
Research On Malicious Process Detection Technology Based On System Call Analysis

Posted on: 2019-12-02
Degree: Master
Type: Thesis
Country: China
Candidate: X X Zou
Full Text: PDF
GTID: 2428330566470957
Subject: Software engineering

Abstract/Summary:
Malicious code is computer code written deliberately to threaten or damage the computers it reaches, and it is used for extortion, sabotage and espionage; it therefore poses a serious threat to computer security. Despite efforts to contain it, malicious code continues to spread, and record numbers of new samples are discovered every day, so strengthening its detection is an urgent problem. Traditional signature-based and heuristic detection methods are tuned to known threats and miss new, unknown ones, which is why researchers have proposed detection based on system calls. This dissertation studies the use of system call trace analysis to detect malicious processes. The goal is to keep the technique "lightweight" so that it remains practical, and to ensure that the resulting detection system has a low false alarm rate in a real environment. The main contributions of the dissertation are as follows.

1. To obtain experimental samples more effectively, a practical malicious code testing platform is built. Through a system call service (SCS), the platform collects the system call records of benign software and malware together with the malicious code samples themselves.

2. To extract effective malicious code features from a large volume of system calls, an n-gram based feature extraction technique is proposed. The feature extraction strategy and process are treated from four aspects: information retrieval, feature selection, feature scaling and feature dimension reduction, so that the extracted features are able to distinguish malicious code.

3. To meet the real-time and low false alarm requirements of malicious process detection, four malicious code detection algorithms are proposed that distinguish malicious from benign processes on the host. A sequential detection method is then used to flag a malicious process as early as possible, limiting the damage done while the malicious code executes. Finally, the false positive rate of the detection technique is evaluated experimentally. The results show a true positive rate of 95% and a false positive rate of only 10^-5.
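As an added illustration of the pipeline in points 2 and 3 (example code written for this page, not the thesis' own code and not one of its four algorithms), the following Python extracts bigram features from system call traces, selects and tf-idf-scales them, and then runs Wald's sequential probability ratio test over a trace as it streams so a process can be flagged before it finishes. The traces are constructed, not SCS captures; the contrast-based feature selection, the Laplace-smoothed Naive Bayes log-likelihood ratios and the threshold values are assumptions of this example.

```python
"""n-gram features from system-call traces plus a sequential (SPRT) detector.

Added example, not code from the thesis. The traces below are constructed,
not real captures, and stand in for what a system call service (SCS) would
record for each process.
"""
import math
from collections import Counter

OTHER = ("<other>",)  # bucket for n-grams that feature selection dropped

# Constructed training traces: the ordered system calls one process made.
# Benign ones look like ordinary file I/O; malicious ones show a connect-back,
# payload fetch and privilege/persistence actions.
BENIGN_TRACES = [
    ["open", "fstat", "mmap", "read", "read", "close", "write", "exit"],
    ["open", "read", "read", "write", "close", "open", "read", "close", "exit"],
    ["stat", "open", "fstat", "mmap", "read", "close", "munmap", "exit"],
    ["open", "read", "write", "write", "close", "exit"],
]
MALICIOUS_TRACES = [
    ["socket", "connect", "recv", "mprotect", "write", "execve", "ptrace", "exit"],
    ["open", "read", "socket", "connect", "send", "recv", "chmod", "execve", "exit"],
    ["mprotect", "socket", "connect", "recv", "recv", "ptrace", "kill", "exit"],
    ["socket", "connect", "recv", "chmod", "execve", "unlink", "exit"],
]


def ngrams(trace, n):
    """Sliding window of n consecutive system calls (the feature unit)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def select_features(benign, malicious, n, k):
    """Feature selection + dimension reduction: keep the k n-grams whose
    per-class document frequencies differ most (an IR-style contrast score)."""
    df_b = Counter(g for t in benign for g in set(ngrams(t, n)))
    df_m = Counter(g for t in malicious for g in set(ngrams(t, n)))
    score = {g: abs(df_m[g] / len(malicious) - df_b[g] / len(benign))
             for g in set(df_b) | set(df_m)}
    # tie-break on the n-gram itself so the selection is deterministic
    return sorted(score, key=lambda g: (-score[g], g))[:k]


def train_idf(traces, features, n):
    """Smoothed inverse document frequency over all training traces."""
    df = Counter(g for t in traces for g in set(ngrams(t, n)))
    return {g: math.log((1 + len(traces)) / (1 + df[g])) + 1.0 for g in features}


def tfidf_vector(trace, features, idf, n):
    """Feature scaling: tf-idf weights over the selected n-grams, L2-normalised
    so long and short traces are comparable (input for a batch classifier)."""
    tf = Counter(ngrams(trace, n))
    raw = [tf[g] * idf[g] for g in features]
    norm = math.sqrt(sum(x * x for x in raw)) or 1.0
    return [x / norm for x in raw]


def train_llr(benign, malicious, n, features):
    """Per-n-gram log-likelihood ratio log P(g|mal) / P(g|benign) from
    Laplace-smoothed multinomial counts; unselected n-grams share OTHER."""
    feats = set(features)

    def counts(traces):
        c = Counter()
        for t in traces:
            for g in ngrams(t, n):
                c[g if g in feats else OTHER] += 1
        return c

    cb, cm = counts(benign), counts(malicious)
    vocab = list(features) + [OTHER]
    tb, tm, V = sum(cb.values()), sum(cm.values()), len(vocab)
    return {g: math.log((cm[g] + 1) / (tm + V)) - math.log((cb[g] + 1) / (tb + V))
            for g in vocab}


def sequential_detect(trace, llr, n, alpha=0.01, beta=0.05):
    """Wald's sequential probability ratio test over the trace as it streams:
    stop as soon as the accumulated LLR crosses a bound. alpha bounds the
    false-positive rate, beta the miss rate; returns (verdict, calls_seen)."""
    upper = math.log((1 - beta) / alpha)   # accept H1: malicious
    lower = math.log(beta / (1 - alpha))   # accept H0: benign
    score = 0.0
    for i in range(n - 1, len(trace)):
        g = tuple(trace[i - n + 1:i + 1])
        score += llr.get(g, llr[OTHER])
        if score >= upper:
            return "malicious", i + 1
        if score <= lower:
            return "benign", i + 1
    return "undecided", len(trace)   # trace ended before evidence sufficed


def build_detector(n=2, k=8):
    """Fit feature selection and the LLR table on the constructed corpus."""
    features = select_features(BENIGN_TRACES, MALICIOUS_TRACES, n, k)
    return features, train_llr(BENIGN_TRACES, MALICIOUS_TRACES, n, features)


if __name__ == "__main__":
    n = 2
    features, llr = build_detector(n)
    idf = train_idf(BENIGN_TRACES + MALICIOUS_TRACES, features, n)
    held_out = {  # constructed held-out traces, not in the training set
        "mal": ["socket", "connect", "recv", "chmod", "execve",
                "socket", "connect", "recv", "ptrace", "exit"],
        "ben": ["open", "fstat", "mmap", "read", "read", "write", "close", "exit"],
    }
    for name, trace in held_out.items():
        print(name, sequential_detect(trace, llr, n),
              tfidf_vector(trace, features, idf, n))
```

Two points worth noting when running it. The bounds are set by the target error rates: with the thesis' figure of alpha = 10^-5 the malicious bound is ln(0.95/10^-5), about 11.5 nats of evidence, which these short constructed traces cannot accumulate, so the example runs with alpha = 0.01 and a realistic deployment needs longer traces or more discriminative n-grams to reach the stricter bound. The "undecided" return is the case a sequential detector must handle: the process exits before either bound is crossed, and the caller has to fall back to a batch decision (the sign of the summed LLR, or a classifier over the tf-idf vector) rather than treating silence as benign.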
Keywords/Search Tags: Malware, System Call Service, Feature Extraction, Malicious Process, Sequential Detection