built on the open source Cuckoo sandbox framework combined with the random forest algorithm. The sandbox monitors the program as it runs and captures its function call sequence. From this, a malware behavior feature vector is extracted and a malicious behavior feature model is constructed. The feature vector includes API calling features, network behavior features, registry features, folder path features, and memory behavior features. Then a malicious program detection model is built on the random forest algorithm, and the optimal base learner and the optimal sub-feature set are selected to detect malicious programs. The experimental results show that the system has a higher hit rate (TPR), a higher accuracy rate (AC), a lower false alarm rate (FPR), and a higher out-of-bag error rate (OOB).

The main work and achievements of this paper are as follows:

1. Analyze the dynamic behavioral characteristics of programs from different ransomware families.
2. Build a distributed sandbox environment based on an open source sandbox.
3. Function call feature collection: by analyzing the malware behavior patterns captured in the virtual environment, the function call sequence definition and event definition are given.
4. Malware behavior characteristic modeling.
5. Experimental comparison: the designed experiment compares the results of three parts, taking the accuracy rate, false alarm rate, and out-of-bag error rate as evaluation indicators...
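The abstract lists five feature families (API calling, network behavior, registry, folder path, memory behavior) extracted from sandbox reports, and evaluates the detector by hit rate (TPR), accuracy (AC) and false alarm rate (FPR). The example below is added here to make that pipeline concrete; it is not the thesis's code and not Cuckoo's. It turns a constructed, simplified behavior report into the five feature families (API bigrams keep the call ordering that a plain histogram loses), builds a fixed-width vector from a vocabulary, and computes the three metrics from a confusion matrix. The report layout, the field names (`api_calls`, `network`, `registry`, `files`, `memory`) and the heuristic feature definitions are all assumptions for illustration, not Cuckoo's real JSON schema; a real system would feed the vectors to a random forest, which is not implemented here.

```python
from collections import Counter

# Constructed sample behavior reports (not real sandbox output). The field
# names are an assumed, simplified stand-in for a Cuckoo report.
SAMPLE_REPORTS = [
    {"label": 1,  # constructed "malicious" sample
     "api_calls": ["CreateFileW", "CryptEncrypt", "WriteFile", "DeleteFileW",
                   "CreateFileW", "CryptEncrypt", "WriteFile", "DeleteFileW"],
     "network": {"hosts": ["198.51.100.7"], "dns": ["example.invalid"]},
     "registry": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
     "files": ["C:\\Users\\u\\Documents\\report.docx.locked"],
     "memory": {"virtualalloc_rwx": 3, "remote_writes": 1}},
    {"label": 0,  # constructed "benign" sample
     "api_calls": ["CreateFileW", "ReadFile", "CloseHandle"],
     "network": {"hosts": [], "dns": []},
     "registry": [],
     "files": ["C:\\Program Files\\App\\app.log"],
     "memory": {"virtualalloc_rwx": 0, "remote_writes": 0}},
]


def api_ngram_counts(calls, n=2):
    """API calling feature: counts of consecutive call n-grams, which
    preserve the ordering information of the captured call sequence."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


def network_features(report):
    """Network behavior feature: how many hosts and DNS names were contacted."""
    net = report["network"]
    return {"net:hosts": len(net["hosts"]), "net:dns": len(net["dns"])}


def registry_features(report):
    """Registry feature: total writes, plus writes to an autostart Run key."""
    keys = report["registry"]
    return {"reg:writes": len(keys),
            "reg:run_key": sum("\\CurrentVersion\\Run" in k for k in keys)}


def path_features(report):
    """Folder path feature: files touched under the user profile, and files
    whose name carries an extra appended extension (assumed heuristic)."""
    paths = report["files"]
    return {"path:user_profile": sum(p.lower().startswith("c:\\users\\") for p in paths),
            "path:renamed_ext": sum(p.count(".") >= 2 for p in paths)}


def memory_features(report):
    """Memory behavior feature: RWX allocations and cross-process writes."""
    mem = report["memory"]
    return {"mem:rwx_allocs": mem["virtualalloc_rwx"],
            "mem:remote_writes": mem["remote_writes"]}


def feature_dict(report):
    """Merge all five feature families into one sparse name -> value dict."""
    feats = {}
    for (a, b), count in api_ngram_counts(report["api_calls"]).items():
        feats[f"api:{a}>{b}"] = count
    for fn in (network_features, registry_features, path_features, memory_features):
        feats.update(fn(report))
    return feats


def build_vocab(reports):
    """Sorted list of every feature name seen in the training reports."""
    return sorted({name for r in reports for name in feature_dict(r)})


def vectorize(report, vocab):
    """Dense, fixed-width vector in vocabulary order (missing features are 0)."""
    feats = feature_dict(report)
    return [feats.get(name, 0) for name in vocab]


def confusion(y_true, y_pred):
    """Return (tp, fp, tn, fn) with 1 = malicious, 0 = benign."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == 1 and p == 1 for t, p in pairs)
    fp = sum(t == 0 and p == 1 for t, p in pairs)
    tn = sum(t == 0 and p == 0 for t, p in pairs)
    fn = sum(t == 1 and p == 0 for t, p in pairs)
    return tp, fp, tn, fn


def metrics(y_true, y_pred):
    """Hit rate (TPR), false alarm rate (FPR) and accuracy (AC)."""
    tp, fp, tn, fn = confusion(y_true, y_pred)
    return {"TPR": tp / (tp + fn) if tp + fn else 0.0,
            "FPR": fp / (fp + tn) if fp + tn else 0.0,
            "AC": (tp + tn) / len(y_true)}


if __name__ == "__main__":
    vocab = build_vocab(SAMPLE_REPORTS)
    for r in SAMPLE_REPORTS:
        print(r["label"], vectorize(r, vocab))
    # Constructed labels and predictions, only to exercise the metrics.
    print(metrics([1, 1, 1, 0, 0, 0, 1, 0], [1, 1, 0, 0, 0, 1, 1, 0]))
```

The vocabulary must be built from the training reports only and then frozen, so that a test sample containing an unseen API bigram maps to the same vector width rather than silently growing the feature space. The OOB error rate the abstract also reports is a property of the random forest's bootstrap sampling and is not reproduced by these functions.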
Keywords/Search Tags:dynamic detection, sandbox, function call sequence, random forest, ensemble learning