The Design And Implementation Of A Framework For The Analysis Of Malware Behavior And The Detection Based On Sandbox

Posted on: 2019-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: E Q Sun
Full Text: PDF
GTID: 2428330572955590
Subject: Computer application technology
Abstract/Summary:
While people enjoy the convenience that the Internet and computers bring, the information security situation grows ever more severe. Traditional malware detection methods based on static analysis suffer from the need to maintain large virus databases, the inability to defeat polymorphic and metamorphic hiding techniques, and low detection efficiency. Dynamic analysis instead captures the behavior data of a running program and extracts behavior features that accurately and completely reflect its execution, which naturally overcomes the shortcomings of static analysis. However, dynamic analysis methods still have several deficiencies. First, there is at present no standardized and effective system development framework in China. Second, matching HOOK API code is currently done mostly by hand, which is inefficient and error-prone. Finally, failing to make effective use of the behavior data captured by dynamic analysis can lead to unsatisfactory detection results.

To address these problems, this thesis designs a universal and easily extended framework for the analysis of malware behavior and for sandbox-based detection, and implements the framework on Cuckoo. The concrete research and implementation work is as follows:

1. When researchers develop malware behavior analysis and detection systems, no standardized and universal framework is available, which leads to unclear module division and functions that cannot be extended. Based on a study of mature sandbox systems, this thesis abstracts and designs a malware analysis and detection framework with high cohesion, low coupling and easy extensibility. The framework can be applied to different guest (client) systems such as Windows 7 and Windows XP, different host systems such as Ubuntu and Windows, and different sandboxes such as QEMU and VirtualBox.

2. The framework consists of a behavior data capture module, a behavior feature extraction module and a behavior detection algorithm module. The behavior data capture module obtains the sensitive API sequence, together with the parameter values, called while the program runs. To address the manual HOOK API matching problem noted above, the capture module designed in this thesis contains an automated batch API matching component that minimizes manual participation; the module covers the design of the guest system, the host system and the API monitoring component. The behavior feature extraction module abstracts behavior features that effectively distinguish normal programs from malware. The raw behavior data is semantically ambiguous and cannot be used directly as input to the detection algorithm, so this thesis adopts the security-sensitive minimum behavior description method proposed by our research group, extracts 0/1 feature vectors of uniform dimension that accurately reflect the high-level semantics of the program, and generates an easy-to-understand behavior analysis report. The behavior detection algorithm module learns a malware detection classifier from the 0/1 feature vectors; in this thesis the AdaBoost boosting method and the CART generation and pruning algorithm are used to implement it.

3. A system based on the Cuckoo platform is implemented to verify the soundness of the designed framework. First, the batch HOOK API matching component was integrated into Cuckoo and a sandbox system was built to capture the sensitive API sequences called during program execution. Next, by means of string splicing, auxiliary table maintenance and matching of important strings, primary and advanced behavior features and 0/1 feature vectors are extracted automatically and behavior analysis reports are generated. Finally, the trained classifier judges the maliciousness of the program under analysis. A large number of tests show that the malware behavior analysis and detection system implemented on the Cuckoo platform can effectively capture program behavior data, extract behavior features usable for classification, and achieve a good detection rate with a low false positive rate, which verifies the versatility of the framework designed in this thesis.
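The feature extraction step in item 2 (splicing API parameter strings, matching them against an auxiliary table of important strings, and emitting a 0/1 vector of fixed dimension) and the AdaBoost classifier that item 2 and item 3 build on it are easiest to see end to end in code. The block below is an added example written for this page; it is not code from the thesis, from the author's research group, or from Cuckoo. Everything in it is constructed: the feature table is a hypothetical stand-in for the group's auxiliary table, the API names and argument fields are invented and use a flat list of call records rather than Cuckoo's real per-process report layout, and one-split decision stumps replace the pruned CART trees the thesis uses as AdaBoost weak learners.

```python
"""Added example (not the thesis's or Cuckoo's code): captured API call
sequences -> fixed-dimension 0/1 behavior vectors -> AdaBoost classifier.
All APIs, argument fields, samples and the feature table are constructed."""
import math

# Hypothetical auxiliary table: (feature name, hooked APIs that can trigger it,
# "important string" that must appear in the spliced arguments, or None when
# the API call alone is enough).
FEATURE_TABLE = [
    ("persist_run_key", {"RegSetValueExA", "RegSetValueExW"}, "currentversion\\run"),
    ("write_system_dir", {"NtWriteFile", "CreateFileW"}, "\\windows\\system32"),
    ("inject_remote_thread", {"CreateRemoteThread", "NtCreateThreadEx"}, None),
    ("network_connect", {"connect", "InternetConnectA", "InternetOpenUrlA"}, None),
    ("drop_executable", {"NtWriteFile", "CreateFileW"}, ".exe"),
    ("delete_executable", {"DeleteFileA", "DeleteFileW"}, ".exe"),
]
DIMENSION = len(FEATURE_TABLE)


def extract_features(calls):
    """Map a list of {"api": str, "args": {name: value}} records (assumed
    layout, not Cuckoo's) to a 0/1 vector of the same dimension for every sample."""
    vec = [0] * DIMENSION
    for call in calls:
        # "string splicing": join every argument value into one search string
        spliced = " ".join(str(v) for v in call.get("args", {}).values()).lower()
        for idx, (_, apis, needle) in enumerate(FEATURE_TABLE):
            if call["api"] in apis and (needle is None or needle in spliced):
                vec[idx] = 1
    return vec


def behavior_report(calls):
    """Readable list of the high-level behaviors a sample exhibited."""
    return [name for (name, _, _), bit in zip(FEATURE_TABLE, extract_features(calls)) if bit]


def _stump(x, feature, polarity):
    """Weak learner: returns +1 (malware) when the bit matches the polarity."""
    return polarity if x[feature] == 1 else -polarity


def train_adaboost(X, y, rounds=5):
    """AdaBoost over single-feature stumps. X: 0/1 vectors; y: +1 malware, -1 benign."""
    n = len(X)
    w = [1.0 / n] * n
    model = []
    for _ in range(rounds):
        best = None  # (weighted error, feature index, polarity)
        for f in range(DIMENSION):
            for pol in (1, -1):
                err = sum(wi for xi, yi, wi in zip(X, y, w) if _stump(xi, f, pol) != yi)
                if best is None or err < best[0]:
                    best = (err, f, pol)
        err, f, pol = best
        if err >= 0.5:
            break  # no stump beats chance under the current weighting
        alpha = 0.5 * math.log((1 - err) / max(err, 1e-10))
        model.append((alpha, f, pol))
        # misclassified samples gain weight, then the weights are renormalized
        w = [wi * math.exp(-alpha * yi * _stump(xi, f, pol)) for xi, yi, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model


def predict(model, x):
    """Weighted vote of the stumps: +1 malware, -1 benign."""
    return 1 if sum(a * _stump(x, f, p) for a, f, p in model) >= 0 else -1


def call(api, **args):
    return {"api": api, "args": args}


# Constructed training set of (label, captured calls); not real samples.
SAMPLES = [
    (1, [call("RegSetValueExA", regkey="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
              value="C:\\Users\\u\\svc.exe"),
         call("connect", ip="203.0.113.5", port=443)]),
    (1, [call("CreateRemoteThread", process_handle="0x1c8"),
         call("NtWriteFile", filepath="C:\\Windows\\System32\\drv.exe")]),
    (1, [call("InternetOpenUrlA", url="http://example.test/p"),
         call("NtWriteFile", filepath="C:\\Users\\u\\AppData\\x.exe"),
         call("DeleteFileW", filepath="C:\\Users\\u\\dropper.exe")]),
    (-1, [call("CreateFileW", filepath="C:\\Users\\u\\Documents\\report.docx"),
          call("NtWriteFile", filepath="C:\\Users\\u\\Documents\\report.docx")]),
    (-1, [call("RegSetValueExA", regkey="HKCU\\Software\\Vendor\\App\\Settings", value="1")]),
    (-1, [call("connect", ip="198.51.100.7", port=443),
          call("CreateFileW", filepath="C:\\Users\\u\\cache.dat")]),
]


def train_on_samples():
    """Train on SAMPLES and return (model, training-set accuracy)."""
    X = [extract_features(calls) for _, calls in SAMPLES]
    y = [label for label, _ in SAMPLES]
    model = train_adaboost(X, y)
    correct = sum(predict(model, x) == label for x, label in zip(X, y))
    return model, correct / len(y)


if __name__ == "__main__":
    model, acc = train_on_samples()
    print("training accuracy:", acc)
    for label, calls in SAMPLES:
        print(label, behavior_report(calls), "->", predict(model, extract_features(calls)))
```

The feature table is the part a practitioner would tune: a raw API name such as NtWriteFile is meaningless on its own, and it is the combination with a matched argument string (a Run key, a System32 path, an executable extension) that turns it into a semantic behavior bit, which is the "semantic uncertainty" the abstract says the raw data has. The tiny constructed set also shows why a boosted ensemble is used instead of a single rule: the benign sample that opens a network connection is only separated from the malware that also does so by combining several stumps.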
Keywords/Search Tags: malware detection framework design, automatic matching API, behavior data, behavior feature extraction