
Research And Implementation Of Multi Platform Malware Identification System Based On Sandbox And Automatic Shelling

Posted on: 2023-10-28
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Zhong
Full Text: PDF
GTID: 2568307112999699
Subject: Safety engineering
Abstract/Summary:
In recent years, with the rapid development of Internet technology, the speed at which malicious code propagates across the network has also increased significantly, which in turn harms information and network security. Malicious code such as computer viruses and backdoor programs now combines and integrates techniques, which has markedly increased its destructive power and survivability. In this situation, traditional malicious code detection technology cannot meet users' needs, so a detection technology that is resistant to interference, efficient and highly accurate is urgently required.

In view of the above, this thesis builds a multi-platform malicious code identification system based on a sandbox and automatic unpacking (shelling). How the system identifies malicious code accurately is analysed from four aspects.

First, the implementation of automatic unpacking technology is studied. As long as a program can run normally, the code segments visible in memory are already decrypted or decompressed (that is, the real code), so the automatic unpacking of packed programs studied here is built on a dynamic binary instrumentation framework and works at the memory level: it determines the packer type from signature values, locates the jump from the packer stub into the original program (the original entry point, OEP), dumps the relevant code of the original program from memory, and repairs the import address table (IAT) of the dumped program.

Second, a static analysis method for malicious code is studied. Static analysis takes a convolutional neural network as its core: the unpacked program is further separated into three interrelated but distinct files, the bytes of each file are converted into vectors with the continuous bag-of-words model (CBOW), the vectors are visualised as a three-channel image, and the resulting image set is used as the training data set of a residual neural network. The trained model identified malicious code (after unpacking) with close to 96% accuracy.

Third, a dynamic analysis method for malicious code is studied. Dynamic analysis is based on the sandbox: the software is executed in the sandbox, the traces it leaves behind are observed, and from these it is judged whether the software is malicious code. This thesis uses kernel-level API hooking to monitor and intercept the system API calls made by malicious code at a low level and to observe malicious behaviour at the kernel level. System resources requested by the code are redirected, so that its operations act on the redirected resources, or the system call is virtualised, which yields a realistic yet isolated execution environment for malicious code.

Fourth, a malicious code identification system based on the sandbox and automatic unpacking is built. The interaction between front end and back end is implemented with Python's Django, pages are rendered with Bootstrap, and a MySQL database stores the blacklist records. Simulation experiments show that, after the combined processing of automatic unpacking, static analysis and dynamic analysis, the software identifies malware more accurately and efficiently.
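As an added illustration of the first step of the unpacking workflow described above (determining the packer type from signature values before any OEP search, memory dump or IAT repair), the following Python script is not part of the thesis. It walks a PE section table and reports the static signals an analyst checks during triage: well-known packer section names, a section with no raw bytes but a large virtual size (the area the packer stub fills at run time), and raw sections with near-maximal entropy. The signature list, the entropy threshold and the two constructed sample images are assumptions made for this example; the thesis's own signature database is not on the page.

```python
"""Static packer-hint triage on a PE section table (illustrative, not the thesis code)."""
import math
import random
import struct

# Assumption: this short list stands in for the thesis's packer signature database.
# UPX writes these section names; other packers would be added the same way.
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rsize, "entropy": shannon_entropy(raw)})
    return sections


def packer_hints(pe: bytes) -> dict:
    """Signals an analyst checks before deciding whether an unpack step is needed."""
    sections = parse_sections(pe)
    hits = sorted({PACKER_SECTION_NAMES[s["name"]] for s in sections
                   if s["name"] in PACKER_SECTION_NAMES})
    # Zero raw bytes but a large virtual size: the region the stub decompresses into.
    inflating = [s["name"] for s in sections if s["raw_size"] == 0 and s["virtual_size"] > 0]
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] > 0 and s["entropy"] > HIGH_ENTROPY]
    return {"packer": hits, "inflating": inflating, "high_entropy": high_entropy,
            "likely_packed": bool(hits or (inflating and high_entropy))}


def build_sample_pe(specs) -> bytes:
    """Constructed minimal PE image: DOS stub, COFF header, zeroed PE32 optional header,
    section table and raw section data. specs = [(name, virtual_size, raw_bytes), ...]."""
    e_lfanew, size_opt = 0x40, 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, size_opt, 0x102)
    table_off = e_lfanew + 4 + 20 + size_opt
    data_off = table_off + 40 * len(specs)
    table, blobs, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in specs:
        rptr = data_off + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += max(vsize, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + bytes(table) + bytes(blobs)


# Constructed samples: deterministic pseudo-random bytes imitate a compressed payload.
_rng = random.Random(7)
PACKED_SPECS = [(b"UPX0", 0x20000, b""),
                (b"UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),
                (b".rsrc", 0x200, b"\0" * 512)]
PLAIN_SPECS = [(b".text", 0x400, bytes(range(64)) * 16),  # 64 symbols -> entropy 6.0
               (b".data", 0x200, b"\0" * 512)]

if __name__ == "__main__":
    for label, specs in (("packed", PACKED_SPECS), ("plain", PLAIN_SPECS)):
        print(label, packer_hints(build_sample_pe(specs)))
```

The three signals are deliberately kept separate in the result so that a triage pipeline can weight them: a recognised section name is a strong signature match, while the inflating-plus-high-entropy layout only suggests an unknown or renamed packer and would send the sample on to the dynamic, memory-level unpacking stage rather than settle the question by itself.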
Keywords/Search Tags:sandbox, residual neural network, malicious code, automated shelling