
Virus Behavior Analysis And Detection Based On Virtual Machine Introspection

Posted on: 2017-11-14
Degree: Master
Type: Thesis
Country: China
Candidate: T Tang
Full Text: PDF
GTID: 2428330569998779
Subject: Computer Science and Technology
Abstract/Summary:
One of the most harmful threats accompanying the rapid development of the information age is the continuous evolution of computer viruses. As information technology moves into the era of cloud computing, conventional anti-virus tools cannot overcome their defects of hysteresis and reliability. In recent years, more and more research on virus behavior analysis based on VMI (Virtual Machine Introspection) has been launched, because VMI has the advantage of being able to detect the malicious behavior of a virus from outside the virtual machine. After studying the principle of VMI and the common techniques of anti-virus tools, this thesis discusses and designs a system for virus behavior analysis and detection based on open-source VMI tools and a process behavior analysis tool named Cuckoo. The system is composed of three parts: the behavior analysis engine, the virus behavior feature library, and the virus detection engine. The virus behavior feature library is established by automatically analyzing the behavior of virus samples. The main function of the system is to compare the virus behavior features with the behavior of processes in the virtual machine and determine which processes are viruses. This thesis first designs a system that automatically analyzes computer virus samples based on the open-source tool Cuckoo and establishes a virus behavior feature library from the log files. It then uses the VMI tools LibVMI and Volatility to monitor the guest operating system and output the processes' behavior to a log file. The system can then compare the virus behavior with the processes' behavior to achieve the goal of detecting viruses. Finally, we test the performance of the system and propose some possible optimizations. In the experiment, we use 10 executable programs and 10 computer viruses to test the system's ability to find viruses. The experiment demonstrates that the accuracy of the system in distinguishing viruses from normal executable programs is over 90%, and that the system has almost no impact on the performance of the virtualization system.
Keywords/Search Tags:Virus Behavior, Virus Detection, Virtual Machine Introspection, Cloud Computing